Aaron Jornet
@rexorvc0.bsky.social
Threat Researcher at @socradar | Malware Researcher | Threat Hunter | CTI ¦ Former @ElevenPaths @Panda_Security
rexorvc0.com
twitter.com/RexorVc0
rexorvc0.com
twitter.com/RexorVc0
#IOC
936888d84b33f152d39ec539f5ce71aa
5adfa76b72236bf017f7968fd012e968
3323777ca4ac2dc2c39f5c55c0c54e3c
f3c087a0be0687afd78829cab2d3bc2b
ee7e3e39dd951f352c669f64bd8ec1b5
144928fc87e1d50f5ed162bb1651ab24
0253b33cfb3deb6a1d4bb197895c4530
[...]
VT: virustotal.com/gui/collecti...
936888d84b33f152d39ec539f5ce71aa
5adfa76b72236bf017f7968fd012e968
3323777ca4ac2dc2c39f5c55c0c54e3c
f3c087a0be0687afd78829cab2d3bc2b
ee7e3e39dd951f352c669f64bd8ec1b5
144928fc87e1d50f5ed162bb1651ab24
0253b33cfb3deb6a1d4bb197895c4530
[...]
VT: virustotal.com/gui/collecti...
February 20, 2025 at 7:16 AM
#IOC
936888d84b33f152d39ec539f5ce71aa
5adfa76b72236bf017f7968fd012e968
3323777ca4ac2dc2c39f5c55c0c54e3c
f3c087a0be0687afd78829cab2d3bc2b
ee7e3e39dd951f352c669f64bd8ec1b5
144928fc87e1d50f5ed162bb1651ab24
0253b33cfb3deb6a1d4bb197895c4530
[...]
VT: virustotal.com/gui/collecti...
936888d84b33f152d39ec539f5ce71aa
5adfa76b72236bf017f7968fd012e968
3323777ca4ac2dc2c39f5c55c0c54e3c
f3c087a0be0687afd78829cab2d3bc2b
ee7e3e39dd951f352c669f64bd8ec1b5
144928fc87e1d50f5ed162bb1651ab24
0253b33cfb3deb6a1d4bb197895c4530
[...]
VT: virustotal.com/gui/collecti...
#TTP
📩[T1566.001] Spear-Phishing
📇[T1027.012] LNK file
📜[T1059] PS & BAT script execution
🔃[T1620] Load SC (.BAT execution)
🧩[T1140] Decrypt PE (#RokRat)
🗑️[T1070] Delete traces of Samples | Scripts
📡[T1071.001] C&C
📩[T1566.001] Spear-Phishing
📇[T1027.012] LNK file
📜[T1059] PS & BAT script execution
🔃[T1620] Load SC (.BAT execution)
🧩[T1140] Decrypt PE (#RokRat)
🗑️[T1070] Delete traces of Samples | Scripts
📡[T1071.001] C&C
February 20, 2025 at 7:16 AM
#TTP
📩[T1566.001] Spear-Phishing
📇[T1027.012] LNK file
📜[T1059] PS & BAT script execution
🔃[T1620] Load SC (.BAT execution)
🧩[T1140] Decrypt PE (#RokRat)
🗑️[T1070] Delete traces of Samples | Scripts
📡[T1071.001] C&C
📩[T1566.001] Spear-Phishing
📇[T1027.012] LNK file
📜[T1059] PS & BAT script execution
🔃[T1620] Load SC (.BAT execution)
🧩[T1140] Decrypt PE (#RokRat)
🗑️[T1070] Delete traces of Samples | Scripts
📡[T1071.001] C&C
#IOC
48c179680e0b37d0262f7a402860b2a7
8ebca0b7ef7dbfc14da3ee39f478e880
1bb8b1d0282727ab9bc2deb3570cf272
bc14c3ab8316e7ec373829ea7a6e2166
61279d5e30f493bbdae9eab8ca99e9a4
2a8e4281213e4aaa485612f9ded261a2
457bb40c6fc10b3cd5a3b51e4eb672b2
...
🔗VT: virustotal.com/gui/collecti...
48c179680e0b37d0262f7a402860b2a7
8ebca0b7ef7dbfc14da3ee39f478e880
1bb8b1d0282727ab9bc2deb3570cf272
bc14c3ab8316e7ec373829ea7a6e2166
61279d5e30f493bbdae9eab8ca99e9a4
2a8e4281213e4aaa485612f9ded261a2
457bb40c6fc10b3cd5a3b51e4eb672b2
...
🔗VT: virustotal.com/gui/collecti...
January 22, 2025 at 8:56 AM
#IOC
48c179680e0b37d0262f7a402860b2a7
8ebca0b7ef7dbfc14da3ee39f478e880
1bb8b1d0282727ab9bc2deb3570cf272
bc14c3ab8316e7ec373829ea7a6e2166
61279d5e30f493bbdae9eab8ca99e9a4
2a8e4281213e4aaa485612f9ded261a2
457bb40c6fc10b3cd5a3b51e4eb672b2
...
🔗VT: virustotal.com/gui/collecti...
48c179680e0b37d0262f7a402860b2a7
8ebca0b7ef7dbfc14da3ee39f478e880
1bb8b1d0282727ab9bc2deb3570cf272
bc14c3ab8316e7ec373829ea7a6e2166
61279d5e30f493bbdae9eab8ca99e9a4
2a8e4281213e4aaa485612f9ded261a2
457bb40c6fc10b3cd5a3b51e4eb672b2
...
🔗VT: virustotal.com/gui/collecti...
🧬Behaviour seen similar to this 👇
#Lumma:
app.any.run/tasks/37bcc2...
app.any.run/tasks/d80962...
#Emmenhtal+#Lumma:
app.any.run/tasks/c620f7...
app.any.run/tasks/813ae6...
app.any.run/tasks/b3f870...
app.any.run/tasks/abe139...
#Lumma:
app.any.run/tasks/37bcc2...
app.any.run/tasks/d80962...
#Emmenhtal+#Lumma:
app.any.run/tasks/c620f7...
app.any.run/tasks/813ae6...
app.any.run/tasks/b3f870...
app.any.run/tasks/abe139...
Analysis 2024-12-17_74d8e8b3c9bfc6d93f88bb3f54721612_frostygoop_poet-rat_snatch (MD5: 74D8E8B3C9BFC6D93F88BB3F54721612) Malicious activity - Interactive analysis ANY.RUN
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
app.any.run
December 20, 2024 at 6:07 AM
#IOC
https[:]//kankrfilez.b-cdn[.]net/
https[:]//new64.oss-ap-southeast-1.aliyuncs[.]com/
https[:]//getfilet23.b-cdn[.]net/
https[:]//denek.local-wanderer[.]shop
[...]
🔗Graph:https://virustotal.com/graph/embed/g36af090df0bc429a9b41822134061dab94f7052689f84f38a2b276e8ce31f3a4?theme=dark
https[:]//kankrfilez.b-cdn[.]net/
https[:]//new64.oss-ap-southeast-1.aliyuncs[.]com/
https[:]//getfilet23.b-cdn[.]net/
https[:]//denek.local-wanderer[.]shop
[...]
🔗Graph:https://virustotal.com/graph/embed/g36af090df0bc429a9b41822134061dab94f7052689f84f38a2b276e8ce31f3a4?theme=dark
December 20, 2024 at 6:07 AM
#IOC
https[:]//kankrfilez.b-cdn[.]net/
https[:]//new64.oss-ap-southeast-1.aliyuncs[.]com/
https[:]//getfilet23.b-cdn[.]net/
https[:]//denek.local-wanderer[.]shop
[...]
🔗Graph:https://virustotal.com/graph/embed/g36af090df0bc429a9b41822134061dab94f7052689f84f38a2b276e8ce31f3a4?theme=dark
https[:]//kankrfilez.b-cdn[.]net/
https[:]//new64.oss-ap-southeast-1.aliyuncs[.]com/
https[:]//getfilet23.b-cdn[.]net/
https[:]//denek.local-wanderer[.]shop
[...]
🔗Graph:https://virustotal.com/graph/embed/g36af090df0bc429a9b41822134061dab94f7052689f84f38a2b276e8ce31f3a4?theme=dark
#TTP
🤖[T1204.001] Mal Links using fake CAPTCHA
📜[T1059.001] PS execution
🧩[T1027] Obfuscated scripts | commands
📥[T1105] Download .txt | .mp4 obfuscated scripts
👥[T1218] Abuse of mshta or white files to load mw
💉[T1055] Inject into another process
📡[T1071] C&C
🤖[T1204.001] Mal Links using fake CAPTCHA
📜[T1059.001] PS execution
🧩[T1027] Obfuscated scripts | commands
📥[T1105] Download .txt | .mp4 obfuscated scripts
👥[T1218] Abuse of mshta or white files to load mw
💉[T1055] Inject into another process
📡[T1071] C&C
December 20, 2024 at 6:07 AM
#TTP
🤖[T1204.001] Mal Links using fake CAPTCHA
📜[T1059.001] PS execution
🧩[T1027] Obfuscated scripts | commands
📥[T1105] Download .txt | .mp4 obfuscated scripts
👥[T1218] Abuse of mshta or white files to load mw
💉[T1055] Inject into another process
📡[T1071] C&C
🤖[T1204.001] Mal Links using fake CAPTCHA
📜[T1059.001] PS execution
🧩[T1027] Obfuscated scripts | commands
📥[T1105] Download .txt | .mp4 obfuscated scripts
👥[T1218] Abuse of mshta or white files to load mw
💉[T1055] Inject into another process
📡[T1071] C&C
+Info
socradar.io/apt-profile-... freebuf.com/articles/net... group-ib.com/blog/dark-pi... mp-weixin-qq-com.translate.goog/s/_WMljf41eT...
socradar.io/apt-profile-... freebuf.com/articles/net... group-ib.com/blog/dark-pi... mp-weixin-qq-com.translate.goog/s/_WMljf41eT...
Cybersecurity Services, Solutions & Products. Global Provider | Group-IB
Leading provider of cybersecurity solutions: Threat Intelligence, antifraud, anti-APT. Protect better, respond faster to network security attacks and threats.
https://group-ib.com/blog/dark-pink-episode-2/…
October 16, 2023 at 6:12 AM
#IOC
dd9146bf793ac34de3825bdabcd9f0f3 5504799eb0e7c186afcb07f7f50775b2 c5331b30587dcaf94bfde94040d4fc89 ac28e93dbf337e8d1cc14a3e7352f061 fefe7fb2072d755b0bfdf74aa7c9013e 6a3948a3602f11e58d8a9300d50984d6 91fb57a2a87ac72a5f65bc1123b02ef6
dd9146bf793ac34de3825bdabcd9f0f3 5504799eb0e7c186afcb07f7f50775b2 c5331b30587dcaf94bfde94040d4fc89 ac28e93dbf337e8d1cc14a3e7352f061 fefe7fb2072d755b0bfdf74aa7c9013e 6a3948a3602f11e58d8a9300d50984d6 91fb57a2a87ac72a5f65bc1123b02ef6
October 16, 2023 at 6:12 AM
#IOC
dd9146bf793ac34de3825bdabcd9f0f3 5504799eb0e7c186afcb07f7f50775b2 c5331b30587dcaf94bfde94040d4fc89 ac28e93dbf337e8d1cc14a3e7352f061 fefe7fb2072d755b0bfdf74aa7c9013e 6a3948a3602f11e58d8a9300d50984d6 91fb57a2a87ac72a5f65bc1123b02ef6
dd9146bf793ac34de3825bdabcd9f0f3 5504799eb0e7c186afcb07f7f50775b2 c5331b30587dcaf94bfde94040d4fc89 ac28e93dbf337e8d1cc14a3e7352f061 fefe7fb2072d755b0bfdf74aa7c9013e 6a3948a3602f11e58d8a9300d50984d6 91fb57a2a87ac72a5f65bc1123b02ef6
#TTP
[T1566.001] Spear-Phishing
[T1574.002] Dll side-loading
[T1190] Winrar exploit
[T1140] Decrypt info from fake PDF
[T1548.002] UAC bypass over \shell\open\command\ RegKey
[T1566.001] Spear-Phishing
[T1574.002] Dll side-loading
[T1190] Winrar exploit
[T1140] Decrypt info from fake PDF
[T1548.002] UAC bypass over \shell\open\command\ RegKey
October 16, 2023 at 6:11 AM
#TTP
[T1566.001] Spear-Phishing
[T1574.002] Dll side-loading
[T1190] Winrar exploit
[T1140] Decrypt info from fake PDF
[T1548.002] UAC bypass over \shell\open\command\ RegKey
[T1566.001] Spear-Phishing
[T1574.002] Dll side-loading
[T1190] Winrar exploit
[T1140] Decrypt info from fake PDF
[T1548.002] UAC bypass over \shell\open\command\ RegKey