1 | 2024-07-05 15:54
Report.ps1 | 054618073752ea5823c98130114a3241
Tags: Hide_EXE Generic Malware task schedule Antivirus KeyLogger AntiDebug AntiVM Malware download AsyncRAT NetWireRC VirusTotal Malware Code Injection Check memory buffers extracted unpack itself DDNS
Hosts (2):
  services-line2.freeddns.org(136.243.111.71)
  136.243.111.71
Alerts (3):
  ET INFO DYNAMIC_DNS Query to a *.freeddns .org Domain
  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  ET MALWARE Generic AsyncRAT Style SSL Cert
7.2 | - | 10 | ZeroCERT

2 | 2024-07-04 17:08
Explore.vbs | 9b5731dd0f4fe8d82ce62e1ef83ebc8c
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
Hosts (1):
  89.197.154.116 - mailcious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
9.0 | - | 30 | ZeroCERT

3 | 2024-07-04 11:31
Update.js | 616eae241a26b57cf9d5efc97ff8491f
Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
URLs (1):
  https://shryr.fans.smalladventureguide.com/orderReview
Hosts (2):
  shryr.fans.smalladventureguide.com(162.252.175.117)
  162.252.175.117 - mailcious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | - | - | guest

4 | 2024-07-03 10:46
Update.js | cbca476a716c76cf629b3428ee9c3f43
Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
URLs (1):
  https://yeo.fans.smalladventureguide.com/orderReview
Hosts (2):
  yeo.fans.smalladventureguide.com(162.252.175.117)
  162.252.175.117 - mailcious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | - | - | r0d

5 | 2024-07-03 08:07
mku.vbs | 723330a9cf1200400aa6a4dcbd27e061
Tags: Malware download Wshrat NetWireRC Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper
URLs (1):
  http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
Hosts (2):
  chongmei33.publicvm.com(46.246.86.12) - mailcious
  46.246.86.12
Alerts (4):
  ET MALWARE WSHRAT CnC Checkin
  ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
Requests (1):
  http://chongmei33.publicvm.com:7045/is-ready
10.0 | M | - | ZeroCERT

6 | 2024-07-02 14:10
Update.js | 365d4f4e6ffed01288e0fae6e352e8a5
Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
URLs (1):
  https://czvqr.fans.smalladventureguide.com/orderReview
Hosts (2):
  czvqr.fans.smalladventureguide.com(162.252.175.117) - mailcious
  162.252.175.117 - mailcious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | - | - | guest

7 | 2024-07-02 13:49
Update.js | a17403e9e32d19f46d7796f574136b61
Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
URLs (1):
  https://vlms.fans.smalladventureguide.com/orderReview
Hosts (2):
  vlms.fans.smalladventureguide.com(162.252.175.117)
  162.252.175.117 - mailcious
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | - | - | guest

8 | 2024-07-01 16:46
Update.js | 365d4f4e6ffed01288e0fae6e352e8a5
Tags: VBScript wscript.exe payload download Tofsee crashed Dropper
URLs (1):
  https://czvqr.fans.smalladventureguide.com/orderReview
Hosts (2):
  czvqr.fans.smalladventureguide.com(162.252.175.117)
  162.252.175.117
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | - | - | guest

9 | 2024-06-29 15:24
lamda.cmd | b9b513ba600e0bbf6f72129ba99ba72e
Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger heapspray Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (6):
  http://45.88.91.103/LgGFdDAm/AntiVirus.exe
  http://45.88.91.103/LgGFdDAm/AntiVirus2.exe
  http://45.88.91.103/LgGFdDAm/AntiVirus3.exe
  http://45.88.91.103/LgGFdDAm/AntiVirus4.exe
  http://45.88.91.103/LgGFdDAm/main.exe
  http://45.88.91.103/LgGFdDAm/main2.exe
3.6 | M | - | ZeroCERT

10 | 2024-06-27 13:25
Result_2024-0617.pdf.jse | 20e2de2d794dfff774b71b6dd2294a96
Tags: Client SW User Data Stealer browser info stealer Generic Malware Suspicious_Script_Bin Hide_EXE Google Chrome User Data Downloader Antivirus Malicious Library Malicious Packer UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal cr Browser Info Stealer VirusTotal Malware United States powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Windows Exploit Browser ComputerName Cryptographic key crashed
URLs (1):
  http://image.ionexusa.com/view.php
Hosts (1):
  image.ionexusa.com(127.0.0.1) - mailcious
Alerts (1):
  ET INFO DYNAMIC_DNS Query to a *.ionexusa .com Domain
13.0 | - | 24 | ZeroCERT

11 | 2024-06-27 10:07
w624.vbs | c2ab43cad589673051ce723bc3b37392
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper
URLs (2):
  http://ip-api.com/json/
  http://chongmei33.publicvm.com:7044/is-ready
Hosts (4):
  chongmei33.publicvm.com(188.126.90.18) - mailcious
  ip-api.com(208.95.112.1)
  188.126.90.18
  208.95.112.1
Alerts (2):
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
  ET POLICY External IP Lookup ip-api.com
10.0 | - | 27 | ZeroCERT

12 | 2024-06-24 15:51
pumairld.txt.ps1 | 19a7f5e2e7fd8e14d8129dcdf6c8b992
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Discord ComputerName DNS Cryptographic key
Hosts (2):
  cdn.discordapp.com(162.159.134.233) - malware
  162.159.134.233 - malware
Alerts (3):
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | - | 17 | ZeroCERT

13 | 2024-06-24 15:45
nyctalopicAWm.ps1 | ce1d9b1f2993eb46aa483c2f5790ad58
Tags: Generic Malware Antivirus VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs (1):
  https://www.luciaricciardi.com/wp-content/uploads/2018/12/epitheliogeneticTFr.exe
3.0 | - | 22 | ZeroCERT

14 | 2024-06-24 15:32
pinspotterEtbYF.php.ps1 | b07664f8abb0f1883e2adaa70e10ffcb
Tags: Generic Malware Antivirus unpack itself WriteConsoleW Windows Cryptographic key
URLs (1):
  https://www.luciaricciardi.com/wp-content/uploads/2018/12/untormentedXz.php
0.8 | - | - | ZeroCERT

15 | 2024-06-21 09:45
Invoice.bat | 45c581bf3caca47ff9f0515f42571935
Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
5.2 | - | - | ZeroCERT