#xkeybot #malware Email Swift Payment delivering #originbotnet Attachment: Swift.gz (c079296024238f82b1a019c712f5b8a6) -> Swift.exe (ce79ff49e2442108fb4eb3654d23dbad) veit-intl.]com/gate c2: veit-intl.]com (199.188.200.]87) @namecheap see: tria.ge/231005-3vdgnaaa62/be…

In September 2023, we collected Command and Control (C2) panels associated with diverse malwares . Over this timeframe, we identified 222 indicators of compromise, with Supershell leading the list, followed by Lokibot, Risepro, Unam, and Xkeybot. Additionally, our observations revealed the emergence of novel malware families, including Gotham Stealer, Bunny Loader, Xkeybot, and LOTO.

#malware #opendir on zzlsteel[.]cc serving malwares, notably #OriginBotnet / #XKeyBot which calls out to C2: nitrosoftwares[.]shop Both Domains registered @namecheap Other C2 registered via @namecheap : ltm-canada.]com/login/ turinapparrels.]com/login/

Looks it's a newer build of XKeyBot. Anyway, XKeyBot name is still better to use I think, as there is already an Origin named malware (previously Agent Tesla), which as you know some idiots calls a botnet too, so OriginBotnet name for XKeyBot would make confusion for some...

Seems #XKeyBot = #OriginBotnet #malware unpacked sample with string OriginBotnet here: unpac.me/results/33878a26-4a… Got me on google, to find a 6 days old article by @Fortinet : fortinet.com/blog/threat-res… Third Payload named after namespace. SAme C2 panel.

More #XKeyBot #malware C2 panels 1oxcv1.duckdns.]org/login/ 198.98.54.]161/login/ wjjiutia.]com/login/ ISO-> XLS-> s://motioncontorlshop.]com/mydoc/champ/champ[.exe tria.ge/230917-n84hnscg53

Thanks to @ViriBack (with additional chime-in by @James_inthe_box and @Jane_0sint) here for the hash and sandbox run for 2047004 - alerting on a XKeyBot C2 checkin/POST!

50 new OPEN, 54 new PRO (50 4) Pupy, WikiLoader, Win32/Trojan.Fruity, Win32/XKeyBot, MacOS/Realst, TA569 and more. Thanks @DrWeb_antivirus, @ViriBack, @SentinelOne community.emergingthreats.ne…

Let's go with XKeyBot for now. Can always update/rename rules and change Metadata when we have more info. Expect coverage for this today in ETOPEN. Thank you all for sharing this!

Well, I am fine with that, XKeyLoader or XKeyBot?

If that x-key header is so special/unique, then if still nothing better, what about just calling it XKeyBot? 😂