Trying something new with #GitHub and posting my spam #UCE #UBE and suspect / #malicious #emails and their associated attachments. Putting everything in a #mastodon post was problematic with space limitations, and was hard to find/organize/search.

Providing the redacted headers and URLs to the malware sandboxes used:

https://github.com/obrientg/Analysis/blob/main/Fri%2C%2025%20Oct%202024%20JS%20Phish.AAL

Received two (2) of the same sample, with different file names & hashes but the same detection of JS/Phish.AAL.
Both were sent to the email address I use for threat intel & incident response collaboration efforts.
Email SRC on both was Google Cloud (#GCP) via an #openproxy; abuse report submitted.

#MD5 5cf33dd39d6db60423ac89fd63e5f500
#SHA1 863c95b7e7ff0bb8299cbae93dfaed12cc619332
#SHA256 c4e40b137e43c89261ee89a34db843477a8c994a21a92c98c7b15193face8c35

#MD5 8a9af78b0a4cdade6df9f71e7e5b1362
#SHA1 b03fdf0891adacc1995fdd1e2f043343c20a45e5
#SHA256 317aaea9d9ef39c9b85b9ce6e0f68ec83a06b2f3298aded981b19063b2f44737

#malware #incidentResponse #malwareAnalysis
#InfoSec #informationSecurity #cybersecurity #cyberz #cyber #cybercrime
#phish #phishing
#threatIntel #IoC #threatIntelligence #cyberthreatintelligence #CTI


Today’s #malware sample is in #Spanish, leveraging an #ezmlm mailing list on the back end at facturanuevagenerada [DOT] com, which does not have an associated web site – just a placeholder.

#email #SRC 62.149.155.137 assigned to #aruba.it, a hosting provider over in the #EU.

Of interest:
#User-Agent: #Roundcube Webmail/1.6.0

#IP is not listed as an #openProxy

#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponse #IR #spam #virustotal #ABUSE #emailabuse
#filescan #virustotal
1/3

Today’s #malware sample is another #DHL spoof, in #Spanish and #pretending to be an individual in #Spain.
#email #SRC 192.190.220.159 assigned to #liquidweb.com
Their abuse address has bounced all #spamcop reports.
#IP is listed on dnsbl.sorbs.net as #openProxy
Archive unpacked: DHL_ES567436735845755676678877988975877.7z (#application/x-rar-compressed; version=5, 4.80 kB)
#MD5: 594d7d00d0e80e84754b39b29a5347c8
#SHA1: f5b4828c76d936a5f53e361086f8c787b1d1f2a4
#SHA256: 99646928c1a35686a0067fb6c506ec0bb03e4a0ff9cd108158ada19babb90895
#SHA512: ec1279a7484e0c440823547887dc09807c29ef35501d292463701fca67d4f9965c190070f239fa0ffeb0b14a72d8ad85a6991866bd5fa419106acc081e3e95b5
https://www.filescan.io/uploads/662aad6e54bafb7d21ddc6aa
#VT - 11/62 detection rate as trojan.suspar
https://www.virustotal.com/gui/file/99646928c1a35686a0067fb6c506ec0bb03e4a0ff9cd108158ada19babb90895/
#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponse #IR #spam #virustotal #ABUSE #emailabuse
#filescan #virustotal
Filescan.IO - Next-Gen Malware Analysis Platform

Submit malware for analysis on this next-gen malware assessment platform. Filescan GmbH develops and licenses technology to fight malware with a focus on Indicator-of-Compromise (IOC) extraction at scale.

#malware received 4/18/2024 under the guise of a purchase order from 51.81.91.105 : ovh.us
Not listed as an #OpenProxy

This had 2 #zip file attachments:
The first is detected by my endpoint #AV/#EDR as #Trojan.GenericKD.72435855. Filename: PO_APRIL007.zip

The second is:
Archive unpacked: company profile.zip (#application/zip, 1.26 kB)
#MD5: a11c889ac7a9b4a151316687e5470fd2
#SHA1: 539338d7ca7091aa3d4486702c7cc7f8f2f14d98
#SHA256: b72bb3fe7f6fcc48350382a261b42000832bcde7332d94bf8b0257bf54e5e7f7
#SHA512: 283a88b8acee1f1ca17a75b81bc02dd1fd5dff3df6d7b396d51e1455e9dc342fb075053cbefd848f3f0dba89f76ade6a1868bd1ad6be761de8187e39e0d935c3

https://www.filescan.io/uploads/66241c163137a4e0f3bc66a2

Only 6 detections via #VT as #trojan.sload
https://www.virustotal.com/gui/file/b72bb3fe7f6fcc48350382a261b42000832bcde7332d94bf8b0257bf54e5e7f7/detection/f-b72bb3fe7f6fcc48350382a261b42000832bcde7332d94bf8b0257bf54e5e7f7-1713491357

#spammers #scammers #malicious #suspectfiles
#malware #triage
#spam #infosec #informationSecurity #virustotal


The #malware from 4/18/2024

#SRC is 172.245.57.147 : chicagovps.net
Not listed as an #OpenProxy

Archive unpacked: Inquiry 2088547 Avalon Network Systems LLC.rar (#application/x-rar-compressed; version=5, 556.55 kB)
#MD5: 37dcfab00331d6dbb612c8f03be90d55
#SHA1: cd7b3a4ef9668e13b94f7ecc94be59a1ec8bcee5
#SHA256: 28bd31f45151295768edd82659f00eb3237c64467c6d5e9ddd8d1054223852bb
#SHA512: de34a9fe1c18a2561cce0c62591dc66dc0e7b547c970218dae7f4fa292cdf4bf714ef48d7eed136cb5df26ac935d3657711b6772945839af99facb99f49eaa84

https://www.filescan.io/uploads/6622e9f275339da04f97c592

#VT detections sit at 15
https://www.virustotal.com/gui/file/28bd31f45151295768edd82659f00eb3237c64467c6d5e9ddd8d1054223852bb/detection/f-28bd31f45151295768edd82659f00eb3237c64467c6d5e9ddd8d1054223852bb-1713473813

#spammers #scammers #malicious #suspectfiles
#malware #triage
#spam #infosec #informationSecurity #virustotal


The other bogus #attachment is a #fakeInvoice from #geeksquad

The #fraudster call center numbers are:
844-799-3440
719-297-8098

#MD5: 073d0627ecd901979b2f7daca3812ccb
#SHA-1: 91279035cd7c98e900cb61ed7c2567701d9d1e41
#SHA-256: 70c263efabeb149c9d9d91c4d2f21162ad5f9537eb59cfa0b922780465dcc7c1

Bill5252067237.pdf

https://www.virustotal.com/gui/file/70c263efabeb149c9d9d91c4d2f21162ad5f9537eb59cfa0b922780465dcc7c1/detection

https://www.filescan.io/uploads/661f0200c5dabc22b200d489/reports/ca8370b2-4fbd-4ddb-8182-659606d54368/overview

The #SRC #IP of the email was 72.11.157.148, an #openproxy at (of course) #quadranet.

#spammers #scammers #malicious #suspectfiles
#malware #triage
#spam #infosec #informationSecurity #virustotal


NF.sec – Linux System Security - Fun with testproxy.php

Bots scan the Internet 24 hours a day, 365 days a year. Some are good, some are bad, and others are neutral. Like other users, I personally started to wonder why someone requests the address /testproxy.php when looking for open proxy servers, especially since it impersonates the host testX.pospr.waw.pl or testX.piwo.pila.pl. Most of the source IP addresses lead to the Polish […]

ScanSSH - Fast SSH Server And Open Proxy Scanner - OSTechNix

ScanSSH is a free and open source utility that scans the given list of addresses or networks for open proxies, SSH protocol servers, Web and SMTP servers.

OSTechNix

also, the new IP we got assigned last night by #Telenor apparently is blacklisted at #DroneBL due to an #OpenProxy back in 2017. I've already requested a removal, but that'll probably take a while to be processed.
Already tried power cycling the modem twice, but unfortunately that didn't seem to release the lease.