From 8a872db9ac1c7b024a24792b080c8a61092c9262 Mon Sep 17 00:00:00 2001
From: Lightning <154468000+LightningDev23@users.noreply.github.com>
Date: Sun, 10 Mar 2024 17:32:23 -0400
Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=9A=80=20opensea-389-9bec97c22fa2e411?= =?UTF-8?q?.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 indicators/opensea-389-9bec97c22fa2e411.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 indicators/opensea-389-9bec97c22fa2e411.yml

diff --git a/indicators/opensea-389-9bec97c22fa2e411.yml b/indicators/opensea-389-9bec97c22fa2e411.yml
new file mode 100644
index 0000000..0adfd43
--- /dev/null
+++ b/indicators/opensea-389-9bec97c22fa2e411.yml
@@ -0,0 +1,18 @@
+title: OpenSea Phishing 389-9bec97c22fa2e411
+description: Detects OpenSea wallet drainers - mystery box scam. Often hosted on Vercel (https://vercel.com/).
+
+references:
+ - https://urlscan.io/result/03383a08-4618-4a92-9bff-99bd8b2be9f2/
+ - https://urlscan.io/result/672f40d7-78fb-4b28-8ef5-9f09591e20ea/
+ - https://urlscan.io/result/c6ed3c5a-e79a-491b-b316-deedc0527c49/
+
+detection:
+ File:
+ # This GIF file is used on a lot of OpenSea scams.
+ html|contains: '/389-9bec97c22fa2e411.gif'
+
+ condition: File
+
+tags:
+ - target.opensea
+ - cryptocurrency
From 0786c0d8ca73f972d57f8fd854725a38a61bbaeb Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Sun, 10 Mar 2024 23:18:53 +0000
Subject: [PATCH 2/3] Update opensea-389-9bec97c22fa2e411.yml

---
 indicators/opensea-389-9bec97c22fa2e411.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/indicators/opensea-389-9bec97c22fa2e411.yml b/indicators/opensea-389-9bec97c22fa2e411.yml
index 0adfd43..fe891b6 100644
--- a/indicators/opensea-389-9bec97c22fa2e411.yml
+++ b/indicators/opensea-389-9bec97c22fa2e411.yml
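Review bot: The only discriminator in this indicator is the substring `/389-9bec97c22fa2e411.gif` in page HTML (the `html|contains` line under `File:`), so any page that merely mentions that path — a write-up quoting the kit, for instance — could match, while a kit that renames the asset would not; the inline comment should make that trade-off explicit. Suggest replacing the comment above `html|contains` with `# Single-asset indicator: the kit's mystery-box GIF. Substring match on page text, so expect hits on reports quoting this path; revisit if the asset is renamed.` The `description` also says the scam is "Often hosted on Vercel", but no selection keys on hosting, so a reader may assume it is part of the match; a short note that the Vercel mention is context only would avoid that.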
@@ -7,11 +7,12 @@ references:
 - https://urlscan.io/result/c6ed3c5a-e79a-491b-b316-deedc0527c49/
 
 detection:
- File:
+
+ file:
 # This GIF file is used on a lot of OpenSea scams.
 html|contains: '/389-9bec97c22fa2e411.gif'
 
- condition: File
+ condition: file
 
 tags:
 - target.opensea
From 75ed2ced542e2dad8054c0041e667453e75ab907 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Sun, 10 Mar 2024 23:22:34 +0000
Subject: [PATCH 3/3] Update opensea-389-9bec97c22fa2e411.yml

---
 indicators/opensea-389-9bec97c22fa2e411.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/indicators/opensea-389-9bec97c22fa2e411.yml b/indicators/opensea-389-9bec97c22fa2e411.yml
index fe891b6..e2d9d28 100644
--- a/indicators/opensea-389-9bec97c22fa2e411.yml
+++ b/indicators/opensea-389-9bec97c22fa2e411.yml
@@ -8,11 +8,14 @@ references:
 
 detection:
 
- file:
+ fileRequest:
+ requests|endswith: '/389-9bec97c22fa2e411.gif'
+
+ fileUsage:
 # This GIF file is used on a lot of OpenSea scams.
 html|contains: '/389-9bec97c22fa2e411.gif'
 
- condition: file
+ condition: fileRequest and fileUsage
 
 tags:
 - target.opensea
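Review bot: `requests|endswith: '/389-9bec97c22fa2e411.gif'` in the new `fileRequest` selection is stricter than the `contains` used by `fileUsage`: a request for the same asset carrying a query string or cache-busting suffix would fail `endswith`, and because `condition: fileRequest and fileUsage` now requires both selections, the rule would stop firing on a page that the previous `file`-only version caught. If the request modifier in this rule format supports it, `requests|contains: '/389-9bec97c22fa2e411.gif'` keeps the request/usage pairing while tolerating such suffixes — I cannot tell from the hunk which modifiers `requests` accepts. `fileRequest` also lacks the explanatory comment that `fileUsage` carries; suggest adding above `requests|endswith` the comment `# The page must actually fetch the GIF, not just mention it, to cut matches on write-ups quoting the path.`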