Tumgik
Visit Blog
Explore Tumblr blogs with no restrictions, modern design and the best experience.
Fun Fact
In 2020, 44% of users from Denmark used Tumblr daily.
#CoDN Week 5
cultofdionysusnet · 1 year
Text
ೄྀ࿐ ˊˎ- Ficrec Week 5: Strangers To Lovers
Tumblr media
ATEEZ
four in the morning. by @ateezmakemeweep (M)
violet roses by @bngchnsi (M)
Fic 3: 'You're Such A Tease' by @whatudowhennooneseesyou (M)
Kishi Kaisei by @flurrys-creativity (M)
My Heros by @anyamaris
Addicting Kitten by @tenelkadjowrites (M)
♥ Lonely in Gorgeous ♥ by @tenelkadjowrites (M)
Everyday at the Bus Stop ♡ by @tenelkadjowrites (M)
Stray Kidz
-
Tomorrow X Together
-
Others
-
#cultofdionysusnet#ೄྀ࿐ ˊˎ- Fanfiction Recommendations#CoDN Week 5#Strangers to Lovers AU#strangers to lovers au#strangers to lovers#ateez#stray kids#txt
9 notes · View notes
lbcybersecurity · 7 years
Text
Threat Round-up for Apr 21 – Apr 28
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net. This week's most prevalent threats are:
Doc.Macro.MaliciousHeuristic-6298845-0 Office Macro Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for code associated with hiding the core functionality by including junk code.  
Win.Dropper.DarkComet-6301230-0 Trojan/RAT dropper This is a malware dropper. It currently drops the DarkComet RAT. The file is a slightly modified version of wextract.exe, a legitimate Windows tool to unpack archives. The malware payload is stored in the resource section of the binary. The dropper binary is actually a multi-format file, and can be interpreted both as a PE executable as well as a cab archive. The modified Windows binary will extract the payload binary from itself and run the extracted file.  
Win.Trojan.ServStart Trojan ServStart is a trojan that installs a persistent service on the victim’s machine. The service exfiltrates information about the infected computer including machine name, username, keyboard language, and computer performance specifications. The malware server can respond with commands to download and execute files, or execute shell commands. ServStart has been observed using multiple dynamic DNS providers for its command and control infrastructure.  
Win.Trojan.Agent-6298180-0 Trojan (credential stealer) This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.  
Win.Trojan.PWS-6299789-0 Password stealer, injector PWS (also known as Fareit or Chisburg) is a credential & sensitive information harvester. Select information such as banking credentials or web browser password databases are queried for on the infected host. Any discovered data is propagated to a C2. These recent samples are protected with the Armadillo packer & rely on both code injections & dropped VBScript code.  
Win.Dropper.Emotet-6301061-0 Dropper This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker.
Threats
Doc.Macro.MaliciousHeuristic-6298845-0
Indicators of Compromise
Registry Keys
N/A
Mutexes
N/A
IP Addresses
N/A
Domain Names
storefronts[.]pl
File Hashes
23b90b1c55fdbbd371655da0ccf359e891deb51ed5bbc0ac772c5d572f4b3a42
2471636a92daa0a54095aa66b55ad2fea5fd5d6372b0be9d65d1d1e2cef31bd5
2b24221aabc8cd18e756a579b29a005fc9c33213f5ec963b9b6ccf4e6187b23b
4b781b8370f973b9204b44c8ce3615692fc66c1613967a44924984d35fba7bc4
4ee6b9bb8e903bed9a82c7dad6d62163e3a4f759ade5f5f8fcf899945bfd9264
564c37dcd8322bd6e8cabc788f982a35f7d3e335c3d736ce544fc17a6b090183
59b54e7c4e052adbc1d64dc61623af6f55db1a8692b373cb6ca871ba087feaac
6930d456c506c94b9e19a08659181b7d376254dca652d0e56c305764867578d2
6a0eae0addd6ce84966ac1bd006e9582036eaaa1011a38190f700871cc37de24
7045d8f339cab73cf0ec7f31a7b3a31a84057f0b275f789f4bfed9dffee35564
7638745d08de218fa16e9c0828ed0a1139223d3ebddf4bb528bc3ae185cea90e
81cdded9aa21513ad9c6ae04455a7fce68129135f3358b9c5e28a80139e78f21
93472e054b4b4fcc54a71a32b6275f8b35c8ef84490248d21c094f19a537c773
a0bfeb90468ddf50a3c85d5074e002b1d89995d6377eceeb0781ba5292facbcc
b3dfdfcfea160ed34eb69da55909294f78d2b5a6320cbf5151a3da01c6449631
c185559d0a38e782167beacff78a7a72544d82890b5e5723e6a25a70e6e16d59
d2c1b89129e3e26544bfbef3fac4567c3629817a98ded9ce5c7dee485d0364a9
f2e4fe273c4a8cc1cd7799d5558c58b8a08dfe160235dfa2eb2a8bad9bba40aa
02481825e922c38ba797ebc18d5a8273ede8c5a4d52eecd2f58eb569533d780b
06736e5f3127a54bbe6bb25f4a82ca95371e5cc8654a893c02d3d4e677e0b916
21b039f3171f26911290dad3e1ce0da6d6d3545e11f9a119408922ac2ae06db6
2643f9f8dce45983eac80feeebd16adbd498e3a644ef8b05bc40448be9342ddf
2ac6b5487c69427476b48bcbbddd7646842e02363a0d4ebe1b1998da6d1f55a8
2dad87b69ee91bfa71d911b791e5468efb6ce689ccc4cde3e91626cbfcfc14ab
2f4853b54c36adf9ca9fbb163dacedee78b6b027fac3c24c72120e9d8cc6f01e
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.DarkComet-6301230-0
Indicators of Compromise
Registry Keys
N/A
Mutexes
N/A
IP Addresses
N/A
Domain Names
N/A
File Hashes
05C8DE4B97737440913F5C714082AD647281FA50F1904B1BF11EDB8560294FAC
07D9D6DA8C6CD162DD9FC78AC48EAF82BC49D4239908AF354E44C4822FE06D62
099ADD24586D77C5F2B8EFB9C33A8A11B5A0C11001A8534D9635A674ADC260AD
0A155F4F20367E4D23B6D238208FA5F943A1341E47BDBB2DBC520CCB27AD120B
150420EDB4BF00DADCF71601781DBE3BD6E34CBA767153B9F82307EDDF391395
15F2BB3B4A12A6F5B0965FDE62AE21B2796D7659BBA8011FC22AF40D465984BE
318B2A4F06345E95C63E4623F52E0E7C57257548C74E0C7A272FCB64D3F49692
4B0BB06E09ED0B2EDB085641E125490E9B1A6CC5652C05C77C78E47CF9448D35
507874BA705282183F928D3AE11ED5497A0F1EAC3368DE75C392D17749CB8EE9
55FDFC65C0C10A958239E0447E5696989FE66557437EB725849BB578D882D74E
5D31C073C4B7322A7DE871D533D520DE2444466D0C944CB06F6244D2CE57D49D
6597E2DD82FC203BA2C609B358B2E0CAE37A4309808626DA27BD58614077D646
6A23031FDD70C6D57D8FE9C8D3EFE6A423C38BF2D46B9B24959E5CA7D0714FCA
6C652B0E4998456F150515EBF50CA569CF373BA709442F6909DD7D4330C83D2E
6EB12C46F0605D8F915C8E895FC70D189D9E8825775EBDB464A9A24834887E60
776B2679819B1E0385E1630EEEC50190DAAAEC0EEF9F659EE728C47991FABFBB
77FA104262E3FF983B3418540FF744E0EAAE5E66388333ED785EF6F5AA2801F9
7D6765A1F6589A554457D9363F702F65E81DDDA52EB62C600250E0F94C473A16
8590486CD299DAA9BF42497EF28028364E4E18B6C60B725736A7D2DDC73BBC2F
92EABA06563800BA670249E90D91C32F9D315889439BCAA73F24D2C08E285B84
Coverage
Detection Screenshots
AMP
ThreatGrid
Win.Trojan.ServStart
Indicators of Compromise
Registry Keys
HKLM\SYSTEM\CONTROLSET001\SERVICES\NATIONALLWC\Description "Providesufl a domain server for NI security."
Mutexes
Nationallwc
IP Addresses
N/A
Domain Names
syhaw1516.codns[.]com
wrop0422.codns[.]com
ansbase.9966[.]org
File Hashes
fbbc6852ff1947fcd820b90e60ab71af93ffad079bd13a0d2b514955bb1c9d62
40eddfac964b69ee2e26742faaacfe50960fa0232a1b9a11c382e61cecd700ff
6106eda3ae39449fec42db2caf4f1b5f994d72b5a759dddfd77a8a29ebb3f497
c106435a2aced27d03ee5531eda025b14cec106106a1c7ca750127090f6d2039
8d4366eff17da1c18ab3fed1692628756a8f41f3145877f895b7ef950055262f
3be7ab79f032cf24b09fc05b08544fd61ec7e3fd355f8ab7b4580eb43d8c3e55
ff6b7320d6b75a638c0f2d024f43853dd78993276a8f6b5f7463d6317858dd9c
c9a193d273f606860bee0dd4a878a6421233b05ac4c6faf357d9324f0d6a575a
932d8d5829570237e9ab7688dd2d3c03812a05157f72af124cabf530be583789
ba07a79a2f4d51eaac585b0f50e3b1e61d8fc555592aadb1e5d3916fb26b0e27
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Win.Trojan.Agent-6298180-0
Indicators of Compromise
Registry Keys
N/A
Mutexes
N/A
IP Addresses
212.129.14[.]211
Domain Names
tranexestin[.]com
File Hashes
afc3ba4941b89a4467e2f1a4ab0df2c88ef5e39264182a4b3a2dbbfa5b022e3f
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Win.Trojan.PWS-6299789-0
Indicators of Compromise
Registry Keys
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
\MACHINE\Software\Wow6432Node\Microsoft\Tracing
\MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASMANCS
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Visual Basic\6.0
\MACHINE\Software\Wow6432Node\Microsoft\Tracing\tmpVtFw4a_RASAPI32
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
USER\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\Visual Basic
USER\S-1-5-21-2580483871-590521980-3826313501-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
Mutexes
N/A
IP Addresses
92.53.96[.]120
Domain Names
cv42569.tmweb[.]ru
File Hashes
dddde27836842e0f950b5622e1be7a0f51072db573b2f2e41d20d4b4c45028d8
dc086f745c35b2abe58675e546b475ed64f15ea6e9d4492a0502476f784ea85c
97cd05c529002b85ae756a9e7b7da7a538026583f0886a235cf48b72c378551a
2992c6ce7ccda6fef751a912eafb8a31e3426bde8964ccf31b0512390bd61615
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
Win.Dropper.Emotet-6301061-0
Indicators of Compromise
Registry Keys
N/A
Mutexes
N/A
IP Addresses
188.165.220[.]214
Domain Names
N/A
File Hashes
f566fdc382f6988599cb16894d8a9a92e291d83574834de705d6367b520b6b50
dda1fffa38e3f9d30833d201b542422aed15a41253b2a72797ad38dfba8fe535
6d4fa878e2930cb3bedc2078855f6d7db7b6b136464f6dff256d8c62657b505f
8ad1c1655d6d3b2a4931ae2dd9eb4e3b7be488a7f39b9c396fe1eeda2eda05a7
c0e8a92ba6ce12d803ecfccd01432f855e6fd9ad19825602a74a081459e25389
5598fdcc6c0c2e7bdb095193a5f986e6cf22fdcca26c2e8451c46d787ef18435
Coverage
Detection Screenshots
AMP
ThreatGrid
Umbrella
from Threat Round-up for Apr 21 – Apr 28
0 notes
Last Seen Blogs
morceaux
fearlived-blog
* LET'S FUNK DOWNTOWN.
michaelvernon
Michael E. Vernon
dmbluerose
my blog
fedaytripper
Senza titolo