| GitHub | https://github.com/killamjr |
| Red Canary Link | https://redcanary.com/authors/jason-killam/ |
Other Security Person: "Hey, check out all these cool super specific filters you can use with this tool, you just have to memorize the CLI options"
me: tool.exe | grep/select-string "thingimlookingfor" | grep "othersubthing"
#Qakbot - obama224 - html > .zip > .iso > .vbs > .ps1 > .dll
wscript.exe WP.vbs
powershell.exe -ExecutionPolicy Bypass metaphysic\possessively.ps1
rundll32.exe C:\users\public\mercifulHaddock.txt DrawThemeIcon
Samples 👇
https://bazaar.abuse.ch/sample/ef43ad2327c74d2ac4343209325b004a15f4f858bb68e871adcca5a320573025/
https://bazaar.abuse.ch/sample/24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7/
IOCs
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama224_30.11.2022.txt
A feature too rarely used is Windows Defender's custom IOC configuration.
NSudo may well be a "legitimate tool", but my own telemetry has never seen it outside of the many malicious apps that disable Windows Defender. Nuke it.
Haven't posted IOCs in a good while, but seems like an interesting one to share #aurora #stealer #ioc
https://app.any.run/tasks/dbced6c7-322f-43c8-b252-2e92c23d1868/
#IOC 193.233.48.50 port 8082
geolocation check using get.geojs\.io
matches recon commands in:
https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/
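As an added example (not part of the original posts, and not the author's or Red Canary's code): a small Python script that turns the Qakbot execution chain above (wscript.exe launching powershell.exe with -ExecutionPolicy Bypass, which launches rundll32.exe with a .txt file as its module) and the Aurora network IOCs (193.233.48.50:8082 and the get.geojs.io geolocation check) into detection rules, then runs them over constructed sample telemetry. The event layout, the regexes, the process IDs and the benign noise events are assumptions; only the command lines and indicator values come from the posts.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on
# the Qakbot chain in the post: wscript.exe -> powershell.exe -> rundll32.exe,
# plus one benign rundll32 invocation for contrast.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "wscript.exe",    "cmdline": "wscript.exe WP.vbs"},
    {"pid": 102, "ppid": 101, "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass metaphysic\\possessively.ps1"},
    {"pid": 103, "ppid": 102, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\users\\public\\mercifulHaddock.txt DrawThemeIcon"},
    {"pid": 104, "ppid": 100, "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed sample network events; 203.0.113.9 and 198.51.100.7 are
# documentation addresses standing in for resolved IPs.
NETWORK_EVENTS = [
    {"pid": 103, "dest_ip": "193.233.48.50", "dest_port": 8082, "host": None},
    {"pid": 103, "dest_ip": "203.0.113.9",   "dest_port": 443,  "host": "get.geojs.io"},
    {"pid": 100, "dest_ip": "198.51.100.7",  "dest_port": 443,  "host": "www.example.com"},
]

# Network IOCs from the Aurora post.
IOC_SOCKETS = {("193.233.48.50", 8082)}
IOC_HOSTS = {"get.geojs.io"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions rundll32 is normally handed; anything else (e.g. .txt) is suspicious.
DLL_LIKE_EXTS = (".dll", ".cpl", ".ocx", ".drv", ".ax")
# First argument to rundll32, with optional quoting; stops at the ",EntryPoint" separator.
RUNDLL32_ARG = re.compile(r'^rundll32(?:\.exe)?\s+"?([^\s",]+)', re.IGNORECASE)
# Matches -ExecutionPolicy Bypass and the usual abbreviations (-ex, -ep).
EXECPOLICY_BYPASS = re.compile(r"-e[xp]\w*\s+bypass", re.IGNORECASE)


def rundll32_non_dll_module(cmdline):
    """Return rundll32's module argument when its extension is not DLL-like, else None."""
    m = RUNDLL32_ARG.match(cmdline)
    if not m:
        return None
    module = m.group(1)
    return None if module.lower().endswith(DLL_LIKE_EXTS) else module


def ancestors(pid, events):
    """Lower-cased image names of pid's parent, grandparent, ... (nearest first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    e = by_pid.get(pid)
    while e is not None and e["ppid"] in by_pid:
        e = by_pid[e["ppid"]]
        chain.append(e["image"].lower())
    return chain


def detect_process(events):
    """Process rules for the Qakbot chain; returns (pid, rule, detail) tuples."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image == "rundll32.exe":
            module = rundll32_non_dll_module(e["cmdline"])
            if module is not None:
                alerts.append((e["pid"], "rundll32_non_dll_module", module))
        elif image == "powershell.exe" and EXECPOLICY_BYPASS.search(e["cmdline"]):
            # Only fire when a script host (wscript/cscript) is somewhere up the tree.
            if SCRIPT_HOSTS & set(ancestors(e["pid"], events)):
                alerts.append((e["pid"], "script_host_to_powershell_bypass", e["cmdline"]))
    return alerts


def detect_network(events):
    """Match connections against the Aurora IOCs; returns (pid, rule, indicator) tuples."""
    hits = []
    for e in events:
        if (e["dest_ip"], e["dest_port"]) in IOC_SOCKETS:
            hits.append((e["pid"], "ioc_socket", f'{e["dest_ip"]}:{e["dest_port"]}'))
        if e["host"] and e["host"].lower() in IOC_HOSTS:
            hits.append((e["pid"], "ioc_host", e["host"]))
    return hits


def correlate(process_alerts, network_hits):
    """PIDs that trip both a process rule and a network IOC: the highest-confidence set."""
    return sorted({p for p, _, _ in process_alerts} & {p for p, _, _ in network_hits})


if __name__ == "__main__":
    proc = detect_process(PROCESS_EVENTS)
    net = detect_network(NETWORK_EVENTS)
    for alert in proc + net:
        print("ALERT pid=%d rule=%s detail=%s" % alert)
    print("correlated pids:", correlate(proc, net))
```

The process rule deliberately keys on behaviour (a script host above a PowerShell bypass, rundll32 given a non-DLL extension) rather than on the file names from the post, which the operators rotate per campaign; the network rule is the opposite, a plain IOC match that is cheap but short-lived. Correlating the two on the same PID is what separates the loader chain from a stray hit on a geolocation service.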