Unveiling a Sophisticated Phishing Attack
Common Information
Type Value
UUID 6a1ca3df-2196-4eeb-a683-5f0de1eef2db
Fingerprint a4059909a9fb07cb
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 20, 2024, 6:04 p.m.
Added to db Dec. 21, 2024, 4:22 a.m.
Last updated Dec. 22, 2024, 9:30 p.m.
Headline Unveiling a Sophisticated Phishing Attack
Title Unveiling a Sophisticated Phishing Attack
Detected Hints/Tags/Attributes 57/3/68
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 171 Malware on Medium https://medium.com/feed/tag/malware 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1 (extractor artefact: `.zip` is a valid gTLD, so this filename was classified as a domain — it is the archive listed under File below, not a host)
redacted-fraud-transactions.zip
Details Domain 1
carsight.s3.amazonaws.com
Details Domain 1
comfucios.s3.us-west-2.amazonaws.com
Details Domain 1 (extractor artefact: `.zip` is a valid gTLD, so this filename was classified as a domain — it is the archive listed under File below, not a host)
java.zip
Details Domain 159
api.telegram.org
Details File 1
redacted-fraud-transactions.zip
Details File 1
transactions.js
Details File 4
transaction.js
Details File 82
favicon.ico
Details File 1
second.js
Details File 5
error.jpg
Details File 1
404.jpg
Details File 2
windows.js
Details File 40
image.jpg
Details File 418
wscript.exe
Details File 41
style.css
Details File 15
unzip.exe
Details File 3
icon.jpg
Details File 1
java.zip
Details File 95
java.exe
Details File 1
deploy.jar
Details File 1
pgg.jar
Details File 1
edgecookie.tmp
Details File 63
data.txt
Details File 1
hostname-username-data.txt
Details File 2
done.txt
Details md5 1
f7903ddbf7c0aa570c3e6db19ec4df8c
Details md5 1
b8b9307c1aff8c9c2273987c509779e2
Details md5 1
7649d0acf3ef3475010b611311605543
Details md5 1
179ba30884f0b8508d6a58a0390ef065
Details md5 1
5e6db038cc6564999fb8dead56a8b253
Details md5 1
f9dbd8870fbba439143ece4f18a6a0f5
Details sha1 1
deea562d593975ce6763e63d627f06407910cb94
Details sha1 1
6e095dd4c824d04a256e5f4b5a588e0224dd0b48
Details sha1 1
322816adfd4a3867fe9d54210c122e306698e792
Details sha1 1
5fee4209d604f219cccda8260d5702636e4860e1
Details sha1 1
3f9439dae261c497c389e8d3ebbe35429d695990
Details sha256 1
9f439d1d1789c661b9b1e7fbc861637b4aa573337072d2bbdf043b6711140fb1
Details sha256 1
66e5597e0efa4fb7f042acf8bb0beb85ce7aa07cb9c3cc049f7e7ea76d299e2a
Details sha256 1
28b2511978695d81939e846347d6a8718f60737dc59f43c215d3e67e65e5256a
Details sha256 1
93c5e90688d426fa2e01c84780e87fac862f7f9e7bffd797c2be471fa86f3e15
Details sha256 1
babe574bef561df025c8686128bc6a8d84da93a412e7513ee0c221b6358e35db
Details IPv4 12
149.154.167.220
Details IPv4 1
3.5.70.162
Details IPv4 1
52.92.162.90
Details IPv4 1
52.216.41.65
Details IPv4 1
83.149.72.49
Details IPv4 1
3.5.68.152
Details IPv4 1
34.204.254.212
Details IPv4 2
104.26.9.44
Details IPv4 1
3.5.30.214
Details IPv4 1
3.5.25.23
Details IPv4 1
52.216.50.153
Details IPv4 1
3.5.25.22
Details IPv4 1
52.217.4.28
Details IPv4 1
3.5.28.162
Details IPv4 1
3.5.24.151
Details IPv4 1
3.5.17.191
Details Url 1
https://carsight.s3.amazonaws.com/favicon.ico
Details Url 1
https://carsight.s3.amazonaws.com/error.jpg
Details Url 1
https://comfucios.s3.us-west-2.amazonaws.com/404.jpg
Details Url 1
https://comfucios.s3.us-west-2.amazonaws.com/image.jpg
Details Url 1
https://comfucios.s3.us-west-2.amazonaws.com/style.css
Details Url 1
https://comfucios.s3.us-west-2.amazonaws.com/icon.jpg
Details Url 1
https://carsight.s3.amazonaws.com
Details Url 6
https://api.telegram.org
Details Url 1
https://comfucios.s3.us-west-2.amazonaws.com
Details Yara rule 1
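// The hash module ships with standard YARA builds; it is required so that the
// file-hash IOCs below are compared against the scanned file's own digest.
import "hash"

rule Zoomer_Stealer_Malware {
	meta:
		description = "YARA rule for detecting this Zoomer stealer malware based on provided IOCs and User-Agent"
		author = "Oluwatomiwa Amuda"
		date = "20241210"
		reference = "IOC Collection"
		threat_level = "High"
		malware_family = "Stealer Malware"
	strings:
		// Infrastructure IPs from the report. NOTE(review): these fall in
		// address space that is shared with many tenants (Telegram API and
		// AWS S3 ranges), so a hit on an IP alone is weak evidence and is
		// only counted together with another indicator in the condition.
		// `fullword` stops "3.5.25.22" from matching inside "13.5.25.223".
		$ip1 = "149.154.167.220" ascii wide fullword
		$ip2 = "3.5.70.162" ascii wide fullword
		$ip3 = "52.92.162.90" ascii wide fullword
		$ip4 = "52.216.41.65" ascii wide fullword
		$ip5 = "83.149.72.49" ascii wide fullword
		$ip6 = "3.5.68.152" ascii wide fullword
		$ip7 = "34.204.254.212" ascii wide fullword
		$ip8 = "104.26.9.44" ascii wide fullword
		$ip9 = "3.5.30.214" ascii wide fullword
		$ip10 = "3.5.25.23" ascii wide fullword
		$ip11 = "52.216.50.153" ascii wide fullword
		$ip12 = "3.5.25.22" ascii wide fullword
		$ip13 = "52.217.4.28" ascii wide fullword
		$ip14 = "3.5.28.162" ascii wide fullword
		$ip15 = "3.5.24.151" ascii wide fullword
		$ip16 = "3.5.17.191" ascii wide fullword
		// Staging buckets and exfil endpoint. The original strings were
		// padded with a leading and trailing space (" https://... ") and so
		// never matched the bare URL; the padding is removed. `wide` also
		// catches UTF-16 copies, common in Windows script hosts.
		$url1 = "https://carsight.s3.amazonaws.com" ascii wide
		$url2 = "https://api.telegram.org" ascii wide
		$url3 = "https://comfucios.s3.us-west-2.amazonaws.com" ascii wide
		// User-Agent fragment reported for the stealer. "Zoomer" is a common
		// English word, so it is never sufficient on its own.
		$user_agent = "Zoomer" ascii wide
	condition:
		// File-hash IOCs: compared against the scanned file's digest. The
		// original rule searched for these hex digests as content strings,
		// which can never fire because a file cannot contain its own hash.
		hash.md5(0, filesize) == "f7903ddbf7c0aa570c3e6db19ec4df8c" or
		hash.md5(0, filesize) == "b8b9307c1aff8c9c2273987c509779e2" or
		hash.md5(0, filesize) == "7649d0acf3ef3475010b611311605543" or
		hash.md5(0, filesize) == "179ba30884f0b8508d6a58a0390ef065" or
		hash.md5(0, filesize) == "5e6db038cc6564999fb8dead56a8b253" or
		hash.md5(0, filesize) == "f9dbd8870fbba439143ece4f18a6a0f5" or
		hash.sha1(0, filesize) == "deea562d593975ce6763e63d627f06407910cb94" or
		hash.sha1(0, filesize) == "6e095dd4c824d04a256e5f4b5a588e0224dd0b48" or
		hash.sha1(0, filesize) == "322816adfd4a3867fe9d54210c122e306698e792" or
		hash.sha1(0, filesize) == "5fee4209d604f219cccda8260d5702636e4860e1" or
		hash.sha1(0, filesize) == "3f9439dae261c497c389e8d3ebbe35429d695990" or
		hash.sha256(0, filesize) == "9f439d1d1789c661b9b1e7fbc861637b4aa573337072d2bbdf043b6711140fb1" or
		hash.sha256(0, filesize) == "66e5597e0efa4fb7f042acf8bb0beb85ce7aa07cb9c3cc049f7e7ea76d299e2a" or
		hash.sha256(0, filesize) == "28b2511978695d81939e846347d6a8718f60737dc59f43c215d3e67e65e5256a" or
		hash.sha256(0, filesize) == "93c5e90688d426fa2e01c84780e87fac862f7f9e7bffd797c2be471fa86f3e15" or
		hash.sha256(0, filesize) == "babe574bef561df025c8686128bc6a8d84da93a412e7513ee0c221b6358e35db" or
		// Attacker-controlled bucket names are specific to this campaign and
		// are strong on their own.
		$url1 or $url3 or
		// The Telegram API URL, the shared-range IPs and the "Zoomer" token
		// are individually generic; require at least two of them together
		// to avoid firing on every file that mentions S3 or Telegram.
		2 of ($url2, $ip*, $user_agent)
}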