Posts

Identifying a Domain Generation Algorithm

Threat actors often deploy Domain Generation Algorithms (DGAs) to bypass detection mechanisms. A threat actor or malware developer can use a DGA to generate a large number of random domain names, which are used to connect to command and control (C2) servers. While not all generated domains successfully connect, DGAs remain a widely used technique among cyber adversaries to evade detection. The Key Question: how can we identify DGA-generated domains manually, without relying on external monitoring software? To do so, we must recognize several suspicious characteristics that indicate a domain may not be legitimate. Let’s explore some common signs: 1. Random Characters: legitimate domains are typically readable and meaningful (e.g., google.com). In contrast, DGA-generated domains often consist of seemingly random characters, such as ww0pm65l0s68o[.]com. 2. Digits or Numbers: most legitimate domains rarely include long sequences of numbers. DGA domains often contain multiple digits ...

Gathering Indicators of Compromise Through Malware Datasets.

Well, based on my personality, I prefer to discover things on my own and manually. I already use several platforms to look up malicious URLs, but over time, a question came to mind: where do these links actually originate? How do others find them? I don't want to always be just a user who depends on someone else's data; I want to understand the source myself. Eventually, I came up with an idea for discovering new malicious URLs as a feed: by collecting a malware dataset and executing the samples in bulk. I believe this is one of the core techniques used by most security vendors and threat intelligence platforms. What is needed to gather feeds such as URLs and C2 panels without relying on additional feed platforms, whether commercial or free? Requirements: Lab Environment: virtualization software such as VMware or VirtualBox. Malware Dataset: a collection of malware samples for testing and analysis. Network Monitoring & Extraction Tools: ApateDNS: to ca...

Analysis of a Facebook Phishing Page

Threat actors often use phishing attacks to deliver a payload for initial access or to steal credentials from individuals or an organization's network. These attacks usually involve sending phishing emails designed to deceive the target. So, what is a phishing email? Phishing is a type of social engineering attack in which the threat actor attempts to manipulate the victim into logging into a fake (scam) webpage to capture their credentials. A common example is a fake Facebook login page, which looks legitimate but is actually designed to steal login information. Our example is based on a similar phishing page, as shown in the screenshot below. Phishing attacks are responsible for approximately 95% of cyber intrusions. That’s a significant number, but it’s not an exaggeration; it’s based on real data, not something made up. Well, the threat actor deploys a fake Facebook login page to trick users into entering their own credentials. But where does that stolen data go? In the c...

Threat Hunting with 20 Urlscan.io Search Queries

Threat hunters often seek effective methods to detect and track command-and-control (C2) servers, open directories (commonly identified by the phrase “Index of”), and phishing infrastructure. Open directories can unintentionally expose sensitive files, malware payloads, or attacker toolkits, making them valuable indicators during threat hunting. To support this process, I’ve compiled 20 practical URLScan.io queries that can be used to hunt for: misconfigured or exposed open directories; potential C2 panels; indicators of phishing campaigns, such as spoofed login pages or malicious email payloads. These queries are designed to help security analysts uncover early-stage infrastructure and gain visibility into adversary behavior before an attack escalates. 20 Urlscan.io Search Queries: task.tags:"threat" task.tags:"opendir" filename:".php" task.tags:(@ecarlesi AND threat AND opendir) task.tags:"possiblethreat" task.tags:"c2" task.tags:(c2 AND mal...

Internet Search Engine Queries for Identifying C2 Panels

Threat hunters are always looking for reliable techniques to identify and track command-and-control (C2) infrastructure, open directories (often marked by the term “Index of”), and phishing-related assets. Open directories can inadvertently reveal sensitive data, malware files, or attacker tools, making them valuable clues during an investigation. To assist in this effort, I’ve curated a set of internet search engine queries that can help detect: exposed or misconfigured open directories; suspected C2 panels. These queries are intended to give security analysts deeper insight into adversary infrastructure at early stages, enabling faster detection and response. Internet Search Engine Queries for Identifying C2 Panels. Shodan: Search Type | Query. Favicon Hash | http.favicon.hash:<HASH_VALUE>. Product Name | product:Covenant | `product:<C2_Product_Name>` | | HTTP Title ...

Awesome C2 Panel Favicon Hashes

Threat hunters continually look for efficient ways to identify command-and-control (C2) servers, open directories (often recognizable by the phrase “Index of”), and phishing infrastructure. Open directories frequently expose sensitive data, malware, or threat actor tools, making them useful indicators in threat investigations. To aid in this effort, I’ve assembled favicon hash queries aimed at detecting: active or staging C2 panels. These queries are designed to enhance threat visibility and help analysts detect malicious infrastructure before it becomes a more serious threat. C2 Name / Favicon Hash: Mythic -859291042, StartKillerC2 1866124853, Covenant -737603591, Hak5 C2 1294130019, PandaC2 -296385002, SuperShell -1010228102, Amadey 177506569, Umam Web Panel -1278680098, Matanbuchus -896203607, HookBot -367464266, Chaos -1102365062, Neptune -95...

Command and Control Server (C2s) Hashes

Identifying command-and-control (C2) infrastructure, open directories, and phishing assets is a key part of modern threat hunting. Open directories, often marked by the term “Index of”, can unintentionally leak malware, stolen data, or attacker toolkits, offering valuable leads for early detection. To support this effort, I’ve created a collection of SHA-256 hashes designed to help uncover: known or suspected C2 control panels. These hashes serve as practical tools for analysts aiming to discover adversary infrastructure before it’s fully weaponized.

| # | Name | SHA-256 Hash |
|---|------|--------------|
| 1 | Gorilla | 85f5de581f7cdb7218440e47601f7d5096cbf1d54226986ded38ec744f1f8359 |
| 2 | Amadey | 54713a2d801093e2d318a36f662604649aeb8bd6f649bec0... |