David Ledbetter

@1ZRR4H @malwrhunterteam @JAMESWT_MHT @StopMalvertisin @James_inthe_box @pr0xylife @0xToxin @ankit_anubhav Fished Decoding these 1 at a time. Interesting strings for sandbox checks

@1ZRR4H @malwrhunterteam @JAMESWT_MHT @StopMalvertisin @James_inthe_box @pr0xylife @0xToxin @ankit_anubhav

Malware dirigido a empresas en Perú 🇵🇪 email > html > zip +password > vbs Descarga desde (#geofenced): /sunat-mail.xyz/2/ /easynsecureinvest.com/cobr/?id=1 Payloads/C2 desde: /gringox1.chickenkiller.com/g1/ +Header: UA-CPU Samples: bazaar.abuse.ch/browse/tag/gri… Sin atribución 🤔

@GelosSnake Well it is on 'reddit' so ..🤷‍♂️

Today I learned that there is an AK-103. reddit.com/r/MilitaryPorn…

As others have mentioned, the "presidents" #qakbot #qbot distribution (obama221) is back to using "DLL Search Order Hijacking" today (see screenshot). Here are the IOCs: github.com/executemalware…

Anyone seeing #Socgholish using localsys-shield[.]com today?

#IcedID mixing it up today with CHM files BotID: 1609463178 Loader C2: trolspeaksunt\.com pw-protected, zipped ISO attachments tria.ge/221114-xg9eaad… bazaar.abuse.ch/sample/0306e59…

@c_APT_ure you can bck up most of the stuff, but If I remember correctly it doesn't do the DM's thoguh. I've done 2 backup's since i've been here

Is there a „Google takeout“ on Twitter? I wish I could just backup all content shared on here for the past 12 years 🙄

@t3ft3lb It looks like the site is down already. Is there a hash for what it downloaded ?

@t3ft3lb Ok thanks. I'll have to download this and take a closer look at the shellcode. Looks interesting.

#APT #Donot Malicious RTF file "ProtocolUpdate.doc" (MD5: 53dfa7deb28e449bbb20c7ad27aeefb6) virustotal.com/gui/file/47d85… Template URL: http://encureyou[.]buzz/QuINNYN6nvc9ZFW6/A04ih06yN8255rXL.php Metadata: ModifyDate & CreateDate - 2022:07:29 13:56:00 rtf -> macro -> shellcode -> dll

@hacks4pancakes I have several people that I have DM'd with and the DM's have disappeared but I'm not sure how they do it.

@Cryptolaemus1 I was waiting for a 'Ivan Season' to pop up.. 🤷‍♂️

Guess Ivan went hunting or something. Nothing happening on the botnets E4 or E5 in the way of distro/spam. Some modules and loader updates came down though earlier this morning. Will keep everyone posted. Qakbot BB/TR Distro is back heavy today though... 🤔Must be Duck Season.

@ankit_anubhav @1ZRR4H @Max_Mal_ @pr0xylife @0xToxin @Gi7w0rm I think my tool got it right. (Still a work in progress) It is just like all of those document links that download the rtf's with the Shellcode I wrote about here. inquest.net/blog/2022/08/2… There are a constant change of urls but they are abuse the "@" function.

Open this in chrome, this would open rick roll video for you. http://google.com@1157586937 This hiding of IP in plain sight by converting it to decimal value is also abused by #Smokeloader campaign , which is arriving via hacked sites. Payload lies in the "contract" folder.

I added my solution for the Task 8: hshrzd.wordpress.com/2022/11/12/fla… // #FlareOn9

@t3ft3lb I have not had time to look at this one yet 🤔 Just from the screenshots you got the "External Link/Template" I'll have to see what it downloads

@Ledtech3 But you could share your findings anyway.

@jms_dot_py Morning...☕️

*sips coffee* morning!

@jms_dot_py @lockdownurlife In that case.. (Thought I missed it) Morning... ☕️ 🤷‍♂️

@lockdownurlife hahaha I forgot my morning coffee message.

*sips…* shit!

@sherrod_im Um ... ✋..... never mind.. 😳

The consensus seems to be that InfoSec twitter is gone to other platforms. Does this mean I should convert my twitter to just sex and dating stories? Cause… 💥

@UK_Daniel_Card looks like a busy IP abuseipdb.com/check/80.66.76…

these two fuckers are costing me logging money!

@bryceabdo Make sure that is screenshots of the Sha-256 Hashes..

i will now only be disseminating threat intel and IOC’s in the format of screenshots of sha256 hashes and domains on a private Mastodong server

@Rumsfeld86 @Bandrel Ok i can't help myself 🤷‍♂️