#openProxy

2024-10-27

Trying something new with #GitHub and posting my spam #UCE #UBE and suspect / #malicious #emails and their associated attachments. Putting everything in a #mastodon post was problematic with space limitations, and was hard to find/organize/search.

Providing the redacted headers and URLs to the malware sandboxes used:

github.com/obrientg/Analysis/b

Received two (2) of the same samples, with different file names & hashes but the same detection of JS/Phish.AAL
Both were sent to the email address I use for threat intel & incident response collaboration efforts.
Email SRC on both was Google Cloud (#GCP) with an #openproxy, abuse reporting submitted.

#MD5 5cf33dd39d6db60423ac89fd63e5f500
#SHA1 863c95b7e7ff0bb8299cbae93dfaed12cc619332
#SHA256 c4e40b137e43c89261ee89a34db843477a8c994a21a92c98c7b15193face8c35

#MD5 8a9af78b0a4cdade6df9f71e7e5b1362
#SHA1 b03fdf0891adacc1995fdd1e2f043343c20a45e5
#SHA256 317aaea9d9ef39c9b85b9ce6e0f68ec83a06b2f3298aded981b19063b2f44737

#malware #incidentResponse #malwareAnalysis
#InfoSec #informationSecurity #cybersecurity #cyberz #cyber #cybercrime
#phish #phishing
#threatIntel #IoC #threatIntelligence #cyberthreatintelligence #CTI

2024-04-29

Today’s #malware sample is in #Spanish, leveraging a #ezmlm mailing list on the back end at facturanuevagenerada [DOT] com, which does not have an associated web site – just a placeholder.

#email #SRC 62.149.155.137 assigned to #aruba.it, a hosting provider over in the #EU

Of interest:
#User-Agent: #Roundcube Webmail/1.6.0

#IP is not listed as an #openProxy

#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse
#filescan #virustotal
1/3

2024-04-25

Today’s #malware sample is another #DHL spoof, in #Spanish and #pretending to be an individual in #Spain
#email #SRC 192.190.220.159 assigned to #liquidweb.com
their abuse address has bounced all #spamcop reports
#IP is listed on dnsbl.sorbs.net as #openProxy
Archive unpacked: DHL_ES567436735845755676678877988975877.7z (#application/x-rar-compressed; version=5, 4.80 kB)
#MD5: 594d7d00d0e80e84754b39b29a5347c8
#SHA1: f5b4828c76d936a5f53e361086f8c787b1d1f2a4
#SHA256: 99646928c1a35686a0067fb6c506ec0bb03e4a0ff9cd108158ada19babb90895
#SHA512: ec1279a7484e0c440823547887dc09807c29ef35501d292463701fca67d4f9965c190070f239fa0ffeb0b14a72d8ad85a6991866bd5fa419106acc081e3e95b5
filescan.io/uploads/662aad6e54
#VT - 11/62 detection rate as trojan.suspar
virustotal.com/gui/file/996469
#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse
#filescan #virustotal

2024-04-20

#malware received 4/18/2024 under the guise of a purchase order from 51.81.91.105 : ovh.us
Not listed as an #OpenProxy

This had 2 #zip file attachments:
The first is detected by my endpoint #AV/#EDR as #Trojan.GenericKD.72435855 Filename: PO_APRIL007.zip

The second is:
Archive unpacked: company profile.zip (#application/zip, 1.26 kB)
#MD5: a11c889ac7a9b4a151316687e5470fd2
#SHA1: 539338d7ca7091aa3d4486702c7cc7f8f2f14d98
#SHA256: b72bb3fe7f6fcc48350382a261b42000832bcde7332d94bf8b0257bf54e5e7f7
#SHA512: 283a88b8acee1f1ca17a75b81bc02dd1fd5dff3df6d7b396d51e1455e9dc342fb075053cbefd848f3f0dba89f76ade6a1868bd1ad6be761de8187e39e0d935c3

filescan.io/uploads/66241c1631

Only 6 detections via #VT as #trojan.sload
virustotal.com/gui/file/b72bb3

#spammers #scammers #malicious #suspectfiles
#malware #triage
#spam #infosec #infomantionSecurity #virustotal

2024-04-20

The #malware from 4/18/2024

#SRC is 172.245.57.147 : chicagovps.net
Not listed as an #OpenProxy

Archive unpacked: Inquiry 2088547 Avalon Network Systems LLC.rar (#application/x-rar-compressed; version=5, 556.55 kB)
#MD5: 37dcfab00331d6dbb612c8f03be90d55
#SHA1: cd7b3a4ef9668e13b94f7ecc94be59a1ec8bcee5
#SHA256: 28bd31f45151295768edd82659f00eb3237c64467c6d5e9ddd8d1054223852bb
#SHA512: de34a9fe1c18a2561cce0c62591dc66dc0e7b547c970218dae7f4fa292cdf4bf714ef48d7eed136cb5df26ac935d3657711b6772945839af99facb99f49eaa84

filescan.io/uploads/6622e9f275

#VT detections sit at 15
virustotal.com/gui/file/28bd31

#spammers #scammers #malicious #suspectfiles
#malware #triage
#spam #infosec #infomantionSecurity #virustotal

2024-04-16

The other bogus #attachment is a #fakeInvoice from #geeksquad

the #fraudster call center numbers are:
844-799-3440
719-297-8098

#MD5: 073d0627ecd901979b2f7daca3812ccb
#SHA-1: 91279035cd7c98e900cb61ed7c2567701d9d1e41
#SHA-256: 70c263efabeb149c9d9d91c4d2f21162ad5f9537eb59cfa0b922780465dcc7c1

Bill5252067237.pdf

virustotal.com/gui/file/70c263

filescan.io/uploads/661f0200c5

The #SRC #IP of the email was 72.11.157.148, an #openproxy at (of course) #quadranet

#spammers #scammers #malicious #suspectfiles
#malware #triage
#spam #infosec #infomantionSecurity #virustotal

Patryk Krawaczyński (agresor@infosec.exchange)
2022-11-14

FiXato (fallback) (FiXato)
2019-07-09

also, the new IP we got assigned last night by apparently is blacklisted at due to an back in 2017. I've already requested a removal, but that'll probably take a while to be processed.
Already tried power cycling the modem twice, but unfortunately that didn't seem to release the lease.

Server: https://mastodon.social