Twitter | Search
F5 Labs May 7
[In Review] registers itself as a service using the Name & Description of another DLL’s (Sens.dll) resource strings in order to look like a legitimate service (see image). It is not showing in services.msc, while it does show in ServiWin (service enumeration by Nirsoft).
TomasP Mar 20
New way of email distribution spotted. After seeing TAR and 7Zip in the past weeks, XLS is now attached: Downloads DanaBot with ID=3
lc4m Nov 13
Andrea De Pasquale Oct 2
DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
Vitali Kremez Jul 24
7-24-2018 🇵🇱 Targets Customers of Polish FINTECH & Crypto Zeus-style inject | WebFilter | Cryptoprocess Check Process: {svchost -> rundll} MD5: 169f6a14aa69cf063b2cc2b7166b6af986b6c7f7 ☑️Inject -> Server: //*my9rep/* -> 176.119[.1.112 Thx: 👍
Vitali Kremez Dec 28
2018-12-28: Banking : Targets Customers of 🇵🇱 Financials | Injected Controller "ProxyDll.dll" w/ THttpInject -> Zeus-Style Template (debug: proxy.lst & injects\test.txt ) | Project PDB: E\Merz\Proxy\UProxyServer ab74c9fb499d2b46b3e4b1791f5ae636 h/t
NETSCOUT Threat Intelligence Dec 19
is an actively supported banking trojan steadily approaching the sophistication of mature crimeware families such as and . See our findings here:
Vitali Kremez Jul 20
7-20-2018: {subbotnet:"frr"; bot: "2"} 🇵🇱 Targets Customers of Polish FINTECH & Crypto -Style Inject | Webfake VBS -> Body: {svchost -> rundll32.exe -> DLL} MD5: 215eaf22ed099dba0b8bbb095eeef6a7 Thx: 👍 ☑️Inj Serv: /my9rep/ -> 176.119.1[.11
Karsten Hahn May 9
We () made a new series about strange bits we find in malware samples. I started with a write-up about HTML smuggling in downloaders and hosted coinminers.
TomasP Nov 12
has started a new week with an updated config. Lots of Italian banks and webmails were added again. Besides the IT targets, a few AT/DE targets have been added again, as well as the following Swiss targets for the first time: *.bluewin.ch
James Apr 27
An interesting sample found by c2 is https://frezyderm-orders[.]gr/sites/all/notused/not/ponto.php. Traffic is interesting... note the PLUG1M hash 4dd8d8778c7fb45a189a5759771c08c37de1fa4fb722f265c4d78e3c826610e7 on
Bank Security Nov 13
HookAds Malvertising Installing Banking Trojan via the Fallout Exploit Kit which tries to exploit Windows CVE-2018-8174 VBScript vulnerability
tildedennis Oct 2
TomasP Apr 1
returns to Canada again. New webinject config contains a number of Canadian financial institutions + PayPal. ID=14 Sample:
Jiri Kropac Feb 7
DanaBot updated with a more complicated protocol for C&C communication via
ANY.RUN Apr 11
is interesting in using different techniques to infect and hold on in a system. Let's take a detailed view of it! Downloader > 2 DLLs x86/x64 in ProgramData > Stealing data > Bypass UAC (WUSA) > Creates Service > Injects to system processes
TheAnalyst Dec 11
Another targeting Poland: on the Polish endpoint it connected to s/connecctswell.info/chkesosod/downs/lutcmep that dropped (not in possession of that)
TomasP Oct 1
meets America... North American banks freshly added to a new Danabot config: *bankofamerica.* *wellsfargo.* *tdbank.* *royalbank.* *rbcroyalbank.*
Picus Security Inc. 12 Jun 18
First half of 2018 witnessed a stark increase in the number of . Realizing the imminent trend shift, we have enriched our extensive database with +160 Banking Malware including the most recent banking and Malware!
Pietro Riva Feb 7
New malspam wave. Target: . This one of the inside the VBS script: