{
  "name": "Code Emulation and Cybercrime Infrastructure Discovery",
  "slug": "code-emulation-and-cybercrime-infrastructure-discovery",
  "description": "This report details the analysis of a malspam campaign using the Matanbuchus loader, in which strings embedded in the malware were decrypted through emulation. The investigation then pivoted to a Russian bulletproof hosting service, Proton66 OOO, which currently hosts a range of malicious activity, including SocGholish malware. The report highlights how examining the infrastructure behind such threats can reveal interconnected cybercrime operations and enable proactive defense.",
  "published": "2024-05-08T09:18:22+00:00",
  "created_at": "2024-05-08T09:18:22+00:00",
  "modified_at": "2024-05-08T15:29:35+00:00",
  "created_at_opencti": "2024-05-08T09:18:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-03",
    "2024-05-04",
    "2024-05-05",
    "2024-05-06",
    "2024-05-07",
    "2024-05-08",
    "bulletproof",
    "emulation",
    "loader",
    "matanbuchus",
    "ransomware",
    "socgholish",
    "stealer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.226.31.34"
      },
      {
        "id": "",
        "name": "5.252.177.213"
      },
      {
        "id": "",
        "name": "37.128.207.92"
      },
      {
        "id": "",
        "name": "193.143.1.54"
      },
      {
        "id": "",
        "name": "193.143.1.207"
      },
      {
        "id": "",
        "name": "193.143.1.198"
      },
      {
        "id": "",
        "name": "193.143.1.197"
      },
      {
        "id": "",
        "name": "193.143.1.196"
      },
      {
        "id": "",
        "name": "193.141.1.196"
      },
      {
        "id": "",
        "name": "185.11.61.172"
      },
      {
        "id": "",
        "name": "185.11.61.171"
      },
      {
        "id": "",
        "name": "185.11.61.169"
      },
      {
        "id": "",
        "name": "162.33.177.118"
      },
      {
        "id": "",
        "name": "128.254.207.82"
      },
      {
        "id": "",
        "name": "147.45.47.87"
      },
      {
        "id": "",
        "name": "185.11.61.170"
      },
      {
        "id": "",
        "name": "166.1.173.27"
      },
      {
        "id": "",
        "name": "https://muagol.com/useraccount.aspx"
      },
      {
        "id": "",
        "name": "https://988skins.com/admin/view/stylesheet/50k.png"
      },
      {
        "id": "",
        "name": "http://muagol.com/Traffic/link/posting/index.php"
      },
      {
        "id": "",
        "name": "http://marvin-occentus.net/statistic/js/stat.js"
      },
      {
        "id": "",
        "name": "http://iseberkis.com:62478/medical/plan/oslo/posting/in"
      },
      {
        "id": "",
        "name": "http://itter.com/I"
      },
      {
        "id": "",
        "name": "http://ec.com/bl"
      },
      {
        "id": "",
        "name": "http://988.skins.com/admin/view/stylesheet/50k.png"
      },
      {
        "id": "",
        "name": "venice.sunproject.dev"
      },
      {
        "id": "",
        "name": "turin.sunproject.dev"
      },
      {
        "id": "",
        "name": "trademark.iglesiaelarca.com"
      },
      {
        "id": "",
        "name": "rome.sunproject.dev"
      },
      {
        "id": "",
        "name": "research.openanalysis.net"
      },
      {
        "id": "",
        "name": "proton.net.ru"
      },
      {
        "id": "",
        "name": "florence.sunproject.dev"
      },
      {
        "id": "",
        "name": "fancy.justbartanews.com"
      },
      {
        "id": "",
        "name": "bologna.sunproject.dev"
      },
      {
        "id": "",
        "name": "988.skins.com"
      },
      {
        "id": "",
        "name": "vsofm.com"
      },
      {
        "id": "",
        "name": "vlanj.org"
      },
      {
        "id": "",
        "name": "unitele.ru"
      },
      {
        "id": "",
        "name": "torontoclub.vip"
      },
      {
        "id": "",
        "name": "sweetapp.page"
      },
      {
        "id": "",
        "name": "sunproject.dev"
      },
      {
        "id": "",
        "name": "speedprocanada.com"
      },
      {
        "id": "",
        "name": "sdic.org"
      },
      {
        "id": "",
        "name": "reykh.icu"
      },
      {
        "id": "",
        "name": "redviking.com"
      },
      {
        "id": "",
        "name": "presswire.com"
      },
      {
        "id": "",
        "name": "poolsbydesignaz.com"
      },
      {
        "id": "",
        "name": "pestpatrol1.com"
      },
      {
        "id": "",
        "name": "muagol.com"
      },
      {
        "id": "",
        "name": "mindsmatterphilly.org"
      },
      {
        "id": "",
        "name": "mavrin-occentus.net"
      },
      {
        "id": "",
        "name": "mannmortgage.com"
      },
      {
        "id": "",
        "name": "locustfamilydentistry.com"
      },
      {
        "id": "",
        "name": "kalaswire.com"
      },
      {
        "id": "",
        "name": "itter.com"
      },
      {
        "id": "",
        "name": "iseberkis.com"
      },
      {
        "id": "",
        "name": "intervention911.com"
      },
      {
        "id": "",
        "name": "inkedin.co"
      },
      {
        "id": "",
        "name": "huntersinternational.org"
      },
      {
        "id": "",
        "name": "gatewaycr.org"
      },
      {
        "id": "",
        "name": "gulappa.com"
      },
      {
        "id": "",
        "name": "gammaprojec.dev"
      },
      {
        "id": "",
        "name": "galimidilaw.com"
      },
      {
        "id": "",
        "name": "filesnatchcloud.pro"
      },
      {
        "id": "",
        "name": "extic.icu"
      },
      {
        "id": "",
        "name": "dumingas.com"
      },
      {
        "id": "",
        "name": "designedlearning.com"
      },
      {
        "id": "",
        "name": "dems.ag"
      },
      {
        "id": "",
        "name": "democraticags.org"
      },
      {
        "id": "",
        "name": "breakpointbooking.com"
      },
      {
        "id": "",
        "name": "binder-sa.com"
      },
      {
        "id": "",
        "name": "barbarajking.com"
      },
      {
        "id": "",
        "name": "atomwise.com"
      },
      {
        "id": "",
        "name": "aitcaid.com"
      },
      {
        "id": "",
        "name": "988skins.com"
      },
      {
        "id": "",
        "name": "treasurybanks.org"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:f4e2b60f465e2e7c",
        "name": "Matanbuchus",
        "slug": "matanbuchus"
      },
      {
        "id": "legacy:malware:d1aa278dda3939ad",
        "name": "SocGholish",
        "slug": "socgholish"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1aaac7b9-4304-44fd-a331-f20b8115ff32",
        "name": "TA577",
        "slug": "ta577"
      }
    ],
    "attack_patterns": [
      {
        "id": "05e73ff9-b721-406c-8010-3447faaa0056",
        "name": "T1591.001"
      },
      {
        "id": "03d1f078-193c-483c-9b2c-af1e97b38978",
        "name": "T1578.004"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "45c400ce-708d-4ac2-8ea7-57c971a83ce5",
        "name": "T1027.005"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf",
    "https://otx.alienvault.com/pulse/663b5f7e5b2287dec38a1b3b"
  ]
}