Aaron Jornet

@rexorvc0.bsky.social

Threat Researcher at @socradar | Malware Researcher | Threat Hunter | CTI ¦ Former @ElevenPaths @Panda_Security rexorvc0.com twitter.com/RexorVc0

58 Followers  |  4 Following  |  14 Posts  |  Joined: 14.10.2023  |  1.9571

Latest posts by rexorvc0.bsky.social on Bluesky


#IOC


VT: virustotal.com/gui/collecti...

20.02.2025 07:16 — 👍 0    🔁 0    💬 0    📌 0

#TTP

📩[T1566.001] Spear-Phishing
📇[T1027.012] LNK file
📜[T1059] PS & BAT script execution
🔃[T1620] Load SC (.BAT execution)
🧩[T1140] Decrypt PE (#RokRat)
🗑️[T1070] Delete traces of Samples | Scripts
📡[T1071.001] C&C

20.02.2025 07:16 — 👍 0    🔁 0    💬 1    📌 0

#APT #APT37 #RicochetChollima #ScarCruft #RokRat #threat #malware

📍🇰🇵
💥🇰🇷🌏

⛓️ #Phishing > RAR|ZIP > #LNK extract .bat/PS/DOCs > #PS > #BAT execution > #PS decrypt #RokRat SC > Load + RUN #RAT > #C2

🔗360 Advanced Threat Research: mp.weixin.qq.com/s?__biz=MzUy...

20.02.2025 07:16 — 👍 0    🔁 0    💬 1    📌 0

#IOC

🔗VT: virustotal.com/gui/collecti...

22.01.2025 08:56 — 👍 0    🔁 0    💬 0    📌 0

#TTP

📦[T1566] #Phishing using SS
📇[T1204.002] Mal file
↪️[T1036] Compressed mal js files
📜[T1059.007] .js to execute next stage
📥[T1105] Download new files
💰[T1657] Steal wallets
⌨️[T1056.001] Keyboard monitoring
📡[T1071] C&C

22.01.2025 08:56 — 👍 0    🔁 0    💬 1    📌 0

#Lazarus #LabyrinthChollima #HiddenCobra APT-C-26 #Threat #APT #malware

📍🇰🇵
💥🌏

⛓️ Social media mal delivery > Exe (Electron #bot) > .js compress > steal wallet info > Download plugins+Run > Monitor host & steal info > #C2

🔗360 Advanced TRI: mp.weixin.qq.com/s?__biz=MzUy...

22.01.2025 08:56 — 👍 0    🔁 0    💬 1    📌 0
Link preview: ANY.RUN analysis 2024-12-17_74d8e8b3c9bfc6d93f88bb3f54721612_frostygoop_poet-rat_snatch (MD5: 74D8E8B3C9BFC6D93F88BB3F54721612), malicious activity

🧬Behaviour seen similar to this 👇

#Lumma:

app.any.run/tasks/37bcc2...
app.any.run/tasks/d80962...

#Emmenhtal+#Lumma:

app.any.run/tasks/c620f7...
app.any.run/tasks/813ae6...
app.any.run/tasks/b3f870...
app.any.run/tasks/abe139...

20.12.2024 06:07 — 👍 0    🔁 0    💬 0    📌 0

#IOC


🔗Graph:https://virustotal.com/graph/embed/g36af090df0bc429a9b41822134061dab94f7052689f84f38a2b276e8ce31f3a4?theme=dark

20.12.2024 06:07 — 👍 0    🔁 0    💬 1    📌 0

#TTP

🤖[T1204.001] Mal Links using fake CAPTCHA
📜[T1059.001] PS execution
🧩[T1027] Obfuscated scripts | commands
📥[T1105] Download .txt | .mp4 obfuscated scripts
👥[T1218] Abuse of mshta or white files to load mw
💉[T1055] Inject into another process
📡[T1071] C&C

20.12.2024 06:07 — 👍 0    🔁 0    💬 1    📌 0

Tracking #Lumma & #Emmenhtal #loader through weeks targeting LATAM - #threat #malware

📍🏴
💥🇨🇴🇲🇽🇦🇷🌎

⛓️ #Link | Mal domain > Fake CAPTCHA | ZIP/RAR > Encoded PS | mshta (HTA) > download next > Obfuscated script exec > File | ZIP dropped > Injection over file > #LummaStealer

20.12.2024 06:07 — 👍 0    🔁 0    💬 1    📌 0

+Info

socradar.io/apt-profile-... freebuf.com/articles/net... group-ib.com/blog/dark-pi... mp-weixin-qq-com.translate.goog/s/_WMljf41eT...

16.10.2023 06:12 — 👍 0    🔁 0    💬 0    📌 0

#IOC

dd9146bf793ac34de3825bdabcd9f0f3 5504799eb0e7c186afcb07f7f50775b2 c5331b30587dcaf94bfde94040d4fc89 ac28e93dbf337e8d1cc14a3e7352f061 fefe7fb2072d755b0bfdf74aa7c9013e 6a3948a3602f11e58d8a9300d50984d6 91fb57a2a87ac72a5f65bc1123b02ef6

16.10.2023 06:12 — 👍 0    🔁 0    💬 1    📌 0

#TTP

[T1566.001] Spear-Phishing
[T1574.002] DLL side-loading
[T1190] WinRAR exploit
[T1140] Decrypt info from fake PDF
[T1548.002] UAC bypass over \shell\open\command\ RegKey

16.10.2023 06:11 — 👍 0    🔁 0    💬 1    📌 0

#APT #DarkPink #Saaiwc CVE-2023-38831 #TelePowerBot #KamiKakaBot #threat #malware

#Phishing > RAR + #CVE > Drop DLL > Side-Loading > Injection > Persistence + UAC bypass > Telegram API connection

Nsfocus Report: blog.nsfocus.net/aptdarkpinkw...

16.10.2023 06:10 — 👍 2    🔁 0    💬 1    📌 0