31 | 2024-05-23 09:44
wxijgyp.exe ca82319fef771a184d1f98750e5bbb21 | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed
URLs (1): http://ip-api.com/line/?fields=hosting
Hosts (2): ip-api.com(208.95.112.1) 208.95.112.1
Alerts (1): ET POLICY External IP Lookup ip-api.com
6.8 | | 37 | ZeroCERT
32 | 2024-05-23 09:41
gywervcyuj.exe d90f41701d76908bf5a1519fe7b99f23 | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
URLs (1):
Hosts (2): api.ipify.org(104.26.12.205) 104.26.12.205
Alerts (3): ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
8.0 | | 33 | ZeroCERT
33 | 2024-05-23 09:39
ngown.exe 66e5c9de148b496d53b2968c6a03c257 | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName Software crashed
5.2 | | 37 | ZeroCERT
34 | 2024-05-20 07:40
Document0984757478.exe c36f798f2646092c180c6fc904c418f7 | Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PE File Device_File_Check PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
URLs (12):
  http://www.hidrapelenobrasil.shop/tnob/
  http://www.vgyuren.icu/tnob/?M768=NZLAttDy15cbxmTAaaJAAhcdtbbzbdC6cQASBxA5nayYu/GOfC/5A+IahllAzFRUiFmSt5kq6F0oVQiv/GR/+8xUZyS/zwm/ST73YGuTYQJxL0QGvxJmA8+4HRiCsYQg+9RGN1M=&8VV=cbpI8Z
  http://www.vgyuren.icu/tnob/
  http://www.infiniteiris.xyz/tnob/
  http://www.agiluxer.com/tnob/
  http://www.hidrapelenobrasil.shop/tnob/?M768=TPrZ4a0urPHyVFZKcsh5aEnGH6x10c+LVWP6ua7p29CzcHV40vt+Ed5yRYmyzTCpigI2rSAw2/G/eFm8oGlzQ7+/7cLR6wXoQapfC3ZuTGxBv6b1IEkJAtht8fY8zqhXw31ZFKk=&8VV=cbpI8Z
  http://www.arlobear.com/tnob/
  http://www.arlobear.com/tnob/?M768=mRJtfJxmotkXpphcq/QE5FfNUlyuhqJ4xTDuf4BcDBVqwLPDVx7TaFjEYZ/wXCuyUE/EPLaluHW5tfzg79EX9lgH2c6h3RXVi7dgiQ81i4DOx3Z88Lcisl2d1B4Lf8dw8FhpRx8=&8VV=cbpI8Z
  http://www.astrologervijay.co.in/tnob/
  http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
  http://www.agiluxer.com/tnob/?M768=xucYkVA0pSGnJLauQED+MX/AFeENqsoRBgDyCFwoPTJzowq3+SiQ/gcTvZgaze9ZduNu+YKWql+189tIlRko0A5LPpTiApeLXRVMRPzwdFYfTFxYQJVx/YqpG4REi2vAdvDqirs=&8VV=cbpI8Z
  http://www.infiniteiris.xyz/tnob/?M768=dKcAFocpbczRW7Ograh51MDLU8SGd9cCF4nhV6jObVdk20h2WG8oxGerRI8ZVjKSHAzMSzznD5M+/O7693UL+HQ2E52xXWoR98sgwtG4w7xMcOP0BgswZlze6fxvf5u2IXPt7lE=&8VV=cbpI8Z
Hosts (22): www.likbez22.store() www.hidrapelenobrasil.shop(162.241.2.244) www.ablazeaiagents.com() www.astrologervijay.co.in(43.231.124.79) www.justgoodsin.com() www.sdshopping.org() www.agiluxer.com(74.208.236.41) www.infiniteiris.xyz(162.0.237.22) www.arlobear.com(46.30.215.3) www.artismeapparel.com() www.vgyuren.icu(192.207.62.21) 104.21.11.117 162.0.237.22 194.54.164.123 162.19.139.184 - mailcious 162.241.2.244 - mailcious 43.231.124.79 74.208.236.41 - mailcious 13.225.110.102 192.207.62.21 45.33.6.223 46.30.215.3
Alerts (3): ET MALWARE FormBook CnC Checkin (GET) M5; ET INFO DNS Query for Suspicious .icu Domain; ET INFO HTTP POST Request to Suspicious *.icu domain
7.2 | M | 47 | ZeroCERT
35 | 2024-05-18 20:19
HVC.exe d3d4eadf3c33f7f479c4e647ac76ed25 | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (1):
Hosts (2): api.ipify.org(172.67.74.152) 172.67.74.152
Alerts (3): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.0 | M | 38 | ZeroCERT
36 | 2024-05-16 09:07
akurg.exe 6bef283833fa82a12f2a6a73fb43a4bb | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
URLs (1):
Hosts (2): api.ipify.org(104.26.13.205) 172.67.74.152
Alerts (3): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.6 | M | 35 | ZeroCERT
37 | 2024-05-13 09:06
go.exe dc540b21dd7ea520b4390010baee443f | Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (8):
  https://www.google.com/favicon.ico
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AaSxoQzQIIpBZjKNBi40fIhgM04aqMC10RSUh09-oqGjM9r6pC85eFFhK3TqfZOdE-A9GLwgnEJq0Q
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/generate_204?UAPjyQ
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AaSxoQzQ7rgk_U7qtouG2IWzPuE-48A-cdZOogWaBVud6M8pbV9TDnaV-d3eSsBZ57WIbrdoC1W7&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1744383557%3A1715558550050150
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (6): ssl.gstatic.com(142.250.206.195) accounts.google.com(108.177.125.84) www.google.com(172.217.25.164) 142.251.130.4 142.251.8.84 172.217.25.3
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | M | 17 | ZeroCERT
38 | 2024-05-11 19:38
wfopkrgoplq.exe 6a267a91de66ab6c8fbdf4cbaa1e27e9 | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName Software crashed
5.4 | | 40 | ZeroCERT
39 | 2024-05-03 07:55
random.exe 6b31dd4a6560603dfe9f833ca5dd4d7d | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger installed browsers check Browser
3.4 | M | 22 | ZeroCERT
40 | 2024-05-03 07:48
go.exe b8e5ad86c9e9b3aef46098f287e8b0ac | Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (8):
  https://www.google.com/favicon.ico
  https://accounts.google.com/generate_204?iU4cJw
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AaSxoQxLNxI2HHlyxoGVcimqY4uM5LhzX4AaU3oCu3hm6douPS3R9_nXx_4seqaPnHWGVIcIYa-CcQ
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AaSxoQyzK7K9-0SpUK5Ty5V-P6hQ_biFIJfL9ccChY7BZx85vNPhi5nC5sdCfjIBNHPOk2d3ZxGBoQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1073016254%3A1714689841540357
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (7): ssl.gstatic.com(172.217.25.163) accounts.google.com(108.177.125.84) www.google.com(142.250.207.100) 23.94.53.100 216.58.200.227 216.58.203.68 64.233.188.84
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | M | 18 | ZeroCERT
41 | 2024-05-03 07:45
GVV.exe fa3641c75d2beb68c01e8065eefc4707 | Generic Malware Suspicious_Script_Bin Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser Email ComputerName DNS DDNS keylogger
URLs (1): http://geoplugin.net/json.gp
Hosts (4): geoplugin.net(178.237.33.50) yuahdgbceja.sytes.net(23.94.53.100) 178.237.33.50 23.94.53.100
Alerts (2): ET JA3 Hash - Remcos 3.x/4.x TLS Connection; ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain
13.8 | | 22 | ZeroCERT
42 | 2024-04-20 09:41
random.exe 47c3491d805349f03578f6ac3e0bda01 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger exploit crash installed browsers check Exploit Browser crashed
4.6 | | 24 | ZeroCERT
43 | 2024-04-10 13:50
wininit.exe 290102d5e403f9eb6d7cd7fe3188d307 | Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check
0.4 | M | | ZeroCERT
44 | 2024-04-10 13:45
wininit.exe 6b7314e8a04ad8436c3aff06f3918ea6 | Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check VirusTotal Malware
1.0 | | 17 | ZeroCERT
45 | 2024-04-08 18:29
medcallaboratory5.exe b915133065e8c357f8b37e28015088fe | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check
0.4 | | | ZeroCERT