Scraping with CyberChef + VirusTotal: a guide to finding as many malicious URLs/files/C2s as possible
Step 1: find a suspected malicious IP through a honeypot, web crawlers, or Twitter posts.
Chuck the IP into VirusTotal as shown and click Graph.
I am fairly positive that a zero-day exploit is being used in this shell script.
C2: 194.9.172.135:8080
ce07d922a8fd26f647a3d1cf653c6a579cbc77c18f4f8801bceda9c7ee750525
htop
hxxp://194.9.172.135/htop (MALWARE DOWNLOAD, DOWNLOAD WITH CAUTION)
0 detections
#elf
Some repos that are used amongst hackers.
hxxps://github.com/NullCode1337/NullRAT/releases/tag/v7.0
hxxps://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/tag/v0.5.7B
hxxps://github.com/quasar/Quasar/releases/tag/v1.4.0
hxxps://github.com/rapiz1/rathole/releases/tag/v0.4.0
We have discovered that botnets are controlled through SSH. We have written a query that detects the IPs that basically control the botnets.
The ASNs that come up are the typical ASNs that host botnet infrastructure.
cc:
@500mk500
@abuse_ch
@tolisec
Guide to hunt #opendir malware with @censysio and @abuse_ch urlhaus.
Step 1: find a unique malware name. I am using hxxps://urlhaus.abuse.ch/browse/ in this case. (picture 1/2)
See comments for next steps.
Is anyone with high expertise in malware analysis able to investigate this one?
0 hits on VT on the "fuckingdllENCR.dll" file, although I think it's #ransomware.
#opendir
hxxp://5.42.64.3/dll/
Reversed tracking!
Knowing the C2 already, although not knowing the malware being used?
One of the possibilities for finding the malware!
First find yourself an IP of a C2 through @ViriBack and/or a web crawler like @censysio
I have just found a malicious domain that reveals an #Opendir, which shows the exact same contents on 1500+ other IPs? Anyone got an explanation for this?
@UK_Daniel_Card
@Gi7w0rm
hxxp://mijnbelastingdienst-bs3819122.info/
has been under control for 11 months. This IP is most likely the C2 for these botnet owners. They go by the name #sjy
hxxps://api.telegram.org/bot6663236764:AAHYupAG9Xlz5JD7ukC8jt2FMYJRmG3Ek3M/getChatAdministrators?chat_id=-1001919880242
After tracking the same botnet over and over again we finally caught the botnet actor slipping pretty big time.
Here is a sample of the code that we retrieved.
People sometimes wonder:
How does malware get spread?
Google Ads
Mail
Youtube
Telegram
LinkedIn
Github
Pastebin etc.
Filesharing services
Hacking forums
(and more.)
Look at the picture for the typical malware hidden within fake software.
Seems like the Brutal C4 author is a little bit butthurt that there is a cracked version going around.
Can you imagine blocking me without even having spoken to me? Geesh, some people are really weird 😅
How to detect whether your IP's devices are potentially compromised?
These are botnet samples retrieved from this IP address that also hosts the C2.
It's very common for the botnet to only contact 300 infected clients per sample.
63.147.117.146 < this IP is under control of a cybercriminal that makes use of RedLine Stealer.
He goes by the name Josh Zimmermen, which is not confirmed to be his actual name.
The email that he uses: o7lab.me@gmail.com
POV of his cybercriminal activities below:
Who's able to help me investigate this IP?
This one is connected to a massive fake casino scam + 129 supershell panels.
Seems to be the main data server of the threat actor.
uhmmm... undetectable?
#elf
#malware
0 detections
hxxp://194.48.250.71/http_storm
46d463a3ddd35d9b96d5e5d106a847a7fc986a3ebce58e5eca93d4264fd874a9
http_storm
No wonder their Telegram group has 4.5k; it's a pretty huge botnet...
Almost 7k followers and I appreciate every single one of you. ❤️🙏🏻
Yes, threat actors who follow me for intelligence, you too… I know you have a good heart down there, and that you do have the possibility to make a change into being a better human being.
#Mirai #C2 domains are using Round-Robin DNS to resolve to multiple hosts.
Using "Resolve-DnsName" in PowerShell, we can resolve the domains to their corresponding IPs.
Ports used for Mirai connection: 1337, 2222, 2474, 5555, 6969, 8745, 8932, 12381
IOCs:
#apt33 Alfa Team webshell was observed.
The Alfa Team webshell is used by a lot of other APTs.
After some digging with @tosscoinwitcher, we have observed over 380 Alfa webshells and seen APTs such as #fsociety and #turkhackteam.
Have you ever wondered what a desktop of a malware maker looks like?
Well, see the following picture.
I may or may not have reported him to the Canadian police with his full name + address :)
I need help.
There are about 85 Discord phishing pages connected to a botnet infrastructure that spreads #bobik malware.
Although the phishing pages' download gives 0 on VT.
I suspect the TA has a zero-day to avoid detection.
http://31.31.203.206:606/
Russian threat actor targeting senate[.]gov and house[.]gov email addresses with "mcafee
Malicious url seems to be suspended.
http://185.66.9.215:81/
#opendir #new #ransomware extension found ".hmallox" in the same directory as a #locked #ransomware victim.
Careful with traveling to this directory since there is malware active in there.
The how_to_back_files.txt seems to be from .hmallox, although the output is scrambled.
With the following urlscan query, I have retrieved an 8-month history of all types of DDoS tool domain/advertisement websites related to my earlier findings: