silence-is-best’s gists

silence-is-best / gist:e2af8aa61000e4b740934331291c619b

Last active January 3, 2022 15:14

December 2021 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	12/1/2021,Shipping docs against 2nd Partial Shipment; zip -> agenttesla,Attachment,3
	12/1/2021,Subjects contain DocuSign, ascensionpm.com sender; link -> hancitor,Link,621
	12/1/2021,DHL CARGO ARRIVAL NOTICE; xlsx -> xloader,Attachment,3
	12/2/2021,Swift copy; 7z -> xloader,Attachment,2
	12/2/2021,ORDER CANCELLED.; 001 -> snakekeylogger,Attachment,4
	12/2/2021,Payment Notification from IREMIT EXCHANGER; uif -> snakekeylogger,Attachment,3
	12/3/2021,Sender IP is 185.222.57.142; zip -> agenttesla,Attachment,46
	12/4/2021,??: Booking 1 x 20 dv Shanghai; zip -> agenttesla,Attachment,2
	12/4/2021,Urgent Price request; 7z -> xloader,Attachment,2

silence-is-best / gist:fbef010bb311cb8b831dfdc5cd64c390

Created December 22, 2021 17:25

N-W0rm exil sig

alert tcp any any -> any any (msg:"N-W0rm Exfil"; flow:established,to_server; content:"|c0 00 00 00|"; fast_pattern; within:4; reference:md5,7315760f18f531d0e4d5ed6c7c95fa93; classtype:trojan-activity; sid:20166339; rev:1; metadata:created_at 2021_12_22;)

silence-is-best / gist:a7ea38ccde5923768c234cf6057bf518

Created December 1, 2021 15:41

November 2021 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	11/1/2021,Re: PO #SAI-1007324 SUPPLIES NEEDED; lzh -> guloader -> formbook,Attachment,4
	11/1/2021,Re: I am an interesting and not boring girl; zip -> qakbot,Attachment,2
	11/1/2021,RE: Balance Payment [DBL-SI21070421}; zip -> formbook,Attachment,2
	11/1/2021,REQUEST FOR QUOTATION TO SUPPLY!; xz -> remcos,Attachment,2
	11/1/2021,Ref: Swift Transfer - Failure /Outstanding payment; zip -> lokibot,Attachment,2
	11/2/2021,FW: Request For Invoice - RFQ # 136562\|PAYMENT MADE INTO YOUR NEW BANK DETAILS.; arj -> formbook,Attachment,8
	11/2/2021,ENQUIRY FOR QUOTES; gz -> lokibot,Attachment,2
	11/2/2021,Re: order initiation - invoice No. 36/021-; rar -> agenttesla,Attachment,4
	11/2/2021,Fwd: Payment Problem; r02 -> lokibot,Attachment,2

silence-is-best / gist:9a61ba748a4e4bc7678efbb54f6b3ba2

Created November 1, 2021 14:51

October 2021 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	10/1/2021,Payment Advice - Advice Ref:[GLV927530529] / Priority payment / Customer Ref:[1057139]; zip -> asyncrat,Attachment,3
	10/4/2021,RE: URGENT ORDER_NO.238275-ENQUIRY; r15 -> agenttesla,Attachment,3
	10/4/2021,Re: URGENT- Invoice For Shipment; doc -> formbook,Attachment,2
	10/5/2021,Attachment name is bl-invoice shipping docx.zip ;zip -> agenttesla continued to 8/6,Attachment,4
	10/5/2021,View Secured Document for Review & Printing; doc -> formbook,Attachment,4
	10/5/2021,Subjects contain DocuSign, FICCOB.COM sender; link -> hancitor,Link,3363
	10/5/2021,Docusign document; link -> zip -> iso -> bazaloader,Link,7
	10/5/2021,RE�:�STATEMENT�OF�ACCOUNT; link -> avemaria,Link,3
	10/5/2021,NEW PURCHASE ORDER-NO.Z21239-WMHL\|NEW QUOTATION REQUEST; ppt -> hagga -> agenttesla,Attachment,6

silence-is-best / gist:e1ac68d2039d61df1331ea65b620bddb

Created October 22, 2021 17:48

Una stealer yara sig

	rule unastealer3_other
	{
	meta:
	description = "Una Stealer"
	author = "James_inthe_box"
	reference = "https://www.hybrid-analysis.com/string-search/results/54fb74afabde582ae0a730401ea31ee5e0d9cf33582c8a64d634350150cdd78b"
	date = "2020/07"
	maltype = "Stealer"

	strings:

silence-is-best / gist:dc4f4ee214955ad8e41b2ef366b5f06f

Created October 21, 2021 20:38

Swivelload yara

	rule swivelload_bin
	{
	meta:
	description = "Swivelload"
	author = "James_inthe_box"
	reference = "https://app.any.run/tasks/34b3dc00-a855-49a0-a4be-0bc38b9007b9"
	date = "2021/10"
	maltype = "Loader"

	strings:

silence-is-best / gist:d8f8dd5a9f090d8db2811d229d454db4

Created October 19, 2021 21:07

IP src and raw

	Src

	112.196.98.172
	119.76.135.178
	122.160.66.84
	122.165.201.75
	144.64.141.199
	165.169.6.166
	179.42.192.95
	182.77.56.193

silence-is-best / gist:f69cc193cbe6223ba50063d3981b7177

Created October 1, 2021 14:42

September 2021 Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	9/1/2021,NEW EXPORT PURCHASE ORDER FOR APPLI TRADING GMBH; doc -> xloader,Attachment,3
	9/1/2021,Subjects start with Bill, gmail.com sender link -> trickbot,Link,5
	9/1/2021,RFQ-01-09-2021 - Q0160-11-2020 Rev.1; zip -> formbook,Attachment,3
	9/1/2021,The�dead�list�of�American�soldiers�at�the�airport�in�Kabul.; zip -> js -> griffon continued to 9/2,Attachment,11
	9/2/2021,Updated Invoice; 7z -> xloader,Attachment,2
	9/2/2021,Subjects contain DocuSign, farerata.com sender; link -> hancitor,Link,746
	9/2/2021,PO921806; iso -> xloader,Attachment,2
	9/2/2021,New Business Inquiry; xz\|gz -> nanocore,Attachment,2
	9/2/2021,BL COPY- CIF LCL SEA SHIPMENT; r00 -> avemaria,Attachment,2

silence-is-best / gist:de5ff413b823da0a08973d2976d12df4

Created September 13, 2021 18:19

Additional info

	206.189.205.251
	88.242.66.45
	36.65.102.42
	85.75.110.214
	93.78.214.187
	87.104.3.136
	207.244.91.171
	49.230.88.160
	91.149.252.75
	91.149.252.88

silence-is-best / gist:31a15d9366709d454284c30819b8b425

Created September 2, 2021 17:33

Java msi zloader yara

	rule zloader_new_bin
	{
	meta:
	description = "zloader_new odd"
	author = "James_inthe_box"
	reference = "3e39f52e05238299ed622b996be05792b025d18bc56c878d772ee9002fef1015"
	date = "2021/08"
	maltype = "zloader_new naughty"

	strings: