Last 5 Entries

ID User Tweet Date
1 michalmalik https://www.virustotal.com/gui/file/6daad0b78e302f9c15ba77ff747dc0be17a11aea9e18fe99e131adbcb11601a4/detection < macOS thing. go do your thing detection engines ;-) it's similar to https://www.virustotal.com/gui/file/3683a0b816e0f17a9d0561e2494b51ef78c72baa5b87c96d9a895db22ae0113a/detection 2022-09-29 23:49:01
2 ActorExpose 0xB42E42c80f6af7b6Afd8877f4853f0bbC0eb3A43 discord: "//discord.com/invite/valeriagames". twitter: "//twitter.com/ValeriaStudios". @Iamdeadlyz @CryptoScamDB @milannshrestga @Sync_Pundit @fish_illuminati https://twitter.com/DestroyPhish/status/1575145431868260360 2022-09-29 22:50:00
3 AnonAnonymous 591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780 BruteRatel_1.2.2.Scandinavian_Defense.tar.gz #Anonymous https://www.virustotal.com/gui/file/591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780/details 2022-09-29 22:46:09
4 ActorExpose @Aliana12865394 @CatcherPhishing Hello scammer.. thanks "metamasksuport.directapp@gmail.com" @Sync_Pundit @milannshrestga metamasksuport.directapp dude still active 2022-09-29 22:44:53
5 ActorExpose Some kind of tracker on this phish //poocoin.site //trckr.click/js/k.min.js //trckr.click/3298bc9/postback do u know what this is? @Iamdeadlyz @Sync_Pundit @milannshrestga @fish_illuminati @Spam404 https://twitter.com/DestroyPhish/status/1575416251026898945 2022-09-29 22:44:01
6 ActorExpose Still active.. 1. //shibaswapconnec.blogspot.com 2. //app-shibeswap.xyz @milannshrestga @Sync_Pundit @fish_illuminati https://twitter.com/DestroyPhish/status/1575428585162252289 2022-09-29 22:39:25
7 0xToxin an unknown .NET clipper delivered via #malspam Coinbase associated mail. 24/72 for stub on VT https://www.virustotal.com/gui/file/b3a840ace75bed204b4d91ec22e2cbdb985fe6c4c76b1322c96c453abeb10180 Encrypted payload: http://172.245.214.173/noden/Jpknrv_Rsmrdnne.bmp 35/71 for clipper on VT https://www.virustotal.com/gui/file/46dc8a5ceb4db853c037259dcb7ddbccb49ad7715fb9dc9efa32afd470d177d6 https://twitter.com/0xToxin/status/1575574532676468736/photo/1 2022-09-29 19:53:36
8 xiatianguo Chinese Phishing scammers were arrested. They abused auPay. ๆญๅ–œๆญๅ–œ๐ŸŽ‰ #Phishing #China https://news.yahoo.co.jp/articles/fff161a429adc3f6ed745efa8c448d7da511c6c7 https://twitter.com/xiatianguo/status/1575567336152518657/photo/1 2022-09-29 19:25:00
9 abuse_ch New Exchange #0day exploit in the wild ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ English version here ๐Ÿ‘‡๐Ÿ‘‡๐Ÿ‘‡ https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html https://twitter.com/blackorbird/status/1575521156966535168 2022-09-29 18:52:59
10 RebornWhs @pprussel14 @CyberSquarePeg Apparently it is Chinese: https://www.virustotal.com/gui/file/71601f812858dffe350d42c21d1935a4058fc8b06bc51d0bc226f6a21b927082/details Sadly can't scan apks I didn't install on @ExodusPrivacy but maybe you can try that? 2022-09-29 18:43:06
11 StopMalvertisin #Javali / #Ousaban MSI: https://www.virustotal.com/gui/file/ff2541a040d6ef04007f0259644deeb35411e59c784f315d79d6ed24d84b610f ZIP: https://ortobom-8nb4n-1vn36vg.qatarcentral.cloudapp.azure.com/catalogo/casal.doc https://www.virustotal.com/gui/file/c639d5e2412f2fcf7836d56e05a6882e65eafce6c23d7643267149e6bf1a0761 https://twitter.com/StopMalvertisin/status/1575524001434128388/photo/1 2022-09-29 16:32:48
12 pollo290987 #RedLine rar - scr /onedrive.live.com/?cid= 356fb8ea8216a2d5&id= 356FB8EA8216A2D5!130&authkey= !AP5dmJbcBkOgtQw c246493e0de032e85866d5d985a9e3f0 42a123d2a8c6b9bf813d4ba30c6f7339 C2 /62.204.41.139:25190 2022-09-29 14:07:49
13 pollo290987 #AgentTesla gz - exe /www.sendspace.com/file/ugk0y3 50e758f2b0fe0fcf6e3068dea77c74dd 82bcc806ea96e38b0ee9a21b99dd37b0 /quranlearningacademy.net/leg/pgMSZQItQ27.jpb C2: /gnd@grabadosm2r.cl 2022-09-29 14:04:48
14 Cyanotle . @Steam phishing campaign claiming to be a @PUBG gift. ๐ŸŽฏhxxps://no5353280.asia/6x53/login/ Registrar: @DNSPod https://www.virustotal.com/gui/url/8099ac8e28559ccebfb9bd7bcf69a43f28510f5053a135204b256a831e7ef187/detection CC: @dubstard @JCyberSec_ @malwrhunterteam https://twitter.com/Cyanotle/status/1575486069524819968/photo/1 2022-09-29 14:02:04
15 pollo290987 #LokiBot eaac044d40eb3b031a73f6f584fee30c /cdn.discordapp.com/attachments/1024201994199646209/1024596511146909717/Jveoc_Bhietzoo.png C2 /162.0.223.13 2022-09-29 14:01:35
16 pollo290987 #FormBook fdc1d2b0261d03dd71982e21f3db3136 /109.248.150.185/abc/ababa.exe fabd97c6f7d41d2a462ec3b11e52e8b5 Campaign: te2r 2022-09-29 14:00:02
17 pollo290987 #Remcos 8ab00a532da1de4d0f3fb53efc609de7 /192.227.183.152/12.png C2 /172.111.234.110:5888 2022-09-29 13:56:40
18 pollo290987 7d7857efc4e86e8929c8bb31ba639efd e2192935aaa1b1118e2615b9f88326d5 2dedb758dad228456a163b918779e9c1 e39d8d991e3f336ae022759f6ccaa9d8 33fe176f741f8970bd3d39605a01bd3a 2022-09-29 13:41:28
19 pollo290987 c715e689d24226675e9c472408133d87 7993de810b2cd5eac9fba224fd5af38d 0caa342959be0b06e5c3e60bff26c1ca d17280e91a8f519bf4b7d0541feb3ef2 29e94f7df7bc29b3b504064acfe78a36 1a3ab4e1c9e202dc01bd6f2040a795d6 684a76463fb75a02f79f003655a66d68 df28c48c875d9d0bfd7943cd7f2b5cab 2022-09-29 13:41:16
20 pollo290987 C2 portaleletronicoswsvr.mysecuritycamera.com:80/media/wysiwyg/2022/gbE2tCYbn.php e4cd9895e8f4db20a21b2c113b294e92 13d98ecfc0eb33c5458c4bfe67474cd3 3e50a3ec2b66f7c7e21de9576e52efe7 0da8f1579e5837a1cce0b9f3a7581e06 5fb5d9f5d769f12fb0cd33e90442e67f 3fa8ee4856ece49d4ebcc83315cae954 2022-09-29 13:40:53
21 pollo290987 #Ousanban /154.156.133.34.bc.googleusercontent.com/5466190-47.2022.4.04.33050215875-53.9409.RRy.2315 /s3.eu-west-1.amazonaws.com/5895521-71.2022.2.00.5476-setember27092022/ 3875470-32.7026.fSa.4829.html tjman.zipx 2022-09-29 13:39:39
22 cyberwar_15 #๋ถํ•œ #NorthKorea #CyberWar ๋ถํ•œ์œผ๋กœ๋ถ€ํ„ฐ ํ•œ๊ตญ์˜ ๊ตญ๊ฐ€ ์‚ฌ์ด๋ฒ„ ์•ˆ๋ณด๊ฐ€ ์œ„ํ˜‘๋ฐ›๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. attachnents.epizy.com cloud.kcrea.rf.gd ewha-cloud.epizy.com clouds.kvongnum.rf.gd files.khu.rf.gd https://twitter.com/cyberwar_15/status/1575476579639078913/photo/1 2022-09-29 13:24:22
23 JAMESWT_MHT "Conferma di pagamento Bonifico" spam email spread #AgentTesla Gz๐Ÿ‘‡ https://bazaar.abuse.ch/sample/3aa822fabef85ed8fcdeefeb781d5b4aeb411c5033bc8bb70394e471d5c15ca5/ Exe๐Ÿ‘‡๐Ÿ‘‡ https://bazaar.abuse.ch/sample/875d08a7b75de030784897ef652ce55a7e882c08760f70d7de2b7c26ba3f673c/ exfil FTPโšก๏ธ โš ๏ธHost: ftp.onogost.com Username: infoo@onogost.com https://twitter.com/JAMESWT_MHT/status/1575472359598850049/photo/1 2022-09-29 13:07:36
24 Indranilvet @CRED_club https://www.virustotal.com/en/file/68846bbc80eefafa62caa002419967f15b5d3cfe1444530629a555ecae0289e6/analysis/ #VTMobile I found the virus. kindly ๐Ÿ”งthis issue 2022-09-29 12:28:19
25 pcrisk HORNET Ransomware; Renames files to random strings; Ransom note: README_random_number .txt https://www.virustotal.com/gui/file/f238cd2585954b7ffe1179ca28048a612f6a14439dac4699cfddd0e482c26ea2/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-29 12:00:52
26 ViriBack @1ZRR4H @nosecurething @idclickthat Thank you for the tag. added to Tracker. Also pivoting allowed me to find this other C2. which might not be related to current campaign. hxxps://a1a2a3b4.com/sh1z01/index/login https://twitter.com/ViriBack/status/1575451588977631241/photo/1 2022-09-29 11:45:03
27 pcrisk T_TEN Ransomware; Variant of DCRTR ransomware; Extension: .T_TEN; Ransom notes: pop-up window and readme.txt https://www.virustotal.com/gui/file/5c8c28b78d1bfd2e06b828ad2df4be7d595fea367680437a8f04fd2a55a50f6f/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-29 11:20:03
28 JAMESWT_MHT @1ZRR4H @Fortinet @StopMalvertisin @malwrhunterteam @th3_protoCOL @ffforward @Cryptolaemus1 @SecurityAura @Max_Mal_ @Iamdeadlyz @dark0pcodes Mentioned Installer5.2.msi sample (disguises itself as Softland NovaPDF 11) https://app.any.run/tasks/03c78583-54e9-4bb3-9185-9d48b26eeb86 Source Url https://urlhaus.abuse.ch/url/2323117/ signature:"Kancelaria Adwokacka Adwokat Aleksandra Krzemiล„ska" IoCs MD5 https://pastebin.com/1UE5GKJV https://twitter.com/JAMESWT_MHT/status/1575441685571670017/photo/1 2022-09-29 11:05:42
29 pcrisk Lol Ransomware; Extension: .lol; Ransom note: Message.txt https://www.virustotal.com/gui/file/fd217d262bae4fbd47ae208b4e45152e0a458cc9b7245e2221836a23a9e2467b/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-29 10:55:15
30 StopMalvertisin Interesting 0679a664901206cea9e8dae9eac9a1ab https://www.virustotal.com/gui/file/0a9d7369a1c4cb32172404abd4e1a6c5aa35a674b4bfdcca81dc909b0f047b65 Remote Template: http://filestorel.eastus.cloudapp.azure.com:443/update/MSDN/MSDN_template.dotm - Connection Time Out -> Update your info automatically After โ€œEnable Contentโ€ -> /msdnbenefits@micros0ft.com https://twitter.com/StopMalvertisin/status/1575427033504501760/photo/1 2022-09-29 10:07:29
31 StopMalvertisin MSI: https://bazaar.abuse.ch/sample/52011338415ad95fd442cd18adc72db52c3a01e15039b5405c8456046365bd0c/ DNGuard: https://bazaar.abuse.ch/sample/03d96e2735ffed34003e9a470cd2d095ec39ee0e1386dcc3c3aec850ba2d4fff/ AgileDotNet: https://bazaar.abuse.ch/sample/3ca71c1824145103c2ffda6c0cb4a9488847841e1980ebac91ac6e5e5cd85247/ 2022-09-29 09:49:34
32 StopMalvertisin @abuse_ch @kilijanek @cocaman @JAMESWT_MHT @1ZRR4H @luigi_martire94 @malwrhuntertean 1.ISO: https://bazaar.abuse.ch/sample/ea3aae6146970d6882b97208d3ab7d2b5daec3e0e5692d7056e1a3a92c0e3228/ heathen.wll: https://bazaar.abuse.ch/sample/29b3cf17d3b9bbfc858e027f988bd7077c67b1dc2d9fc240892e868b5097f4f2/ 2022-09-29 09:39:19
33 mgprasanth #QAKBOT - Wave 3 ( 28-09-22) IOC's https://www.virustotal.com/gui/collection/beae509cab7a4e244764f26390c7102d01a0b16df19b4c1d8008d685af3e4250 2022-09-29 09:06:57
34 yvesago #phishing @DHLexpress s://dhl.de.designresources.africa/verfolgung/suivie.php?id= ef0b0f84cca611ecaebeb178 VIA p://ytgixmafmv.airsoft.toys/vnafvra97w?q= 9174978986&id= u2.4 ping @malwrhunterteam @PhishStats https://twitter.com/yvesago/status/1575410033768243201/photo/1 2022-09-29 08:59:56
35 StopMalvertisin DNGuard HVM Runtime: https://www.virustotal.com/gui/file/a0b11444c5913bc048c2f97b670cc801176df17565c48d6e7a30fef651ca8426 AgileDotNet Runtime: https://www.virustotal.com/gui/file/61b747324a40dd60471d83b9c4431deab9297f7f60c6f70777f65637608ef29e 2022-09-29 08:55:41
36 StopMalvertisin It's a known fact that the TA often swaps payloads. Earlier the same MSI was downloading a different ZIP file from the same AWS URL. Payload was bundled with the AgileDotNet VMRuntime.dll ๐Ÿ˜ ZIP: https://www.virustotal.com/gui/file/3ca71c1824145103c2ffda6c0cb4a9488847841e1980ebac91ac6e5e5cd85247 Banker DLL: https://www.virustotal.com/gui/file/dae87db5e6bf447e461e078f8e96f6845ec08bbc01a210a158df1d606c782497 https://twitter.com/StopMalvertisin/status/1575408960173023232/photo/1 2022-09-29 08:55:40
37 StopMalvertisin .NET #KLBanker with DNGuard HVM (.Net obfuscator and code protection) MSI: https://www.virustotal.com/gui/file/52011338415ad95fd442cd18adc72db52c3a01e15039b5405c8456046365bd0c ZIP: https://s3.eu-west-3.amazonaws.com/rmw.ptgh/mprs.dsnt/prlf.mjrt/pictures200.zip Current Payload (1): https://www.virustotal.com/gui/file/3ca71c1824145103c2ffda6c0cb4a9488847841e1980ebac91ac6e5e5cd85247 Banker DLL: https://www.virustotal.com/gui/file/4b22e864e2b2275bde0f8b30eeb147a08e08b365ec17a21d380843a77bc9b546 https://twitter.com/StopMalvertisin/status/1575408947728564224/photo/1 2022-09-29 08:55:37
38 cocaman @JAMESWT_MHT @StopMalvertisin @1ZRR4H @luigi_martire94 @malwrhuntertean https://bazaar.abuse.ch/sample/5abb692f55ca071005f8a4f6cf8737cb5654ce47c7e66591181aca79ba70eb75/ 2022-09-29 08:29:29
39 cocaman @JAMESWT_MHT @StopMalvertisin @1ZRR4H @luigi_martire94 @malwrhuntertean ISO https://www.virustotal.com/gui/file/5abb692f55ca071005f8a4f6cf8737cb5654ce47c7e66591181aca79ba70eb75 2022-09-29 08:27:21
40 1ZRR4H 6/ Then the TA install #Syncro RMM (I didn't know this one) for C&C and persistence on the infected computers. The installer sends a signal to: /rmm.syncromsp.com/device_api/auth/?shop_api_key= HABB92nNT4_O5RPUFRDWwA&installer_version= 1.0.161 + https://www.virustotal.com/gui/file/1988e9a4716e60e5b6fd98a3c9dc1d599ff5052f47ae223ebb1f57dc746b3388 https://twitter.com/1ZRR4H/status/1575364127534583810/photo/1 2022-09-29 05:57:31
41 0xrb @r3dbU7z Few More #Kaiji storages Go-based cryptominer hxxp://155.94.141.226:808/ hxxp://115.126.74.37:808/ hxxp://154.12.42.195:808/ hxxp://195.178.120.201:808 cc: @_odisseus https://twitter.com/0xrb/status/1575354022298411009/photo/1 2022-09-29 05:17:22
42 pcrisk Iq20 ransomware; Dharma/CrySis family; Extension: .iq20 (also appends victim's unique ID and developers' email address); Ransom notes: info.txt and pop-up window (Info.hta) https://www.virustotal.com/gui/file/6f64d864d4cdeaa6062e44e34c0969ebdead56edb22e5a2b61c987ca3400fad4/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-29 04:46:22
43 av_eip @BushidoToken @darkcoders_mrx Interestingly the seatbelt.exe https://www.virustotal.com/gui/file/1d7816e533403f63368db315a4d2f73244537ec6f50c1b2aba2bf013eed48375 does match a lot of signatures released by FireEye/@Mandiant for their leak of offensive tools https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html 2022-09-29 02:56:44
44 ChuZiuz โ€ข Into DNS >> https://intodns.com/ โ€ข URL Void >> https://www.urlvoid.com/ โ€ข URL Scan >> https://urlscan.io/ โ€ข DNSlytics >> https://dnslytics.com/ โ€ข Pulsedive >> https://pulsedive.com/ โ€ข Alienvault >> https://otx.alienvault.com/ 2022-09-28 23:05:21
45 emidanielnz @lissascott @TalosSecurity @PhishTank_Bot I'd start from Virustotal. https://www.virustotal.com/gui/url/581d791c4cd17774ea92f1e518d65ead6d1dbbec0e86ecadc5725d7fd3b7f3b6 https://www.virustotal.com/gui/url/a3c28e997997da5fda1eef1ce190c82c0e038a22daba00de2b291d982b095b10 2022-09-28 22:55:44
46 abel1ma ใƒกใƒข ใ‚นใƒซใ‚ฌ้Š€่กŒใ‚’้จ™ใฃใŸใƒ•ใ‚ฃใƒƒใ‚ทใƒณใ‚ฐใƒกใƒผใƒซ ไปถๅ ใ€ใ‚นใƒซใ‚ฌ้Š€่กŒ๏ฝœSURUGA bankใ€‘ๆ€ฅใŽใฎๆฅญๅ‹™ใŒใ‚ใ‚Šใพใ™ใฎใงใ”ๆณจๆ„ใใ ใ•ใ„ใ€‚ ่ช˜ๅฐŽๅ…ˆ hxxps://hqtickvlq3k.shop/jp hxxps://qopio4l321hd.shop/jp hxxps://wcvak2jk3lb.shop/jp 107.174.78.141 2022-09-28 22:34:07
47 TaWeststrate Domain: http://rotterdamsefondsen.nl - AlienVault - Open Threat Exchange https://otx.alienvault.com/indicator/domain/rotterdamsefondsen.nl 2022-09-28 21:55:18
48 MBThreatIntel New #FakeUpdates/#SocGholish shadowed domain โžก๏ธ fundraising.mystylingmylife.xyz https://twitter.com/MBThreatIntel/status/1575241303302209537/photo/1 2022-09-28 21:49:27
49 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /facebook-help30305848756843030.web.app/ ๐Ÿšฉ 172.67.192.61 โ˜ CLOUDFLARENET ๐Ÿ”’ E1 https://twitter.com/phishunt_io/status/1575239093277102093/photo/1 2022-09-28 21:40:41
50 michalmalik https://www.virustotal.com/gui/file/754c3be639adc1304bc4e05b51d293d1198fc5e51f55453bc1b6e554cad058da/detection < Linux Go thing. executes a small ELF via memfd_create that tries to connect to 18.163.190.116:7800. pretty :-) 2022-09-28 20:56:09
51 k3dg3 This was an obnoxious chain.. TLDR: HTML Attachment -> loads googleusercontent hosted XML -> loads an iframe-> redirects to zipped JavaScript download -> runs PowerShell command -> downloads #NetSupport #RAT https://bazaar.abuse.ch/sample/12fb0d89c508973c12788d7790ff3d8de1db4d2c72211414641012b62c00b190/ 2022-09-28 20:52:06
52 James_inthe_box @StopMalvertisin @ShadowChasing1 @h2jazi Mucked with an xll earlier today..had this bookmarked for a while now: https://pentestlab.blog/2019/12/11/persistence-office-application-startup/ 2022-09-28 18:48:20
53 Jacques67281271 Look at the Analysis of "DCUO Hack Remake http://v6.9.zip" . https://app.any.run/tasks/dc0e54a7-a5d7-48f7-9f7f-533110ecbf8a #@anyrun_app 2022-09-28 17:44:43
54 pollo290987 5e9ffef2bf215c8c6c867ffff6f1f6eb Accounting#2361.iso 4e2f63142936aeef241fcc1e36c0729c Accounting.lnk f533e6c66d8a458c97c2bd408757d481 amplitude.db a2d79245b870cd4ca81e3e2efa434ed8 hideboundUndemonstrable.cmd 7c54d3ee1a633769d732ab6e1a0bc473 milkshakeEquated.js 2022-09-28 17:37:13
55 pollo290987 db8889891be53aa5dfc474c121030446 : Invoi_PDF#0-9{4}.iso 33f0ecc3b42e9c3beef822535ae21dc4 : Invoi_PDF.lnk 41e60934b4352378f755b8b234e28b1d : braved.db 2022-09-28 17:24:17
56 pollo290987 #IcedID zip - iso - lnk - dbdll 09-27-2022Invoi_PDF#0-9{4}.zip Invoi_PDF#0-9{4}.iso Invoi_PDF.lnk braved.db C2 /tezycronam.com iso cadets braved.db timberedShear.cmd unerringlyOffering.js Invoi_PDF.lnk 2022-09-28 17:23:56
57 k3dg3 #TA580 #Bumblebee attack chain change. Smash URL -> VHD -> LNK -> HTA -> PowerShell -> Payload Download -> DLL payload: http://45.153.243.98/ASUYfdhjsQx/nda.dll https://bazaar.abuse.ch/sample/ac75ab4c3a8ee0979b4ea982b38ae9eea6c94ab8e3459705fe5529c3653a853f/ 2022-09-28 17:18:34
58 jrleonett .::: ALERTA DE CAMPAร‘A DE PHISING Y TROJANOS Analisis del HTML malicioso en https://www.virustotal.com/gui/file/535a3b13ce3f79e4ead5d82eec2f157e5833ba41ce00d69590ed21fd95641887 #guatemala #ciberseguridad #ogdi #cybercrime #guatemalacibersegura #yoprevengolosciberdelitos #ciberdelitos #computoforense https://twitter.com/jrleonett/status/1575169354739511305/photo/1 2022-09-28 17:03:34
59 StopMalvertisin A twist on the IMG attachment delivering #Remcos https://twitter.com/0xToxin/status/1575019743886835712 ACH_PAYMENT_ADVICE_WFARGO220926.docx https://www.virustotal.com/gui/file/5aee205c72fa31e67ee0a05b9b43673ab60fa813f45375f7b17c537c8017ed2e Remote Template: http://209.127.20.13/b44u8j.dotm Drops a shortcut in Users\Public and runs it. Next Stage: http://209.127.20.13/woke.js https://twitter.com/StopMalvertisin/status/1575169120735096841/photo/1 2022-09-28 17:02:38
60 LinuxSec #Security readings: VirusTotal https://www.virustotal.com/gui/file/591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780. see more https://tweetedtimes.com/LinuxSec?s= tnp 2022-09-28 17:02:12
61 pr0xylife #Qakbot - obama207 - html > .zip > .iso > .lnk > .js > .cmd > .dll cmd /c REF.lnk wscript.exe gaffes\actualistsMollusk.js cmd /c gaffes\inhibitedScribbly.cmd regsvr32 /s gaffes\twinkle.dll https://bazaar.abuse.ch/sample/8a4d0f98792dbd499c3cabe38360d6091559d779c01cd814c306584114b87034/ https://bazaar.abuse.ch/sample/466484398eb25d42b0e0b095f10590a566610447eb212d1dc7f7bd342e89fe5a/ IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama207_28.09.2022.txt https://twitter.com/pr0xylife/status/1575165550254526465/photo/1 2022-09-28 16:48:26
62 500mk500 Currently NULL-detection ratio on VT: XAPK: https://www.virustotal.com/gui/file/56ca20b7b5a94ac723306a76714ed88fbe97fff93cc9d9e015fb41d6516c7178/detection APK: https://bazaar.abuse.ch/sample/d93def97d593c453ec9065294b985b6ccb0e49535daa82dec415503094f277e6/ Detection for C2 domains: https://github.com/stamparm/maltrail/commit/1c47883231c35c20ce32b062359026131b73c97e https://twitter.com/sh1shk0va/status/1575155357529346048 https://twitter.com/500mk500/status/1575165431802757129/photo/1 2022-09-28 16:47:58
63 BhaavukAroraa Top story: VirusTotal https://www.virustotal.com/gui/file/591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780. see more https://tweetedtimes.com/BhaavukAroraa?s= tnp 2022-09-28 15:52:21
64 SritaKaren #Cybersecurity #InfoSec #hacking VirusTotal https://www.virustotal.com/gui/file/591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780. see more https://tweetedtimes.com/SritaKaren?s= tnp 2022-09-28 15:52:20
65 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /pile.fr/santa55/gruposantander/home/Phone_Number ๐Ÿšฉ 188.114.97.6 โ˜ CLOUDFLARENET ๐Ÿ”’ E1 https://twitter.com/phishunt_io/status/1575150834039640066/photo/1 2022-09-28 15:49:58
66 susession Trending News: VirusTotal https://www.virustotal.com/gui/file/591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780. see more https://tweetedtimes.com/susession?s= tnp 2022-09-28 15:17:20
67 bigmacjpg @0xToxin @WellsFargo Continuing with the @WellsFargo theme. https://www.virustotal.com/gui/file/5aee205c72fa31e67ee0a05b9b43673ab60fa813f45375f7b17c537c8017ed2e is a malicious Word doc that pulls macro enabled remote template https://www.virustotal.com/gui/file/9b7de51558eeffaf3077641a0184391a34c76c2f752109fcab5c97836a8728f1 that drops the LNK and proceeds down the goat.txt/woke.js attack path you described. 2022-09-28 15:14:54
68 James_inthe_box Large #icedid / #bokbot #malspam campaign starting up. subjects contain "September 28 22"; https://app.any.run/tasks/bbf1a19b-4bad-4627-95e0-14c65c3f1ed6 loader c2: http://alockajilly.com/ cc @Myrtus0x0 2022-09-28 14:59:17
69 the_hofmann @BushidoToken @darkcoders_mrx Also a version called "bruteratel 1.2.2.zip" via Telegram. Apparently added with license. https://www.virustotal.com/gui/file/aabe4b60c5a7c64e284057193b369eb2b078dbdae945092179f224240352e47e/details https://twitter.com/the_hofmann/status/1575109316104769537/photo/1 2022-09-28 13:04:59
70 jaydinbas New-ish #bluenoroff #lazarus sample https://www.virustotal.com/gui/file/71284b7b1d6d83c642da4272484cc4e971cdffb8c69b6a47aed7eade5687284f signed "Dmitry Raykhman" matches report vvv https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ 2022-09-28 12:58:49
71 pr0xylife Fresh .dll rolling out with new c2's. https://bazaar.abuse.ch/sample/b9dd2d79e9b78f0d3f439c302f19b0bbec463f135701ab2ea99c27f48fa2eb1a/ https://tria.ge/220928-pjxt9sghfl 2022-09-28 12:37:37
72 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /verify-lnstagram.bedrijfmaju.com/ ๐Ÿšฉ 188.114.96.3 โ˜ CLOUDFLARENET ๐Ÿ”’ E1 https://twitter.com/phishunt_io/status/1575088017538260992/photo/1 2022-09-28 11:40:21
73 reecdeep @tosscoinwitcher @0xToxin @James_inthe_box @pr0xylife @0n315 #Guloader final stage is #AgentTesla #Malware โžก๏ธfrom hxxp://alumark.ehost.pl/USA3.prx ๐Ÿ”ฅc2: ftp://ftp.artemusa.cl/ newfilereport@artemusa.cl #CyberSec #infosec #cybercrime #infosecurity https://twitter.com/reecdeep/status/1575083966360522753/photo/1 2022-09-28 11:24:15
74 StopMalvertisin ๐Ÿ˜‚ G2A EXPLOIT.docx https://www.virustotal.com/gui/file/6672635497a52b15eaf05ecefad59b211e30fe0b96ad69f813ce2f8e36e0d163 Contains link to https://pst.klgrth.io/paste/u59vw "Refund any Bitcoin payment sent to G2A" Load script in TamperMonkey or Greasemonkey You are supposed to get your BTC back AND receive your game keys/gifts -> emphasis on supposed! https://twitter.com/StopMalvertisin/status/1575080391119020033/photo/1 2022-09-28 11:10:03
75 pr0xylife #Qakbot - bb - url > .zip > .iso > .lnk > .js > .cmd > .dll cmd /c GalleryA.lnk wscript.exe mesenteric\gymnastsDenationalizes.js cmd /c mesenteric\debenturesLucerne.cmd regsvr32 /s mesenteric\overcomes.dll https://bazaar.abuse.ch/sample/8b440ad96f7ed8319419fbae878d48db0ad81107ede8ef862f8f0dc65ea8b527/ IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_28.09.2022.txt https://twitter.com/pr0xylife/status/1575057557143834624/photo/1 2022-09-28 09:39:19
76 500mk500 @StopMalvertisin @h2jazi @ShadowChasing1 @1ZRR4H @luigi_martire94 @JAMESWT_MHT Also related: https://www.virustotal.com/gui/file/c4f2b3b11d358879724df6c0fd57032f6dee38dcbe8625ba506860ea1411ee2b/detection with glove55.militora.ru as C2. 2022-09-28 09:37:14
77 BushidoToken ICYMI. threat actors on multiple underground forums are sharing around a copy of a cracked version of Brute Ratel (aka BRC4). brace for attacks "bruteratel_1.2.2.Scandinavian_Defense.tar.gz" https://www.virustotal.com/gui/file/591c2cd3a9b902a182fbf05bf5423cae17e3e6874c0d2e09107e914d86f39780 h/t @darkcoders_mrx for the pic https://twitter.com/BushidoToken/status/1575054022784208897/photo/1 2022-09-28 09:25:16
78 phishunt_io #SCAM ๐Ÿ‘ค https://twitter.com/SandboxGameStud ๐Ÿ”— /premint-app.live/Otherside-x-The-Sandbox https://twitter.com/phishunt_io/status/1575026089658765313/photo/1 2022-09-28 07:34:17
79 WhichbufferArda @cluster25_io https://bazaar.abuse.ch/sample/2d8f73c1f2e5b803ad6716644361c20b51ba49fa79361ef0bc1ae3a735968459/ cc @JAMESWT_MHT 2022-09-28 07:34:15
80 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /libertasmantova.it/language/it-IT/10/linkedln/index.html ๐Ÿšฉ 84.17.46.53 โ˜ Datacamp Limited ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1575024666116227072/photo/1 2022-09-28 07:28:37
81 0xToxin @WellsFargo IOCs: transfer.sh/GKUvyx/test.pdf 209.127.20.13/woke.js 209.127.20.13/goat.txt 209.127.20.13/goa.jpg C2:mandingo.dvrlists.com:10171 all files can be find under the C2 tag on bazaar: https://bazaar.abuse.ch/browse/tag/mandingo-dvrlists-com/ 10/10 https://twitter.com/0xToxin/status/1575023293551157248/photo/1 2022-09-28 07:23:10
82 pcrisk Wizard Ransomware; Extension: .wizard; Ransom note: decrypt_instructions.txt https://www.virustotal.com/gui/file/5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-28 06:24:48
83 pcrisk Unique ransomware; Phobos ransomware family; Extension: .unique (also appends filenames with victim's unique ID and developers' email address); Ransom notes: info.txt and info.hta https://www.virustotal.com/gui/file/34e1a82f7334c825aab19a21d94361c3225ee8ad9a2027830aeea7d82f59ca15/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-28 04:57:16
84 nosecurething More #batloader #SystemBC RAT and #Ursnif https://www.virustotal.com/gui/file/3ed0cd277bc278432fd6f49b58fe25e87e7e9053c714216ebd7f5308206793b2/detection #batloader โžก๏ธInstaller6.0.msi. NetFramework_v4.7.2.msi > update.bat New domain: ๐ŸŒcloudupdatesss.com #systemBC Wow64 Sch Tsk โžก๏ธ3254390.exe #Ursnif Run key > cmd > lnk > threadactive.ps1 > IEX (Reg key value) https://twitter.com/nosecurething/status/1574964679280951297/photo/1 2022-09-28 03:30:15
85 entdark_ #Zanubis actors have updated their list of targets. and authored the sample. https://www.virustotal.com/gui/file/44dd79ed23516673af9084ea8120f3d412e815ab3df36e9c7e2028363cd086de/ https://www.virustotal.com/gui/file/6f643819b96ca4b0451293954100b1739865fc593d6c75048563ac5d9a34479a Screenshots attached because twitter has flagged my blog :( https://twitter.com/entdark_/status/1574959318331314181/photo/1 2022-09-28 03:08:57
86 ActorExpose @xiatianguo @CryptoScamDB @Iamdeadlyz @Sync_Pundit @milannshrestga Keep an eye out with any Chinese or Asia region actor possibly using this online service. //bazhan.wang https://twitter.com/ActorExpose/status/1574922231863468033/photo/1 2022-09-28 00:41:35
87 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /correosly-cliente-url.com/ ๐Ÿšฉ 108.167.172.194 โ˜ NETWORK-SOLUTIONS-HOSTING ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1574882388785635354/photo/1 2022-09-27 22:03:16
88 Iamdeadlyz 6/ #RedLineStealer #malware cc03325caa93ead4a46e928172c4bc65829543bf32de050f83c1f9e63b0d4858 C&C: 185.106.92.22:34989 https://bazaar.abuse.ch/sample/cc03325caa93ead4a46e928172c4bc65829543bf32de050f83c1f9e63b0d4858/ @JAMESWT_MHT @malwrhunterteam @th3_protoCOL @1ZRR4H @dubstard @0xDanielLopez @ActorExpose C&C prev. seen: https://twitter.com/DmitriyMelikov/status/1553974740762722305 2022-09-27 19:41:10
89 SMarr311 @SOSIntel No idea. sorry - I'm just a ground-level grunt (#jobhunting). If it helps. IPs they used on 31 Aug for web content were 92.255.57.114 + 92.255.57.118 .. and this was the CS dll: https://www.virustotal.com/gui/file/88de34ad95486071b8796d95150461a8a7968d1eb8817772e892d258f3aa1c91 C2: 188.119.112.104 45.8.147.215 2022-09-27 18:22:51
90 James_inthe_box So @Namecheap how are you with handling scans? Asking for a friend (ok me really.) raw logs: https://gist.github.com/silence-is-best/63adc51dbc4631c898a1ba1adca15fe9 https://twitter.com/James_inthe_box/status/1574818758170120192/photo/1 2022-09-27 17:50:25
91 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /microsofl.com.pl/ ๐Ÿšฉ 84.17.46.54 โ˜ Datacamp Limited ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1574815404760997888/photo/1 2022-09-27 17:37:05
92 pr0xylife #Qakbot - bb - url > .zip > .iso > .lnk > .js > .cmd > .dll cmd /c Accounting.lnk wscript.exe maliciously\undercutTestator.js cmd /c maliciously\massifsTorturousness.cmd regsvr32 maliciously\argentina.dll https://bazaar.abuse.ch/sample/803466687ed3365a621da7a1c1546d18d3323361a5acf985be42ffd391e9f48e/ IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_27.09.2022.txt https://twitter.com/pr0xylife/status/1574814916351086595/photo/1 2022-09-27 17:35:09
93 MBThreatIntel New #FakeUpdates/#SocGholish shadowed domain and C2 โžก๏ธ memorial.4tosocialprofessional.com โžก๏ธ C2: jobs.registermegod.online 159.69.101.84 https://twitter.com/MBThreatIntel/status/1574814847405101059/photo/1 2022-09-27 17:34:52
94 MBThreatIntel โ„น๏ธ Live @Blogger page redirects to tech support scam โžก๏ธ Blogspot: hotblackbeautygirls.blogspot.com/2022/09/hotblackgirls.html โžก๏ธ TSS: 206.189.194.206/systemerror-win-chx/?phone= .&# https://twitter.com/MBThreatIntel/status/1574812115369852928/photo/1 2022-09-27 17:24:01
95 MBThreatIntel โ„น๏ธ A live tech support scam abusing the Plesk cloud infrastructure. โžก๏ธ Redirect/decoy site: topchefrecipe.com โžก๏ธ TSS: infallible-visvesvaraya.72-167-53-42.plesk.page/?tk= LulXnaEsm2AJDq61SweQRyrfp9hxYBCM https://twitter.com/MBThreatIntel/status/1574810683161870336/photo/1 2022-09-27 17:18:20
96 InQuest Great write-up coupled with YARA rules for detection of a Fancy Bear (APT28) tactic abusing Microsoft PowerPoint's mouse-over functionality: https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ Sample available for download from: https://labs.inquest.net/dfi/sha256/d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d Zero initial AV detection for months.. https://twitter.com/InQuest/status/1574795658518749184/photo/1 2022-09-27 16:18:37
97 tosscoinwitcher @0xToxin @James_inthe_box @pr0xylife @0n315 Guloader. Comes loaded with all kinda of goodies. Possible TA505 wares? https://bazaar.abuse.ch/sample/05b1856548d6c31b2b3ad41a9ef91b88f808f4859628c907abfb54b147a02988/ https://tria.ge/220927-s574xadgf2 https://twitter.com/tosscoinwitcher/status/1574795450598666240/photo/1 2022-09-27 16:17:48
98 JayashreeMudi @IndianCERT @YouTube Malware found in "YouTube" app https://www.virustotal.com/en/file/44980bfaf7245238b6540e80f6ad576485ad1a3bf70fe8e2e342c89bd50dbc1b/analysis/ #VTMobile https://twitter.com/JayashreeMudi/status/1574784062367371264/photo/1 2022-09-27 15:32:33
99 JayashreeMudi @Google @GooglePlay @GooglePlayBiz @IndianCERT Malware found in "Google Play Service" https://www.virustotal.com/en/file/134d2e2ad6f8f807ab7b85d300708f91b3808a48e814460329bd91513b5d9fa0/analysis/ #VTMobile https://twitter.com/JayashreeMudi/status/1574783687514025984/photo/1 2022-09-27 15:31:03
100 kyleehmke Domains above are/were most likely administered under one of the same Cloudflare accounts as the domains identified in the reports. Ref: https://www.disinfo.eu/wp-content/uploads/2022/09/Doppelganger-1.pdf https://medium.com/dfrlab/russia-based-facebook-operation-targeted-europe-with-anti-ukraine-messaging-389e32324d4b https://about.fb.com/wp-content/uploads/2022/09/CIB-Report_-China-Russia_Sept-2022-1.pdf 2022-09-27 15:04:55
101 kyleehmke Couple straggler domains to tack on to the list of RU sites spotted by Meta. @DFRLab. and @DisinfoEU: nd-aktuell.co itcb.life dekommnt.live ukcommunity.vip reuters.sbs reuters.cyou repubblica.world repubblica.icu https://twitter.com/DavidAgranovich/status/1574749289481351169 https://twitter.com/kyleehmke/status/1574777104109129728/photo/1 2022-09-27 15:04:54
102 pollo290987 #AgentTesla tgz - tar - exe /onedrive.live.com/download?cid= 15C1B05F4CF9C424&resid= 15C1B05F4CF9C424!125&authkey= APXVs5Wxcez3xYk 0591d8c9440f64ff934b06492517c00c de2545b7df2607c54157c20e25f2e035 fddd6adedc6f2149ed1dc3ccb2265268 C2 /api.telegram.org/bot1884223853 2022-09-27 14:53:26
103 malwarelabnet @jpvigneault @executemalware This should be similar: https://bazaar.abuse.ch/sample/6cf4b6897928f8630040e5cb5db66fc6b979be1d3b8849986db9f0ac5bef1b84/ 2022-09-27 14:40:08
104 pollo290987 #NetSupport zip - lnk - ps - exe /drive.google.com/file/d/1FqmNmbxMtBmhjoRNEB9R2yAYJHnzH47V f30ad837ce1a7e47bdf66b1a7988d685 11a1c14e4b01e0e02be114cb193431bb /gunbj.top/94 32e21644ece38047ecec2d2a0e473e0c 252dce576f9fbb9aaa7114dd7150f320 C2 /78.47.81.171/fakeurl.htm 2022-09-27 14:36:54
105 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /netflix-es.com/ ๐Ÿšฉ 45.148.116.57 โ˜ 4b42 UG ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1574754740273123329/photo/1 2022-09-27 13:36:02
106 pollo290987 #FormBook f1a51d89d108784d9fd93ac66df7fc18 : m21d 99128801351b81b164690fb32ddfe74f : tg49 ca266adea4aafb311d97bed9eec90ac4 : gski d9b7a393c95ae97707d02e75b4868004 : 4nfu dd5e073ffac4a782f687e2d5c5f498eb : rsea 2022-09-27 13:27:55
107 wallet_guard Details about the Mach-O Dropper/ https://www.virustotal.com/gui/file/fb1e0719a35635aa882fe5545d154f2d4349277e6a9ff89a29f1af229e29b034 2022-09-27 13:23:52
108 unreal4u @HeimdalSecurity Hi! One of our websites was flagged incorrectly as malicious by your tooling. I could not find a false positive report tool at your website. do you have any? https://www.virustotal.com/gui/url/79f293cb47eba3600109aadf3fbc67a94c45b39bc36fa1821838414dda6e9d04/detection 2022-09-27 12:55:41
109 yvesago #phishing VIA pdf file Document Confidentiel.pdf html form s://transfer.pcloud.com/fr/download.html?code= 5Z4V0SVZG0tDvdmKDsfZ3IXIZVLbAQxORjvLrYpVCBT1IQH7ai0jX&label= Transfer%20-%20files%20sent%20(to%20sender) POST to p://avocatcomores.com/smtpfr/cd/next.php ping @malwrhunterteam https://twitter.com/yvesago/status/1574734155056877577/photo/1 2022-09-27 12:14:14
110 pcrisk MMXXII ransomware; Phobos ransomware family; Extension: .MMXXII (also appends filenames with victim's unique ID and developers' email address); Ransom notes: info.txt and info.hta https://www.virustotal.com/gui/file/1f2c57feb6fcb80fe02d53778fa7c6b3bcba0319229fe9b9ff725a24d939c2b6/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-27 11:45:20
111 JAMESWT_MHT @webnic_cc mgcpakistan.com spread malware ๐Ÿ‘‡๐Ÿ‘‡๐Ÿ‘‡ https://www.virustotal.com/gui/domain/mgcpakistan.com/relations https://twitter.com/JAMESWT_MHT/status/1574712146503647233 https://twitter.com/JAMESWT_MHT/status/1574716063484370945/photo/1 2022-09-27 11:02:21
112 JAMESWT_MHT "Purchase order 2022-000011" spread #AgentTesla gz>chm>powershellscripts>injection aspnet_compiler.exe Samples ๐Ÿ‘‡๐Ÿ‘‡ https://bazaar.abuse.ch/browse/tag/mgcpakistan-com/ โš ๏ธps1 s://mgcpakistan.com/yimu.txt Exfil > FTP #compromised @WildWestDomains @GlobalHost_bh โšก๏ธftp.onogost.com User infoo@onogost.com https://twitter.com/JAMESWT_MHT/status/1574712146503647233/photo/1 2022-09-27 10:46:47
113 reecdeep ๐Ÿ‘ฝ#Azorult #Malware spotted by #malspam subject: Payment Proof Inquiry MD5: C7F6D53661D5A8A9428BCE65A5798BAF ๐Ÿ”ฅc2: hxxp://blsrs.shop/PL341/index.php #CyberSec #infosec #cybercrime #infosecurity https://twitter.com/reecdeep/status/1574709212311158784/photo/1 2022-09-27 10:35:07
114 reecdeep ๐Ÿ”ฅ#FormBook #Malware new c2 identified analysis: https://app.any.run/tasks/e4d7a628-2cef-42b6-9546-60b5b6b6e95a ๐Ÿ”ฅc2: tanaadd.info campaign: 4nfu #CyberSec #infosec #cybercrime #infosecurity 2022-09-27 09:16:53
115 Lvanoel https://cybersecure.eigenmagic.com/ Generate your own CyberSecureโ„ข rating label! 2022-09-27 09:06:03
116 JAMESWT_MHT "Fwd: Saldo fattura n.1046.2022 del 26.09.2022" spam email spread #AgentTesla #italy UniCredit-GP-1046.7z https://bazaar.abuse.ch/sample/f51a7947ff2708c119ee1d4505b2b32c92ec9a4acbd558895f6dde2f5344a88a/ UniCredit-GP-1046.exe https://bazaar.abuse.ch/sample/2aec2ff8f5bcb12ad1fe529e48bf408af0a0ac037d6cd44f12522215cf4c955d/ exfil via https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument https://twitter.com/JAMESWT_MHT/status/1574684719853469699/photo/1 2022-09-27 08:57:48
117 0xToxin "New order" malspam mail contains inside of it a URL: https://files.catbox.moe/nuu2ky.zip zip -> exe -> #Azorult C2: http://ble33n.shop/PL341/index.php Bazaar sample can be found by the C2 filter: https://bazaar.abuse.ch/browse/tag/ble33n-shop/ Triage: https://tria.ge/220927-kjxgaaeahj https://twitter.com/0xToxin/status/1574683613651664896/photo/1 2022-09-27 08:53:24
118 0xToxin @Bitbucket @AskAtlassian @ankit_anubhav @executemalware @Ledtech3 @James_inthe_box @JAMESWT_MHT @pr0xylife @embee_research @1ZRR4H @tosscoinwitcher @Max_Mal_ xls sample: https://bazaar.abuse.ch/sample/0755a10bbe45ec010a16f32e842c65be350eed0eb4b0e7cb1e2794986a34abb4/ 2022-09-27 08:29:13
119 SquiblydooBlog #SolarMarker pretending to be a chrome update. #Signed "Game Warriors Limited" https://tria.ge/220926-xqpq8schej/behavioral2 Back to PowerShell. file in the startup directory. PowerShell registry. C2: 146.70.53.146 Dropper: https://www.virustotal.com/gui/file/bb71d77ff7c7be3dc6957b08e57323092a43735df818b3150c41b8230c4d9be1/details Backdoor: https://www.virustotal.com/gui/file/db9dd6afce8addf2e6b61ab3a3ce9424168691b0f5dda4ce68dcbc4a79311101/details @JAMESWT_MHT https://twitter.com/SquiblydooBlog/status/1574669745651163137/photo/1 2022-09-27 07:58:17
120 pcrisk OkHacked Ransomware; Based on Chaos ransomware; Extension: .okhacked; Ransom notes: read_it.txt and desktop wallpaper https://www.virustotal.com/gui/file/d2238bcff8d4ff94256c8df702a31182763fa55325040cd484bc9abae2e69c5a/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-27 06:21:28
121 pcrisk Netlock Ransomware; MedusaLocker ransomware family; Extension: .netlock; Ransom note: how_to_back_files.html https://www.virustotal.com/gui/file/54b8ca90cd5c6b8053a612d2e8d99bf05f427b36e7fccc0f63427e1f386db186/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-27 06:09:01
122 JAMESWT_MHT #RecordBreaker disguises itself as #Malwarebytes and #DriverEasy spread #RaccoonStealer Samples cc @abuse_ch ๐Ÿ‘‡๐Ÿ‘‡๐Ÿ‘‡๐Ÿ‘‡ https://bazaar.abuse.ch/browse/tag/9178UTuitA24715UTuitA26909/ โš ๏ธ80.92.205.35/hfile.bin password 10619mlgrAGP7211mlgrAGP24753 โš ๏ธC2 94.131.107.206 https://twitter.com/JAMESWT_MHT/status/1574626812466180096/photo/1 2022-09-27 05:07:41
123 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /google.smartindiastore.com/ ๐Ÿšฉ 177.53.141.96 โ˜ Brasil Site Informatica LTDA ๐Ÿ”’ cPanel. Inc. Certification Authority https://twitter.com/phishunt_io/status/1574558112928890882/photo/1 2022-09-27 00:34:42
124 R3MRUM Go ahead and layer your payloads. bad guys. My OCD knows no bounds. Initial #DarkTortilla sample: https://www.virustotal.com/gui/file/21d70b6dc6d143150f513426c1dfc59dd3768e17c9f6864d2606637a611e7f17/detection #DarkCometRAT #BabylonRAT #AsyncRAT #WarzoneRAT C2s: dgorijan20785.hopto.org 45.74.4.244 https://twitter.com/R3MRUM/status/1574557389579120642/photo/1 2022-09-27 00:31:50
125 MBThreatIntel New domain shadowing host for #FakeUpdates/#SocGholish โžก๏ธ hair.2topost.com https://twitter.com/MBThreatIntel/status/1574509979784314880/photo/1 2022-09-26 21:23:26
126 gcjordi @JavaCat6 Hi ha tรจcnicament diverses maneres. mรฉs simple (que no millor ni mรฉs fidedigna. perรฒ si fร cil): agafa la IP objectiu. corrobora si tรฉ "banejos" Abusix a https://multirbl.valli.org/ i verifica si estร  "neta" a http://virustotal.com. Si "baneig" a un lloc i "net" a un altre sospita. 2022-09-26 19:57:50
127 pollo290987 #Astaroth #Guildma zip - lnk - zip - cmd - js /6fuaer.signaturedocusign.pics/%5BX9%5D/391749/Revisar_Documento1227027 074d6d707b3d293557a27369b5678689 bc8b1e0cdeb0fa3e324efd4cfc275218 465d4217bc8385624226eaaff3fa9985 c6a80baea2d09e856950bafde50ac634 C2 /61ou7i.vcestalivre.top 2022-09-26 18:48:27
128 pollo290987 #NetWire 4d3137651038dfe44ccf6440f6281dfb /192.3.194.246/P_O999.exe 3fbd38a88a5302483a14d8fa2510faf9 C2 /37.0.14.206:3384 2022-09-26 18:41:30
129 abyssdomainxprt sus #phishing domain https://loginoutlookonline.com hosted on a swiss IP 95.183.51.41 see also https://otx.alienvault.com/indicator/ip/95.183.51.41 2022-09-26 18:00:04
130 JohnTierney68 @BucksCouncil Forward to 7726 or report@phishing.gov.uk another good tool is https://www.virustotal.com owned by Microsoft all will act to kill these scammers customers all free to use quickest way to get them stopped allnetworks are working together on this !!! https://twitter.com/JohnTierney68/status/1574454162242289665/photo/1 2022-09-26 17:41:38
131 reecdeep ๐ŸŽ‰ Fresh #Formbook #Malware!!! Fresh #Formbook #Malware!!! targeting #italy ๐Ÿ‡ฎ๐Ÿ‡น using "Pagamento" as #malspam subject ISO > EXE https://app.any.run/tasks/c2a28d3b-0618-4d02-b82f-790b6518d656 ๐Ÿ”ฅ c2: grouppoprius.info campaign: hdzz #CyberSec #infosec #cybercrime #infosecurity 2022-09-26 16:46:53
132 pr0xylife #IcedID - .zip > .iso > .lnk > .js > .cmd > .dll Exec flow is the same as Qakbot all very exciting. rundll32.exe spurning\convolving.dll.#1 https://bazaar.abuse.ch/sample/8bac7df54648d64d943b80706db9de86ec5787d7cf3b330e860972568d100c4e/ c2 http://scainznorka.com/ IOC's https://github.com/pr0xylife/IcedID/blob/main/icedID_26.09.2022.txt https://twitter.com/pr0xylife/status/1574438784510427137/photo/1 2022-09-26 16:40:32
133 pollo290987 #FormBook 9841ea840eb4c5c2e761b161fa0b7ecc : o6ho 780958d2d7daf79013ab0ca478a96900 : lsg6 0ceac0981328007380508694cfe6a447 : jr22 59d24bcc44a883d21a48b2d368a1ff45 : nhg6 e73751f55731c2840cc0781c59ba32cc : gski 68e691b4ae0c4da9131e6bd536afc65d : 4nfu 2022-09-26 16:03:09
134 pr0xylife @James_inthe_box @JRoosen @k3dg3 @malware_traffic @0xhido @osipov_ar @0x49736b @Kostastsale @0xToxin https://timcunninghamhomes.com/dbi/ercetiasmxoeittne https://bazaar.abuse.ch/sample/75efc81fcd507e4f7956f5c3522b7e8a2f876118695d8c153e53f68360a77139/ 2022-09-26 15:45:36
135 yvesago one more @Dynadot #phishing s://sitebuilder178347.dynadot.com ping @malwrhunterteam @PhishStats https://twitter.com/yvesago/status/1574416396750028800/photo/1 2022-09-26 15:11:34
136 kyleehmke Suspicious domain msft-t.net was registered through Njalla on 9/25 and is hosted on a likely dedicated server at 195.54.175.154. Some similarly themed. registered. and hosted domains that may be related: msft-tools.net (195.54.174.154) mcsoft-cdn.com (195.54.174.51) https://twitter.com/kyleehmke/status/1574412697395167232/photo/1 2022-09-26 14:56:52
137 TaWeststrate Domain: http://rotterdamuas.com - AlienVault - Open Threat Exchange https://otx.alienvault.com/indicator/domain/rotterdamuas.com 2022-09-26 14:53:34
138 James_inthe_box @karbaladian @0xToxin @JAMESWT_MHT @embee_research @1ZRR4H @ankit_anubhav @Max_Mal_ @tosscoinwitcher @Ledtech3 @executemalware @pr0xylife https://www.elastic.co/security-labs/qbot-malware-analysis 2022-09-26 14:48:54
139 phishunt_io #SCAM ๐Ÿ‘ค https://twitter.com/BoredAplaYC ๐Ÿ”— /boredalpeyc.xyz https://twitter.com/phishunt_io/status/1574408734868004864/photo/1 2022-09-26 14:41:08
140 pollo290987 #NetSupport zip - lnk /drive.google.com/file/d/17bF8DQM1614iLQwkgOL631nxm8rNbV20 740e9d32eec45ca848eb403b22451ee4 632abf285ad60bbffc88c685ad8b66de /fygba.fun/22 whost.exe d46f79f8ebe259dbfb2a2e9391081365 C2 /88.198.178.95/fakeurl.htm 2022-09-26 13:51:23
141 pollo290987 #Raccoon zip - scr /drive.google.com/file/d/11F-xW2Kstwkc36XOMda0wL-gvKdELp9a/ 496bcbbc8f07379d2df350f39f8e31bb ae0561456b95cb469d1f39190605d971 C2 /20.163.204.239/ 2022-09-26 13:51:16
142 TaWeststrate Domain: http://arbeidsbureau.nl - AlienVault - Open Threat Exchange https://otx.alienvault.com/indicator/domain/arbeidsbureau.nl 2022-09-26 13:30:32
143 0xToxin #qakbot thread hijacking -> zip -> html -> zip (password protected) -> lnk -> js -> cmd -> dll Botnet: BB Campaign: 1664184863 all samples can be find under the campaign ID tag in bazaar: https://bazaar.abuse.ch/browse/tag/1664184863/ Triage: https://tria.ge/220926-ps571abhhq/behavioral7 https://twitter.com/0xToxin/status/1574380589439848448/photo/1 2022-09-26 12:49:17
144 suyog41 #kinsing 6ef46d2e92de0433521c859a03ec1205 https://www.virustotal.com/gui/file/e7e2df43143b416dd16b7789ff9bcc87789ef4e776720344b398463baa994361/detection 2022-09-26 11:55:58
145 yvesago #phishing @bitrix24 s://b24-5nwqhm.bitrix24.site/crm_form_amdsq/ ping @malwrhunterteam @PhishStats https://twitter.com/yvesago/status/1574362109454032897/photo/1 2022-09-26 11:35:51
146 yvesago #phishing with false frame ! s://placebore-github-io-1fhc.vercel.app/#su@gmail.com POST to 92.205.3.115 s://newmaxbattery-kr.co/hl/nnenee.php ping @malwrhunterteam @PhishStats https://twitter.com/yvesago/status/1574342385068146688/photo/1 2022-09-26 10:17:29
147 dubstard @Namecheap @MetaMask @ActorExpose @CryptoPhishing @CryptoScamDB @illegalFawn @JAMESWT_MHT @JCyberSec_ @sniko_ @nullcookies @Spam404 @Namecheap I am not sure how honest would a website be. given that the site currently -has John Doe as CEO -the team description is Lorem Ipsum -is just a template -used to be a fake donation charity website https://web.archive.org/web/20220115130028/ https://harvestspringskenya.org/ This is just a few red flags. among many. https://twitter.com/dubstard/status/1574334936219197440/photo/1 2022-09-26 09:47:53
148 yvesago #phishing s://communication.froward.bar/verifications.aspx?net= su@gmail.com ping @malwrhunterteam @PhishStats https://twitter.com/yvesago/status/1574314383039160320/photo/1 2022-09-26 08:26:12
149 pcrisk TeamDarkAnon Ransomware; Based on Chaos ransomware; Extension: .anon; Ransom notes: read_it.txt and desktop wallpaper https://www.virustotal.com/gui/file/a7355b23eff46052ef8c726773db604237a4705b14ef75a22d2b0a3a1f49b3c7/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-26 07:26:20
150 pcrisk Spartan Hack Ransomware; Based on Chaos ransomware; Extension: 4 random characters; Ransom note: read_it.txt; Probably still in-dev https://www.virustotal.com/gui/file/b54084d97459d6acac3a9e3c10fca562b0abd9744c027fc92cb6588896b609cb/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-26 07:03:52
151 JAMESWT_MHT #netsupport #Rat 7Z https://bazaar.abuse.ch/sample/9703d6d48c3f7a589f126f0218c59616899ad52b59b6b27d59370c57d218a854/ exe https://bazaar.abuse.ch/sample/c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f/ client32. ini https://bazaar.abuse.ch/sample/5fd2c01d98281f6b7603b772f4e204565735ffb1caf289ecf7ef51c28b7eec44/ Url https://urlhaus.abuse.ch/url/2313947/ โš ๏ธlive remote connection at 9:09 https://app.any.run/tasks/144a7da9-8cf9-4d06-b034-74d184b8d5fb #netsupport #rat #config > Gateway :3412 Bretvenyzer19.com Bretvenyzer17.com https://twitter.com/JAMESWT_MHT/status/1574291044778360832/photo/1 2022-09-26 06:53:28
152 pcrisk Wanqu Ransomware; Extension: .Wanqu; Ransom notes: RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt https://www.virustotal.com/gui/file/e1b3163dcfffe7a34040668ebd72528d50c22575d776751c4e0f5b091cf87fc8/detection @Amigo_A_ @LawrenceAbrams @demonslay335 @struppigel @JakubKroustek 2022-09-26 06:50:15
153 dubstard @Namecheap @MetaMask @ActorExpose @CryptoPhishing @CryptoScamDB @illegalFawn @JAMESWT_MHT @JCyberSec_ @sniko_ @nullcookies @Spam404 @Namecheap /harvestspringskenya.org is a fake website. disable it entirely. not just with 403! This placeholder "site" was created today ONLY to server fraud. nothing else! You keep doing this for the http://metamask.io. subdomain pattern and it is annoying Stop it. please https://twitter.com/dubstard/status/1574277223510482944/photo/1 2022-09-26 05:58:33
154 x512dbg malware adwind https://bazaar.abuse.ch/sample/129c188a40001cfc54c92bbe1d88dde350133c2456fa3b4e8efe3b5af702faff/ 2022-09-26 05:40:28
155 dubstard ๐ŸŽฏ @MetaMask โš  /metamask.io.merge.mdtransition.org โš  /metamask.io.merge.harvestspringskenya.org โ˜ฃ AS16276 199.188.200.218 | 162.213.251.215 ๐ŸŒ @Namecheap @ActorExpose @CryptoPhishing @CryptoScamDB @illegalFawn @JAMESWT_MHT @JCyberSec_ @sniko_ @nullcookies @Spam404 https://twitter.com/dubstard/status/1574269325028065282/photo/1 2022-09-26 05:27:10
156 bunnymaid @dubstard @Uniswap @tucows @PrivateLayer @ActorExpose @B0R444 @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @illegalFawn @sniko_ @nullcookies @Spam404 @uniyj1 @abuse_ch @enisa_eu @Swisscom_B2B @SWITCH_ch @KapoZuerich @SwitzerlandOSCE @GenevePolice @jsdBS @PoliceBern @CantonduJura /xn--etheeum-job.org (Obvious #Cryptoscam) and #punycode heretic. (funny r if you look closely) /tomadoge.one (#shitcoin) /teluspartner.support (ORLY?) /themerge.network (#Crypto #Scam) /themerge.foundation (Ditto) /ethereummerge.link (Getting tired now) /nieccock.finance (ew!) 2022-09-26 05:12:40
157 bunnymaid @dubstard @Uniswap @tucows @PrivateLayer @ActorExpose @B0R444 @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @illegalFawn @sniko_ @nullcookies @Spam404 @uniyj1 @abuse_ch @enisa_eu @Swisscom_B2B @SWITCH_ch @KapoZuerich @SwitzerlandOSCE @GenevePolice @jsdBS @PoliceBern @CantonduJura Let's keep looking. Just for this month. Get your barf bucket (XXL size) ready. /powsea.finance (#NFTurd) /dontorrent.vin (#BitTorrent movies of course) /astrashop.cards (no idea. looks fake) /seecdlify.fund (#cryptoscam) /aus-post.direct (Still not Australia) 2022-09-26 05:05:38
158 bunnymaid @dubstard @Uniswap @tucows @PrivateLayer @ActorExpose @B0R444 @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @illegalFawn @sniko_ @nullcookies @Spam404 @uniyj1 @abuse_ch @enisa_eu @Swisscom_B2B @SWITCH_ch @KapoZuerich @SwitzerlandOSCE @GenevePolice @jsdBS @PoliceBern @CantonduJura โญ๏ธ These are all DNS by our friends "njalla" who think it is cool to say "you can get no info" in their NS. aka. "1337 Services LLC" Let's have a look at the sort of qwolity 1337 they are. /degemeth.claims (#NFTurd) /aus-post.link (Not Australia) /fiatmoney.rip (web3 scam) 2022-09-26 04:56:54
159 dubstard @Uniswap @tucows @PrivateLayer @ActorExpose @bunnymaid @B0R444 @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @illegalFawn @sniko_ @nullcookies @Spam404 @uniyj1 #fraud @privatelayer โ˜ฃ AS51852 179.43.167.58 ๐Ÿ‡จ๐Ÿ‡ญ /uni5wap.org /unisvvap.claims /uniswap.airdrops.gifts /uniswap.claims /unl5wap.org /xn--uniswp-tta.org @abuse_ch @enisa_eu @Swisscom_B2B @SWITCH_ch @KapoZuerich @SwitzerlandOSCE @GenevePolice @jsdBS @policebern @CantonduJura https://twitter.com/dubstard/status/1574258195274825728/photo/1 2022-09-26 04:42:56
160 dubstard ๐ŸŽฏ@Uniswap โš  /app.unl5wap.org โ˜ฃ AS51852 179.43.167.58 ๐ŸŒ @tucows ๐ŸŽซ621702 ๐Ÿ–ง @privatelayer @ActorExpose @bunnymaid @B0R444 @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @illegalFawn @sniko_ @nullcookies @Spam404 @uniyj1 #phishing #cybercrime #web3 #fraud #scam https://twitter.com/dubstard/status/1574252800283918336/photo/1 2022-09-26 04:21:30
161 _tweedge .@ContaboCom Hey y'all can you remove the abuser from 154.53.51.77 or confirm they've already been booted? They are/were running part of a malware command & control scheme from your IPs. References: https://virustotal.com/gui/domain/privatproxy-schnellvpn.xyz. https://malwareremoval.com/forum/viewtopic.php?f= 11&t= 66857. https://pluribus-one.it/company/blog/84-cybersecurity/150-detecting-powershell-cryptostealer. etc 2022-09-26 02:50:48
162 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /itaucmc.repl.co/ ๐Ÿšฉ 34.149.204.188 โ˜ GOOGLE ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1574134939880235010/photo/1 2022-09-25 20:33:10
163 1ZRR4H @MichalKoczwara @malwrhunterteam Apparently it is a kind of Keylogger/Infostealer written in Borland Delphi (C:\Users\Admin\Desktop\FUD\Original\Unit1.pas) It sends the collected information to: /170.187.188.177/cms/gate81afcdd49a3b.php + https://bazaar.abuse.ch/sample/f34d178d34f3173b7f7f0686901603565936f6b6d988fa4fbd7183dd4dd84625/ /cc: @James_inthe_box @da_667 @Jane_0stin https://twitter.com/1ZRR4H/status/1574128884987138048/photo/1 2022-09-25 20:09:06
164 MichalKoczwara Ransomware actors still active. Two new files added. https://www.virustotal.com/gui/file/f34d178d34f3173b7f7f0686901603565936f6b6d988fa4fbd7183dd4dd84625/detection https://www.virustotal.com/gui/file/c562503c84ad2dab477e925bf8c0620363c7621f9a21d44574b4cd4f61413998/detection https://twitter.com/1ZRR4H/status/1571933868747378691 https://twitter.com/MichalKoczwara/status/1574103025693622277/photo/1 2022-09-25 18:26:21
165 petikvx Look at the Analysis of "0445ed81104c1189b3118b4eaf21aa9e1c4df489788e56a88b2e44e2bcd0971d" with malicious activity. https://app.any.run/tasks/088e74b3-cfa5-452b-93c3-cbff4e51a9d6 #ransomware @anyrun_app https://twitter.com/petikvx/status/1574069872719548416/photo/1 2022-09-25 16:14:37
166 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /steam-communilty.ru/ ๐Ÿšฉ 47.242.148.192 โ˜ Alibaba US Technology Co. Ltd. ๐Ÿ”’ Encryption Everywhere DV TLS CA - G1 https://twitter.com/phishunt_io/status/1574046906082381824/photo/1 2022-09-25 14:43:21
167 jfreeluv 9. https://morguefile.com 10. http://littlevisuals.co โš ๏ธ A Virus Can Be Added In Image Too Before Downloading Any Files Scan It With http://VirusTotal.com For Your Safety Also Use At Your Own Risk โ—๏ธ 2022-09-25 13:25:34
168 adityaar_sharma @Gtarafdarr @wpdocsxyz Can you check. got some alerts for the page? Need to whitelist the domain for some engines - https://www.virustotal.com/gui/url/5ce2e5ad524a96dbe7e337c0f0fe2a45abb0b08f25d3e00828483808c28aa979 https://twitter.com/adityaar_sharma/status/1573970412907933696/photo/1 2022-09-25 09:39:24
169 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /apply-for-online-work-from-home.site.rich42.com/ ๐Ÿšฉ 148.72.158.202 โ˜ AS-30083-GO-DADDY-COM-LLC ๐Ÿ”’ cPanel. Inc. Certification Authority https://twitter.com/phishunt_io/status/1573956814986792960/photo/1 2022-09-25 08:45:22
170 petikvx Look at the Analysis of "84c06f4b2fd1ebc6a931f112520fb13300f3b36c45cacb956f6045e6f388e5fb" . https://app.any.run/tasks/b6fb6f22-df80-4e77-967a-2c2ae99a975f #ransomware @anyrun_app https://twitter.com/petikvx/status/1573951917969084417/photo/1 2022-09-25 08:25:54
171 500mk500 @r3dbU7z Looks like IP: 1.117.144.20 is in use for Cobaltstrike samples: https://www.virustotal.com/gui/ip-address/1.117.144.20/relations 2022-09-25 07:51:06
172 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /facebook-login.top/ ๐Ÿšฉ 84.17.46.54 โ˜ Datacamp Limited ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1573871419338940417/photo/1 2022-09-25 03:06:02
173 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /apple-reactivate.firebaseapp.com/ ๐Ÿšฉ 199.36.158.100 โ˜ FASTLY ๐Ÿ”’ GTS CA 1D4 https://twitter.com/phishunt_io/status/1573792140915777540/photo/1 2022-09-24 21:51:00
174 xiatianguo t.me/shendepindao666666/184 #telegram #phishing #carding #cvv #ๆ”ถ่ดง This video was recorded at one of ๆ”ถ่ดงๅœฐๅ€๏ผŒa carding scammerโ€™s delivery addresses. Can anyone guess where they are? ๐Ÿ“Download https://mega.nz/folder/I9kElIoL#TEUbFbNywPmK1C_72i4WLg https://twitter.com/xiatianguo/status/1573747595549310978/photo/1 2022-09-24 18:54:00
175 500mk500 @malwrhunterteam C2: 182.16.42.18:10102 for related samples: https://www.virustotal.com/gui/ip-address/182.16.42.18/relations 2022-09-24 17:55:26
176 chuksjonia One of the PEs that has evaded people analyzing #Albanian Cyber attack. I have just uploaded it here. Suitrellne.exe https://www.virustotal.com/gui/file/8508c59edf4114a4f566b58050bf162260713deac06ded4363a9524bda610e79/details 2022-09-24 17:16:41
177 JAMESWT_MHT @idclickthat @telegram @GoDaddy @malwrhunterteam @ULTRAFRAUD @1ZRR4H @dubstard @JRoosen @AlvieriD @ActorExpose @nullcookies @GoDaddyHelp @GoDaddyPro @GoDaddyCanada from /pjyhee.com/data/tsetup-x64.4.1.0.exe MD5 b9e5b303ba2da7d31664a58754131267 https://www.virustotal.com/gui/file/59cbb523d6284c5f3ad5078cd08d585be0b64d92bef6bbc331c46c10141be85a/details looks like genuine telegram as download from https://updates.tdesktop.com/tx64/tsetup-x64.4.1.0.exe MD5 b9e5b303ba2da7d31664a58754131267 2022-09-24 17:15:25
178 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /apply-for-online-work-from-home.site/ ๐Ÿšฉ 107.161.183.163 โ˜ DIMENOC ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1573721134448738307/photo/1 2022-09-24 17:08:51
179 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /myamazon.de.apsigninen.103-198-26-94.plesk.page/ ๐Ÿšฉ 172.66.44.250 โ˜ CLOUDFLARENET ๐Ÿ”’ GTS CA 1P5 https://twitter.com/phishunt_io/status/1573660337802514435/photo/1 2022-09-24 13:07:16
180 techworldaleant Recensioni false e fretta per ritirare il premio sono il giusto mix per un bel #malware una truffa o del #phishing https://www.virustotal.com/gui/url/6775c42ba8fc68cedbfb72bc5617a190c9a8db177995ac035ffec54e976c6175?nocache= 1 #scam https://twitter.com/techworldaleant/status/1573646363828666370/photo/1 2022-09-24 12:11:44
181 adl_bdh ู„ู„ู‡ูˆุงุชู ูˆุงู„ุขูŠุจุงุฏ ู…ูˆุณูˆุนุฉ ู†ุถุฑุฉ ุงู„ู†ุนูŠู… ููŠ ู…ูƒุงุฑู… ุฃุฎู„ุงู‚ ุงู„ุฑุณูˆู„ ุงู„ูƒุฑูŠู… ูƒุงู…ู„ุฉ ููŠ ู…ู„ู ูˆุงุญุฏ ุฑุงุจุท ุฅุซุจุงุช ุฎู„ูˆ ุงู„ู…ู„ู ู…ู† ุงู„ููŠุฑูˆุณุงุช https://www.virustotal.com/gui/file/690e888a5bec5d866bc9bfbdb8abc7c0d6a15dca43eb1a0e54e87dfb13b6a2c6?nocache= 1 ุฑุงุจุท ุชู†ุฒูŠู„ ุงู„ูƒุชุงุจ ู…ู„ู epub https://u.pcloud.link/publink/show?code= XZFjGhVZoY90Q09Eh7YsyhJt1CAxzjgkAEYV ุฃูˆ https://archive.org/download/20220924_20220924_1036/%D9%85%D9%88%D8%B3%D9%88%D8%B9%D8%A9%20%D9%86%D8%B6%D8%B1%D8%A9%20%D8%A7%D9%84%D9%86%D8%B9%D9%8A%D9%85%20%D9%81%D9%8A%20%D8%A3%D8%AE%D9%84%D8%A7%D9%82%20%D8%A7%D9%84%D8%B1%D8%B3%D9%88%D9%84%20%D8%A7%D9%84%D9%83%D8%B1%D9%8A%D9%85%20%D9%83%D8%A7%D9%85%D9%84%D8%A9.epub ุงู„ู…ูˆู‚ุน https://adel-ebooks.mam9.com/t4832-topic#18825 https://twitter.com/adl_bdh/status/1573632384209133568/photo/1 2022-09-24 11:16:11
182 500mk500 "Matches rule APT_PupyRAT_PY.." Refs: https://www.virustotal.com/gui/file/b7db1b9c1d3ae7d2345c9d9670e8f504c21a6a692048b725637a2ea04f877fa8/detection https://www.virustotal.com/gui/file/c342cdce7cdc2fa915c124d3114cdf2d61ab441ce61ba68b34d3e0f4a16e5a77/detection https://www.virustotal.com/gui/file/065681acd95662e3a38aaf09c6cdad7d3fe0b8896c6c15be2d579e086936daa0/detection Connections: ac1dbath.duckdns.org forexlive.duckdns.org postbox.serveftp.com Detection: https://github.com/stamparm/maltrail/commit/2646dfb507dd1fcc75aac94acfc6c94f9eb0e640 https://twitter.com/500mk500/status/1573630709222236162/photo/1 2022-09-24 11:09:32
183 techworldaleant Attenzione #phishing #malware YะพuTubะต Suppะพrt ha condiviso un elemento Copyright Warning.pdf - Non aprire/scaricare l'allegato - Non cliccare sul collegamento a Google Drive https://www.virustotal.com/gui/url/887ea49034023bdda04c737ebb6d9aa37280a7b428468be38e4cda15e84e6dbc?nocache= 1 @YouTubeCreators @YouTube https://twitter.com/techworldaleant/status/1573624617033515010/photo/1 2022-09-24 10:45:19
184 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /instagram-login-page.ga/ ๐Ÿšฉ 172.67.210.63 โ˜ CLOUDFLARENET ๐Ÿ”’ E1 https://twitter.com/phishunt_io/status/1573598224056819713/photo/1 2022-09-24 09:00:27
185 JAMESWT_MHT fixed the "loader bat" added "/get/" https://bazaar.abuse.ch/sample/cfe8b67cc2046f6c85e068f77498d85be2198bd69615d9c3746fac87fba51357/ Run https://app.any.run/tasks/3c6c45d2-f174-4178-a76e-c06f75b0a95a/ 151.5.20.184 Wind Tre S.p.A. 85.25.204.244 Servereasy Srl ๐Ÿ”ฅโš ๏ธ147.53.196.47 FritzBox router @eolo_it โš ๏ธ๐Ÿ”ฅ https://twitter.com/JAMESWT_MHT/status/1573576804442509312/photo/1 2022-09-24 07:35:20
186 JAMESWT_MHT Samples Collection Updated https://bazaar.abuse.ch/browse/tag/morpheus/ Urls https://urlhaus.abuse.ch/browse/tag/Morpheus/ "MORPHEUS TRADING INSTITUTE" "Contatta admin@morpheustradinginstitute.com" ๐Ÿ”ฅHELLO "ALE from ITALY" #RAT Users\Ale\Desktop\victim\core\upload\upload.go github .com\gonutz\w32\v2@v2.5.0\constans.go https://twitter.com/JAMESWT_MHT/status/1573558813390692352/photo/1 2022-09-24 06:23:51
187 dubstard @charliek3lly @balancerlabs @msftsecresponse @googlecloud @Balancer_Esp @bunnymaid @CryptoPhishing @DefiGod5 @gerrrrrrrrrg @JCyberSec_ @sniko_ @nullcookies @Spam404 @fcmartinelli @msftsecurity @MsftSecIntel @charliek3lly @msftsecresponse @msftsecurity @MsftSecIntel The abuse on 52.172.251.202 continues. despite the report sent. Please wake up. https://twitter.com/dubstard/status/1573535766805970945/photo/1 2022-09-24 04:52:16
188 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /netflix-regularisation.fr/login.php ๐Ÿšฉ 45.148.116.57 โ˜ 4b42 UG ๐Ÿ”’ R3 https://twitter.com/phishunt_io/status/1573512793357262851/photo/1 2022-09-24 03:20:59
189 malware_traffic 2022-09-23 (Friday) - #IcedID (#Bokbot) infection with #CobaltStrike - Cobalt Strike server on 78.128.112.139:443 using self-signed certificate for HTTPS traffic - #pcap. associated malware. and IOCs available at: https://www.malware-traffic-analysis.net/2022/09/23/index.html https://twitter.com/malware_traffic/status/1573471048699346954/photo/1 2022-09-24 00:35:06
190 ozuma5119 โš ๏ธ #Phishing Alert hxxp://loqqnd.ln123.cc/ โ†’ hxxp://yahoo-jp.rg123.cc/ IP: 202.61.137.58 202.61.137.39 (AS64050 BGPNET) Registrar: ้˜ฟ้‡Œไบ‘ Alibaba Cloud IoC: https://otx.alienvault.com/pulse/632e33cafcb91e3e5e5ced86 Brand: Yahoo! JAPAN๐Ÿ‡ฏ๐Ÿ‡ต ใƒคใƒ•ใƒผ ๐Ÿ“ need SrcIP= JP๐Ÿ‡ฏ๐Ÿ‡ต to access the Phishing Site. https://twitter.com/ozuma5119/status/1573441542031044608/photo/1 2022-09-23 22:37:51
191 phishunt_io #NewPhishing | #phishing #scam ๐Ÿ”— /facebook-help-1001745492514101.web.app/ ๐Ÿšฉ 199.36.158.100 โ˜ FASTLY ๐Ÿ”’ GTS CA 1D4 https://twitter.com/phishunt_io/status/1573433395857838084/photo/1 2022-09-23 22:05:29
192 louzaonet Y aquรญ el anรกlisis de @virustotal del archivo. para los paranoicos ๐Ÿ˜Ž https://www.virustotal.com/gui/file/c86e1dac5e238febbf5c833f041587665aed40b7f598bfaac459432ed9e9d52c/detection 2022-09-23 21:59:53
193 da_667 https://www.bleepingcomputer.com/news/security/npm-packages-used-by-crypto-exchanges-compromised/ grabbed a copy of the python script and dumped it to VT. https://www.virustotal.com/gui/file/5ef1a86c852a771b3975b87c0f34f6a92a4c6c54929d6464d6cb96b7e19d8e86 2022-09-23 20:10:15
194 MBThreatIntel Domain shadowing host observed in #SocGholish/#FakeUpdates campaign โžก๏ธ custom.usmuchmedia.com C2 (same): .moments.abledity.com https://twitter.com/MBThreatIntel/status/1573403271292919808/photo/1 2022-09-23 20:05:46
195 pollo290987 @1ZRR4H @StopMalvertisin @luigi_martire94 @JAMESWT_MHT Spain and Argentina are also affected. ๐Ÿค” Curious fact. in the logs of MX.SP.AR the first victim registered is: DESKTOP-5D77G58 n3 WIndows 10 Windows Defender 187.71.66.108 Brazil - Brasilia - Federal District https://twitter.com/pollo290987/status/1573386398689906688/photo/1 2022-09-23 18:58:44
196 Cyb3rTldr https://www.virustotal.com/gui/ip-address/20.226.7.111/detection 2022-09-23 18:39:15
197 pollo290987 #NetSupport zip - lnk - ps - exe /drive.google.com/file/d/1evaa5luF-6hapdNN21XACfQXTEdYEgiu/ 6df80e8a6bb8d7cd9cc48cdb57a5adcc a5e5b57cdf5de758260e5e76435eaa73 /fygba.fun/17 d46f79f8ebe259dbfb2a2e9391081365 252dce576f9fbb9aaa7114dd7150f320 C2 /88.198.178.95/fakeurl.htm 2022-09-23 18:17:19
198 pollo290987 #AveMaria 475519f550f6023c7673f07bd1a14164 C2 /81.161.229.75:5200 2022-09-23 17:24:51
199 pollo290987 #Formbook 2c917e3f516966c9678467a44a75e7b3 /208.67.105.179/samuelzx.exe 58f0875c2e801df99d7524daf4bc8a41 Campaign: dmpz 2022-09-23 17:24:45
200 yvesago #phishing @Dynadot s://sitebuilder177991.dynadot.com/ ping @malwrhunterteam @ANSSI_FR @PhishStats https://twitter.com/yvesago/status/1573361097104830466/photo/1 2022-09-23 17:18:11