TG Soft

@VirITeXplorer

Followers
3K
Following
6K
Media
203
Statuses
2K

Italian Software House active in antimalware research and antivirus development since 1992. VirIT eXplorer is the name of our antivirus suite.

Italy
Joined March 2011
@VirITeXplorer
TG Soft
10 months
The email address used in the decoy isn't the official one, as reported previously, but it's similar. In this way the cyber actor can steal reserved information about some subjects.
0
1
2
@VirITeXplorer
TG Soft
10 months
Hash:
9BB4204AF0CCF988D8967A1F54B228C6
8E83218EDB02F4D2BB6C25D4D6267D34
4B23C43FD0C5F1D6004EBA2BE8BEEB30
8129F32577B5A0986D1A937DCA5FAF60
882E8377B1D0248D95962CE93C527016
A9670434F9837E31D35648AC18A7181C
0
0
2
@VirITeXplorer
TG Soft
10 months
The Excel macro drops a PDF decoy and runs a shellcode that downloads from s://92.243.66.]237:8464 a new shellcode that contains the #Sliver framework with C2 rtxcore.]ru. The decoy is similar to the 19th Sept campaign, but the threat actor fixed the email address with the official one.
2
1
3
@VirITeXplorer
TG Soft
10 months
We have discovered a new campaign targeting Russia from an unknown #APT. The file 23.09.2024.7z was uploaded to VT from Russia yesterday. This is similar to the 19th Sept campaign.
Infection chain: 7z->MSC->CertUtil->CMD->PowerShell->Excel
@58_158_177_102
@VirITeXplorer
TG Soft
10 months
#apt On 19th September the MSC file 19_09_2024.msc was uploaded from Russia with low detection.
MSC->CertUtil->Powershell->Excel:
- Decoy pdf
- Shellcode x64 -> #Sliver
Msc hash: 44c8565f05bc93f399c960dd44e66a9c
@58_158_177_102 @suyog41 @780thC
1
8
24
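The two posts above give the infection chain as MSC->CertUtil->(CMD->)PowerShell->Excel. The check below is an added example written for this page, not TG Soft's code: it treats each arrow as an ancestry relation (an assumption; the posts do not say the steps are direct parent/child links), reconstructs the process tree from constructed process-creation events of the kind Sysmon event 1 produces, and flags an Excel process whose ancestry contains the whole chain in order. Only mmc.exe is inferred from the posts, because .msc files are opened by the Management Console; the sample events, pids and paths are made up.

```python
"""Added example: flag processes whose ancestry matches the MSC -> CertUtil -> PowerShell -> Excel chain.

Hypothetical detection logic written for this page, not TG Soft's tooling. Input is a list of
process-creation events (pid, ppid, image path), constructed inline below.
"""
import ntpath
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image")

# Expected ancestry, oldest first. .msc files are opened by mmc.exe, which is why it heads
# the chain. The 23 Sept sample added cmd.exe between CertUtil and PowerShell, so the chain
# is matched as an in-order subsequence of the ancestry rather than as direct parent links.
MSC_CHAIN = ("mmc.exe", "certutil.exe", "powershell.exe", "excel.exe")

# Constructed sample: one malicious chain plus benign lookalikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mmc.exe"),                 # user opened an .msc
    ProcEvent(300, 200, r"C:\Windows\System32\certutil.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe"),                 # extra hop, as on 23 Sept
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(600, 500, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(700, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),  # Excel from the shell
    ProcEvent(800, 100, r"C:\Windows\System32\mmc.exe"),                 # admin console ...
    ProcEvent(900, 800, r"C:\Windows\System32\certutil.exe"),            # ... that only ran certutil
]


def image_name(path):
    """Lower-cased basename, so path and case differences do not matter."""
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid (inclusive)."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:      # stop at an unknown root or a pid cycle
        seen.add(pid)
        names.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    names.reverse()
    return names


def contains_in_order(chain, names):
    """True if every step of chain occurs in names, in that order, with any gaps allowed."""
    it = iter(names)
    return all(step in it for step in chain)      # each `in` consumes the iterator up to its match


def find_chain_hits(events, chain=MSC_CHAIN):
    """Pids of processes whose image is the last step of chain and whose ancestry contains chain."""
    return [e.pid for e in events
            if image_name(e.image) == chain[-1]
            and contains_in_order(chain, ancestry(events, e.pid))]


if __name__ == "__main__":
    for pid in find_chain_hits(SAMPLE_EVENTS):
        print(pid, " -> ".join(ancestry(SAMPLE_EVENTS, pid)))
```

Only the chain tuple needs changing to look for the other chains on this page (for instance mmc.exe -> msiexec.exe for the MSC->MSI posts); matching by subsequence rather than direct parentage is what keeps the optional cmd.exe hop from breaking the rule, at the cost of also matching chains with unrelated processes in between.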
@VirITeXplorer
TG Soft
10 months
The PDF isn't a simple decoy; instead it asks for some information that must be sent via email to min-trud.gov@mail[.]ru. The email address mimics an official address but is a generic email service. In this way the cyber actor can steal reserved information about some subjects.
0
1
4
@VirITeXplorer
TG Soft
10 months
The PowerShell script creates an Excel macro on the fly; the macro extracts the decoy PDF and executes the shellcode. As the final stage the shellcode downloads from the IP s://213.183.54[.]123:8444 the #Sliver framework with C2: techitzone[.]ru. Below, the translated decoy.
1
1
5
@VirITeXplorer
TG Soft
10 months
Interesting #CobaltStrike from "apt-99" with C2: pythongo[.]online
LNK -> Silverlight.exe (sideloading coreclr.dll) -> bin.dat -> CS
C:\Users\admin\Desktop\Project\cs4.5(apt-99)\cs4.5 2\external\beacon\Release\beacon.pdb
@58_158_177_102 @StrikeReadyLabs
1
17
43
@VirITeXplorer
TG Soft
11 months
@58_158_177_102 The MSC file downloads and runs this MSI file:
@StrikeReadyLabs
StrikeReady Labs
11 months
LDeviceDetectionHelper is another good one for triggering on another one in this cluster.
6fae35.msi 34e915d93b541471a9f7e747303f456732cd48c52e91ef268e32119ea8c433c0
1
0
2
@VirITeXplorer
TG Soft
11 months
Possible #plugx
Hash: 00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437
Pg 151 vv nghi le Quoc khanh 2.9.msc
https://kxmmcdmnb[.]online/eciwrnjnx
Probably geofenced, targeting Vietnam 🇻🇳
@58_158_177_102
1
2
14
@VirITeXplorer
TG Soft
11 months
@58_158_177_102 @JAMESWT_MHT Another MSC file 83457462d1885acce9f4e46ad4053d050d3b0c7f3935b61f378e52f0eed5a68b. Same campaign.
1
0
4
@VirITeXplorer
TG Soft
11 months
#Kimsuky MSC ef8947d291107256cb5883ac3bc163d0
MSC -> PEST.EXE (pest.exe.manifest) -> sim.sid -> sif.bat
21ED2CAD9DC18E453DA40BC3BA5DD756
p://rem.zoom-meeting.kro.]kr/0829_pprb/d.php?na=view
p://rem.zoom-meeting.kro.]kr/0829_pprb/d.php?na=myapp
@58_158_177_102 @JAMESWT_MHT
3
7
26
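The indicators in the posts above are defanged inconsistently: MD5 lists run together with dots, C2 addresses written as "s://ip:port" with ".]ru" or "[.]ru" domains, a mail[.]ru address, and the "p://…kro.]kr" URLs in this Kimsuky post. The extractor below is an added example written for this page, not TG Soft's tooling. It assumes that "[.]", ".]" and "[." all stand for a dot and that "s://" and "p://" are abbreviated schemes (the stubs are kept literally in the output rather than guessed); the input is a constructed sample built from fragments of the posts, one indicator per line.

```python
"""Added example: pull hashes, IPs, domains, emails and URLs out of text defanged like these posts.

Hypothetical helper written for this page, not TG Soft's tooling. It assumes the defanging
seen in the posts: '[.]' and '.]' stand for '.', and 'https://' / 'http://' are written as
's://' / 'p://'. Those stubs are accepted as schemes and passed through unchanged.
"""
import re
from urllib.parse import urlparse

# Constructed input: indicator fragments copied from the posts on this page, one per line.
SAMPLE_TEXT = """
s://92.243.66.]237:8464 rtxcore.]ru
s://213.183.54[.]123:8444 techitzone[.]ru
min-trud.gov@mail[.]ru
https://kxmmcdmnb[.]online/eciwrnjnx
p://rem.zoom-meeting.kro.]kr/0829_pprb/d.php?na=view.
Hash:.9BB4204AF0CCF988D8967A1F54B228C6.8E83218EDB02F4D2BB6C25D4D6267D34.
44c8565f05bc93f399c960dd44e66a9c
00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437
"""

HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")  # SHA-256, SHA-1, MD5
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
URL_RE = re.compile(r"\b(?:https?|s|p)://[^\s\"'<>]+", re.I)        # also takes the 's://' / 'p://' stubs
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")     # keeps the port when one is given
# Bare domains only: not preceded by a path separator, '@' or another label, so URL paths and
# email local parts are skipped; the TLD is letters only, so a filename like '2024.7z' is not one.
DOMAIN_RE = re.compile(r"(?<![\w./@-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])")


def refang(text):
    """Turn '[.]', '.]' and '[.' back into '.', and hxxp back into http."""
    for token in ("[.]", ".]", "[."):
        text = text.replace(token, ".")
    return re.sub(r"hxxp", "http", text, flags=re.I)


def extract_iocs(text):
    """Refang text and return indicators grouped by type, each list de-duplicated and sorted."""
    t = refang(text)
    hashes = [h.lower() for h in HASH_RE.findall(t)]
    t = HASH_RE.sub(" ", t)
    emails = EMAIL_RE.findall(t)
    t = EMAIL_RE.sub(" ", t)                      # so 'min-trud.gov' is not taken for a domain
    ips = IP_RE.findall(t)                        # read before URLs go, to keep 'ip:port' C2 pairs
    urls = [u.rstrip(".,;") for u in URL_RE.findall(t)]
    t = IP_RE.sub(" ", URL_RE.sub(" ", t))
    domains = set(DOMAIN_RE.findall(t))
    for u in urls:                                # hostnames inside URLs count as domains too
        host = urlparse(u).hostname or ""
        if host and not IP_RE.fullmatch(host):
            domains.add(host)
    return {
        "hashes": sorted(set(hashes)),
        "ips": sorted(set(ips)),
        "emails": sorted(set(emails)),
        "domains": sorted(domains),
        "urls": sorted(set(urls)),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(kind, values)
```

Hashes are removed from the working text before the domain pass so that a lowercase hash list joined with dots cannot be read as labels, and emails are removed before it so the local part of the mail[.]ru address is not reported as a domain. Filenames with a letters-only extension (such as 19_09_2024.msc) would still be picked up by DOMAIN_RE; a TLD allowlist is the usual fix and is left out here.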
@VirITeXplorer
TG Soft
11 months
TG Soft has been monitoring the abuse of MSC files by a Chinese APT that exploited a new diskless shellcode that downloads the Marte Beacon with Cobalt Strike.
@58_158_177_102 @nao_sec @AhnLab_SecuInfo @elasticseclabs @StrikeReadyLabs @dez_
0
12
38
@VirITeXplorer
TG Soft
11 months
d0c4eb52ea0041cab5d9e1aea17e0fe8a588879a03415f609b195cfbd69caafc
MSC->MSI->EXE side-loading DLL + DAT
2
3
10
@VirITeXplorer
TG Soft
11 months
#PlugX campaign from 07-30 to 08-01 via MSC files:
3e6772aca8bb8e71956349f1ea9fecda5d9b9cfa00f8cdbf846c169ab468a370
6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f
ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5
@58_158_177_102 @nao_sec
2
8
21
@VirITeXplorer
TG Soft
1 year
RT @780thC: A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant….
0
31
0
@VirITeXplorer
TG Soft
1 year
#APT17 aka #DeputyDog strikes Italian government agencies and companies with sophisticated campaigns that use the #RAT9002 for cyber espionage operations. Read the full report on: @58_158_177_102 @sugimu_sec @JAMESWT_MHT.
0
15
31
@VirITeXplorer
TG Soft
1 year
RT @Europol: 🚨Largest ever operation against botnets hits dropper malware ecosystem. Operation Endgame, coordinated from Europol headquart….
0
280
0
@VirITeXplorer
TG Soft
2 years
#Italy Weekly malspam n.26 from 26 Jun to 2 Jul 2023
We have analyzed 51 campaigns, 15 in Italian.
🔥 #AgentTesla #FormBook #LokiBot #Rhadamanthys
New entry: RAT spread via PEC
Total families: 10
@58_158_177_102 @JAMESWT_MHT @sugimu_sec @rbreabin @zuinmichele
0
2
4
@VirITeXplorer
TG Soft
2 years
#Italy Weekly malspam n.25 from 19 to 25 Jun 2023
We have analyzed 51 campaigns, 6 in Italian.
🔥 #AgentTesla #FormBook #SnakeLogger #Ave_Maria
#Ursnif hits Italy again with the theme "Pagamenti" (Payments)
Total families: 8
@58_158_177_102 @sugimu_sec @JAMESWT_MHT @rbreabin
0
4
8