
NETRESEC
@netresec
Followers: 9K | Following: 6K | Media: 497 | Statuses: 4K
Experts in Network Forensics and Network Security Monitoring. Creators of #NetworkMiner, #CapLoader, #PacketCache, #PolarProxy and #RawCap.
Joined November 2011
Comparison of tools that extract files from #PCAP:
- Chaosreader
- NetworkMiner
- Suricata
- tcpflow
- Wireshark
- Zeek
netresec.com
One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used...
New PO 102456688.exe on ANY RUN.
app.any.run
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
New PO 102456688.exe on Triage.
tria.ge
Check this report malware sample 5bcdc4a9e5f2ac4f4b9d51285b27a475fc62e5d203db79db31a372e90039db51, with a score of 7 out of 10.
Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops #PureLogs. MD5: b2647b263c14226c62fe743dbff5c70a. C2: 147.124.219.201:65535
Writeup by khr0x and @Jane_0sint indicates that this traffic is caused by PureLogs or PureMiner (not PureCrypter).
any.run
Explore a detailed analysis of PureCrypter, PureLogs, and PureMiner, three representatives of the Pure malware family.
Do #PureLogs Stealer and #PureCrypter use the same C2 protocol, or is there some way to tell the C2 protocols apart? C2 servers:
- 45.141.233.100:7708
- 144.172.91.74:7709
- 62.60.235.100:9100
- 65.108.24.103:62050
- 91.92.120.102:62050
- 192.30.240.242:62520
Two more #PureLogs Stealer DLL files found on vastkupan[.]com. The original blog post has been updated.
- Dropper connects to legitimate website
- Fake PDF is downloaded over HTTPS
- Fake PDF is decrypted to a #PureLogs DLL
- InstallUtil.exe or RegAsm.exe is started
- PureLogs DLL is injected into the running process
- PureLogs connects to C2 server
IOCs in blog post:
- 91.92.120.101:62520
- 91.92.120.101:65535
- MD5 711d9cbf1b1c77de45c4f1b1a82347e6
- MD5 6ff95e302e8374e4e1023fbec625f44b
- MD5 e6d7bbc53b718217b2de1b43a9193786
- MD5 a9bc0fad0b1a1d6931321bb5286bf6b7
- MD5 09bb5446ad9055b9a1cb449db99a7302
- MD5 38d29f5ac47583f39a2ff5dc1c366f7d
netresec.com
I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader...
CapLoader 2.0.1 Released.
- IP lookup alert
- Better protocol identification
- Bug fixes
netresec.com
This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of...
RT @mSult4n: Just published a new blog post on how Microsoft's "Mouse Without Borders" can be abused for data exfiltration & lateral moveme…
0xsultan.github.io
Abusing Mouse Without Borders for Data Exfiltration and Lateral Movement
RT @malwrhunterteam: "cup.msi": eb2688341917d739b2048e39c9913c0c5e0e0d82346757970883c5098a0b77f3. From: https://dnsg-microsoftds-data[.]com/…
There's some unknown but interesting C2 to 104.16.0.0/13 (@CloudFlare). C2 domains:
- event-time-microsoft[.]org
- windows-msgas[.]com
- event-datamicrosoft[.]live
- eventdata-microsoft[.]live
Does anyone know what malware this is?
infosec.exchange
Attached: 1 image @malware_traffic There's some unknown but interesting C2 traffic going on to net 104.16.0.0/13 (on CloudFlare). An HTTP POST is sent every 30 seconds (see Gantt chart) with gz...
Are you using Meta Pixel to track visitors on your website? Please stop! Here's why.
infosec.exchange
Attached: 1 image Researchers uncover how the Facebook app used localhost STUN communication with the browser to track visited websites in [Covert Web-to-App Tracking via Localhost on Android](http...
CapLoader 2.0 released today!
- Identifies over 250 protocols in #PCAP
- Define protocols from example traffic
- Extracts JA3, JA4 and SNI from QUIC
- 10x faster user interface
netresec.com
I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allows users to...
Thank you @CISACyber, @NCSC, BSI et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
infosec.exchange
Attached: 1 image Thank you CISA, NCSC, BSI et al. for publishing the advisory on [Russian GRU Targeting Western Logistics Entities and Technology Companies](https://www.cisa.gov/ne...
Did you know that NetworkMiner parses the #njRAT protocol? The following artefacts are extracted from njRAT C2 traffic:
- Screenshots of victim computer
- Transferred files
- C2 commands and replies
- Stolen credentials/passwords
- Keylog data