Discover and read the best of Twitter Threads about #malspam
And some hot #zepplin zip -> js coming in... care out there...

#malspam subject: docs

app.any.run/tasks/66da55ab…
exe drop:

https://erzurum[.]us/65376345273497600381/tjTyjrjywrdmJoaaenvF/123/storm.exe
And additional drops:

https://provantagemtn[.]co[.]za/cgg/65376345273497047251/storm.exe

https://quickdrive[.]ae/uploads/2020/storm.exe

https://trgn[.]us/65376345273497600381/tjTyjrjywrdmJoaaenvF/storm.exe
#ZLoader #malspam with .xls attachments.

Downloader URLs:
hxxp://merter.shop/wp-keys.php
hxxp://pasca.fapet.ub.ac.id/wp-keys.php
hxxp://pick20shop.shop/wp-keys.php
hxxp://posviat.ru/wp-keys.php

XLS sample:
app.any.run/tasks/798ee109…
#ZLoader C2s (1/2):
hxxp://draminski-retail.eu/wp-parsing.php
hxxp://duanyong.top/wp-parsing.php
hxxp://eternalstarculture.com/wp-parsing.php
hxxp://gh99.cn/wp-parsing.php
hxxps://nalighpicseracha.tk/wp-parsing.php
hxxp://glossy.vn/wp-parsing.php
#ZLoader C2s (2/2):
hxxp://jiangchi.name/wp-parsing.php
hxxps://roeslidegeralic.gq/wp-parsing.php
hxxp://mawi.io/wp-parsing.php

DLL sample:
app.any.run/tasks/db4d0953…

IOCs also posted here:
pastebin.com/Jq35F99q

cc @JAMESWT_MHT
#ZLoader #malspam campaign with .xls attachments:

app.any.run/tasks/b58e610b…

Downloader URLs:

hxxps://wireborg.com/wp-keys.php
hxxp://zmedia.shwetech.com/wp-keys.php
hxxps://datalibacbi.ml/wp-keys.php
hxxps://procacardenla.ga/wp-keys.php

Redirect to DLL located at:

gueberzehngemoonde[.]tk
#ZLoader C2s:

hxxps://neomithirdseman.tk/wp-parsing.php
hxxps://fernmasucsavidi.cf/wp-parsing.php
hxxps://wireborg.com/wp-parsing.php
hxxps://secretele-naturii.xyz/wp-parsing.php
hxxps://legendcoder.com/wp-parsing.php
hxxps://tiilearaphefanpa.gq/wp-parsing.php
hxxps://sutoverlaopers.tk/wp-parsing.php
#ZLoader IOCs also listed here:
pastebin.com/TutiU3FW
Current scam targeting political campaigns. Not sure if it's purely a financial scam or if the links might include malspam. Campaign receives an ominous email saying its campaign web domain will expire if it is not immediately renewed. #malware #spam #malspam #infosec #elections2020
Clicking on the bit(.)ly URL-shortened link takes the user through a JavaScript redirect chain & likely redirects depending on a variety of factors (victim fingerprinting) to another site. Here the user lands on domainremit(.)com #malware #spam #malspam #infosec #elections2020
Here the user is asked to enter their information and eventually enter online payment information. The thing is, the domain in question was NOT in danger of expiring & the language is clever by saying "search engine registration" #malware #spam #malspam #infosec #elections2020
#netwire #malspam
URL(https): /www.mediafire.com/file/vx5sbtlu05a1ge3/t%25E0i_li%25u1EC7u_chuy%25u1EC3n_ph%25E1t_nhanh.7z/file
VT: virustotal.com/gui/file/1f6ba…
C2: 79.134.225.80:3360(tcp)
@James_inthe_box @malwrhunterteam @58_158_177_102 @ps66uk @JayTHL @FewAtoms @HazMalware
#netwire again with different hash
URL(https): /www.mediafire.com/file/92vs4hqs16rm5gs/INVOICE_FOR_NEW_ORDER.7z/file
VT: virustotal.com/gui/file/cec3b…
@JayTHL @malwrhunterteam @James_inthe_box @58_158_177_102 @FewAtoms
Another C2:
/79.134.225.122:3360(tcp)
#formbook #malspam
Sender: info@bawzmaan-ss.com
Sub.: Proof of Remittance COPY/ACH
File: MT103_Fln_040919.exe
MD5: 18a7d2645840030752882037742e21ef
C2:
/www.joyhoundinc.com
/www.margaretminguy.com
/www.racooncity.net
/www.seastarways.com
/www.szahjw.com
/www.tp-hostel.com
Another C2:
/www.travelersintheworld.com
#malspam with #Ursnif
Sender: papanas@nimbra-solutions.eu
URL(http): /moodswingmusic.io/wp-content/uploads/2019/07/reds2.html
GET: /intrade-support.at:80
Callback: 66.181.168.248:80
VT: virustotal.com/gui/file/0188b…
@HazMalware
@executemalware @neonprimetime @James_inthe_box
All DNS queries:
/powerprivat.ru
/myip.opendns.com
/trading-secrets.ru
/resolver1.opendns.com
/vaslbnt.ru
/intrade-support.at
@cyb3rops
Same factura.js file with your comment in VT.
#malspam campaign from 2.11 delivers both #LokiBot and #azorult interchangeably, archived in ISO files.
Files are packed with a VB6 packer with a file size of 524 KB.
All C2 domains were active 31.10-2.11.
Sender: finances@ketmarine.nl
Subject: “Roxanne Heijt - Payment Swift Copy FYR”
#LokiBot #IOCs:
virustotal.com/#/file/71156ab… -> jadak[.]cf/minel/fre.php
virustotal.com/#/file/e7e002f… -> barzenkiyader[.]cf/Panel/five/fre.php
#AZORult #IOCs:
virustotal.com/#/file/f559f89… -> welcome2nov[.]ga/mine/index.php
virustotal.com/#/file/75ecba2… -> welcome2novv[.]gq/tuneshi/index.php
virustotal.com/#/file/12da76d… -> goodnovember[.]ml/denyo/index.php