Unveiling a Sophisticated Phishing Attack
Tags
Tag type | Value |
---|---|
cmtmf-attack-pattern | Code Injection |
maec-delivery-vectors | Watering Hole |
attack-pattern | Data Code Injection - T1540 |
attack-pattern | Credentials - T1589.001 |
attack-pattern | Ip Addresses - T1590.005 |
attack-pattern | Javascript - T1059.007 |
attack-pattern | Malicious File - T1204.002 |
attack-pattern | Malware - T1587.001 |
attack-pattern | Malware - T1588.001 |
attack-pattern | Phishing - T1660 |
attack-pattern | Phishing - T1566 |
attack-pattern | Tool - T1588.002 |
Common Information
Type | Value |
---|---|
UUID | 6a1ca3df-2196-4eeb-a683-5f0de1eef2db |
Fingerprint | a4059909a9fb07cb |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Dec. 20, 2024, 6:04 p.m. |
Added to db | Dec. 21, 2024, 4:22 a.m. |
Last updated | Dec. 22, 2024, 9:30 p.m. |
Headline | Unveiling a Sophisticated Phishing Attack |
Title | Unveiling a Sophisticated Phishing Attack |
Detected Hints/Tags/Attributes | 57/3/68 |
Source URLs
URL Provider
RSS Feed
Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
171 | ✔ | Malware on Medium | https://medium.com/feed/tag/malware | 2024-08-30 22:08 |
Attributes
Type | #Events | Value |
---|---|---|
Domain | 1 | redacted-fraud-transactions.zip |
Domain | 1 | carsight.s3.amazonaws.com |
Domain | 1 | comfucios.s3.us-west-2.amazonaws.com |
Domain | 1 | java.zip |
Domain | 159 | api.telegram.org |
File | 1 | redacted-fraud-transactions.zip |
File | 1 | transactions.js |
File | 4 | transaction.js |
File | 82 | favicon.ico |
File | 1 | second.js |
File | 5 | error.jpg |
File | 1 | 404.jpg |
File | 2 | windows.js |
File | 40 | image.jpg |
File | 418 | wscript.exe |
File | 41 | style.css |
File | 15 | unzip.exe |
File | 3 | icon.jpg |
File | 1 | java.zip |
File | 95 | java.exe |
File | 1 | deploy.jar |
File | 1 | pgg.jar |
File | 1 | edgecookie.tmp |
File | 63 | data.txt |
File | 1 | hostname-username-data.txt |
File | 2 | done.txt |
md5 | 1 | f7903ddbf7c0aa570c3e6db19ec4df8c |
md5 | 1 | b8b9307c1aff8c9c2273987c509779e2 |
md5 | 1 | 7649d0acf3ef3475010b611311605543 |
md5 | 1 | 179ba30884f0b8508d6a58a0390ef065 |
md5 | 1 | 5e6db038cc6564999fb8dead56a8b253 |
md5 | 1 | f9dbd8870fbba439143ece4f18a6a0f5 |
sha1 | 1 | deea562d593975ce6763e63d627f06407910cb94 |
sha1 | 1 | 6e095dd4c824d04a256e5f4b5a588e0224dd0b48 |
sha1 | 1 | 322816adfd4a3867fe9d54210c122e306698e792 |
sha1 | 1 | 5fee4209d604f219cccda8260d5702636e4860e1 |
sha1 | 1 | 3f9439dae261c497c389e8d3ebbe35429d695990 |
sha256 | 1 | 9f439d1d1789c661b9b1e7fbc861637b4aa573337072d2bbdf043b6711140fb1 |
sha256 | 1 | 66e5597e0efa4fb7f042acf8bb0beb85ce7aa07cb9c3cc049f7e7ea76d299e2a |
sha256 | 1 | 28b2511978695d81939e846347d6a8718f60737dc59f43c215d3e67e65e5256a |
sha256 | 1 | 93c5e90688d426fa2e01c84780e87fac862f7f9e7bffd797c2be471fa86f3e15 |
sha256 | 1 | babe574bef561df025c8686128bc6a8d84da93a412e7513ee0c221b6358e35db |
IPv4 | 12 | 149.154.167.220 |
IPv4 | 1 | 3.5.70.162 |
IPv4 | 1 | 52.92.162.90 |
IPv4 | 1 | 52.216.41.65 |
IPv4 | 1 | 83.149.72.49 |
IPv4 | 1 | 3.5.68.152 |
IPv4 | 1 | 34.204.254.212 |
IPv4 | 2 | 104.26.9.44 |
IPv4 | 1 | 3.5.30.214 |
IPv4 | 1 | 3.5.25.23 |
IPv4 | 1 | 52.216.50.153 |
IPv4 | 1 | 3.5.25.22 |
IPv4 | 1 | 52.217.4.28 |
IPv4 | 1 | 3.5.28.162 |
IPv4 | 1 | 3.5.24.151 |
IPv4 | 1 | 3.5.17.191 |
Url | 1 | https://carsight.s3.amazonaws.com/favicon.ico |
Url | 1 | https://carsight.s3.amazonaws.com/error.jpg |
Url | 1 | https://comfucios.s3.us-west-2.amazonaws.com/404.jpg |
Url | 1 | https://comfucios.s3.us-west-2.amazonaws.com/image.jpg |
Url | 1 | https://comfucios.s3.us-west-2.amazonaws.com/style.css |
Url | 1 | https://comfucios.s3.us-west-2.amazonaws.com/icon.jpg |
Url | 1 | https://carsight.s3.amazonaws.com |
Url | 6 | https://api.telegram.org |
Url | 1 | https://comfucios.s3.us-west-2.amazonaws.com |
Yara rule | 1 |

```yara
rule Zoomer_Stealer_Malware
{
    meta:
        description = "YARA rule for detecting this Zoomer stealer malware based on provided IOCs and User-Agent"
        author = "Oluwatomiwa Amuda"
        date = "20241210"
        reference = "IOC Collection"
        threat_level = "High"
        malware_family = "Stealer Malware"

    strings:
        // Network indicators. Most of these addresses sit in shared Amazon S3,
        // Telegram and Cloudflare ranges, so they will also match benign traffic.
        $ip1 = "149.154.167.220"
        $ip2 = "3.5.70.162"
        $ip3 = "52.92.162.90"
        $ip4 = "52.216.41.65"
        $ip5 = "83.149.72.49"
        $ip6 = "3.5.68.152"
        $ip7 = "34.204.254.212"
        $ip8 = "104.26.9.44"
        $ip9 = "3.5.30.214"
        $ip10 = "3.5.25.23"
        $ip11 = "52.216.50.153"
        $ip12 = "3.5.25.22"
        $ip13 = "52.217.4.28"
        $ip14 = "3.5.28.162"
        $ip15 = "3.5.24.151"
        $ip16 = "3.5.17.191"

        // URL literals must carry no surrounding whitespace, or they never match.
        $url1 = "https://carsight.s3.amazonaws.com"
        $url2 = "https://api.telegram.org"
        $url3 = "https://comfucios.s3.us-west-2.amazonaws.com"

        // File hashes as text strings only match artefacts that quote the hash
        // (reports, logs, hash lists), never the malware samples themselves.
        $md5_1 = "f7903ddbf7c0aa570c3e6db19ec4df8c"
        $md5_2 = "b8b9307c1aff8c9c2273987c509779e2"
        $md5_3 = "7649d0acf3ef3475010b611311605543"
        $md5_4 = "179ba30884f0b8508d6a58a0390ef065"
        $md5_5 = "5e6db038cc6564999fb8dead56a8b253"
        $md5_6 = "f9dbd8870fbba439143ece4f18a6a0f5"
        $sha1_1 = "deea562d593975ce6763e63d627f06407910cb94"
        $sha1_2 = "6e095dd4c824d04a256e5f4b5a588e0224dd0b48"
        $sha1_3 = "322816adfd4a3867fe9d54210c122e306698e792"
        $sha1_4 = "5fee4209d604f219cccda8260d5702636e4860e1"
        $sha1_5 = "3f9439dae261c497c389e8d3ebbe35429d695990"
        $sha256_1 = "9f439d1d1789c661b9b1e7fbc861637b4aa573337072d2bbdf043b6711140fb1"
        $sha256_2 = "66e5597e0efa4fb7f042acf8bb0beb85ce7aa07cb9c3cc049f7e7ea76d299e2a"
        $sha256_3 = "28b2511978695d81939e846347d6a8718f60737dc59f43c215d3e67e65e5256a"
        $sha256_4 = "93c5e90688d426fa2e01c84780e87fac862f7f9e7bffd797c2be471fa86f3e15"
        $sha256_5 = "babe574bef561df025c8686128bc6a8d84da93a412e7513ee0c221b6358e35db"

        // User-Agent string the stealer sends to its Telegram endpoint.
        $user_agent = "Zoomer"

    condition:
        any of ($ip*) or any of ($url*) or any of ($md5_*) or any of ($sha1_*) or any of ($sha256_*) or $user_agent
}
```
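The record ends with the rule and its indicator list but nothing that checks the rule behaves as intended. The following Python is an added example, not the Medium author's or the aggregator's code: it lints the text-string definitions of a YARA rule for two defects an IOC rule commonly carries, literals padded with whitespace and file hashes used as content strings, then emulates YARA's `any of them` as a substring search over a few proxy-log lines so the effect of each defect is visible. The rule excerpt embeds the URL literals with the surrounding spaces as they were published; the log lines, hostnames in them other than the page's indicators, and the request path are constructed for the demonstration, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Excerpt of the published rule, keeping the padded URL literals exactly as
# they appeared so the lint below has something to flag. Not the full rule.
RULE_EXCERPT = r'''
rule Zoomer_Stealer_Malware {
    strings:
        $ip1 = "149.154.167.220"
        $ip8 = "104.26.9.44"
        $url1 = " https://carsight.s3.amazonaws.com "
        $url2 = " https://api.telegram.org "
        $url3 = " https://comfucios.s3.us-west-2.amazonaws.com "
        $md5_1 = "f7903ddbf7c0aa570c3e6db19ec4df8c"
        $sha256_1 = "9f439d1d1789c661b9b1e7fbc861637b4aa573337072d2bbdf043b6711140fb1"
        $user_agent = "Zoomer"
    condition:
        any of them
}
'''

# One YARA text-string definition per line: $identifier = "literal"
STRING_DEF = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)
# MD5, SHA-1 or SHA-256 hex digest, nothing else
HASH_LITERAL = re.compile(r'^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$', re.I)


def extract_strings(rule_text: str) -> Dict[str, str]:
    """Map each text-string identifier in the rule to its literal (hex/regex strings are skipped)."""
    return {m.group(1): m.group(2) for m in STRING_DEF.finditer(rule_text)}


def lint_strings(strings: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag literals that cannot do what an IOC rule intends."""
    findings: Dict[str, List[str]] = {}
    for name, value in strings.items():
        problems = []
        if value != value.strip():
            problems.append("padded: only matches if the sample also contains the surrounding spaces")
        if HASH_LITERAL.match(value):
            problems.append("file hash as content string: a sample never contains its own digest")
        if problems:
            findings[name] = problems
    return findings


def hardened_strings(strings: Dict[str, str]) -> Dict[str, str]:
    """Trim padding and drop hash literals; hashes belong in a hash blocklist, not a content rule."""
    return {name: value.strip() for name, value in strings.items() if not HASH_LITERAL.match(value)}


def scan(lines: List[str], strings: Dict[str, str]) -> Dict[int, List[str]]:
    """Emulate YARA 'any of them' as case-sensitive substring search; return {line_no: [identifiers]}."""
    hits: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, start=1):
        matched = [name for name, literal in strings.items() if literal in line]
        if matched:
            hits[number] = matched
    return hits


# Constructed proxy-log lines for the demonstration; not real telemetry.
SAMPLE_LOG = [
    '2024-12-10T10:01:02Z 10.0.0.5 GET https://comfucios.s3.us-west-2.amazonaws.com/style.css UA="Mozilla/5.0"',
    '2024-12-10T10:01:09Z 10.0.0.5 POST https://api.telegram.org/bot<token>/sendDocument UA="Zoomer"',
    '2024-12-10T10:02:30Z 10.0.0.7 GET https://example.org/ UA="Mozilla/5.0"',
]

if __name__ == "__main__":
    published = extract_strings(RULE_EXCERPT)
    for name, problems in lint_strings(published).items():
        print(f"${name}: " + "; ".join(problems))
    print("published rule hits:", scan(SAMPLE_LOG, published))
    print("hardened rule hits: ", scan(SAMPLE_LOG, hardened_strings(published)))
```

Against the constructed log the published literals fire only on the `Zoomer` User-Agent, because every padded URL needs a space immediately after the hostname and real requests continue with `/`; the trimmed literals also catch the S3 and Telegram requests. The IP strings are left alone by the lint but deserve the same scepticism: most of the listed addresses fall in Amazon S3, Telegram and Cloudflare ranges shared with legitimate traffic, so IP hits should be corroborated with the bucket names or the User-Agent rather than alerted on alone.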