| 1 |
2023-07-25 07:36
|
 r8LO6JsBFr.exe 39bd04b9ae7385809776dc4bad0eb9ff
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Malware download AveMaria NetWireRC Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger |
|
2
patront.duckdns.org(85.208.139.45)
85.208.139.45
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2023-07-20 07:43
|
 lzoCW4lLiTNeo.exe bacd8202f058ddcc5fddf57f8fce99d8
Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
5
http://www.1xboro7.click/k2l0/?v2Jx4=gdIo5mM9lXBdi558t2eJ3ed4IEH2JjF3YUJjs/DuOxOlHAWx6kMfp5pai83Dg+nwI9+C5pp6&jJBP_F=PPJHa6cP0fV4ANB0
http://www.trwc.online/k2l0/?v2Jx4=TY0eLS25TbGWIPoAvIBkbiGMyWIlUL+junlCch65rY0chgQMasfhvMnMRaLp/GGSn7X9xMH4&jJBP_F=PPJHa6cP0fV4ANB0
http://www.getflooringservices.today/k2l0/?v2Jx4=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&jJBP_F=PPJHa6cP0fV4ANB0 - rule_id: 34670
http://www.ezkiosystem.com/k2l0/?v2Jx4=xqYImV8HKxPdTcT8y9GMwftV4Cj/nHOqtw0ItIHCgt3zlewQWki2gcTtgHbczwBAu8VEYRGB&jJBP_F=PPJHa6cP0fV4ANB0
http://www.mtproductions.xyz/k2l0/?v2Jx4=o2du+VOpfCxxrHF0jTeQdwEN/Nb3oP3iwGp0y37hEj8zJFJ0k0b8cpmxFrA37JuCeHQ21Z1q&jJBP_F=PPJHa6cP0fV4ANB0
|
10
www.mtproductions.xyz(103.138.151.78)
www.ezkiosystem.com(170.130.208.37)
www.getflooringservices.today(172.67.183.64) - mailcious
www.1xboro7.click(104.21.47.7)
www.trwc.online(162.0.238.217)
104.21.48.94
104.21.47.7
103.138.151.78
170.130.208.37
162.0.238.217
|
1
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
1
http://www.getflooringservices.today/k2l0/
|
4.6 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2023-07-18 18:25
|
 shedin2.1.exe 3237ac71bbc1b1153dda35c76e1b80b8
NSIS UPX Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.76) -
104.237.62.211 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2023-06-24 13:25
|
 festkon2.1.exe f14a6c2f0c53470577f1e3a66e34fe64
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
3
http://www.getflooringservices.today/k2l0/?RP=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&rXLpvR=P0D4a24
http://www.alltiett.net/k2l0/?RP=CLWhMEEH+TKpZCs82dDMH40MtEeqU8fVsX2BTRkbuaHTGaAdqzqBoXZ1eBBCJkRM4luJ5zo3&rXLpvR=P0D4a24
http://www.usdrub.com/k2l0/?RP=R+iha7GQYIR128qb/ePPYcj+8Pay4Nrp+ciVv5jeZEPMbb+7/2J83xwbNHNe0GBur2Js8QJC&rXLpvR=P0D4a24
|
7
www.alltiett.net(81.169.145.70)
www.capitalrepros.com()
www.usdrub.com(13.248.169.48)
www.getflooringservices.today(172.67.183.64)
81.169.145.70 - mailcious
104.21.48.94
13.248.169.48
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2023-05-06 12:03
|
 ostaj2.1.exe c544c36f9031c1c13c9444edc245f55f
NSIS UPX Malicious Library PE32 PE File DLL Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger |
|
2
jeron7.duckdns.org(212.8.244.201)
212.8.244.201 - mailcious
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
|
|
5.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2023-04-25 10:13
|
 shedume2.1.exe c2193488994db0c99893eb8d336874e3
NSIS UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
1
http://www.billydeluca.com/sd03/?jBZ4=bwn3WNXG1QkKkY/peZjHiiVfFEeZEuNxgxDQNfmA0NAm5QlqR0e5861NDsuhGMHW1ZdwAArQ&P0D=Abs0IXf
|
5
www.liberix.se()
www.lincornellah.africa()
www.copywriters.agency()
www.billydeluca.com(198.185.159.145)
198.49.23.144 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2023-04-22 08:45
|
 dcrossc.exe fcb1534a561fc1fe2954c00899e2815f
NSIS UPX Malicious Library Malicious Packer PE32 PE File OS Processor Check Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger |
|
2
avarian717.duckdns.org(193.56.29.183)
193.56.29.183
|
4
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
5.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2023-03-02 09:44
|
 ojekon2.1.exe 15ee8e51c501df2614eb8f81a4f5fde6
UPX Malicious Library PE32 PE File OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
4.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2023-02-16 10:32
|
 bokledge4.1.exe 500ce28cca98df7f3d40fa8f5e428598
Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
3
http://www.123findcapital.com/b07o/?r0=BQnnnzHQBKzmuzWUc1NmCI/zEoVgbKldG3lEFhDIxtN9pUoBFrHG6JYkbinJNYhAMboRWfOr&sZODHD=8pH8P6V
http://www.dccmovil.com/b07o/?r0=o6HXEdJl6/VPp8rWf7jQRIH4rS2B7wZBnAS41Nk2ga+LVrdEWYkuzCknyBgzWY5EcE0I5NHB&sZODHD=8pH8P6V
http://www.jcw-media.com/b07o/?r0=jaJOBLEmd5yxE98n7CSjpxqJgVtnhHa3aCWCYIkttjtkv6GZ+uhp6dkAW9oK9ZGeuV/IrL/Z&sZODHD=8pH8P6V
|
6
www.jcw-media.com(66.96.162.140)
www.123findcapital.com(3.33.152.147)
www.dccmovil.com(34.102.136.180)
34.102.136.180 - mailcious
66.96.162.140 - mailcious
3.33.152.147 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2023-02-15 18:17
|
 febono2.3.exe 4186ef2676e64436549e70dbb1210a8e
Malicious Library UPX PE32 PE File OS Processor Check Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS DDNS |
|
2
valentine23.duckdns.org(45.132.106.37)
45.132.106.37 - mailcious
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Possible NanoCore C2 60B
|
|
8.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|