nebulard[.]io

  • sample likely belongs to a traffer unit
  • group not yet confirmed
  • sample employs code structures that vary from previous samples; no references observed within monitored streams

malware_data

Windows payload delivered:
https://www.virustotal.com/gui/file/a9165466ad09f37a2c76b8e144025f0bd9fc739b3f0f16a837e31e278914585d

anyrun
https://app.any.run/tasks/69655b22-3b77-4d1d-94ab-c439dfe38ff2

delivered via:
hxxps[://]nebulard[.]io/_next/install[.]js
install[.]js file hash (search): 3d3c0037398f0abbe3cf29ae66b022accfc776ed9005a1df427d82e4bfef6b31

pivots

https://urlscan.io/search/#hash:3d3c0037398f0abbe3cf29ae66b022accfc776ed9005a1df427d82e4bfef6b31

image asset:
hxxps[://]nebulard[.]io/prod-assets-parallel-life/images/download_page_bg[.]webp

file_hash: eb853175289bcf0a1197aa75a4525cb74a73d1577ef5a4b5bbdf0808cbe62eb2
https://pro.urlscan.io/triage?query=eb853175289bcf0a1197aa75a4525cb74a73d1577ef5a4b5bbdf0808cbe62eb2

correlations

observing a variant iteration connected to
domain: claims-parallel[.]life (first seen 16 days ago)

domain hosts a standard web3 drainer with a control server
domain: drop9-ether[.]ru

https://urlscan.io/search/#domain%3Adrop9-ether.ru

deobfuscation of claims-parallel[.]life currently shows this instance as an inferno drainer unit

supplemental data

unique domains:
nebulard[.]io
nebulard[.]app
nebulardgame[.]io
nebulard[.]space

url_mutations:
nebulard[.]io/
nebulard[.]io/install
nebulard[.]app/
nebulardgame[.]io/install
nebulard[.]space/
nebulardgame[.]io/?v=own
nebulard[.]io/?v=nftfree
nebulard[.]io/download
nebulard[.]io/?v=betavers