1 | 2022-11-02 16:58
CVBCVBVCBVCBD.exe | 9c35652428e65743f62c64ef9f438720
Tags: RAT Generic Malware task schedule Antivirus AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinasea.duckdns.org(173.234.105.145) - mailcious | 173.234.105.145
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
13.2 | M | 23 | ZeroCERT
2 | 2022-11-02 16:45
VCXVNCXMCXGJJGDF.exe | a24100782a9e93d92d074ccab972bd18
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File Malware download AveMaria NetWireRC VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process Windows RAT ComputerName DNS Cryptographic key
Hosts (3): 45.137.22.236 | 51.75.209.245 - mailcious | 23.207.99.220
IDS alerts (2): ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
11.2 | M | 45 | ZeroCERT
3 | 2022-11-02 16:45
BCBCBDHDHD.exe | 8509fc852d545aabe120f411ec8f8edb
Tags: AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Remcos VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key keylogger
URLs (1): http://geoplugin.net/json.gp
Hosts (3): geoplugin.net(178.237.33.50) | 178.237.33.50 | 51.75.209.245 - mailcious
IDS alerts (1): ET JA3 Hash - Remcos 3.x TLS Connection
13.8 | M | 32 | ZeroCERT
4 | 2022-11-02 16:45
eurob.exe | 3dd5e211cb02f98fe31c6dd83685d464
Tags: AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File MSOffice File PNG Format JPEG Remcos VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting exploit crash unpack itself Windows utilities suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed keylogger
URLs (2):
http://geoplugin.net/json.gp
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0
Hosts (5): geoplugin.net(178.237.33.50) | learn.microsoft.com(104.76.76.50) | 45.137.22.236 | 178.237.33.50 | 104.71.174.10
IDS alerts (4): ET JA3 Hash - Remcos 3.x TLS Connection | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure | SURICATA HTTP unable to match response to request
15.8 | M | 35 | ZeroCERT
5 | 2022-10-28 17:39
BGHkKHH.exe | 3d9cdfc20871dffc0c7df185982f5990
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus Socket DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinagov.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
14.0 | M | 44 | ZeroCERT
6 | 2022-10-28 17:29
VXCVNCXVJGKKFD.exe | 23d5f75391136c6e3fafc24f60c257c1
Tags: AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus ScreenShot Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware powershell Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Email ComputerName Cryptographic key
URLs (1): http://geoplugin.net/json.gp
Hosts (4): geoplugin.net(178.237.33.50) | top.thekillforabuse1.xyz(195.178.120.12) | 178.237.33.50 | 195.178.120.12
IDS alerts (1): ET JA3 Hash - Remcos 3.x TLS Connection
14.6 | M | 28 | ZeroCERT
7 | 2022-10-28 17:26
NMXCJKHKDFDF.exe | 12eb96cc98bb2088519e0e38316e8c8f
Tags: AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Remcos VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process Windows ComputerName DNS Cryptographic key keylogger
URLs (1): http://geoplugin.net/json.gp
Hosts (3): geoplugin.net(178.237.33.50) | 178.237.33.50 | 51.75.209.245
IDS alerts (1): ET JA3 Hash - Remcos 3.x TLS Connection
12.4 | M | 45 | ZeroCERT
8 | 2022-10-28 17:24
HDFFHXGHFHHFJHHJ.exe | b70cce7e2c30571192e316924ad76214
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key DDNS crashed
Hosts (2): chinagov.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.8 | M | 45 | ZeroCERT
9 | 2022-10-28 17:22
VMNCXJFDJK.exe | 3b19dd4d3625af420864de2a700468d5
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus Socket DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinagov.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.8 | M | 35 | ZeroCERT
10 | 2022-10-28 17:21
BHGgTtTtgtG.exe | 7512087827c35d33ff03468850968b0e
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus Socket DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process malicious URLs Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinagov.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.0 | M | 27 | ZeroCERT
11 | 2022-10-28 17:17
BCDGFJFJGHKJK.exe | ee17a84bf597ef822d3264bf3b8c30c9
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus DGA Socket DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinagov.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
13.0 | M | 45 | ZeroCERT
12 | 2022-10-28 17:15
DFGHHDJFDDFDFJDJ.exe | 50807a033f29ce6ea0e822a4f0b4e60f
Tags: RAT Generic Malware task schedule Antivirus AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinasea.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
11.8 | M | 35 | ZeroCERT
13 | 2022-10-28 17:14
HFMN,N,JGHJH.exe | d52446f23b3f32482c2f9463e73a2e9c
Tags: RAT AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed
URLs (18):
http://www.markasch.info/ehib/?wP9=g1Fhxv0LjrAYf/5tD7RYP/NJ9dzU/hsnkyTjxx+OO1oDl/521sMsdmGCgXkYvgDBgT7bhJQ6LjbYMY49wNTJuQF0p6lMJMaLjfDDUBw=&lZQ=7nbHudZPJ
http://www.kongjian666.vip/ehib/
http://www.loovalue.best/ehib/?wP9=RycohF4F6oG+gMUGC54V6/u8ENwlqc6M56KiVL3mQwFho8ThhIYV5JUKmFTGFVRoprvq3QsRl+Y7WaLHzElPoT9m8NcpZfu2nXpbJYs=&lZQ=7nbHudZPJ
http://www.ortaklarpetshop.com/ehib/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.akssbci.org/ehib/
http://www.rufrufsports.com/ehib/
http://www.ortaklarpetshop.com/ehib/?wP9=Hh5HXXKwt0YubAZdSLpclkjlMLkqkG6dO9N2tjGaevHhyH5nXu/MYgPz83LKE0UAC/CHmEdAz94SpQnrCUmYZ+fPOnZs5c0lH9qebN4=&lZQ=7nbHudZPJ
http://www.markasch.info/ehib/
http://www.tuvi.asia/ehib/
http://www.tuvi.asia/ehib/?wP9=vDy28c4A8yAPWILIwETUBA8z4sSN+xPOf98zzSHrFftS0HVhLhVW05NgRwAUMsFJmtYUq5pwW+jkvdeGPEtln/T+SXrsR6l7/O/LehQ=&lZQ=7nbHudZPJ
http://www.voltagemarkets.com/ehib/?wP9=XJpTmlLi75mbesb6UMM709BMF4uB3tA26VeV0lE7KXzGe592FYcu9Z4nzQqkQBXdql5WG1sgCQuimp5bg3aF5HfZK6rARIqxckrn9zE=&lZQ=7nbHudZPJ
http://www.akssbci.org/ehib/?wP9=THbiExPBObb3BT0tV1vyVOsW1kcYooexWq0IanMH3HjZ6WK0/dCyj/wkkpPahFBbtvE8TtEVfSa/kQmulJOZfrTVnUMiafggIo7B9Aw=&lZQ=7nbHudZPJ
http://www.voltagemarkets.com/ehib/
http://www.e-lists.live/ehib/
http://www.kongjian666.vip/ehib/?wP9=EGBXbKIab5YOU/V9/BufR3qH771T8wM/sUCcyaxVFwsi26+Hq4LI8Ocu47lfwy04MSIb2vW+Rf3GwyUKqu4diU99hVzqma+UC+obGvA=&lZQ=7nbHudZPJ
http://www.rufrufsports.com/ehib/?wP9=zdFT4tuQ5YyrzftWQUVlaQe/fgkbQ+VJNQUs/x3rQTxasad4oZ0LmUlI08FAZ/n4+LvWqS7kZ4lsU/EJqvo4vcJIzSdnQAYzadnado4=&lZQ=7nbHudZPJ
http://www.e-lists.live/ehib/?wP9=zCnh2pwYjwTnHjHRvt/xYecBL0syfpl9qYRvxvvPfQ5o4nyhC1RahtSA0piBVGNLE4YTFq/w2UbXST9jywIgvtJSOuj4IhQbA+6LlVg=&lZQ=7nbHudZPJ
Hosts (22): www.ortaklarpetshop.com(104.247.161.194) | www.tuvi.asia(103.28.36.200) | www.loovalue.best(152.89.236.110) | www.voltagemarkets.com(35.214.196.81) | www.markasch.info(63.250.44.241) - mailcious | www.ooddreamsso.online(91.205.173.118) | www.akssbci.org(208.91.197.27) | www.e-lists.live(185.180.199.136) | www.kongjian666.vip(35.190.62.175) | www.sqlite.org(45.33.6.223) | www.rufrufsports.com(72.167.68.137) | 185.180.199.136 | 72.167.68.137 | 35.190.62.175 | 63.250.44.241 - mailcious | 35.214.196.81 | 208.91.197.27 - mailcious | 152.89.236.110 | 104.247.161.194 | 45.33.6.223 | 103.28.36.200 - mailcious | 91.205.173.118
IDS alerts (2): ET MALWARE FormBook CnC Checkin (GET) | ET INFO HTTP Request to a *.asia domain
10.2 | M | 39 | ZeroCERT
14 | 2022-10-28 17:13
MNZCVNCJKG.exe | 04a33f596eca01055852772a327659a3
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process sandbox evasion WriteConsoleW Windows Browser ComputerName DNS Cryptographic key DDNS crashed
Hosts (2): rippeymp811.ddns.net(3.19.76.205) | 3.19.76.205
IDS alerts (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
13.4 | M | 28 | ZeroCERT
15 | 2022-10-28 17:11
HHkPoJhH.exe | 8f89c4cd81384874cea3378488944245
Tags: PWS[m] RAT email stealer Generic Malware Downloader Antivirus Socket DNS Code injection KeyLogger Escalate priviledges persistence AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process malicious URLs Windows ComputerName DNS Cryptographic key DDNS
Hosts (2): chinagov.duckdns.org(198.20.177.169) - mailcious | 198.20.177.169 - mailcious
IDS alerts (1): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.4 | M | 48 | ZeroCERT