imp0rtp3 @imp0rtp3 - Twitter Profile

New IPs related to the TA exploiting #CVE_2022_42475: 139.99.35[.116 139.99.37[.119 194.62.42[.105 45.86.231[.71 45.86.229[.220 185.250.149[.32 137.175.30[.138 146.70.157[.133 155.138.220[.254 #JA3: bf2b95ac267823f6588b2436bc537b26

1

33

13

4

7K

imp0rtp3 @imp0rtp3

over 3 years ago

TA was less careful with the windows samples - left us some clues: - GBK (Chinese) encoding of the computer info (later changed to utf-8) - UTC+8 compile time string inside sample (exactly 8 hours ahead of PE compile time)

imp0rtp3's tweet photo. TA was less careful with the windows samples - left us some clues:
- GBK (Chinese) encoding of the computer info (later changed to utf-8)
- UTC+8 compile time string inside sample (exactly 8 hours ahead of PE compile time) https://t.co/BI15QqNHWq

1

0

449

imp0rtp3 @imp0rtp3

over 3 years ago

Advisory of #CVE_2022_42475 (FortiOS SSL-VPN RCE) updated with additional IPs of the threat actor exploiting it: 139.180.184[.]197 66.42.91[.]32 158.247.221[.]101 107.148.27[.]117 139.180.128[.]142 155.138.224[.]122 185.174.136[.]20 https://t.co/OggXyn5Rj7

0

14

5

3

2K

imp0rtp3 retweeted

Karsten Hahn @struppigel

over 3 years ago

Undetected PyInstaller stealers on Virustotal Search for behaviour:"mdvksublbpczqluqvvbytfprxdwakuke"

1

82

26

16

0

imp0rtp3 retweeted

Kris McConkey @smoothimpact

over 3 years ago

So yesterday was open #threatintel season on the Russia-based Callisto/SEABORGIUM crew, with a triple whammy of blogs from us and a couple of industry friends: PwC: https://t.co/VGDNOmyZMK Recorded Future: https://t.co/8azTZKeyO0 Sekoia: https://t.co/rM7w5sPQ1y

1

60

24

7

0

imp0rtp3 @imp0rtp3

over 3 years ago

@malwrhunterteam @Arkbird_SOLG @JAMESWT_MHT

0

1

0

imp0rtp3 @imp0rtp3

over 3 years ago

New rebranded #Conti #Ransomeware Linux & ESXi locker surfaced on VT as #Monti. Almost identical to previous versions of Conti. Added cmdline argumens --detach --size, --file (latter unused). We wrote about previous campaign on September (YARA included): https://t.co/Q0r5hO9iEB

imp0rtp3's tweet photo. New rebranded #Conti #Ransomeware Linux & ESXi locker surfaced on VT as #Monti.
Almost identical to previous versions of Conti.
Added cmdline argumens --detach --size, --file (latter unused).
We wrote about previous campaign on September (YARA included):
https://t.co/Q0r5hO9iEB https://t.co/CFcrmE3pdf

3

50

13

6

0

imp0rtp3 @imp0rtp3

over 3 years ago

IoCs: sha256 - edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1 hxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid[.]onion hxxp://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion/chat/c7c5b8b0703950c40e6614bf957f94c1

imp0rtp3's tweet photo. IoCs:
sha256 - edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1
hxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid[.]onion
hxxp://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion/chat/c7c5b8b0703950c40e6614bf957f94c1 https://t.co/m3xnw15U0D

1

3

0

imp0rtp3 retweeted

Arkbird @Arkbird_SOLG

over 3 years ago

I share yara rules and the samples of the new variant of #blackbasta ransomware. Samples: https://t.co/rNYWROjxb0 Yara : https://t.co/HGerLMS4rR

1

27

12

4

0

imp0rtp3 retweeted

ESET Research

@ESETresearch

over 3 years ago

#ESETresearch discovered an active #Android campaign conducted by the hack-for-hire group #Bahamut. The campaign has been active since January 2022, with malicious apps are distributed through a fake #SecureVPN website @LukasStefanko https://t.co/Kdfc7hdJQT 1/6

1

50

29

9

0

imp0rtp3 retweeted

ESET Research

@ESETresearch

over 3 years ago

#ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPSoft of this compromise 1/4 https://t.co/iCC221bwxw

ESETresearch's tweet photo. #ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPSoft of this compromise 1/4
https://t.co/iCC221bwxw https://t.co/WWiiLpIBcK

2

241

108

29

0

imp0rtp3 retweeted

Lorenzo Franceschi-Bicchierai @lorenzofb

over 3 years ago

NEW: Cybersecurity startup Corellium gave trials to NSO Group and DarkMatter. It also sold to cellphone cracking firms Cellebrite and Elcomsoft in Russia, as well as Pwnzen, a hacking firm with ties to China's government, according to a leaked document. https://t.co/Sc9SJhQTPK

6

348

160

97

0

imp0rtp3 @imp0rtp3

over 3 years ago

Like everyone, I'm also available on Mastodon. This is my handle: @[email protected] https://t.co/8CTWDYEqqH

0

2

0

imp0rtp3

@imp0rtp3

Who to follow

Last Seen Users on Sotwe

Trends for you

Most Popular Users