ULTRAFRAUD (@ULTRAFRAUD)
Followers: 2K | Following: 3K | Media: 152 | Statuses: 217
Underground bon vivant hunting for #malware
Buncoverse
Joined April 2022
#QuasarRAT C2 212.192.31[.]211 https://t.co/HJZUcm1tCC Sample (no longer available) spread by 37.1.200[.]46:8081 #opendir
#100DaysofYARA Day83: Suspicious files attempting to impersonate Google Update Utilities https://t.co/4m0w7E2Yv6 Thanks to @ULTRAFRAUD for sharing the signed malware sample which allowed me to build this YARA
"Your browser version is too old, please upgrade your browser version" Signed #AsyncRAT stealer dressed as @googlechrome targeting Chinese users. Low detection rate. /download-updata.com C2 /s2.download-updata.com https://t.co/qnjSMss16v
Interesting loader disguised as CreateStudio Pro, dropping an obfuscated Python payload via @pythonanywhere /download-createstudioo.com /kingkh.pythonanywhere.com ↪️ /kingkh.pythonanywhere.com/SRC/test.zip
Byakugan stealer panel /207.244.251.87:8080/auth 🇺🇸
LOLBin @AteraCloud agent dressed as @Adobe Acrobat Reader installer targeting Brazil 🇧🇷 /acrobat-download.pages.dev (auto DL) 7c166c4e8e31346574caf94a1eb609c1 https://t.co/q9bhK8sjY1
Same #Smokeloader C2 still active ☢️ Working #opendir at /109.186.217[.]138 with several samples https://t.co/TIoDOQumB6
For a good time, search for 77.91.68[.]29 on @anyrun_app ; 19 pages of #smokeloader starting June 26th
#Mars C2 panel source via /pushpointdelivery.com/panel/login.php https://t.co/KpOmoOJUQK
#BlazeStealer sample /blazest4ler.000webhostapp.com/BlazeStealer.zip MD5: 9a6681622d3f2f766bada7972b0fc8aa
Another great analysis from @bridewellsec @BridewellCTI. Thank you guys @josh_penny @RustyNoob619 for credits. #EasyStealer
@RustyNoob619 and I uncovered "Easy Stealer" infrastructure and take you through our initial findings. Will update our blog as we continue to work through what we found. Welcome feedback and contribution from our security community friends. #InformationStealer #EasyStealer
Active #Doenerium stealer dressed up as @anydesk 🏴‍☠️ /anydesks.co/en/downloads/AnyDesk.exe 229037ea33eb267cc08621c8967ab4022f811461f716592ae95be23a8191bfe6 C2 /doenerium.kqnfkpoccicxiudstqonfotuwsrhuxkwhqjjfsbjhonoubrccy.nl
Recently I've been finding several suspicious samples communicating with C2 via MeshAgent. Take this #opendir for example: /2.155.18[.]40:9000 C2 /serrapirate2121.duckdns.org https://t.co/AJ1D9Wd9LE
There are those who look for MATLAB malware and those who instead are spreading midi cyber weapons. Dunno.. aw. much respect fo' free malware ❤️
Watch out for this #DarkGate campaign, quite possibly through Malvertising and using signed MSI files with very low (or zero) detection. #SIGNED "PFO GROUP LLC" Other sites on 154.56.47.156: https://openvpnhub[.]com/
https://angryipscanner[.]net/
https://www.putty-ssh[.]com/
Unclassified malware disguised as @WinSCP distributed via @Dropbox. No VT detection RN /easywinscp.xyz ↪️ /winscphub.com C2 178.236.247[.]102 🇷🇺 510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f