Add files via upload
brad-duncan authored Jan 29, 2024
1 parent 9d03787 commit 4d68178
Showing 9 changed files with 626 additions and 0 deletions.
37 changes: 37 additions & 0 deletions 2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
2022-04-05 (MONDAY) - BUMBLEBEE INFECTION WITH COBALT STRIKE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1512146449345171459

NOTES:

- Bumblebee malware associated with threat actor EXOTIC LILY was reported by Google's Threat Analysis Group (TAG) in March 2022.

- For more information, see: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/

- Was not able to recover Cobalt Strike binary from this infection example.

ASSOCIATED MALWARE:

- SHA256 hash: a3e023f9666dfacbbc028212682390de436a78e4291c512b0b9f022a05b138f8
- File size: 2,555,904 bytes
- File name: documents-0405-13.iso
- File description: Malicious ISO file with Bumblebee malware

- SHA256 hash: 9dfb32ed9b5756151623a8049eaa7785bf761601eb6c7165beff489cce31bb08
- File size: 1,199 bytes
- File name: documents.lnk
- File description: Windows shortcut to run Blumblebee DLL
- Shortcut: rundll32.exe setting.dll,IternalJob

- SHA256 hash: 131f7e18bc3ea50cdcf74b618c24f5ae1b38594f8649d80538566b1cceeec683
- File size: 2,502,144 bytes
- File name: setting.dll
- File description: Windows DLL for Bumblebee malware
- Run method: rundll32.exe setting.dll,IternalJob

TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 192.236.198[.]63 port 443 - 192.236.198[.]63 - Bumblebee HTTPS C2 traffic
- 23.108.57[.]23 port 443 - cuhitiro[.]com - Cobalt Strike traffic
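Review bot: the weekday in the title line is inconsistent with the rest of this commit: 2022-04-12 is labelled TUESDAY in the next file, so 2022-04-05, exactly seven days earlier, is also a Tuesday, not MONDAY. Two smaller points in the ASSOCIATED MALWARE section: "Windows shortcut to run Blumblebee DLL" should read "Bumblebee DLL", and the export name "IternalJob" appears in both the shortcut line and the run-method line; if that is the exact export string from the sample it is worth keeping verbatim as a detection string, but a short confirmation in NOTES would stop readers assuming it is a typo.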
74 changes: 74 additions & 0 deletions 2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt
@@ -0,0 +1,74 @@
2022-04-12 (TUESDAY) - SPRINGSHELL EXPLOITATION BY ENEMYBOT

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1513951086356406279

NOTE:

- At least 62 samples of Gafgyt-based Linux botnet, Enemybot, exploiting the SpringShell vulnerability, were spotted on VirusTotal on 2022-04-11 and 2022-04-12.

- The SHA256 file hashes are listed below.
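Review bot: the file ends with "The SHA256 file hashes are listed below." but no hashes appear in this rendering of the hunk, even though the header counts 74 added lines; confirm the hash list survived the upload. Also, the heading reads "NOTE:" where every other file in this commit uses "NOTES:", which matters if these files are parsed by section name, and the SpringShell bullet would be more useful with the CVE identifier and the affected component named next to "SpringShell vulnerability".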
55 changes: 55 additions & 0 deletions 2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt
@@ -0,0 +1,55 @@
2022-04-14 (THURSDAY) - AA DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1514716895861256192

INFECTION CHAIN:

- email --> link --> zip --> extracted .msi file --> dropped Qakbot DLL --> Qakbot C2 --> Cobalt Strike

NOTES:

- Also known as TA577, aa distribution Qakbot started using .msi files in downloaded zip archives as of Monday 2022-04-11.
- Reference: https://twitter.com/k3dg3/status/1513514251788464132
- Reference: https://twitter.com/Max_Mal_/status/1513539551070937093

- Saw the same Cobalt Strike C2 domain and IP address on Monday 2022-04-11 for 172.241.27[.]237 using kuxojemoli[.]com.
- Reference: https://twitter.com/malware_traffic/status/1513556366346137605

ASSOCIATED MALWARE:

- SHA256: 5c3b39ec6ffbfe05ac0246d98d6ce7287de442896c90d24e256a03da21f3ada9
- File size: 817,162 bytes
- File location: hxxps://geobram[.]com/ist/iseerroaemtefspidnle
- File location: hxxps://geobram[.]com/ist/NO_2950435796.zip
- File name: iseerroaemtefspidnle.zip
- File description: ZIP archive downloaded from link in email

- SHA256: 2b9861436d994bee6a332cbaf71a9fd6f157089062f414207c9effe84bf556e5
- File size: 977,920 bytes
- File name: 281.msi
- File description: MSI file extracted from above ZIP archive

- SHA256: f642fe6b372183af134c1c8cd5f806de37dcea27d6eab2ef53663d61795416e0
- File size: 1,399,296 bytes
- File location: C:\Users\[username]\AppData\Local\SetupTest\1.dll
- File description: Windows DLL for Qakbot (aa distribution tag)
- Run method: regsvr32.exe [filename]

TRAFFIC TO DOWNLOAD THE INITIAL ZIP ARCHIVE:

- 208.91.198[.]131 port 443 - hxxps://geobram[.]com/ist/iseerroaemtefspidnle
- 208.91.198[.]131 port 443 - hxxps://geobram[.]com/ist/NO_2950435796.zip

QAKBOT C2 TRAFFIC:

- 47.158.25[.]67 port 443 - attempted TCP connections
- 45.46.53[.]140 port 2222 - HTTPS traffic
- port 443 - www.openssl[.]org - connectivity check (not inherently malicious)
- 23.111.114[.]52 port 65400 - TCP traffic
- 75.99.168[.]194 port 443 - HTTPS traffic

COBALT STRIKE TRAFFIC:

- 172.241.27[.]237 port 443 - kuxojemoli[.]com
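Review bot: the QAKBOT C2 TRAFFIC section lists "port 443 - www.openssl[.]org - connectivity check (not inherently malicious)" alongside real C2 entries; anyone bulk-importing this section as blocklist indicators will pick up a legitimate domain, so move it under its own heading (for example "CONNECTIVITY CHECK") rather than leaving it in the C2 list. Two consistency points: this file labels hashes "SHA256:" while the other files use "SHA256 hash:", and "File name: iseerroaemtefspidnle.zip" does not exactly match either download URL (one has no extension, the other is NO_2950435796.zip), so a note on which URL produced which saved filename would help.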
51 changes: 51 additions & 0 deletions 2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt
@@ -0,0 +1,51 @@
2022-04-19 (TUESDAY) - MALWARE INFECTION FROM BRAZIL EMAIL

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1516878897341681665

INFECTION CHAIN:

- email --> link --> zip --> .msi file --> DLL run by legit EXE --> post-infection traffic

EMAIL HEADERS:

- Date: Tue, 19 Apr 2022 21:20:30 +0000 (UTC)
- Return-Path: <[email protected][.]com>
- Received: from mail51.notadobairro[.]com (mail51.notadobairro[.]com [137.184.189[.]240])
- Subject: Nota Fiscal Eletronica 8286498
- From: [email protected] [spoofed sender]

LINK FROM MESSAGE TEXT:

- hxxps://projeto-nota[.]com/?cid=[recipient's email address]

ASSOCIATED MALWARE:

- SHA256 hash: 3a4da1e6bbd311133b1232f8b4080ebd2a9e747afd96f8c3eadde8f1dd949d84
- File size: 14,940,993 bytes
- File location: hxxp://download.kicks-ass[.]org/PREFEITURAfds.zip
- File name: PREFEITURAfds.zip
- File description: zip archive downloaded from link in email

- SHA256 hash: de8dc757ae084e180d13d97afb93b64b678a786dc968657c85004b5a84fef10d
- File size: 15,470,080 bytes
- File name: ji89UHECQSfP.msi
- File description: MSI file extracted from the above zip archive

- SHA256 hash: 3847c039ec8f75424201032f288b86d79822cd9c993e9b9f51bd2f904eed4dfe
- File size: 14,278,656 bytes
- File location: C:\Users\[username]\AppData\Roaming\Segun�a\Aplicativo\zlibai.dll
- File description: Malware DLL installed from above MSI file
- Run method: loaded by legitimate file intune.exe in the same directory

INFECTION TRAFFIC:

- 208.109.26[.]144 port 80 - projeto-nota[.]com - GET /?cid=[recipient's email address]
- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /
- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /nfe.jpg
- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /loading2.gif
- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /favicon.ico
- 20.226.20[.]129 port 80 - gssfsfgf.scrapping[.]cc - GET /354386&tyGUuguyGUYGU435483962329378273892738973492380403UIGIUGGGG438746783/
- 20.226.20[.]129 port 80 - download.kicks-ass[.]org - GET /PREFEITURAfds.zip
- 20.226.20[.]129 port 80 - iofajfioshnguiosfui.from-pa[.]com - POST /novidades/inspecionando.php
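Review bot: the DLL path "AppData\Roaming\Segun�a\Aplicativo\zlibai.dll" contains a replacement character, so the directory name was mis-encoded somewhere between the infected host and the upload; re-save the file as UTF-8 with the original name, since an analyst matching on this path will otherwise miss it. The Return-Path and From lines show "[email protected]" in place of the address, which looks like the address was stripped on display rather than deliberately redacted; if it was redacted, mark it in brackets as done for "[recipient's email address]". Finally, the DLL is "loaded by legitimate file intune.exe in the same directory" but no hash or version for that executable is listed; adding it lets defenders tell this bundled copy apart from a normally installed one.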
92 changes: 92 additions & 0 deletions 2022-04-25-IOCs-for-Emotet-epoch4.txt
@@ -0,0 +1,92 @@
2022-04-25 (MONDAY) - EMOTET EPOCH 4 MALSPAM WITH WINDOWS SHORTCUT (.LNK) ATTACHMENTS

REFERENCE:

- reference unavailable

NOTES:

- On Friday 2022-04-22, Emotet stopped sending Excel spreadsheets as attachments and began using Windows shortcut (.lnk) files.

- The .lnk file can be directly attached to the emails, or they can be contained in a password-protected zip archive.

- These shortcuts have embedded script appended to the file.

- The shortcut command copys the embedded script to a .vbs file saved to and run from the victim's AppData\Local\Temp directory.

ATTACHMENTS: .LNK FILES:

- f1228e3fc8d14b670dcd05a73e9d8082c5468e7f869c04e4e2a192c24029cb0b Electronic form 04.25.2022, USA.lnk
- 4cfaec3d5afa0acd05aeea77cbd77f705659716849c4ffb1c00711e018e7e1d9 Electronic form 04.25.2022.lnk
- de32b7042c9acd86b5f446c334a415f5f38df8dd71f74d0f826dc3e04e8b735c Electronic form Dt 04.25.2022.lnk
- e3a4e4b4fd779cb449b69d2831fe49e22c95eb917bc875a8ff9dea69699a2b75 Form Dt 04.25.2022.lnk
- 193cf39b5c1d4174fbecc8ed34d476eab20129659e2f16a71341a53f3649819f form 04.25.2022.lnk

ATTACHMENTS: PASSWORD-PROTECTED ZIP ARCHIVES:

- 4dfcc035699f72fe818d3862985043d7c9507c8fb41fa6daff6b040bd35f2fdb Electronic form Dt 04.25.2022, United States.zip
- 175926369c94fbbf586767836fdeb3d1eb23e0b6adaaa4f62d0437d7c1c3ffc5 Form 04.25.2022, US.zip
- b4cef643571c26d7c96180c665250b3e2a64e6ff6957458c56dc8842640e20b9 form 04.25.2022, US.zip
- 212b5544fd55f5d5060beec77d80ea600d29fbbce8cd3d6d7ab54af369e59363 INV 2022-04-25_1114, US.zip
- 6bdac1eb612c6a9f7725a87d19d6a4e9f24012185d33cad66f0234cf0d572f07 INV 2022-04-25_1237, US.zip

.LNK FILES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

- 846a1548e1f1eb25c026060be4b132aef84c6e72d459ae4ba586e10bd3452e89 Electronic form Dt 04.25.2022, United States.lnk
- 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71 Form 04.25.2022, US.lnk
- de494235193ae2144df12e3b5dddfee7f18fe155b71b8d816a010cf2ef95ed5a form 04.25.2022, US.lnk
- 406a50eb3bd3815a556e35015d65918b82cba4780c413f2028e3f8c346a5c283 INV 2022-04-25_1114, USA.doc.lnk
- 19c4740ef48735d8fca435e54bb5ca4f0dea47c14d0a8ebf6f6278469b901eec INV 2022-04-25_1237, United States.doc.lnk

EXAMPLES OF WINDOWS SHORTCUT COMMANDS:

- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form 04.25.2022, USA.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form 04.25.2022.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form Dt 04.25.2022, United States.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form Dt 04.25.2022.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "form 04.25.2022.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Form 04.25.2022, US.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "form 04.25.2022, US.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Form Dt 04.25.2022.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "INV 2022-04-25_1114, USA.doc.lnk"
- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "INV 2022-04-25_1237, United States.doc.lnk"

VBS SCRIPT APPENDED TO .LNK FILES FOR EMOTET:

- SHA256 hash: c9182a9101d90a24fc6367d62e31abdd930b2c7f5e69d53d65468259ce1e295d
- File size: 3,008 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\YlScZcZKeP.vbs

URLS IN VBS SCRIPT TO RETRIEVE EMOTET DLL:

- hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/
- hxxp://filmmogzivota[.]rs/SpryAssets/gDR/
- hxxp://demo34.ckg[.]hk/service/hhMZrfC7Mnm9JD/
- hxxp://focusmedica[.]in/fmlib/IxBABMh0I2cLM3qq1GVv/
- hxxp://cipro[.]mx/prensa/siZP69rBFmibDvuTP1L/
- hxxp://colegiounamuno[.]es/cgi-bin/E/

EXAMPLE OF 64-BIT DLL FOR EMOTET:

- SHA256 hash: d0c671e54b36dce0f652ef7fa8e18d609a89efff1a05b133d7c2cd536f65f15f
- File size: 543,744 bytes
- File location: C:\Users\[username]\AppData\Local\Kfichjg\cbun.zia
- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- File description: 64-bit DLL for Emotet
- Run method: regsvr32.exe [filename]

EMOTET C2 TRAFFIC:

- 49.231.16[.]102 port 8080 - HTTPS traffic
- 51.210.176[.]76 port 443 - HTTPS traffic
- 91.207.181[.]106 port 8080 - HTTPS traffic
- 93.104.209[.]56 port 8080 - HTTPS traffic
- 131.100.24[.]199 port 7080 - HTTPS traffic
- 138.197.147[.]101 port 443 - HTTPS traffic
- 138.201.142[.]73 port 8080 - attempted TCP connections
- 176.31.163[.]17 port 8080 - HTTPS traffic
- 217.160.107[.]189 port 8080 - HTTPS traffic

EMOTET SPAMBOT TRAFFIC:

- various IP addresses over various TCP ports - encrypted SMTP traffic
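Review bot: "copys" in the fourth note should be "copies", and "The .lnk file can be directly attached to the emails, or they can be contained" mixes singular and plural. The attachment lists give bare hash-and-filename pairs while the VBS and DLL entries use the labelled "SHA256 hash:" / "File location:" form; consistent labelling keeps the files parseable. "REFERENCE: - reference unavailable" would read better as an explicit statement that no public report exists, so readers do not go looking for a link. The shortcut command lines are the most reusable detection content in the file: the findstr marker "glKmfOKnQLYKnNs.*" is identical across all ten samples, which deserves a sentence in NOTES as a pivot for finding related .lnk files.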
71 changes: 71 additions & 0 deletions 2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt
@@ -0,0 +1,71 @@
2022-05-03 (TUESDAY) - CONTACT FORMS CAMPAIGN --> BUMBLEBEE --> COBALT STRIKE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1521831026024239107

CHAIN OF EVENTS:

- Contact form-generated email --> link to URL at storage.googeapis.com --> ISO file download --> Bumblebee infection --> Cobalt Strike activity

NOTES:

- "Contact Forms" is a campaign that has distributed IcedID, Sliver, BazarLoader, and more recently Bumblebee malware.

- This campaign uses a web site's contact form to email recipients messages with malicious links to download malware.

- The Contact Forms campaign most often uses a DMCA violation notice that directs victims to a "Stolen Images Evidence" web page hosted on a URL at storage.googeapis.com.

- In 2021 the Contact Forms campaign also used a "DDoS Attack Proof" theme.

- An initial write-up about this campaign can be found at: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: c632b56628303f523b22a26231ae80836fed54df87c8a004f2d348d1b6f951b2
- File size: 4,521,984 bytes
- File name: StolenImages_Evidence.iso
- File description: ISO file downloaded through link in contact forms email

- SHA256 hash: 3c600328e1085dc73d672d068f3056e79e66bec7020be6ae907dd541201cd167
- File size: 1,623 bytes
- File location: StolenImages_Evidence.iso\documents.lnk
- File description: Windows shortcut in the above ISO file
- Windows shortcut: %windir%\system32.exe /c start
rundll32.exe mkl2n.dll,KXlNkCkgFC

- SHA256 hash: 0a9efce2cb38eb9e215d4ea308ccdc711659ab75b124dfd49561d6226c431ac2
- File size: 3,023,872 bytes
- File location: StolenImages_Evidence.iso\mkl2n.dll
- File location: C:\ProgramData\96796b3c800e87fc\d99821d3530f702f.dll
- File description: Bumblebee malware DLL
- Run method: rundll32.exe [filename],KXlNkCkgFC

- SHA256 hash: 330b74d26d0f25bd9b7cc147c9641241fea4a2a65965039c7a437ef739e51521
- File size: 140 bytes
- File location: C:\ProgramData\96796b3c800e87fc\d99821d3530f702f.vbs
- File description: VBS file made persistent through scheduled task, used to run Bumblebee malware DLL

MALWARE NOTE:

- No binaries for Cobalt Strike were found saved to disk during a forensic investigation on the infected Windows host.

EXAMPLE OF LINK IN CONTACT FORM-GENERATED EMAIL FOR "STOLEN IMAGES EVIDENCE" PAGE:

- port 443 - hxxps://storage.googleapis[.]com/sf796cw3zbj6nk.appspot.com/sh/f/pub/m/0/fileyxuMxCXbRc2e.html?f=308238708665803200

EXAMPLES OF URLS RETRIEVED BY THE ABOVE PAGE THAT RETURN BASE64 TEXT TO GENERATE ISO FILE:

- 172.67.183[.]217 port 443 - hxxps://baronrtal[.]com/images/logo.jpg
- 172.67.168[.]3 port 443 - hxxps://bunadist[.]com/images/logo.jpg

BUMBLEBEE C2 TRAFFIC:

- 45.153.243[.]93 port 443 - 45.153.243[.]93 - HTTPS traffic

COBALT STRIKE TRAFFIC:

- 179.60.150[.]125 port 443 - HTTPS traffic
- 172.93.201[.]12 port 443 - cevogesu[.]com - HTTPS traffic
- 23.106.215[.]100 port 443 - titojukus[.]com - HTTPS traffic
- 108.177.235[.]172 port 443 - xemigefav[.]com - HTTPS traffic
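Review bot: "storage.googeapis.com" appears twice, in CHAIN OF EVENTS and in NOTES, missing the "l" in googleapis and not defanged, while the example link later gives the correct "storage.googleapis[.]com"; fix the spelling and defang both occurrences so they are not clickable. The shortcut command for documents.lnk is split across two lines and begins "%windir%\system32.exe /c start", which is not a valid path and does not match the "..\..\Windows\system32\cmd.exe" form recorded in the 2022-04-25 file; please re-check the extracted command. The continuation line "rundll32.exe mkl2n.dll,KXlNkCkgFC" also drops the "- " bullet used everywhere else in the list.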

0 comments on commit 4d68178
