I also received a handful of #emotet (E4) emails today. I saw traffic to the same C2 as yesterday. Here are the IOCs: github.com/executemalware…

Saw a couple of Emotet messages land here this afternoon. First from this recent revival. Thread hijacking. XLM4.0 maldoc attachment. Epoch4 botnet. Sample: tria.ge/221104-m3qtyse…

Noticed an interesting registry export with powershell loader working completely on data stored in the registry Reg export hastebin.com/jadunepoke.pro… Sample virustotal.com/gui/file/67021…

anyone know of companies hiring director level folks? ideally mobile/web work? i have a good friend looking and he'd be an epic hire.

[UPDATE] Here's a #maldoc with (still) live C2 that is quite evasive and shows the detection capability ex-OSINT. Download URL has a "ski" gTLD. Download the sample with a user account (it's not on VT) for free: filescan.io/uploads/636586… // #DFIR #malware #analysis

🏭 In May, SentinelLabs has investigated a supply-chain attack against the Rust development community that we refer to as ‘CrateDepression’. Learn more sentinelone.com/labs/cratedepr… SentinelLabs #infosec #cybersecurity #supplychain

#TA551 HTML Attachments incoming ID 1559130321 #IcedID Loader C2: anisamnatyrel\.com bazaar.abuse.ch/sample/8df3333… tria.ge/221107-whz2kaa…

Also an few #Emotet today. James proxylife Ne0ne | Igal 0n3 Cryptolaemus Joe Roosen All of the sheets are visible in this one and each is the same as sheet 1? Did Ivan do a drunk again? tria.ge/221107-xd7raac…

#Bumblebee HTML Attachments rolling in. general pattern: Document_[0-9]{4]_Scan_(Nov8)\.html Looks like some updated evasion in this sample. bazaar.abuse.ch/sample/99deeff…

new Emotet E5 urls detected. [DLL] (1/2) hxxp://www[.]muyehuayi[.]com/cmp/8asA99KPsyA/v6lUsWbLen/ hxxps://wijsneusmedia[.]nl/cgi-bin/kFB/ hxxp://concivilpa[.]com[.]py/wp-admin/i3CQu9dzDrMW/

Here are some #icedid #bokbot IOCs from today. Arrived via email with a password protected .zip file attachment. github.com/executemalware…

Malware dirigido a empresas en Perú 🇵🇪 email > html > zip +password > vbs Descarga desde (#geofenced): /sunat-mail.xyz/2/ /easynsecureinvest.com/cobr/?id=1 Payloads/C2 desde: /gringox1.chickenkiller.com/g1/ +Header: UA-CPU Samples: bazaar.abuse.ch/browse/tag/gri… Sin atribución 🤔

New #socgholish stage 3 C2 seen today. Block all *[.]rate[.]coinangel[.]online .

so, #FlareOn9 is over! congrats to all the finishers! you can find some of my solution here: hshrzd.wordpress.com/tag/flareon9/ (work-in-progress, I will be adding more)

I added my solution for the Task 8: hshrzd.wordpress.com/2022/11/12/fla… // #FlareOn9

Anyone seeing #Socgholish using localsys-shield[.]com today?

#IcedID mixing it up today with CHM files BotID: 1609463178 Loader C2: trolspeaksunt\.com pw-protected, zipped ISO attachments tria.ge/221114-xg9eaad… bazaar.abuse.ch/sample/0306e59…

As others have mentioned, the "presidents" #qakbot #qbot distribution (obama221) is back to using "DLL Search Order Hijacking" today (see screenshot). Here are the IOCs: github.com/executemalware…