Ninety three blx

Author: m | 2025-04-24


Ninety-Three Blx, Mobile, Alabama. A Cumulus Media Station.


BLX stealer, also known as XLABB Stealer, is malware designed to steal sensitive information like credentials, payment data, and cryptocurrency wallets from infected endpoints. It uses advanced evasion techniques, process injection, and file encryption to bypass traditional security tools, making it a serious threat to individuals and organizations. BLX Stealer is actively promoted on platforms like Telegram and Discord and comes in both free and premium versions. This blog post demonstrates how to detect and respond to BLX stealer on an infected Windows endpoint with Wazuh.

Behavioral analysis of BLX stealer

Upon infecting an endpoint, BLX stealer exhibits the following behaviors:
- The malware creates a PowerShell script temp.ps1 in the working directory.
- It starts a command prompt and runs a command that executes the previously created PowerShell script:
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "
- It triggers Csc.exe and Cvtres.exe, which are both legitimate Microsoft utilities that BLX abuses to compile and manipulate executable files.
- It executes the decrypted_executable file, which is dropped in the %TEMP% folder and the users' %Startup% folder to ensure persistence.
- It attempts to discover the victim's IP and geolocation details by querying api.ipify.org and geolocation-db.com.

Analyzed malware sample

Hash algorithm    Value
MD5               55bd26a6b610fc1748d0ea905a13f4f0
SHA256            8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89

Infrastructure

We use the following infrastructure to demonstrate the detection of BLX Stealer with Wazuh:
- A pre-built ready-to-use Wazuh OVA 4.9.2. Follow this guide to download the virtual machine.
- A Windows 11 victim endpoint with Wazuh agent 4.9.2 installed and enrolled to the Wazuh server. Refer to the installation guide for installing the Wazuh agent.
We use the following techniques to detect the BLX Stealer on the infected Windows endpoint:
- Creating custom detection rules to detect BLX Stealer activities.
- Using a YARA integration to scan and remove files with malicious patterns.

Creating detection rules

We use Sysmon to monitor critical system events on Windows endpoints, such as process creation, file modifications, registry changes, network connections, and script executions. These events are correlated with custom rules on the Wazuh server to detect malicious behaviors specific to BLX Stealer activities.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture and send Sysmon logs to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Using PowerShell with administrator privilege, create a Sysmon folder in the endpoint C:\ folder:
> New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the compressed Sysmon file to the folder created above C:\Sysmon:
> Expand-Archive -Path "\Sysmon.zip" -DestinationPath "C:\Sysmon"
Replace with the path where Sysmon.zip was downloaded.

4. Download the Sysmon configuration file – sysmonconfig.xml to C:\Sysmon using the PowerShell command below:
> wget -Uri -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:
> cd C:\Sysmon
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:
Microsoft-Windows-Sysmon/Operational
Eventchannel

7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure detection rules on the Wazuh server.

1. Create a new file /var/ossec/etc/rules/blx_stealer.xml:
# touch /var/ossec/etc/rules/blx_stealer.xml

2. Edit the file /var/ossec/etc/rules/blx_stealer.xml and include the following detection rules for BLX stealer:
92200 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\temp.ps1 Possible BLX stealer activity detected: A rogue powershell script was dropped to system. T1105
92052 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\Windows\\\\System32\\\\cmd.exe powershell.exe -ExecutionPolicy Bypass -File Possible BLX stealer activity detected: Rogue powershell script execution. T1059.003
92213 (?i)\\\\.+(exe|dll|bat|msi) (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe Possible BLX stealer activity detected: Rogue executable was dropped to system. T1105
61613 (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe (?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\decrypted_executable.exe Possible BLX stealer persistence activity detected: Rogue executable was copied to users' startup folder to establish persistence. T1547.001

Where:
- Rule 100300 is triggered when BLX drops a rogue PowerShell script, temp.ps1, to the infected system.
- Rule 100310 is triggered when BLX executes the temp.ps1 PowerShell script.
- Rule 100320 is triggered when BLX drops an executable, decrypted_executable.exe, in the Temp folder.
- Rule 100330 is triggered when BLX copies the rogue executable to the user %Startup% folder for persistence.

3. Restart the Wazuh manager service to apply the changes.
# systemctl restart wazuh-manager

Visualizing alerts on the Wazuh dashboard

The screenshot below shows the alerts generated on the Wazuh dashboard when we execute the BLX sample on the victim endpoints. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then, filter for rule.id in the Field field.
3. Filter for is one of in the Operator field.
4. Filter for 100300, 100310, 100320, and 100330 in the Values field.
5. Click Save.

YARA integration

YARA is an open source and multi-platform tool that identifies and classifies malware samples based on their textual or binary patterns. In this blog post, we use the Wazuh Active Response capability to automatically execute a YARA scan on files added or modified in the Downloads folder.

Windows endpoint

To download and install YARA, we require the following packages installed on the victim endpoint:
- Python v 3.13.0.
- Microsoft Visual C++ 2015 Redistributable.

Note: Make sure to select the following checkboxes on the installer dialog box during Python installation:
- Use admin privileges when installing py.exe.
- Add Python.exe to PATH.

After installing the above packages, perform the steps below to download the YARA executable:

1. Launch PowerShell with administrative privilege and download YARA:
> Invoke-WebRequest -Uri -OutFile v4.5.2-2326-win64.zip

2. Extract the YARA executable:
> Expand-Archive v4.5.2-2326-win64.zip

3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara'
> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara'

Perform the steps below to download YARA rules:

4. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. This allows you to query thousands of handcrafted YARA and Sigma rules in different

Comments

User9060

6.0.3 • Public • Published a month ago

amount-to-words (Amount to Words)

A simple module to convert numbers and/or amount to words for South Asian numbering system. e.g. Nine crore Eight lakh

Install (npm)

npm install amount-to-words

Example (javascript/nodejs)

import { numberToWords } from "amount-to-words";
...
console.log(numberToWords(number));
...
// Sample Out Put
// number
// 1 -> One
// 92 -> Ninety Two
// 123 -> One Hundred And Twenty Three
// 1234 -> One Thousand Two Hundred And Thirty Four
// 12345 -> Twelve Thousand Three Hundred And Forty Five
// 123456 -> One Lakh Twenty Three Thousand Four Hundred And Fifty Six
// 90000 -> Ninety Thousand

import { amountToWords } from "amount-to-words";
...
console.log(amountToWords(amount,decimalPlaces));
...
// Sample Out Put
// amount decimalPlaces
// 1.1 2 -> {numberInWords:"One",decimalInWords:"Ten"}
// 1.1 1 -> {numberInWords:"One",decimalInWords:"One"}
// 19.12 2 -> {numberInWords:"Nineteen",decimalInWords:"Twelve"}
// 19.12 1 -> {numberInWords:"Nineteen",decimalInWords:"One"}

NOTE: This module only supports 9 digits input. A typical use case for such conversion is in tax invoices or charts etc. For that more than 9 digits input is not very common.

Contributing

In case you notice a bug, please open an issue mentioning the input that has caused an incorrect conversion.

2025-04-20
User4847

Square arrangement, this may indicate his “tickly nose” is caused by an allergy to being square.
- As seen in Five's Handy Shop, he may have an allergy to pollen, as he sneezed after he sniffed the flowers.
- Nine is the first multiple of Three to not be a Step Squad.
- Nine is the first odd Numberblock whose main arrangement is not their tallest.
- He sounds like the Colourblock Sky Blue. This is due to them both being voiced by David Holt. Most characters in Alphablocks have similar voices to Nine also.
- He is the smallest male Numberblock to be in the Three Times Table.

Errors

In the Numberblocks colouring page in the CBeebies Special Magazine Issue 113, 9 mistakenly has 4's eyebrows.

Orders of Magnitude

Ninety, Nine Hundred, Ninety Thousand

Times Table

Nine Times Table

2025-04-01
User2336

Decoders, rules, and the Active Response module on the Wazuh server.

1. Edit the file /var/ossec/etc/decoders/local_decoder.xml and include the following decoders:
wazuh-yara:
yara_decoder wazuh-yara: (\S+) - Scan result: (\S+) (\S+) log_type, yara_rule, yara_scanned_file
yara_decoder wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+) log_type, yara_rule, yara_scanned_file
yara_decoder wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+) log_type, yara_rule, yara_scanned_file

2. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following rules:
550 (?i)C:\\Users.+Downloads File modified in the Downloads folder.
554 (?i)C:\\Users.+Downloads File added to the Downloads folder.
yara_decoder Yara grouping rule
100100 wazuh-yara: INFO - Scan result: Yara scan result: File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)
100100 wazuh-yara: INFO - Successfully deleted: Active Response: Successfully removed "$(yara_scanned_file)". YARA rule: $(yara_rule)
100100 wazuh-yara: INFO - Error removing threat: Active Response: Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)

Where:
- Rule ID 100010 is triggered when a file is modified in the Downloads directory.
- Rule ID 100011 is triggered when a file is added to the Downloads directory.
- Rule ID 100100 is the base rule for detecting YARA events.
- Rule ID 100110 is triggered when YARA scans and detects a malicious file.
- Rule ID 100120 is triggered when the detected file has been successfully removed by the Wazuh active response module.
- Rule ID 100130 is triggered when the detected file is not removed successfully by Wazuh active response.

3. Append the following configuration to the Wazuh server configuration file /var/ossec/etc/ossec.conf:
yara yara.bat no yara local 100010,100011

4. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager

Visualizing alerts on the Wazuh dashboard

The image below shows the alerts generated by the Wazuh dashboard when BLX stealer is dropped to the Downloads folder of the victim endpoint and executed. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then, filter for rule.id in the Field field.
3. Filter for is one of in the Operator field.
4. Filter for 553, 100010, 100011, 100110, 100120, and 100130 in the Values field.
5. Click Save.

Conclusion

BLX Stealer, with its ability to steal valuable data, presents a serious threat to both organizations and individuals. Wazuh comes in as a solution to detect and respond to this malware.

In this blog post, we showed how Wazuh combines real-time monitoring, and customizable rules to help security teams quickly spot BLX Stealer activity. By using these tools, organizations can take proactive measures to protect their systems and prevent sensitive information from being compromised.

To learn more about Wazuh, please check out our documentation and blog posts.

References

- CYFIRMA research – BLX Stealer.
- BLX Trojan Stealer – What It Is and How To Remove It.
- Wazuh documentation – Active response.

2025-04-18
User2971

Weather

The FIRST ALERT 10-day Forecast includes another heat wave just in time for the weekend. Highs will make a run at 100 degrees. Toledo has recorded 7 ninety degree days to this point, including the highest temperature of 98° on May 28th. Highs will reach the 90s Friday, and keep climbing through Saturday and Sunday. There is very little to no chance of rain these three days.

Record high temperatures for Toledo:
June 29 (Friday): 100° set in 1952
June 30 (Saturday): 97° set in 1953
July 1 (Sunday): 98° set in 1931

If Saturday does indeed reach 100°, that will be the first triple digit high in nearly 6 years!

Now mix in the oppressive humidity to that scorching heat expected Saturday, and it will feel like anywhere from 100° - 106°.

2025-04-15
