MyDFIR

@MyDFIR

Followers
3K
Following
314
Media
82
Statuses
346

I provide guidance to students and professionals looking to become amazing SOC analysts. Don't know where to start? DM for 1-on-1! I am always happy to help.

Joined December 2022
@MyDFIR
MyDFIR
26 days
@CyberDefenders is doing a giveaway! They’ve been a staple in blue team training and have played a big role in my growth. If you’re serious about leveling up your skills, don’t miss this!
@MyDFIR
MyDFIR
20 days
RT @IAMERICAbooted: When I first started learning Proofpoint, I didn't think it was very hard because I already knew Exchange and had the u…
@MyDFIR
MyDFIR
1 month
Stay vigilant, especially when analyzing “harmless” looking lures with real-brand impersonation!
IOCs:
DochubSigner.exe - 523EE0DD45A11EBCAE4ABE94FFD20CC40D706A11FB1D904FF0D1614CA7B9AC9F
mfc100.dll - 483A7E0BD95B56751DF5A536C050A964A8C3CF81CFB5A4DBCD4EAFC93390D583
@MyDFIR
MyDFIR
1 month
According to Microsoft Defender, the payload’s objective appeared to be: credential harvesting / infostealer behavior. This reinforces the need for proper sandboxing and endpoint monitoring, even if VirusTotal looks clean.
@MyDFIR
MyDFIR
1 month
XPFix.exe was launched with: "C:\. \XPFix.exe" /u
VT detection: 1/72.
PhotonM.exe made an outbound HTTP connection to: 94.181.203[.]50:80.
@MyDFIR
MyDFIR
1 month
After executing DochubSigner.exe, several files were dropped:
C:\ProgramData\ro_check\RecZip.dll
C:\ProgramData\ro_check\mfc100.dll
C:\ProgramData\ro_check\MSVCR100.dll
C:\Users\<user>\AppData\Roaming\ro_check\XPFix.exe
C:\Users\<user>\AppData\Local\Temp\PhotonM.exe
@MyDFIR
MyDFIR
1 month
🛑 PSA for junior analysts: A 0/72 score on VirusTotal does not mean a file is safe. It only means no AV vendor has flagged it yet. Always investigate further!!!
@MyDFIR
MyDFIR
1 month
After entering the code, a ZIP file was downloaded: LiteSigner[.]zip. Inside were 6 files, where the main executable was named DochubSigner.exe. I searched for the SHA256 hash on VirusTotal and it showed 0/72 detections. Sounds safe? Not quite.
@MyDFIR
MyDFIR
1 month
The email came from samsungfr[.]com, a domain that was only registered 31 days ago. It included a link to: sign[.]dochubsign[.]org which was created 26 days ago. The site mimicked a doc-signing portal and provided a code to enter.
@MyDFIR
MyDFIR
1 month
This was the email I had received.
@MyDFIR
MyDFIR
1 month
Fake Samsung Collaboration Attempt. Received a suspicious outreach claiming to be a Samsung partnership. Here’s the breakdown.
@MyDFIR
MyDFIR
3 months
Based on this finding, it is likely that this campaign is actively targeting YouTube creators using different brand names and file lures to bait them. At that point, I had what I needed. I could’ve kept going deeper into the infrastructure, digging into C2 servers or pivoting.
@MyDFIR
MyDFIR
3 months
I pulled the hash of the child process and checked it on VirusTotal. It was flagged by six vendors as a trojan. In the “Relations” tab, another sample showed up with the name: “OnePlus - YouTube exe”
@MyDFIR
MyDFIR
3 months
This version spawned a child process named GestVecinos.exe, launched Chrome, and attempted to contact a suspicious domain: hxxps://narrathfpt[.]top
@MyDFIR
MyDFIR
3 months
Once executed, it also got tagged as Lumma Stealer.
@MyDFIR
MyDFIR
3 months
Next, I analyzed Lester’s file. Because it was over 16 MB, I used Joe Sandbox, which accepts larger files for free accounts.
@MyDFIR
MyDFIR
3 months
Multiple connections and DNS requests were made from the child process.
@MyDFIR
MyDFIR
3 months
There were over 15 Suricata alerts generated from the network activity.
@MyDFIR
MyDFIR
3 months
The score for both processes was 100 out of 100 meaning that these files are indeed malicious as per
@MyDFIR
MyDFIR
3 months
Once executed, the sandbox immediately flagged it. The main process spawned a child process named OpenWith.exe, which was also identified as malicious.
@MyDFIR
MyDFIR
3 months
I wanted to confirm the behavior, so I ran dynamic analysis using sandbox environments. Jorge’s file was smaller, so I uploaded it to