Tarnkappe.info · @tarnkappeinfo
2424 followers · 4840 posts · Server social.tchncs.de
abuse.ch :verified: · @abuse_ch
567 followers · 36 posts · Server ioc.exchange

URLhaus has been operational for over 5 years, notifying hosting providers + network operators about malware hosted in their network 🪲 It's a shame that some hosting providers ignore abuse reports, spreading malware for over four years 🤯

Here's our current 💩-list 👇

AS38841 kbro 🇹🇼, spreading :
🌐 urlhaus.abuse.ch/url/86646/

AS23520 Columbus Networks 🇧🇸, spreading :
🌐 urlhaus.abuse.ch/url/91891/

AS29873 Newfold Digital 🇺🇸, spreading :
🌐 urlhaus.abuse.ch/url/117832/

AS58955 Bangmod 🇹🇭, spreading :
🌐 urlhaus.abuse.ch/url/200073/

#Hajime #formbook #emotet

Last updated 2 years ago

Today in our section on "unconventional delivery": archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. , or

You can recognize ARJ archives by their Magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

As an example we dug up a sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common trick, e.g. .pdf.exe

IoCs for those playing along at home:
162.0.223[.]13
kbfvzoboss[.]bid
alphastand[.]trade
alphastand[.]win
alphastand[.]top
➡️ /alien/fre.php

PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6

SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c

#malware #arj #agenttesla #formbook #GuLoader #lokibot #doubleextension #infosec #cybersecurity #blueteam

Last updated 2 years ago


-> RE_ AL HARAM MAKKAH PROJECT.msg
-> RFQ-4536789234.doc
-> sheiform2.1.exe
17f6df036368cca2f2edf4b44295bb02

#formbook

Last updated 2 years ago

Tarnkappe.info · @tarnkappeinfo
1901 followers · 4141 posts · Server social.tchncs.de

Quick Tip 🛠️: Threat Actors like to use archiving tools for delivery to avoid and reduce file size. Today we spotted a .ace Archive containing . This technique is not new and also occasionally used for , etc.

ACE is a proprietary, legacy compression format. Unpacking these archives is dependent on the ACE version, e.g. "unace" v1.2 cannot handle ACE 2.0. We recommend github.com/droe/acefile by @droe if you ever come across such a file (see screenshots below).

FormBook

Files:
Archive e91b62f7952825d6a87775166301d018
Executable d539fcc11b4f5b96a1d89928f1ef87e7

C2:
allthekey[.]com
mgconsultantlogistics[.]com
bonaccorso[.]online
vowlashes[.]co[.]uk

#malware #detection #formbook #infostealer #agenttesla #redline #ioc

Last updated 2 years ago
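The ARJ post above (magic 60 EA, ARJ --> RAR --> EXE chain, .PDF.exe lure) and the ACE post (extraction depends on the ACE version) describe the same triage steps a mail-gateway or sandbox script would do. The following is an added example written for this page by the editor; it is not code from Tarnkappe.info, abuse.ch or acefile. It identifies the container by magic bytes, reads the "version needed to extract" byte from ARJ and ACE main headers, and flags double-extension names. The header offsets are the editor's reading of the public ARJ technote and of the ACE main-header layout that acefile documents; the sample header bytes are constructed, not real malware, and the list of "suspicious" kinds is an assumption for the mail-attachment context.

```python
# Added example (editor's, not from the posts): container triage for mail
# attachments. Offsets: ARJ main header byte 6 = minimum version to extract;
# ACE main header = crc(2) size(2) type(1) flags(2) "**ACE**"(7) then
# eversion(1) cversion(1). Both are the editor's reading of the public specs.

# (offset, magic bytes, label)
MAGICS = [
    (0, b"\x60\xea", "arj"),              # ARJ header id, as noted in the post
    (7, b"**ACE**", "ace"),               # ACE magic sits after a 7-byte prefix
    (0, b"Rar!\x1a\x07", "rar"),          # RAR 4.x and 5.x share this prefix
    (0, b"PK\x03\x04", "zip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"MZ", "pe"),
]


def container_kind(data: bytes) -> str:
    """Return the label of the first magic that matches, else 'unknown'."""
    for off, magic, label in MAGICS:
        if data[off:off + len(magic)] == magic:
            return label
    return "unknown"


def arj_min_version(data: bytes) -> int:
    """ARJ main header byte 6: minimum archiver version needed to extract."""
    if container_kind(data) != "arj" or len(data) < 7:
        raise ValueError("not an ARJ archive")
    return data[6]


def ace_versions(data: bytes):
    """ACE main header bytes 14/15: (version needed to extract, version that
    created it). acefile uses 10 for ACE 1.0 and 20 for ACE 2.0, so an
    extract version of 20 is the case the post says unace 1.2 cannot open."""
    if container_kind(data) != "ace" or len(data) < 16:
        raise ValueError("not an ACE archive")
    return data[14], data[15]


# Extensions a lure wants the victim to believe, and what actually runs.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "eml", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}


def double_extension(name: str) -> bool:
    """True for 'INVOICE.PDF.exe'-style names: a document-looking inner
    extension followed by an executable outer extension."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS


def triage(name: str, data: bytes) -> dict:
    """One verdict per attachment. Treating ARJ/ACE/PE as suspicious in mail
    is the editor's assumption, following the posts' observation that these
    legacy containers are used precisely because they are unusual."""
    kind = container_kind(data)
    note = ""
    if kind == "arj":
        note = "arj, needs archiver >= v%d" % arj_min_version(data)
    elif kind == "ace":
        ev, cv = ace_versions(data)
        note = "ace, extract version %d (created by %d)" % (ev, cv)
    dbl = double_extension(name)
    return {
        "name": name,
        "kind": kind,
        "note": note,
        "double_extension": dbl,
        "suspicious": dbl or kind in ("arj", "ace", "pe"),
    }


# Constructed sample headers (not real malware), just enough to exercise the parsers.
ARJ_SAMPLE = b"\x60\xea" + b"\x1e\x00" + b"\x16" + b"\x0b" + b"\x01" + b"\x00" * 24
ACE_SAMPLE = b"\x00\x00\x31\x00\x00\x00\x00" + b"**ACE**" + b"\x14\x14" + b"\x02\x00" + b"\x00" * 20

if __name__ == "__main__":
    print(triage("invoice.eml.arj", ARJ_SAMPLE))
    print(triage("quote.ace", ACE_SAMPLE))
    print(triage("SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe", b"MZ\x90\x00"))
```

The magic check deliberately runs before any extension check: the posts' samples rely on the victim trusting the name, so the verdict should come from the bytes and only be strengthened by the name.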

Colin Cowie · @th3_protoCOL
607 followers · 143 posts · Server infosec.exchange

Day 3️⃣ of : Detecting OneNote files

🔗 github.com/colincowie/100DaysO

In December Trustwave reported on OneNote being used to drop
- trustwave.com/en-us/resources/

Today's rule is designed to just detect OneNote files. In the future I'll expand on this to start detecting suspicious OneNote files

#100DaysofYARA #formbook

Last updated 2 years ago
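The post above stops at recognising a OneNote file and defers "suspicious OneNote" to later. The following is an added example written by the editor for this page, not the author's YARA rule and not code from his repository. It matches the same 16-byte section-file header GUID at offset 0 that a YARA rule would, then goes one step further and carves embedded payloads out of FileDataStoreObject records, the structure a OneNote lure uses to carry the dropped executable or script. The record layout (guidHeader 16, cbLength 8, unused 4, reserved 8, FileData, guidFooter 16) is the editor's reading of MS-ONESTORE; the GUID byte order, the file-type table and the set of "suspicious" kinds are assumptions, and the sample .one bytes are constructed, not a real document.

```python
# Added example (editor's, not the post's rule): OneNote detection plus
# carving of FileDataStoreObject payloads. GUIDs are serialised little-endian
# per the editor's reading of MS-ONESTORE; constants below are assumptions.
import struct

ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")    # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HDR_LEN = 16 + 8 + 4 + 8   # guidHeader + cbLength + unused + reserved


def is_onenote(data: bytes) -> bool:
    """What a 'detect OneNote files' YARA rule checks: the header GUID at offset 0."""
    return data[:16] == ONE_MAGIC


def carve_embedded(data: bytes) -> list:
    """Scan for FileDataStoreObject headers; return (offset, payload, footer_ok).
    Scanning rather than walking the object tree keeps this robust against
    damaged or deliberately malformed files, at the cost of false hits in
    random data (the footer check catches most of those)."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_HDR_LEN <= len(data):
        (cb,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HDR_LEN
        payload = data[start:start + cb]          # truncated if cb lies about the size
        footer_ok = data[start + cb:start + cb + 16] == FDSO_FOOTER
        found.append((pos, payload, footer_ok))
        pos = data.find(FDSO_HEADER, start + len(payload))
    return found


def classify_payload(p: bytes) -> str:
    """Rough type guess for a carved payload (editor's own table)."""
    if p[:2] == b"MZ":
        return "pe"
    if p[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2"
    if p[:4] == b"PK\x03\x04":
        return "zip"
    if p[:4] == b"%PDF":
        return "pdf"
    if p[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if p[:3] == b"\xff\xd8\xff":
        return "jpeg"
    head = p[:1024].lower()
    if b"<script" in head or b"<hta:application" in head:
        return "hta/html"
    if b"wscript" in head or b"powershell" in head or b"cmd /c" in head:
        return "script"
    return "other"


# Images are normal in notes; anything runnable or a further container is not.
SUSPICIOUS_KINDS = {"pe", "ole2", "zip", "hta/html", "script"}


def triage_onenote(data: bytes) -> dict:
    """Detection verdict: is it OneNote, what is embedded, is any of it runnable."""
    if not is_onenote(data):
        return {"onenote": False, "embedded": [], "suspicious": False}
    kinds = [classify_payload(p) for _, p, _ in carve_embedded(data)]
    return {"onenote": True, "embedded": kinds,
            "suspicious": any(k in SUSPICIOUS_KINDS for k in kinds)}


def build_fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject record; used only to construct the sample."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


# Constructed sample, not a real .one file: header GUID, filler, a PNG stub and an MZ stub.
SAMPLE_ONE = (ONE_MAGIC + b"\x00" * 64
              + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
              + b"\x00" * 16
              + build_fdso(b"MZ\x90\x00" + b"\x00" * 28))

if __name__ == "__main__":
    print(triage_onenote(SAMPLE_ONE))
```

A benign note with a pasted screenshot yields `embedded: ["png"]` and stays unflagged; the MZ record is what turns the verdict suspicious, which is the split the post says the future rule should make.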

Br3akp0int · @Br3akp0int
14 followers · 3 posts · Server infosec.exchange

trying to learn binref.github.io/#refinery.hex tool. :) this tool is awesome

good starting example is decoding simple string obfuscation of

#formbook #int3 #malwareanalysis #reverseengineering

Last updated 2 years ago


ITSEC News · @itsecbot
687 followers · 32461 posts · Server schleuss.online