Pulse Detail — Threat Intelligence

PULSE NAME

Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

WHITE Kimsuky Tr1sa111 2026-04-14 Modified: 2026-04-14

IOCs

MEDIUM VOLUME

↓ CSV ↓ JSON

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1113 T1132.001 T1056.001 T1036.005 T1204.002 T1566.001 T1115 T1082 T1053 T1140 T1112 T1083 T1057 T1041 T1059.001 T1547.001 T1027 T1518.001 T1071.001 T1059.005

Indicators of Compromise (47)

All IPv4 FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
IPv4	51.79.185.184	—	2026-04-14
FileHash-MD5	08815400eb034d0c760d031e735bd392	—	2026-04-14
FileHash-MD5	0ac44ad9cfbc58ed76415f7bc79239f9	—	2026-04-14
FileHash-MD5	4599ac1bbe483c73064df1353feafd01	—	2026-04-14
FileHash-MD5	6d03fd0b89fe997408b9e9e3d5ead602	—	2026-04-14
FileHash-MD5	6f90f6b96fe3a5b79c1935211f557a08	—	2026-04-14
FileHash-SHA1	51ab17a51cc000bbae89980082c57281c4c0b462	—	2026-04-14
FileHash-SHA1	66af61e3e376284f691d449d0042e8b2c1174278	—	2026-04-14
FileHash-SHA1	6aa51c23f0319a6b940072274adf47a0c29f27b6	—	2026-04-14
FileHash-SHA1	a76af8176da28fdab47f9a77d50eb0e89f2b8557	—	2026-04-14
FileHash-SHA1	f759ccb6886234c63a66abd6102c636a46d1eba8	—	2026-04-14
FileHash-SHA256	1eff237dee95172363bfc0342d0389f809f753a6ec5e6848e57b3fd5482e9793	—	2026-04-14
FileHash-SHA256	7047878f4fbea323148f6554afe616991eb56cc327653972c4213a9017c5e66b	—	2026-04-14
FileHash-SHA256	85f8f8a3f28d2956776fbbd0365cdb78ac8dc1e6ed12818ef18caed0bb2f74c8	—	2026-04-14
FileHash-SHA256	a36576a096db24a1c91327eb547dedf52e5bd4b0d4593b88d9593d377585b922	—	2026-04-14
FileHash-SHA256	af50f35701916d3909f2727cdcbde1a7af47f46eb8db3996905b1c0725aa133f	—	2026-04-14
FileHash-SHA256	d7c09e7bf79aa9b786dcd9f870427f4a1110f702646fba9d3835215ad3649d0b	—	2026-04-14
IPv4	118.194.249.109	—	2026-04-14
IPv4	130.94.29.111	—	2026-04-14
IPv4	162.255.119.150	—	2026-04-14
IPv4	27.102.137.150	—	2026-04-14
IPv4	27.102.137.38	—	2026-04-14
IPv4	27.102.138.45	—	2026-04-14
IPv4	38.60.220.135	—	2026-04-14
URL	http://check.nid-log.com/api'	—	2026-04-14
URL	http://check.nid-log.com/api/bootservice.php	—	2026-04-14
URL	http://check.nid-log.com/api/bootservice.php?tag=	—	2026-04-14
URL	http://check.nid-log.com/api/checkservice.php	—	2026-04-14
URL	http://check.nid-log.com/api/finalservice.php	—	2026-04-14
URL	http://noreplymail.space/BitJoker/bootservice.php	—	2026-04-14
YARA	22885ad517585b9f0c5bb9fdd785df00e7c0cfc0	—	2026-04-14
domain	nid-log.com	—	2026-04-14
domain	noreplymail.space	—	2026-04-14
domain	uncork.biz	—	2026-04-14
domain	withheldforprivacy.com	—	2026-04-14
hostname	check.nid-log.com	—	2026-04-14
hostname	chk.uncork.biz	—	2026-04-14
hostname	miss-tax.dns.navy	—	2026-04-14
hostname	nid-htl.duckdns.org	—	2026-04-14
hostname	nid-navercwu.servecounterstrike.com	—	2026-04-14
hostname	nid-naverfxc.servecounterstrike.com	—	2026-04-14
hostname	nid-naverpep.servequake.com	—	2026-04-14
hostname	nid-navertca.servehalflife.com	—	2026-04-14
hostname	nid-tax.dns.army	—	2026-04-14
hostname	pay-tax.dns.navy	—	2026-04-14
hostname	tax-invoice.dns.army	—	2026-04-14
hostname	verify.efine-log.kro.kr	—	2026-04-14

References (1)

↗ https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery