| 31 |
2024-05-23 09:44
|
 wxijgyp.exe ca82319fef771a184d1f98750e5bbb21
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed |
1
http://ip-api.com/line/?fields=hosting
|
2
ip-api.com(208.95.112.1)
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
6.8 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 32 |
2024-05-23 09:41
|
 gywervcyuj.exe d90f41701d76908bf5a1519fe7b99f23
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
|
2
api.ipify.org(104.26.12.205)
104.26.12.205
|
3
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
8.0 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 33 |
2024-05-23 09:39
|
 ngown.exe 66e5c9de148b496d53b2968c6a03c257
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
5.2 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 34 |
2024-05-20 07:40
|
 Document0984757478.exe c36f798f2646092c180c6fc904c418f7
Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PE File Device_File_Check PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
12
http://www.hidrapelenobrasil.shop/tnob/
http://www.vgyuren.icu/tnob/?M768=NZLAttDy15cbxmTAaaJAAhcdtbbzbdC6cQASBxA5nayYu/GOfC/5A+IahllAzFRUiFmSt5kq6F0oVQiv/GR/+8xUZyS/zwm/ST73YGuTYQJxL0QGvxJmA8+4HRiCsYQg+9RGN1M=&8VV=cbpI8Z
http://www.vgyuren.icu/tnob/
http://www.infiniteiris.xyz/tnob/
http://www.agiluxer.com/tnob/
http://www.hidrapelenobrasil.shop/tnob/?M768=TPrZ4a0urPHyVFZKcsh5aEnGH6x10c+LVWP6ua7p29CzcHV40vt+Ed5yRYmyzTCpigI2rSAw2/G/eFm8oGlzQ7+/7cLR6wXoQapfC3ZuTGxBv6b1IEkJAtht8fY8zqhXw31ZFKk=&8VV=cbpI8Z
http://www.arlobear.com/tnob/
http://www.arlobear.com/tnob/?M768=mRJtfJxmotkXpphcq/QE5FfNUlyuhqJ4xTDuf4BcDBVqwLPDVx7TaFjEYZ/wXCuyUE/EPLaluHW5tfzg79EX9lgH2c6h3RXVi7dgiQ81i4DOx3Z88Lcisl2d1B4Lf8dw8FhpRx8=&8VV=cbpI8Z
http://www.astrologervijay.co.in/tnob/
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
http://www.agiluxer.com/tnob/?M768=xucYkVA0pSGnJLauQED+MX/AFeENqsoRBgDyCFwoPTJzowq3+SiQ/gcTvZgaze9ZduNu+YKWql+189tIlRko0A5LPpTiApeLXRVMRPzwdFYfTFxYQJVx/YqpG4REi2vAdvDqirs=&8VV=cbpI8Z
http://www.infiniteiris.xyz/tnob/?M768=dKcAFocpbczRW7Ograh51MDLU8SGd9cCF4nhV6jObVdk20h2WG8oxGerRI8ZVjKSHAzMSzznD5M+/O7693UL+HQ2E52xXWoR98sgwtG4w7xMcOP0BgswZlze6fxvf5u2IXPt7lE=&8VV=cbpI8Z
|
22
www.likbez22.store()
www.hidrapelenobrasil.shop(162.241.2.244)
www.ablazeaiagents.com()
www.astrologervijay.co.in(43.231.124.79)
www.justgoodsin.com()
www.sdshopping.org()
www.agiluxer.com(74.208.236.41)
www.infiniteiris.xyz(162.0.237.22)
www.arlobear.com(46.30.215.3)
www.artismeapparel.com()
www.vgyuren.icu(192.207.62.21)
104.21.11.117
162.0.237.22
194.54.164.123
162.19.139.184 - mailcious
162.241.2.244 - mailcious
43.231.124.79
74.208.236.41 - mailcious
13.225.110.102
192.207.62.21
45.33.6.223
46.30.215.3
|
3
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO DNS Query for Suspicious .icu Domain
ET INFO HTTP POST Request to Suspicious *.icu domain
|
|
7.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 35 |
2024-05-18 20:19
|
 HVC.exe d3d4eadf3c33f7f479c4e647ac76ed25
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
2
api.ipify.org(172.67.74.152)
172.67.74.152
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
2024-05-16 09:07
|
 akurg.exe 6bef283833fa82a12f2a6a73fb43a4bb
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
|
2
api.ipify.org(104.26.13.205)
172.67.74.152
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 37 |
2024-05-13 09:06
|
 go.exe dc540b21dd7ea520b4390010baee443f
Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AaSxoQzQIIpBZjKNBi40fIhgM04aqMC10RSUh09-oqGjM9r6pC85eFFhK3TqfZOdE-A9GLwgnEJq0Q
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?UAPjyQ
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AaSxoQzQ7rgk_U7qtouG2IWzPuE-48A-cdZOogWaBVud6M8pbV9TDnaV-d3eSsBZ57WIbrdoC1W7&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1744383557%3A1715558550050150
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
6
ssl.gstatic.com(142.250.206.195)
accounts.google.com(108.177.125.84)
www.google.com(172.217.25.164)
142.251.130.4
142.251.8.84
172.217.25.3
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 38 |
2024-05-11 19:38
|
 wfopkrgoplq.exe 6a267a91de66ab6c8fbdf4cbaa1e27e9
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
5.4 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39 |
2024-05-03 07:55
|
 random.exe 6b31dd4a6560603dfe9f833ca5dd4d7d
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger installed browsers check Browser |
|
|
|
|
3.4 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40 |
2024-05-03 07:48
|
 go.exe b8e5ad86c9e9b3aef46098f287e8b0ac
Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico
https://accounts.google.com/generate_204?iU4cJw
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AaSxoQxLNxI2HHlyxoGVcimqY4uM5LhzX4AaU3oCu3hm6douPS3R9_nXx_4seqaPnHWGVIcIYa-CcQ
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AaSxoQyzK7K9-0SpUK5Ty5V-P6hQ_biFIJfL9ccChY7BZx85vNPhi5nC5sdCfjIBNHPOk2d3ZxGBoQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1073016254%3A1714689841540357
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
7
ssl.gstatic.com(172.217.25.163)
accounts.google.com(108.177.125.84)
www.google.com(142.250.207.100)
23.94.53.100
216.58.200.227
216.58.203.68
64.233.188.84
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41 |
2024-05-03 07:45
|
 GVV.exe fa3641c75d2beb68c01e8065eefc4707
Generic Malware Suspicious_Script_Bin Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser Email ComputerName DNS DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
yuahdgbceja.sytes.net(23.94.53.100)
178.237.33.50
23.94.53.100
|
2
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain
|
|
13.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42 |
2024-04-20 09:41
|
 random.exe 47c3491d805349f03578f6ac3e0bda01
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger exploit crash installed browsers check Exploit Browser crashed |
|
|
|
|
4.6 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43 |
2024-04-10 13:50
|
 wininit.exe 290102d5e403f9eb6d7cd7fe3188d307
Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check |
|
|
|
|
0.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44 |
2024-04-10 13:45
|
 wininit.exe 6b7314e8a04ad8436c3aff06f3918ea6
Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45 |
2024-04-08 18:29
|
 medcallaboratory5.exe b915133065e8c357f8b37e28015088fe
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check |
|
|
|
|
0.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|