Pulse name: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig
TLP: WHITE | Author: CyberHunter_NL | Created: 2025-04-16 | Modified: 2025-05-16
Indicators of Compromise (62)
TYPE    INDICATOR    DESCRIPTION    CREATED
FileHash-MD5 193beea281b0d13323dffb32483aa661 MD5 of 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db 2025-04-16
FileHash-MD5 1a36513fbd980c884968fc60dc193977 MD5 of 6579defcd1326efad359c59cfe9a76d7df375e54f6e977dd880d10f81325999e 2025-04-16
FileHash-MD5 90bb96c7a3fd501d7ac0fce143083b85 MD5 of c0838b1211d482d21ccb2c9cc9fb224d1f826474d496a76d21ca18fa2ef92bc1 2025-04-16
FileHash-MD5 96f307b0ba3bb11715fab5db8d61191f MD5 of e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8 2025-04-16
FileHash-MD5 f665278591038f346e65817b17c930f9 MD5 of f064fdd24c56f2d20f1a6a32fc7edbd3848f962b25965b788b0dc725eeab9db4 2025-04-16
FileHash-SHA1 0fbac5c94f32b0e011baf39df82a65d293b14e7d SHA1 of e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8 2025-04-16
FileHash-SHA1 6125e88f6c8cbe8c19236fdba7f3d69d104bbbb6 SHA1 of 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db 2025-04-16
FileHash-SHA1 6ff1f6cdef8503cacde51d0577a51e56916fb44c SHA1 of 6579defcd1326efad359c59cfe9a76d7df375e54f6e977dd880d10f81325999e 2025-04-16
FileHash-SHA1 978c8d81697ebb29d809c21b398ac88fea6013bd SHA1 of f064fdd24c56f2d20f1a6a32fc7edbd3848f962b25965b788b0dc725eeab9db4 2025-04-16
FileHash-SHA1 a031bd01a0de10b2a5e83f82ca84881835fa9d80 SHA1 of c0838b1211d482d21ccb2c9cc9fb224d1f826474d496a76d21ca18fa2ef92bc1 2025-04-16
FileHash-SHA256 21ccb25887eae8b17349cefc04394dc3ad75c289768d7ba61f51d228b4c964db 2025-04-16
FileHash-SHA256 6579defcd1326efad359c59cfe9a76d7df375e54f6e977dd880d10f81325999e 2025-04-16
FileHash-SHA256 8d88944149ea1477bd7ba0a07be3a4371ba958d4a47b783f7c10cbe08c5e7d38 2025-04-16
FileHash-SHA256 c0838b1211d482d21ccb2c9cc9fb224d1f826474d496a76d21ca18fa2ef92bc1 2025-04-16
FileHash-SHA256 e6db3de3a21debce119b16697ea2de5376f685567b284ef2dee32feb8d2d44f8 2025-04-16
FileHash-SHA256 f064fdd24c56f2d20f1a6a32fc7edbd3848f962b25965b788b0dc725eeab9db4 2025-04-16
URL http://124.221.120.25:2222/vs666 2025-04-16
URL http://47.97.176.108:8887/?a=l64&h=47.97.176.108&t=ws_&p=8887 2025-04-16
URL http://ciscocdn.com:8888/supershell/compile/download/x64 2025-04-16
URL http://gooogleasia.com:8080/download_$executable 2025-04-16
URL http://images.windowstimes.online/?a=l64&h=images.windowstimes.online&t=ws_&p=80 2025-04-16
URL http://lin.c1oudf1are.com:42323/?a=l64&h=lin.c1oudf1are.com&t=ws_&p=42323 2025-04-16
URL http://lin.huionepay.me:2086/?a=l64&h=lin.huionepay.me&t=ws_&p=2086 2025-04-16
URL http://lin.telegrams.icu:2086/?a=l64&h=lin.telegrams.icu&t=ws_&p=2086 2025-04-16
URL http://vs.gooogleasia.com:8443/?a=l64&h=vs.gooogleasia.com&t=ws_&p=8443 2025-04-16
URL http://www.bing-server.com:443 2025-04-16
YARA a97af19c81959c9e3ab62f8b492850dad5db9844 This rule detects strings seen in SNOWLIGHT malware acting as a dropper for fileless payloads. 2025-04-16
domain 1c38.sa 2025-04-16
domain c1oudf1are.com 2025-04-16
domain chmobank.com 2025-04-16
domain ciscocdn.com 2025-04-16
domain container.name 2025-04-16
domain googlespays.com 2025-04-16
domain gooogleasia.com 2025-04-16
domain huionepay.me 2025-04-16
domain mcafeecdn.xyz 2025-04-16
domain multi-user.target 2025-04-16
domain network.target 2025-04-16
domain ogleasia.com 2025-04-16
domain proc.is 2025-04-16
domain proc.name 2025-04-16
domain samsungcdn.com 2025-04-16
domain sex666vr.com 2025-04-16
domain telegrams.icu 2025-04-16
domain user.name 2025-04-16
hostname 5.ns1.name 2025-04-16
hostname account.gooogleasia.com 2025-04-16
hostname apib.googlespays.com 2025-04-16
hostname btt.evil.gooogleasia.com 2025-04-16
hostname evil.gooogleasia.com 2025-04-16
hostname https.sex666vr.com 2025-04-16
hostname images.windowstimes.online 2025-04-16
hostname ks.evil.gooogleasia.com 2025-04-16
hostname lin.c1oudf1are.com 2025-04-16
hostname lin.huionepay.me 2025-04-16
hostname lin.telegrams.icu 2025-04-16
hostname login.microsoftonline.gooogleasia.com 2025-04-16
hostname mtls.sex666vr.com 2025-04-16
hostname start.bootstrapcdn.fun 2025-04-16
hostname vs.gooogleasia.com 2025-04-16
hostname wg.gooogleasia.com 2025-04-16
hostname www.bing-server.com 2025-04-16