달빗(Dalbit,m00nlight): 중국 해커 그룹의 APT 공격 캠페인 - ASEC BLOG
Tags
Common Information
| Type | Value |
|---|---|
| UUID | c9bc9584-8d1a-4327-ae6d-33e80b336815 |
| Fingerprint | b6845c1bc3a13561 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Jan. 31, 2023, 9:06 a.m. |
| Added to db | Jan. 31, 2023, 2:16 a.m. |
| Last updated | Nov. 17, 2024, 10:40 p.m. |
| Headline | 달빗(Dalbit,m00nlight): 중국 해커 그룹의 APT 공격 캠페인 |
| Title | 달빗(Dalbit,m00nlight): 중국 해커 그룹의 APT 공격 캠페인 - ASEC BLOG |
| Detected Hints/Tags/Attributes | 140/2/261 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://asec.ahnlab.com/ko/46431/ |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 18 | ✔ | ASEC | https://asec.ahnlab.com/ko/feed/ | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 9 | cve-2018-8639 |
|
| Details | CVE | 34 | cve-2019-1458 |
|
| Details | Domain | 2 | m00nlight.top |
|
| Details | Domain | 285 | microsoft.net |
|
| Details | Domain | 397 | asp.net |
|
| Details | Domain | 42 | co.kr |
|
| Details | Domain | 22 | update.zip |
|
| Details | Domain | 13 | info.zip |
|
| Details | Domain | 5 | startmail.com |
|
| Details | Domain | 2 | sk1.m00nlight.top |
|
| Details | Domain | 2 | moack.co.ltd |
|
| Details | Domain | 2 | fk.m00nlight.top |
|
| Details | Domain | 3 | aa.zxcss.com |
|
| Details | File | 2 | conf.aspx |
|
| Details | File | 3 | 2.aspx |
|
| Details | File | 2 | 3.aspx |
|
| Details | File | 2 | file.aspx |
|
| Details | File | 2 | 4.asmx |
|
| Details | File | 7 | tunnel.aspx |
|
| Details | File | 2 | 2.asmx |
|
| Details | File | 2 | 1.asmx |
|
| Details | File | 10 | 1.aspx |
|
| Details | File | 2 | d:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\aa.aspx |
|
| Details | File | 2 | d:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\11.aspx |
|
| Details | File | 2 | app_web_defaultwsdlhelpgenerator.aspx |
|
| Details | File | 2 | sjx_41yb.dll |
|
| Details | File | 2 | app_web_ldaj2kwn.dll |
|
| Details | File | 2 | modifyregistryhelp.jsp |
|
| Details | File | 2 | eee.jsp |
|
| Details | File | 8 | error.jsp |
|
| Details | File | 2 | 123.jsp |
|
| Details | File | 11 | test.jsp |
|
| Details | File | 2 | aaa.jsp |
|
| Details | File | 2 | sb.jsp |
|
| Details | File | 47 | index.jsp |
|
| Details | File | 5 | update.jsp |
|
| Details | File | 20 | shell.jsp |
|
| Details | File | 128 | w3wp.exe |
|
| Details | File | 87 | java.exe |
|
| Details | File | 21 | sqlserver.exe |
|
| Details | File | 24 | update.zip |
|
| Details | File | 3 | c:\programdata\update.exe |
|
| Details | File | 7 | 8.txt |
|
| Details | File | 2 | c:\programdata\8.ini |
|
| Details | File | 7 | frpc.ini |
|
| Details | File | 15 | frpc.exe |
|
| Details | File | 2 | calc32.exe |
|
| Details | File | 2 | c:\windows\debug\winh32.exe |
|
| Details | File | 4 | log.ini |
|
| Details | File | 2 | c:\windows\debug\log.ini |
|
| Details | File | 5 | sp.exe |
|
| Details | File | 2126 | cmd.exe |
|
| Details | File | 2 | c:\temp\s.bat |
|
| Details | File | 175 | update.exe |
|
| Details | File | 14 | debug.exe |
|
| Details | File | 25 | main.exe |
|
| Details | File | 13 | info.exe |
|
| Details | File | 48 | agent.exe |
|
| Details | File | 58 | test.exe |
|
| Details | File | 2 | zabbix.exe |
|
| Details | File | 2 | winh32.exe |
|
| Details | File | 2 | 8080.ini |
|
| Details | File | 2 | 8.ini |
|
| Details | File | 13 | info.zip |
|
| Details | File | 2 | frpc__8083.ini |
|
| Details | File | 2 | debug.ini |
|
| Details | File | 38 | debug.log |
|
| Details | File | 17 | debug.txt |
|
| Details | File | 2 | frpc__2381.ini |
|
| Details | File | 2 | lcx3.exe |
|
| Details | File | 3 | lcx.exe |
|
| Details | File | 478 | lsass.exe |
|
| Details | File | 2 | %systemroot%\temp\duhgghmpert.dmp |
|
| Details | File | 2 | %systemroot%\temp\dumpert.dmp |
|
| Details | File | 2 | %systemroot%\temp\tarko.dmp |
|
| Details | File | 2 | %systemroot%\temp\lsa.txt |
|
| Details | File | 1122 | svchost.exe |
|
| Details | File | 2 | web_log.dmp |
|
| Details | File | 2 | web_log.zip |
|
| Details | File | 61 | 1.bat |
|
| Details | File | 2 | c:\temp\evtlogon.dat |
|
| Details | File | 4 | c:\windows\system32\bitlockerwizardelev.exe |
|
| Details | File | 2 | %allusersprofile%\badpotatonet4.exe |
|
| Details | File | 8 | vmp.exe |
|
| Details | File | 2 | %allusersprofile%\sweetpotato.exe |
|
| Details | File | 2 | vmp1.exe |
|
| Details | File | 2 | %allusersprofile%\lcx.exe |
|
| Details | File | 2 | %allusersprofile%\lcx_vp.exe |
|
| Details | File | 2 | %systemdrive%\temp\lcx.exe |
|
| Details | File | 2 | %systemdrive%\temp\lcx_vp.exe |
|
| Details | File | 2 | %systemdrive%\temp\svchost.exe |
|
| Details | File | 95 | wevtutil.exe |
|
| Details | File | 8 | asp.asp |
|
| Details | File | 4 | juicypotato.c4 |
|
| Details | File | 4 | sweetpotato.c4 |
|
| Details | File | 27 | agent.c4 |
|
| Details | File | 31 | generic.c4 |
|
| Details | File | 4 | exploit.c4 |
|
| Details | File | 4 | frp.c4 |
|
| Details | md5 | 2 | 0359a857a22c8e93bc43caea07d07e23 |
|
| Details | md5 | 3 | 85a6e4448f4e5be1aa135861a2c35d35 |
|
| Details | md5 | 2 | 4fc81fd5ac488b677a4c0ce5c272ffe3 |
|
| Details | md5 | 2 | c0452b18695644134a1e38af0e974172 |
|
| Details | md5 | 4 | 6b4c7ea91d5696369dd0a848586f0b28 |
|
| Details | md5 | 2 | 96b23ff19a945fad77dd4dd6d166faaa |
|
| Details | md5 | 2 | 88bef25e4958d0a198a2cc0d921e4384 |
|
| Details | md5 | 2 | c908340bf152b96dc0f270eb6d39437f |
|
| Details | md5 | 2 | 2c3de1cefe5cd2a5315a9c9970277bd7 |
|
| Details | md5 | 4 | e5b626c4b172065005d04205b026e446 |
|
| Details | md5 | 2 | 27ec6fb6739c4886b3c9e21b6b9041b6 |
|
| Details | md5 | 5 | 612585fa3ada349a02bc97d4c60de784 |
|
| Details | md5 | 3 | 21c7b2e6e0fb603c5fdd33781ac84b8f |
|
| Details | md5 | 2 | c44457653b2c69933e04734fe31ff699 |
|
| Details | md5 | 4 | e31b7d841b1865e11eab056e70416f1a |
|
| Details | md5 | 2 | 69c7d9025fa3841c4cd69db1353179cf |
|
| Details | md5 | 2 | fca13226da57b33f95bf3faad1004ee0 |
|
| Details | md5 | 2 | af002abd289296572d8afadfca809294 |
|
| Details | md5 | 3 | e981219f6ba673e977c5c1771f86b189 |
|
| Details | md5 | 2 | f978d05f1ebeb5df334f395d58a7e108 |
|
| Details | md5 | 2 | e3af60f483774014c43a7617c44d05e7 |
|
| Details | md5 | 4 | c802dd3d8732d9834c5a558e9d39ed37 |
|
| Details | md5 | 4 | 07191f554ed5d9025bc85ee1bf51f975 |
|
| Details | md5 | 2 | 61a687b0bea0ef97224c7bd2df118b87 |
|
| Details | md5 | 5 | 9fe61c9538f2df492dff1aab0f90579f |
|
| Details | md5 | 5 | ab9091f25a5ad44bef898588764f1990 |
|
| Details | md5 | 4 | 87e5c9f3127f29465ae04b9160756c62 |
|
| Details | md5 | 4 | 4bafbdca775375283a90f47952e182d9 |
|
| Details | md5 | 4 | 0311ee1452a19b97e626d24751375652 |
|
| Details | md5 | 2 | acacf51ceef8943f0ee40fc181b6f1fa |
|
| Details | md5 | 2 | 3cbea05bf7a1affb821e379b1966d89c |
|
| Details | md5 | 2 | 10f4a1df9c3f1388f9c74eb4cdf24e7c |
|
| Details | md5 | 2 | b5bdf2de230722e1fe63d88d8f628ebc |
|
| Details | md5 | 2 | edb685194f2fcd6a92f6e909dee7a237 |
|
| Details | md5 | 2 | e9bd5ed33a573bd5d9c4e071567808e5 |
|
| Details | md5 | 2 | fbae6c3769ed4ae4eccaff76af7e7dfe |
|
| Details | md5 | 4 | 937435bbcbc3670430bb762c56c7b329 |
|
| Details | md5 | 4 | fd0f73dd80d15626602c08b90529d9fd |
|
| Details | md5 | 2 | 29274ca90e6dcf5ae4762739fcbadf01 |
|
| Details | md5 | 2 | 784becfb944dec42cccf75c8cf2b97e3 |
|
| Details | md5 | 2 | 7307c6900952d4ef385231179c0a05e4 |
|
| Details | md5 | 2 | bcfca13c801608a82a0924f787a19e1d |
|
| Details | md5 | 2 | 75fe1b6536e94aaee132c8d022e14f85 |
|
| Details | md5 | 2 | d6cb8b66f7a9f3b26b4a98acb2f9d0c5 |
|
| Details | md5 | 2 | 323a36c23e61c6b37f28abfd5b7e5dfe |
|
| Details | md5 | 2 | 7b40aa57e1c61ecd6db2a1c18e08b0af |
|
| Details | md5 | 2 | 3665d512be2e9d31fc931912d5c6900e |
|
| Details | md5 | 2 | 1aca4310315d79e70168f15930cc3308 |
|
| Details | md5 | 4 | 5e0845a9f08c1cfc7966824758b6953a |
|
| Details | md5 | 6 | 9b0e4652a0317e6e4da66f29a74b5ad7 |
|
| Details | md5 | 2 | d8d36f17b50c8a37c2201fbb0672200a |
|
| Details | md5 | 2 | b998a39b31ad9b409d68dcb74ac6d97d |
|
| Details | md5 | 2 | d5054ed83e63f911be46b3ff8af82267 |
|
| Details | md5 | 2 | e7b7bf4c2ed49575bedabdce2385c8d5 |
|
| Details | md5 | 4 | f01a9a2d1e31332ed36c1a4d2839f412 |
|
| Details | md5 | 2 | d4d8c9be9a4a6499d254e845c6835f5f |
|
| Details | md5 | 4 | 4eb5eb52061cc8cf06e28e7eb20cd055 |
|
| Details | md5 | 2 | 0cc22fd05a3e771b09b584db0a161363 |
|
| Details | md5 | 4 | 8de8dfcb99621b21bf66a3ef2fcd8138 |
|
| Details | md5 | 4 | df8f2dc27cbbd10d944210b19f97dafd |
|
| Details | md5 | 2 | 2866f3c8dfd5698e7c58d166a5857e1e |
|
| Details | md5 | 2 | cbee2fd458ff686a4cd2dde42306bba1 |
|
| Details | md5 | 2 | 3dc8b64b498220612a43d36049f055ab |
|
| Details | md5 | 3 | 31c4a3f16baa5e0437fdd4603987b812 |
|
| Details | md5 | 2 | b33a27bfbe7677df4a465dfa9795ff4a |
|
| Details | md5 | 7 | 7d9c233b8c9e3f0ea290d2b84593c842 |
|
| Details | md5 | 2 | c4f18576fd1177ba1ef54e884cb7a79d |
|
| Details | md5 | 2 | 5d33609af27ea092f80aff1af6ddf98d |
|
| Details | md5 | 4 | 622f060fce624bdca9a427c3edec1663 |
|
| Details | md5 | 2 | 1f2432ec77b750aa3e3f72c866584dc3 |
|
| Details | md5 | 2 | d331602d190c0963ec83e46f5a5cd54a |
|
| Details | md5 | 2 | 21d268341884c4fc62b5af7a3b433d90 |
|
| Details | md5 | 2 | 6a20945ae9f7c9e1a28015e40758bb4f |
|
| Details | md5 | 2 | a29f39713ce6a92e642d14374e7203f0 |
|
| Details | md5 | 2 | 7ce988f1b593e96206a1ef57eb1bec8a |
|
| Details | md5 | 2 | fc9abba1f212db8eeac7734056b81a6e |
|
| Details | md5 | 3 | 9f55b31c66a01953c17eea6ace66f636 |
|
| Details | md5 | 3 | 33129e959221bf9d5211710747fddabe |
|
| Details | md5 | 2 | 48b99c2f0441f5a4794afb4f89610e48 |
|
| Details | md5 | 2 | 28e026b9550e4eb37435013425abfa38 |
|
| Details | md5 | 2 | 2ceabffe2d40714e5535212d46d78119 |
|
| Details | md5 | 2 | c72750485db39d0c04469cd6b100a595 |
|
| Details | md5 | 2 | 68403cc3a6fcbeb9e5e9f7263d04c02f |
|
| Details | md5 | 2 | 52ff6e3e942ac8ee012dcde89e7a1116 |
|
| Details | md5 | 2 | d82481e9bc50d9d9aeb9d56072bf3cfe |
|
| Details | md5 | 2 | 22381941763862631070e043d4dd0dc2 |
|
| Details | md5 | 2 | 6b5bccf615bf634b0e55a86a9c24c902 |
|
| Details | md5 | 2 | 942d949a28b2921fb980e2d659e6ef75 |
|
| Details | md5 | 2 | 059d98dcb83be037cd9829d31c096dab |
|
| Details | md5 | 2 | cca50cdd843aa824e5eef5f05e74f4a5 |
|
| Details | md5 | 2 | f6f0d44aa5e3d83bb1ac777c9cea7060 |
|
| Details | md5 | 2 | 0ca345bc074fa2ef7a2797b875b6cd4d |
|
| Details | md5 | 2 | f6da8dc4e1226aa2d0dabc32acd06915 |
|
| Details | md5 | 2 | 0bbfaea19c8d1444ae282ff5911a527b |
|
| Details | md5 | 2 | a69d3580921ec8adce64c9b38ac3653a |
|
| Details | md5 | 2 | c4e39c1fc0e1b165319fa533a9795c44 |
|
| Details | md5 | 3 | fb6bf74c6c1f2482e914816d6e97ce09 |
|
| Details | md5 | 2 | 678dbe60e15d913fb363c8722bde313d |
|
| Details | md5 | 3 | e0f4afe374d75608d604fbf108eac64f |
|
| Details | md5 | 4 | f5271a6d909091527ed9f30eafa0ded6 |
|
| Details | md5 | 2 | ae8acf66bfe3a44148964048b826d005 |
|
| Details | md5 | 5 | 6983f7001de10f4d19fc2d794c3eb534 |
|
| Details | md5 | 2 | fcb7f7dab6d401a17bd436fc12a84623 |
|
| Details | md5 | 6 | bb8bdb3e8c92e97e2f63626bc3b254c4 |
|
| Details | md5 | 2 | 80f421c5fd5b28fc05b485de4f7896a1 |
|
| Details | md5 | 4 | a03b57cc0103316e974bbb0f159f78f6 |
|
| Details | md5 | 2 | 46f366e3ee36c05ab5a7a319319f7c72 |
|
| Details | md5 | 2 | 7bd775395b821e158a6961c573e6fd43 |
|
| Details | md5 | 3 | b434df66d0dd15c2f5e5b2975f2cfbe2 |
|
| Details | md5 | 2 | c17cfe533f8ce24f0e41bd7e14a35e5e |
|
| Details | md5 | 1 | d3763ffbfaf30bcfd866b8ed0324e7a3 |
|
| Details | md5 | 1 | f13dab7d9ce88ddc0c80c2b9c5f422b5 |
|
| Details | md5 | 1 | e8c76dfec3c03e44eddff089dd85f489 |
|
| Details | md5 | 3 | 011cedd9932207ee5539895e2a1ed60a |
|
| Details | md5 | 2 | bc744a4bf1c158dba37276bf7db50d85 |
|
| Details | md5 | 2 | 23c0500a69b71d5942585bb87559fe83 |
|
| Details | md5 | 3 | 53271b2ab6c327a68e78a7c0bf9f4044 |
|
| Details | md5 | 2 | c87ac56d434195c527d3358e12e2b2e0 |
|
| Details | IPv4 | 2 | 103.118.42.208 |
|
| Details | IPv4 | 2 | 91.217.139.117 |
|
| Details | IPv4 | 1441 | 127.0.0.1 |
|
| Details | IPv4 | 2 | 205.185.122.95 |
|
| Details | IPv4 | 2 | 175.24.32.228 |
|
| Details | IPv4 | 2 | 45.136.186.19 |
|
| Details | IPv4 | 2 | 45.136.186.175 |
|
| Details | IPv4 | 2 | 45.93.31.122 |
|
| Details | IPv4 | 2 | 45.93.31.75 |
|
| Details | IPv4 | 2 | 45.93.28.103 |
|
| Details | IPv4 | 2 | 101.43.121.50 |
|
| Details | MITRE ATT&CK Techniques | 695 | T1059 |
|
| Details | MITRE ATT&CK Techniques | 310 | T1047 |
|
| Details | MITRE ATT&CK Techniques | 78 | T1569 |
|
| Details | MITRE ATT&CK Techniques | 480 | T1053 |
|
| Details | MITRE ATT&CK Techniques | 112 | T1098 |
|
| Details | MITRE ATT&CK Techniques | 67 | T1505 |
|
| Details | MITRE ATT&CK Techniques | 116 | T1134 |
|
| Details | MITRE ATT&CK Techniques | 208 | T1068 |
|
| Details | MITRE ATT&CK Techniques | 289 | T1003 |
|
| Details | MITRE ATT&CK Techniques | 243 | T1018 |
|
| Details | MITRE ATT&CK Techniques | 168 | T1046 |
|
| Details | MITRE ATT&CK Techniques | 235 | T1562 |
|
| Details | MITRE ATT&CK Techniques | 247 | T1070 |
|
| Details | MITRE ATT&CK Techniques | 159 | T1021 |
|
| Details | MITRE ATT&CK Techniques | 118 | T1570 |
|
| Details | MITRE ATT&CK Techniques | 534 | T1005 |
|
| Details | MITRE ATT&CK Techniques | 89 | T1114 |
|
| Details | MITRE ATT&CK Techniques | 126 | T1567 |
|
| Details | MITRE ATT&CK Techniques | 152 | T1090 |
|
| Details | MITRE ATT&CK Techniques | 492 | T1105 |
|
| Details | MITRE ATT&CK Techniques | 472 | T1486 |
|
| Details | MITRE ATT&CK Techniques | 49 | T1608.001 |
|
| Details | Url | 4 | http://www.ive***.co.kr/uploadfile/ufaceimage/1/update.zip |
|
| Details | Url | 2 | http://121.167.***.***/temp/8.txt |
|
| Details | Url | 2 | http://103.118.42.208:8080/frpc.exe |
|
| Details | Url | 2 | http://91.217.139.117:8080/calc32.exe |
|
| Details | Url | 2 | http://91.217.139.117:8001/log.ini |
|
| Details | Url | 2 | http://91.217.139.117:8080/1.bat |
|
| Details | Url | 2 | http://91.217.139.117:8443/log.ini |
|
| Details | Url | 2 | http://175.24.32.228:8888/readme |
|
| Details | Url | 2 | http://sk1.m00nlight.top:80 |
|
| Details | Url | 2 | https://fk.m00nlight.top:443 |
|
| Details | Url | 2 | https://aa.zxcss.com:443 |