Joined December 2015
David Ledbetter retweeted
As others have mentioned, the "presidents" #qakbot #qbot distribution (obama221) is back to using "DLL Search Order Hijacking" today (see screenshot). Here are the IOCs: github.com/executemalware/Ma…
David Ledbetter retweeted
Anyone seeing #Socgholish using localsys-shield[.]com today?
David Ledbetter retweeted
14 Nov 2022
#IcedID mixing it up today with CHM files BotID: 1609463178 Loader C2: trolspeaksunt\.com pw-protected, zipped ISO attachments tria.ge/221114-xg9eaada24/be… bazaar.abuse.ch/sample/0306e…
David Ledbetter retweeted
so, #FlareOn9 is over! congrats to all the finishers! you can find some of my solutions here: hshrzd.wordpress.com/tag/fla… (work-in-progress, I will be adding more)
Hey... I'm thinking of a blog post for my site about "Understanding obfuscation". Is there anything special that anyone would like to see explained?
Ok, got this post started if anyone wants a "certain type" of obfuscation added.
David Ledbetter retweeted
11 Nov 2022
New #socgholish stage 3 C2 seen today. Block all *[.]rate[.]coinangel[.]online .
David Ledbetter retweeted
Malware targeting companies in Peru 🇵🇪 email > html > password-protected zip > vbs Downloads from (#geofenced): /sunat-mail.xyz/2/ /easynsecureinvest.com/cobr/?id=1 Payloads/C2 from: /gringox1.chickenkiller.com/g1/ Header: UA-CPU Samples: bazaar.abuse.ch/browse/tag/g… No attribution 🤔
David Ledbetter retweeted
Here are some #icedid #bokbot IOCs from today. Arrived via email with a password protected .zip file attachment. github.com/executemalware/Ma…
David Ledbetter retweeted
new Emotet E5 urls detected. [DLL] (1/2) hxxp://www[.]muyehuayi[.]com/cmp/8asA99KPsyA/v6lUsWbLen/ hxxps://wijsneusmedia[.]nl/cgi-bin/kFB/ hxxp://concivilpa[.]com[.]py/wp-admin/i3CQu9dzDrMW/
David Ledbetter retweeted
8 Nov 2022
#Bumblebee HTML Attachments rolling in. general pattern: Document_[0-9]{4}_Scan_(Nov8)\.html Looks like some updated evasion in this sample. bazaar.abuse.ch/sample/99dee…
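Added example (my own code, not from any of the accounts quoted in this timeline): a small Python helper that refangs the defanged IOCs posted above (hxxp, [.], \.) and checks a filename against the Bumblebee lure pattern from the tweet, with the bracket typo corrected to [0-9]{4}. It assumes the parentheses around Nov8 are literal characters in the attachment name, and the sample filenames and hostnames below are constructed for the demonstration.

```python
import re

def refang(ioc: str) -> str:
    """Turn a defanged IOC back into its real form.

    Handles the conventions used in the tweets above: hxxp/hxxps schemes,
    [.] and (.) for dots, [:] for colons, and a backslash-escaped dot (\\.).
    """
    s = ioc.strip()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s, flags=re.I)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("\\.", ".")
    s = s.replace("[:]", ":")
    return s

# Bumblebee lure filename pattern from the tweet, bracket typo fixed ({4] -> {4}).
# Assumption: "(Nov8)" is literal text in the filename, so the parentheses are escaped.
BUMBLEBEE_NAME = re.compile(r"^Document_[0-9]{4}_Scan_\(Nov8\)\.html$", re.I)

def matches_bumblebee_lure(filename: str) -> bool:
    """True if an attachment name fits the Document_NNNN_Scan_(Nov8).html pattern."""
    return BUMBLEBEE_NAME.match(filename) is not None

def domain_blocked(hostname: str, block_suffixes) -> bool:
    """Wildcard-style block check for entries such as '*[.]rate[.]coinangel[.]online'.

    A '*.' prefix is stripped and the host matches if it equals the suffix or sits
    under it. The apex itself is also blocked, which is the conservative reading of
    "block all *.rate.coinangel.online".
    """
    h = hostname.lower().rstrip(".")
    for suf in block_suffixes:
        suf = refang(suf).lower().lstrip("*").lstrip(".")
        if h == suf or h.endswith("." + suf):
            return True
    return False

if __name__ == "__main__":
    # Constructed samples (not real captured mail) to exercise the helpers.
    attachments = ["Document_4821_Scan_(Nov8).html", "Document_48_Scan_(Nov8).html",
                   "Invoice_4821_Scan_(Nov8).html"]
    for name in attachments:
        print(f"{name}: {'BUMBLEBEE LURE' if matches_bumblebee_lure(name) else 'no match'}")
    blocklist = ["*[.]rate[.]coinangel[.]online"]
    for host in ["cdn.rate.coinangel.online", "coinangel.online", "example.org"]:
        print(f"{host}: {'blocked' if domain_blocked(host, blocklist) else 'allowed'}")
    print(refang("hxxps://wijsneusmedia[.]nl/cgi-bin/kFB/"))
```

Refanging is kept deliberately narrow: it only undoes the specific defanging forms that appear in these posts, so it will not silently mangle legitimate URLs that happen to contain brackets.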
David Ledbetter retweeted
Also a few #Emotet today. @James_inthe_box @pr0xylife @0xToxin @0n315 @Cryptolaemus1 @JRoosen All of the sheets are visible in this one and each is the same as sheet 1? Did Ivan do a drunk again? tria.ge/221107-xd7raaceb2/be…
David Ledbetter retweeted
7 Nov 2022
#TA551 HTML Attachments incoming ID 1559130321 #IcedID Loader C2: anisamnatyrel\.com bazaar.abuse.ch/sample/8df33… tria.ge/221107-whz2kaagd2/be…
David Ledbetter retweeted
[UPDATE] Here's a #maldoc with (still) live C2 that is quite evasive and shows the detection capability ex-OSINT. Download URL has a "ski" gTLD. Download the sample with a user account (it's not on VT) for free: filescan.io/uploads/6365860b… // #DFIR #malware #analysis
David Ledbetter retweeted
anyone know of companies hiring director-level folks? ideally mobile/web work? I have a good friend looking and he'd be an epic hire.
David Ledbetter retweeted
Noticed an interesting registry export with powershell loader working completely on data stored in the registry Reg export hastebin.com/jadunepoke.prop… Sample virustotal.com/gui/file/6702…
RT @phage_nz: Saw a couple of Emotet messages land here this afternoon. First from this recent revival. Thread hijacking. XLM4.0 maldoc att…
David Ledbetter retweeted
I also received a handful of #emotet (E4) emails today. I saw traffic to the same C2 as yesterday. Here are the IOCs: github.com/executemalware/Ma…