#keyloger and builder
How to make money via tools and taturial

I’m Cyber Security Professional and do all kinds of related works and givethe
100% satisfaction and confidential to my clients.
https://error404-store.blogspot.com
1-- Carding & Tools ,
2-- PHP Exploits with shell and mailer
3-- OTP verications Bypass with Bulletproof Scam-page and Otp control Panel
4-- Company Ceo or cfo leads Any country
5-- Rat virus with builder
6-- Cookies Stealers and Builder
7-- keyloger and builder
8-- Credit card Scam-pages
9-- Bank login Scam-pages
10- debit card topup scam page
11- donation scam-page
12- dhl login and tracking scam-page
13- fedax login and tracking scam-page
14- Shipping Tools
--- Spamming tools --
1-- cpanel https ssl secure
2-- shell ssl secure
3-- web-mail
4-- Hacked smtp bulk inbox sender
5-- Admin rdp with send bluster
6-- Encrypted bulitproof scam pages
7-- ceo or cfo leads bulk quantity
8-- Cpanel whm multiple domain list user and password
--- Spy virus slinet Exploits --
1-- privet windows spy rat Virus
2-- crypter exploits Pdf doc text filetype
3-- privet rdp hosting
4-- os andriod spy virus get Root privileges
5-- iso iPhone spy virus get Root privileges
6-- Nokia spy virus
--- scanners brute-force ---
1-- Vps linux roots Scanner
2-- cpanel scanner Password cracker
3-- PHP shell scanner
4-- smtp scanner Password cracker
5-- zimbra scanners Password cracker
cpanel,shell,smtp,scampages,sender,ceo or cfo leads,rdp,spyvirus,crypter,exploits,scanners
Telegram:- @Donsmith000
icq :- @Donsmith000
https://error404-store.blogspot.com
#https ssl secure cpanel#ssl secure php shell#unlimited inbox smtp#rdp with sendbluster 4#encrypted and bulletproof scam pages#auto link scam pages#cpanel scanner password cracker#smtp scanner password cracker#scanners brute-force#Vps linux roots Scanner#Spamming tools#Carding & Tools#keyloger and builder#spy rat virus#all kind or spy tools#andriod spy tools
Original Post from Security Affairs Author: Pierluigi Paganini
A new Android malware, tracked as MobiHok RAT, has appeared in the threat landscape; it borrows code from the old SpyNote RAT.
Experts from threat intelligence firm SenseCy spotted a new piece of Android RAT, dubbed MobiHok RAT, that used code from the old SpyNote RAT.
At the beginning of July 2019, the experts spotted a threat actor dubbed mobeebom that was offering for sale an Android Remote Administration Tool (RAT) dubbed MobiHok v4 on a prominent English hacking forum.
The experts discovered that mobeebom is active on multiple Arab-speaking hacking forums under different pseudonyms, a circumstance that suggests that he is an Arab-speaker. Researchers also noticed that the posts published by the hacker were using poor English.
mobeebom has been promoting the MobiHok RAT through multiple channels, including YouTube and a dedicated Facebook page, since January 2019.
MobiHok is written in Visual Basic .NET and Android Studio and gives the operator full control of the infected device. Experts pointed out that the latest release of the RAT implements new features, including a bypass to the Facebook authentication mechanism.
The analysis conducted by the experts suggests that the threat actor obtained SpyNote’s source code and made some minor changes to its code before reselling it online.
“However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.” continues the report.
“The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.”
In July 2016, experts from Palo Alto Networks spotted a RAT offered for free called SpyNote, much like OmniRat and DroidJack; today the malware can be purchased from a website on the surface web, or downloaded for free from a forum.
MobiHok supports several features, including access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to another APK app.
“To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being resold by the threat actor under a different name.” concludes SenseCy.
Pierluigi Paganini
(SecurityAffairs – MobiHok RAT, malware)
The post MobiHok RAT, a new Android malware based on old SpyNote RAT appeared first on Security Affairs.
Popular Web Tools and Services Among Designers & Developers (Sponsored)
Today we will present you the most popular 30 web tools and services among designers and developers. We handpicked solutions that are offering the best functionalities, support, and pricing on the market.
You will find probably the best logo design creation software, the very well-known Hotjar, Landingi, which can be used by non-programmers to build brilliant landing pages that quickly convert, a huge icon library and many other different solutions.
Check them and let us know which solution you will start using.
Tailor Social – The Smarter Social Media Management Tool
If you need to quickly build a social media presence for your most recent web project without expending too much effort, the Tailor Social social media management tool is a good solution. It helps you quickly create a full social media campaign that covers Facebook and Twitter in minutes, thanks to AI and a variety of templates.
When you first register, you’ll answer a few questions about your industry, as well as choose the types of posts you’re more interested in seeing on your feeds. Once complete, the Content Guru AI will get to work populating your initial social media calendar with ready-to-post content that is slotted for uploading. All you must do is approve the posts and add a unique message or twist.
Furthermore, you can track how effective your campaigns are, and which content is resonating the most with your audience with the built in social analytics feature. For a more hands-off approach, you can also set your social media management on Autopilot and continue focusing on improving your websites.
If you’re working with only two accounts, you can choose the Basic plan for $10 a month. If you need to handle more accounts, or have other team members who require access to your campaigns, you can select the Professional plan ($15 a month and up to 7 accounts) or the Corporate plan ($50 a month and up to 30 accounts).
Hotjar – See how your visitors are really using your site
Hotjar is the most popular solution on the market for understanding how people interact with your website. More than 210,000 companies are using this solution with great success, and it is affordable for any kind of company, from startups to Fortune 500 corporations.
Heatmaps will show you where your visitors click, tap, and scroll. Check what users want, care about and do on your site, it is mandatory for every website. Recordings will help you see videos of their behavior and discuss it with your team.
You can also easily find out where the drop-off point is for your customers: on which page they leave, or at which step. Forms on your website will be analyzed so you can make improvements.
Pricing plans are adapted to any kind of needs and budgets. There is a free forever plan and different packages for startups, companies, and agencies.
Register for the free plan, it takes less than 1 minute and you don’t need a credit card.
Landingi – A Powerful Landing Page Builder
Landingi is a popular choice among marketers and designers who want to build highly converting landing pages within their team, quickly, with a budget-friendly solution, and without having any coding skills. The process takes hours or days and it is straightforward.
You can start from one of the 200 gorgeous included templates and fully customize them with a video background from YouTube or Vimeo, with the 5,000 free images and 800 Google fonts. Integrate with MailChimp, SalesForce, Hubspot and many others.
Start a free 14-day trial and check how easy it is to use and what the landing pages look like.
Orion – 6014 Free SVG Vector Icons
Orion is one of the best icon libraries on the web, which is offering 6,014 free to use, gorgeous icons and another 2,599 premium icons in the pro plan which starts at $5 per month and at $7 per month for teams. The plans can be upgraded, downgraded and canceled at any time. Check their powerful web app that is packed with tens of advanced functionalities that will help you customize and organize the icons. They also have a fall deal with an exclusive 68% discount for the forever Pro version: https://orioniconlibrary.com/falldeal
WP Page Builder
Do you want to build a gorgeous website without spending even $1? WP Page Builder is one of the fastest and most powerful WordPress page builders on the market and is super simple to use; you don’t need to have any coding skills or previous experience.
Design a stunning new website with WP Page Builder, it works with all WordPress themes.
Format – Free Website Template Using Bootstrap For Portfolio
Format is a gorgeous free portfolio website theme that you can use for your next project. It is packed with excellent features and the latest technologies, being a perfect fit for a gorgeous portfolio for web designers, agencies and web studios. Download it for free.
AppBeat Monitoring
AppBeat is one of the best monitoring services on the market. You will be notified via SMS, Email and 10 other ways if something happens with your website, domain, ping, email and much more. The system is reliable, fast and very easy to use. Check it.
BrowseEmAll
Every web designer and developer needs a reliable and powerful cross-browser testing service. This is what BrowseEmAll will do for you, it supports both manual and automated testing and it is the easiest and most professional service on the market. Try it once and you will never let it go.
MultiBrowser
Another great cross-browser testing service is MultiBrowser. It supports manual and automated testing, you will find powerful mobile browser emulators that you can use from the same computer, real sandboxed browsers, responsive design screenshots and the excellent built-in screen and mobile recorder.
Try it.
Codester
Codester is a huge marketplace that is quickly growing every month. It is packed with tens of thousands of products for web designers and developers. There are scripts, codes, graphics, themes and much more. Everything is structured very well and they even have a flash sale section where hugely discounted items are being sold.
Visme
Regardless of the type of visual content you’re trying to create, Visme has you covered. Whether you’re looking for a Venn diagram maker, a presentation design tool, something to create compelling Infographics or all of the above – you’ll find everything you need right here.
48HoursLogo
Whenever you need a gorgeous logo design and you want to spend as minimum as possible, 48HoursLogo is an excellent option. Let web designers compete for your design and you can choose the one you like most. It is a very fast service and the results are remarkable.
Designhooks
Designhooks is probably the best free resources website for designers and developers where they can find handpicked items with an outstanding quality. There are thousands of products, very well structured into several categories: PSD Mockups, Sketch, HTML templates, WordPress themes and others.
MailMunch
MailMunch is the most powerful landing page builder on the market; it is packed with everything you need to grow your business, including hugely increasing conversions. You will find an excellent drag and drop builder and gorgeous themes that will help you build your landing pages and forms.
What is even great with MailMunch is that you can build dedicated squeeze pages that will help you convert website visitors into email subscribers. It is super simple to build the lead magnet and start heavily converting.
Userfeel
Userfeel is the best web app that will let you have real-life persons test your website. It is super simple to use and the process is straightforward. Find out what they think about your website and how they feel about it. For $49 you will get a video with the tester voiceover that is explaining his or her opinion about your website. This is the best way to test a website and make improvements.
Unlayer – Email Editor
Unlayer is the perfect email editor and page builder for SaaS, it is packed with lots of powerful features and the latest technologies. This is probably the best embeddable editor that your customers will love, let your customers create beautiful mobile-ready emails or landing pages right from your app.
Signup for free and see how it works.
PingPong
PingPong is a powerful user research tool that you can use remotely and fast. Everything can be done in one place, from the interview phase to payouts. You start by choosing from tens of thousands of testers, you schedule the discussions, have the video interview with their built-in function and end by selecting the ones you want to work with and paying them. It is as easy as it sounds and the process is straightforward.
Racks
Racks is an excellent free software website theme that is packed with premium features that you normally find on expensive templates. It is super simple to fully customize, it is SEO friendly and pixel-perfect.
Start a new project with Racks.
Controlio
Controlio can be used to monitor employee PC activity from anywhere you are. It is packed with powerful features and functions: real-time surveillance, continuous screen recording, keylogging and many others. Increase productivity over your team and the security level.
Track active and idle time per app and website and get rid of bottlenecks in your workflow.
Brizy
Brizy is a top website builder that you can use 100% free. It comes loaded with a powerful drag-and-drop builder and more than 150 gorgeous premade blocks that will help you build a stunning design in less than 30 minutes.
MeridianThemes
MeridianThemes is a powerful WordPress developer that is quickly growing every month. On their website, you will find beautiful and functional WordPress themes that are pixel-perfect and are very easy to fully customize to fit your project.
Browse their portfolio and pick what you need.
FreelanceLogoDesign
FreelanceLogoDesign can build a gorgeous logo for you in 60 minutes or less. Let 3 logo designers compete and you can choose from 6 custom logos. The results are outstanding and the service is fast. Give it a try any time you need a beautiful logo without spending a fortune.
actiTIME
actiTIME is a time tracking software that provides rich functionality covering almost any management and accounting needs. actiTIME facilitates the business process and helps its users organize their work better, increase company performance and collect critical billing and payroll information. More than 9000 companies in 70 countries are choosing actiTIME.
MediaLoot
Medialoot is a huge marketplace where designers and developers will find thousands of high-quality graphics, fonts, icons, templates and much more. Everything is handpicked and the website is very well structured.
Logoshi – Logo Maker
Logoshi’s no-nonsense logo maker creates knockout logos instantly. The pricing starts at $5 per logo and the results are impressive. Buy confidently. If you notice a mistake in your logo, send Logoshi an email. The guy who runs it will send you a fixed logo absolutely free.
Pixpa
Pixpa is one of the best portfolio builders on the market for creatives. Photographers, artists and designers can create their stunning portfolio website easily on Pixpa with integrated e-commerce, client galleries, and blogging tools, all in one place.
Try it for free for 15 days, credit card is not required.
WordPress SEO Plugin – Rank Math
Rank Math is the fastest and the most powerful SEO WordPress plugin. It is packed with great features and functionalities; practically, Rank Math configures itself and brings traffic to your website. Soon more interesting features will be added.
Goodie
Goodie is a professional and friendly development service that is most used by web designers looking to have a reliable developer on their side and by companies looking to amplify their online presence. Pricing per website starts at $999.
Discuss with Goodie your next project details.
Inspectlet
Have you ever wondered what are visitors doing on your website, and even more important, why? Inspectlet will let you record and playback their actions in seconds like you were over their shoulders. Understand what you need to improve and let your website convert better.
Try the demo and sign up for the free forever plan, which can be upgraded anytime you need.
Freelance Invoice
Freelancers need a dedicated invoicing platform and Bonsai is recognized in the market as the most powerful, complete and easy to use solution. There are more than 100,000 happy designers, developers, photographers and many others using it with great success.
Create and fully customize a smart invoice in seconds with Bonsai.
Start a free trial.
The post Popular Web Tools and Services Among Designers & Developers (Sponsored) appeared first on David Walsh Blog.
Popular Web Tools and Services Among Designers & Developers (Sponsored) published first on https://deskbysnafu.tumblr.com/
Best free keylogger for android
In fact, Hoverwatch has a feature that means that you can pay attention in on incoming and outgoing phone calls. It permits you to maintain monitor of what is happening on your laptop. Sms observe track saw Elite Keylogger tracks person activity absolutely invisibly: seize keystrokes, chats, emails, passwords, screenshots, far more. The aircraft is just a little bit low and primary wanting yet it did meet up with the wishes of the Countrywide Aviation Authority and consist of handed the limitations more than the airplane’s bodyweight and effectiveness. Yet, there are numerous ways for it to happen and in reality, you are extra exposed to the risk while traveling abroad.
Researchers say that some CERT groups are extra responsive than others. The following are the remaining seven that aren’t the best, but are nonetheless efficient keylogger apps in their own rights. Keylogger for Mac - Aobo Mac Keylogger Free Trial for three-day use without restrictions.

https://9spyapps.com/best-hidden-keylogger-android/. Learn how to Make A Hidden Keylogger Free Mp3 Songs For Iphone. Throughout the late 90’s and early 2000’s Amadeus Consulting was doing work in the direction of make personalized software bundle for a number of the initially customer cellular methods. Additional, as it’s straightforward to break into accounts over public connections, you would possibly need to make a brand new e-mail account specifically for your travels. This one can also be offering a keylogger among the many array of spying features, which is rather vast: SMS and call logs, e-mail and many social networks messages monitoring, geo-fencing, locking and wiping the phone. Name Logs.
Displays and logs calls and call background. It works identical as a Key-Logger work on Computer that detect and document the important thing strokes and password of E mail account after which despatched all particulars to a attacker. For thus a few years I've warned you about how to spot a phishing email. Sitemakes it moisturizermy on-linei use have use frizzing lookmy when amplifies sizesi. Apple’s iMessage app is built into iOS, so if in case you have an iPhone or iPad you may have encrypted conversations with any other Apple fan. Bitdefender additionally presents real-time antivirus and anti-phishing safety, but users can trigger manual scans too.
Bitdefender promotion assist you save quite a lot of bucks on Bitdefender. Nonetheless, I can not get the mail option to work. Not burdensome Spy will work in any countrified. App stealth keylogger android Use bb curve to spy in a cellphone! The thought is to use the context of the consumer's accessing sources to determine a level of confidence that it is the consumer slightly than a malicious actor that has compromised their account credentials. How finest to use the Android tracker for spying? Jul 20, 2014 · Typing trackers: the five best free keylogging instruments for Home windows and Mac. Builder and Lazarus, supporting Windows, Mac OS X, iOS, Android, Linux, Free BSD for 32-bit and 64-bit platforms. Offenders can even purchase affordable "assault toolboxs," making cybercrime simple and modest to perform. Check out these listening devices. That is the primary seen type within the app. Random Popups - continually redirected to Play Store app install web page and prompt you with a fake virus warning and update notifications throughout idle time of your cellphone which is not regular.
Hacking Tools and tatorial
I’m Cyber Security Professional and do all kinds of related works and givethe
100% satisfaction and confidential to my clients.
https://error404-store.blogspot.com
1-- Carding & Tools ,
2-- PHP Exploits with shell and mailer
3-- OTP verications Bypass with Bulletproof Scam-page and Otp control Panel
4-- Company Ceo or cfo leads Any country
5-- Rat virus with builder
6-- Cookies Stealers and Builder
7-- keyloger and builder
8-- Credit card Scam-pages
9-- Bank login Scam-pages
10- debit card topup scam page
11- donation scam-page
12- dhl login and tracking scam-page
13- fedax login and tracking scam-page
14- Shipping Tools
--- Spamming tools --
1-- cpanel https ssl secure
2-- shell ssl secure
3-- web-mail
4-- Hacked smtp bulk inbox sender
5-- Admin rdp with send bluster
6-- Encrypted bulitproof scam pages
7-- ceo or cfo leads bulk quantity
8-- Cpanel whm multiple domain list user and password
--- Spy virus slinet Exploits --
1-- privet windows spy rat Virus
2-- crypter exploits Pdf doc text filetype
3-- privet rdp hosting
4-- os andriod spy virus get Root privileges
5-- iso iPhone spy virus get Root privileges
6-- Nokia spy virus
--- scanners brute-force ---
1-- Vps linux roots Scanner
2-- cpanel scanner Password cracker
3-- PHP shell scanner
4-- smtp scanner Password cracker
5-- zimbra scanners Password cracker
cpanel,shell,smtp,scampages,sender,ceo or cfo leads,rdp,spyvirus,crypter,exploits,scanners
Telegram:- @Donsmith000
icq :- @Donsmith000
https://error404-store.blogspot.com
#blogger#Cpanel#phpshell#smtp#scmapages#rdp#sendbluser#turbomail#spy tools#rat virus#stealers wheel#cpanel scanner cracking#smtp scanner and cracking#kelogers#stealer virus#ms office leads
Original Post from FireEye Author: Nart Villeneuve
We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:
PDFs with download links
DOC and XLS files with malicious macros
Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads
The PDF and DOC/XLS campaigns primarily impacted the United States, and the Archive campaigns largely impacted the United States and South Korea.
FormBook Overview
FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016. Figure 1 and Figure 2 show the online advertisement for the malware.
Figure 1: FormBook advertisement
Figure 2: FormBook underground pricing
The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords.
One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique “Lagos Island method” (allegedly originating from a userland rootkit with this name).
It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence.
The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service.
Capabilities
FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include:
Key logging
Clipboard monitoring
Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
Grabbing passwords from browsers and email clients
Screenshots
FormBook can receive the following remote commands from the C2 server:
Update bot on host system
Download and execute file
Remove bot from host system
Launch a command via ShellExecute
Clear browser cookies
Reboot system
Shutdown system
Collect passwords and create a screenshot
Download and unpack ZIP archive
Infrastructure
The C2 domains typically leverage less widespread, newer generic top-level domains (gTLDs) such as .site, .website, .tech, .online, and .info.
The C2 domains used for this recently observed FormBook activity have been registered using the WhoisGuard privacy protection service. The server infrastructure is hosted on BlazingFast.io, a Ukrainian hosting provider. Each server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate model.
Behavior Details
File Characteristics
Our analysis in this blog post is based on the following representative sample:
Filename: Unavailable
MD5 Hash: CE84640C3228925CC4815116DDE968CB
Size (bytes): 747,652
Compile Time: 2012-06-09 13:19:49Z
Table 1: FormBook sample details
Packer
The malware is a self-extracting RAR file that starts an AutoIt loader. The AutoIt loader compiles and runs an AutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it.
Installation
The FormBook malware copies itself to a new location. The malware first chooses one of the following strings to use as a prefix for its installed filename:
ms, win, gdi, mfc, vga, igfx, user, help, config, update, regsvc, chkdsk, systray, audiodg, certmgr, autochk, taskhost, colorcpl, services, IconCache, ThumbCache, Cookies
It then generates two to five random characters and appends those to the chosen string above, followed by one of the following file extensions:
.exe, .com, .scr, .pif, .cmd, .bat
If the malware is running with elevated privileges, it copies itself to one of the following directories:
%ProgramFiles%
%CommonProgramFiles%
If running with normal privileges, it copies itself to one of the following directories:
%USERPROFILE%
%APPDATA%
%TEMP%
Persistence
The malware uses the same aforementioned string list with a random string to create a prefix, appends one to five random characters, and uses this value as the registry value name.
The malware configures persistence to one of the following two locations depending on its privileges:
(HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
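The installation and persistence naming scheme above is precise enough to turn into a hunting heuristic. The Python below is an added example (not FireEye's code): it encodes the prefix and extension lists quoted above, pairs the file-name check with the install directories, and shows the false-positive caveat that legitimate binaries such as msiexec.exe fit the name pattern on their own. The alphanumeric alphabet for the random characters and the SAMPLE_ROOTS directory values are assumptions; the report gives neither.

```python
"""Flag file names and Run-key value names that follow the FormBook naming
scheme described in the report. Added example, not FireEye code: it only
encodes the report's prefix and extension lists. The character set of the
random part is an assumption (the report does not state it)."""
import re
from pathlib import PureWindowsPath

# Prefix list and extension list quoted in the report.
PREFIXES = (
    "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update",
    "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost",
    "colorcpl", "services", "IconCache", "ThumbCache", "Cookies",
)
EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".cmd", ".bat")

_PREFIX_ALT = "|".join(re.escape(p) for p in PREFIXES)
_EXT_ALT = "|".join(re.escape(e) for e in EXTENSIONS)

# Installed file: <prefix><2-5 random chars><extension>. Alphanumeric random
# characters are assumed; the report does not specify the alphabet.
INSTALL_NAME_RE = re.compile(
    rf"^(?:{_PREFIX_ALT})[A-Za-z0-9]{{2,5}}(?:{_EXT_ALT})$", re.IGNORECASE)
# Run-key value name: <prefix><1-5 random chars>.
RUN_VALUE_RE = re.compile(
    rf"^(?:{_PREFIX_ALT})[A-Za-z0-9]{{1,5}}$", re.IGNORECASE)

# Constructed stand-ins for the expanded install directories on one host:
# %ProgramFiles%, %CommonProgramFiles%, %USERPROFILE%, %APPDATA%, %TEMP%.
SAMPLE_ROOTS = (
    r"C:\Program Files",
    r"C:\Program Files\Common Files",
    r"C:\Users\alice",
    r"C:\Users\alice\AppData\Roaming",
    r"C:\Users\alice\AppData\Local\Temp",
)


def classify_path(path: str, roots=SAMPLE_ROOTS) -> str:
    """'suspect' when both the file name and its parent directory match the
    scheme, 'name-only' when just the name matches (legitimate binaries such
    as msiexec.exe collide with the name pattern), otherwise 'clean'."""
    p = PureWindowsPath(path)
    if not INSTALL_NAME_RE.match(p.name):
        return "clean"
    parent = str(p.parent).lower()
    if any(parent == str(PureWindowsPath(r)).lower() for r in roots):
        return "suspect"
    return "name-only"


def run_value_is_suspect(value_name: str) -> bool:
    """True when a Run-key value name fits <prefix><1-5 chars>. Benign names
    can collide here too, so pair this with the path the value points at."""
    return RUN_VALUE_RE.match(value_name) is not None


if __name__ == "__main__":
    # Constructed sample paths, not observed artefacts.
    for sample in (r"C:\Users\alice\AppData\Roaming\igfxab3.exe",
                   r"C:\Windows\System32\msiexec.exe",
                   r"C:\Users\alice\AppData\Local\Temp\services.exe"):
        print(classify_path(sample), sample)
    print(run_value_is_suspect("taskhostq"), run_value_is_suspect("OneDrive"))
```

On a real host, replace SAMPLE_ROOTS with the expanded environment variables for each user profile; the "name-only" bucket is there to keep System32 binaries such as msiexec.exe or userinit.exe from being reported as hits.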
Startup
The malware creates two 16-byte mutexes. The first mutex is the client identifier (e.g., 8-3503835SZBFHHZ). The second mutex value is derived from the C2 information and the username (e.g., LL9PSC56RW7Bx3A5).
The malware then iterates over a process listing and calculates a checksum value of process names (rather than checking the name itself) to figure out which process to inject. The malware may inject itself into browser processes and explorer.exe. Depending on the target process, the malware installs different function hooks (see the Function Hooks section for further detail).
Anti-Analysis
The malware uses several techniques to complicate malware analysis:
Timing checks using the RDTSC instruction
Calls NtQueryInformationProcess with InfoClass=7 (ProcessDebugPort)
Sample path and filename checks (sample filename must be shorter than 32 characters)
Hash-based module blacklist
Hash-based process blacklist
Hash-based username blacklist
Before communicating, it checks whether the C2 server is present in the hosts file
The results of these tests are then placed into a 16-byte array, and a SHA1 hash is calculated on the array, which will be later used as the decryption key for subsequent strings (e.g. DLL names to load). Failed checks may go unnoticed until the sample tries to load the supporting DLLs (kernel32.dll and advapi32.dll).
The correct 16-byte array holding the result of the checks is:
00 00 01 01 00 00 01 00 01 00 01 00 00 00 00 00
Having a SHA1 value of:
5b85aaa14f74e7e8adb93b040b0914a10b8b19b2
After completing all anti-analysis checks, the sample manually maps ntdll.dll from disk into memory and uses its exported functions directly in the code. All API functions will have a small stub function in the code that looks up the address of the API in the mapped ntdll.dll using the CRC32 checksum of the API name, and sets up the parameters on the stack.
This will be followed by a direct register call to the mapped ntdll.dll module. This makes regular debugger breakpoints on APIs inoperable, as execution will never go through the system mapped ntdll.dll.
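The key-derivation step just described can be reproduced and, more usefully, inverted. The Python below is an added example, neither FireEye's code nor the malware's: it hashes a check array the way the report describes and, given a key pulled out of a running sample, brute-forces the 2^16 zero/one arrays to tell which checks fired. Treating each slot as holding only 0 or 1 is an assumption drawn from the array quoted above; the array and SHA1 value themselves are the ones printed in the report.

```python
"""Reproduce and invert the FormBook check-array -> SHA1 key step.
Added example, not FireEye code. Assumes each of the 16 slots holds 0 or 1,
as in the 'all checks passed' array quoted in the report."""
import hashlib
import itertools

# "All checks passed" array and its SHA1, both as quoted in the report.
EXPECTED_CHECK_ARRAY = bytes.fromhex("00000101000001000100010000000000")
PUBLISHED_KEY = "5b85aaa14f74e7e8adb93b040b0914a10b8b19b2"


def derive_key(check_results: bytes) -> str:
    """The sample's key-derivation step: SHA1 over the 16-byte result array."""
    if len(check_results) != 16:
        raise ValueError("FormBook uses a 16-byte check array")
    return hashlib.sha1(check_results).hexdigest()


def flip_check(check_results: bytes, index: int) -> bytes:
    """Return the array with one check's outcome inverted."""
    buf = bytearray(check_results)
    buf[index] ^= 1
    return bytes(buf)


def key_matches_published(check_results: bytes = EXPECTED_CHECK_ARRAY) -> bool:
    """Sanity check against the value printed in the report."""
    return derive_key(check_results) == PUBLISHED_KEY


def recover_check_array(observed_key: str):
    """Given a key recovered from a running sample (e.g. read from memory),
    brute-force the 2**16 possible 0/1 arrays to learn which checks fired.
    Returns the matching array, or None if no 0/1 array produces the key."""
    observed_key = observed_key.lower()
    for bits in itertools.product((0, 1), repeat=16):
        candidate = bytes(bits)
        if derive_key(candidate) == observed_key:
            return candidate
    return None


def failed_checks(observed_key: str):
    """Indices whose outcome differs from the 'all passed' array, or None
    when the key does not come from any 0/1 array."""
    arr = recover_check_array(observed_key)
    if arr is None:
        return None
    return [i for i in range(16) if arr[i] != EXPECTED_CHECK_ARRAY[i]]


if __name__ == "__main__":
    print("published key reproduced:", key_matches_published())
    # Simulate a sandbox tripping slot 2 (constructed, not an observed key).
    bad = derive_key(flip_check(EXPECTED_CHECK_ARRAY, 2))
    print("checks that fired for", bad, "->", failed_checks(bad))
```

Because SHA1 changes completely on a single flipped byte, the sample cannot tell a wrong key from a right one until the decrypted DLL names fail to load, which is the silent failure the report describes; the inverse direction is the practical one, since an analyst who has dumped the key from memory learns which of the anti-analysis checks the environment tripped without single-stepping each one.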
Process Injection
The sample loops through all the running processes to find explorer.exe by the CRC32 checksum of its process name. It then injects into explorer.exe using the following API calls (avoiding more commonly identifiable techniques such as WriteProcessMemory and CreateRemoteThread):
NtMapViewOfSection
NtSetContextThread
NtQueueUserAPC
The injected code in the hijacked instance of explorer.exe randomly selects and launches (as a suspended process) a built-in Windows executable from the following list:
svchost.exe, msiexec.exe, wuauclt.exe, lsass.exe, wlanext.exe, msg.exe, lsm.exe, dwm.exe, help.exe, chkdsk.exe, cmmon32.exe, nbtstat.exe, spoolsv.exe, rdpclip.exe, control.exe, taskhost.exe, rundll32.exe, systray.exe, audiodg.exe, wininit.exe, services.exe, autochk.exe, autoconv.exe, autofmt.exe, cmstp.exe, colorcpl.exe, cscript.exe, explorer.exe, WWAHost.exe, ipconfig.exe, msdt.exe, mstsc.exe, NAPSTAT.EXE, netsh.exe, NETSTAT.EXE, raserver.exe, wscript.exe, wuapp.exe, cmd.exe
The original process reads the randomly selected executable from the memory of explorer.exe and migrates into this new process via NtMapViewOfSection, NtSetContextThread, and NtQueueUserAPC.
The new process then deletes the original sample and sets up persistence (see the Persistence section for more detail). It then goes into a loop that constantly enumerates running processes and looks for targets based on the CRC32 checksum of the process name.
Targeted process names include, but are not limited to:
iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdgeCP.exe, explorer.exe, opera.exe, safari.exe, torch.exe, maxthon.exe, seamonkey.exe, avant.exe, deepnet.exe, k-meleon.exe, citrio.exe, coolnovo.exe, coowon.exe, cyberfox.exe, dooble.exe, vivaldi.exe, iridium.exe, epic.exe, midori.exe, mustang.exe, orbitum.exe,
palemoon.exe, qupzilla.exe, sleipnir.exe, superbird.exe, outlook.exe, thunderbird.exe, totalcmd.exe
After injecting into any of the target processes, it sets up user-mode API hooks based on the process.
The malware installs different function hooks depending on the process. The primary purpose of these function hooks is to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions. The malware stores data in local password log files. The directory name is derived from the C2 information and the username (the same as the second mutex created above: LL9PSC56RW7Bx3A5).
However, only eight bytes from this value are used as the directory name (e.g., LL9PSC56). Next, the first three characters from the derived directory name are used as a prefix for the log file followed by the string log. Following this prefix are names corresponding to the type of log file. For example, for Internet Explorer passwords, the following log file would be created:
%APPDATA%\LL9PSC56\LL9logri.ini
The following are the password log filenames without the prefix:
(no name): Keylog data
rg.ini: Chrome passwords
rf.ini: Firefox passwords
rt.ini: Thunderbird passwords
ri.ini: Internet Explorer passwords
rc.ini: Outlook passwords
rv.ini: Windows Vault passwords
ro.ini: Opera passwords
One additional file that does not use the .INI file extension is a screenshot file:
im.jpeg
Function Hooks
Keylog/clipboard monitoring:
GetMessageA
GetMessageW
PeekMessageA
PeekMessageW
SendMessageA
SendMessageW
Browser hooks:
PR_Write
HttpSendRequestA
HttpSendRequestW
InternetQueryOptionW
EncryptMessage
WSASend
The browser hooks look for certain strings in the content of HTTP requests and, if a match is found, information about the request is extracted. The targeted strings are:
pass
token
email
login
signin
account
persistent
Network Communications
The malware communicates with the following C2 server using HTTP requests:
www[.]clicks-track[.]info/list/hx28/
Beacon
As seen in Figure 3, FormBook sends a beacon request (controlled by a timer/counter) using HTTP GET with an “id” parameter in the URL.
Figure 3: FormBook beacon
The decoded “id” parameter is as follows:
FBNG:134C0ABB 2.9:Windows 7 Professional x86:VXNlcg==
Where:
“FBNG” – magic bytes
“134C0ABB” – the CRC32 checksum of the user’s SID
“2.9” – the bot version
“Windows 7 Professional” – operating system version
“x86” – operating system architecture
“VXNlcg==” – the Base64 encoded username (i.e., “User” in this case)
Communication Encryption
The malware sends HTTP requests using hard-coded HTTP header values. The HTTP headers shown in Figure 4 are hardcoded.
Figure 4: Hard-coded HTTP header values
Messages to the C2 server are RC4-encrypted and then Base64-encoded. The malware uses a slightly altered Base64 alphabet and also uses the character “.” instead of “=” as the pad character:
Standard Alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Modified Alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_
The RC4 key is derived from the C2 URL using a custom implementation of the SHA1 hashing algorithm. The standard SHA1 algorithm reverses the DWORD endianness at the end of the computation; this implementation does not, so its output consists of reversed-endian DWORDs. For example, the standard SHA1 hash of the aforementioned URL is “9b198a3cfa6ff461cc40b754c90740a81559b9ae,” but reordering the bytes within each DWORD produces the correct RC4 key: 3c8a199b61f46ffa54b740cca84007c9aeb95915. The first DWORD “9b198a3c” becomes “3c8a199b.”
Figure 5 shows an example HTTP POST request.
Figure 5: Example HTTP POST request
In this example, the decoded result is:
Clipboard\r\n\r\nBlank Page – Windows Internet Explorer\r\n\r\ncEXN{3wutV,
Accepted Commands
When a command is sent by the C2 server, the HTTP response body has the format shown in Figure 6.
Figure 6: FormBook C2 server response with command
The data begins with the magic bytes “FBNG,” followed by a one-byte command code from hex bytes 31 to 39 (i.e., from “1” to “9”) in clear text. This is then followed by the RC4-encrypted command data (where the RC4 key is the same as the one used for the request). In the decrypted data, another occurrence of the magic FBNG bytes indicates the end of the command data.
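The C2 encoding described in the last few paragraphs (modified Base64 with “.” padding, RC4 keyed by the non-byteswapped SHA1 of the C2 URL, the beacon “id” layout, and the FBNG-framed command responses), written out as a decoder an analyst can run over captured traffic. This is an added example, not FireEye's code or the malware's own; the exact URL string that is hashed, the use of the 20 reordered digest bytes as the raw RC4 key, the raw-bytes transport of the response body, and the sample messages are assumptions made for illustration.

```python
import base64
import hashlib

# FormBook swaps "+/" for "-_" and pads with "." instead of "=".
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
_MOD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_."
_TO_STD = str.maketrans(_MOD, _STD)
_TO_MOD = str.maketrans(_STD, _MOD)


def formbook_b64decode(text):
    """Map the modified alphabet back onto the standard one, then decode."""
    return base64.b64decode(text.translate(_TO_STD))


def formbook_b64encode(data):
    """Inverse of formbook_b64decode (used here only to build sample traffic)."""
    return base64.b64encode(data).decode("ascii").translate(_TO_MOD)


def swap_dwords(digest_hex):
    """Reverse the byte order inside each 32-bit word of a SHA1 digest.
    Standard SHA1 writes its five state words big-endian; FormBook's copy skips
    that step, so its output is the same words in little-endian order."""
    raw = bytes.fromhex(digest_hex)
    return b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4)).hex()


def derive_rc4_key(c2_url):
    """RC4 key = non-byteswapped SHA1 of the C2 URL. Using the 20 raw digest
    bytes as the key is an assumption; the page shows only the hex form."""
    return bytes.fromhex(swap_dwords(hashlib.sha1(c2_url.encode()).hexdigest()))


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_post_body(encoded, key):
    """Bot -> C2 direction: modified Base64 wrapping RC4 ciphertext."""
    return rc4(key, formbook_b64decode(encoded))


def parse_beacon_id(decoded_id):
    """Split a decoded beacon "id" value into its fields, e.g.
    FBNG:134C0ABB 2.9:Windows 7 Professional x86:VXNlcg==
    The username field is standard Base64 (with "=" padding)."""
    magic, crc_and_ver, os_and_arch, user_b64 = decoded_id.split(":")
    if magic != "FBNG":
        raise ValueError("missing FBNG magic")
    sid_crc, version = crc_and_ver.split(" ")
    os_name, arch = os_and_arch.rsplit(" ", 1)
    return {"sid_crc32": sid_crc, "version": version, "os": os_name,
            "arch": arch, "username": base64.b64decode(user_b64).decode()}


def parse_c2_command(body, key):
    """C2 -> bot direction: b"FBNG" + clear-text command byte "1".."9" +
    RC4-encrypted data terminated by another FBNG marker. Treating the
    response body as raw bytes is an assumption (the page shows the layout)."""
    if not body.startswith(b"FBNG"):
        raise ValueError("missing FBNG magic")
    cmd = body[4:5]
    if not b"1" <= cmd <= b"9":
        raise ValueError("unexpected command byte %r" % cmd)
    plain = rc4(key, body[5:])
    end = plain.find(b"FBNG")
    if end < 0:
        raise ValueError("command data lacks FBNG terminator")
    return cmd.decode("ascii"), plain[:end]


if __name__ == "__main__":
    # Constructed sample: a placeholder C2 path, not the real infrastructure.
    key = derive_rc4_key("c2.example.invalid/list/abcd/")
    print("RC4 key (hex):", key.hex())
    sample = formbook_b64encode(rc4(key, b"Clipboard\r\n\r\nconstructed sample"))
    print("decoded POST body:", decode_post_body(sample, key))
    print(parse_beacon_id("FBNG:134C0ABB 2.9:Windows 7 Professional x86:VXNlcg=="))
    cmd = b"FBNG4" + rc4(key, b"placeholder-command" + b"FBNG")
    print("C2 command:", parse_c2_command(cmd, key))
```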
The malware accepts the commands shown in Table 2.
Command | Parameters (after decryption) | Purpose
‘1’ (0x31) | <pe_file_data>FBNG | Download and execute file from %TEMP% directory
‘2’ (0x32) | <pe_file_data>FBNG | Update bot on host machine
‘3’ (0x33) | FBNG | Remove bot from host machine
‘4’ (0x34) | <command_string>FBNG | Launch a command via ShellExecute
‘5’ (0x35) | FBNG | Clear browser cookies
‘6’ (0x36) | FBNG | Reboot operating system
‘7’ (0x37) | FBNG | Shutdown operating system
‘8’ (0x38) | FBNG | Collect email/browser passwords and create a screenshot
‘9’ (0x39) | <zip_file_data>FBNG | Download and unpack ZIP archive into %TEMP% directory
Table 2: FormBook accepted commands
Distribution Campaigns
FireEye researchers observed FormBook distributed via email campaigns using a variety of different attachments:
PDFs with links to the “tny.im” URL-shortening service, which then redirected to a staging server that contained FormBook executable payloads
DOC and XLS attachments that contained malicious macros that, when enabled, initiated the download of FormBook payloads
ZIP, RAR, ACE, and ISO attachments that contained FormBook executable files
The PDF Campaigns
The PDF campaigns leveraged FedEx and DHL shipping/package delivery themes (Figure 7 and Figure 8), as well as a document-sharing theme. The PDFs distributed did not contain malicious code, just a link to download the FormBook payload.
The staging servers (shown in Table 3) appeared to be compromised websites.
Figure 7: Example PDF campaign email lure with attachment
Figure 8: Example PDF campaign attachment
Sample Subject Lines:
<Recipient’s_Name> – You have a parcel awaiting pick up
<Recipient’s_Name> – I shared a file with you
Shortened URLs:
tny[.]im/9TK
tny[.]im/9Uw
tny[.]im/9G1
tny[.]im/9Q6
tny[.]im/9H1
tny[.]im/9R7
tny[.]im/9Tc
tny[.]im/9RM
tny[.]im/9G0
tny[.]im/9Oq
tny[.]im/9Oh
Staging Servers:
maxsutton[.]co[.]uk
solderie[.]dream3w[.]com
lifekeeper[.]com[.]au
brinematriscript[.]com
jaimagroup[.]com
Table 3: Observed email subjects and download URLs for the PDF campaign
Based on data from the tny.im-shortened links, there were a total of 716 hits across 36 countries. As seen in Figure 9, most of the malicious activity from the PDF campaign impacted the United States.
Figure 9: Geolocation statistics from tny.im URL shortener
The DOC/XLS Campaigns
The email campaigns distributing DOC and XLS files relied on the use of malicious macros to download the executable payload. When the macros are enabled, the download URL retrieves an executable file with a PDF extension. Table 4 shows observed email subjects and download URLs used in these campaigns.
Sample Subject Lines:
61_Invoice_6654
ACS PO 1528
NEW ORDER – PO-074
NEW ORDER – PO#074
REQUEST FOR QUOTATION/CONTRACT OVERHAUL MV OCEAN MANTA//SUPPLY P-3PROPELLER
URGENT PURCHASE ORDER 1800027695
Staging Server:
sdvernoms[.]ml
URL Paths:
/oc/runpie.pdf
/sem/essen.pdf
/drops/microcore.pdf
/damp/10939453.pdf
/sem/essentials.exe
/oc/runpie.pdf
/sem/ampama.pdf
/js/21509671Packed.pdf
/sem/essen.pdf
Table 4: Observed email subjects and download URLs for the DOC/XLS campaign
FireEye detection technologies observed this malicious activity between Aug. 11 and Aug. 22, 2017 (Figure 10). Much of the activity was observed in the United States (Figure 11), and the most targeted industry vertical was Aerospace/Defense Contractors (Figure 12).
Figure 10: DOC/XLS campaign malicious activity by date
Figure 11: Top 10 countries affected by the DOC/XLS campaign
Figure 12: Top 10 industry verticals affected by the DOC/XLS campaign
The Archive Campaign
The Archive campaign delivered a variety of archive formats, including ZIP, RAR, ACE, and ISO, and accounted for the highest distribution volume. It leveraged a myriad of subject lines that were characteristically business related and often regarding payment or purchase orders:
Sample Subject Lines
HSBC MT103 PAYMENT CONFIRMATION Our Ref: HBCCTKF8003445VTC
MT103 PAYMENT CONFIRMATION Our Ref: BCCMKE806868TSC Counterparty:.
Fwd: INQUIRY RFQ-18 H0018
Fw: Remittance Confirmation
NEW ORDER FROM COBRA INDUSTRIAL MACHINES IN SHARJAH
PO. NO.: 10701 – Send Quotaion Pls
Re: bgcqatar project
Re: August korea ORDER
Purchase Order #234579
purchase order for August017
FireEye detection technologies observed this campaign activity between July 18 and Aug. 17, 2017 (Figure 13). Much of the activity was observed in South Korea and the United States (Figure 14), with the Manufacturing industry vertical being the most impacted (Figure 15).
Figure 13: Archive campaign malicious activity by date
Figure 14: Top 10 countries affected by the Archive campaign
Figure 15: Top 10 industry verticals affected by the Archive campaign
Conclusion
While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels. In the last few weeks, FormBook was seen downloading other malware families such as NanoCore. The credentials and other data harvested by successful FormBook infections could be used for additional cyber crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion.
Source: FireEye, “Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea,” by Nart Villeneuve.
Original Post from Security Affairs Author: Pierluigi Paganini
Due to the growing demand for Android banking malware, threat actors continue using Anubis even though its creator has vanished.
Introduction
Besides being the Egyptian God associated with mummification and afterlife, Anubis is also an Android banking malware that has caused quite some trouble for over 300 financial institutions worldwide since 2017.
Anubis II is the Android banking Trojan created and advertised by an actor with the nickname “maza-in”. This malware family goes beyond the well-known overlay attacks by combining advanced features such as screen streaming, remote file browsing, sound recording, keylogging and even a network proxy, making it an efficient banking malware but also a potential spying tool. Effectively, Anubis can be considered one of the most used Android banking Trojans since late 2017.
As banking malware, Anubis operates by tricking its victims into providing personal and sensitive information such as online banking credentials, banking security codes and even credit card details. Many victims do not realise that the malware application does not pretend to be the bank; it mostly hides as a third-party app and therefore remains under the radar of the average user. Disguises used by Anubis were, for example: fake mobile games, fake software updates, fake post/mail apps, fake flash-player apps, fake utility apps, fake browsers and even fake social-network and communication apps.
The malware was rented privately to a limited number of “customers”; criminals willing to use such malware to perform fraud. At the moment of writing, the renting service is supposedly disrupted due to the author being under arrest or having simply vanished with customers’ money, but the malware itself is alive and kicking.
Through this blog post ThreatFabric experts revisit major stages of Anubis’ evolution and explain what changes can be expected on the threat landscape.
Origins: It all started with BankBot
In December 2016 the actor “maza-in” wrote an article named “Android BOT from scratch” in which he shared source code of a new Android banking Trojan capable of sending and intercepting text messages as well as performing overlay attacks to steal credentials.
The article received a lot of attention as it contained sources of both the C2 panel and the Android client (bot), giving actors the tools to create a working banking Trojan with minimum effort. The first malware based on the code from this article was spotted by Dr. Web in Jan 2017 and was dubbed “Android.BankBot.149.origin”. Although being a generic name for banking malware, “BankBot” became the name attributed to all Trojans derived from the shared source code.
Throughout 2017, many actors used BankBot for their fraudulent operations, but without proper support and updates most abandoned the malware months later. Some, however, used the source code to build their own malware. Some examples are:
LokiBot (2017) – the actor behind this malware adapted the original code and introduced ransomware and proxy capabilities
Razdel (2017) – a banking malware that primarily targets Central European banks; it introduced a novel trick to implement overlay attacks
MysteryBot (2018) – another malware from the same actor that was behind “LokiBot”; it introduced a novel keylogging approach and an on-device fraud technique
CometBot (2019) – a copy of the original code with minor modifications, primarily targeting German banks at the moment
Although most actors reusing the original code changed the Trojan into something that suited their respective needs, all of them also kept the original features from the shared code. The list of these original features is very limited compared to recent banking Trojans, but enough to steal personal information from the victims:
Overlaying: Dynamic – C2 based (possibility to remotely modify the list of targeted applications)
SMS blocking (hiding messages from the victim)
SMS sending (capability to send messages from the infected device)
SMS harvesting (possibility to send a copy of all messages to the C2 server)
About Anubis
Rise of maza-in
By publishing the aforementioned article, maza-in earned himself a reputation of Android expert on underground forums. He started to share tips and tricks to help other threat actors deal with technical issues and enhance their own malware. Shortly after the initial article, the actor even conducted an interview with Forbes magazine named “I Want To Expose Google’s Mistakes”, stating that he published the malicious code to improve the state of Android security, by showing design flaws in the system that can be easily abused.
He also frequently reviewed each new Android banking Trojan available for renting. In his reviews, he evaluated the technical capabilities and provided his opinion about the actor. Later, a review by maza-in almost became a de facto step to start rental of Android banking malware, as users of forums were asking for the review before they would buy/rent a new Trojan.
Although claiming to have the most noble intentions, maza-in also pursued more nefarious goals. Information from forums shows that at the same time he shared the code of the Trojan in the tutorial article, he was developing a “full” version of the Trojan privately. After some time he started to privately rent it.
The malware was heavily enhanced compared to its original version, adding modern overlaying techniques, device screen recording and streaming, a network proxy feature, keylogging and the ability to steal files from the infected device. maza-in named the malware Anubis and used the following logo in his advertisement of the malware:
The list of bot features below shows how much maza-in improved upon the original shared BankBot code to create (the latest version of) Anubis:
Overlaying: Static (hardcoded in bot)
Overlaying: Dynamic (C2 based)
Keylogging
Contact list collection
Screen streaming
Sound recording
SMS harvesting: SMS forwarding
SMS blocking
SMS sending
Files/pictures collection
Calls: USSD request making
Ransomware: Cryptolocker
Remote actions: Data-wiping
Remote actions: Back-connect proxy
Notifications: Push notifications
C2 Resilience: Twitter/Telegram/Pastebin C2 update channels
In addition to the new features and improvements made, Anubis also has a larger (default) target list. In the Appendix you can find a full list of apps targeted by Anubis (437 applications in total).
Distribution
As a rented Trojan, Anubis was distributed using a wide range of delivery techniques:
Google Play campaigns: using self-made or rented droppers, actors were able to bypass Google Play security mechanisms and spread the Trojan through the official app store, potentially infecting thousands of victims at a time.
Spam campaigns: using SMS or email, actors sent messages to social-engineer the victims with a request to install or update some legitimate application, instead linking to the malware.
Web redirection of the victim to a fake landing page containing a request to install or update some legitimate application, instead linking to the malware; this used advertisements on websites, hacked sites, traffic exchanges and other black-hat SEO methods.
It is in the interest of the actors to infect as many devices as possible as it increases the chances to commit fraud successfully. The problem for Play Store users is that even without being social-engineered, due to the increasing number of Google Play malware campaigns, the risk of downloading a dropper mimicking a benign application has increased significantly. Therefore the statement “only download apps from the official app store” is not enough to remain safe from malware.
Recent updates
The rental of Anubis II was open from Q4 2017 until February 2019. During Q1 2019, the actor maza-in vanished from the threat landscape, leaving existing customers without support and updates. Although exact details about the vanishing of the actor remain unclear at the time of writing, a chain of events confirms that some abnormal activity took place around Anubis and its author:
On December 13, 2018, maza-in announced the release of Anubis 2.5, seemingly only redesigning the backend web interface while actually stating that he had rewritten the whole bot code.
On January 16, 2019, Anubis code was leaked on an underground forum (both backend code and an unobfuscated APK).
On February 14, 2019, for the first time an Anubis sample targeting Russian banks only was spotted (indicating a new campaign / new operator).
On February 25, 2019, complaints from Anubis customers appeared on underground forums stating that maza-in and Anubis support no longer replied to messages.
On March 04, 2019, the admin of one underground forum stated that maza-in had been arrested. Shortly after this, accounts of maza-in were banned on multiple forums.
During March 2019, the actor Aldesa (who shares a connection with maza-in) created a post to sell the so-called “Anubis 3” malware on an underground forum. His post was removed by the admin quite quickly.
We can conclude that the Anubis Trojan is no longer officially rented. However, ThreatFabric experts have observed certain Anubis customers having access to the builder and admin panel, which explains why the operations have not been totally disrupted.
Although it is hard to say why maza-in really vanished, the fact that some code has been leaked combined with recent observations of unobfuscated Anubis samples in the wild, may suggest that the malware will be used by other actors and thus remain active.
What we learned from history
In the past, several other banking Trojans have seen their operations being disrupted and/or source code leaked. It often results in a decrease in the operations and number of samples generated, but most often activity resumes after some quiet time.
There might be some explanations to this such as actors/operators being scared of sudden changes, possibly indicating take-downs or arrests; the time needed to get hands on the right resources and accounts to resume operations; delay between the moment operations stop and leaking of source code; etc… In some cases, the calm after the storm resulted in some new variants appearing on the threat landscape, indicating the delay was probably due to the need for other actors to build their own malware version/variant based on the leaked code.
Marcher
In 2016, the operations of another popular Android banking malware named Marcher were disrupted in a similar way to what happened to Anubis. The actor behind the Marcher Trojan got banned and the renting service was discontinued. The renting model of that Trojan allowed purchase of the APK (bot) builder, therefore a number of Marcher actors obtained the source code of the admin panel and the bot itself.
Some of them resold the sources and some of them used them as a base for their own banking malware; therefore, although operations were disrupted, the Trojan remained active for a while and new malware families emerged. Examples of modern families based on Marcher are:
ExoBot
Gustuff
DiseaseBot
Bubabot
Neobot
Even now it sometimes happens that some new Marcher-based Trojans appear on the threat-landscape.
The story repeats itself
Looking at the current situation for Anubis, several scenarios are possible:
Actors having access to the relevant resources continue using Anubis in its current state
Some actor or actor group steps in and becomes the new maintainer of Anubis, and business starts over
Actors stop using Anubis and wait for some new banking malware to become available
Actors having access to the relevant resources start to modify and improve the existing code base to create their own malware
As mentioned before, Anubis itself is based on the Bankbot Trojan, which was made public on purpose. This resulted in the appearance of at least 4 distinctive malware families/variants as shown in the picture hereunder:
We can say that Anubis itself also sprung into existence from the publicly available BankBot code. Considering the increasing demand for Android banking malware and the fact that unobfuscated versions of the bot and the code of the admin panel of Anubis are publicly available we can definitely expect similar events.
Anubis statistics
As Anubis is a rented banking Trojan, each buyer/operator can decide the effective list of applications the Trojan should target. This results in many different campaigns with different objectives.
Although there have been several different campaigns targeting different sets of applications, when considering the average Anubis sample, the number of targets is approximately 370 unique applications.
Target locations
Based on the countries for which the targeted applications are made, it is possible to make statistics of the number of targets per region.
As can be seen in the following chart, there is a strong interest in institutions providing services in Europe, Asia and the Americas:
When we narrow this down to subregions, we can see that the targets are in fact institutions active in Europe, West Asia, North America and Australia.
Interestingly, those locations match banking malware’s “usual suspects”; many of the previously observed banking malware families have been seen primarily targeting financial institutions in those subregions.
Anubis has been targeting applications from financial institutions present in more than 100 different countries. The top 20 victim countries are visible in following chart:
Keep in mind that statistics can be slightly biased due to certain applications serving a large number of different countries.
Target types
Based on the application categories that Google assigns to the targeted applications, we can see that although the Anubis Trojan is a banker and therefore mainly targets “Finance” apps, it also has an interest in other types of apps.
As visible in the following chart, the application types in second and third position of interest are “Shopping” and “Business” apps, which can be explained by the fact that it shouldn't look suspicious to the victim when such applications request an update of payment details or other sensitive information.
After “Finance” apps, the app types of second choice are “Shopping” and “Business”, followed by “Tools”, “Communication” and “Social” apps. Therefore, understand that although such malware is called banking malware, its aim is to perform fraud, and it therefore targets more than only financial apps to achieve its goal.
In conclusion, what’s next
Considering the growing demand for Android banking malware, we can definitely expect actors to continue using Anubis. Although the creator has vanished the threat is still real; the malware will continue to operate and provide its advanced features to ill-intentioned actors.
We can expect the following events to take place:
Anubis customers having sufficient resources will continue to use the Trojan.
As some actors have access to both the Anubis admin panel and builder, it is likely they will try to sell it themselves.
Some disgruntled customers having access to the sources might leak additional code and resources as retaliation.
As it is known that some actors have access to the right resources, we can expect some enhancements and maybe even new features.
If those events indeed take place, it will result in new actors using Anubis, new campaigns and maybe even new malware variants or malware families based on the Anubis code.
Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud; Anubis is only one of the many Trojans active in the wild!
Further information, including Anubis II samples, is reported in the original analysis published by ThreatFabric.
https://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife.html
Pierluigi Paganini
(SecurityAffairs – malware, Anubis II)
The post Anubis II – malware and afterlife appeared first on Security Affairs.
Original Post from Talos Security Author:
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Feb. 22 and March 01. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Win.Malware.Bladabindi-6872031-8 Malware njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim’s webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Malware.Vbtrojan-6871444-0 Malware This is a malicious tool used to exploit Visual Basic 5.
Win.Malware.Ekstak-6871246-0 Malware This malware persists with SYSTEM privileges by installing itself as a new service called “localNETService.”
Win.Trojan.Zbot-6871232-0 Trojan Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
Win.Trojan.Bifrost-6871028-0 Trojan Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. In order to mark its presence in the system, Bifrost uses a mutex that may be named “Bif1234,” or “Tr0gBot.”
Doc.Malware.Emotet-6866090-1 Malware Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Threats
Win.Malware.Bladabindi-6872031-8
Indicators of Compromise
Registry Keys
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
System\CurrentControlSet\Services\NapAgent\Shas
System\CurrentControlSet\Services\NapAgent\Qecs
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
System\CurrentControlSet\Services\NapAgent\LocalConfig
SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
Software\76cbed672042da4827cdb3dabad9650b
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 76cbed672042da4827cdb3dabad9650b
SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 76cbed672042da4827cdb3dabad9650b
Mutexes
N/A
IP Addresses contacted by malware. Does not indicate maliciousness
75[.]115[.]14[.]18
Domain Names contacted by malware. Does not indicate maliciousness
aaasssddd[.]ddns[.]net
Files and or directories created
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\5489098719807719809090807918.exe
%LocalAppData%\Temp\rat.exe
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\76cbed672042da4827cdb3dabad9650b.exe
%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\5489098719807719809090807918.exe
File Hashes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Screenshots of Detection
AMP
ThreatGrid
Win.Malware.Vbtrojan-6871444-0
Indicators of Compromise
Registry Keys
N/A
Mutexes
N/A
IP Addresses contacted by malware. Does not indicate maliciousness
N/A
Domain Names contacted by malware. Does not indicate maliciousness
N/A
Files and or directories created
%LocalAppData%\Temp\Ahk2Exe.tmp
%LocalAppData%\Temp\AutoHotkeySC.bin
%LocalAppData%\Temp\dnfahk.tmp
%LocalAppData%\Temp\upx.exe
%SystemDrive%\ReadMe.txt
%SystemDrive%\SetInterval.bat
%SystemDrive%\keyboard.reg
File Hashes
Screenshots of Detection: AMP, ThreatGrid
Win.Malware.Ekstak-6871246-0
Indicators of Compromise
Registry Keys
SYSTEM\CONTROLSET001\SERVICES\localNETService
SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: Start
SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: ImagePath
SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_42632
Mutexes
N/A
IP Addresses contacted by malware. Does not indicate maliciousness
216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
N/A
Files and or directories created
%AllUsersProfile%\localNETService\localNETService.exe
%LocalAppData%\Temp\tsc131118.dat
File Hashes
Screenshots of Detection: AMP, ThreatGrid
Win.Trojan.Zbot-6871232-0
Indicators of Compromise
Registry Keys
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe
Software\Microsoft\Internet Explorer\PhishingFilter
SOFTWARE\MICROSOFT\Qaygra
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Nabu
Mutexes
N/A
IP Addresses contacted by malware. Does not indicate maliciousness
23[.]253[.]126[.]58
104[.]239[.]157[.]210
Domain Names contacted by malware. Does not indicate maliciousness
macrshops[.]eu
Files and or directories created
%LocalAppData%\Temp\tmpa9735385.bat
%AppData%\Icda
%AppData%\Icda\ehday.exe
%AppData%Vyarqeerezu.loe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp2ad79550.bat
%AppData%Kybaryisl.ubo
%AppData%Leveyhqy.exe
File Hashes
Screenshots of Detection: ThreatGrid, Umbrella
Win.Trojan.Bifrost-6871028-0
Indicators of Compromise
Registry Keys
SOFTWARE\Bifrost
Software\Bifrost
Mutexes
\BaseNamedObjects\Bif1234
IP Addresses contacted by malware. Does not indicate maliciousness
148[.]81[.]111[.]121
204[.]95[.]99[.]100
Domain Names contacted by malware. Does not indicate maliciousness
xyinyb[.]com
rfyeoc[.]com
owiueu[.]com
paredx[.]com
qlotay[.]com
vlocie[.]com
wbrthv[.]com
pozswe[.]com
kucqey[.]com
tnsamu[.]com
pydquj[.]com
lbeewo[.]com
pkoitz[.]com
ufhspo[.]com
qyevsy[.]com
qsayev[.]com
yvmoie[.]com
lybcri[.]com
ypauhr[.]com
qdhoas[.]com
Files and or directories created
%System32%\drivers\etc\hosts
%ProgramFiles%\Bifrost\server.exe
File Hashes
Screenshots of Detection: ThreatGrid, Umbrella
Doc.Malware.Emotet-6866090-1
Indicators of Compromise
Registry Keys
SYSTEM\CONTROLSET001\SERVICES\startedturned
SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
Value Name: Start
SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
Value Name: ImagePath
Mutexes
N/A
IP Addresses contacted by malware. Does not indicate maliciousness
212[.]83[.]51[.]248
159[.]65[.]186[.]223
74[.]59[.]106[.]11
Domain Names contacted by malware. Does not indicate maliciousness
lenkinabasta[.]com
Files and or directories created
%UserProfile%\880.exe
%WinDir%\SysWOW64\d1Ltzcv.exe
%LocalAppData%\Temp\CVR3F73.tmp
%LocalAppData%\Temp\ysrbsuxx.yb3.ps1
%LocalAppData%\Temp\zh5htpos.q5s.psm1
File Hashes
Screenshots of Detection: AMP, ThreatGrid, Umbrella
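The IOC sections above are meant to be hunted, not just read. The Python below is an added example (not part of the Talos roundup or of this repost): it parses an excerpt written in the roundup's own section layout, refangs the "[.]" notation, expands the %AppData%-style placeholders Talos uses into regexes over real paths, strips hive and SID from Sysmon-style registry targets (Talos lists keys without either), and matches the result against constructed sample telemetry. The excerpt, the placeholder expansions, the event field names and the sample events are all assumptions made for illustration; Sysmon has no mutex event, so the mutex check assumes EDR or sandbox telemetry that reports mutex names.

```python
import re

# Constructed excerpt in the roundup's own IOC layout (path separators restored),
# using indicators from the Bladabindi and Bifrost sections of the post.
ROUNDUP = r"""
Win.Malware.Bladabindi-6872031-8
Registry Keys
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 76cbed672042da4827cdb3dabad9650b
Domain Names contacted by malware. Does not indicate maliciousness
aaasssddd[.]ddns[.]net
Files and or directories created
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\76cbed672042da4827cdb3dabad9650b.exe
Win.Trojan.Bifrost-6871028-0
Registry Keys
SOFTWARE\Bifrost
Mutexes
\BaseNamedObjects\Bif1234
IP Addresses contacted by malware. Does not indicate maliciousness
148[.]81[.]111[.]121
Files and or directories created
%ProgramFiles%\Bifrost\server.exe
"""

SECTIONS = {"Registry Keys": "registry", "Mutexes": "mutex", "IP Addresses": "ip",
            "Domain Names": "domain", "Files and or directories": "file", "File Hashes": "hash"}
THREAT_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+\.[\w.-]+-\d+-\d+$")  # e.g. Win.Trojan.Zbot-6871232-0
HIVE_RE = re.compile(r"^(HKEY_[A-Z_]+|HK[A-Z]{1,2})\\(S-1-[\d-]+(_Classes)?\\)?", re.IGNORECASE)
# Assumed expansions of the placeholders Talos uses, for an x64 host; adjust to your fleet.
ENV_RE = {"%AppData%": r"C:\\Users\\[^\\]+\\AppData\\Roaming", "%LocalAppData%": r"C:\\Users\\[^\\]+\\AppData\\Local",
          "%UserProfile%": r"C:\\Users\\[^\\]+", "%AllUsersProfile%": r"C:\\ProgramData", "%SystemDrive%": r"C:",
          "%ProgramFiles%": r"C:\\Program Files( \(x86\))?", "%WinDir%": r"C:\\Windows", "%System32%": r"C:\\Windows\\System32"}


def refang(s):
    return s.replace("[.]", ".")  # undo the roundup's defanging: 148[.]81[.]111[.]121 -> 148.81.111.121


def parse_roundup(text):
    """Return {threat_name: {ioc_type: [indicator, ...]}} from roundup-formatted text."""
    iocs, threat, kind = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Indicators of Compromise", "N/A"):
            continue
        if THREAT_RE.match(line):
            threat, kind = line, None
            iocs[threat] = {k: [] for k in SECTIONS.values()}
            continue
        header = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        if header:
            kind = header
        elif threat is None or kind is None:
            continue
        elif kind == "registry" and line.startswith("Value Name:"):
            # "Value Name:" belongs to the key on the preceding line; store it as key\value
            iocs[threat]["registry"][-1] += "\\" + line.split(":", 1)[1].strip()
        else:
            iocs[threat][kind].append(refang(line))
    return iocs


def path_regex(ioc_path):
    # '%AppData%\...\x.exe' -> case-insensitive regex over real on-disk paths
    pattern = re.escape(ioc_path)
    for var, rx in ENV_RE.items():
        pattern = pattern.replace(re.escape(var), rx)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matches(kind, ioc, ev):
    """Does one event match one indicator? The rule depends on the IOC type."""
    if kind == "registry" and ev["event"] == "registry_set":
        tgt = HIVE_RE.sub("", ev["target"]).lower()  # Talos omits hive and user SID
        return tgt == ioc.lower() or tgt.startswith(ioc.lower() + "\\")
    if kind == "file" and ev["event"] == "file_create":
        return bool(path_regex(ioc).match(ev["path"]))
    if kind == "mutex" and ev["event"] == "mutex_create":  # EDR/sandbox telemetry; Sysmon has none
        return ioc.rsplit("\\", 1)[-1].lower() == ev["name"].lower()
    if kind == "domain" and ev["event"] == "dns_query":
        return ioc.lower() == ev["query"].lower()
    if kind == "ip" and ev["event"] == "network_connect":
        return ioc == ev["dst"]
    return False


def hunt(iocs, events):
    """(event_index, threat, ioc_type, indicator, weight) for every match. Network hits are
    'context' only: the roundup says a contacted IP or domain does not by itself indicate maliciousness."""
    return [(i, threat, kind, ioc, "context" if kind in ("ip", "domain") else "strong")
            for i, ev in enumerate(events) for threat, table in iocs.items()
            for kind, lst in table.items() for ioc in lst if matches(kind, ioc, ev)]


# Constructed sample telemetry (Sysmon-style fields); events 0 and 4 are benign.
EVENTS = [
    {"event": "registry_set", "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"event": "registry_set", "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\76cbed672042da4827cdb3dabad9650b"},
    {"event": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76cbed672042da4827cdb3dabad9650b.exe"},
    {"event": "dns_query", "query": "aaasssddd.ddns.net"},
    {"event": "dns_query", "query": "update.microsoft.com"},
    {"event": "file_create", "path": r"C:\Program Files (x86)\Bifrost\server.exe"},
    {"event": "registry_set", "target": r"HKLM\SOFTWARE\Bifrost\klg"},
    {"event": "mutex_create", "name": "Bif1234"},
    {"event": "network_connect", "dst": "148.81.111.121"},
]

if __name__ == "__main__":
    for hit in hunt(parse_roundup(ROUNDUP), EVENTS):
        print("event %d: %s %s %s [%s]" % hit)
```

Run as a script it prints seven hits, five of them "strong" (Run-key value, startup-folder drop, Bifrost install path, a value under SOFTWARE\Bifrost, and the Bif1234 mutex) and two "context" (the DDNS lookup and the Bifrost IP). The two benign events produce nothing. A bare Run key such as SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN without its value name would match every autostart entry on the host, which is why the parser joins "Value Name:" onto the key before matching.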
Source: Talos Security, Threat Roundup for Feb. 22 to March 1. Original post excerpt: Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb.