Discover and read the best of Twitter Threads about #FlareVM

Most recents (1)

Profile picture
Steve
@stvemillertime
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 by @alac blog.alyac.co.kr/2089
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much a sandbox. How do you detect network C2 over PubNubApi?
Read 8 tweets

Related hashtags

#threathunting #dfir #PUBNUBRAT #FlareVM

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!