1 |
nekomimimaiden |
Densha de D (電車でD) SS 13 patch: https://www.dropbox.com/s/qrobg6bit8fmy45/dend_ss_ver113_all.zip?dl=1
Hash values: https://www.dropbox.com/s/wwp3tqx3g528fh2/dend_ss_ver113_check_sum_utf8.txt?dl=1
No threats found by Kaspersky & VirusTotal ( https://www.virustotal.com/gui/file/b677418ffd65ec8f1952f33309733be871472e4dd5719dcba7b264c4a6412843/detection ).
Update path: https://twitter.com/nekomimimaiden/status/1366874644024725505/photo/1
|
2021-03-02 22:14:45 |
2 |
neonprimetime |
#malware received today 3/2/2021
subject: order 09748 Package
attachment: invoice.jnlp
download url: invoicesecure.net/documents
https://www.joesandbox.com/analysis/361228/0/html
https://www.virustotal.com/gui/file/91c8702137880cebf55f89e1d0b07df0c7c05b277850879384fa1dfe7470006c/community https://twitter.com/neonprimetime/status/1366868658954194945/photo/1
|
2021-03-02 21:50:58 |
3 |
bl4ckh0l3z |
@malwrhunterteam #donot confirmed.
💻 C2:
shortler.xyz
|
2021-03-02 21:43:37 |
4 |
3eslan |
The 6 best sites to scan your device and files online
and remove viruses without installing anything
1- https://metadefender.opswat.com/?lang=en
2- https://virustotal.com/gui/home/search
3- https://pandasecurity.com/en/homeusers/solutions/cloud-cleaner/
4- https://eset.com/uk/home/online-scanner/
5- https://lite.al/jOTmV
6- https://virscan.org https://twitter.com/3eslan/status/1366857193904046083/photo/1
|
2021-03-02 21:05:24 |
5 |
dubstard |
🎯 Fake Elon Musk "giveaway" scam
⚠ /ilogivemus-2021.info
☣ AS50465 193.106.175.25
🌐 @regru
🖧 IQHost
Ξ 0xeD80d06d49EFcB4FAc90546De2b8d71Bb2f724C0
₿ 12Ss9yu4pvQWjQgNwzXpbt1LwsnWD9kXHf
cc @ActorExpose @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @sniko_ https://twitter.com/dubstard/status/1366851201686470658/photo/1
|
2021-03-02 20:41:36 |
6 |
neonprimetime |
live credential #phishing abusing @dropbox targeting @Office365 users
final domain: 2wag32vqfdsv3nzermj9ba-on.drv.tw
https://app.any.run/tasks/8fa4cbbb-a23d-4a7d-a2cf-14cddce73abc/ https://twitter.com/neonprimetime/status/1366848382153732102/photo/1
|
2021-03-02 20:30:23 |
7 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 66
VirusTotal: https://www.virustotal.com/gui/file/536e72b2445a6b84f17407affa4b6228eda08b7e60cd1bac9b02e4757bbebe15/detection/f-536e72b2445a6b84f17407affa4b6228eda08b7e60cd1bac9b02e4757bbebe15-1582092842
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2021-03-02 20:30:02 |
8 |
InQuest |
If you are looking for a real fun #maldoc to analyze, take a look at this #LokiBot sample. Appears to have a @swiftcommunity transaction themed lure.
https://labs.inquest.net/dfi/sha256/548296865b8b5a459b2b10452f1ae241e0a986f16bb926c0e32abede05382dc8 https://twitter.com/InQuest/status/1366848153203462146/photo/1
|
2021-03-02 20:29:29 |
9 |
wwp96 |
#bitrat @JAMESWT_MHT eni4.exe c2 via api.telegram.org
hxxp://hk-chemlab.com/plugin/eni4.exe
hxxp://hk-chemlab.com/plugin/best4.exe
2f97eae8d78bcbe6fcbb6e19be4bda85
7879ad6172d23092b29031d2bccaba26 - eni4.exe
https://app.any.run/tasks/c56eff7f-f8c5-4c54-9ca4-4365650c380f/
|
2021-03-02 19:57:28 |
10 |
wwp96 |
#LokiBot @hexlax @JAMESWT_MHT
hxxp://gilardoni-it.xyz/MY/five/fre.php
3ba6f23f9212861c618d968582f891e5
https://app.any.run/tasks/cdbc0530-3cf9-40d8-a25a-4c5a6ff4f7d3/
|
2021-03-02 19:49:16 |
11 |
OTX |
status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/lzyd2jz8jj3f?u=z0sjnqgvy67s
|
2021-03-02 19:44:11 |
12 |
wwp96 |
#vjworm @JAMESWT_MHT
hxxp://wodmainenew.xyz:1001/Vre
8caf8fd00757e2363f43aa3d2b7dd4a4
https://app.any.run/tasks/03f066cb-ee7e-4d0e-8ecd-64c513ea6c4d/
|
2021-03-02 19:42:52 |
13 |
wwp96 |
#opendir #floxif #neutrino @JAMESWT_MHT
hxxp://krntix.com/ntr/tasks.php
cfcb6a5c16929238bbfb020445160f3c
https://app.any.run/tasks/59e0ed0d-5f24-4adb-9a63-61a211c1259e/ https://twitter.com/wwp96/status/1366835703963934725/photo/1
|
2021-03-02 19:40:01 |
14 |
Racco42 |
#malspam "FACTURA N° 472-830" with .js attachment brings #wshrat
https://app.any.run/tasks/47099b5d-ba7c-4fd5-9989-ddb4a1c9a00f
C2: nitrot.duckdns.org:4561
|
2021-03-02 19:39:47 |
15 |
micham |
Why do services "provide" email addresses that bounce for days to no avail?
My report of a #phishing site (still up) targeting @1und1service to a @lolipopjp address (gathered from whois) will just burn up energy without a meaningful outcome. ¯\_(ツ)_/¯
https://www.virustotal.com/gui/url/54e1cfe8cce53c21b99b64d540b5b27a1d7ae3a9e2b136d66f2875510600afd0/detection https://twitter.com/micham/status/1366835210906574849/photo/1
|
2021-03-02 19:38:03 |
16 |
wwp96 |
#LokiBot @hexlax @JAMESWT_MHT
hxxp://hiqhway39clothing.com/zoro/zoro6/fre.php
43f9fd0e3e8bf66bee9581e616f870f5
https://app.any.run/tasks/0237678f-1d3c-4c63-a53b-6f62b6fe4651/
|
2021-03-02 19:30:36 |
17 |
wwp96 |
#LokiBot @hexlax @JAMESWT_MHT
hxxp://sunwindz.in.net/.cgi-in/fre.php
1f9ac8ae695caf124ea03af7f4853944
https://app.any.run/tasks/eca52689-17c4-4422-9e41-0f70c69f0f4d/
|
2021-03-02 19:30:18 |
18 |
RangXOR |
#Qealler is back 🆕
The #CnC server at 179.43.145.245 - currently hosted at @PrivateLayer
https://www.virustotal.com/gui/ip-address/179.43.145.245/community
New sample (discovered by @wwp96) appears to be an updated instance of the #infostealer - at first glance the code is slightly more sophisticated
1/2
|
2021-03-02 19:11:09 |
19 |
500mk500 |
@sysk1ll3r @malwrhunterteam @TRCert alcakpkk.net
cukurevimizidrisbabamiz.site
kahpeapo2023.net
rehberkuranhedefturan.site
sonosmanlidevleti.site
turkhavasahasi1.net
turkislamdevletleri.site
https://www.virustotal.com/gui/ip-address/47.254.133.23/relations
|
2021-03-02 18:59:36 |
20 |
phishunt_io |
#NewPhishing | #phishing #scam
🌐 /covid.scotiabank.ds04.teksideapps.online/
🚩 199.175.0.197
☁ TEKSIDEIO
🔒 R3 https://twitter.com/phishunt_io/status/1366825290203361287/photo/1
|
2021-03-02 18:58:38 |
21 |
micham |
If u tipsy, u need enkripsi?
#Indonesia #ikan #GoHome #enkripsi
Stay safe!
https://www.virustotal.com/gui/url/4a665c38b1d4d58329a7cf0a73ac2e38a82471dfbcb9fdc6174d5edae1f3760c/detection https://twitter.com/micham/status/1366819503745630208/photo/1
|
2021-03-02 18:35:38 |
22 |
MBThreatIntel |
New domain registered by #malsmoke threat actor to social engineer visitors to adult sites.
pornohdmovies.com
Our original blog:
https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/ https://twitter.com/MBThreatIntel/status/1366810023016337413/photo/1
|
2021-03-02 17:57:58 |
23 |
p5yb34m |
#Trickbot .dll (rob21 botnet):
://metalin-cr.com/appdata/datafile.php
.xls Sample:
https://bazaar.abuse.ch/sample/5249e43b972f40a78393ddc43b32e444c5ff30bd068078e63112a9da85abfcd5/
.dll Sample:
https://bazaar.abuse.ch/sample/cd1a99942b7a7e273ebf42e7435aeb7692fb90f38600a0282fa3ff605d9733e6/
Malware Config (C2s):
https://tria.ge/210302-1r1rkzhbzx
|
2021-03-02 17:33:57 |
24 |
MBThreatIntel |
Tech support scam #browlock
stadnewstoday.xyz
161.35.57.57 https://twitter.com/MBThreatIntel/status/1366800862069202946/photo/1
|
2021-03-02 17:21:34 |
25 |
kyleehmke |
Probable CloudAtlas domain ms-officeupdate.org (192.99.221.76) was registered on 3/1/21 using khalid.hussain@tutanota.com.
Previous report from @jfslowik/@DomainTools on probable related infrastructure: https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas
In @ThreatConnect: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=4658093532 https://twitter.com/kyleehmke/status/1366796835541684224/photo/1
|
2021-03-02 17:05:34 |
26 |
DeZio91 |
@LeonEbersmann @prepaidhosterDE Can't find anything there.
https://www.virustotal.com/gui/url/ea766832895499f83cd064f344c7e5953e8da04faa7af2d6c36ca2098cc2a8e6/detection
https://sitecheck.sucuri.net/results/https/webmail.prepaid-webspace.de
|
2021-03-02 16:56:23 |
27 |
kyleehmke |
Set of 2/22/21 suspicious Njalla-registered domains hosted at 80.78.23.11:
endpoint.fail
endpoint.support
connect.flights
Some Njalla domains from 2/19 probably related:
endpoint.live (37.120.193.206)
endpoint.bet https://twitter.com/kyleehmke/status/1366789816789176333/photo/1
|
2021-03-02 16:37:40 |
28 |
James_inthe_box |
It's past time to start nuking this #lokibot c2 IP @ovh_support_en
51.195.53.221
been like this for months now.. https://twitter.com/James_inthe_box/status/1366789522864803842/photo/1
|
2021-03-02 16:36:30 |
29 |
andpalmier |
http://verifica-sicurezza-online.com
🗒 @tldsol
🔐 @letsencrypt
☢️ 103.153.183.33 (AS140947)
🔍 https://urlscan.io/result/135f7daa-4e28-4dd2-82b2-3e3d12b3069a/
https://archivioclienti.me/info/index.php
🗒 @NameCheap
🔐 @SectigoHQ
☢️ 192.64.117.203 (AS22612)
🔍 https://urlscan.io/result/5afb88d4-034e-4471-abf9-b3555e46c6b1/
|
2021-03-02 16:35:40 |
30 |
andpalmier |
http://portale-cliente-me-x.com
🗒 #publicdomainregistry
🔐 @letsencrypt
☢️ 207.174.212.247 (AS394695)
🔍 https://urlscan.io/result/e73e168a-d5d0-4a2e-b08a-ff25a11961dc/
https://portale-cliente-me-x.com
🗒 @gandi_net
🔐 @CloudflareHelp
☢️ 207.174.212.247 (AS394695)
🔍 https://urlscan.io/result/811e991b-586c-4c51-9e17-dc355673be70/
|
2021-03-02 16:35:39 |
31 |
andpalmier |
https://www.intesasicur-web.com
🗒 @NameCheap
🔐 @SectigoHQ
☢️ 192.64.117.163 (AS22612)
🔍 https://urlscan.io/result/843ad07a-fe07-47eb-a1ee-0bbcbecc8394/
http://procedi-per-i-nuovi-criteri2021.profit-groupe.net
🗒 @PROFITGroupe
🔐 @cpanel
☢️ 5.39.67.131 (AS16276)
🔍 https://urlscan.io/result/b7dc770b-5807-4925-ad5c-ef2ad3e56c80/
|
2021-03-02 16:35:39 |
32 |
andpalmier |
http://gruppo-isp-banking-secur.com
🗒 @NameCheap
🔐 @SectigoHQ
☢️ 162.0.209.203 (AS22612)
🔍 https://urlscan.io/result/ed56f36f-8de6-4134-bc8d-3a892b4c39e4/
https://www.dominio-security-isp.com
🗒 @NameCheap
🔐 @SectigoHQ
☢️ 162.0.215.5 (AS22612)
🔍 https://urlscan.io/result/9c0d3a87-a0e8-46c8-965b-18107050288e/
|
2021-03-02 16:35:39 |
33 |
andpalmier |
#mwitaly
🎣 active #phishing targeting Italian banks 🇮🇹
CC @JAMESWT_MHT
🎯 @intesasanpaolo @INGItalia
🚨 list includes compromised sites
list: https://gist.github.com/andpalmier/5e74c6469e894b29cfc2cca1442965d7
Thread for info ⬇️ https://twitter.com/andpalmier/status/1366789305042145293/photo/1
|
2021-03-02 16:35:38 |
34 |
reecdeep |
#FormBook #Malware targets #Italy 🇮🇹 02/03/2021
"PAGAMENTO Fattura"
https://app.any.run/tasks/e2fb9cb5-511e-4b2c-b643-2345e6a9f74c
🔥
https://tria.ge/210302-2b41wctf52
Using NSIS + hardened loader (7vjan5zljeas9uo.dll)
#infosec #CyberSecurity #cybercrime #Security #cyber
|
2021-03-02 16:29:06 |
35 |
fmondini |
GitHub #Squatting #Campaign
#XForce has identified a new squatting campaign used by #threat actors to target the #media sector. The campaign has a global scope, presumably luring users into giving away their login #credentials.
#Phishing. #Credential #Theft
https://exchange.xforce.ibmcloud.com/collection/d0e5b562efc4f5caf7a9c0e4b41e4cf2
|
2021-03-02 16:18:14 |
36 |
fmondini |
LinkedIn #Squatting #Campaign
#XForce has identified a new squatting campaign used by #threat actors to target the #media sector. The campaign has a global scope, presumably luring users into giving away their login credentials.
#Phishing. #CredentialTheft
https://exchange.xforce.ibmcloud.com/collection/6b8bc4ff097549974c6be2fa8c588b22
|
2021-03-02 16:15:00 |
37 |
kyleehmke |
Suspicious domain perslime.com was registered through Njalla on 2/25/21 and is hosted at 80.92.206.186. https://twitter.com/kyleehmke/status/1366784059419033604/photo/1
|
2021-03-02 16:14:48 |
38 |
kyleehmke |
Suspicious domain killyheal.com was registered through Aminserve on 2/24/21 using xiomararhitz@protonmail.com and is hosted at 91.228.218.66. https://twitter.com/kyleehmke/status/1366781046843449353/photo/1
|
2021-03-02 16:02:49 |
39 |
InQuest |
#opendir with Phish kit and source code:
paulhofstadler.com
Poses as locked invoice document requiring sign-in to view. https://twitter.com/InQuest/status/1366777783142260743/photo/1
|
2021-03-02 15:49:51 |
40 |
r3dbU7z |
https://www.virustotal.com/gui/file/2417357dd09e9c1a7992de3d4daca9c3fefb8661e931a11f3e15f655fc8a596c/detection https://twitter.com/r3dbU7z/status/1366773363146952709/photo/1
|
2021-03-02 15:32:17 |
41 |
500mk500 |
@B0rys_Grishenko @PaczkomatyPL @apkdetect @CSIRT_KNF @CERT_OPL @CERT_Polska @PPiekutowski @ThreatLabsPL As far as I can see/guess: all *.ga, *.top, *.tw domains for 2021 year could be covered as #Android #Cerberus detection: https://www.virustotal.com/gui/ip-address/47.254.157.47/relations
|
2021-03-02 15:30:37 |
42 |
siri_urz |
https://www.first.org/events/web/cti-apr2021/ Call for Speakers
|
2021-03-02 15:15:01 |
43 |
James_inthe_box |
doc hash:
9567ee669eaeb8ec571d37759c0e9e3c6f8d6f5c711039a3745296084e2f900f
dll hash:
46ef7a76af23c6b073fabeb7242c7b5727c379a07cc1081532212e4ba2132abe
|
2021-03-02 15:08:34 |
44 |
siri_urz |
F194605B1026C00A6DB40ADAD0D4E165 Dropper ^^
|
2021-03-02 15:04:32 |
45 |
James_inthe_box |
Incoming #hancitor run. DocuSign subject. @google doc links. metalplessparts.net sender:
https://docs.google.com/document/d/e/2PACX-1vT38Zmi5k1sCKdNRCaTa4nd8Pyf0m3Gvb0NIK5jOQAOXHMBzCHtkuYRMzGRMthBT3W61R2fjerYgid3/pub https://twitter.com/James_inthe_box/status/1366766147182321668/photo/1
|
2021-03-02 15:03:37 |
46 |
siri_urz |
E48D9011E9A01A48EE04ED4E05E335EE
Snake MBR Killer
C:\Users\kaise\Downloads\overwrite_mbr-master\overwrite_mbr\Release\Release.pdb https://twitter.com/siri_urz/status/1366765487657484296/photo/1
|
2021-03-02 15:01:00 |
47 |
h2jazi |
The actor has used a new dynamic DNS domain:
varifsecuripass.duckdns.org
159.89.238.15
1beb2cc546e7cd8a4aac6c76eacc4dfc
"BANK TRANSFER CONFIRMATION.zip"
|
2021-03-02 14:53:21 |
48 |
siri_urz |
3729FEA74EC3A3081A1EE7E92BA2BB64
TheWarehouse #Ransomware (TheSynt4x)
C:\Users\gigaz\Downloads\TheWarehouse-master\TheWarehouse-master\TheWarehouse2\obj\Debug\TheWarehouse.pdb https://twitter.com/siri_urz/status/1366760764716023822/photo/1
|
2021-03-02 14:42:14 |
49 |
kyleehmke |
Per @urlscanio, two of the domains -- ffoxnewz.com and tesiaa.com -- redirect to or host redirected content from the legitimate Fox and BBC websites, respectively. https://twitter.com/kyleehmke/status/1366759681486643206/photo/1
|
2021-03-02 14:37:55 |
50 |
kyleehmke |
Set of suspicious domains registered on 2/16 through MonoVM using panthebt@protonmail.com:
bbcsworld.com (185.243.114.102)
ffoxnewz.com (161.129.64.104)
redeitt.com (45.86.163.221)
tesiaa.com (46.30.188.198)
In @ThreatConnect: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=4658049688 https://twitter.com/kyleehmke/status/1366759676789084169/photo/1
|
2021-03-02 14:37:54 |