I can’t sleep :(
Typosquat domain for sure! In a sandbox I’m seeing that all the download links point to the same HTML page on a .ink domain that Cloudflare is now refusing to serve.
But our buddy Joe already got a copy for us, so we can at least view that report for fun: https://www.joesandbox.com/analysis/1763244/1/html
Edit: It pulls down an MSI installer, or something it runs with msiexec, disguised with a PDF file extension. It seems to want a copy of cmd.exe to exist in an AutoIt installation (SearchPathW vs “C:\Program Files (x86)\AutoIt3\cmd.exe”), as well as pointing toward the multilanguage (.exe.mui) and other cmd variants. I suspect we’re one step away from a real payload with this report, and that’s what we’d see the “Invoke-Obfuscation” PowerShell the sandbox spotted used for (if that wasn’t a false positive due to the base64 offset string).
The custom interiors and crew-based stuff is really interesting, and I want to see it as a Light No Fire testbed if nothing else, after they said it was the same core tech as their ocean-faring ships.
We have Lemminati at home.