Pulse Detail — Threat Intelligence

PULSE NAME

2024-07-02 | Phishing Email

WHITE MalwareMorghulis 2024-07-02 Modified: 2024-11-21

IOCs

HIGH VOLUME

Phishing email from "Farhan Siraj" claiming to provide OSHA 10/30 training in a "Buy Now Pay Later" scam. Infrastructure is used in Malware-as-a-Service and hosted on AWS (AS16509). Possibly related to FormBook or ZingoStealer. Threat actor utilizes a URI to identify targets: "URL/promotions?special=TARGET_MARKER"

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1192

MALWARE FAMILIES

FormBook ZingoStealer

Indicators of Compromise (80)

All URL domain email hostname FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://oshaeducationschool.com	0e359e118eba5b49462d3ac870a2585d1153cb3677c97c3cd531b277e4b4fd45	2024-07-02
domain	oshaeducationschool.com	—	2024-07-02
email	farhan@oshaeducationschool.com	—	2024-07-02
hostname	amp.oshaeducationschool.com	—	2024-07-02
hostname	lms-staging.oshaeducationschool.com	—	2024-07-02
hostname	lms.oshaeducationschool.com	—	2024-07-02
hostname	staging.oshaeducationschool.com	—	2024-07-02
URL	http://www.oshaeducationschool.com/	—	2024-07-02
URL	https://www.oshaeducationschool.com/	—	2024-07-02
URL	https://www.oshaeducationschool.com/articles/buy-now-pay-later	—	2024-07-02
URL	https://www.oshaeducationschool.com/promotions?special=exclusivediscount	—	2024-07-02
URL	https://www.oshaeducationschool.com/promotions?special=limitedtimeoffer2022	—	2024-07-02
FileHash-SHA256	165072a6edf5573be186e7477df64bdab442031cf8e063299fbcd5eaec6b59e3	—	2024-07-02
FileHash-SHA256	1d58c735d408faceec26492f7a009bd2d67c46aa1d882e1c36b9f28c1591001e	—	2024-07-02
FileHash-SHA256	2b7c3a70b08a6435c943d914fa0ab55106071bc650c2cb94b52a4a3f1572c56d	—	2024-07-02
FileHash-SHA256	3eb430780779ad039b90cb1bfc851ecddf1046362592f3e01d4d790cc702dfc5	—	2024-07-02
FileHash-SHA256	413a7e8af8644bbebfdb0bca1909090e6e9d3b29007eb45b2252ecd0dacdac35	—	2024-07-02
FileHash-SHA256	4a8d553bae94b6c4f9940ccfc10bb770799bdef92050028ef18cf132f916e1e1	—	2024-07-02
FileHash-SHA256	53a2c8f9b23645ab7edd2c0afe9296ab973f75cfeba71cd733ec5371029fae76	—	2024-07-02
FileHash-SHA256	57148ea191de05a2e806d6fd5071483b3241f234ac62aa64ea882c293b787a62	—	2024-07-02
FileHash-SHA256	5be88e19c10b7938fc167a4286277ec2dc95e498acb5795fa06ed7c4043a632a	—	2024-07-02
FileHash-SHA256	7ab95ba29fd65216ae854a664092c3e2c0d7a7986ab8880bee77d3dc74a97467	—	2024-07-02
FileHash-SHA256	8a64cfbc24f96c120a8f5fca009058343a0cf09994de389ea9690bf143c45f00	—	2024-07-02
FileHash-SHA256	8abf8bafa09b220a9bad79bbb549bf2c7ffee7f8249e8fb3f7ba1386865629e0	—	2024-07-02
FileHash-SHA256	8edcbb0f33a828388fcf27989eea7e608fb63bf9ea60c56866090016dc38688b	—	2024-07-02
FileHash-SHA256	925f2450ff3db139947d1ee30b111426f9ae405e768125c5889426850dfdbe89	—	2024-07-02
FileHash-SHA256	a8e2e263211020b31de3fb8dcd25c11698a100ef031fe1781d095249d94c9e7e	—	2024-07-02
FileHash-SHA256	befacfff7722a071c34b5296e0fcc9ddba9062fa3a34f5fa1bf1eaa34f1f7c38	—	2024-07-02
FileHash-SHA256	cd4eb920e62a360ca1d92db524cc780eff00d0b7500f1a68cc19b908cb4da92e	—	2024-07-02
FileHash-SHA256	cfa5f34bf96e93db0ecc3dd44a64707ab3f58b1ecb501c597be202b241f1a28c	—	2024-07-02
FileHash-SHA256	de3b0ca24028c3aa47a073eff793ea45a700adca7ea22ce14c32ec2ad7c58f8d	—	2024-07-02
FileHash-SHA256	e5c05375072d09dcf2dba40cd3c1e60fa355b655146541c397bd568ea674837d	—	2024-07-02
domain	alienboss.xyz	—	2024-07-02
domain	arcanei.xyz	—	2024-07-02
domain	asna.com	—	2024-07-02
domain	basedboppy.xyz	—	2024-07-02
domain	binshare.net	—	2024-07-02
domain	catwifbox.xyz	—	2024-07-02
domain	chainshunter.xyz	—	2024-07-02
domain	chirpon.xyz	—	2024-07-02
domain	chukwukauba.xyz	—	2024-07-02
domain	colosseum-battlefly.xyz	—	2024-07-02
domain	crewnetwork.org	—	2024-07-02
domain	damarts.xyz	—	2024-07-02
domain	designgurus.io	—	2024-07-02
domain	dhruvk.xyz	—	2024-07-02
domain	edgenhelp.com	—	2024-07-02
domain	horizonagency.xyz	—	2024-07-02
domain	mapsscraper.ai	—	2024-07-02
domain	motfunds.com	—	2024-07-02
domain	raysee.jp	—	2024-07-02
domain	samrjj.in	—	2024-07-02
domain	seniorsgenetest.org	—	2024-07-02
domain	southealingpharmacy.co.uk	—	2024-07-02
domain	sqrat.xyz	—	2024-07-02
domain	strength-training.xyz	—	2024-07-02
domain	stusie.xyz	—	2024-07-02
domain	supersonghao.xyz	—	2024-07-02
domain	theribys.xyz	—	2024-07-02
domain	xcriminal.xyz	—	2024-07-02
domain	xtzminer.xyz	—	2024-07-02
URL	http://basedboppy.xyz/	—	2024-07-02
URL	http://hoo.be/amlabaan/1v3J4euhRMR	—	2024-07-02
URL	http://raysee.jp/	—	2024-07-02
URL	http://samrjj.in/	—	2024-07-02
URL	http://seniorsgenetest.org/	—	2024-07-02
URL	https://asna.com/	—	2024-07-02
URL	https://basedboppy.xyz/	—	2024-07-02
URL	https://binshare.net/VpA86cJvJF8RkrwJO3dy	—	2024-07-02
URL	https://crewnetwork.org	—	2024-07-02
URL	https://hoo.be/onboarding/claim-your-link/concrete	—	2024-07-02
URL	https://hoo.be/onboarding/claim-your-link/frame	—	2024-07-02
URL	https://mapsscraper.ai	—	2024-07-02
URL	https://mapsscraper.ai/	—	2024-07-02
URL	https://mapsscraper.ai/api/getm	—	2024-07-02
URL	https://mapsscraper.ai/web	—	2024-07-02
URL	https://raysee.jp/column/archives/line-stop&amp	—	2024-07-02
URL	https://www.designgurus.io/course-play/grokking-the-coding-interview	—	2024-07-02
URL	https://www.motfunds.com/en	—	2024-07-02
hostname	no-sni.vercel-infra.com	—	2024-07-02

References (1)

↗ https://whois.domaintools.com/oshaeducationschool.com