A Hunting Story

More documents

Recommendations

Info

This njRAT sample connects to ihebrakrouni.linkpc[.]net which currently resolves to 67[.]214[.]175[.]75 (Colostore.com, Indiana). Recorded Future Intel Card for IP address 67[.]214[.]175[.]75. Related indicators for IP address 67[.]214[.]175[.]75. Recorded Future Threat Intelligence Report 18
Now that we have positively identified useful base64 encoded malicious strings through a Recorded Future list and search, we will save the search and alert on future references or events that match our criteria, because a hunting team’s work is never done. Recorded Future email alert based on new “FromBase64String” references. 4. Examples of base64 encoded strings in web favicons. Our fourth example involves favicons, because they are specifically referenced in the above nation-state attack observables. Favicon references containing base64 encoded strings. Recorded Future Threat Intelligence Report 19
Page 1 and 2: RECORDED FUTURE THREAT INTELLIGENCE
Page 3 and 4: Now you know, defender, that your f
Page 5 and 6: function bDm { Param ($h1xFnaU, $zP
Page 7 and 8: The sample_drive_infector.ps1 scrip
Page 9 and 10: around PowerShell. Adversaries imme
Page 11 and 12: Instant insight with the first sect
Page 13 and 14: VirusTotal’s extension returns an
Page 15 and 16: The base64 strings decodes to a PE
Page 17: 3. Third Pastebin base64 encoded (r
Page 21 and 22: {“count”: 4, “time_first”:
Page 23 and 24: Appendix Autonomous Systems ››
Page 25 and 26: hxxp://pastebin.com/CWxhrrZ9 http:/

A Hunting Story

Create successful ePaper yourself

Delete template?

Save as template?