Twitter IOC Hunter

Last 5 Entries

ID	User	Tweet	Date
1	nekomimimaiden	電車でD SS 13パッチ： https://www.dropbox.com/s/qrobg6bit8fmy45/dend_ss_ver113_all.zip?dl= 1 ハッシュ値： https://www.dropbox.com/s/wwp3tqx3g528fh2/dend_ss_ver113_check_sum_utf8.txt?dl= 1 カスペルスキー＆ウイルストータル（ https://www.virustotal.com/gui/file/b677418ffd65ec8f1952f33309733be871472e4dd5719dcba7b264c4a6412843/detection ）では脅威なし。アップデートパス： https://twitter.com/nekomimimaiden/status/1366874644024725505/photo/1	2021-03-02 22:14:45
2	neonprimetime	#malware received today 3/2/2021 subject: order 09748 Package attachment: invoice.jnlp download url: invoicesecure.net/documents https://www.joesandbox.com/analysis/361228/0/html https://www.virustotal.com/gui/file/91c8702137880cebf55f89e1d0b07df0c7c05b277850879384fa1dfe7470006c/community https://twitter.com/neonprimetime/status/1366868658954194945/photo/1	2021-03-02 21:50:58
3	bl4ckh0l3z	@malwrhunterteam #donot confirmed. 💻 C2: shortler.xyz	2021-03-02 21:43:37
4	3eslan	أفضل 6 مواقع لفحص جهازك وملفاتك أون لاين وإزالة الفيروسات بدون تثبيت أي شئ 1- https://metadefender.opswat.com/?lang= en 2 - https://virustotal.com/gui/home/search 3- https://pandasecurity.com/en/homeusers/solutions/cloud-cleaner/ 4- https://eset.com/uk/home/online-scanner/ 5- https://lite.al/jOTmV 6- https://virscan.org https://twitter.com/3eslan/status/1366857193904046083/photo/1	2021-03-02 21:05:24
5	dubstard	🎯 Fake Elon Musk "giveaway" scam ⚠ /ilogivemus-2021.info ☣ AS50465 193.106.175.25 🌐 @regru 🖧 IQHost Ξ 0xeD80d06d49EFcB4FAc90546De2b8d71Bb2f724C0 ₿ 12Ss9yu4pvQWjQgNwzXpbt1LwsnWD9kXHf cc @ActorExpose @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @sniko_ https://twitter.com/dubstard/status/1366851201686470658/photo/1	2021-03-02 20:41:36
6	neonprimetime	live credential #phishing abusing @dropbox targeting @Office365 users final domain: 2wag32vqfdsv3nzermj9ba-on.drv.tw https://app.any.run/tasks/8fa4cbbb-a23d-4a7d-a2cf-14cddce73abc/ https://twitter.com/neonprimetime/status/1366848382153732102/photo/1	2021-03-02 20:30:23
7	HeliosCert	@HeliosCert Sample analysed on #virustotal VirusTotal-Score: 66 VirusTotal: https://www.virustotal.com/gui/file/536e72b2445a6b84f17407affa4b6228eda08b7e60cd1bac9b02e4757bbebe15/detection/f-536e72b2445a6b84f17407affa4b6228eda08b7e60cd1bac9b02e4757bbebe15-1582092842 Threat: Ransom_WCRY.SMALYM (TrendMicro)	2021-03-02 20:30:02
8	InQuest	If you are looking for a real fun #maldoc to analyze. take a look at this #LokiBot sample. Appears to have a @swiftcommunity transaction themed lure. https://labs.inquest.net/dfi/sha256/548296865b8b5a459b2b10452f1ae241e0a986f16bb926c0e32abede05382dc8 https://twitter.com/InQuest/status/1366848153203462146/photo/1	2021-03-02 20:29:29
9	wwp96	#bitrat @JAMESWT_MHT eni4.exe c2 via api.telegram.org hxxp://hk-chemlab.com/plugin/eni4.exe hxxp://hk-chemlab.com/plugin/best4.exe 2f97eae8d78bcbe6fcbb6e19be4bda85 7879ad6172d23092b29031d2bccaba26 - eni4.exe https://app.any.run/tasks/c56eff7f-f8c5-4c54-9ca4-4365650c380f/	2021-03-02 19:57:28
10	wwp96	#LokiBot @hexlax @JAMESWT_MHT hxxp://gilardoni-it.xyz/MY/five/fre.php 3ba6f23f9212861c618d968582f891e5 https://app.any.run/tasks/cdbc0530-3cf9-40d8-a25a-4c5a6ff4f7d3/	2021-03-02 19:49:16
11	OTX	status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/lzyd2jz8jj3f?u= z0sjnqgvy67s	2021-03-02 19:44:11
12	wwp96	#vjworm @JAMESWT_MHT hxxp://wodmainenew.xyz:1001/Vre 8caf8fd00757e2363f43aa3d2b7dd4a4 https://app.any.run/tasks/03f066cb-ee7e-4d0e-8ecd-64c513ea6c4d/	2021-03-02 19:42:52
13	wwp96	#opendir #floxif #neutrino @JAMESWT_MHT hxxp://krntix.com/ntr/tasks.php cfcb6a5c16929238bbfb020445160f3c https://app.any.run/tasks/59e0ed0d-5f24-4adb-9a63-61a211c1259e/ https://twitter.com/wwp96/status/1366835703963934725/photo/1	2021-03-02 19:40:01
14	Racco42	#malspam " FACTURA N° 472-830" with .js attachment brings #wshrat https://app.any.run/tasks/47099b5d-ba7c-4fd5-9989-ddb4a1c9a00f C2: nitrot.duckdns.org:4561	2021-03-02 19:39:47
15	micham	Why do services "provide" email addresses that bounce for days to no avail? My report of a #phishing site (still up) targeting @1und1service to a @lolipopjp address (gathered from whois) will just burn up energy without a meaningful outcome. ¯\_(ツ)_/¯ https://www.virustotal.com/gui/url/54e1cfe8cce53c21b99b64d540b5b27a1d7ae3a9e2b136d66f2875510600afd0/detection https://twitter.com/micham/status/1366835210906574849/photo/1	2021-03-02 19:38:03
16	wwp96	#LokiBot @hexlax @JAMESWT_MHT hxxp://hiqhway39clothing.com/zoro/zoro6/fre.php 43f9fd0e3e8bf66bee9581e616f870f5 https://app.any.run/tasks/0237678f-1d3c-4c63-a53b-6f62b6fe4651/	2021-03-02 19:30:36
17	wwp96	#LokiBot @hexlax @JAMESWT_MHT hxxp://sunwindz.in.net/.cgi-in/fre.php 1f9ac8ae695caf124ea03af7f4853944 https://app.any.run/tasks/eca52689-17c4-4422-9e41-0f70c69f0f4d/	2021-03-02 19:30:18
18	RangXOR	#Qealler is back 🆕 The #CnC server at 179.43.145.245 - currently hosted at @PrivateLayer https://www.virustotal.com/gui/ip-address/179.43.145.245/community New sample (discovered by @wwp96) appears to be an updated instance of the #infostealer - at first glance the code is slightly more sophisticated 1/2	2021-03-02 19:11:09
19	500mk500	@sysk1ll3r @malwrhunterteam @TRCert alcakpkk.net cukurevimizidrisbabamiz.site kahpeapo2023.net rehberkuranhedefturan.site sonosmanlidevleti.site turkhavasahasi1.net turkislamdevletleri.site https://www.virustotal.com/gui/ip-address/47.254.133.23/relations	2021-03-02 18:59:36
20	phishunt_io	#NewPhishing \| #phishing #scam 🌐 /covid.scotiabank.ds04.teksideapps.online/ 🚩 199.175.0.197 ☁ TEKSIDEIO 🔒 R3 https://twitter.com/phishunt_io/status/1366825290203361287/photo/1	2021-03-02 18:58:38
21	micham	If u tipsy. u need enkripsi? #Indonesia #ikan #GoHome #enkripsi Stay safe! https://www.virustotal.com/gui/url/4a665c38b1d4d58329a7cf0a73ac2e38a82471dfbcb9fdc6174d5edae1f3760c/detection https://twitter.com/micham/status/1366819503745630208/photo/1	2021-03-02 18:35:38
22	MBThreatIntel	New domain registered by #malsmoke threat actor to social engineer visitors to adult sites. pornohdmovies.com Our original blog: https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/ https://twitter.com/MBThreatIntel/status/1366810023016337413/photo/1	2021-03-02 17:57:58
23	p5yb34m	#Trickbot .dll (rob21 botnet): ://metalin-cr.com/appdata/datafile.php .xls Sample: https://bazaar.abuse.ch/sample/5249e43b972f40a78393ddc43b32e444c5ff30bd068078e63112a9da85abfcd5/ .dll Sample: https://bazaar.abuse.ch/sample/cd1a99942b7a7e273ebf42e7435aeb7692fb90f38600a0282fa3ff605d9733e6/ Malware Config (C2s): https://tria.ge/210302-1r1rkzhbzx	2021-03-02 17:33:57
24	MBThreatIntel	Tech support scam #browlock stadnewstoday.xyz 161.35.57.57 https://twitter.com/MBThreatIntel/status/1366800862069202946/photo/1	2021-03-02 17:21:34
25	kyleehmke	Probable CloudAtlas domain ms-officeupdate.org (192.99.221.76) was registered on 3/1/21 using khalid.hussain@tutanota.com. Previous report from @jfslowik/@DomainTools on probable related infrastructure: https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas In @ThreatConnect: https://app.threatconnect.com/auth/incident/incident.xhtml?incident= 4658093532 https://twitter.com/kyleehmke/status/1366796835541684224/photo/1	2021-03-02 17:05:34
26	DeZio91	@LeonEbersmann @prepaidhosterDE Kann da nichts feststellen. https://www.virustotal.com/gui/url/ea766832895499f83cd064f344c7e5953e8da04faa7af2d6c36ca2098cc2a8e6/detection https://sitecheck.sucuri.net/results/https/webmail.prepaid-webspace.de	2021-03-02 16:56:23
27	kyleehmke	Set of 2/22/21 suspicious Njalla-registered domains hosted at 80.78.23.11: endpoint.fail endpoint.support connect.flights Some Njalla domains from 2/19 probably related: endpoint.live (37.120.193.206) endpoint.bet https://twitter.com/kyleehmke/status/1366789816789176333/photo/1	2021-03-02 16:37:40
28	James_inthe_box	It's past time to start nuking this #lokibot c2 IP @ovh_support_en 51.195.53.221 been like this for months now.. https://twitter.com/James_inthe_box/status/1366789522864803842/photo/1	2021-03-02 16:36:30
29	andpalmier	http://verifica-sicurezza-online.com 🗒 @tldsol 🔐 @letsencrypt ☢️ 103.153.183.33 (AS140947) 🔍 https://urlscan.io/result/135f7daa-4e28-4dd2-82b2-3e3d12b3069a/ https://archivioclienti.me/info/index.php 🗒 @NameCheap 🔐 @SectigoHQ ☢️ 192.64.117.203 (AS22612) 🔍 https://urlscan.io/result/5afb88d4-034e-4471-abf9-b3555e46c6b1/	2021-03-02 16:35:40
30	andpalmier	http://portale-cliente-me-x.com 🗒 #publicdomainregistry 🔐 @letsencrypt ☢️ 207.174.212.247 (AS394695) 🔍 https://urlscan.io/result/e73e168a-d5d0-4a2e-b08a-ff25a11961dc/ https://portale-cliente-me-x.com 🗒 @gandi_net 🔐 @CloudflareHelp ☢️ 207.174.212.247 (AS394695) 🔍 https://urlscan.io/result/811e991b-586c-4c51-9e17-dc355673be70/	2021-03-02 16:35:39
31	andpalmier	https://www.intesasicur-web.com 🗒 @NameCheap 🔐 @SectigoHQ ☢️ 192.64.117.163 (AS22612) 🔍 https://urlscan.io/result/843ad07a-fe07-47eb-a1ee-0bbcbecc8394/ http://procedi-per-i-nuovi-criteri2021.profit-groupe.net 🗒 @PROFITGroupe 🔐 @cpanel ☢️ 5.39.67.131 (AS16276) 🔍 https://urlscan.io/result/b7dc770b-5807-4925-ad5c-ef2ad3e56c80/	2021-03-02 16:35:39
32	andpalmier	http://gruppo-isp-banking-secur.com 🗒 @NameCheap 🔐 @SectigoHQ ☢️ 162.0.209.203 (AS22612) 🔍 https://urlscan.io/result/ed56f36f-8de6-4134-bc8d-3a892b4c39e4/ https://www.dominio-security-isp.com 🗒 @NameCheap 🔐 @SectigoHQ ☢️ 162.0.215.5 (AS22612) 🔍 https://urlscan.io/result/9c0d3a87-a0e8-46c8-965b-18107050288e/	2021-03-02 16:35:39
33	andpalmier	#mwitaly 🎣 active #phishing targeting italian banks 🇮🇹 CC @JAMESWT_MHT 🎯 @intesasanpaolo @INGItalia 🚨 list include compromised sites list: https://gist.github.com/andpalmier/5e74c6469e894b29cfc2cca1442965d7 Thread for info ⬇️ https://twitter.com/andpalmier/status/1366789305042145293/photo/1	2021-03-02 16:35:38
34	reecdeep	#FormBook #Malware targets #Italy 🇮🇹 02/03/2021 "PAGAMENTO Fattura" https://app.any.run/tasks/e2fb9cb5-511e-4b2c-b643-2345e6a9f74c 🔥 https://tria.ge/210302-2b41wctf52 Using NSIS + hardened loader (7vjan5zljeas9uo.dll) #infosec #CyberSecurity #cybercrime #Security #cyber	2021-03-02 16:29:06
35	fmondini	GitHub #Squatting #Campaign #XForce has identified a new squatting campaign used by #threat actors to target #media sector. The campaign has a global scope assumingly luring users into giving away their login #credentials. #Phishing. #Credential #Theft https://exchange.xforce.ibmcloud.com/collection/d0e5b562efc4f5caf7a9c0e4b41e4cf2	2021-03-02 16:18:14
36	fmondini	LinkedIn #Squatting #Campaign #XForce has identified a new squatting campaign used by #threat actors to target #media sector. The campaign has a global scope assumingly luring users into giving away their login credentials. #Phishing. #CredentialTheft https://exchange.xforce.ibmcloud.com/collection/6b8bc4ff097549974c6be2fa8c588b22	2021-03-02 16:15:00
37	kyleehmke	Suspicious domain perslime.com was registered through Njalla on 2/25/21 and is hosted at 80.92.206.186. https://twitter.com/kyleehmke/status/1366784059419033604/photo/1	2021-03-02 16:14:48
38	kyleehmke	Suspicious domain killyheal.com was registered through Aminserve on 2/24/21 using xiomararhitz@protonmail.com and is hosted at 91.228.218.66. https://twitter.com/kyleehmke/status/1366781046843449353/photo/1	2021-03-02 16:02:49
39	InQuest	#opendir with Phish kit and source code: paulhofstadler.com Poses as locked invoice document requiring sign-in to view. https://twitter.com/InQuest/status/1366777783142260743/photo/1	2021-03-02 15:49:51
40	r3dbU7z	https://www.virustotal.com/gui/file/2417357dd09e9c1a7992de3d4daca9c3fefb8661e931a11f3e15f655fc8a596c/detection https://twitter.com/r3dbU7z/status/1366773363146952709/photo/1	2021-03-02 15:32:17
41	500mk500	@B0rys_Grishenko @PaczkomatyPL @apkdetect @CSIRT_KNF @CERT_OPL @CERT_Polska @PPiekutowski @ThreatLabsPL As far as I can see/guess: all .ga. .top. *.tw domains for 2021 year could be covered as #Android #Cerberus detection: https://www.virustotal.com/gui/ip-address/47.254.157.47/relations	2021-03-02 15:30:37
42	siri_urz	https://www.first.org/events/web/cti-apr2021/ Call for Speakers	2021-03-02 15:15:01
43	James_inthe_box	doc hash: 9567ee669eaeb8ec571d37759c0e9e3c6f8d6f5c711039a3745296084e2f900f dll hash: 46ef7a76af23c6b073fabeb7242c7b5727c379a07cc1081532212e4ba2132abe	2021-03-02 15:08:34
44	siri_urz	F194605B1026C00A6DB40ADAD0D4E165 Dropper ^^	2021-03-02 15:04:32
45	James_inthe_box	Incoming #hancitor run. DocuSign subject. @google doc links. metalplessparts.net sender: https://docs.google.com/document/d/e/2PACX-1vT38Zmi5k1sCKdNRCaTa4nd8Pyf0m3Gvb0NIK5jOQAOXHMBzCHtkuYRMzGRMthBT3W61R2fjerYgid3/pub https://twitter.com/James_inthe_box/status/1366766147182321668/photo/1	2021-03-02 15:03:37
46	siri_urz	E48D9011E9A01A48EE04ED4E05E335EE Snake MBR Killer C:\Users\kaise\Downloads\overwrite_mbr-master\overwrite_mbr\Release\Release.pdb https://twitter.com/siri_urz/status/1366765487657484296/photo/1	2021-03-02 15:01:00
47	h2jazi	The actor has used a new dynamic DNS domain: varifsecuripass.duckdns.org 159.89.238.15 1beb2cc546e7cd8a4aac6c76eacc4dfc "BANK TRANSFER CONFIRMATION.zip"	2021-03-02 14:53:21
48	siri_urz	3729FEA74EC3A3081A1EE7E92BA2BB64 TheWarehouse #Ransomware (TheSynt4x) C:\Users\gigaz\Downloads\TheWarehouse-master\TheWarehouse-master\TheWarehouse2\obj\Debug\TheWarehouse.pdb https://twitter.com/siri_urz/status/1366760764716023822/photo/1	2021-03-02 14:42:14
49	kyleehmke	Per @urlscanio. two of the domains -- ffoxnewz.com and tesiaa.com -- redirect to or host redirected content from the legitimate Fox and BBC websites. respectively. https://twitter.com/kyleehmke/status/1366759681486643206/photo/1	2021-03-02 14:37:55
50	kyleehmke	Set of suspicious domains registered on 2/16 through MonoVM using panthebt@protonmail.com: bbcsworld.com (185.243.114.102) ffoxnewz.com (161.129.64.104) redeitt.com (45.86.163.221) tesiaa.com (46.30.188.198) In @ThreatConnect: https://app.threatconnect.com/auth/incident/incident.xhtml?incident= 4658049688 https://twitter.com/kyleehmke/status/1366759676789084169/photo/1	2021-03-02 14:37:54