3r1c (@p5yb34m)'s Twitter Profile
3r1c

@p5yb34m

1nc1d3n7 r35p0n53

ID: 884503938937962496

Joined: 10-07-2017 20:05:47

363 Tweets

867 Followers

119 Following

3r1c (@p5yb34m):

#cobaltstrike #TA505: .dll: ://www.ceder-invest[.]be/sass/capital.php C2: ://onecoloradosport[.]com:443/jquery-3.3.2.slim.min.js .xls Sample: bazaar.abuse.ch/sample/54094b2… .dll Sample: bazaar.abuse.ch/sample/1c8de01… Malware Config: tria.ge/210315-1f91e3f…

3r1c (@p5yb34m):

#IcedID: .dll's: ://45.140.146.34/44270.7073414352.dat ://185.82.219.160/44270.7073414352.dat ://188.127.254.114/44270.7073414352.dat C2: asforthemines99[.]uno .xls Sample: bazaar.abuse.ch/sample/2baf563… .dll Sample: bazaar.abuse.ch/sample/8e51ccc… Malware Config: tria.ge/210315-3lcddwd…

3r1c (@p5yb34m):

#Gozi #IFSB (5513 botnet): .doc dropper Sample: bazaar.abuse.ch/sample/8a87c11… C2: greenwoodgrace[.]website Malware Config: tria.ge/210316-1tdtkqq… JAMESWT_MHT

3r1c (@p5yb34m):

#Trickbot (rob78 botnet) #TA505: .dll: ://www.linkinc.es/scss/water.php .dll Sample: bazaar.abuse.ch/sample/162bfeb… .xlsm Sample: bazaar.abuse.ch/sample/3812b84… C2 Traffic: pastebin.com/raw/XBy2rJF3 Malware Config: tria.ge/210316-brmdt7s… JAMESWT_MHT

3r1c (@p5yb34m):

Unconfirmed #Trickbot: PE32 .dll: itelsys[.]ma/prod/education.php PE32 .dll Sample: bazaar.abuse.ch/sample/b7ce29f… .xls Sample: bazaar.abuse.ch/sample/5f8e3b1… Looks to be the same actors with new tricks. Share your findings. app.any.run/tasks/515ae891…

3r1c (@p5yb34m):

#Trickbot (mon156 botnet): PE32 .dll Source: s://ozpinarco.com/wp-content/themes/archi-child/images/prettyPhoto/156.dll PE32 .dll Sample: bazaar.abuse.ch/sample/9ec541b… C2 Traffic: pastebin.com/raw/Ap9UKSy1 Malware Config: tria.ge/210319-2neldc7… JAMESWT_MHT

3r1c (@p5yb34m):

#Trickbot (mon147 botnet): .dll: s://ozpinarco.com/wp-content/themes/archi-child/images/prettyPhoto/147.dll .dll Sample: bazaar.abuse.ch/sample/aed2b8d… C2 Traffic: pastebin.com/raw/HLE7pSaL Malware Config: tria.ge/210319-qaxfy9s… JAMESWT_MHT

3r1c (@p5yb34m):

#Trickbot #opendir (mon### botnet payloads): ://wajirmaternityandnursinghome.co.ke/vendor/phpunit/phpunit-mock-objects/tests/MockObject/ Malware Config (C2s for mon156 botnet): tria.ge/210319-tcpzt1j… JAMESWT_MHT

3r1c (@p5yb34m):

#Gozi #IFSB (1100 botnet) #opendir (with #Trickbot): s://wajirmaternityandnursinghome.co[.]ke/vendor/phpunit/phpunit-mock-objects/tests/MockObject/ C2s: api10[.]laptok[.]at/api1 golang[.]feel500[.]at/api1 go.in100k[.]at/api1 Malware Config: tria.ge/210319-6ybds9f… JAMESWT_MHT

Artilllerie ☣ (@artilllerie):

#IcedID (from ThreatFox abuse.ch) ☢️Low detection (2/69) virustotal.com/gui/file/2b31a… ➡️C&C /24savetonnofmaoney[.xyz /shaxtugel[.fun /kripotopliv[.website /geasgeolander[.fun /anewknowwhere[.website /kdbploxokrocks[.uno /kosmolitopor[.space /teacupshotter[.space MalwareHunterTeam

3r1c (@p5yb34m):

#Trickbot (rob86 botnet): .dll: ://shatteredglass.io/uo/date.php .dll Sample: bazaar.abuse.ch/sample/9097b0a… .xlsm Sample: bazaar.abuse.ch/sample/abc8440… C2 Traffic: pastebin.com/raw/j7xYstCk Malware Config: tria.ge/210325-8achp8s… app.any.run/tasks/a9271d1d…

abuse.ch (@abuse_ch):

Have you set up a hunting alert on URLhaus yet? With this new feature, you can get real-time notifications of key events, including:

✅ URL pattern (exact or wildcard match)
✅ Tag match (exact)
✅ Payload of a URL changes (URL ID)
✅ Signature for payload matches (exact)