09-05-2023 09:15 AM
Hello dear community,
got a 2 hour infection on a fat client from this https://www.virustotal.com/gui/file/79e3e243726a8b29b4cf74576e364ce98dfadb5bd182d8d1ed55255e70defc2c...
This little guy was evading Cortex XDR Pro.
Watch out and fill your blocklist, because they're getting better and better.
Initial access was a Google Drive link and a password-protected rar/zip of about 120 MB in size.
If you are interested in which self-made BIOC we detected it with, let me know.
BR
Rob
09-07-2023 07:13 PM
Hi @RFeyertag
For Cortex XDR coverage information, please submit a TAC case and share your observation and workaround you did on the same for team to review and update.
Thanks
09-06-2023 01:53 PM
Hey @anlynch!
It would be nice if there could be a new rule for a process which is not a browser communicating to steamcommunity and/or t.me. And this rule should terminate this process.
Because WildFire is not getting a 300 MB .scr file to analyze, it flew completely under the radar.
This is one of the best evasion techniques I've ever seen, and I am a little bit proud that I detected it with much effort creating new rules to detect this piece of best stealer trojan.
BR
Rob
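One way to prototype the check Rob describes, as an added example that is not from the thread or from Cortex XDR itself: a small Python filter over constructed connection events that flags any non-browser process reaching steamcommunity.com or t.me. The log format, the browser allowlist and the sample events are assumptions; the termination step would be the response action of the EDR, not part of this filter.

```python
import re

# Assumed browser process names treated as expected clients of these domains.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe"}

# Domains from the thread; subdomains are matched as well (cdn.steamcommunity.com).
WATCHED_DOMAINS = ("steamcommunity.com", "t.me")

# Assumed event format: "proc=<image name> dst=<destination host>".
EVENT_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)")

# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    "proc=chrome.exe dst=steamcommunity.com",        # browser, expected
    "proc=Setup_x64.scr dst=steamcommunity.com",     # non-browser, should be flagged
    "proc=rundll32.exe dst=t.me",                    # non-browser, should be flagged
    "proc=svchost.exe dst=update.example.com",       # unrelated destination
    "proc=notepad.exe dst=nott.me",                  # must NOT match t.me by suffix
    "proc=FIREFOX.EXE dst=cdn.steamcommunity.com",   # browser, case-insensitive
    "malformed line without fields",                 # ignored
]


def matches_watched_domain(host):
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_event(line):
    """Return (process, destination) or None if the line does not parse."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group("proc"), m.group("dst")


def flag_events(lines):
    """Return (process, destination) pairs where a non-browser talks to a watched domain."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        proc, dst = parsed
        if matches_watched_domain(dst) and proc.lower() not in BROWSERS:
            hits.append((proc, dst))
    return hits


if __name__ == "__main__":
    for proc, dst in flag_events(SAMPLE_EVENTS):
        print(f"ALERT: non-browser process {proc} connected to {dst}")
```

Only exact-label suffix matching is used, so a look-alike such as nott.me does not trigger on the t.me rule.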