Why, hello there, #solarmarker.

Low detection #bumblebee .Distributed disguised as NetSetMan.msi . "LLC Onixgroup".--.I don't post every cert we report. But if you want to see what gets reported, use Cert Central or the Cert Central API. certcentral[.]org

Files on MB Didn't do any in the sandbox analysis. 🤔. AnyRun flags the file as sus due to the code-signing signature

Pro tip:.If you receive a screen saver named "Coinbase_incident_report.scr"* you shouldn't run it. *file format SCR is identical to EXE.--.Disguised as PDF.Code-signed by "GeoTech-IT Oy". h/t @g0njxa .also uploaded to MB by @JAMESWT_WT ❤️.🔗🧵

#bumblebee signed "LLC Ugurmana". Distributed disguised as Advanced IP Scanner and NetSetMan . https://bazaar.abuse[.]ch/sample/a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2/. https://tria[.]ge/250716-nltd7avzcy/behavioral2. h/t @g0njxa .@JAMESWT_WT.

Add to DB:.certCentral -s VT -# 8bfdd239da6948b4903a92287cd6e15f86d96187c36ed75e796d99adcc09f66f -p -t OdysseyStealer. -s specifies to use VT.-# passes a hash (Cert Central requires SHA256 right now).-p requires Cert Central API key.-t assigns malware name.

Have you wanted to report signed Mac binaries like this one?.Now you can with certReport 3.3* (pip install certreport). You can also add them to the Cert Central DB with -p, and tag a malware family with -t. Easy. See thread for more detail. *VT API key required

Note: Some certificates have multiple entries because when they don't get revoked, they get resold. Cert Central exists to stop this problem. You can continue to help by reporting via Cert Central or using the certReport to report files! .

1337 entries in Cert Central. This represents ~1300* unique code-signing certificates issued to cybercriminals for abuse; a lot of disrupted malware delivery; a lot of wasted money; and a lot of headaches for cybercriminals. Thank you all for your support. *see thread for note

Thats the way I like my libssl.dll: signed by a Indian company that makes nutrients for livestock "GAUAMRIT NUTRICARE PRIVATE LIMITED". MD5: ae0912ba4a5bff3f3543f5f393446adb. https://bazaar.abuse[.]ch/browse.php?search=serial_number:737c5c461d3864ac4f089e26.h/t @g0njxa

Fake DBeaver signed by "LLC Vtorsintez" 🇷🇺.MD5: 4fa9f678df14a33e2e5480d63604f811.(Too big for MalwareBazaar). https://tria[.]ge/250711-n4tsnst1fs/behavioral1. Anti-analysis: wmic memorychip get Capacity -> exits.h/t @g0njxa .@JAMESWT_WT

#bumblebee disguised as NetSecMan, installs real thing as decoy. Signed: "LLC Resource+". https://bazaar.abuse[.]ch/sample/cd454d80b75cbd4b23f9ec4a3e5746e53552f5a2a30c3ea1d5d3215cf41484aa/. https://tria[.]ge/250711-nmnkbstygy/behavioral2. h/t @g0njxa .@JAMESWT_WT

@g0njxa Triage report:

Dear #Bumblebee malware dev, do you really need 199 dga domains?.--.Signed "LLC Invest Center". Appears to be delivered via ads for Advanced IP Scanner and ManageEngine-OpManager. https://bazaar.abuse[.]ch/browse.php?search=serial_number:073b9b32fe16b00a4268f97b. h/t @g0njxa

More often than not, when I see a malware config extracted by VirusTotal, it is due to a config extractor in CAPE Sandbox. Thanks to all the folk who contribute.

Low detection #Latrodectus .signed "LLC Jupiter". MD5: 2c2b6ab5549fe70cd9befe1ef5ac63a3.MB: https://bazaar.abuse[.]ch/browse/tag/LLC-Jupiter/. C2: gorahripliys[.]com, aliondrifdions[.]com.@JAMESWT_WT

Wondering if a code-signing certificate has been reported? See it in one of your favorite tools: Cert Central's blocklist is now appears in MalwareBazaar!. We've reported ~300 certs so far this year; it is on pace for a record. Keep an eye out and keep uploading. :)

RT @ExpelSecurity: ⚠️ New version of the malware disguised as PuTTy. The files are signed “Alternative Power Systems Solutions LLC”. Fake P….

RT @1ZRR4H: ⚠️ "New" #CrazyEvil campaign 🇷🇺.Landing domain: rivatalk[.]com. As usual, there is a signed malware for Windows ("Heze Hongwei….

Low detection pre-ransomware.Signed "TOLEDO SOFTWARE LLC". C2: 45.86.230.77, 185.208.158.119, 85.239.52.99. VT: 3d6da75764c043cd2ceb7b35028ec79b. https[:]//bazaar.abuse.ch/browse.php?search=serial_number:33000373da29c35a6ac0484d690000000373da

TribeWars scam signed "Al-Base Trading Corp.". Actors commonly abusing code-signing certificates targeting cryptowallets. Launches a CAPTCHA for anti-analysis by sandboxes.