Andariel Hackers Attacking Asset Management Companies To Inject Malicious Code (gbhackers.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 14 Mar 2024 11:55
https://sh.itjust.works/post/16205125

IoC MD5 – a714b928bbc7cd480fed85e379966f95 (VT: 43/72) : AndarLoader (%SystemDirectory%\SVPNClientW.exe)

– 4f1b1124e34894398aa423200a8ab894 (VT: 43/72) : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)

– 2c69c4786ce663e58a3cc093c6d5b530 (VT: 0) : ModeLoader

– 29efd64dd3c7fe1e2b022b7ad73a1ba5 (VT: 64/73) : Mimikatz (%USERPROFILE%\mimi.exe)

C&C 주소 – privacy.hopto[.]org:443 : AndarLoader – privatemake.bounceme[.]net:443 : AndarLoader – 84.38.129[.]21 : MeshAgent – hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader – hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader – hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader – hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader – hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader – hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader – hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader – hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader – hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader – hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader

#cybersecurity

threaded - newest