jamesinthebox.bsky.social
If you've been dealing with these janky downloaders ("pdfs" if you MiTM the TLS), these have been #darkcloud #stealer so far:

app.any.run/tasks/925ce6...

Look for:
vbs file
showip\.net
LoginData
WebData
keyDBPath.db
in the run and

StrFtpServer
DCS V

in the dmp file
March 5, 2025 at 10:34 PM
Some fresh (and I can't believe I'm typing this) #lokibot:

app.any.run/tasks/054d7a...

c2: http:// touxzw\.ir/fix/five/fre.php
Analysis Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe (MD5: 5A4FC3780CFC0527D12D8BB5134A81F5) Malicious activity - Interactive analysis ANY.RUN
March 5, 2025 at 2:20 PM
A csv formatted list of #malspam campaigns that crossed my path in February to include #malware name, c2, hash, subject, and email exfil addresses:

gist.github.com/silence-is-b...

#retrohunt
March 3, 2025 at 8:31 PM
Huh...first time I've seen threat actors using @ThinkstCanary:

https:// assistance-newton-adam-indiana.trycloudflare\.com
February 26, 2025 at 3:17 PM
Badness at:

144.91.79.54/10022025/

app.any.run/tasks/70b515...

Ultimately #darkcloud (the txt file); c2 juguly\.shop
February 26, 2025 at 3:03 PM
If you're not blocking trycloudflare\.com at the perimeter, now's the time: #opendir's:

https:// em-ash-announcements-alpha.trycloudflare\.com/1DSAHJKSA/ ->
https:// did-efficiency-than-lenses.trycloudflare\.com ->
https:// reached-theoretical-regular-impact\.trycloudflare.com
February 20, 2025 at 2:34 PM
February 17, 2025 at 5:51 PM
http:// account\.empireaccelerate.com:9200/empire_account/account/account.do 🤨
February 12, 2025 at 10:10 PM
When the threat actor REALLY wants it to run... #venomrat c2:

176.65.142.172:4449
February 7, 2025 at 2:23 PM
A csv formatted list of #malspam campaigns that crossed my path in January to include subjects, hashes, c2's, #malware type, and email exfil addresses:

gist.github.com/silence-is-b...

#retrohunt
February 3, 2025 at 4:36 PM
When #windows decides it's had enough of you blocking its update/telemetry processes (going to wd-prod-cp-us-west-2-fe\.westus.cloudapp.azure.com) and just yeets out the lookup over #netbios 🤷
February 2, 2025 at 12:50 PM
A fairly sizable distributed port scan (all source port 19000) about 30 minutes ago; raw logs and sources here:

gist.github.com/silence-is-b...
January 24, 2025 at 5:16 PM
If you're....you know...bored...

app.any.run/tasks/365f89...
January 23, 2025 at 8:30 PM
#webshell #opendir #netsupport #rat at:

https:// appointedtimeagriculture\.com/wp-includes/blocks/post-content/

GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA
January 22, 2025 at 10:20 PM
As much as I was excited about #telegram cooperating with LE...I haven't noticed much of a change:

app.any.run/tasks/694cb9...
January 16, 2025 at 2:34 PM
#opendir at:

https:// superior-somalia-bs-leisure.trycloudflare\.com ->
http:// jsnybsafva\.biz:8030
January 9, 2025 at 2:52 PM
A late (due to holiday vacation) and sparse csv formatted list of #malspam campaigns that crossed my path in December to include subjects, #malware, hashes, c2's, and email exfil addresses:

gist.github.com/silence-is-b...

#retrohunt
January 6, 2025 at 5:25 PM
An #expiro (believe it or not) dropping #xloader

app.any.run/tasks/43f807...

fake c2 and campaign:
http ://www.sunnyz.store/px6j
Analysis MA-DS-2024-03 URGENT.exe (MD5: B5C0BC1CA5223C4B18328235497A2EF6) Malicious activity - Interactive analysis ANY.RUN
December 10, 2024 at 5:08 PM
Interesting use of @Formstack as an interactive landing page for a #ms365 #phish:

https:// bilykfilms .com/m/

is the site.
December 5, 2024 at 6:03 PM
An unsurprisingly light csv formatted list of #malspam campaigns that crossed my path in November to include subjects, #malware type, hashes, c2's and email exfil addresses:

gist.github.com/silence-is-b...

#retrohunt #infosec #cybersecurity
December 2, 2024 at 4:23 PM
A curious js file...
app.any.run/tasks/112848...
November 27, 2024 at 10:48 PM
...nice place you got here...
November 14, 2024 at 8:48 PM