هیچی برگر [﷼]
الذهاب إلى القناة على Telegram
shit/schizo posting
إظهار المزيدلم يتم تحديد البلدالفئة غير محددة
219
المشتركون
لا توجد بيانات24 ساعات
+17 أيام
+230 أيام
أرشيف المشاركات
Repost from vx-underground
oh sorry
if youre a threat intel nerd, or anti malware nerd, who is designated to track potential state sponsored activity in south america
final payload: 5a979c309aff96456ba4482653fc213997387956c24e376645e4e0cfaa6b878a
obfuscated js payload (fragmented utf16le):
87eac5fa290387bd90d71424f8a65f2b2c7436a415f6e7f033915ef8e833ef86
file sent to colombia ppl i guess idk:
193b98595f44935e79413aeb474cd8d75e8d5ba63caf0d52470cadbeb8139c03
theyre all on VT now
Repost from vx-underground
+2
> get dm
> "government ppl in Colombia getting weird file"
> lolwtf
> send link
> look inside
> phishing page (looks good tho tbh)
> image 1
> i dont speak spanish, idk wtf it says
> look inside .html
> .zip hidden inside it as base64
> lol ok
> bonk with stick
> "Oficio 2231" zip file
> idk what that means still
> look inside
> .zip has .js inside of it
> look inside
> big ass fuck off obfuscated bs trying to trick u
> image 2
> utf16 bullshit
> utf16 makes another file
> ???
> extract from tiny little fragments of js
> look inside
> .dll .net file
> wtf lol
> look inside
> heavily obfuscated .net malware
> image 3
> tiny .js fragments contain powershell script
> ???
tl;dr
.html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (its malware)
why would someone send government officials in Colombia this file wtf lol
