silence-is-best’s gists

silence-is-best / gist:e76ee417422d7b3fa31a1f9fae6ec7c4

Created October 3, 2022 14:24

September 2022 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	9/1/2022,Reminder!!!: Our PO100001863\|Request For Quote; z -> snakekeylogger,Attachment,4
	9/1/2022,RE: Purchase orders--revised; rar -> agenttesla,Attachment,2
	9/1/2022,T.C. Ziraat Bankas? �deme Plani; rar -> guloader,Attachment,2
	9/1/2022,NEW ORDER (CONTRACT RQF:234223).; doc -> formbook,Attachment,3
	9/5/2022,Asking supplier for quotation <domain>; doc -> agenttesla,Attachment,2
	9/5/2022,DUE DATED INVOICES !!; jar -> adwind,Attachment,2
	9/5/2022,RE: DHL FAILED DELIVERY NOTIFICATION; doc -> agenttesla,Attachment,4
	9/6/2022,Re:; zip -> formbook continued to 9/7,Attachment,15
	9/7/2022,Your Copy Invoice HANR000116758 with; rar -> agenttesla,Attachment,2

silence-is-best / gist:63adc51dbc4631c898a1ba1adca15fe9

Created September 27, 2022 17:49

Scans

	Sep 25 06:45:21 kernel: [263816.815139] NEW IN= OUT= SRC=104.219.250.45 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=30305 PROTO=TCP SPT=48139 DPT=5001 WINDOW=1024 RES=0x00 SYN URGP=0
	Sep 25 06:47:36 kernel: [263952.059660] NEW IN= OUT= SRC=104.219.250.193 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=30153 PROTO=TCP SPT=49010 DPT=10001 WINDOW=1024 RES=0x00 SYN URGP=0
	Sep 25 06:53:10 kernel: [264285.714766] NEW IN= OUT= SRC=104.219.251.194 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=34457 PROTO=TCP SPT=50098 DPT=15001 WINDOW=1024 RES=0x00 SYN URGP=0
	Sep 25 07:18:25 kernel: [265801.094104] NEW IN= OUT= SRC=104.219.250.45 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=35062 PROTO=TCP SPT=50428 DPT=5002 WINDOW=1024 RES=0x00 SYN URGP=0
	Sep 25 07:41:55 kernel: [267210.594806] NEW IN= OUT= SRC=104.219.250.45 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=46317 PROTO=TCP SPT=52718 DPT=5003 WINDOW=1024 RES=0x00 SYN URGP=0
	Sep 25 07:44:09 kernel: [267345.168385] NEW IN= OUT= SRC=104.219.250.193 DS

silence-is-best / gist:aa09d5340b68414e75a555ef2386566d

Created September 1, 2022 14:28

August 2022 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	8/1/2022,RE: FINAL INVOICE ATTACHED; docx -> formbook,Attachment,3
	8/1/2022,Attachment name is new order.rar; rar -> agenttesla,Attachment,2
	8/1/2022,PURCHASE ORDER; arj -> guloader,Attachment,2
	8/1/2022,New P. O. No A01/2223/POS/PM1/00033 dt. 01.07.2022 for Tube Al. PTD DGGE; docx -> agenttesla,Attachment,3
	8/2/2022,Re: Partnership Opportunity; zip -> iso -> icedid,Attachment,14
	8/3/2022,Re: Shipping Advice - ETD AUG. 2022; zip -> agenttesla,Attachment,6
	8/3/2022,Re: Payment; gz -> agenttesla,Attachment,2
	8/4/2022,New Order for August; z -> agenttesla,Attachment,2
	8/4/2022,Purchasing Inquiry; z -> agenttesla,Attachment,2

silence-is-best / gist:5099394d746623abf10db1584aea6ecc

Created August 1, 2022 15:02

July 2022 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	7/5/2022,New july order; xlsx -> lokibot,Attachment,2
	7/5/2022,RE: Jickson Corporation Pte Ltd - SOA OVERDUES as at 15 Jun 2022; docx -> avemaria,Attachment,3
	7/5/2022,Re: Invoice Attached--PO 20220605; rar -> avemaria,Attachment,17
	7/6/2022,?2nd Invoice reminder on outstanding invoices; img -> guloader,Attachment,3
	7/6/2022,CHINA TO UK / CROSS TRADE/ DDU Charges Importance: High; zip ->,Attachment,3
	7/7/2022,Hi; rar -> dcrat,Attachment,2
	7/7/2022,shipment Shipping Bill copy; img -> nanocore,Attachment,2
	7/8/2022,Attachment name is invoice-remit no89566383.zip; js -> strrat,Attachment,4
	7/8/2022,FW:RE Invoice Paid; zip -> js -> vjw0rm,Attachment,3

silence-is-best / gist:ccb6eb00017e86a09665ca0fceddd621

Created July 22, 2022 19:59

Hashes

	658142bdeec19fb3ff0556a38a592458b7f005f69d11a39c34d67fd9efe6222c ./oKSCQ.exe
	488cf6110cc37722a8ef0043ab8d85d403adad7aefa9b487e7a71c2d3c8a0bde ./HaBQB.exe
	488cf6110cc37722a8ef0043ab8d85d403adad7aefa9b487e7a71c2d3c8a0bde ./fBLPb.exe
	73493f393423de3502be624402e63b53216a91ec15cb5ab1357661a75c2ad29e ./RsBRM.exe
	488cf6110cc37722a8ef0043ab8d85d403adad7aefa9b487e7a71c2d3c8a0bde ./MpFzZ.exe
	fbfe88287fb3b8aac62cc5fdec1b2ed91f5af483e479415da6e2c679e20295ff ./DzXbP.exe
	488cf6110cc37722a8ef0043ab8d85d403adad7aefa9b487e7a71c2d3c8a0bde ./aPABQ.exe
	488cf6110cc37722a8ef0043ab8d85d403adad7aefa9b487e7a71c2d3c8a0bde ./YnPaY.exe
	e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635 ./bYCQn.exe
	336d071d4adb6318e90bdfc18666c5d1f95b9db1ffb659438054680b56da1dc3 ./LzYAJ.exe

silence-is-best / gist:7b71542e9713d9e8c2546090a1358789

Created July 1, 2022 14:32

June 2022 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	6/1/2022,Re: Nuevo Orden (PO 973/ PO998); lzh -> img -> lokibot,Attachment,11
	6/2/2022,RI: TT Transmitted Copy TRV/TT/02-06-2022; r00-> avemaria,Attachment,3
	6/2/2022,New Order; z -> agenttesla continued to 6/3,Attachment,8
	6/5/2022,RE: 4th SHIPMENT //1 x 20 �OMT TEXTILS / EVASION / TUTICORIN- VALENCIA SPAIN - OMT/5646-4; zip -> agenttesla,Attachment,6
	6/6/2022,Fw: Reminder/MAY, 2022 Statement - 22387;zip -> remcos,Attachment,2
	6/7/2022,RE: Shipment Documents Copies (ETD: May 22----ETA: MAY 29)]]]; r00 -> avemaria,Attachment,2
	6/7/2022,RE: Purchase Order_Request for QUOTE Specs; r01 -> avemaria,Attachment,2
	6/7/2022,Delivery Order; z -> agenttesla,Attachment,4
	6/7/2022,RE: RE: New order 70275213; iso -> agenttesla,Attachment,4

silence-is-best / gist:f5e025b89524c2e79de13057c841eea7

Last active June 22, 2022 18:42

Unknown rat stealer snort suricata yara sig

	alert tcp any any -> any any (msg:"Unknown Rat Initial Connect"; flow:established,to_server; content:"domaindetect"; fast_pattern; within:13; dsize:<20; classtype:trojan-activity; sid:20166343; rev:1; metadata:created_at 2022_06_22;)

	rule unknownrat1_mem
	{
	meta:
	description = "Unknown rat with ties to Redline"
	author = "James_inthe_box"
	reference = "https://app.any.run/tasks/468748fc-c2b2-45c4-afb5-476c8fe9f026/#"
	date = "2022/06"
	maltype = "RAT"

silence-is-best / gist:1bc62a53c1a0ddb3a8bcdff19bc80c3e

Created June 21, 2022 15:47

Matanbuchus yara

	rule Matanbuchus_name_only
	{
	meta:
	description = "Matanbuchus"
	author = "James_inthe_box"
	reference = "https://twitter.com/pr0xylife/status/1537511268591992840"
	date = "2022/06"
	maltype = "Loader"

	strings:

silence-is-best / gist:aed87420d90f50abf6e33cd8bff94ec5

Created June 13, 2022 19:33

GALLIUM PingPull snort suricata yara

	alert icmp any any -> any any (msg:"GALLIUM PINGPULL Detected"; content:"PROJECT_PINGPULL"; fast_pattern; within:20; dsize:<100; classtype:trojan-activity; sid:20166342; rev:1; metadata:created_at 2022_06_13;)

	rule PingPull_bin
	{
	meta:
	description = "GALLIUM PingPull"
	author = "James_inthe_box"
	reference = "https://unit42.paloaltonetworks.com/pingpull-gallium/"
	date = "2022/06"
	maltype = "APT horsecrap"

silence-is-best / gist:ee1a7774fdb176cd32299dc3286623e9

Created June 8, 2022 20:49

Recordbreaker yara

	rule Recordbreaker_bin
	{
	meta:
	description = "Recorderbreaker stealer"
	author = "James_inthe_box"
	reference = "https://app.any.run/tasks/631b83d3-0f5d-4766-9b84-c35919fc4db0"
	date = "2022/06"
	maltype = "Stealer"

	strings: