IoC (TT Malware Log)

Malware IoC (Indicator) information

◆Caution◆ Site for malware analysis experts

     FQDNs, URLs, IP addresses etc. are posted as they are

Winnti (APT41)

【Indicator information】

■Hash information (SHA-256) - CrackShot -

993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31
049a2d4d54c511b16f8bc33dae670736bf938c3542f2342192ad877ab38a7b5d
d00b3edc3fe688fa035f1b919ef6e8f451a9c2197ef83d9bac3fa3af5e752243
7096f1fdefa15065283a0b7928d1ab97923688c7974f98a33c94de214c675567
c667c9b2b9741247a56fcf0deebb4dc52b9ab4c0da6d9cdaba5461a5e2c86e0c


■Hash information (SHA-1) - CrackShot -

44260a1dfd92922a621124640015160e621f32d5
dde82093decde6371eb852a5e9a1aa4acf3b56ba
a045939f53c5ad2c0f7368b082aa7b0bd7b116da
a260dcf193e747cee49ae83568eea6c04bf93cb3
8272c1f41f7c223316c0d78bd3bd5744e25c2e9f


■Hash information (MD5) - CrackShot -

04fb0ccf3ef309b1cd587f609ab0e81e
0b2e07205245697a749e422238f9f785
272537bbd2a8e2a2c3938dc31f0d2461
dd792f9185860e1464b4346254b2101b
fcfab508663d9ce519b51f767e902806


■Hash information (SHA-256) - GearShift -

7e0c95fc64357f12e837112987333cdaf8c1208ef8c100649eba71f1ea90c1db
4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213


■Hash information (SHA-1) - GearShift -

c2fb50c9ef7ae776a42409bce8ef1be464654a4e
f3c222606f890573e6128fbeb389f37bd6f6bda3


■Hash information (MD5) - GearShift -

5b26f5c7c367d5e976aaba320965cc7f
f8c89ccd8937f2b760e6706738210744


■Hash information (SHA-256) - HighNoon -

42d138d0938494fd64e1e919707e7201e6675b1122bf30ab51b1ae26adaec921
7566558469ede04efc665212b45786a730055770f6ea8f924d8c1e324cae8691
7cd17fc948eb5fa398b8554fea036bdb3c0045880e03acbe532f4082c271e3c5


■Hash information (SHA-1) - HighNoon -

41bac813ae07aef41436e8ad22d605f786f9e099
ad77a34627192abdf32daa9208fbde8b4ebfb25c
3f1dee370a155dc2e8fb15e776821d7697583c75


■Hash information (MD5) - HighNoon -

46a557fbdce734a6794b228df0195474
77c60e5d2d99c3f63f2aea1773ed4653
849ab91e93116ae420d2fe2136d24a87


■Hash information (SHA-256) - HighNoon.bin -

490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994
63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7
79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d


■Hash information (SHA-1) - HighNoon.bin -

1036a7088b060250bb66b6de91f0c6ac462dc24c
5ee7c57dc84391f63eaa3824c53cc10eafc9e388
03de2118aac6f20786043c7ef0324ef01dcf4265


■Hash information (MD5) - HighNoon.bin -

36711896cfeb67f599305b590f195aec
7d51ea0230d4692eeedc2d5a4cd66d2d
a0a96138b57ee24eed31b652ddf60d4e


■Hash information (SHA-256) - JumpAll -

c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d


■Hash information (SHA-1) - JumpAll -

adde0644a572ed593e8b0566698d4e3de0fefb8a


■Hash information (MD5) - JumpAll -

ba08b593250c3ca5c13f56e2ca97d85e


■Hash information (SHA-256) - PoisonPlug -

e65d39fa659f64a57ee13e8a638abd9031fa1486311d2782f32e979d5dee1ca5
2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90
70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e
3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f
9283703dfbc642dd70c8c7667528552690e998bcb3f3374273c0b5c90c0d1366
f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661
0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb


■Hash information (SHA-1) - PoisonPlug -

1835c7751436cc199c55b42f34566d25fe6104ca
32466d8d232d7b1801f456fe336615e6fa5e6ffb
971bb08196bba400b07cf213345f55ce0a6eedc8
2366d181a1697bcb4f368df397dd0533ab8b5d27
4dc5fadece500ccd8cc49cfcf8a1b59baee3382a
d0429abec299ddfee7e1d9ccff1766afd4c0992b
6f065eea36e28403d4d518b8e24bb7a915b612c3
82072cb53416c89bfee95b239f9a90677a0848df


■Hash information (MD5) - PoisonPlug -

223e4cc4cf5ce049f300671697a17a01
37e100dd8b2ad8b301b130c2bca3f1ea
557ff68798c71652db8a85596a4bab72
830a09ff05eac9a5f42897ba5176a36a
b0877494d36fab1f9f4219c3defbfb19
c8403fabda4d036a55d0353520e765c9
ff8d92dfbcda572ef97c142017eec658
ffd0f34739c1568797891b9961111464


■Hash information (SHA-256) - PoisonPlug.Shadow -

faedf9fef6edac2f0565882112b2eae14edda024239d3218a9fe9ac7e0b12db6
462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8
92cb362ae8d24c05f368d13036534fe014344994d46031a0a8636a7ca0b792c6


■Hash information (SHA-1) - PoisonPlug.Shadow -

f067443c2c4d99dc6577006a2f105e51af731659
f1a181d29b38dfe60d8ea487e8ed0ef30f064763
5a85d1e19e0414fc59e454ccbaef0a3c6bb41268


■Hash information (MD5) - PoisonPlug.Shadow -

72584d6b7dd10c82d9118567b548b2b1
97363d50a279492fda14cbab53429e75
a6c7db170bc7a4ee2cdb192247b59cd6


■Hash information (SHA-256) - Phishing Payload -

354c174e583e968f0ecf86cc20d59ecd6e0f9d21800428453b8db63f344f0f22
bae8f4f5fc959bff980d6a6d12797b0d647e97cc811c5b9e827d0b985d87f68f


■Hash information (SHA-1) - Phishing Payload -

67c957c268c1e56cc8eb34b02e5c09eae62680f5
b193ff40a98cd086f92893784d8896065faa3ee3


■Hash information (MD5) - Phishing Payload -

5e87b09f9a3f1b728c9797560a38764b
8c6cceae2eea92deb6f7632f949293f0


■Domains

agegamepay[.]com
ageofwuxia[.]com
ageofwuxia[.]info
ageofwuxia[.]net
ageofwuxia[.]org
bugcheck.xigncodeservice[.]com
byeserver[.]com
dnsgogle[.]com
gamewushu[.]com
gxxservice[.]com
ibmupdate[.]com
infestexe[.]com
kasparsky[.]net
linux-update[.]net
macfee[.]ga
micros0ff[.]com
micros0tf[.]com
notped[.]com
operatingbox[.]com
paniesx[.]com
serverbye[.]com
sexyjapan.ddns[.]info
symanteclabs[.]com
techniciantext[.]com
win7update[.]net
xigncodeservice[.]com


■Email Addresses

akbklxp@126[.]com
akbklxp@163[.]com
hackershby@126[.]com
hrsimon59@gmail[.]com
injuriesa@126[.]com
injuriesa@163[.]com
injuriesa@gmail[.]com
injuriesa@hotmail[.]com
injuriesa@qq[.]com
kbklxp@126[.]com
petervc1983@gmail[.]com
ravinder10@126[.]com
ravinder10@hotmail[.]com
ravinder10@sohu[.]com
wolf_zhi@yahoo[.]com


【Search】

■CrackShot

google: 993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31
google: 049a2d4d54c511b16f8bc33dae670736bf938c3542f2342192ad877ab38a7b5d
google: d00b3edc3fe688fa035f1b919ef6e8f451a9c2197ef83d9bac3fa3af5e752243
google: 7096f1fdefa15065283a0b7928d1ab97923688c7974f98a33c94de214c675567
google: c667c9b2b9741247a56fcf0deebb4dc52b9ab4c0da6d9cdaba5461a5e2c86e0c


■GearShift

google: 7e0c95fc64357f12e837112987333cdaf8c1208ef8c100649eba71f1ea90c1db
google: 4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213


■HighNoon

google: 42d138d0938494fd64e1e919707e7201e6675b1122bf30ab51b1ae26adaec921
google: 7566558469ede04efc665212b45786a730055770f6ea8f924d8c1e324cae8691
google: 7cd17fc948eb5fa398b8554fea036bdb3c0045880e03acbe532f4082c271e3c5


■HighNoon.bin

google: 490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994
google: 63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7
google: 79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d


■JumpAll

google: c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d


■PoisonPlug

google: e65d39fa659f64a57ee13e8a638abd9031fa1486311d2782f32e979d5dee1ca5
google: 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
google: 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90
google: 70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e
google: 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f
google: 9283703dfbc642dd70c8c7667528552690e998bcb3f3374273c0b5c90c0d1366
google: f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661
google: 0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb


■PoisonPlug.Shadow

google: faedf9fef6edac2f0565882112b2eae14edda024239d3218a9fe9ac7e0b12db6
google: 462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8
google: 92cb362ae8d24c05f368d13036534fe014344994d46031a0a8636a7ca0b792c6


■Phishing Payload

google: 354c174e583e968f0ecf86cc20d59ecd6e0f9d21800428453b8db63f344f0f22
google: bae8f4f5fc959bff980d6a6d12797b0d647e97cc811c5b9e827d0b985d87f68f


【VirusTotal search】

■CrackShot

https://www.virustotal.com/gui/file/993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31
https://www.virustotal.com/gui/file/049a2d4d54c511b16f8bc33dae670736bf938c3542f2342192ad877ab38a7b5d
https://www.virustotal.com/gui/file/d00b3edc3fe688fa035f1b919ef6e8f451a9c2197ef83d9bac3fa3af5e752243
https://www.virustotal.com/gui/file/7096f1fdefa15065283a0b7928d1ab97923688c7974f98a33c94de214c675567
https://www.virustotal.com/gui/file/c667c9b2b9741247a56fcf0deebb4dc52b9ab4c0da6d9cdaba5461a5e2c86e0c


■GearShift

https://www.virustotal.com/gui/file/7e0c95fc64357f12e837112987333cdaf8c1208ef8c100649eba71f1ea90c1db
https://www.virustotal.com/gui/file/4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213


■HighNoon

https://www.virustotal.com/gui/file/42d138d0938494fd64e1e919707e7201e6675b1122bf30ab51b1ae26adaec921
https://www.virustotal.com/gui/file/7566558469ede04efc665212b45786a730055770f6ea8f924d8c1e324cae8691
https://www.virustotal.com/gui/file/7cd17fc948eb5fa398b8554fea036bdb3c0045880e03acbe532f4082c271e3c5


■HighNoon.bin

https://www.virustotal.com/gui/file/490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994
https://www.virustotal.com/gui/file/63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7
https://www.virustotal.com/gui/file/79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d


■JumpAll

https://www.virustotal.com/gui/file/c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d


■PoisonPlug

https://www.virustotal.com/gui/file/e65d39fa659f64a57ee13e8a638abd9031fa1486311d2782f32e979d5dee1ca5
https://www.virustotal.com/gui/file/2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
https://www.virustotal.com/gui/file/5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90
https://www.virustotal.com/gui/file/70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e
https://www.virustotal.com/gui/file/3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f
https://www.virustotal.com/gui/file/9283703dfbc642dd70c8c7667528552690e998bcb3f3374273c0b5c90c0d1366
https://www.virustotal.com/gui/file/f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661
https://www.virustotal.com/gui/file/0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb


■PoisonPlug.Shadow

https://www.virustotal.com/gui/file/faedf9fef6edac2f0565882112b2eae14edda024239d3218a9fe9ac7e0b12db6
https://www.virustotal.com/gui/file/462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8
https://www.virustotal.com/gui/file/92cb362ae8d24c05f368d13036534fe014344994d46031a0a8636a7ca0b792c6


■Phishing Payload

https://www.virustotal.com/gui/file/354c174e583e968f0ecf86cc20d59ecd6e0f9d21800428453b8db63f344f0f22
https://www.virustotal.com/gui/file/bae8f4f5fc959bff980d6a6d12797b0d647e97cc811c5b9e827d0b985d87f68f


【References】

◆APT41 Double Dragon (FireEye, 2019/08/08)
https://content.fireeye.com/apt-41/rpt-apt41/


【Related summary articles】

Overall summary
 ◆Attack groups / Actor (summary)
  ◆Targeted attack groups / APT (summary)

◆Winnti / APT41 (summary)
https://malware-log.hatenablog.com/entry/Winnti