Click here to download all references as Bib-File.

Enter keywords to filter the library entries below or Propose new Entry
2021-12-30InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20211230:agent:2b24ea4, author = {Brad Duncan}, title = {{Agent Tesla Updates SMTP Data Exfiltration Technique}}, date = {2021-12-30}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28190}, language = {English}, urldate = {2022-01-03} } Agent Tesla Updates SMTP Data Exfiltration Technique
Agent Tesla
2021-12-16InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20211216:how:6fd0b06, author = {Brad Duncan}, title = {{How the "Contact Forms" campaign tricks people}}, date = {2021-12-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/}, language = {English}, urldate = {2021-12-31} } How the "Contact Forms" campaign tricks people
IcedID
2021-12-03SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20211203:ta551:f71be57, author = {Brad Duncan}, title = {{TA551 (Shathak) pushes IcedID (Bokbot)}}, date = {2021-12-03}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/}, language = {English}, urldate = {2021-12-06} } TA551 (Shathak) pushes IcedID (Bokbot)
IcedID
2021-11-16InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20211116:emotet:3545954, author = {Brad Duncan}, title = {{Emotet Returns}}, date = {2021-11-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28044}, language = {English}, urldate = {2021-11-17} } Emotet Returns
Emotet
2021-10-18paloalto Netoworks: Unit42Brad Duncan
@online{duncan:20211018:case:bdd95ff, author = {Brad Duncan}, title = {{Case Study: From BazarLoader to Network Reconnaissance}}, date = {2021-10-18}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/}, language = {English}, urldate = {2021-10-22} } Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike
2021-09-29Malware Traffic AnalysisBrad Duncan
@online{duncan:20210929:20210929:e348fca, author = {Brad Duncan}, title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}}, date = {2021-09-29}, organization = {Malware Traffic Analysis}, url = {https://malware-traffic-analysis.net/2021/09/29/index.html}, language = {English}, urldate = {2021-11-03} } 2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-17Malware Traffic AnalysisBrad Duncan
@online{duncan:20210917:20210917:b995435, author = {Brad Duncan}, title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}}, date = {2021-09-17}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html}, language = {English}, urldate = {2021-09-20} } 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-01InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210901:strrat:82432b9, author = {Brad Duncan}, title = {{STRRAT: a Java-based RAT that doesn't care if you have Java}}, date = {2021-09-01}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27798}, language = {English}, urldate = {2021-09-02} } STRRAT: a Java-based RAT that doesn't care if you have Java
STRRAT
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210709:hancitor:814e815, author = {Brad Duncan}, title = {{Hancitor tries XLL as initial malware file}}, date = {2021-07-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27618}, language = {English}, urldate = {2021-07-19} } Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor
2021-05-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210519:bazarcall:60c6562, author = {Brad Duncan}, title = {{BazarCall: Call Centers Help Spread BazarLoader Malware}}, date = {2021-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-malware/}, language = {English}, urldate = {2021-05-20} } BazarCall: Call Centers Help Spread BazarLoader Malware
BazarBackdoor campoloader
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-07Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210407:wireshark:3c806d8, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Traffic from Hancitor Infections}}, date = {2021-04-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/}, language = {English}, urldate = {2021-04-12} } Wireshark Tutorial: Examining Traffic from Hancitor Infections
Hancitor
2021-04-01Palo Alto Networks Unit 42Vijay Prakash, Brad Duncan
@online{prakash:20210401:wireshark:4778091, author = {Vijay Prakash and Brad Duncan}, title = {{Wireshark Tutorial: Decrypting RDP Traffic}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-rdp-traffic/}, language = {English}, urldate = {2021-04-09} } Wireshark Tutorial: Decrypting RDP Traffic
2021-04-01Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor
2021-03-30YouTube ( malware-traffic-analysis.net)Brad Duncan
@online{duncan:20210330:20210329:bf22ea0, author = {Brad Duncan}, title = {{2021-03-29 BazaCall (BazarCall) Example}}, date = {2021-03-30}, organization = {YouTube ( malware-traffic-analysis.net)}, url = {https://www.youtube.com/watch?v=uAkeXCYcl4Y}, language = {English}, urldate = {2021-03-31} } 2021-03-29 BazaCall (BazarCall) Example
BazarBackdoor
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-13InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210113:hancitor:55f3ea5, author = {Brad Duncan}, title = {{Hancitor activity resumes after a hoilday break}}, date = {2021-01-13}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/}, language = {English}, urldate = {2021-01-21} } Hancitor activity resumes after a hoilday break
Hancitor
2021-01-07Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot