91 |
2022-12-26 09:59
|
bd.exe afd26f223230ad20eb208dbaa0164e43 Generic Malware Themida Packer Malicious Library Anti_VM UPX PE32 PE File VirusTotal Malware Check memory unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Windows Firmware crashed |
|
|
|
|
6.6 | M | 45 | ZeroCERT
92 |
2022-12-19 10:03
|
FEejeARafe.exe bac43db85fb7279c44edb5dee47dcfeb Emotet Gen2 Gen1 Generic Malware Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File PNG Format JPEG Format MSOffice File DLL PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection Checks debugger buffers extracted WMI RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
apps.identrust.com(61.111.58.34) smashbrowser.com(172.67.192.61) 23.67.53.27 104.21.51.242 121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 | | 5 | ZeroCERT
93 |
2022-12-19 10:02
|
1.exe bac43db85fb7279c44edb5dee47dcfeb Emotet Gen2 Gen1 Generic Malware Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File PNG Format JPEG Format MSOffice File DLL PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection Checks debugger WMI RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
apps.identrust.com(61.111.58.35) smashbrowser.com(104.21.51.242) 23.67.53.27 172.67.192.61 121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 | | 5 | ZeroCERT
94 |
2022-12-12 09:48
|
CR3.exe 8a750de9841355fb6f01c923e71303ef Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format JPEG Format MSOffice File OS Processor Check GIF Format .NET EXE DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Google ComputerName DNS crashed |
19
http://apps.identrust.com/roots/dstrootcax3.p7c http://chainsaw-man.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://www.google.com/ https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=7 - rule_id: 7620 https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559 https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe - rule_id: 25016 https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe - rule_id: 25017 https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe - rule_id: 25018 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW - rule_id: 7622 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww - rule_id: 7622 https://droplex.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
22
wewewe.s3.eu-central-1.amazonaws.com(52.219.171.130) - mailcious www.google.com(142.250.207.100) google.com(172.217.25.174) 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(173.233.137.52) - mailcious iplogger.com(148.251.234.93) - mailcious apps.identrust.com(23.32.56.72) chainsaw-man.s3.pl-waw.scw.cloud(151.115.10.1) www.loransheart.com(23.160.193.16) droplex.s3.pl-waw.scw.cloud(151.115.10.1) - malware grilloo.net(159.8.122.140) 172.217.161.36 148.251.234.93 - mailcious 95.214.24.96 - malware 173.233.137.44 37.230.138.66 - mailcious 23.43.165.105 151.115.10.1 - malware 52.219.171.106 37.230.138.123 - mailcious 172.217.31.14
|
6
ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO TLS Handshake Failure ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
15
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/S2S/Disc/Disc.php https://connectini.net/Series/publisher/1/KR.json https://connectini.net/Series/SuperNitouDisc.php https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/ip/check.php https://connectini.net/ip/check.php https://connectini.net/Series/kenpachi/2/goodchannel/ https://connectini.net/Series/Conumer2kenpachi.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/ip/check.php
|
14.8 | M | 39 | ZeroCERT
95 |
2022-12-08 10:47
|
TUN3.exe f59160f8bf6d380cdecbd2db94c61deb Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check PNG Format JPEG Format .NET EXE MSOffice File GIF Format DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Google ComputerName DNS crashed |
21
http://apps.identrust.com/roots/dstrootcax3.p7c http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe - rule_id: 24496 http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://www.google.com/ https://connectini.net/S2S/Disc/Disc.php?ezok=pwoffch2&tesla=6 - rule_id: 7620 https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW - rule_id: 7622 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/pub-nv5fyed7t8r9ykva.exe https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/up-da-nv5fyed7t8r9ykva.exe https://droplex.s3.pl-waw.scw.cloud/hadhi_3icha/hand-h6vuy332pnrr8zq9.exe https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_PegasunWW - rule_id: 7622 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww - rule_id: 7622 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_Trustnero - rule_id: 7622
|
27
trustnero.com(104.21.1.91) - mailcious a.dowgmua.com(172.67.157.126) wewewe.s3.eu-central-1.amazonaws.com(3.5.139.163) - mailcious www.google.com(142.250.207.100) google.com(172.217.25.174) 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(173.233.137.52) - mailcious 5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud(151.115.10.1) apps.identrust.com(23.43.165.105) droplex.s3.pl-waw.scw.cloud(151.115.10.1) www.aculpainting.com(23.160.193.16) - malware 151.115.10.1 - malware 142.250.204.142 61.111.58.35 - malware 192.243.59.12 142.251.42.164 23.67.53.18 23.50.121.153 61.111.58.34 - malware 192.243.61.227 104.21.1.91 - mailcious 95.214.24.96 - malware 37.230.138.123 - mailcious 37.230.138.66 - mailcious 52.219.170.30 23.160.193.16 - malware
|
5
ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
15
http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/S2S/Disc/Disc.php https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/ip/check.php https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/ip/check.php https://connectini.net/ip/check.php https://connectini.net/Series/kenpachi/2/goodchannel/ https://connectini.net/Series/Conumer2kenpachi.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/Series/publisher/1/KR.json https://connectini.net/ip/check.php https://connectini.net/ip/check.php
|
16.0 | M | 34 | ZeroCERT
96 |
2022-12-02 10:58
|
TUN.exe c4807ea6c4ee04746a88248c855cb71d Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format MSOffice File GIF Format OS Processor Check .NET EXE DLL JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows Tor Google ComputerName DNS crashed |
16
http://apps.identrust.com/roots/dstrootcax3.p7c http://5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud/mix-carrers/poweroff.exe http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://www.google.com/ https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/hand-h6vuy332pnrr8zq9.exe https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559 https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=6 - rule_id: 7620 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/pub-nv5fyed7t8r9ykva.exe https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/peltor/up-da-nv5fyed7t8r9ykva.exe https://stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
46
stewei-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud(151.115.10.1) wewewe.s3.eu-central-1.amazonaws.com(52.219.72.188) - mailcious www.google.com(142.250.76.132) google.com(172.217.25.174) 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(173.233.139.164) - mailcious 5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud(151.115.10.1) apps.identrust.com(23.53.228.10) 202.124.241.201 199.250.214.152 95.214.53.210 207.32.181.122 3.5.136.176 104.74.168.254 190.228.29.114 121.254.136.27 186.202.127.56 184.168.97.42 - mailcious 142.250.207.78 61.111.58.34 - malware 177.11.54.131 - malware 151.115.10.1 - malware 195.219.57.43 104.21.73.149 217.70.178.4 52.73.17.211 85.13.163.220 93.186.117.3 154.35.175.225 - mailcious 23.216.159.81 80.237.132.210 178.63.41.183 - mailcious 37.230.138.123 - mailcious 142.93.169.197 142.251.220.4 81.2.195.201 70.39.146.5 192.243.59.12 51.68.204.139 - mailcious 107.180.41.158 - mailcious 162.241.24.197 - malware 43.250.140.44 64.13.192.154 37.230.138.66 - mailcious 178.20.55.16
|
12
ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Observed DNS Query to .cloud TLD ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193 ET TOR Known Tor Exit Node Traffic group 25 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238 ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 793 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 650
|
|
15.4 | M | 36 | ZeroCERT
97 |
2022-11-25 11:34
|
Ins.exe a0c71ff42da76357bfb0a0ac582fbe51 Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check PNG Format JPEG Format .NET EXE MSOffice File GIF Format DLL PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows Google ComputerName DNS crashed |
20
http://apps.identrust.com/roots/dstrootcax3.p7c http://www.google.com/ http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/costa-ins/poweroff.exe https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/santa/up-da-g4q95bujfkh38h5t.exe https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559 https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW - rule_id: 7622 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=9 - rule_id: 7620 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622 https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/santa/hand-g4q95bujfkh38h5t.exe https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/santa/pub-g4q95bujfkh38h5t.exe https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_file2Ww - rule_id: 7622 https://peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud/widgets/powerOff.exe https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_TraidingAnalyzerWW - rule_id: 7622
|
22
wewewe.s3.eu-central-1.amazonaws.com(52.219.170.6) - mailcious www.google.com(142.250.207.100) google.com(172.217.25.174) germandrummertheaflorea.com(160.153.133.210) - malware 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(192.243.59.13) - mailcious peter-3fc7-4f84-94a3-eddddaff3884.s3.pl-waw.scw.cloud(151.115.10.1) apps.identrust.com(23.43.165.66) grilloo.net(159.8.122.140) 182.162.106.32 52.219.75.232 95.214.24.96 - malware 216.58.200.238 142.250.66.132 192.243.59.20 - mailcious 151.115.10.1 - malware 159.8.122.140 - mailcious 160.153.133.210 - mailcious 37.230.138.123 - mailcious 23.43.165.66 37.230.138.66 - mailcious
|
5
ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
13
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/Series/publisher/1/KR.json https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/ip/check.php https://connectini.net/Series/kenpachi/2/goodchannel/ https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/S2S/Disc/Disc.php https://connectini.net/ip/check.php https://connectini.net/Series/Conumer2kenpachi.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/ip/check.php https://connectini.net/ip/check.php
|
14.2 | M | 31 | ZeroCERT
98 |
2022-11-22 10:23
|
install1.exe e3c9d895497ffded48073eee0295bea4 Emotet NPKI Generic Malware Malicious Library UPX PE32 OS Processor Check PE File DLL CAB PE64 PNG Format VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder ComputerName crashed |
|
|
|
|
3.4 | M | 3 | ZeroCERT
99 |
2022-11-19 09:55
|
Bolt.exe e91e8a603108c29db5d1a1ba1c8123fd Emotet RAT PWS .NET framework Gen1 Malicious Library UPX AntiDebug AntiVM PE32 PE File .NET EXE PNG Format MSOffice File DLL OS Processor Check JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Google ComputerName DNS |
15
http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/pub-dsynf65cgyy6b7uk.exe http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/hand-dsynf65cgyy6b7uk.exe http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/sata/up-da-dsynf65cgyy6b7uk.exe http://gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud/samsung-carrers/poweroff.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://www.google.com/ https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
18
wewewe.s3.eu-central-1.amazonaws.com(52.219.169.46) - mailcious doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious google.com(172.217.25.174) www.google.com(142.250.76.132) 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(192.243.61.227) - mailcious apps.identrust.com(23.43.165.66) gg90db2661-715df250cbed8bj4h8vwwr.s3.pl-waw.scw.cloud(151.115.10.1) 192.243.59.13 37.230.138.66 - mailcious 23.43.165.105 151.115.10.1 - malware 23.43.165.66 52.219.169.154 37.230.138.123 - mailcious 172.217.26.238 - mailcious 142.251.220.4
|
6
ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
9
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/Series/publisher/1/KR.json https://connectini.net/Series/kenpachi/2/goodchannel/ https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/Series/Conumer2kenpachi.php https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
10.0 | M | 25 | ZeroCERT
100 |
2022-11-19 09:45
|
Bolt2.exe 501c0b729f6ee275a7108f1a1f1396a2 Emotet RAT Gen1 Malicious Library UPX PE32 PE File DLL OS Processor Check PE64 VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee DNS crashed |
1
http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
|
3
160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud(151.115.10.1) nova-brothers.s3.pl-waw.scw.cloud(151.115.10.1) - malware 151.115.10.1 - malware
|
4
ET INFO Observed DNS Query to .cloud TLD ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO HTTP Request to Suspicious *.cloud Domain
|
|
4.2 | | 48 | ZeroCERT
101 |
2022-11-10 09:56
|
Bolt.exe 0c51d5838eaa310b8d009ab265c1846e Emotet RAT Gen1 PWS .NET framework Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format .NET EXE MSOffice File DLL OS Processor Check JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder human activity check Tofsee Windows Google ComputerName DNS crashed |
14
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://nova-brothers.s3.pl-waw.scw.cloud/four-spoon/hand-b135l0bjgejx.exe http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://www.google.com/ https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/Series/publisher/1/KR.json - rule_id: 23559 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/S2S/Disc/Disc.php?ezok=power2off2&tesla=8 - rule_id: 7620 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
23
wewewe.s3.eu-central-1.amazonaws.com(52.219.72.172) - mailcious nova-brothers.s3.pl-waw.scw.cloud(151.115.10.1) - malware 160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud(151.115.10.1) google.com(142.250.76.142) doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious 360devtracking.com(37.230.138.66) - mailcious iplogger.org(148.251.234.83) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(192.243.61.227) - mailcious apps.identrust.com(23.43.165.66) www.google.com(142.250.76.132) 148.251.234.83 23.43.165.105 151.115.10.1 - malware 142.250.76.132 23.43.165.66 185.213.208.196 23.216.159.9 37.230.138.123 - mailcious 142.250.76.142 - mailcious 173.233.137.36 37.230.138.66 - mailcious 52.219.170.66
|
9
ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check ET INFO TLS Handshake Failure
|
10
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/Series/publisher/1/KR.json https://connectini.net/Series/kenpachi/2/goodchannel/ https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/S2S/Disc/Disc.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/Series/Conumer2kenpachi.php https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
12.4 | M | 19 | ZeroCERT
102 |
2022-11-03 10:09
|
Bolt.exe aa290cfe7546e91e88278a1c4b83440f Emotet RAT PWS .NET framework Gen1 Malicious Library UPX AntiDebug AntiVM PE32 PE File PNG Format JPEG Format MSOffice File .NET EXE DLL OS Processor Check PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Google ComputerName DNS crashed |
16
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-pub.exe http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/ATP-VW/power-5033-off.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-hand.exe http://www.google.com/ http://e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud/Sony/1715bb57-upda.exe https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_MyFileWW - rule_id: 7622 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_mp3studioWW - rule_id: 7622 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
21
wewewe.s3.eu-central-1.amazonaws.com(52.219.140.44) - mailcious doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious e8ed9249-5033-4c8e-9aa2-82a1e867c268a.s3.pl-waw.scw.cloud(151.115.10.1) google.com(142.250.206.206) www.google.com(142.250.76.132) 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(173.233.137.36) - mailcious www.tattooyema.com(207.180.199.60) - malware apps.identrust.com(23.59.72.17) ert.eiwagggg.com(172.67.144.83) - malware 151.115.10.1 - malware 95.214.24.96 - malware 142.251.42.164 52.219.75.64 142.251.42.142 173.233.137.44 23.43.165.66 23.59.72.17 37.230.138.123 37.230.138.66 - mailcious
|
6
ET INFO Observed DNS Query to .cloud TLD ET INFO HTTP Request to Suspicious *.cloud Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
|
10
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/ip/check.php https://connectini.net/Series/kenpachi/2/goodchannel/ https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/ip/check.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/Series/Conumer2kenpachi.php https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
12.4 | M | 45 | ZeroCERT
103 |
2022-10-30 10:48
|
Bolt.exe 96ecd3b0e089a8953f2c94886388b0a6 Emotet RAT PWS .NET framework Gen1 Malicious Library UPX AntiDebug AntiVM PE32 PE File .NET EXE PNG Format MSOffice File DLL OS Processor Check JPEG Format PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder Windows ComputerName crashed |
10
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 http://apps.identrust.com/roots/dstrootcax3.p7c http://www.google.com/ https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972 https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976 https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973 https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974 https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe - rule_id: 23145
|
19
wewewe.s3.eu-central-1.amazonaws.com(52.219.169.122) - mailcious www.google.com(142.250.76.132) dotexe.s3.pl-waw.scw.cloud(151.115.10.1) - malware google.com(142.250.206.206) doll.s3.pl-waw.scw.cloud(151.115.10.1) - mailcious 360devtracking.com(37.230.138.66) - mailcious connectini.net(37.230.138.123) - mailcious www.profitabletrustednetwork.com(173.233.137.60) - mailcious apps.identrust.com(23.53.228.9) 172.217.175.68 192.243.59.20 - mailcious 142.251.42.174 151.115.10.1 - malware 52.219.74.69 23.53.228.10 121.254.136.57 37.230.138.123 23.53.228.9 37.230.138.66 - mailcious
|
|
8
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/Series/kenpachi/2/goodchannel/ https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/Series/Conumer2kenpachi.php https://doll.s3.pl-waw.scw.cloud/widgets/powerOff.exe
|
10.2 | M | 26 | ZeroCERT
104 |
2022-10-18 17:15
|
Bolt.exe c0b4de4f711b7c28369d7a4018f94759 Emotet njRAT RAT PWS .NET framework Gen1 Generic Malware UPX Malicious Library AntiDebug AntiVM PE32 PE File .NET EXE PNG Format JPEG Format MSOffice File DLL OS Processor Check PE64 VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder human activity check Windows ComputerName DNS crashed |
15
http://perona.s3.pl-waw.scw.cloud/sama/up-da-9438t9zexju.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
http://perona.s3.pl-waw.scw.cloud/sama/pub-x9438t9zexju.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://perona.s3.pl-waw.scw.cloud/sama/hand-x9438t9zexju.exe
http://perona.s3.pl-waw.scw.cloud/pub-oorder/poweroff.exe
http://www.google.com/
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/Conumer4Publisher.php - rule_id: 1976
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://steweiii.s3.pl-waw.scw.cloud/widgets/powerOff.exe
https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
|
22
perona.s3.pl-waw.scw.cloud(151.115.10.1)
wewewe.s3.eu-central-1.amazonaws.com(52.219.140.4)
www.google.com(142.250.76.132)
google.com(142.250.76.142)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
a.dowgmea.com(172.67.210.101)
apps.identrust.com(96.16.99.73)
www.profitabletrustednetwork.com(192.243.61.227) - mailcious
ert.eiwagggg.com(104.21.63.82)
steweiii.s3.pl-waw.scw.cloud(151.115.10.1)
151.115.10.1 - malware
172.67.144.83
192.243.59.12
95.214.24.96 - malware
23.67.53.18
61.111.58.34 - malware
142.250.196.142
52.219.47.104
172.217.175.36
37.230.138.123
37.230.138.66 - mailcious
|
|
5
https://connectini.net/Series/SuperNitouDisc.php https://connectini.net/Series/kenpachi/2/goodchannel/ https://connectini.net/Series/Conumer4Publisher.php https://connectini.net/Series/configPoduct/2/goodchannel.json https://connectini.net/Series/Conumer2kenpachi.php
|
12.2 | M | 38 | ZeroCERT
105 |
2022-09-17 14:39
|
Bolt.exe ad8f55814ccaee68b12c96f1ccb8bb6a Emotet RAT Gen1 njRAT UPX Malicious Library PE32 PE File DLL OS Processor Check .NET EXE PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS crashed |
2
http://load-data.s3.pl-waw.scw.cloud/pub-buckets/poweroff.exe https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
|
4
connectini.net(37.230.138.123) - mailcious load-data.s3.pl-waw.scw.cloud(151.115.10.1) 151.115.10.1 - malware 37.230.138.123
|
4
ET INFO Observed DNS Query to .cloud TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO HTTP Request to Suspicious *.cloud Domain ET POLICY PE EXE or DLL Windows file download HTTP
|
1
https://connectini.net/Series/SuperNitouDisc.php
|
6.2 | M | 20 | ZeroCERT