Last 5 Entries

ID User Tweet Date
1 bad_packets 4 transactions now. total received stands at 0.30863173 BTC (~$5.800 USD) https://www.blockchain.com/btc/address/1Eo9FKmAkNg8UAR4xj6F15Y53phFutzSys https://twitter.com/bad_packets/status/1334991685021929472/photo/1 2020-12-04 22:43:15
2 OTX status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/8qbycktrwnf2?u=m813w62v70kp 2020-12-04 21:46:09
3 malware_traffic From 2020-12-02 (Wednesday) to 2020-12-03 (Thursday). I ran a #Qakbot infection and saw #CobaltStrike activity several hours later - Also saw a small bit of HTTPS traffic to www.coolwick.com - Paste of info: https://pastebin.com/z36CxZ5z - Pastebin raw: https://pastebin.com/raw/z36CxZ5z https://twitter.com/malware_traffic/status/1334969751509094402/photo/1 2020-12-04 21:16:05
4 jaimeblascob @InQuest Fair amount of other payloads hosted there as well as files reaching out to the IP https://otx.alienvault.com/indicator/ip/216.170.114.70 2020-12-04 20:25:47
5 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 66 VirusTotal: https://www.virustotal.com/gui/file/6eab7bffc475c38a72197435609ca3a46551af56cc55540d793dd9329a00ee64/detection/f-6eab7bffc475c38a72197435609ca3a46551af56cc55540d793dd9329a00ee64-1579173798 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 20:25:02
6 lazyactivist192 #Qakbot/#Qbot spun up their "041220.gif" campaign, using binaries signed by "APOTHEKA. s.r.o." again. Sheets are fairly low detection rate at 2/70. https://pastebin.com/K9Ayg4Yq 2020-12-04 20:21:15
7 OTX status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/d614vhs28ltn?u=1rvbx4y6q9wy 2020-12-04 19:26:43
8 InQuest @FewAtoms Nice find... looks like they did some storage refactoring since our first Tweet. That RTF document hash has changed as well. Now it's 0579b258d0be73b20cd434e8004e2bcd134f3277915f30f743f03f9b55fe0cf6 2020-12-04 19:12:23
9 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 64 VirusTotal: https://www.virustotal.com/gui/file/44533af9de63dd3fac4a9fbba9b6831496b9121eb3ce221145926c3d6b37310e/detection/f-44533af9de63dd3fac4a9fbba9b6831496b9121eb3ce221145926c3d6b37310e-1606723218 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 19:05:02
10 bad_packets DNS-hijacking exploit attempts ongoing targeting D-Link and ZTE routers. Rogue DNS server 192.95.59.130 (🇨🇦) still online. Target: 🇧🇷 banks. per @siimi_m_ #threatintel https://twitter.com/bad_packets/status/1330346587126632451 https://twitter.com/bad_packets/status/1334934875615326208/photo/1 2020-12-04 18:57:30
11 phishunt_io #NewPhishing | #phishing #scam 🌐 /lnstagram-help-center-copyrght.ml/ 🚩 172.67.195.216 ☁ CLOUDFLARENET https://twitter.com/phishunt_io/status/1334930847129104384/photo/1 2020-12-04 18:41:30
12 James_inthe_box @bofheaded @malwrhunterteam @DissectMalware @Malwageddon @anyrun_app A few more: https://www.hybrid-analysis.com/yara-search/results/6b47f8b4f94b047438dee92594c27ad1513ad2c3f55caec8d37a4db42d913c4a 2020-12-04 18:16:16
13 James_inthe_box @bofheaded @malwrhunterteam @DissectMalware @Malwageddon So your run is a bundle... attempts to drop: http://212.80.219.173/googlemap.exe http://185.243.113.10/lexus.exe attrib is the same as the @anyrun_app I tweeted. https://twitter.com/James_inthe_box/status/1334921171570098177/photo/1 2020-12-04 18:03:03
14 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 62 VirusTotal: https://www.virustotal.com/gui/file/9395b8f1ef8bd964b349b320a5079816bae8b676caa2d8df17a69d41009eab1d/detection/f-9395b8f1ef8bd964b349b320a5079816bae8b676caa2d8df17a69d41009eab1d-1600061998 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 17:55:02
15 OTX status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/4rmxncld1xg3?u=x7wgvv1r3vlk 2020-12-04 17:32:52
16 ffforward Friday #qbot #qakbot #quakbot inc. Complaint-Letter_*_12042020.zip XLS https://bazaar.abuse.ch/sample/bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823/ ⬇ https://urlhaus.abuse.ch/url/889019/ DLL https://bazaar.abuse.ch/sample/679f9013eedb140beadc91e4983d4cef7adbc6b5fdfdb77ad74ad82dd67d2e4e/ #Signed "AGRO - KOVO spol. s r. o." Config by @hatching_io ❤️ https://tria.ge/201204-6h2bnpww5a cc @JAMESWT_MHT @James_inthe_box https://twitter.com/ffforward/status/1334893984901160962/photo/1 2020-12-04 16:15:01
17 ffforward Another #AgentTesla. Exfils to /mail.yandex.com with TLS so obviously Iranian APT trying to masquerade as Russian APT. https://bazaar.abuse.ch/sample/37bac12dc8f7e3aa6ac6a2856d932c46b30945043f097097753cd9abf78323e7/ cc @JAMESWT_MHT https://twitter.com/ffforward/status/1334886010459738113/photo/1 2020-12-04 15:43:20
18 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 64 VirusTotal: https://www.virustotal.com/gui/file/1c4a7589d26c97c38d4f826242b6740b35441e43ddd7394d399dbf94ab868483/detection/f-1c4a7589d26c97c38d4f826242b6740b35441e43ddd7394d399dbf94ab868483-1606797618 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 15:25:02
19 JAMESWT_MHT #VelvetSweatshop xlsx caught by @abuse_ch https://bazaar.abuse.ch/browse/tag/VelvetSweatshop/ Drop #AgentTesla https://bazaar.abuse.ch/sample/00f5c6bba9ef3a6af2ae5195c89e46529744e9cf4eabe9d1d8959a068970b93a/ https://bazaar.abuse.ch/sample/a72ee397635337a52d81d5a1d5bea4c48a375af13dc2848737f21c0577ab17b5/ https://bazaar.abuse.ch/sample/11984c9c8d7bfe34b27fd41ea7f08f7b97923a8c4cf0316138d34bd90cb1a38a https://bazaar.abuse.ch/sample/b457e5f6faf9eb8c70d0350ff57869f011cd1c4abdf6db5d6335797e33ae7d10/ Urls https://urlhaus.abuse.ch/browse/tag/VelvetSweatshop/ https://urlhaus.abuse.ch/url/888515/ cc @malwrhunterteam @FBussoletti @cocaman https://twitter.com/JAMESWT_MHT/status/1334878767714537472/photo/1 2020-12-04 15:14:33
20 ffforward Some skidware #agenttesla-like #stealer targeting 🇪🇸. Exfils to /mail.crealuz.es. Not the first to do so. https://bazaar.abuse.ch/sample/8e9adb1c076c14c7316dcba86cfa55987aa194f9cb189c79bc22e617c0d65252/ cc @JAMESWT_MHT https://twitter.com/ffforward/status/1334877492251938823/photo/1 2020-12-04 15:09:29
21 amitaiz To Shirbit's "credit" it should be said that the malware that apparently hit the company (ClearSky report) is detected by only 7 out of 70 antivirus tools. Among them, by the way, SentinelOne 💪. Another question: I don't know why the communication with the C&C server was not blocked via DNS or the firewall. I'd be glad to hear from people who understand: https://www.virustotal.com/gui/file/96cc69242a7900810c4d2e9f3f55aad8edb89137959f4c370f80a6e574ddc201/detection 2020-12-04 14:45:40
22 siri_urz .SYTCO 811C6DE9CE787C8D540A09795A5673C1 Conti Ransomware https://twitter.com/siri_urz/status/1334870080488939521/photo/1 2020-12-04 14:40:02
23 dubstard 🎯 @fbsecurity @Facebook ⚠ /yazpara[.]com ☣ AS22612 199.188.201.148 🇺🇸 🖧🌐 Namecheap 🔐 @SectigoHQ @sectigostore @JAMESWT_MHT @JCyberSec_ @whale_it 🔙 🔎 Same IP already seen and reported before. abuse continues: 🔗 https://twitter.com/dubstard/status/1313149617354272770 🔗 https://twitter.com/JCyberSec_/status/1313434143691362305 https://twitter.com/dubstard/status/1334868056909209603/photo/1 2020-12-04 14:32:00
24 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 65 VirusTotal: https://www.virustotal.com/gui/file/07ddc1174619fa3982bf105cb95b1ba5bb7e55c2a6977ac8a387536c0bbd4f00/detection/f-07ddc1174619fa3982bf105cb95b1ba5bb7e55c2a6977ac8a387536c0bbd4f00-1605960378 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 14:10:02
25 andpalmier https://verifica.ora-online.help/ 🗒️ @hostinger 🔐 @letsencrypt ☣️ 2.57.89.81 (AS47583) 🔍 https://urlscan.io/result/71bc0c40-c3f7-4ace-8b0c-f288a347ec83/ https://twitter.com/andpalmier/status/1334861854406021120/photo/1 2020-12-04 14:07:21
26 andpalmier https://normativacertificata-dati.com/ 🗒️ @Namecheap 🔐 @SectigoHQ ☣️ 162.0.209.241 (AS22612) 🔍 https://urlscan.io/result/60ef0633-24b6-424f-80c5-1da3ca0a886a/ https://accesso.clienti.portale.jameka.net 🗒️ @ardhosting 🔐 @letsencrypt ☣️ 103.20.190.12 (AS45731) 🔍 https://urlscan.io/result/95802f7d-cc46-4351-9a1a-129df922aadc/ https://twitter.com/andpalmier/status/1334861849716781056/photo/1 2020-12-04 14:07:20
27 andpalmier https://lnformazionesicurezza-online.com/ 🗒️ @internetbs 🔐 @letsencrypt ☣️ 185.224.137.56 (AS47583) 🔍 https://urlscan.io/result/d6af7c26-fd4d-4512-b86f-4befabb28e82/ https://portalesanpaolo.com/index 🗒️ @Namecheap 🔐 @SectigoHQ ☣️ 162.0.209.240 (AS22612) 🔍 https://urlscan.io/result/e9e431f7-5bb2-4863-9241-2fa75dbbf186/ https://twitter.com/andpalmier/status/1334861845514113026/photo/1 2020-12-04 14:07:19
28 andpalmier https://assistenzaappweb.com/ 🗒️ @a2hosting 🔐 @cpanel ☣️ 70.32.23.76 (AS55293) 🔍 https://urlscan.io/result/85ce5431-030f-4168-90ea-9beafca57c56/ https://aggiorna-dati-conto.com/index 🗒️ @Namecheap 🔐 @SectigoHQ ☣️ 68.65.120.126 (AS22612) 🔍 https://urlscan.io/result/c7fc6ae8-9f84-4dc1-a366-54d7dc21f4e6/ https://twitter.com/andpalmier/status/1334861841370140672/photo/1 2020-12-04 14:07:18
29 andpalmier https://obblighiaggiornamenti.com/ 🗒️ @a2hosting 🔐 @cpanel ☣️ 70.32.23.76 (AS55293) 🔍 https://urlscan.io/result/eb9ada7b-05d2-4be9-a24b-5af99ce8bfd9/ https://portale-intesasp.com/index 🗒️ @Namecheap 🔐 @SectigoHQ ☣️ 162.0.209.246 (AS22612) 🔍 https://urlscan.io/result/83be6939-5f70-4be7-9fc4-b3f7ed6dc241/ https://twitter.com/andpalmier/status/1334861837263904772/photo/1 2020-12-04 14:07:17
30 andpalmier https://informazione-conto.com/ 🗒️ @internetbs 🔐 @letsencrypt ☣️ 82.221.136.4 (AS50613) 🔍 https://urlscan.io/result/dd4a4bdc-b025-4b5e-bc79-fdd6d3e8f2da/ https://supporto-dati.com/ 🗒️ @internetbs 🔐 @letsencrypt ☣️ 82.221.105.125 (AS50613) 🔍 https://urlscan.io/result/64aa7c45-a72f-4a9c-aadc-bd6122752b0a/ https://twitter.com/andpalmier/status/1334861833124057089/photo/1 2020-12-04 14:07:16
31 andpalmier #mwitaly #phishing @IntesaSP_Help @UniCredit_IT @PosteNews 🎣🇮🇹 CC @JAMESWT_MHT URLs: https://gist.github.com/andpalmier/060bc76e3de68ae361de160a42bb4835 ⚠️ exposed victims creds Info ⬇️ https://twitter.com/andpalmier/status/1334861828824895488/photo/1 2020-12-04 14:07:15
32 sdotknight Looks like another sample of the Lazarus fileless implant for macOS has popped up. https://www.virustotal.com/gui/file/bb430087484c1f4587c54efc75681eb60cf70956ef2a999a75ce7b563b8bd694/details 2020-12-04 13:37:53
33 pcrisk @Emm_ADC_Soft @demonslay335 Sample - https://www.virustotal.com/gui/file/5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de/detection 2020-12-04 13:37:22
34 PGRotondo Threat Intelligence #ThreatIntelligence is useful only if shared. https://xforce.io Join the "Italy eXchange" group, share and search for information on #malware campaigns in #Italia. 2020-12-04 13:36:20
35 Racco42 #malspam "Outstanding Invoices" with .js attachment brings #loda https://app.any.run/tasks/c7fc7a6b-0d28-4994-a44c-0e07ebaf7d98 C2: tmlo.awsmppl.com:50253 2020-12-04 13:08:01
36 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 60 VirusTotal: https://www.virustotal.com/gui/file/75bd35501d9fe2df1205ea415754f5538926cd5ea2e35fde516f56ec8157d76b/detection/f-75bd35501d9fe2df1205ea415754f5538926cd5ea2e35fde516f56ec8157d76b-1550046656 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 12:15:02
37 phishunt_io #NewPhishing | #phishing #scam 🌐 /connect.faceboook-8280919741631.com/ 🚩 162.0.209.244 ☁ NAMECHEAP-NET https://twitter.com/phishunt_io/status/1334830362871144450/photo/1 2020-12-04 12:02:13
38 elgofo @ArthurHoaro the analysis is here https://www.virustotal.com/gui/file/c1dd9c26671fddc83c9923493236d210d7461b29dd066f743bd4794c1d647549/detection 2020-12-04 11:26:02
39 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 63 VirusTotal: https://www.virustotal.com/gui/file/690c35be19958fba1cb29a124eba641b7e3f9fb32c415ffead2df0875b025a42/detection/f-690c35be19958fba1cb29a124eba641b7e3f9fb32c415ffead2df0875b025a42-1601466110 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 11:20:03
40 andpalmier Hey, these are still active: dvla-vehicletax-rebate.com re5512.com 4uk-app.com ref427.com 24yrs.com 8r180.com @Domaindotcom @HostGator @Cloudflare @Namecheap @SectigoHQ cc @JAMESWT_MHT https://twitter.com/andpalmier/status/1334423259006328836 https://twitter.com/andpalmier/status/1334814772538249216/photo/1 2020-12-04 11:00:16
41 malwaretracekr #Malware #택배 #Parcel #스미싱 #Smishing #MoqHao h**p://gg.gg/ndegg -> h**p://osyximjnob.duckdns.org/?ztdjvjtvrh @duckdns (185.223.167.64) @zenlayer #AS21859 Download app : <Random>.apk (Chrome) https://www.virustotal.com/gui/file/4a81fc9f327245252f3ac0ca61143ec8038a61494d78384592af2c8e899719f8/detection https://twitter.com/malwaretracekr/status/1334814444199636993/photo/1 2020-12-04 10:58:57
42 olihough86 #404Keylogger #stealer exfil SMTP 597 //orisinlog.com related opendir: https://twitter.com/petrovic082/status/1334788350197248008 https://app.any.run/tasks/cd0a8bd5-81ad-4b5f-b225-6337f3179f2d 2020-12-04 10:37:12
43 Certego_Intel #Malware #Hancitor #Blocklist Domain: freitasforcongress.com VirusTotal: https://www.virustotal.com/gui/domain/freitasforcongress.com #CyberSecurity #ThreatIntel (bot generated) 2020-12-04 10:20:01
44 abel1ma Around 18:00 on December 4, a Japanese-language sextortion (sexual blackmail) scam email arrived. Subject: "High-level danger. Your account has been hacked. Change your password immediately." Payment address: 3N1d4zihWWkLCRQA5S2iVamr7MMbEgQQq7 https://www.bitcoinabuse.com/reports/3N1d4zihWWkLCRQA5S2iVamr7MMbEgQQq7 2020-12-04 09:59:30
45 philofishal @howardnoakley MACOS_1373c52 is for an AdLoad variant. e.g. https://www.virustotal.com/gui/file/7e83221db0a6d3f89a3ccb9c7e2b9310d9856dec5e7e56b7bfce39cbc761003c/detection 2020-12-04 09:21:14
46 HeliosCert @HeliosCert Sample analysed on #virustotal VirusTotal-Score: 65 VirusTotal: https://www.virustotal.com/gui/file/f8ab8940fdcf249bf7cf2fde7f36f0ae5c4eac8d68344f7e9937e8eb0dce7619/detection/f-f8ab8940fdcf249bf7cf2fde7f36f0ae5c4eac8d68344f7e9937e8eb0dce7619-1581325665 Threat: Ransom_WCRY.SMALYM (TrendMicro) 2020-12-04 08:50:02
47 JAMESWT_MHT #quakbot #qbot #qakbot #signed "SHOECORP LIMITED" Samples @ffforward https://bazaar.abuse.ch/browse/tag/SHOECORP%20LIMITED/ C2 🔽💪 @hatching_io https://tria.ge/201204-asb3kj9nnx @malwrhunterteam @FBussoletti @sugimu_sec @VK_Intel @Notwhickey @JRoosen @Jan0fficial @fr0s7_ @sec_soup @malware_traffic @dms1899 @guelfoweb https://twitter.com/JAMESWT_MHT/status/1334780369254625280/photo/1 2020-12-04 08:43:33
48 keweonOnline @IOitaliait removed this question from their Facebook page. Their app seems to be infected with a Trojan, Spyware and a Backdoor, and they spread it to all Italian citizens. https://www.virustotal.com/gui/file/c4ea2d04ac7de86c4be3a8e4a3b34ab379cce178de3d80ae4bbe7286fe05ac53/detection @GooglePlay @Apple @ESETresearch Can you double check this App please? https://twitter.com/keweonOnline/status/1334777606613463041/photo/1 2020-12-04 08:32:35
49 siri_urz .DEMON 42469BBD43954D8ED09B27899B25FFB0 BlackKingdom #Ransomware https://twitter.com/siri_urz/status/1334775963742314498/photo/1 2020-12-04 08:26:03
50 petrovic082 #Ransomware https://app.any.run/tasks/cea5616d-ff0b-4026-919f-ca90921ab119/ notes https://pastebin.com/raw/1kRkuJVE 2020-12-04 08:21:15