Code Emulation and Cybercrime Infrastructure Discovery

May 8, 2024, 5:29 p.m.

Description

This report details the analysis of a malspam campaign delivering the Matanbuchus loader, in which the malware's encrypted strings were recovered by emulating its decryption routine rather than running the sample. Pivoting on the command-and-control infrastructure led to Proton66 OOO, a Russian bulletproof hosting provider whose address space currently hosts a range of malicious activity, including SocGholish. The report highlights how enumerating the hosting behind one threat can expose interconnected cybercrime operations and give defenders indicators to block before those operations reach them.

Date

  • Created: May 8, 2024, 11:18 a.m.
  • Published: May 8, 2024, 11:18 a.m.
  • Modified: May 8, 2024, 5:29 p.m.

Indicators

  • 91.226.31.34
  • 5.252.177.213
  • 37.128.207.92
  • 193.143.1.54
  • 193.143.1.207
  • 193.143.1.198
  • 193.143.1.197
  • 193.143.1.196
  • 193.141.1.196
  • 185.11.61.172
  • 185.11.61.171
  • 185.11.61.169
  • 162.33.177.118
  • 128.254.207.82
  • 147.45.47.87
  • 185.11.61.170
  • 166.1.173.27
  • https://muagol.com/useraccount.aspx
  • https://988skins.com/admin/view/stylesheet/50k.png
  • http://muagol.com/Traffic/link/posting/index.php
  • http://marvin-occentus.net/statistic/js/stat.js
  • http://iseberkis.com:62478/medical/plan/oslo/posting/in
  • http://itter.com/I
  • http://ec.com/bl
  • http://988.skins.com/admin/view/stylesheet/50k.png
  • venice.sunproject.dev
  • turin.sunproject.dev
  • trademark.iglesiaelarca.com
  • rome.sunproject.dev
  • research.openanalysis.net
  • proton.net.ru
  • florence.sunproject.dev
  • fancy.justbartanews.com
  • bologna.sunproject.dev
  • 988.skins.com
  • vsofm.com
  • vlanj.org
  • unitele.ru
  • torontoclub.vip
  • sweetapp.page
  • sunproject.dev
  • speedprocanada.com
  • sdic.org
  • reykh.icu
  • redviking.com
  • presswire.com
  • poolsbydesignaz.com
  • pestpatrol1.com
  • muagol.com
  • mindsmatterphilly.org
  • mavrin-occentus.net
  • mannmortgage.com
  • locustfamilydentistry.com
  • kalaswire.com
  • itter.com
  • iseberkis.com
  • intervention911.com
  • inkedin.co
  • huntersinternational.org
  • gatewaycr.org
  • gulappa.com
  • gammaprojec.dev
  • galimidilaw.com
  • filesnatchcloud.pro
  • extic.icu
  • dumingas.com
  • designedlearning.com
  • dems.ag
  • democraticags.org
  • breakpointbooking.com
  • binder-sa.com
  • barbarajking.com
  • atomwise.com
  • aitcaid.com
  • 988skins.com
  • treasurybanks.org
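
The pivot the report describes starts with normalizing the indicator list and clustering it by hosting range. The script below is an added example, not code from the original report: it takes a constructed subset of the indicators listed above, normalizes common defanging, pulls hostnames out of the URL entries, groups the IP addresses by /24 so that densely populated ranges (the pattern a bulletproof-hosting block produces) stand out as pivot candidates, and flags URL hosts that do not appear in the plain-domain list (the list above carries both marvin-occentus.net and mavrin-occentus.net, which is worth a second look before either is fed into a blocklist). The /24 prefix and the minimum cluster size are assumptions chosen for illustration.

```python
"""Indicator normalization and hosting-range clustering (added example).

Not code from the original report. Uses only the standard library so it
runs offline; INDICATORS is a constructed subset of the page's indicators.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the indicators listed on this page.
INDICATORS = [
    "91.226.31.34", "5.252.177.213", "193.143.1.54", "193.143.1.207",
    "193.143.1.198", "193.143.1.197", "193.143.1.196", "185.11.61.172",
    "185.11.61.171", "185.11.61.169", "185.11.61.170", "147.45.47.87",
    "https://muagol.com/useraccount.aspx",
    "http://muagol.com/Traffic/link/posting/index.php",
    "http://iseberkis.com:62478/medical/plan/oslo/posting/in",
    "http://marvin-occentus.net/statistic/js/stat.js",
    "venice.sunproject.dev", "turin.sunproject.dev", "sunproject.dev",
    "muagol.com", "iseberkis.com", "proton.net.ru", "mavrin-occentus.net",
]


def classify(indicator):
    """Return (kind, value) with kind in {'ip', 'url', 'domain'}.

    Undoes the two most common defanging conventions ('[.]' and 'hxxp')
    so that feeds written for humans still parse.
    """
    s = indicator.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:
        return "url", s
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        return "domain", s.lower()


def host_of(url):
    """Hostname of a URL without scheme, port or path."""
    return urlsplit(url).hostname


def cluster_ips(indicators, prefix=24):
    """Map each /prefix network to the sorted IPs from the list inside it."""
    nets = defaultdict(list)
    for ind in indicators:
        kind, val = classify(ind)
        if kind == "ip":
            net = ipaddress.ip_network(f"{val}/{prefix}", strict=False)
            nets[str(net)].append(val)
    return {n: sorted(ips, key=ipaddress.ip_address) for n, ips in nets.items()}


def dense_clusters(indicators, prefix=24, min_hosts=2):
    """Networks holding at least min_hosts listed IPs: the pivot candidates."""
    return {n: ips for n, ips in cluster_ips(indicators, prefix).items()
            if len(ips) >= min_hosts}


def hosts_from_urls(indicators):
    """URL hostnames that are absent from the plain-domain entries.

    A non-empty result means the URL and domain sections disagree (a typo
    or an omission) and should be reconciled before the list is deployed.
    """
    domains = {v for k, v in map(classify, indicators) if k == "domain"}
    hosts = {host_of(v) for k, v in map(classify, indicators) if k == "url"}
    return sorted(hosts - domains)


if __name__ == "__main__":
    for net, ips in sorted(dense_clusters(INDICATORS).items()):
        print(f"{net}: {len(ips)} hosts -> {', '.join(ips)}")
    for host in hosts_from_urls(INDICATORS):
        print(f"URL host not in domain list, check spelling: {host}")
```

Running it over the sample surfaces 193.143.1.0/24 and 185.11.61.0/24 as the ranges worth querying in passive DNS or a BGP/whois lookup next; a single IP in a range tells you little, but four or five adjacent hosts is the shape a dedicated hosting block takes. Two-label "parent domain" grouping is deliberately left out because it misfires on ccTLD second-level domains such as proton.net.ru; use a public-suffix list for that step.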

Attack Patterns

  • Matanbuchus
  • SocGholish
  • TA577
  • T1591.001
  • T1578.004
  • T1053.005
  • T1573.002
  • T1059.005
  • T1497.001
  • T1059.003
  • T1059.001
  • T1027.005
  • T1059.007
  • T1095
  • T1071.001
  • T1204.002
  • T1489
  • T1129
  • T1105
  • T1083
  • T1055
  • T1219
  • T1027