# nebulard[.]io

- sample likely belongs to a traffer unit; group not yet confirmed
- employs varying code structures compared to previous samples; no reference observed within monitor streams

## malware_data

windows payload sent: https://www.virustotal.com/gui/file/a9165466ad09f37a2c76b8e144025f0bd9fc739b3f0f16a837e31e278914585d

anyrun: https://app.any.run/tasks/69655b22-3b77-4d1d-94ab-c439dfe38ff2

delivered via: `hxxps[://]nebulard[.]io/_next/install[.]js`

`install[.]js` filehash search: `3d3c0037398f0abbe3cf29ae66b022accfc776ed9005a1df427d82e4bfef6b31`

## pivots

https://urlscan.io/search/#hash:3d3c0037398f0abbe3cf29ae66b022accfc776ed9005a1df427d82e4bfef6b31

image asset: `hxxps[://]nebulard[.]io/prod-assets-parallel-life/images/download_page_bg[.]webp`

file_hash: `eb853175289bcf0a1197aa75a4525cb74a73d1577ef5a4b5bbdf0808cbe62eb2`

https://pro.urlscan.io/triage?query=eb853175289bcf0a1197aa75a4525cb74a73d1577ef5a4b5bbdf0808cbe62eb2

## correlations

observing variant iteration connected to domain `claims-parallel[.]life` from 16 days ago

that domain is a standard web3 drainer with control server domain `drop9-ether[.]ru`

https://urlscan.io/search/#domain%3Adrop9-ether.ru

deobfuscation of `claims-parallel[.]life` currently shows the instance as an inferno drainer unit

## supplemental data

**unique domains**:

- nebulard[.]io
- nebulard[.]app
- nebulardgame[.]io
- nebulard[.]space

**url_mutations**:

- nebulard[.]io/
- nebulard[.]io/install
- nebulard[.]app/
- nebulardgame[.]io/install
- nebulard[.]space/
- nebulardgame[.]io/?v=own
- nebulard[.]io/?v=nftfree
- nebulard[.]io/download
- nebulard[.]space/
- nebulard[.]io/?v=betavers
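The supplemental data above is a hand-maintained list of defanged URL mutations and the unique domains derived from them. The following helper, added here as an example and not part of the original note, refangs indicators written in the note's `hxxps[://]`/`[.]` convention, derives the unique hostnames and per-domain paths from a mutation list, re-defangs them for reporting, and pulls SHA-256 hashes out of free text so the pivot hashes can be fed to a search without retyping. The sample indicator list and text blob are constructed from the values on this page; the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the url_mutations and delivery/asset URLs from the note above,
# in the same defanged form (hxxps, [://], [.]). Note the duplicate nebulard[.]space/.
DEFANGED_URLS = [
    "hxxps[://]nebulard[.]io/_next/install[.]js",
    "hxxps[://]nebulard[.]io/prod-assets-parallel-life/images/download_page_bg[.]webp",
    "nebulard[.]io/",
    "nebulard[.]io/install",
    "nebulard[.]app/",
    "nebulardgame[.]io/install",
    "nebulard[.]space/",
    "nebulardgame[.]io/?v=own",
    "nebulard[.]io/?v=nftfree",
    "nebulard[.]io/download",
    "nebulard[.]space/",
    "nebulard[.]io/?v=betavers",
]

# Constructed sample text carrying the three SHA-256 values that appear in the note.
SAMPLE_TEXT = """
payload a9165466ad09f37a2c76b8e144025f0bd9fc739b3f0f16a837e31e278914585d
install.js 3d3c0037398f0abbe3cf29ae66b022accfc776ed9005a1df427d82e4bfef6b31
asset eb853175289bcf0a1197aa75a4525cb74a73d1577ef5a4b5bbdf0808cbe62eb2
asset again EB853175289BCF0A1197AA75A4525CB74A73D1577EF5A4B5BBDF0808CBE62EB2
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [://] -> ://, [.] / (.) / {.} -> ."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[://]", "://").replace("[:]//", "://")
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return s


def defang(indicator: str) -> str:
    """Re-apply the note's defanging convention so output is safe to paste into reports."""
    s = re.sub(r"^http(s?://)", r"hxxp\1", indicator, flags=re.IGNORECASE)
    s = s.replace("://", "[://]")
    return s.replace(".", "[.]")


def _split(indicator: str):
    """Parse a refanged indicator; bare 'host/path' entries get a scheme so urlsplit sees the host."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def hostname(indicator: str) -> str:
    """Lower-cased hostname of a defanged or plain URL / bare domain."""
    return _split(indicator).hostname.lower()


def unique_domains(indicators):
    """Ordered, de-duplicated hostnames (first-seen order), returned defanged."""
    seen = []
    for ind in indicators:
        host = hostname(ind)
        if host not in seen:
            seen.append(host)
    return [defang(h) for h in seen]


def paths_by_domain(indicators):
    """Map refanged hostname -> sorted list of distinct path(+query) strings seen for it."""
    out = {}
    for ind in indicators:
        parts = _split(ind)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        out.setdefault(parts.hostname.lower(), set()).add(path)
    return {host: sorted(paths) for host, paths in out.items()}


def extract_sha256(text: str):
    """Distinct SHA-256 hex strings found in free text, lower-cased and sorted."""
    return sorted({m.lower() for m in SHA256_RE.findall(text)})


if __name__ == "__main__":
    for host in unique_domains(DEFANGED_URLS):
        print(host)
    for host, paths in paths_by_domain(DEFANGED_URLS).items():
        print(defang(host), paths)
    print(extract_sha256(SAMPLE_TEXT))
```

Run it once over a pasted mutation list before updating the unique-domains section: the host set it prints is the deduplicated list, and `paths_by_domain` makes repeated entries such as the second `nebulard[.]space/` visible at a glance rather than silently inflating the count.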