DerekT2
@malz_intel
Tweets are mine. Intel junkie
ID:1124700872708173825
04-05-2019 15:42:38
125 Tweets
322 Followers
111 Following
#more_eggs A new sample of #Terraloader has been spotted and continues to be FUD to the AV engines. This keeps the same structure as the last sample of July with new exception loops and modified rounds on the algorithm.
2020-07-24: 🔥👁🗨 #more_eggs JS loader | #TerraLoader #Signed .ocx
Cert -> 🇨🇿 [AntiFIX s.r.o.] #Sectigo
base91 en|de|code | crc32 sum AV process check
BV = '6.6a'
🛑C2: maps.doaglas .com/update/check
MD5:C8AEF418DF5CE78AA55FDA9B4DA2B6A8
h/t MalwareHunterTeam
Intezer Correct. But it's not #TerraTV , this is new #TerraLoader version directly injecting #Meterpreter instead (c2 xo[.]mikeplein[.]com). There is something likely in common with TerraTV tho.. the #GoldenChickens customer using it - #FIN6 (more on this to come, stay tuned)
For your Excel 4.0 Macro pleasure Malwrologist. These files are 'encrypted' 🔓 with the VelvetSweatshop password. Luckily Philippe Lagadec's oletools knows how to decrypt, but your #Yara rules might not!
🔗virustotal.com/gui/file/9e134…
📋gist.github.com/JohnLaTwC/55a6…
🧠nakedsecurity.sophos.com/2013/04/11/pas…
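The point of the last tweet, that a scanner matching on raw file bytes sees only ciphertext when the workbook is sealed with the VelvetSweatshop default password, can be checked programmatically before Yara is applied. The Python below is an added example, not code from the tweet's author or from oletools: it walks the record headers of an extracted BIFF8 Workbook stream (in Excel 97-2003 files the 4-byte record headers stay in plaintext even when record bodies are RC4-encrypted) and reports the FILEPASS record that marks the workbook as encrypted, so a pipeline knows to decrypt first. The two sample streams are constructed inline; pulling the Workbook stream out of the OLE container (for example with olefile) is assumed and not shown.

```python
"""Detect Excel 97-2003 (BIFF8) workbook encryption by locating the FILEPASS record."""
import struct

# BIFF8 record identifiers documented in MS-XLS.
BOF = 0x0809         # Beginning of a substream
FILEPASS = 0x002F    # Workbook is encrypted; body describes the scheme
EOF_RECORD = 0x000A  # End of a substream
CODEPAGE = 0x0042    # Harmless record used to pad the constructed samples


def build_record(rtype: int, payload: bytes) -> bytes:
    """Serialise one BIFF record: 2-byte type, 2-byte length, then payload (little-endian)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


def iter_records(stream: bytes):
    """Yield (type, payload, offset) for every record in a Workbook stream.

    Record headers are never encrypted in BIFF8, only record bodies are, which is
    what makes this walk possible on an encrypted file. A truncated trailing header
    is ignored rather than raising.
    """
    offset = 0
    while offset + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, offset)
        payload = stream[offset + 4:offset + 4 + rlen]
        yield rtype, payload, offset
        offset += 4 + rlen


def describe_filepass(payload: bytes) -> dict:
    """Decode the FILEPASS record body (MS-XLS 2.4.117) into a scheme description."""
    if len(payload) < 2:
        raise ValueError("FILEPASS record too short")
    (enc_type,) = struct.unpack_from("<H", payload, 0)
    if enc_type == 0x0000:
        return {"encrypted": True, "scheme": "XOR obfuscation"}
    if enc_type == 0x0001:
        if len(payload) < 6:
            raise ValueError("RC4 FILEPASS missing EncryptionVersionInfo")
        vmajor, vminor = struct.unpack_from("<HH", payload, 2)
        if vmajor == 1:
            scheme = "RC4 (standard)"
        elif vmajor in (2, 3, 4):
            scheme = "RC4 CryptoAPI"
        else:
            scheme = f"RC4 (unknown vMajor {vmajor})"
        return {"encrypted": True, "scheme": scheme, "version": (vmajor, vminor)}
    return {"encrypted": True, "scheme": f"unknown wEncryptionType 0x{enc_type:04x}"}


def check_workbook_stream(stream: bytes) -> dict:
    """Report whether a Workbook stream is encrypted.

    FILEPASS, when present, lives in the Workbook Globals substream (first BOF up to
    its EOF), so the scan stops at that EOF instead of walking every sheet substream.
    """
    for rtype, payload, offset in iter_records(stream):
        if rtype == FILEPASS:
            info = describe_filepass(payload)
            info["offset"] = offset
            return info
        if rtype == EOF_RECORD:
            break
    return {"encrypted": False, "scheme": None}


# --- Constructed sample streams (synthetic bytes, not taken from any real file) ---
_BOF_GLOBALS = build_record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0600))
# RC4 standard FILEPASS: wEncryptionType=1, vMajor=1, vMinor=1, followed by Salt,
# EncryptedVerifier and EncryptedVerifierHash (16 bytes each; filler values here).
_FILEPASS_RC4 = build_record(
    FILEPASS, struct.pack("<HHH", 1, 1, 1) + b"\x11" * 16 + b"\x22" * 16 + b"\x33" * 16
)
_CODEPAGE_UTF16 = build_record(CODEPAGE, struct.pack("<H", 0x04B0))
_EOF = build_record(EOF_RECORD, b"")

SAMPLE_PLAIN = _BOF_GLOBALS + _CODEPAGE_UTF16 + _EOF
# In a real encrypted workbook the CODEPAGE body would be ciphertext; its header would not.
SAMPLE_ENCRYPTED = _BOF_GLOBALS + _FILEPASS_RC4 + _CODEPAGE_UTF16 + _EOF


if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED)):
        info = check_workbook_stream(sample)
        action = ("decrypt with the VelvetSweatshop default password, then scan"
                  if info["encrypted"] else "scan directly")
        print(f"{name}: {info} -> {action}")
```

When the check reports an encrypted workbook, the file goes through oletools (or the msoffcrypto-tool it builds on) with the password VelvetSweatshop, and Yara runs on the decrypted output rather than the original. One further caveat for rule authors: Excel 4.0 macro formulas are stored as tokenized expressions in FORMULA records, not as the text shown in the cell, so even after decryption a rule that looks for formula source text as a plain string will not match; olevba's decoded listing is the better input for that kind of content matching.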