1 |
2023-12-01 10:45
|
exedroidddcc.exe 5793a999d5a84a4f10801b2f00371533 PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName crashed |
|
|
|
|
9.4 |
M |
54 |
ZeroCERT
2 |
2023-08-25 18:20
|
NMK9938.exe c573e900611f78a87d128236180d56db Confuser .NET PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
|
1
|
|
|
5.0 |
M |
48 |
ZeroCERT
3 |
2023-08-24 18:11
|
wininit.exe 840006dac67d23b7725020c8441a6a4b Confuser .NET PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself DNS |
|
1
108.181.20.35 - malicious
|
|
|
6.4 |
M |
54 |
ZeroCERT
4 |
2023-08-24 07:41
|
wininit.exe 932b776b87e459c404ae7e9ca38a0c7e Formbook Confuser .NET AntiDebug AntiVM PE File .NET EXE PE32 Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself DNS |
17
http://www.yh66985.com/pta7/?2pp61=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&2b=YzwO5n4T_u4 - rule_id: 35249 http://www.playcups.life/pta7/?2pp61=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&2b=YzwO5n4T_u4 - rule_id: 35250 http://www.playcups.life/pta7/ - rule_id: 35250 http://www.acdaiucdac.com/pta7/?2pp61=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&2b=YzwO5n4T_u4 - rule_id: 35847 http://www.yh66985.com/pta7/ - rule_id: 35249 http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248 http://www.cosmicearthgoddess.com/pta7/?2pp61=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&2b=YzwO5n4T_u4 - rule_id: 35248 http://www.promptyum.com/pta7/?2pp61=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&2b=YzwO5n4T_u4 - rule_id: 35845 http://www.applechiofficial.com/pta7/ - rule_id: 35846 http://www.applechiofficial.com/pta7/?2pp61=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&2b=YzwO5n4T_u4 - rule_id: 35846 http://www.promptyum.com/pta7/ - rule_id: 35845 http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip http://www.selfstorage.koeln/pta7/?2pp61=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&2b=YzwO5n4T_u4 - rule_id: 35247 http://www.maytag36.com/pta7/ - rule_id: 35246 http://www.acdaiucdac.com/pta7/ - rule_id: 35847 http://www.maytag36.com/pta7/?2pp61=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&2b=YzwO5n4T_u4 - rule_id: 35246 http://www.selfstorage.koeln/pta7/ - rule_id: 35247
|
18
www.sisbom.online() - malicious www.acdaiucdac.com(165.140.70.70) - malicious www.cosmicearthgoddess.com(74.208.236.61) - malicious www.selfstorage.koeln(81.169.145.157) - malicious www.applechiofficial.com(217.144.104.212) - malicious www.promptyum.com(52.20.84.62) - malicious www.playcups.life(203.161.58.192) - malicious www.yh66985.com(154.215.247.58) - malicious www.maytag36.com(76.223.26.96) - malicious 165.140.70.70 - malicious 74.208.236.61 - malicious 52.20.84.62 - malicious 81.169.145.157 - malicious 154.215.247.58 - malicious 76.223.26.96 - malicious 217.144.104.212 - malicious 45.33.6.223 203.161.58.192 - malicious
|
2
ET INFO HTTP Request to Suspicious *.life Domain ET INFO Observed DNS Query to .life TLD
|
16
http://www.yh66985.com/pta7/ http://www.playcups.life/pta7/ http://www.playcups.life/pta7/ http://www.acdaiucdac.com/pta7/ http://www.yh66985.com/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.promptyum.com/pta7/ http://www.applechiofficial.com/pta7/ http://www.applechiofficial.com/pta7/ http://www.promptyum.com/pta7/ http://www.selfstorage.koeln/pta7/ http://www.maytag36.com/pta7/ http://www.acdaiucdac.com/pta7/ http://www.maytag36.com/pta7/ http://www.selfstorage.koeln/pta7/
|
8.8 |
M |
|
ZeroCERT
5 |
2023-08-16 07:36
|
wininit.exe 7f162aac8d8d2af6c52e87a85a1547e5 Formbook Confuser .NET AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
17
http://www.acdaiucdac.com/pta7/ - rule_id: 35847 http://www.playcups.life/pta7/ - rule_id: 35250 http://www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip http://www.promptyum.com/pta7/?3KQc7=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35845 http://www.yh66985.com/pta7/ - rule_id: 35249 http://www.acdaiucdac.com/pta7/?3KQc7=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35847 http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248 http://www.maytag36.com/pta7/?3KQc7=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35246 http://www.selfstorage.koeln/pta7/?3KQc7=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35247 http://www.applechiofficial.com/pta7/ - rule_id: 35846 http://www.applechiofficial.com/pta7/?3KQc7=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35846 http://www.promptyum.com/pta7/ - rule_id: 35845 http://www.maytag36.com/pta7/ - rule_id: 35246 http://www.playcups.life/pta7/?3KQc7=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35250 http://www.cosmicearthgoddess.com/pta7/?3KQc7=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35248 http://www.yh66985.com/pta7/?3KQc7=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&-XQ_Ia=PCu1nHmFlVYPOKh - rule_id: 35249 http://www.selfstorage.koeln/pta7/ - rule_id: 35247
|
18
www.acdaiucdac.com(165.140.70.70) - malicious www.sisbom.online() - malicious www.yh66985.com(154.215.247.58) - malicious www.applechiofficial.com(217.144.104.212) - malicious www.promptyum.com(52.20.84.62) - malicious www.playcups.life(203.161.58.192) - malicious www.cosmicearthgoddess.com(74.208.236.61) - malicious www.selfstorage.koeln(81.169.145.157) - malicious www.maytag36.com(76.223.26.96) - malicious 74.208.236.61 - malicious 165.140.70.70 - malicious 154.215.247.58 - malicious 52.20.84.62 - malicious 81.169.145.157 - malicious 13.248.148.254 - malicious 217.144.104.212 - malicious 45.33.6.223 203.161.58.192 - malicious
|
|
16
http://www.acdaiucdac.com/pta7/ http://www.playcups.life/pta7/ http://www.promptyum.com/pta7/ http://www.yh66985.com/pta7/ http://www.acdaiucdac.com/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.maytag36.com/pta7/ http://www.selfstorage.koeln/pta7/ http://www.applechiofficial.com/pta7/ http://www.applechiofficial.com/pta7/ http://www.promptyum.com/pta7/ http://www.maytag36.com/pta7/ http://www.playcups.life/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.yh66985.com/pta7/ http://www.selfstorage.koeln/pta7/
|
8.8 |
M |
26 |
ZeroCERT
6 |
2023-08-16 07:36
|
wininit.exe 64870ba5b0e92b05dc383959e02782ce Formbook Confuser .NET AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD |
22
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip http://www.cosmicearthgoddess.com/pta7/?aHip=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&15=_oc9 - rule_id: 35248 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip http://www.selfstorage.koeln/pta7/ - rule_id: 35247 http://www.selfstorage.koeln/pta7/?aHip=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&15=_oc9 - rule_id: 35247 http://www.promptyum.com/pta7/?aHip=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&15=_oc9 - rule_id: 35845 http://www.maytag36.com/pta7/?aHip=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&15=_oc9 - rule_id: 35246 http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248 http://www.playcups.life/pta7/?aHip=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&15=_oc9 - rule_id: 35250 http://www.promptyum.com/pta7/ - rule_id: 35845 http://www.acdaiucdac.com/pta7/?aHip=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&15=_oc9 - rule_id: 35847 http://www.playcups.life/pta7/ - rule_id: 35250 http://www.applechiofficial.com/pta7/ - rule_id: 35846 http://www.grmlfgsz.click/pta7/?aHip=ZUw0DE2tTfMrS/vGgTqiPtR9iLDJ7ITJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp68on4xa7Qrqk1k7DdBy37sJAI4o=&15=_oc9 - rule_id: 35857 http://www.grmlfgsz.click/pta7/ - rule_id: 35857 http://www.acdaiucdac.com/pta7/ - rule_id: 35847 http://www.yh66985.com/pta7/?aHip=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&15=_oc9 - rule_id: 35249 http://www.yh66985.com/pta7/ - rule_id: 35249 
http://www.workationdelsol.com/pta7/?aHip=KwcplsCPI1RgA9llBgRI7UZiW4SpOPY+6KzEsYVNfDztjut0HKme+ulBSzhiqB8GHLrJm3E5Mws5yZIdMQ67aG0FcK0zVEj9Psx/60M=&15=_oc9 - rule_id: 35856 http://www.applechiofficial.com/pta7/?aHip=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&15=_oc9 - rule_id: 35846 http://www.maytag36.com/pta7/ - rule_id: 35246 http://www.workationdelsol.com/pta7/ - rule_id: 35856
|
24
www.workationdelsol.com(81.169.145.159) - malicious www.applechiofficial.com(217.144.104.212) - malicious www.selfstorage.koeln(81.169.145.157) - malicious www.grmlfgsz.click(172.67.178.188) - malicious www.s7ve7.top(107.148.23.45) www.acdaiucdac.com(165.140.70.70) - malicious www.promptyum.com(52.20.84.62) - malicious www.yh66985.com(154.215.247.58) - malicious www.playcups.life(203.161.58.192) - malicious www.cosmicearthgoddess.com(74.208.236.61) - malicious www.maytag36.com(76.223.26.96) - malicious www.sisbom.online() - malicious 81.169.145.159 - malicious 107.148.23.45 172.67.178.188 74.208.236.61 - malicious 52.20.84.62 - malicious 81.169.145.157 - malicious 13.248.148.254 - malicious 203.161.58.192 - malicious 165.140.70.70 - malicious 217.144.104.212 - malicious 45.33.6.223 154.215.247.58 - malicious
|
|
20
http://www.cosmicearthgoddess.com/pta7/ http://www.selfstorage.koeln/pta7/ http://www.selfstorage.koeln/pta7/ http://www.promptyum.com/pta7/ http://www.maytag36.com/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.playcups.life/pta7/ http://www.promptyum.com/pta7/ http://www.acdaiucdac.com/pta7/ http://www.playcups.life/pta7/ http://www.applechiofficial.com/pta7/ http://www.grmlfgsz.click/pta7/ http://www.grmlfgsz.click/pta7/ http://www.acdaiucdac.com/pta7/ http://www.yh66985.com/pta7/ http://www.yh66985.com/pta7/ http://www.workationdelsol.com/pta7/ http://www.applechiofficial.com/pta7/ http://www.maytag36.com/pta7/ http://www.workationdelsol.com/pta7/
|
9.6 |
M |
48 |
ZeroCERT
7 |
2023-08-14 07:53
|
wininit.exe 1188a953c9f36b374ca3714c9de1763e Formbook Confuser .NET AntiDebug AntiVM .NET EXE PE File PE32 Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
21
http://www.applechiofficial.com/pta7/ http://www.grmlfgsz.click/pta7/?fnA=ZUw0DE2tTfMrS/vGgTqiPtR9iLDJ7ITJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp68on4xa7Qrqk1k7DdBy37sJAI4o=&kMqzI-=yuAc http://www.playcups.life/pta7/?fnA=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&kMqzI-=yuAc - rule_id: 35250 http://www.applechiofficial.com/pta7/?fnA=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&kMqzI-=yuAc http://www.playcups.life/pta7/ - rule_id: 35250 http://www.maytag36.com/pta7/?fnA=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&kMqzI-=yuAc - rule_id: 35246 http://www.selfstorage.koeln/pta7/ - rule_id: 35247 http://www.yh66985.com/pta7/ - rule_id: 35249 http://www.workationdelsol.com/pta7/?fnA=KwcplsCPI1RgA9llBgRI7UZiW4SpOPY+6KzEsYVNfDztjut0HKme+ulBSzhiqB8GHLrJm3E5Mws5yZIdMQ67aG0FcK0zVEj9Psx/60M=&kMqzI-=yuAc http://www.selfstorage.koeln/pta7/?fnA=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&kMqzI-=yuAc - rule_id: 35247 http://www.acdaiucdac.com/pta7/?fnA=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&kMqzI-=yuAc http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248 http://www.yh66985.com/pta7/?fnA=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&kMqzI-=yuAc - rule_id: 35249 http://www.promptyum.com/pta7/ http://www.promptyum.com/pta7/?fnA=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&kMqzI-=yuAc http://www.maytag36.com/pta7/ - rule_id: 35246 http://www.grmlfgsz.click/pta7/ http://www.cosmicearthgoddess.com/pta7/?fnA=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&kMqzI-=yuAc - rule_id: 35248 
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip http://www.acdaiucdac.com/pta7/ http://www.workationdelsol.com/pta7/
|
22
www.sisbom.online() - malicious www.acdaiucdac.com(165.140.70.70) www.cosmicearthgoddess.com(74.208.236.61) - malicious www.selfstorage.koeln(81.169.145.157) - malicious www.applechiofficial.com(217.144.104.212) - malicious www.grmlfgsz.click(172.67.178.188) www.promptyum.com(52.20.84.62) - malicious www.workationdelsol.com(81.169.145.159) www.playcups.life(203.161.58.192) - malicious www.yh66985.com(154.215.247.58) - malicious www.maytag36.com(76.223.26.96) - malicious 74.208.236.61 - malicious 81.169.145.159 - malicious 165.140.70.70 154.215.247.58 - malicious 52.20.84.62 - malicious 81.169.145.157 - malicious 203.161.58.192 - malicious 217.144.104.212 - malicious 45.33.6.223 104.21.75.162 13.248.148.254 - malicious
|
|
10
http://www.playcups.life/pta7/ http://www.playcups.life/pta7/ http://www.maytag36.com/pta7/ http://www.selfstorage.koeln/pta7/ http://www.yh66985.com/pta7/ http://www.selfstorage.koeln/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.yh66985.com/pta7/ http://www.maytag36.com/pta7/ http://www.cosmicearthgoddess.com/pta7/
|
7.8 |
M |
|
ZeroCERT
8 |
2023-08-14 07:47
|
wininit.exe cb38f35ebcddff1cb735acad8b65096e Formbook Confuser .NET AntiDebug AntiVM .NET EXE PE File PE32 Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
17
http://www.playcups.life/pta7/ - rule_id: 35250 http://www.promptyum.com/pta7/?C_EPEnQ=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&De=i55vP4VghF6t http://www.applechiofficial.com/pta7/?C_EPEnQ=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&De=i55vP4VghF6t http://www.acdaiucdac.com/pta7/?C_EPEnQ=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&De=i55vP4VghF6t http://www.yh66985.com/pta7/ - rule_id: 35249 http://www.maytag36.com/pta7/?C_EPEnQ=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&De=i55vP4VghF6t - rule_id: 35246 http://www.applechiofficial.com/pta7/ http://www.yh66985.com/pta7/?C_EPEnQ=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&De=i55vP4VghF6t - rule_id: 35249 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248 http://www.cosmicearthgoddess.com/pta7/?C_EPEnQ=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&De=i55vP4VghF6t - rule_id: 35248 http://www.promptyum.com/pta7/ http://www.selfstorage.koeln/pta7/?C_EPEnQ=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&De=i55vP4VghF6t - rule_id: 35247 http://www.maytag36.com/pta7/ - rule_id: 35246 http://www.acdaiucdac.com/pta7/ http://www.playcups.life/pta7/?C_EPEnQ=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&De=i55vP4VghF6t - rule_id: 35250 http://www.selfstorage.koeln/pta7/ - rule_id: 35247
|
18
www.acdaiucdac.com(165.140.70.70) www.sisbom.online() - malicious www.yh66985.com(154.215.247.58) - malicious www.applechiofficial.com(217.144.104.212) - malicious www.promptyum.com(52.20.84.62) - malicious www.playcups.life(203.161.58.192) - malicious www.cosmicearthgoddess.com(74.208.236.61) - malicious www.selfstorage.koeln(81.169.145.157) - malicious www.maytag36.com(76.223.26.96) - malicious 74.208.236.61 - malicious 165.140.70.70 154.215.247.58 - malicious 52.20.84.62 - malicious 81.169.145.157 - malicious 13.248.148.254 - malicious 217.144.104.212 - malicious 45.33.6.223 203.161.58.192 - malicious
|
|
10
http://www.playcups.life/pta7/ http://www.yh66985.com/pta7/ http://www.maytag36.com/pta7/ http://www.yh66985.com/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.cosmicearthgoddess.com/pta7/ http://www.selfstorage.koeln/pta7/ http://www.maytag36.com/pta7/ http://www.playcups.life/pta7/ http://www.selfstorage.koeln/pta7/
|
7.8 |
M |
|
ZeroCERT
9 |
2023-07-28 10:26
|
secbobbyzx.exe b05e3ab4699177f4dcad8e34ceda8efb Confuser .NET .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
transfer.sh(144.76.136.153) - malware 121.254.136.27 144.76.136.153 - malicious
|
5
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
|
|
3.4 |
M |
27 |
ZeroCERT
10 |
2023-06-03 17:27
|
H2.exe 200f70cceffbcc69815d125f1ca40fd8 AgentTesla RAT browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate privileges KeyLogger AntiDebug AntiVM PE64 PE File Remcos VirusTotal Malware PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) pekonomia.duckdns.org(185.225.74.112) - malicious 178.237.33.50 185.225.74.112 - malicious
|
3
ET JA3 Hash - Remcos 3.x TLS Connection ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
8.6 |
M |
37 |
ZeroCERT
11 |
2023-06-02 11:12
|
R.exe 75e536684503b069e3f8782abee90845 RAT Confuser .NET AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS |
11
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip http://www.bluhenhalfte.xyz/p9ao/?seGgFJ=vRFPeW+a5eWj78d95ZChSzUnWBErJOu6BL+rqrQuXzoLgBIyf+8wG4E0yzEkSL259muf+heCu3SYFxv43Rue+P6JisHwLR8+s0aKyro=&6v=LtYV7f8p2kiE http://www.windmarkdijital.xyz/p9ao/?seGgFJ=+bmephAqYj2sPehVYG+6vylNZ9xTD57k0www/64WlyporzTS/DQK9Cj9E45l2PnpvASrzBKQ+MTFYh98/e7cSFktWy6uJymQpJPkUO8=&6v=LtYV7f8p2kiE http://www.windmarkdijital.xyz/p9ao/ http://www.g2g2sport.xyz/p9ao/?seGgFJ=XT67LxJVileSUZubvPnUPegaTgZ/6jQtKal3VjDKoEwa5II03LuvqSNChaRu2iUoBEt/Y1rs6QWzksNnW/YxdPu4ukuWTQMQOAWrwp4=&6v=LtYV7f8p2kiE http://www.g2g2sport.xyz/p9ao/ http://www.suzheng22.top/p9ao/ http://www.solarwachstum.com/p9ao/ http://www.bluhenhalfte.xyz/p9ao/ http://www.suzheng22.top/p9ao/?seGgFJ=UF1gbyBA2KpG8m0Rm9ehbXR0zJmaFb1dyUpi9VFZIpYgOTVtiTl0F+cTQPY8C/xJkCHyK8gaxezu3hN4hseR4mpCn7WT9y60MQraZ8Q=&6v=LtYV7f8p2kiE http://www.solarwachstum.com/p9ao/?seGgFJ=CRBGmlvLKSdWYJTLFdYUqNcl5XacT7p2l/bsj7rBz10wHnkWrMrpIEuQZVcc3zXzkIzXuCRWtiUMrr5dZy1sHRpRgJUYDyiz+Rr4X1g=&6v=LtYV7f8p2kiE
|
11
www.bluhenhalfte.xyz(109.123.121.243) www.suzheng22.top(172.67.162.131) www.solarwachstum.com(89.31.143.1) www.g2g2sport.xyz(198.54.117.211) www.windmarkdijital.xyz(85.159.66.93) 109.123.121.243 - malicious 85.159.66.93 - malicious 89.31.143.1 - malicious 198.54.117.212 - malicious 104.21.42.144 45.33.6.223
|
6
ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
8.6 |
M |
20 |
ZeroCERT
12 |
2023-06-02 11:11
|
D.exe 7233778f2b64f9e0cf54a3a15ff91bb2 RAT Confuser .NET AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS |
19
http://www.tarolstroy.store/6huu/?OqPR=En7LCrBqRDvhnDHpczrHWaIedYbeAgZr6OxVyCrdWihd6XEAizhpO0j/kkT3E0Ail4lmu+00ROJTwCbrXgrUq/0FdQ7yD2DHgTmcEH4=&Yln=M4DXTK1SNj http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip http://www.0096061.com/6huu/ http://www.14zhibo.work/6huu/ http://www.kp69f.top/6huu/ http://www.terrenoscampestres.com/6huu/?OqPR=vPEZFS80w83TR1ISai5AEG4cZjK/Z0sPVYJxvP0qkrafDKWjEP7E989Tf/65iA6Wv6B2G+FeAz/F94bTMl2+G2T5U6uSTMLdr8gHGso=&Yln=M4DXTK1SNj http://www.lancele.com/6huu/ http://www.ticimmo.com/6huu/ http://www.lancele.com/6huu/?OqPR=lkPChsOgbmG6IllhHTLtf7ULj1acQ37do+96zoOFU1wEZ7Q3pDLdySJi8tX/LksgKKJ2zleSV8oD4OY5SI7MA2q2BuCSDDIq7z8yKSo=&Yln=M4DXTK1SNj http://www.14zhibo.work/6huu/?OqPR=DY82kxx300f8Ik70WvLdREOGU4sx5WmLPZ3/q1TGOtAA9/Gzsd9nceuxwkKKmb1RPsemirf5O/kWho3f6FGpO5KONInBcJ6F+ssJurA=&Yln=M4DXTK1SNj http://www.0096061.com/6huu/?OqPR=cmX/07TqI3ZVBqSk8R867+hdp8bVOoL06AzKIpvdRFeyAj6hvaaJUHhkQ/toAIcVWWdRQEgjpGpGrDxsMG4sQneWN+dP3qrEhepv/3Q=&Yln=M4DXTK1SNj http://www.solarwachstum.com/6huu/?OqPR=w02mQAblJWbyIo6ozgnxrIUPRxqR4gn//aKR4b4C2qQSYqcw3Vi29oLFIvtOIeXnZF+XC4+RsLS3HuGm7zRt9dlAuIsc4gbzWXQ9ldM=&Yln=M4DXTK1SNj http://www.tarolstroy.store/6huu/ http://www.terrenoscampestres.com/6huu/ http://www.kp69f.top/6huu/?OqPR=c/0CEmjcp1qhbjrBdr7qFpTEdTMNmdGL+2G3nk26J8C5sXkvdYxGabdoDx2ERzE1q79WMkYCDIvd6DDSGqF5RzVKrD1kqEcaGqxbLU4=&Yln=M4DXTK1SNj http://www.ticimmo.com/6huu/?OqPR=TigSyFlwP0RNpBbhC/rdMwC8b/Qg/Ivp2etxz330Y/wAN2mEJT4yMf4cHTRgrqo8FsDkyKZ/RDxnb9SkkKZ8CLMuGFsv81COs/EjZGo=&Yln=M4DXTK1SNj http://www.qfx88.com/6huu/ http://www.qfx88.com/6huu/?OqPR=ai4Hj7VNL/eal8v50vngd1esaVL80O28AVhmObBuZqCvkNevFGLtvLG4llGxYwRMqic01nY12J0ERo7jbuO1GzAlXIwPB2kWrkts/2A=&Yln=M4DXTK1SNj http://www.solarwachstum.com/6huu/
|
19
www.tarolstroy.store(91.106.207.17) www.14zhibo.work(43.154.196.178) www.kp69f.top(34.149.198.43) www.solarwachstum.com(89.31.143.1) www.ticimmo.com(217.26.48.101) www.qfx88.com(120.48.139.92) www.terrenoscampestres.com(109.106.251.102) www.lancele.com(38.239.160.233) www.0096061.com(154.55.172.139) 43.154.196.178 - malicious 38.239.160.233 154.55.172.139 109.106.251.102 120.48.139.92 89.31.143.1 - malicious 217.26.48.101 - malicious 45.33.6.223 34.120.55.112 91.106.207.17 - malware
|
6
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to Suspicious *.work Domain ET INFO HTTP Request to a *.top domain ET INFO Observed DNS Query to .work TLD ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers
|
|
8.6 |
M |
24 |
ZeroCERT
13 |
2023-06-02 09:23
|
Nano.exe cc23b614fd8b8174dabacc2c124742ca RAT Confuser .NET DNS AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS |
|
3
ezemnia3.ddns.net(197.210.227.232) 91.193.75.178 197.210.227.232
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
13.0 |
M |
25 |
ZeroCERT
14 |
2022-09-02 09:41
|
QQBVBZCHGJHSF.exe 9e22324dca3d7fa3b6295977c8e98a96 PWS[m] RAT SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
11.2 |
M |
40 |
ZeroCERT
15 |
2022-08-27 19:01
|
vbc.exe 20008556b4dc2db9e96a78cc2422b98b PWS[m] RAT SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
mboxhosting.com(185.176.40.12) 185.176.40.12
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
25 |
ZeroCERT