ch
Feedback
هیچی برگر [﷼]

هیچی برگر [﷼]

前往频道在 Telegram

shit/schizo posting

显示更多
未指定国家未指定类别
219
订阅者
无数据24 小时
+17
+230
帖子存档
Historic photo of this moment
Historic photo of this moment

Repost from vx-underground
oh sorry if youre a threat intel nerd, or anti malware nerd, who is designated to track potential state sponsored activity in south america final payload: 5a979c309aff96456ba4482653fc213997387956c24e376645e4e0cfaa6b878a obfuscated js payload (fragmented utf16le): 87eac5fa290387bd90d71424f8a65f2b2c7436a415f6e7f033915ef8e833ef86 file sent to colombia ppl i guess idk: 193b98595f44935e79413aeb474cd8d75e8d5ba63caf0d52470cadbeb8139c03 theyre all on VT now

Repost from vx-underground
> get dm > "government ppl in Colombia getting weird file" > lolwtf > send link > look inside > phishing page (looks good tho
+2
> get dm > "government ppl in Colombia getting weird file" > lolwtf > send link > look inside > phishing page (looks good tho tbh) > image 1 > i dont speak spanish, idk wtf it says > look inside .html > .zip hidden inside it as base64 > lol ok > bonk with stick > "Oficio 2231" zip file > idk what that means still > look inside > .zip has .js inside of it > look inside > big ass fuck off obfuscated bs trying to trick u > image 2 > utf16 bullshit > utf16 makes another file > ??? > extract from tiny little fragments of js > look inside > .dll .net file > wtf lol > look inside > heavily obfuscated .net malware > image 3 > tiny .js fragments contain powershell script > ??? tl;dr .html does something that triggers .js which extracts .zip. the .js from .html executes the .js inside the .zip which reads the .ps script from the .js. the .ps then executes a c# .dll which is named taskscheduler (its malware) why would someone send government officials in Colombia this file wtf lol