1 | 2023-07-25 07:36
Sample: r8LO6JsBFr.exe (MD5 39bd04b9ae7385809776dc4bad0eb9ff)
Tags: NSIS, UPX, Malicious Library, PE File, PE32, OS Processor Check, DLL, Malware download, AveMaria, NetWireRC, Malware, AutoRuns, MachineGuid, Check memory, Creates executable files, unpack itself, AppData folder, Windows, RAT, ComputerName, DNS, DDNS, keylogger
Hosts (2): patront.duckdns.org(85.208.139.45) 85.208.139.45
Signatures (4): ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound); ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
Score: 4.2
Source: ZeroCERT

2 | 2023-07-20 07:43
Sample: lzoCW4lLiTNeo.exe (MD5 bacd8202f058ddcc5fddf57f8fce99d8)
Tags: Formbook, NSIS, UPX, Malicious Library, PE File, PE32, OS Processor Check, DLL, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
Hosts (10): www.mtproductions.xyz(103.138.151.78) www.ezkiosystem.com(170.130.208.37) www.getflooringservices.today(172.67.183.64) - malicious www.1xboro7.click(104.21.47.7) www.trwc.online(162.0.238.217) 104.21.48.94 104.21.47.7 103.138.151.78 170.130.208.37 162.0.238.217
Signatures (1): ET HUNTING Request to .XYZ Domain with Minimal Headers
URL (1): http://www.getflooringservices.today/k2l0/
Score: 4.6 | M | 42
Source: ZeroCERT

3 | 2023-07-18 18:25
Sample: shedin2.1.exe (MD5 3237ac71bbc1b1153dda35c76e1b80b8)
Tags: NSIS, UPX, Malicious Library, PE File, PE32, DLL, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Windows, Browser, Email, ComputerName, Cryptographic key, Software crashed, keylogger
Hosts (2): api.ipify.org(173.231.16.76) 104.237.62.211
Signatures (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.2 | 42
Source: ZeroCERT

4 | 2023-06-24 13:25
Sample: festkon2.1.exe (MD5 f14a6c2f0c53470577f1e3a66e34fe64)
Tags: NSIS, UPX, Malicious Library, PE File, PE32, OS Processor Check, DLL, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
Hosts (7): www.alltiett.net(81.169.145.70) www.capitalrepros.com() www.usdrub.com(13.248.169.48) www.getflooringservices.today(172.67.183.64) 81.169.145.70 - malicious 104.21.48.94 13.248.169.48
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Score: 4.6 | M | 46
Source: ZeroCERT

5 | 2023-05-06 12:03
Sample: ostaj2.1.exe (MD5 c544c36f9031c1c13c9444edc245f55f)
Tags: NSIS, UPX, Malicious Library, PE32, PE File, DLL, Malware download, AveMaria, NetWireRC, VirusTotal, Malware, AutoRuns, MachineGuid, Check memory, Creates executable files, unpack itself, AppData folder, Windows, RAT, ComputerName, DNS, DDNS, keylogger
Hosts (2): jeron7.duckdns.org(212.8.244.201) 212.8.244.201 - malicious
Signatures (4): ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound); ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
Score: 5.4 | M | 41
Source: ZeroCERT

6 | 2023-04-25 10:13
Sample: shedume2.1.exe (MD5 c2193488994db0c99893eb8d336874e3)
Tags: NSIS, UPX, Malicious Library, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself
URLs (1): http://www.billydeluca.com/sd03/?jBZ4=bwn3WNXG1QkKkY/peZjHiiVfFEeZEuNxgxDQNfmA0NAm5QlqR0e5861NDsuhGMHW1ZdwAArQ&P0D=Abs0IXf
Hosts (5): www.liberix.se() www.lincornellah.africa() www.copywriters.agency() www.billydeluca.com(198.185.159.145) 198.49.23.144 - malicious
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Score: 4.2 | M | 41
Source: ZeroCERT

7 | 2023-04-22 08:45
Sample: dcrossc.exe (MD5 fcb1534a561fc1fe2954c00899e2815f)
Tags: NSIS, UPX, Malicious Library, Malicious Packer, PE32, PE File, OS Processor Check, Malware download, AveMaria, NetWireRC, VirusTotal, Malware, AutoRuns, MachineGuid, Check memory, Creates executable files, unpack itself, AppData folder, Windows, RAT, ComputerName, DNS, DDNS, keylogger
Hosts (2): avarian717.duckdns.org(193.56.29.183) 193.56.29.183
Signatures (4): ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound); ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin; ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 5.6 | M | 37
Source: ZeroCERT

8 | 2023-03-02 09:44
Sample: ojekon2.1.exe (MD5 15ee8e51c501df2614eb8f81a4f5fde6)
Tags: UPX, Malicious Library, PE32, PE File, OS Processor Check, VirusTotal, Malware, AutoRuns, Check memory, Creates executable files, unpack itself, AppData folder, Windows, crashed
Score: 4.4 | M | 34
Source: ZeroCERT

9 | 2023-02-16 10:32
Sample: bokledge4.1.exe (MD5 500ce28cca98df7f3d40fa8f5e428598)
Tags: Malicious Library, UPX, PE32, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself
Hosts (6): www.jcw-media.com(66.96.162.140) www.123findcapital.com(3.33.152.147) www.dccmovil.com(34.102.136.180) 34.102.136.180 - malicious 66.96.162.140 - malicious 3.33.152.147 - malicious
Signatures (1): ET MALWARE FormBook CnC Checkin (GET)
Score: 4.0 | M | 34
Source: ZeroCERT

10 | 2023-02-15 18:17
Sample: febono2.3.exe (MD5 4186ef2676e64436549e70dbb1210a8e)
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, Malware download, Nanocore, VirusTotal, Malware, c&c, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, AppData folder, human activity check, Windows, ComputerName, DNS, DDNS
Hosts (2): valentine23.duckdns.org(45.132.106.37) 45.132.106.37 - malicious
Signatures (3): ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE Possible NanoCore C2 60B
Score: 8.8 | M | 23
Source: ZeroCERT