| 91 |
2022-12-26 09:59
|
 bd.exe afd26f223230ad20eb208dbaa0164e43
Generic Malware Themida Packer Malicious Library Anti_VM UPX PE32 PE File VirusTotal Malware Check memory unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware crashed |
|
|
|
|
6.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 92 |
2022-12-19 10:03
|
 FEejeARafe.exe bac43db85fb7279c44edb5dee47dcfeb
Emotet Gen2 Gen1 Generic Malware Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File PNG Format JPEG Format MSOffice File DLL PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection Checks debugger buffers extracted WMI RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
apps.identrust.com(61.111.58.34)
smashbrowser.com(172.67.192.61)
23.67.53.27
104.21.51.242
121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 93 |
2022-12-19 10:02
|
 1.exe bac43db85fb7279c44edb5dee47dcfeb
Emotet Gen2 Gen1 Generic Malware Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File PNG Format JPEG Format MSOffice File DLL PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection Checks debugger WMI RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
apps.identrust.com(61.111.58.35)
smashbrowser.com(104.21.51.242)
23.67.53.27
172.67.192.61
121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 94 |
2022-12-12 09:48
|
 CR3.exe 8a750de9841355fb6f01c923e71303ef
Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format JPEG Format MSOffice File OS Processor Check GIF Format .NET EXE DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Google ComputerName DNS crashed |
19
http://apps.identrust.com/roots/dstrootcax3.p7c
http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://www.google.com/
https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=7 - rule_id: 7620
https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe - rule_id: 25016
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe - rule_id: 25017
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe - rule_id: 25018
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW - rule_id: 7622
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww - rule_id: 7622
https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
22
wewewe.s3.eu-central-1.amazonaws.com(52.219.171.130) - mailcious
www.google.com(142.250.207.100)
google.com(172.217.25.174)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(173.233.137.52) - mailcious
iplogger.com(148.251.234.93) - mailcious
apps.identrust.com(23.32.56.72)
chainsaw-man.s3.pl-waw.scw.cloud(151.115.10.1)
www.loransheart.com(23.160.193.16)
droplex.s3.pl-waw.scw.cloud(151.115.10.1) - malware
grilloo.net(159.8.122.140)
172.217.161.36
148.251.234.93 - mailcious
95.214.24.96 - malware
173.233.137.44
37.230.138.66 - mailcious
23.43.165.105
151.115.10.1 - malware
52.219.171.106
37.230.138.123 - mailcious
172.217.31.14
|
6
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
15
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/S2S/Disc/Disc.php
https://connectini.net/Series/publisher/1/KR.json
https://connectini.net/Series/SuperNitouDisc.php
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/ip/check.php
https://connectini.net/ip/check.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://connectini.net/Series/Conumer2kenpachi.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/ip/check.php
|
14.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 95 |
2022-12-08 10:47
|
 TUN3.exe f59160f8bf6d380cdecbd2db94c61deb
Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check PNG Format JPEG Format .NET EXE MSOffice File GIF Format DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Google ComputerName DNS crashed |
21
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe - rule_id: 24496
http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://www.google.com/
https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=6 - rule_id: 7620
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW - rule_id: 7622
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe
https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW - rule_id: 7622
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww - rule_id: 7622
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_Trustnero - rule_id: 7622
|
27
trustnero.com(104.21.1.91) - mailcious
a.dowgmua.com(172.67.157.126)
wewewe.s3.eu-central-1.amazonaws.com(3.5.139.163) - mailcious
www.google.com(142.250.207.100)
google.com(172.217.25.174)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(173.233.137.52) - mailcious
5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud(151.115.10.1)
apps.identrust.com(23.43.165.105)
droplex.s3.pl-waw.scw.cloud(151.115.10.1)
www.aculpainting.com(23.160.193.16) - malware
151.115.10.1 - malware
142.250.204.142
61.111.58.35 - malware
192.243.59.12
142.251.42.164
23.67.53.18
23.50.121.153
61.111.58.34 - malware
192.243.61.227
104.21.1.91 - mailcious
95.214.24.96 - malware
37.230.138.123 - mailcious
37.230.138.66 - mailcious
52.219.170.30
23.160.193.16 - malware
|
5
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
15
http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/S2S/Disc/Disc.php
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/ip/check.php
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/ip/check.php
https://connectini.net/ip/check.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://connectini.net/Series/Conumer2kenpachi.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/publisher/1/KR.json
https://connectini.net/ip/check.php
https://connectini.net/ip/check.php
|
16.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 96 |
2022-12-02 10:58
|
 TUN.exe c4807ea6c4ee04746a88248c855cb71d
Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format MSOffice File GIF Format OS Processor Check .NET EXE DLL JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Tor Google ComputerName DNS crashed |
16
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://www.google.com/
https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/hand-h6vuy332pnrr8zq9.exe
https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=6 - rule_id: 7620
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/pub-nv5fyed7t8r9ykva.exe
https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/up-da-nv5fyed7t8r9ykva.exe
https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
46
stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud(151.115.10.1)
wewewe.s3.eu-central-1.amazonaws.com(52.219.72.188) - mailcious
www.google.com(142.250.76.132)
google.com(172.217.25.174)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(173.233.139.164) - mailcious
5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud(151.115.10.1)
apps.identrust.com(23.53.228.10)
202.124.241.201
199.250.214.152
95.214.53.210
207.32.181.122
3.5.136.176
104.74.168.254
190.228.29.114
121.254.136.27
186.202.127.56
184.168.97.42 - mailcious
142.250.207.78
61.111.58.34 - malware
177.11.54.131 - malware
151.115.10.1 - malware
195.219.57.43
104.21.73.149
217.70.178.4
52.73.17.211
85.13.163.220
93.186.117.3
154.35.175.225 - mailcious
23.216.159.81
80.237.132.210
178.63.41.183 - mailcious
37.230.138.123 - mailcious
142.93.169.197
142.251.220.4
81.2.195.201
70.39.146.5
192.243.59.12
51.68.204.139 - mailcious
107.180.41.158 - mailcious
162.241.24.197 - malware
43.250.140.44
64.13.192.154
37.230.138.66 - mailcious
178.20.55.16
|
12
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Observed DNS Query to .cloud TLD
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193
ET TOR Known Tor Exit Node Traffic group 25
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 793
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 650
|
|
15.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 97 |
2022-11-25 11:34
|
 Ins.exe a0c71ff42da76357bfb0a0ac582fbe51
Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check PNG Format JPEG Format .NET EXE MSOffice File GIF Format DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows Google ComputerName DNS crashed |
20
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.google.com/
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe
https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/santa/up-da-g4q95bujfkh38h5t.exe
https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW - rule_id: 7622
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=9 - rule_id: 7620
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622
https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/santa/hand-g4q95bujfkh38h5t.exe
https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/santa/pub-g4q95bujfkh38h5t.exe
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww - rule_id: 7622
https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_TraidingAnalyzerWW - rule_id: 7622
|
22
wewewe.s3.eu-central-1.amazonaws.com(52.219.170.6) - mailcious
www.google.com(142.250.207.100)
google.com(172.217.25.174)
germandrummertheaflorea.com(160.153.133.210) - malware
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(192.243.59.13) - mailcious
peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud(151.115.10.1)
apps.identrust.com(23.43.165.66)
grilloo.net(159.8.122.140)
182.162.106.32
52.219.75.232
95.214.24.96 - malware
216.58.200.238
142.250.66.132
192.243.59.20 - mailcious
151.115.10.1 - malware
159.8.122.140 - mailcious
160.153.133.210 - mailcious
37.230.138.123 - mailcious
23.43.165.66
37.230.138.66 - mailcious
|
5
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
13
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/publisher/1/KR.json
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/ip/check.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/S2S/Disc/Disc.php
https://connectini.net/ip/check.php
https://connectini.net/Series/Conumer2kenpachi.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/ip/check.php
https://connectini.net/ip/check.php
|
14.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 98 |
2022-11-22 10:23
|
 install1.exe e3c9d895497ffded48073eee0295bea4
Emotet NPKI Generic Malware Malicious Library UPX PE32 OS Processor Check PE File DLL CAB PE64 PNG Format VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder ComputerName crashed |
|
|
|
|
3.4 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 99 |
2022-11-19 09:55
|
 Bolt.exe e91e8a603108c29db5d1a1ba1c8123fd
Emotet RAT PWS .NET framework Gen1 Malicious Library UPX AntiDebug AntiVM PE32 PE File .NET EXE PNG Format MSOffice File DLL OS Processor Check JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Google ComputerName DNS |
15
http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/pub-dsynf65cgyy6b7uk.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/hand-dsynf65cgyy6b7uk.exe
http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/up-da-dsynf65cgyy6b7uk.exe
http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/samsung-carrers/poweroff.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.google.com/
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
18
wewewe.s3.eu-central-1.amazonaws.com(52.219.169.46) - mailcious
doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious
google.com(172.217.25.174)
www.google.com(142.250.76.132)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(192.243.61.227) - mailcious
apps.identrust.com(23.43.165.66)
gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud(151.115.10.1)
192.243.59.13
37.230.138.66 - mailcious
23.43.165.105
151.115.10.1 - malware
23.43.165.66
52.219.169.154
37.230.138.123 - mailcious
172.217.26.238 - mailcious
142.251.220.4
|
6
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
9
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/Series/publisher/1/KR.json
https://connectini.net/Series/kenpachi/2/goodchannel/
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/Conumer2kenpachi.php
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
10.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 100 |
2022-11-19 09:45
|
 Bolt2.exe 501c0b729f6ee275a7108f1a1f1396a2
Emotet RAT Gen1 Malicious Library UPX PE32 PE File DLL OS Processor Check PE64 VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee DNS crashed |
1
http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
|
3
160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud(151.115.10.1)
nova-brothers.s3.pl-waw.scw.cloud(151.115.10.1) - malware
151.115.10.1 - malware
|
4
ET INFO Observed DNS Query to .cloud TLD
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to Suspicious *.cloud Domain
|
|
4.2 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 101 |
2022-11-10 09:56
|
 Bolt.exe 0c51d5838eaa310b8d009ab265c1846e
Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format .NET EXE MSOffice File DLL OS Processor Check JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder human activity check Tofsee Windows Google ComputerName DNS crashed |
14
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe
http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.google.com/
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8 - rule_id: 7620
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
23
wewewe.s3.eu-central-1.amazonaws.com(52.219.72.172) - mailcious
nova-brothers.s3.pl-waw.scw.cloud(151.115.10.1) - malware
160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud(151.115.10.1)
google.com(142.250.76.142)
doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious
360devtracking.com(37.230.138.66) - mailcious
iplogger.org(148.251.234.83) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(192.243.61.227) - mailcious
apps.identrust.com(23.43.165.66)
www.google.com(142.250.76.132)
148.251.234.83
23.43.165.105
151.115.10.1 - malware
142.250.76.132
23.43.165.66
185.213.208.196
23.216.159.9
37.230.138.123 - mailcious
142.250.76.142 - mailcious
173.233.137.36
37.230.138.66 - mailcious
52.219.170.66
|
9
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
ET INFO TLS Handshake Failure
|
10
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/Series/publisher/1/KR.json
https://connectini.net/Series/kenpachi/2/goodchannel/
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/S2S/Disc/Disc.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/Conumer2kenpachi.php
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
12.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 102 |
2022-11-03 10:09
|
 Bolt.exe aa290cfe7546e91e88278a1c4b83440f
Emotet RAT PWS .NET framework Gen1 Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format JPEG Format MSOffice File .NET EXE DLL OS Processor Check PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Google ComputerName DNS crashed |
16
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-pub.exe
http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/ATP-VW/power-5033-off.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-hand.exe
http://www.google.com/
http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-upda.exe
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW - rule_id: 7622
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
21
wewewe.s3.eu-central-1.amazonaws.com(52.219.140.44) - mailcious
doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious
e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud(151.115.10.1)
google.com(142.250.206.206)
www.google.com(142.250.76.132)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(173.233.137.36) - mailcious
www.tattooyema.com(207.180.199.60) - malware
apps.identrust.com(23.59.72.17)
ert.eiwagggg.com(172.67.144.83) - malware
151.115.10.1 - malware
95.214.24.96 - malware
142.251.42.164
52.219.75.64
142.251.42.142
173.233.137.44
23.43.165.66
23.59.72.17
37.230.138.123
37.230.138.66 - mailcious
|
6
ET INFO Observed DNS Query to .cloud TLD
ET INFO HTTP Request to Suspicious *.cloud Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
10
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/ip/check.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/ip/check.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/Conumer2kenpachi.php
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
12.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 103 |
2022-10-30 10:48
|
 Bolt.exe 96ecd3b0e089a8953f2c94886388b0a6
Emotet RAT PWS .NET framework Gen1 Malicious Library UPX AntiDebug AntiVM PE32 PE File .NET EXE PNG Format MSOffice File DLL OS Processor Check JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder Windows ComputerName crashed |
10
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.google.com/
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
19
wewewe.s3.eu-central-1.amazonaws.com(52.219.169.122) - mailcious
www.google.com(142.250.76.132)
dotexe.s3.pl-waw.scw.cloud(151.115.10.1) - malware
google.com(142.250.206.206)
doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
www.profitabletrustednetwork.com(173.233.137.60) - mailcious
apps.identrust.com(23.53.228.9)
172.217.175.68
192.243.59.20 - mailcious
142.251.42.174
151.115.10.1 - malware
52.219.74.69
23.53.228.10
121.254.136.57
37.230.138.123
23.53.228.9
37.230.138.66 - mailcious
|
|
8
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/Conumer2kenpachi.php
https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
10.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 104 |
2022-10-18 17:15
|
 Bolt.exe c0b4de4f711b7c28369d7a4018f94759
Emotet njRAT RAT PWS .NET framework Gen1 Generic Malware UPX Malicious Library AntiDebug AntiVM PE32 PE File .NET EXE PNG Format JPEG Format MSOffice File DLL OS Processor Check PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder human activity check Windows ComputerName DNS crashed |
15
http://perona.s3.pl-waw.scw.cloud/sama/up-da-9438t9zexju.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
http://perona.s3.pl-waw.scw.cloud/sama/pub-x9438t9zexju.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://perona.s3.pl-waw.scw.cloud/sama/hand-x9438t9zexju.exe
http://perona.s3.pl-waw.scw.cloud/pub-oorder/poweroff.exe
http://www.google.com/
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://steweiii.s3.pl-waw.scw.cloud/widgets/powerOff.exe
https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
|
22
perona.s3.pl-waw.scw.cloud(151.115.10.1)
wewewe.s3.eu-central-1.amazonaws.com(52.219.140.4)
www.google.com(142.250.76.132)
google.com(142.250.76.142)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
a.dowgmea.com(172.67.210.101)
apps.identrust.com(96.16.99.73)
www.profitabletrustednetwork.com(192.243.61.227) - mailcious
ert.eiwagggg.com(104.21.63.82)
steweiii.s3.pl-waw.scw.cloud(151.115.10.1)
151.115.10.1 - malware
172.67.144.83
192.243.59.12
95.214.24.96 - malware
23.67.53.18
61.111.58.34 - malware
142.250.196.142
52.219.47.104
172.217.175.36
37.230.138.123
37.230.138.66 - mailcious
|
|
5
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://connectini.net/Series/Conumer4Publisher.php
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/Conumer2kenpachi.php
|
12.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 105 |
2022-09-17 14:39
|
 Bolt.exe ad8f55814ccaee68b12c96f1ccb8bb6a
Emotet RAT Gen1 njRAT UPX Malicious Library PE32 PE File DLL OS Processor Check .NET EXE PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS crashed |
2
http://load-data.s3.pl-waw.scw.cloud/pub-buckets/poweroff.exe
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
|
4
connectini.net(37.230.138.123) - mailcious
load-data.s3.pl-waw.scw.cloud(151.115.10.1)
151.115.10.1 - malware
37.230.138.123
|
4
ET INFO Observed DNS Query to .cloud TLD
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to Suspicious *.cloud Domain
ET POLICY PE EXE or DLL Windows file download HTTP
|
1
https://connectini.net/Series/SuperNitouDisc.php
|
6.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|