silence-is-best

Date,Details,Email Payload Type,Users Targeted
3/1/2022,Fwd: Re: SALES ORDER CONFIRMATION 3150014594; doc -> formbook,Attachment,6
3/1/2022,SWIFT COPY Dated 28-Feb-2022; lzh -> guloader -> formbook continued to 3/15,Attachment,4
3/2/2022,FWD: DUE PAYMENT/NEW ORDER; doc -> formbook,Attachment,4
3/3/2022,DE PEDIDO PARA PO# 062618FPI; 7z -> lokibot,Attachment,2
3/6/2022,order confirmation 5648902; zip -> agenttesla,Attachment,2
3/7/2022,RV: Shipping advice - 2nd container under ct.876; zip -> agenttesla,Attachment,5
3/7/2022,RE: First Reminder - BL&CI&PL----50k of TLE4275; lzh -> vbs -> guloader,Attachment,4
3/7/2022,Attachment name is SKM_C3350191107102.zip -> agenttesla,Attachment,5
3/7/2022,Outstanding Statement; r15 -> agenttesla,Attachment,3

silence-is-best

Src

118.32.148.39
126.28.86.219
174.96.17.10
185.165.190.34
193.124.7.9
201.211.31.43
211.192.162.213
219.100.37.238

silence-is-best

agenttesla, 155ab816f3fd97025b4fa4c1c96b9ebe860bd3d4fea3cefdfac3b5eb4c6a096c, mail.escueladeseguridadmaritima.com
agenttesla, 1e0d55597a70a2d001ebefb4d6f5bbe655eca5b8e144711f0bedc71d4f068117, mail.escueladeseguridadmaritima.com
agenttesla, 2b15750aeba3dd437e6b50b815a65bbed7e32de9819a1441693be4189b83a072, mail.escueladeseguridadmaritima.com
agenttesla, 39107316af5af4e51556e3b0aa56a075aff1806d7509d24a4fa54284bb803615, mail.escueladeseguridadmaritima.com
agenttesla, 3f837a1a838485620b0b465bd2dee11e20db87f3b64a242cc31fbe059c463cde, mail.escueladeseguridadmaritima.com
agenttesla, 4e2d44597e791e4e2177434ffe411b22557d005eb940cca7e7ad62b055d1cac5, mail.escueladeseguridadmaritima.com
agenttesla, 50a312e921a0c75d0cf9374f2c5384f21dc96efa1cb3a614c2147e117d7171f8, mail.escueladeseguridadmaritima.com
agenttesla, 52a174adf98c963af2ab985dde25f97e68657355d6bac68c55b8fc0dff84412a, mail.escueladeseguridadmaritima.com
agenttesla, 58ce2309dea30b153cda70566249d5781f60da3658383e6a743fca38fe524d62, mail.escueladeseguridadmaritima.co

silence-is-best

Date,Details,Payload Type,Users Targeted
2/1/2022,New Order Inquiry | | RFQ NO.53902-QGC; xlsx -> xloader,Attachment,3
2/1/2022,Subjects contain DocuSign, powersandassociates.com sender; link -> hancitor,Link,205
2/2/2022,RE: OUTSTANDING BALANCE PAID//REF0000360261; xlsx -> lokibot,Attachment,13
2/2/2022,Payment Advice - Advice Ref:[GB1860369674] / Priority payment / Customer Ref:[0000568988]; doc -> formbook,Attachment,4
2/6/2022,Re: Urgente RFQ_AP65425652_032421; iso -> formbook,Attachment,9
2/7/2022,Re: Quotation; xlsx -> formbook,Attachment,3
2/7/2022,HANDU CLIENT ORDER/ MARCH ORDER.; doc -> formbook,Attachment,4
2/7/2022,Re: new bank details; iso -> formbook,Attachment,9
2/8/2022,Re: new contract//PROFORMA INV-26099//2x20; lzh -> guloader -> formbook,Attachment,4

silence-is-best

http://ngdatas.pw/
https://www.icodeps.com/
http://www.channelinfo.pw/index.php/Home/Index/getExe
https://iplogger.org/1rDMq7
https://iplogger.org/1rd8N6
https://iplogger.org/1spuy7
https://iplogger.org/1uS4i7
https://iplogger.org/1uW6i7
https://iplogger.org/1TW3i7
https://iplogger.org/1q6Jt7

silence-is-best

alert tcp any any -> any any (msg:"Quasar Exfil"; flow:established,from_server; content:"|40 00 00 00|"; fast_pattern; within:4; classtype:trojan-activity; sid:20166340; rev:1; metadata:created_at 2022_02_16;)

[
  "quasar"
]
[
  {
    "config": {
      "attr": {
        "encryption_key": "dwAoBOHOpdZEOnd2XN64",

silence-is-best

Date,Details,Email Payload Type,Users Targeted
1/1/2022,Sending ip is 2.56.59.69; zip -> agenttesla continued to 1/14,Attachment,15
1/3/2022,From Inter Servis-M. Order of office paper 03 01 22; img -> formbook,Attachment,2
1/6/2022,RE: Overdue for December Shpt; rar -> agenttesla,Attachment,2
1/10/2022,New order comfirmation; docx-> agenttesla,Attachment,3
1/10/2022,DEKONT; r19 ->  formbook,Attachment,2
1/11/2022,PURCHASE ORDER - POR22-013018 - URGENT.; zip -> agenttesla,Attachment,3
1/12/2022,swift copy; r00 -> formbook,Attachment,2
1/12/2022,Payment Confirmation.; zip -> agenttesla,Attachment,4
1/12/2022,REQUEST FOR PI; z -> agenttesla,Attachment,2

silence-is-best

Src

101.132.134.165
101.132.150.105
101.132.227.11
101.132.245.119
101.132.73.116
101.132.73.144
101.132.77.235
101.133.174.132

silence-is-best

https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_b9fc8dfba0b44140aed25a811e731710.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_cce54b16710f4aeaa27dbc1c60870b6d.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_bca2d0c6129a4d14bec4a74e3b816afa.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_4f680a2a4ed249c2baa4a2cf7b3ff39d.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_5e4082b99ab344fc810d473289ae0bee.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_9b80130257f34a93becf45596d5748db.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_9259d295d72946b6ae67b4da65e90329.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a344d8_2e2870578980402e97294000bc10e8be.txt?dn=rendomtext
https://a344d849-fee7-49c5-8227-2da020fccf98.usrfiles.com/ugd/a3

silence-is-best

rule Socelars_bin
{
    meta:
        description = "Socelars stealer"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/6cd9a083-44e6-48e2-9c21-355c35cb9a57"
        date = "2022/01"
        maltype = "Stealer"

    strings: