Yogesh Londhe 
#lokibot
-> PO 23-085.docx 13e634ba7f184f19b2b5db44dc5ffdda
-> http://212.87.204[.]200/5021/vbc.exe
9bc4bdba6f7246afc51513d0bbcb038b
C2: http://208.67.105[.]148/okuma/five/fre.php
Gurcu Stealer
build.bat (bd19c59dd5861a3283fc6b534c51e3c7)
-> decode and run embedded base64 binary via certutil
build.exe (716D01D18140EC5E18B1A15C17FB213F)
Exfiltrates data via Telegram
#GurcuStealer #Stealer #IOC
Remcos v4.3.1
Tiny MSIL downloader 3b72806a1bef1df123acba5e4de82b24 downloads Remcos from https://www.grandatek[.]com/siixgroup.com/panel/uploads/Ksaymh.png
#Remcos #IOC
ToxicEye RAT
25744844f569ba89f39995efdf9b830f downloads
rat.exe 5b45640a3bd4fdc32df75aa462f5a167
#ToxicEyeRAT #RAT #IOC
Venom RAT 5.0.5
-> 024f6e716b7c4158243ef8c4fdb6fd58 (loader)
loads DLL from
-> http://195.2.79[.]233/panel2/uploads/Gekzg.dll
C2: 193.188.22[.]218
Seems to be the same threat actor loading a DLL remotely: https://twitter.com/suyog41/status/1625470495494918144?s=20 (XWorm)
#VenomRAT #RAT #ioc
“XWorm V3.1 -> doc.exe [ef549ca97123941f2f3cebc6618f4c22] (loader) loads DLL from -> http://babfahim[.]co[.]ke/panel/uploads/Bmihtpx.dll, exfiltrates data via Telegram #XWorm #rat #ioc”
Mercurial Grabber
1f0364f083c3a8d1c471677389c64316
#formbook
-> RE_ AL HARAM MAKKAH PROJECT.msg
-> RFQ-4536789234.doc
-> sheiform2.1.exe
17f6df036368cca2f2edf4b44295bb02
Enstealer, Go-based stealer
53740b90ee5a8fb4fc85dd00186493d4
#stealer #gostealer #Enstealer
#OneNote campaign
Drops a highly obfuscated .cmd file
File Name
Payment_02_16_#506.one
Payment_02_16_#995.one
Payment_02_16_#948.one
Payment_02_16_#365.one
RegEx: Payment_[\d]{2}_[\d]{2}_#[\d]{3}.one
85 samples: https://pastebin.com/rkpLW7hT
#IOC
#Redline #OneNote
->RE_ Mar_Apr Bulk Order - Boreco Revised Stamped Order ref-35906253IIR.eml
-> Boreco Revised Stamped Order ref-35906253IIR[.]one
-> http://playmore.zzux[.]com/files/Package.zip
->oskired.exe
4872ccfe192e6a809e05d3e04cea16a1
C2: 45.128.234[.]73