-
Subject: Sollecito di pagamento (Italian: "Payment reminder") - Received From: 93.46.44.198 - Attachment: 579486_sollecito_SOL20A4760324.xls - MD5 Hash: 99C177598FA892CB999816EF94E1D041
#Maldoc #Malware #CyberSecurity #ThreatIntel #InfoSec
-
#malspam #maldoc targets Italy: xls -> wmic -> PowerShell -> #Ursnif. xls: https://app.any.run/tasks/f5a6b13a-f9c6-4f59-adf3-de7373db6d0e/ Payload from: s://romaitaliacommerciale[.]site/etis?<UUID> (37.221.114[.]86). Ursnif: https://app.any.run/tasks/219ee59c-19e6-47d0-a742-6e10401bf0d8/
-
#Ursnif #malware #Italy
from #maldoc XLS > VBA > DLL. C2: 2020lhjfhf.]xyz 2020lplm.]xyz version=214112 server=12 id=2052 https://twitter.com/reecdeep/status/1224620543632125952?s=20 @VK_Intel @JAMESWT_MHT @James_inthe_box @merlos1977 @matte_lodi @Bl4ng3l #threatintel #threathunting #infosec #CyberSecurity pic.twitter.com/nImOXYw3J1
-
#Ursnif #malware targets #Italy
from #maldoc XLS > VBA > DLL hxxps://romaitaliacommerciale.site/etis?<GUID> romaitaliacommerciale].site milanoofficialfatt.]online barifattonumero[.pw officebuysell].pro @VK_Intel @JAMESWT_MHT @matte_lodi @merlos1977 #DFIR #cybersecurity pic.twitter.com/K3kdwNEWa6
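The indicators in this thread are defanged four different ways (`[.]`, `].`, `[.`, `.]`) plus `hxxps`, which makes them hard to feed into a blocklist or a search without hand editing. Below is an added example (my own code, not from any of the posters) that refangs that mix, pulls out the hostnames and IPv4 addresses, and re-defangs them in one canonical form for sharing. The sample text is constructed from indicator strings posted above; the assumption that `].` and `[.` are always half-typed defanging and never prose punctuation is noted in the code.

```python
import re

# Constructed sample built from indicator strings posted in this thread, with the
# same inconsistent defanging ("[.]", "].", "[.", ".]", "hxxps") the tweets use.
SAMPLE_TWEETS = """
hxxps://romaitaliacommerciale.site/etis?<GUID> romaitaliacommerciale].site milanoofficialfatt.]online barifattonumero[.pw officebuysell].pro
from #maldoc XLS > VBA > DLL c2: 2020lhjfhf.]xyz 2020lplm.]xyz
Payload from: s://romaitaliacommerciale[.]site/etis?<UUID>(37.221.114[.]86)
"""

# Every dot spelling seen in the thread. Assumption: "]." and "[." only ever occur
# here as half-typed defanging, never as prose punctuation such as "[1].".
_DEFANGED_DOT = re.compile(r"\[\.\]|\]\.|\[\.|\.\]")
# Hostnames need an alphabetic last label, so an IPv4 address never matches here.
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text: str) -> str:
    """Turn the thread's ad-hoc defanging back into real URLs and hostnames."""
    text = text.replace("hxxp", "http").replace("HXXP", "HTTP")
    return _DEFANGED_DOT.sub(".", text)


def defang(indicator: str) -> str:
    """One canonical defanging for storing or re-sharing an indicator."""
    indicator = indicator.replace("http", "hxxp")
    return indicator.replace(".", "[.]")


def extract_iocs(text: str) -> dict:
    """Refang, then collect unique hostnames and IPv4 addresses, sorted."""
    clean = refang(text)
    domains = {m.group(0).lower() for m in _DOMAIN.finditer(clean)}
    ips = {m.group(0) for m in _IPV4.finditer(clean)}
    return {"domains": sorted(domains - ips), "ips": sorted(ips)}


if __name__ == "__main__":
    # Print a blocklist-ready, consistently defanged view of the sample.
    for kind, items in extract_iocs(SAMPLE_TWEETS).items():
        for item in items:
            print(f"{kind:8} {defang(item)}")
```

The refang step runs before extraction on purpose: matching hostnames directly against the defanged text would miss `2020lhjfhf.]xyz` and split `romaitaliacommerciale].site` in two. Paths and query strings such as `/etis?<GUID>` are deliberately not captured, since the GUID is per-victim and useless as an indicator.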
-
#HTML > #MalDoc (macro). HTML: a5e91dcc988768fe55d10ba1ce6ebef8 (obfuscated JS) --> MalDoc: 3d64db988c898b9232863d1a31674c28 (sleeps ~5 min) --> hxxps://194.36.188[.]132/random.png @James_inthe_box
-
What kind of malware is dropped by this
#maldoc in Czech?
Is this the #ostap downloader? Subject: Připomenutí o splacení dluhu (Czech: "Reminder of debt repayment") FileName: F-44011156.doc https://www.virustotal.com/gui/file/fa9678e101c7985f03efff98ded8dde8ef2cc748dc8687b44787221b2a76f6f9/detection https://app.any.run/tasks/62f827f2-5502-4504-9ca0-2d306372b1b3
-
Kazakhstan bank themed
#maldoc, #macro on close, from hxxps://nationalbank.bz/Doc/Prikaz.doc. PS -> hxxps://wateroilclub.com/file/dwm.exe einmrmdmy.exe, 6/68 on VT (SSL) -> formixing[.]com. Not sure what this is, but it crashes in AnyRun, or appears to. AnyRun: https://app.any.run/tasks/de4
-
Interesting
#maldoc! doc -> Macro -> PowerShell -> Shellcode -> ?? https://app.any.run/tasks/6253182c-f554-4276-9f88-df619115bafd pic.twitter.com/NV7RSuhmWo
-
#maldoc doc -> Macro -> Unknown malware (C2 is overflowingmind[.]pw) https://app.any.run/tasks/572c47b1-7d2d-404d-9a1a-b310c5321db9 https://app.any.run/tasks/da7f0efc-ceaf-48d5-aece-7674b9e4e68e pic.twitter.com/RWu96172s7
-
Interested in learning how to debug macros or learn more about the structure of user forms? In my latest video, I show you how to use the Office IDE to debug a recent
#emotet #maldoc https://youtu.be/xcRPhm5iRdo pic.twitter.com/ALBIp7wq2Q
-
#brushaloader #malware #maldoc #PowerPoint targets #Italia
hxxps://vedaastrology.com/faktura.zip
POST to hxxps://panikolsos.]xyz
@JAMESWT_MHT @matte_lodi @James_inthe_box @malwrhunterteam @merlos1977 @VK_Intel #DFIR #infosec #cybersecurity #ThreatIntel #threathunting pic.twitter.com/80zMnbjwCe
-
#MuddyWater #APT compromised Advanced Ortho Center's website and uses a #maldoc (72e371542ad6fda96bb3fc3b1ee68d92) to communicate with the C2 server advanceorthocenter[.]com/wp-includes/editor[.]php. #opendir. Persistence in the System32 directory. pic.twitter.com/iQ0VgSUTVG
-
Low AV detection
#maldoc leverages hex-encoded content in the semantic layer to pivot to an Emotet/Trickbot payload hosted on GitHub. Initial sample: https://labs.inquest.net/dfi/sha256/c430b2b2885804a638fc8d850b1aaca9eb0a981c7f5f9e467e44478e6bc961ee 78 related samples found via context pivot: https://labs.inquest.net/dfi/search/ext/ext_context/67697468756275736572636F6E74656E742E636F6D2F6A6F686E646F657465 #YARA rule: https://github.com/InQuest/yara-rules/blob/master/Hex_Encoded_Powershell.rule
-
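The trick in the post above is that a command line or download host stored as a run of hex digits looks like nothing to a string scanner; the search pivot in that post is itself such a run (it decodes to `githubusercontent.com/johndoete`). The following is an added example, my own code and not InQuest's YARA rule, of the same detection idea in Python: find long even-length hex runs, try to decode them to printable ASCII, and flag decoded text that looks like a command or URL. The VBA-like sample is constructed; the first hex string is my own encoding of `powershell -nop -w hidden`, the second is the pivot string from the post, and the MD5 from earlier in this thread is included to show that hashes (hex, but not encoded text) are not reported. The keyword list is illustrative and is an assumption, not the rule's actual strings.

```python
import re

# Constructed VBA-like text modelled on the hex-in-document trick described above.
# The trailing MD5 is also hex but is not an encoded string and must not be reported.
SAMPLE_VBA = '''
Sub Workbook_Open()
    Dim cmd As String, host As String
    cmd = "706F7765727368656C6C202D6E6F70202D772068696464656E"
    host = "67697468756275736572636F6E74656E742E636F6D2F6A6F686E646F657465"
    ' sample hash: 99C177598FA892CB999816EF94E1D041
End Sub
'''

# Keywords whose presence in a decoded run is worth an alert.
# Assumption: this list is illustrative, not the InQuest rule's actual strings.
SUSPICIOUS_MARKERS = ("powershell", "http", "githubusercontent", "invoke-", "iex", "-nop")


def find_hex_runs(text: str, min_bytes: int = 16):
    """Yield (hex, decoded) for every even-length hex run of at least min_bytes
    bytes that decodes to printable ASCII. Hashes and GUID fragments usually
    contain bytes above 0x7F and fail the decode step, so they are skipped."""
    pattern = re.compile(r"(?:[0-9A-Fa-f]{2}){%d,}" % min_bytes)
    for m in pattern.finditer(text):
        raw = bytes.fromhex(m.group(0))
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if decoded.isprintable():
            yield m.group(0), decoded


def is_suspicious(decoded: str) -> bool:
    """True when the decoded text carries a command or download marker."""
    low = decoded.lower()
    return any(marker in low for marker in SUSPICIOUS_MARKERS)


def scan(text: str, min_bytes: int = 16) -> list:
    """One dict per decodable hex run, flagged when it looks like a command or URL."""
    return [
        {"hex": h, "decoded": d, "suspicious": is_suspicious(d)}
        for h, d in find_hex_runs(text, min_bytes)
    ]


if __name__ == "__main__":
    for hit in scan(SAMPLE_VBA):
        flag = "ALERT" if hit["suspicious"] else "info "
        print(f"{flag} {hit['decoded']!r}")
```

The 16-byte minimum keeps short hex constants (colour values, small integers) out of the results, and the printable-ASCII filter does most of the work of separating encoded strings from hashes; lowering `min_bytes` trades fewer misses for more noise. Run it over text extracted from the document (for instance olevba output), not over the raw OLE/OOXML bytes, because the hex string must be contiguous to match.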
#ursnif #Gozi #malware #geofenced #italy
#malspam #maldoc h/t @JAMESWT_MHT hxxps://chucelo.fun/nuf[.php<GUID> https://app.any.run/tasks/42beb273-323f-4b4a-9896-c0f9643793e7 C2: hxxp://oeurhbf[.xyz #ThreatIntel #infosec #CyberSecurity #PowerShell @James_inthe_box @matte_lodi @merlos1977 @VK_Intel @luc4m pic.twitter.com/dr4WnLXShM
-
Found this
#maldoc on AnyRun https://app.any.run/tasks/b91da4d8-e3b0-4ad1-a541-647ffd0fd049 It starts notepad.exe in the background, and I think it injects a coinminer throttled to 50% CPU. pic.twitter.com/4nzZCkNeHm
-
#maldoc "SOC report 10 22 2019.doc": fake Security Operations Center (SOC) report attack. Sample uploaded on 2019-10-21, so maybe the attack starts on 10-22. Test sample name: Maldoc3 (1), submitted from the US. IOC list: https://github.com/blackorbird/Black-IOC/blob/master/2019-10-22.txt pic.twitter.com/oPRkqEOSqA
-
Did you know that you can protect your VBA code in MS Office documents from being viewable? Here's a walkthrough from our very own Carrie Roberts! https://bit.ly/2SmvqBs
#Security #Maldoc @OrOneEqualsOne pic.twitter.com/9rg1467Pyp
-
#encrypted #maldoc dropping #trojan #loda. VT: 0/54. C2: http://faith.dns-cloud.net port 5000 (C2 is down). Password: 201908 https://app.any.run/tasks/9654615e-a7d4-4f08-b29a-3a05d7012646 @James_inthe_box @JAMESWT_MHT @luc4m @malwrhunterteam @JayTHL @DrunkBinary @P3pperP0tts @pollo290987 @JRoosen @lazyactivist192 pic.twitter.com/sucpLIxKHv
Our
Thanks to the whole Twitter community for spreading information and fighting these campaigns!