Date,Details,Payload Type,Users Targeted
2/4/2025,Request for Quotation; docx -> xloader,Attachment,4
2/4/2025,RE: RE: RE: RE: A PROFORMA INVOICE REQUEST FOR YOUR TODAY'S IMMEDIATE PAYMENT !!!; zip -> xloader,Attachment,6
2/6/2025,OC4503585788; 7z -> originlogger,Attachment,4
2/6/2025,RE: TNT Express //Arrival Notice // AWB #8013580 2/06/2025; zip -> snakekeylogger,Attachment,2
2/7/2025,RE: T/T EUR 78845.10; doc -> snakekeylogger,Attachment,5
2/10/2025,Re: GPRI PO #24090838; docx -> -> rtf -> xloader,Attachment,2
2/12/2025,PAGOS|INFORME MODELO 347; rar|tar -> snakeykeylogger,Attachment,4
2/12/2025,Purchase Order #PO240145|New Order PO240145; lzh -> xloader continued to 2/14,Attachment,8
2/13/2025,Orden de compra; 001 -> originlogger,Attachment,3
Date,Details,Email Payload Type,Users Targeted
1/8/2025,Copy shipping docs/ PO EV1786/ LY ECO PAK/ EV1; z -> vipkeylogger,Attachment,4
1/9/2025,Invoice; zip -> lumma ,Attachment,2
1/9/2025,PO#17971; rar -> vipkeylogger,Attachment,4
1/11/2025,Order Confirmation#011025; 7z -> xloader,Attachment,3
1/13/2025,Enquiry - RFQ; z -> vipkeylogger,Attachment,4
1/13/2025,QUOTATION REQUIRED_Enatel s.r.l.; rar -> vipkeylogger,Attachment,8
1/13/2025,Re: Invoice AJL2024/12/13. - Payment Receipt (OCEAN HOPE LLC); 7z -> snakekeylogger,Attachment,4
1/13/2025,Re: Payment Authourisation for Order9000168504; r15|r00 -> xloader,Attachment,2
1/13/2025,RE: PI-KMM289108//Payment Transfer Issue; zip -> xloader,Attachment,2
Jan 24 09:30:06 kernel: [1433155.925803] NEW IN= OUT= SRC=87.190.21.11 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=47161 DF PROTO=TCP SPT=19000 DPT=44322 WINDOW=13173 RES=0x00 SYN URGP=0
Jan 24 09:30:06 kernel: [1433156.317801] NEW IN= OUT= SRC=35.131.74.82 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=62149 DF PROTO=TCP SPT=19000 DPT=1971 WINDOW=18474 RES=0x00 SYN URGP=0
Jan 24 09:30:06 kernel: [1433156.322783] NEW IN= OUT= SRC=82.79.112.58 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=29898 DF PROTO=TCP SPT=19000 DPT=4343 WINDOW=27164 RES=0x00 SYN URGP=0
Jan 24 09:30:06 kernel: [1433156.443998] NEW IN= OUT= SRC=72.12.122.239 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=46847 DF PROTO=TCP SPT=19000 DPT=8006 WINDOW=25819 RES=0x00 SYN URGP=0
Jan 24 09:30:06 kernel: [1433156.642991] NEW IN= OUT= SRC=170.250.142.171 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=41878 DF PROTO=TCP SPT=19000 DPT=8042 WINDOW=26227 RES=0x00 SYN URGP=0
Jan 24 09:30:06 kernel: [1433156.659971] NEW IN= OUT=
Details,Email Payload Type,Users Targeted
Copy Of Payment Just Made.; arj -> filerenamer,Attachment,5
RE: GLTB-PO/24/10002; zip -> xloader,Attachment,2
Request for Quotation; rar -> snakekeylogger,Attachment,5
Payments; rar -> xloader,Attachment,2
QUOTATION REQUEST - BQS058; zip -> snakekeylogger,Attachment,2
SHIPPING DOCUMENTS - PO#EV1786/loading: 07/11/2024 - SC: HKLE-DS240912; rar -> vipkeylogger,Attachment,4
expiro-xloader, 0629d06c5aa9b9c33a5b7f9fb029023c3c6140bd475e6b68645beca7d85203bd, www.snyp.shop/4nyz
expiro-xloader, 77fff1c59aace50f9bbb9184b1086cccb57df0cb5d3b10589a9b6b91283aa719, www.d48dk.top/9ffw
Date,Details,Email Payload Type,Users Targeted
11/1/2024,New Purchase Orders for Span|PO018 | Hydraulic Parts | Spare Parts; rar -> xloader,Attachment,8
11/3/2024,Purchase Order; zip -> snakekeylogger,Attachment,2
11/3/2024,IRS Customer Service; zip -> lnk -> vidar,Attachment,3
11/4/2024,PR # 3000005991 - Quotation Required | Spare Parts; rar -> xloader,Attachment,4
11/4/2024,re:payment; z -> xloader,Attachment,4
11/5/2024,New Inquiry // INQ24561; iso -> xloader,Attachment,4
11/5/2024,Novaj Aĉeto-Mendoj por Span; rar -> xloader,Attachment,4
11/5/2024,Request of payment - 364898 FD PO# B2023-21508; zip|rar -> xloader,Attachment,4
11/6/2024,Shipping docs and schedule; tar -> xloader,Attachment,3
Date,Details,Email Payload Type,Users Targeted
10/1/2024,FACTURA N.º 240073; lzh -> xloader,Attachment,46
10/1/2024,Payment Advice ***** Advice Ref:[A20A9o6tNQd2] / ACH; rar -> xloader,Attachment,3
10/3/2024,SOA AUG 2024 - / CMA CGM; rar -> xloader,Attachment,4
10/3/2024,Payment Reference SOA Pending Balance Updated; rar -> xloader,Attachment,4
10/6/2024,Re: Ref: Payment Advice 081 // Customer Ref:23486903|NEW ORDER; rar -> xloader,Attachment,4
10/6/2024,SOA (Statement Of Account); rar -> xloader,Attachment,4
10/7/2024,Request for Quotation Plug Valve; z -> vipkeylogger,Attachment,4
10/7/2024,Quotation Accepted; lzh -> xloader,Attachment,3
10/9/2024,NEW PO; z -> xloader,Attachment,4
Date,Details,Email Payload Type,Users Targeted
9/2/2023,<email address> You have an incoming invoice; rar -> formbook,Attachment,3
9/2/2024,QUOTE - REQUIRED ITEMS_4001244; rar -> viplogger,Attachment,2
9/2/2024,Business /lease agreements.; 7z -> vbe -> snakekeylogger,Attachment,2
9/2/2024,JUSTIFICANTE -Carta de pago; rar -> viplogger,Attachment,3
9/2/2024,Quote #011698; lzh -> xloader,Attachment,3
9/3/2024,New Order PO#86637 03_09_2024; lzh -> xloader,Attachment,3
9/3/2024,Re: Urgent; 7z -> vbe -> snakekeylogger,Attachment,3
9/4/2024,New Shipment - Order 103; lzh -> xloader,Attachment,3
9/5/2024,New Order PO 011824; lzh -> xloader,Attachment,3
Date,Summary,Details,Email Payload Type,Users Targeted
8/1/2024,Malicious email campaign; morning,Purchase Order; rar ->,Attachment,3
8/1/2024,Malicious email campaign; evening,SIGNED ORDER CONFIRMATION FOR; zip -> xloader continued to 8/5,Attachment,4
8/1/2024,Malicious email campaign; evening,ARRIVAL NOTICE FOR YOUR; zip -> originlogger continued to 8/5,Attachment,9
8/2/2024,Malicious email campaign; evening,Purchase Order PO0001277 - N34 PAX SUITES SO0002124; z -> xloader,Attachment,5
8/3/2024,Malicious email campaign; evening,RE: UPDATED SOA FOLLOW UP PAYMENT; rar|zip -> originlogger,Attachment,3
8/3/2024,Malicious email campaign; evening,Fw: PAYMENT NOTIFICATION; zip -> snakekeylogger,Attachment,2
8/6/2024,Malicious email campaign; morning,DHL BILL OF LANDING SHIPPING INVOICE DOCUMENTS; lzh -> originlogger,Attachment,2
8/6/2024,Malicious email campaign; evening,Re: Payment for Proforma Invoice 0000000056789007689-pdf; zip -> purelogs,Attachment,3
8/7/2024,Malicious email campaign; morning, PI-J/005 : PF
Date,Summary,Details,Category,Sub Category,Email Payload Type,Users Targeted
7/1/2024,Malicious email campaign; morning,Top Urgent Order; 7z -> vbs -> guloader,Email,Malware,Attachment,4
7/1/2024,Malicious email campaign; morning,Re: Solicitação de Pagamento - Fatura Proforma 924318184; 7z -> formbook,Email,Malware,Attachment,2
7/1/2024,Malicious email campaign; evening,Urgent files; 7z -> vbs -> guloader continued to 7/2,Email,Malware,Attachment,3
7/2/2024,Malicious email campaign; morning,INQUIRY 2024-SP0006-B(01) INQ24-012207; rar -> xloader continued to 7/8,Email,Malware,Attachment,16
7/2/2024,Malicious email campaign; morning,Re: Revised Proforma; tar -> vbs -> guloader,Email,Malware,Attachment,3
7/4/2024,Malicious email campaign; morning,Attachment name is revised pi_2024.lzh; lzh -> originlogger continued to 7/12,Email,Malware,Attachment,8
7/8/2024,Malicious email campaign; evening,Re: Your Proforma Pending Payments; 7z -> vbs -> guloader,Email,Malware,Attachment,2
7/9/2024,Malicious email campaign; m
// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events within impact window
| case{
#event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
#event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}
| case{