Top Tweets for #RobotDropper
Two completely undetected #RobotDropper samples @abuse_ch
https://t.co/Xqju4xiXjz
https://t.co/hTt8BbCulC
@JAMESWT_MHT
What is going on with #LegionLoader / #RobotDropper? I am seeing a significant drop from over 200 samples to 15...
Did they go on vacation?

For a few weeks now I have been tracking "#Satacom/#RobotDropper/#LegionLoader" and curiously most of the submissions to VT are related to Latin American countries, mainly Brazil.
Some references and IoC below...
@Merlax_ @1ZRR4H

Did you know #LegionLoader aka #RobotDropper injects the core payload into explorer.exe and you can hunt for it in @anyrun_app Threat Intelligence tool using the query:
commandLine:"C:\\WINDOWS\\SysWOW64\\explorer.exe explorer.exe"
Here is the recent configuration from the loader: https://t.co/k7wtMZN1aP
Sample: https://t.co/mL2LfLu3eQ

#robotdropper malvertising campaign can also be spotted on fake download .monster domains impersonating RapidShare
/getofficialapp.monster
Detonation: https://t.co/rwxp2BuPV2

Low-Detection MSI Dropper Delivers #Malware – #ExploreWithANYRUN
⚠️ A recently developed #dropper is an #MSI file containing a #password-protected RAR archive
Both the sample and #C2 domains have a very low detection rate on #VirusTotal
https://t.co/Vx45sGudWg
The dropper sends requests to the get-license4[.]com and get-license2[.]com resources, for example with the following content:
IsICS=0&LangCode=5875&AwaitTmp=17&Kiid=81257
After execution, it asks the user to confirm that they are not a robot by clicking the "OK" button. It then displays the 'Sending collected data' message
Now the server's returning only the '0a' string. It may be intended to return the password for its content
We named it #RobotDropper because it requires the user to confirm that they are human
https://t.co/qE3bcFFkai
We've observed it dropping #Lumma and #Stealc:
https://t.co/QWiariKcGG
Find more samples by these #TILookup requests:
https://t.co/2yxhsPQT8A
https://t.co/mUYAZ3wVNa
Special thanks to @RussianPanda9xx for providing the initial sample in her tweet!
Analyze and investigate the latest #malware and #phishing threats with #ANYRUN 🛡️
![anyrun_app's tweet photo](https://pbs.twimg.com/media/GWEvPvHXUAANEmC.jpg)
2nd scenario shows traditional Privateloader download and redirection to #robotdropper (by anyrun) .msi files hosted in MEGA, first spotted by @RussianPanda9xx
Privateloader .7z (traditional 1234 password)
https://t.co/0UbQx9RTya
Robotdropper
https://t.co/BWZexUz1mk

Distribution domain queries for #RobotDropper on @ValidinLLC and @censysio
Validin: RapidShare - Fast & Secure File Transfer for Free
Censys: services.http.response.html_title="RapidShare - Fast & Secure File Transfer for Free"
IOCs shared on ThreatFox: https://t.co/9MMfTt9KcI
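As an added example (not code from any of the tweets above, nor from ANY.RUN, Validin or Censys), the Python below turns the three indicators shared in this feed into offline triage checks: the `SysWOW64\explorer.exe explorer.exe` command line from the Threat Intelligence query, the `get-license` C2 beacon body, and the RapidShare page title used as the Validin/Censys pivot. The event records, pids and the `cdn.example.net` / `www.example.com` hosts are constructed for the example; the domains, the command line and the query-string shape come from the tweets.

```python
"""Offline triage checks for the RobotDropper indicators shared in this feed.
The sample events below are constructed for the example; the domains, the
command line and the query-string shape come from the tweets."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs


def refang(domain: str) -> str:
    """Turn a defanged indicator like get-license4[.]com back into a hostname."""
    return domain.replace("[.]", ".").lower()


# C2 domains from the ANY.RUN thread, kept defanged and refanged only for matching.
C2_HOSTS = {refang("get-license4[.]com"), refang("get-license2[.]com")}
# Parameter names from the beacon body IsICS=0&LangCode=5875&AwaitTmp=17&Kiid=81257
BEACON_KEYS = {"IsICS", "LangCode", "AwaitTmp", "Kiid"}
# Command line from the TI Lookup query for the explorer.exe injection host.
INJECTION_CMDLINE = r"c:\windows\syswow64\explorer.exe explorer.exe"
# HTML title of the fake RapidShare download pages (Validin / Censys pivot).
LURE_TITLE = "RapidShare - Fast & Secure File Transfer for Free"


def is_injection_cmdline(command_line: str) -> bool:
    """Match SysWOW64 explorer.exe launched with a bare 'explorer.exe' argument,
    ignoring quoting, extra whitespace and case."""
    norm = " ".join(command_line.replace('"', "").split()).lower()
    return norm == INJECTION_CMDLINE


def classify_http(host: str, body: str) -> Optional[str]:
    """'c2-host' when the request goes to a known C2 domain, 'beacon-shape' when
    the body carries the four numeric beacon parameters on another host, else None."""
    if refang(host).rstrip(".") in C2_HOSTS:
        return "c2-host"
    params = parse_qs(body, keep_blank_values=True)
    if BEACON_KEYS <= set(params) and all(params[k][0].isdigit() for k in BEACON_KEYS):
        return "beacon-shape"
    return None


def is_lure_title(title: str) -> bool:
    """Exact title match after whitespace normalisation, as in the Censys query."""
    return " ".join(title.split()) == LURE_TITLE


# Constructed sample telemetry (pids, parents and benign hosts are made up).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 4120, "parent": "msiexec.exe",
     "command_line": r'"C:\WINDOWS\SysWOW64\explorer.exe" explorer.exe'},
    {"pid": 880, "parent": "userinit.exe", "command_line": r"C:\WINDOWS\explorer.exe"},
]
HTTP_EVENTS: List[Dict] = [
    {"pid": 4120, "host": "get-license4.com",
     "body": "IsICS=0&LangCode=5875&AwaitTmp=17&Kiid=81257"},
    {"pid": 4120, "host": "cdn.example.net", "body": "IsICS=0&LangCode=1033&AwaitTmp=9&Kiid=4"},
    {"pid": 3000, "host": "www.example.com", "body": "q=weather"},
]
PAGE_TITLES: List[Dict] = [
    {"host": "getofficialapp.monster", "title": "RapidShare - Fast & Secure File Transfer for Free"},
    {"host": "www.example.com", "title": "Example Domain"},
]


def scan(process_events: List[Dict], http_events: List[Dict],
         page_titles: List[Dict]) -> List[Tuple[str, str]]:
    """Run all three checks and return (kind, detail) hits in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in process_events:
        if is_injection_cmdline(ev["command_line"]):
            hits.append(("injection-host", f'pid {ev["pid"]} parent {ev["parent"]}'))
    for ev in http_events:
        verdict = classify_http(ev["host"], ev["body"])
        if verdict:
            hits.append((verdict, f'pid {ev["pid"]} -> {ev["host"]}'))
    for page in page_titles:
        if is_lure_title(page["title"]):
            hits.append(("lure-title", page["host"]))
    return hits


if __name__ == "__main__":
    for kind, detail in scan(PROCESS_EVENTS, HTTP_EVENTS, PAGE_TITLES):
        print(f"{kind:15} {detail}")
```

The `beacon-shape` verdict is deliberately weaker than `c2-host`: the four parameter names are a useful pivot when the operators rotate domains, but on their own they only justify a closer look at the process, not an alert on their own.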

We've just rolled out a new #Suricata rule for #RobotDropper, and we're excited to share it with you!
Give it a try and share your feedback with us! Your insights help us improve
https://t.co/UGbjyJ9k3O

Some Related Samples
#RobotDropper
*https://get-license4[.]com/licenseUser.php
https://t.co/z8rMqsZ7np
![JAMESWT_WT's tweet photo](https://pbs.twimg.com/media/GWFWbiPXcAAvT5S.jpg)