Brad

2020-02-03 - #malspam with attachment for #Emotet epoch 2 - Paste of headers/message text: https://pastebin.com/aQZn1dmn  - Pastebin raw: https://pastebin.com/raw/aQZn1dmn  - Sandbox analysis of Word doc: https://app.any.run/tasks/13a73aba-e252-4c6b-bd08-9a0873efb55d …pic.twitter.com/lFeCudMQJG

2020-02-03 - #malspam pushing #Qbot (#Qakbot) - email spoofed a Gmail address from a mailbox on a lab host I infected last year - The message is completely made up - Paste: https://pastebin.com/errfGxRE  - Pastebin raw: https://pastebin.com/raw/errfGxRE  - Sandbox analysis: https://app.any.run/tasks/4ace2530-6150-4e12-8796-f2b84fe00406 …pic.twitter.com/MutzPv4gBv

2020-02-03 - #Trickbot gtag ono29 - from PDF attachments in emails: Example of the PDF attachment available at: https://app.any.run/tasks/8a60dd51-7760-494c-8e6c-aaff0fef0446/ … - Link in PDF file --> password-protected zip archive (password in PDF message text) --> Trickbot EXE disguised as some sort of document/reportpic.twitter.com/zJFnsFHUmJ

2020-02-03 - #Trickbot EXE files from URLs ending in ".png" - caused by Trickbot's mshareDll/mwormDll/TabDll modules - Paste of info: https://pastebin.com/j7jPxYaF  - Pastebin raw: https://pastebin.com/raw/j7jPxYaF pic.twitter.com/L1eGZMBMpu

Don't forget registration for training classes at @BSidesTampa 2020 on Friday, Feb 28th (the day before the conference proper on Saturday Feb 29th) - Link: https://isc2tampa.regfox.com/b-sides-tampa-training-class … - My full-day workshop is at the end of the list - You'll have a great time at any of these classes!pic.twitter.com/AQ8dCthI37

D'oh! I got everything else right except for the picture... Thanks, @Ledtech3, for the DM letting me know about this!pic.twitter.com/YV8JYzH2mj

2020-01-30 - Traffic Analysis Exercise: Sol-Lightnet - You get a #pcap and a list of alerts - You're asked to write an incident report - Join the fun at: https://malware-traffic-analysis.net/2020/01/30/index.html … - #TrafficAnalysisExercisepic.twitter.com/cxVFZvOqvK

2020-01-29 - #Qbot (#Qakbot) infection - #pcap of the infection with the associated malware/artifacts, and a list of IOCs available at: https://www.malware-traffic-analysis.net/2020/01/29/index.html …pic.twitter.com/8chonLfUPW

2020-01-27 - #Trickbot EXE files from URLs ending in ".png" caused by Trickbot's mshareDll/mwormDll/tabDll modules - Paste of info: https://pastebin.com/YxFc5dgG  - Pastebin raw: https://pastebin.com/raw/YxFc5dgG pic.twitter.com/noEG4Suaxu

2020-01-24 - Italian #malspam pushes #Ursnif - 4 email examples, a #pcap of the infection traffic, the associated malware/artifacts, and some IOCs available at: https://malware-traffic-analysis.net/2020/01/24/index.html …pic.twitter.com/0ntfDSMfBp

Of note, I've noticed this German #malspam on Tuesday 2020-01-21 (info_01_21.doc), Wednesday 2020-01-22 (info_01_22.doc), and Thursday 2020-01-23 (info_01_23.doc) - Will it continue tomorrow on Friday 2020-01-24? - We will soon find out!pic.twitter.com/Jo4tJC0uBA

2020-01-23 - German #malspam pushes #Ursnif - 4 email examples, a #pcap of the infection traffic, the associated malware/artifacts, and some IOCs available at: https://www.malware-traffic-analysis.net/2020/01/23/index.html …pic.twitter.com/cpDnDXBwJB

2020-01-22 - Quick post: #Hancitor infection with #Ursnif - example of the #malspam, a #pcap of the infection traffic, and the associated malware available at: https://www.malware-traffic-analysis.net/2020/01/22/index.html …pic.twitter.com/i2eoj1gCgN

2020-01-23 - I wasn't able to get a #Hancitor infection today, but I got one on Tuesday 2020-01-21 with #CobaltStrike - You can find a #malspam example, #pcap of the infection, associated malware/artifacts, and some IOCs at: https://www.malware-traffic-analysis.net/2020/01/21/index2.html … - Better late than neverpic.twitter.com/WKnQayG4yk