Fox_threatintel
@banthisguy9349
Followers
11,059
Following
191
Media
2,493
Statuses
7,549
Just a person who is against cyber crime. Special thanks to | | | for making my research easier.
Joined November 2021
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#今月描いた絵を晒そう
• 180721 Tweets
Mombasa
• 73780 Tweets
Griezmann
• 57232 Tweets
#JusticeForBruce
• 55307 Tweets
#CDTVライブライブ
• 44882 Tweets
PASTEL FRESHTORY X GF
• 25737 Tweets
OUROAD GRAND OPEN HOUSE
• 18731 Tweets
Grizou
• 17820 Tweets
おはスタ
• 17412 Tweets
シャウエッセン
• 16084 Tweets
#chibalotte
• 15190 Tweets
Deschamps
• 14657 Tweets
フルサイズ
• 13662 Tweets
OHMLENG IDEA LIVE
• 11390 Tweets
Pinned Tweet
http://45.120.107.43:8080/
#opendir
full with malware and suspicious files.
Malware analysers. Do your thing :D
2
38
227
malware analysers i need help.
i am looking at a file with 0 detections that is most like
#mirai
#elf
but it seems to be obfuscated or some shit.
@UK_Daniel_Card
@500mk500
@tosscoinwitcher
@tolisec
39
48
536
12
78
453
who can help? these apks are 0 detections on VT although i am almost 100% sure they are malicious.
26
38
303
Scraping with cyberchef + Virustotal Guide in order to find as much malicious urls/files/c2's
Step 1 find a suspected malicious ip through , honeypot , web crawlers , twitter posts
Chuck the ip in Virustotal as such and click graph
4
62
304
http://91.92.242.200/3.txt
who can debunk this encoded Potential malware?
its on the malicious asn 394711, Limenet
20
26
256
i am fairly positive that a zero-day exploit is being used in this shellscript
c2: 194.9.172.135:8080
ce07d922a8fd26f647a3d1cf653c6a579cbc77c18f4f8801bceda9c7ee750525
htop
hxxp://194.9.172.135/htop (MALWARE DOWNLOAD, DOWNLOAD WITH CAUTION)
0 detections
#elf
7
38
225
stupidity level 1337 ✅ by leaving the
#botnet
api exposing his credentials + other ip that he operates from
http://94.156.71.166/api.php
with a fake
#Operation
#PowerOFF
😆
8
26
214
Some repos that are used amongst hackers.
hxxps://github.com/NullCode1337/NullRAT/releases/tag/v7.0
hxxps://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/tag/v0.5.7B
hxxps://github.com/quasar/Quasar/releases/tag/v1.4.0
hxxps://github.com/rapiz1/rathole/releases/tag/v0.4.0
2
29
187
want to analyse malware?
browse through here to new find new malware urls that were send in for a deeper analyses
cc:
@500mk500
@malwrhunterteam
2
43
198
roblox stealer with discord api webhook making use of 3500 different proxies from p.webshare[.]io
5
26
181
is anyone with high expertise of malware analysis able to investigate this one??
0 hits on VT on the ''fuckingdllENCR.dll" file
although i think its
#ransomware
.
#opendir
hxxp://5.42.64.3/dll/
16
27
174
i have discovered a ip that keeps track of ransomware victims. hxxps://93.127.195.88/
share this to dark_web intelligence trackers
@DarkWebInformer
@DailyDarkWeb
@Gi7w0rm
7
33
175
hxxp://107.172.46.157:80
#cobaltstrike
c2
hxxp://107.172.46.157:8000/
#opendir
@abuse_ch
how good is your chinese?
7
29
166
i have just found a malicious domain that reveals a
#Opendir
that is found and shows the exact same contents on like 1500+ other ips?
anyone got a explanation for this?
@UK_Daniel_Card
@Gi7w0rm
hxxp://mijnbelastingdienst-bs3819122.info/
18
17
138
When the VPN drops connection and your in the middle of a hunt.
15
13
139
Its been a pleasure exfiltrating all the data from these
#botnet
#chinese
#threatactors
Here one of the many archives we retrieved
http://45.61.184.159/1.tar.gz
has been under control for 11 months. This ip is most likely the C2 for these botnet owners. they go by the name
#sjy
hxxps://api.telegram.org/bot6663236764:AAHYupAG9Xlz5JD7ukC8jt2FMYJRmG3Ek3M/getChatAdministrators?chat_id=-1001919880242
4
2
24
5
26
128
5
19
123
sometimes i get asked ''how you find these panels"
well sometimes its just very simple.
just ask the threatactor.
3
8
121
http://47.92.29.211:8001/
http://121.196.200.127:7890/
http://202.79.168.65/
enjoy some more curiousity on these ones ;)
@JustWantToQ1
@banthisguy9349
@TalosSecurity
@MichalKoczwara
@StopMalvertisin
@WhichbufferArda
@h2jazi
Legit, probabily it is a common toolset for Chinese actor, But, there are matches on what Talos was describing on February. Idk if it could be apt41 or some other groups in that spectrum.
But triggered my curiosity
1
1
8
2
22
118
Guys. huge shoutout for
@censysio
automating to threatfox.
@thehappydinoa
is going for these credits!
3
9
117
After tracking the same botnet over and over again we finally caught the botnet actor slipping pretty big time.
Here a sample of the code that we retrieved
6
21
112
#opendir
with very suspicous files on a known Malicious ASN
http://94.156.8.104/
Malware analysers, do your thing ;)
4
15
110
New
#googledork
discovered to track down
#Ransomware
intext:"How_to_back_files.html" intitle:"index of"
4
16
105
lets break their security?
how does this shit still exist.
RemcosRAT was observed to be bought and abused 9 months ago by a “heavy” threatactor.
6
7
39
3
13
102
People sometimes wonder:
How does malware get spread?
Google Ads
Mail
Youtube
Telegram
LinkedIN
Github
Pastebin etc.
Filesharing services
Hacking forums
(and more.)
Look at the picture for the typical malware hidden within fake software.
12
24
101
5
18
96
LMAO
this webhost actually gave me the email from the cybercriminal without me asking for it.
8
6
93
time to wipe the threatactors datacenter in abit :)
6
8
91
Threat actor serbian maffia
Pov of the hacker + his search history
6
11
95
195.18.23.81:8000
#Opendir
Russia INFKOM-AS (51153)
Yeah! thats the way to go. Just leave all your malicious files exposed
cc;
@RacWatchin8872
@NDA0E
@BlinkzSec
6
21
97
hook panel interface.
threat actor tested the malware on himself.
9
11
96
Seems like the Brutal C4 author is a little bit butthurt that there is a cracked version going around.
Can you imagine blocking me without even have spoken to me. Geesh some people really weird 😅
12
78
453
9
7
90
took me 1minute to find this shit on pfcloud[.]io ASN
#ransonware
#opendir
@@@
@GO
here on your own risk@@@@
hxxp://193.35.18.38/
7
12
90
#asyncrat
IOC!
Active ips:
23.26.108.141
23.94.126.49
51.81.30.54
104.243.47.92
109.199.101.109
149.102.147.106
154.216.20.112
185.150.190.160
206.53.55.147
active malware urls:
3
21
90
How to detect whether your ip's devices are potentially compromised?
These are botnet samples retrieved from this ip address that also host the c2
Its very common for the botnet to only contact 300 infected clients per sample.
4
28
90
#opendir
with a bunch of exploits
http://148.135.35.177:3389/
"namespace bing.Exploits.Local"
2
16
85
well. whoever want some samples. to analyse some malware. here is a public dir from a threat lab.
2
22
85
Phishing framework found on 87.121.113.251
Targetting serveral know banks.
2
16
83
http://91.215.85.223/
#opendir
full of malware.
my Virustotal is not running in VM :(.
who can check this out and put into triage/vt/
@abuse_ch
?
11
15
81
63.147.117.146 < this ip is under control by a cybercriminal that make use of Redlinestealer.
He goes by the name Josh Zimmermen which is not confirmed to be his actual name.
The email that he uses o7lab.me
@gmail
.com
Pov of his cybercriminal activities below:
7
19
81
https://t[.]me/bf_scams
These are the type of people responsible for the typicale phishing page
1
18
78
whos able to help me investigate this ip?
This one is connected to a massive fake casino scam + 129 supershell panels.
seems to be the main dataserver from the threat actor
6
15
79
@banthisguy9349
@vxunderground
Shut up furry, do ur malware investigation stuff and leave the dude alone
1
0
0
7
7
77
Geroin c2 panel?
hxxp://91.214.78.195/tabak/login.php
when faulty login Russian text appear
seems like a new c2 panel to my knowledge.
3
13
76
i have written a query with
@censys
that discovered 400 ips that are currently
#compromised
by
#mirai
#malware
and are actively part of a botnet.
@thehappydinoa
this is crazy.
1
17
75
0
11
75
2
21
74
3
14
72
attack observed! coming from 27.25.151.236
target.txt exposes the targetted site. hxxp://ejt.myjjzd.com
4
9
73
#opendir
hxxp://173.212.248.30
@ContaboCom
with full of malicious files
cc:
@NDA0E
@RacWatchin8872have
fun analysing
cc:
@UK_Daniel_Card
ROCKYOUUUUUUUUUUUU!
#cve
-2023-4911 poc
4
14
71
Almost 7k followers and i appreciate every single one of you. ❤️🙏🏻
Yes threatactors who follow me for intelligence you to… i know you have a good heart down there, that do have possibility to make a change into being better human being.
3
4
73
#attention
#allegedly
this domain is spreading ransomware
domain registration with
@Namecheap
hosting with
@awscloud
8
27
72
2
11
72
hxxp://68.183.92.154:3000/login html title says Botnet.
😅
5
9
70
Looking good!
Virustotal literally listed all ips as malicious.
definition of a malicious ASN.
2
6
69
well welll well..
#potential
#malicious
#powershell
#exposed
from the looks of it to target
@Steam
users with malware
2
14
69
#apt33
alfa team webshell was observed.
The alfa team webshells is used by alot of other APTs
after some digging with
@tosscoinwitcher
we have observed over 380 alfa webshells and seen APT's such as
#fsociety
#turkhackteam
[ ./AlfaTeam © 2012-2024 ]
Donate Us ! solevisible[at]
#APT33
ALFA TEAM have their root
#Opendir
🤣🤣🤣🤣
http://34.101.157.124/bins/
4
7
46
2
9
67
have you ever wondered what a desktop of a malware maker looks like?
Well see the following picture.
I may or may not reported him to the canadian police with his full name + adres :)
8
6
67
hxxp://93.123.39.69/admin/dashboard.php
hxxp://93.123.39.80/admin/dashboard.php
hxxp://93.123.39.108/admin/dashboard.php
hxxp://93.123.39.127/admin/dashboard.php
hxxp://93.123.39.139/admin/dashboard.php
New phishing framework found.
7
8
65
Another operation that i infiltrated in 2022.
Pov of the Info stealer and malware that was used.
4
2
60
I have found a ip that reveals logs of infected devices by
#elf
malware.
visit only in secure environment
211.215.19.94
4
15
63
All i gotta say for cybercriminals like this. (2nd picture)
9
4
64
I need help.
there is about 85 discord phishing pages connected to a botnet infrastructure that spreads
#bobik
malware.
Allthough the phishing pages download gives 0 VT.
I suspect the TA to have a zero day to avoid detection.
http://31.31.203.206:606/
8
20
63
4
14
64
Russian threatactor targetting senate[.]gov and house[.]gov emailadresses with ''mcafee
Malicious url seems to be suspended.
http://185.66.9.215:81/
#opendir
5
13
63
opendir c2's through
@censysio
hxxps://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=labels%3D+%60c2%60+and+labels%3D+%60open-dir%60
@thehappydinoa
2
15
63
#new
#ransomware
extension found ".hmallox" in the same directory of a
#locked
#ransomware
victim
careful with traveling to this directory since there is malware active in there.
the how_to_back_files.txt seems to be from .hmallox although the output is scrambled.
4
13
62
With the following urlscan query i have retrieved a 8month history of all types of ddos tool domain/advertisement websites
related to my earlier findings:
1
18
62