RedDrip Team

476 posts

RedDrip Team

@RedDrip7

Technical Twitter of QiAnXin Technology, leading Chinese security vendor. It is operated by RedDrip Team which focuses on malware, APT and threat intelligence.

เข้าร่วม Nisan 2018

29 กำลังติดตาม16.6K ผู้ติดตาม

ทวีตที่ปักหมุด

RedDrip Team@RedDrip7·5 Ara

#APT_Digital_Weapon We have categorized #IOCs, mostly #APT related, from public resources and sample details are available on #VT. The #GitHub project will keep updated and hope to help the security community fight against malware and targeted attack. github.com/RedDrip7/APT_D…

English

126

214

RedDrip Team@RedDrip7·1d

#Malware #SmartLoader disguised using OpenClaw-related topics Threat actor built malicious Github repo on the basis of a legimate one. Report: mp.weixin.qq.com/s/q-86GR8g_p3N… hxxp://89.169.12[.235/api/ hxxp://213.176.73[.145/api/ hxxp://213.176.73[.162/api/

English

2.3K

RedDrip Team@RedDrip7·3d

#Malware #DCRAT JS -> powershell extracts loader from remote JPEG -> loader gets DCRAT from Github ("albaluzzgom-byte/032026666") 1bfed54ae970308843d0e55ee96eddd9 (js) 8159845a1821df1e5067703af2fa0fb8 (loader) 05aff2b6242e9b2618ade8d34178d46a (DCRAT) vps30002026.kozow[.com:3000

English

3.6K

RedDrip Team@RedDrip7·13 Mar

Related #APT malware (DLL written in Rust) 9a95078a7a5f1045c61fe95ab308ec3f a70e0e057bb9cc33913ca035fb3a1138 hxxps://support.cc-cvbs-sco.workers[.dev:443/api/analytics/collect hxxps://cms.bahria-edu.workers[.dev:443/api/analytics/collect

RedDrip Team@RedDrip7

Suspected #APT #Sidewinder VBA macros in .xls downloads EXE + malicous DLL (Rust trojan). Cloudflare workers domain is abused for C2 infra. 753bb1b5d8b879f478babb21ed4d9696 (xls) f310ee836f88cc43d3939f8a88b20495 (dll) *.goldibrowhoami.workers[.dev *.desco-gov-bd.workers[.dev

English

5.7K

RedDrip Team@RedDrip7·11 Mar

#APT #Bitter 3ee66f56461fc046f600230d11ebe731 (MSI) f57975b8bc1169b35ae17b975327195e (EXE) hxxps://99media.com[.]pk/scvz zoemagicbook[.]com

2.7K

RedDrip Team@RedDrip7·5 Mar

#APT #Lazarus #IoC d6296ad786e76b2dd1d7e6de897491d4 45[.]83.140.55:1244

Italiano

9.4K

RedDrip Team@RedDrip7·3 Mar

Related 7c5116f2412ebcbce7ab99ccfbb2a21a 79ca03e5f149f6cddfbc92262d3f6da9 officesite.onrender[.]com 8b9a7fec4bbb53bb7f9b8c673fd4ab52 mnjkuilhgftrew.baiduwebhost[.]com

1.6K

RedDrip Team@RedDrip7·3 Mar

Suspected #APT #Donot samples VBA uses plenty of comment statements to seperate malicious code which creates scheduled tasks and drops BAT files. cab89ee28820b38d1626806f9c1acb9f e5f0a8b4ab983a1457ec2b0a4bff89eb 04cce783b42af18f9208fe5527fa04a8 shop.gladiolus[.]live

English

4.7K

RedDrip Team@RedDrip7·27 Şub

#APT #Bitter trojan 8523f2ff3ff13e510a9bf75665562b3b ashersoftlib[.]com:44908

English

3.8K

RedDrip Team@RedDrip7·10 Şub

e3b8be98de37a64d72b20e71b92f7adb ("Rastriya satarkata kendra NIDEPT Audit Schedule.vhdx") 6b8efd4e7eb44f3149bbe23703a1efc2 ("CryptBase.dll")

Română

2.4K

RedDrip Team@RedDrip7·10 Şub

#APT #Bitter targeted Nepal. VHDX file contains hidden malicious DLL which creates a scheduled task named "VerifiedTaskMS". C2 domain is overlapped with previous campaign. www.joelgardens[.]com/gvb.php?uq=%username%_%computername%

RedDrip Team@RedDrip7

#APT #Bitter #IoC f04e4f5e197e47a89c406734c4c14a21 e828f8cacbe8df690a2e82410f307362 be1ff48fd155a44293c9b121c7735268 florabrocuisine[.]com oscarskatingcoach[.]com joelgardens[.]com

English

11.8K

RedDrip Team@RedDrip7·5 Şub

#APT #Bitter 5afab8e66a9c92c6818a90bee737353a ("Annexure-1.accdr") 6f572f39afa365b54c25929aaffde084 ("BTRC Meeting Notice.accdr") www.pinkrosesandmore[.]com/vbdfsbad.php?d=%username%_%computername% www.prolukemarion[.]com/ceszvd.php?d=%username%_%computername%

English

4.3K

RedDrip Team@RedDrip7·3 Şub

db52ad75d66ef6f4a76d3ea3c9fb214e ("%programdata%\\USOShared\\Logs\\User\\FlightConfig.dll") 35b83f9021299e4ba69eb000eac3ba46 ("%programdata%\\Microsoft\\DeviceSync\\8acd6e71-bf10-4800-aeee-7de00edc9781\\background.png")

English

RedDrip Team@RedDrip7·3 Şub

#APT Suspected #APT28 malware VBA in xls drops dll + png. Dll extracts shellcode from png and loads .NET trojan in memory. Trojan abuses Filen API as C2 channel. 575d6f5c4d098079c4e947b38aa774b5 ("Дані для зустрічі.xls")

112

8.6K

RedDrip Team@RedDrip7·30 Oca

#APT #Patchwork used Punjab PHATA application form as decoy LNK -> EXE + DLL -> BadNews trojan variant in memory a410d0169642afac5f1332867fdf4eaa (lnk) 051a3a3f6926642b1e9e85c75d367b13 (SAMLIB.dll) be38c3b2447204261c120cc7c29fa1ef (trojan PE) peeca[.site webmajic[.org

English

4.6K

RedDrip Team@RedDrip7·28 Oca

#APT #MysteriousElephant Related .NET backdoor 69e93946271cd7e3273129784d54a5f0 134.255.210[.]127:443

RedDrip Team@RedDrip7

#APT #MysteriousElephant targeted Pakistan and Bangladesh Decoy CHM files c463ae1ba749ad0b99a51c57cefa018b 6cd49dd6ce96c7bc92155850272b10e8 Backdoor 51b6300980982a20e1464831c21988d3 79a31fd09d2d327d5a816643ae2bbe4d 83.243.121[.]87:443 185.193.50[.]233:443

English

RedDrip Team@RedDrip7·23 Oca

#APT #Bitter "Economic Policy Advisory.accdr" 594335680b2f5f64d6c3b3a7997d1708 70237a7df7f72d98f7a90495661e7b90 www.crudestopics[.]com/hcfq.php?d=%username%_%computername%

Français

3.6K

RedDrip Team@RedDrip7·19 Oca

Related samples: b53aba6a17a156a865c62d84d7e0e367 ("CrowdStrike-Deployment-Status.xls") 90311c17ed09780d9a359a3d16c90252 (dll) *.netof66867.workers[.dev *.ahsaanullaahkhan.workers[.dev