Vitali Kremez Jul 24
7-24-2018 🇵🇱 Targets Customers of Polish FINTECH & Crypto Zeus-style inject | WebFilter | Cryptoprocess Check Process: {svchost -> rundll} MD5: 169f6a14aa69cf063b2cc2b7166b6af986b6c7f7 ☑️Inject -> Server: //*my9rep/* -> 176.119[.1.112 Thx: 👍
Vitali Kremez Dec 28
2018-12-28: Banking : Targets Customers of 🇵🇱 Financials | Injected Controller "ProxyDll.dll" w/ THttpInject -> Zeus-Style Template (debug: proxy.lst & injects\test.txt ) | Project PDB: E\Merz\Proxy\UProxyServer ab74c9fb499d2b46b3e4b1791f5ae636 h/t
stecar79 Apr 6
NETSCOUT Threat Intelligence Dec 19
is an actively supported banking trojan steadily approaching the sophistication of mature crimeware families such as and . See our findings here:
Maelstrom Security Jul 30
Hey , you have been hosting dropper URLs for a long time. Example IPs: 172.245.5.111 192.3.118.128 192.3.118.123
TomasP Nov 12
has started a new week with an updated config. Lots of Italian banks and webmails were added again. Besides the IT targets, a few AT/DE targets have been added again, as well as the following Swiss targets for the first time: *.bluewin.ch
Vitali Kremez Jul 20
7-20-2018: {subbotnet:"frr"; bot: "2"} 🇵🇱 Targets Customers of Polish FINTECH & Crypto -Style Inject | Webfake VBS -> Body: {svchost -> rundll32.exe -> DLL} MD5: 215eaf22ed099dba0b8bbb095eeef6a7 Thx: 👍 ☑️Inj Serv: /my9rep/ -> 176.119.1[.11
TomasP Mar 20
New way of email distribution spotted. After seeing TAR and 7Zip in the past weeks, XLS is now attached: Downloads DanaBot with ID=3
Matteo Lodi Feb 13
dealers like to experiment this week: today the malware is delivered via a JavaScript file that embeds the DanaBot payload. js: payload extracted by :
ANY.RUN Apr 11
is interesting in using different techniques to infect and hold on to a system. Let's take a detailed view of it! Downloader > 2 DLLs x86/x64 in ProgramData > Stealing data > Bypass UAC (WUSA) > Creates Service > Injects to system processes
Picus Security Inc. Jun 12
The first half of 2018 witnessed a stark increase in the number of . Realizing the imminent trend shift, we have enriched our extensive database with +160 Banking Malware including the most recent banking and Malware!
Josh Lemon Dec 8
Nice write-up by the team on . Defenders should take note that commodity malware is moving more towards attacking web-based email. How well will your email services detect and prevent this?
Maelstrom Security Jul 29
campaign in Poland. EXE SHA1: 78958fd7a4d48ed82a4363bd434547ce45153a96 Dropper URL: http://172.]245.]5.]111/ztfaxid/02681/[time]/fssdfpriver (runs every 9 s until payload is downloaded) AppAnyRun: cc:
Kamil J. Dudek Dec 9
New asking to download a RARed VBS "invoice" from hxxp://onlinecamerashop[.]mobi The payload tries to load something from losteoldmost[.]club Currently, nothing. By the way, seachidriver[.]fun still serves
Matteo Lodi Feb 11
dealers changed the method of delivery in Italy: from to a simple PE dropper Sample: Spam emails are always the same: "fattura" inside the subject
Bank Security Nov 13
HookAds Malvertising Installing Banking Trojan via the Fallout Exploit Kit which tries to exploit Windows CVE-2018-8174 VBScript vulnerability
Check Point Research Aug 2
campaign in Poland cont. VBS gets more sophisticated: sandbox evasion by request to fake domain: googlefaxidload.fidasasa/anats/testhtml URL: 172.245.158.17/ztfaxid/<id>/<num>/idsend VBS: cc:
Maelstrom Security Sep 11
Fresh domains targeting Polish Banks ( malware): readact[.]co endbars[.]co cc:
Andrea De Pasquale Oct 2
DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
tildedennis Oct 2