| 1 |
bad_packets |
4 transactions now. total received stands at
0.30863173 BTC (~$5.800 USD)
https://www.blockchain.com/btc/address/1Eo9FKmAkNg8UAR4xj6F15Y53phFutzSys https://twitter.com/bad_packets/status/1334991685021929472/photo/1
|
2020-12-04 22:43:15 |
| 2 |
OTX |
status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/8qbycktrwnf2?u= m813w62v70kp
|
2020-12-04 21:46:09 |
| 3 |
malware_traffic |
From 2020-12-02 (Wednesday) to 2020-12-03 (Thursday). I ran a #Qakbot infection and saw #CobaltStrike activity several hours later - Also saw a small bit of HTTPS traffic to www.coolwick.com - Paste of info: https://pastebin.com/z36CxZ5z - Pastebin raw: https://pastebin.com/raw/z36CxZ5z https://twitter.com/malware_traffic/status/1334969751509094402/photo/1
|
2020-12-04 21:16:05 |
| 4 |
jaimeblascob |
@InQuest Fair amount of other payloads hosted there as well as files reaching out to the IP https://otx.alienvault.com/indicator/ip/216.170.114.70
|
2020-12-04 20:25:47 |
| 5 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 66
VirusTotal: https://www.virustotal.com/gui/file/6eab7bffc475c38a72197435609ca3a46551af56cc55540d793dd9329a00ee64/detection/f-6eab7bffc475c38a72197435609ca3a46551af56cc55540d793dd9329a00ee64-1579173798
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 20:25:02 |
| 6 |
lazyactivist192 |
#Qakbot/#Qbot spun up their "041220.gif" campaign. using binaries signed by "APOTHEKA. s.r.o." again. Sheets are fairly low detection rate at 2/70.
https://pastebin.com/K9Ayg4Yq
|
2020-12-04 20:21:15 |
| 7 |
OTX |
status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/d614vhs28ltn?u= 1rvbx4y6q9wy
|
2020-12-04 19:26:43 |
| 8 |
InQuest |
@FewAtoms Nice find.. looks like they did some storage refactoring since our first Tweet. That RTF document hash has changed as well. Now it's 0579b258d0be73b20cd434e8004e2bcd134f3277915f30f743f03f9b55fe0cf6
|
2020-12-04 19:12:23 |
| 9 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 64
VirusTotal: https://www.virustotal.com/gui/file/44533af9de63dd3fac4a9fbba9b6831496b9121eb3ce221145926c3d6b37310e/detection/f-44533af9de63dd3fac4a9fbba9b6831496b9121eb3ce221145926c3d6b37310e-1606723218
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 19:05:02 |
| 10 |
bad_packets |
DNS-hijacking exploit attempts ongoing targeting D-Link and ZTE routers.
Rogue DNS server 192.95.59.130 (๐จ๐ฆ) still online.
Target: ๐ง๐ท banks. per @siimi_m_
#threatintel https://twitter.com/bad_packets/status/1330346587126632451 https://twitter.com/bad_packets/status/1334934875615326208/photo/1
|
2020-12-04 18:57:30 |
| 11 |
phishunt_io |
#NewPhishing | #phishing #scam
๐ /lnstagram-help-center-copyrght.ml/
๐ฉ 172.67.195.216
โ CLOUDFLARENET https://twitter.com/phishunt_io/status/1334930847129104384/photo/1
|
2020-12-04 18:41:30 |
| 12 |
James_inthe_box |
@bofheaded @malwrhunterteam @DissectMalware @Malwageddon @anyrun_app A few more:
https://www.hybrid-analysis.com/yara-search/results/6b47f8b4f94b047438dee92594c27ad1513ad2c3f55caec8d37a4db42d913c4a
|
2020-12-04 18:16:16 |
| 13 |
James_inthe_box |
@bofheaded @malwrhunterteam @DissectMalware @Malwageddon So your run is a bundle..attempts to drop:
http://212.80.219.173/googlemap.exe
http://185.243.113.10/lexus.exe
attrib is the same as the @anyrun_app I tweeted. https://twitter.com/James_inthe_box/status/1334921171570098177/photo/1
|
2020-12-04 18:03:03 |
| 14 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 62
VirusTotal: https://www.virustotal.com/gui/file/9395b8f1ef8bd964b349b320a5079816bae8b676caa2d8df17a69d41009eab1d/detection/f-9395b8f1ef8bd964b349b320a5079816bae8b676caa2d8df17a69d41009eab1d-1600061998
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 17:55:02 |
| 15 |
OTX |
status Completed: An upgrade to the OTX Web site is complete. https://stspg.io/4rmxncld1xg3?u= x7wgvv1r3vlk
|
2020-12-04 17:32:52 |
| 16 |
ffforward |
Friday #qbot #qakbot #quakbot inc. Complaint-Letter_*_12042020.zip
XLS https://bazaar.abuse.ch/sample/bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823/
โฌ https://urlhaus.abuse.ch/url/889019/
DLL https://bazaar.abuse.ch/sample/679f9013eedb140beadc91e4983d4cef7adbc6b5fdfdb77ad74ad82dd67d2e4e/
#Signed "AGRO - KOVO spol. s r. o."
Config by @hatching_ioโค๏ธ https://tria.ge/201204-6h2bnpww5a
cc @JAMESWT_MHT @James_inthe_box https://twitter.com/ffforward/status/1334893984901160962/photo/1
|
2020-12-04 16:15:01 |
| 17 |
ffforward |
Another #AgentTesla. Exfils to /mail.yandex.com with TLS so obviously Iranian APT trying to masquerade as Russian APT.
https://bazaar.abuse.ch/sample/37bac12dc8f7e3aa6ac6a2856d932c46b30945043f097097753cd9abf78323e7/
cc @JAMESWT_MHT https://twitter.com/ffforward/status/1334886010459738113/photo/1
|
2020-12-04 15:43:20 |
| 18 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 64
VirusTotal: https://www.virustotal.com/gui/file/1c4a7589d26c97c38d4f826242b6740b35441e43ddd7394d399dbf94ab868483/detection/f-1c4a7589d26c97c38d4f826242b6740b35441e43ddd7394d399dbf94ab868483-1606797618
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 15:25:02 |
| 19 |
JAMESWT_MHT |
#VelvetSweatshop xlsx caught by @abuse_ch
https://bazaar.abuse.ch/browse/tag/VelvetSweatshop/
Drop #AgentTesla
https://bazaar.abuse.ch/sample/00f5c6bba9ef3a6af2ae5195c89e46529744e9cf4eabe9d1d8959a068970b93a/
https://bazaar.abuse.ch/sample/a72ee397635337a52d81d5a1d5bea4c48a375af13dc2848737f21c0577ab17b5/
https://bazaar.abuse.ch/sample/11984c9c8d7bfe34b27fd41ea7f08f7b97923a8c4cf0316138d34bd90cb1a38a
https://bazaar.abuse.ch/sample/b457e5f6faf9eb8c70d0350ff57869f011cd1c4abdf6db5d6335797e33ae7d10/
Urls
https://urlhaus.abuse.ch/browse/tag/VelvetSweatshop/
https://urlhaus.abuse.ch/url/888515/
cc @malwrhunterteam @FBussoletti @cocaman https://twitter.com/JAMESWT_MHT/status/1334878767714537472/photo/1
|
2020-12-04 15:14:33 |
| 20 |
ffforward |
Some skidware #agenttesla-like #stealer targeting ๐ช๐ธ . Exfils to /mail.crealuz.es. not the first to do so. https://bazaar.abuse.ch/sample/8e9adb1c076c14c7316dcba86cfa55987aa194f9cb189c79bc22e617c0d65252/
cc @JAMESWT_MHT https://twitter.com/ffforward/status/1334877492251938823/photo/1
|
2020-12-04 15:09:29 |
| 21 |
amitaiz |
ื"ืืืืชื" ืฉื ืฉืืจืืื ืืืืจ ืฉืืคืืืขื ืฉืื ืจืื ืคืืข ืืืืจื (ืื"ื ืงืืืจ ืกืงื) ืืืืื ืจืง ืขื ืืื 7 ืืชืื 70 ืืื ืื ืื ืืืจืืก. ืืชืืื ืืื ืกื ืืื ื ืืืื ๐ช
ืขืื ืชืืื: ืื ื ืื ืืืืข ืืื ืื ื ืืกืื ืืชืงืฉืืจืช ืขื ืืฉืจืช C&C ืืจื ื-DNS ืื ืืคืืืจืืื. ืืฉืื ืืฉืืืข ืืื ืฉืื ืฉืืืื ืื:
https://www.virustotal.com/gui/file/96cc69242a7900810c4d2e9f3f55aad8edb89137959f4c370f80a6e574ddc201/detection
|
2020-12-04 14:45:40 |
| 22 |
siri_urz |
.SYTCO 811C6DE9CE787C8D540A09795A5673C1
Conti Ransomware https://twitter.com/siri_urz/status/1334870080488939521/photo/1
|
2020-12-04 14:40:02 |
| 23 |
dubstard |
๐ฏ @fbsecurity @Facebook
โ /yazparaยญ.com
โฃ AS22612 199.188.201.148 ๐บ๐ธ
๐ง๐ Namecheap
๐ @SectigoHQ @sectigostore
@JAMESWT_MHT @JCyberSec_ @whale_it
๐ ๐Same IP already seen and reported before. abuse continues:
๐ https://twitter.com/dubstard/status/1313149617354272770
๐ https://twitter.com/JCyberSec_/status/1313434143691362305 https://twitter.com/dubstard/status/1334868056909209603/photo/1
|
2020-12-04 14:32:00 |
| 24 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 65
VirusTotal: https://www.virustotal.com/gui/file/07ddc1174619fa3982bf105cb95b1ba5bb7e55c2a6977ac8a387536c0bbd4f00/detection/f-07ddc1174619fa3982bf105cb95b1ba5bb7e55c2a6977ac8a387536c0bbd4f00-1605960378
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 14:10:02 |
| 25 |
andpalmier |
https://verifica.ora-online.help/
๐๏ธ @hostinger
๐ @letsencrypt
โฃ๏ธ 2.57.89.81 (AS47583)
๐ https://urlscan.io/result/71bc0c40-c3f7-4ace-8b0c-f288a347ec83/ https://twitter.com/andpalmier/status/1334861854406021120/photo/1
|
2020-12-04 14:07:21 |
| 26 |
andpalmier |
https://normativacertificata-dati.com/
๐๏ธ @Namecheap
๐ @SectigoHQ
โฃ๏ธ 162.0.209.241 (AS22612)
๐ https://urlscan.io/result/60ef0633-24b6-424f-80c5-1da3ca0a886a/
https://accesso.clienti.portale.jameka.net
๐๏ธ @ardhosting
๐ @letsencrypt
โฃ๏ธ 103.20.190.12 (AS45731)
๐ https://urlscan.io/result/95802f7d-cc46-4351-9a1a-129df922aadc/ https://twitter.com/andpalmier/status/1334861849716781056/photo/1
|
2020-12-04 14:07:20 |
| 27 |
andpalmier |
https://lnformazionesicurezza-online.com/
๐๏ธ @internetbs
๐ @letsencrypt
โฃ๏ธ 185.224.137.56 (AS47583)
๐ https://urlscan.io/result/d6af7c26-fd4d-4512-b86f-4befabb28e82/
https://portalesanpaolo.com/index
๐๏ธ @Namecheap
๐ @SectigoHQ
โฃ๏ธ 162.0.209.240 (AS22612)
๐ https://urlscan.io/result/e9e431f7-5bb2-4863-9241-2fa75dbbf186/ https://twitter.com/andpalmier/status/1334861845514113026/photo/1
|
2020-12-04 14:07:19 |
| 28 |
andpalmier |
https://assistenzaappweb.com/
๐๏ธ @a2hosting
๐ @cpanel
โฃ๏ธ 70.32.23.76 (AS55293)
๐ https://urlscan.io/result/85ce5431-030f-4168-90ea-9beafca57c56/
https://aggiorna-dati-conto.com/index
๐๏ธ @Namecheap
๐ @SectigoHQ
โฃ๏ธ 68.65.120.126 (AS22612)
๐ https://urlscan.io/result/c7fc6ae8-9f84-4dc1-a366-54d7dc21f4e6/ https://twitter.com/andpalmier/status/1334861841370140672/photo/1
|
2020-12-04 14:07:18 |
| 29 |
andpalmier |
https://obblighiaggiornamenti.com/
๐๏ธ @a2hosting
๐ @cpanel
โฃ๏ธ 70.32.23.76 (AS55293)
๐ https://urlscan.io/result/eb9ada7b-05d2-4be9-a24b-5af99ce8bfd9/
https://portale-intesasp.com/index
๐๏ธ @Namecheap
๐ @SectigoHQ
โฃ๏ธ 162.0.209.246 (AS22612)
๐ https://urlscan.io/result/83be6939-5f70-4be7-9fc4-b3f7ed6dc241/ https://twitter.com/andpalmier/status/1334861837263904772/photo/1
|
2020-12-04 14:07:17 |
| 30 |
andpalmier |
https://informazione-conto.com/
๐๏ธ @internetbs
๐ @letsencrypt
โฃ๏ธ 82.221.136.4 (AS50613)
๐ https://urlscan.io/result/dd4a4bdc-b025-4b5e-bc79-fdd6d3e8f2da/
https://supporto-dati.com/
๐๏ธ @internetbs
๐ @letsencrypt
โฃ๏ธ 82.221.105.125 (AS50613)
๐ https://urlscan.io/result/64aa7c45-a72f-4a9c-aadc-bd6122752b0a/ https://twitter.com/andpalmier/status/1334861833124057089/photo/1
|
2020-12-04 14:07:16 |
| 31 |
andpalmier |
#mwitaly #phishing @IntesaSP_Help @UniCredit_IT @PosteNews ๐ฃ๐ฎ๐น
CC @JAMESWT_MHT
URLs: https://gist.github.com/andpalmier/060bc76e3de68ae361de160a42bb4835
โ ๏ธ exposed victims creds
Info โฌ๏ธ https://twitter.com/andpalmier/status/1334861828824895488/photo/1
|
2020-12-04 14:07:15 |
| 32 |
sdotknight |
Looks like another sample of the Lazarus fileless implant for macOS has popped up.
https://www.virustotal.com/gui/file/bb430087484c1f4587c54efc75681eb60cf70956ef2a999a75ce7b563b8bd694/details
|
2020-12-04 13:37:53 |
| 33 |
pcrisk |
@Emm_ADC_Soft @demonslay335 Sample - https://www.virustotal.com/gui/file/5af0f5b0bada5b7aaa681eddebc47734267af06eb39610590a625315f449d4de/detection
|
2020-12-04 13:37:22 |
| 34 |
PGRotondo |
La Threat Intelligence #ThreatIntelligence รจ utile solo se condivisa. https://xforce.io
Entra nel gruppo "Italy eXchange". condiviti e cerca informazioni su campagne di #malware in #Italia.
|
2020-12-04 13:36:20 |
| 35 |
Racco42 |
#malspam "Outstanding Invoices" with .js attachment brings #loda
https://app.any.run/tasks/c7fc7a6b-0d28-4994-a44c-0e07ebaf7d98
C2: tmlo.awsmppl.com:50253
|
2020-12-04 13:08:01 |
| 36 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 60
VirusTotal: https://www.virustotal.com/gui/file/75bd35501d9fe2df1205ea415754f5538926cd5ea2e35fde516f56ec8157d76b/detection/f-75bd35501d9fe2df1205ea415754f5538926cd5ea2e35fde516f56ec8157d76b-1550046656
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 12:15:02 |
| 37 |
phishunt_io |
#NewPhishing | #phishing #scam
๐ /connect.faceboook-8280919741631.com/
๐ฉ 162.0.209.244
โ NAMECHEAP-NET https://twitter.com/phishunt_io/status/1334830362871144450/photo/1
|
2020-12-04 12:02:13 |
| 38 |
elgofo |
@ArthurHoaro l'analyse est lร https://www.virustotal.com/gui/file/c1dd9c26671fddc83c9923493236d210d7461b29dd066f743bd4794c1d647549/detection
|
2020-12-04 11:26:02 |
| 39 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 63
VirusTotal: https://www.virustotal.com/gui/file/690c35be19958fba1cb29a124eba641b7e3f9fb32c415ffead2df0875b025a42/detection/f-690c35be19958fba1cb29a124eba641b7e3f9fb32c415ffead2df0875b025a42-1601466110
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 11:20:03 |
| 40 |
andpalmier |
Hey. these are still active:
dvla-vehicletax-rebate.com
re5512.com
4uk-app.com
ref427.com
24yrs.com
8r180.com
@Domaindotcom @HostGator @Cloudflare @Namecheap @SectigoHQ
cc @JAMESWT_MHT https://twitter.com/andpalmier/status/1334423259006328836 https://twitter.com/andpalmier/status/1334814772538249216/photo/1
|
2020-12-04 11:00:16 |
| 41 |
malwaretracekr |
#Malware #ํ๋ฐฐ #Parcel #์ค๋ฏธ์ฑ #Smishing #MoqHao
h**p://gg.gg/ndegg -> h**p://osyximjnob.duckdns.org/?ztdjvjtvrh @duckdns (185.223.167.64) @zenlayer #AS21859
Download app : <Random>.apk (Chrome)
https://www.virustotal.com/gui/file/4a81fc9f327245252f3ac0ca61143ec8038a61494d78384592af2c8e899719f8/detection https://twitter.com/malwaretracekr/status/1334814444199636993/photo/1
|
2020-12-04 10:58:57 |
| 42 |
olihough86 |
#404Keylogger #stealer
exfil SMTP 597 //orisinlog.com
related opendir: https://twitter.com/petrovic082/status/1334788350197248008
https://app.any.run/tasks/cd0a8bd5-81ad-4b5f-b225-6337f3179f2d
|
2020-12-04 10:37:12 |
| 43 |
Certego_Intel |
#Malware #Hancitor #Blocklist
Domain: freitasforcongress.com
VirusTotal: https://www.virustotal.com/gui/domain/freitasforcongress.com
#CyberSecurity #ThreatIntel (bot generated)
|
2020-12-04 10:20:01 |
| 44 |
abel1ma |
12ๆ4ๆฅ18ๆใใใซๆฅๆฌ่ช็sextortion๏ผๆง็่
่ฟซ๏ผใฎ่ฉๆฌบใกใผใซใๆฅใฆใใพใใ
ไปถๅ
้ซใฌใใซใฎๅฑ้บใใขใซใฆใณใใใใใญใณใฐใใใพใใใใใใซใในใฏใผใใๅคๆดใใฆใใ ใใใ
ๆฏ่พผๅ
3N1d4zihWWkLCRQA5S2iVamr7MMbEgQQq7
https://www.bitcoinabuse.com/reports/3N1d4zihWWkLCRQA5S2iVamr7MMbEgQQq7
|
2020-12-04 09:59:30 |
| 45 |
philofishal |
@howardnoakley MACOS_1373c52 is for an AdLoad variant. e.g. https://www.virustotal.com/gui/file/7e83221db0a6d3f89a3ccb9c7e2b9310d9856dec5e7e56b7bfce39cbc761003c/detection
|
2020-12-04 09:21:14 |
| 46 |
HeliosCert |
@HeliosCert
Sample analysed on #virustotal
VirusTotal-Score: 65
VirusTotal: https://www.virustotal.com/gui/file/f8ab8940fdcf249bf7cf2fde7f36f0ae5c4eac8d68344f7e9937e8eb0dce7619/detection/f-f8ab8940fdcf249bf7cf2fde7f36f0ae5c4eac8d68344f7e9937e8eb0dce7619-1581325665
Threat: Ransom_WCRY.SMALYM (TrendMicro)
|
2020-12-04 08:50:02 |
| 47 |
JAMESWT_MHT |
#quakbot #qbot #qakbot #signed "SHOECORP LIMITED"
Samples @ffforward
https://bazaar.abuse.ch/browse/tag/SHOECORP%20LIMITED/
C2๐ฝ๐ช@hatching_io
https://tria.ge/201204-asb3kj9nnx
@malwrhunterteam @FBussoletti @sugimu_sec @VK_Intel @Notwhickey @JRoosen @Jan0fficial @fr0s7_ @sec_soup @malware_traffic @dms1899 @guelfoweb https://twitter.com/JAMESWT_MHT/status/1334780369254625280/photo/1
|
2020-12-04 08:43:33 |
| 48 |
keweonOnline |
@IOitaliait removed this question from there Facebook page.
There App seems to be infected with a Trojan. Spyware and a Backdoor and they spread it to all Italian citizens.
https://www.virustotal.com/gui/file/c4ea2d04ac7de86c4be3a8e4a3b34ab379cce178de3d80ae4bbe7286fe05ac53/detection
@GooglePlay @Apple @ESETresearch
Can you double check this App please? https://twitter.com/keweonOnline/status/1334777606613463041/photo/1
|
2020-12-04 08:32:35 |
| 49 |
siri_urz |
.DEMON 42469BBD43954D8ED09B27899B25FFB0
BlackKingdom #Ransomware https://twitter.com/siri_urz/status/1334775963742314498/photo/1
|
2020-12-04 08:26:03 |
| 50 |
petrovic082 |
#Ransomware
https://app.any.run/tasks/cea5616d-ff0b-4026-919f-ca90921ab119/
notes
https://pastebin.com/raw/1kRkuJVE
|
2020-12-04 08:21:15 |