1 |
2024-05-24 07:50
ChromeSetup.exe fe2f9e211bfaf529c92bc28cb847da46 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS |
4
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd
28
edgedl.me.gvt1.com(34.104.35.123) dns.google(8.8.4.4) www.google.com(172.217.25.164) www.gstatic.com(172.217.25.163) play.google.com(142.250.207.110) r1---sn-3u-bh2ss.gvt1.com(211.114.64.12) clients2.googleusercontent.com(172.217.161.225) accounts.google.com(64.233.188.84) _googlecast._tcp.local() apis.google.com(172.217.161.238) clientservices.googleapis.com(142.250.206.195) 108.177.125.84 172.217.25.170 - malware 211.114.64.12 172.217.27.36 142.250.206.234 - malware 142.250.204.110 142.250.76.131 172.217.161.225 - mailcious 45.33.6.223 216.58.200.228 34.104.35.123 142.250.76.142 - mailcious 142.251.222.195 172.217.24.78 172.217.24.97 172.217.27.46 172.217.25.174 - mailcious
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
7.6 |
M |
ZeroCERT
2 |
2024-04-08 18:28
c32setup.exe 67fbec9b6576f967be0c088b209232e7 UPX PE64 PE File OS Processor Check VirusTotal Malware |
1.0 |
M |
38 |
ZeroCERT
3 |
2024-04-08 18:28
Rokzl.exe d43f2191937f519e0ab6f9c60649c37c .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware |
1.0 |
M |
37 |
ZeroCERT
4 |
2024-04-08 18:28
tfr.exe ad429013c23fece896d44024860b06b8 UPX PE64 PE File OS Processor Check VirusTotal Malware |
1.2 |
M |
44 |
ZeroCERT
5 |
2024-02-08 08:02
RUN.exe 1b8ceba270bcec714babe5a0862ef028 Generic Malware Admin Tool (Sysinternals etc ...) UPX Antivirus PE32 PE File PowerShell Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://193.233.132.186/a/a.png
1
193.233.132.186 - malware
1
ET HUNTING EXE Base64 Encoded potential malware
8.2 |
M |
ZeroCERT
6 |
2023-11-03 15:54
1.exe 1819332f150048eed72a2d891390dad1 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS |
4
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3 http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe https://update.googleapis.com/service/update2?cup2key=12:fiH-rpFmRD_9K6RrmjLJh__4TUMN6H9j0EsLvPpPbKw&cup2hreq=d0876e1be58e78f6be4d5e4f2cb7dd29f25148548a5a47d58e905d10712788fc https://update.googleapis.com/service/update2
27
edgedl.me.gvt1.com(34.104.35.123) dns.google(8.8.4.4) www.google.com(142.250.76.132) www.gstatic.com(142.250.206.227) r1---sn-3u-bh2ss.gvt1.com(211.114.64.12) clients2.googleusercontent.com(142.250.206.225) accounts.google.com(142.250.206.205) _googlecast._tcp.local() apis.google.com(142.250.206.238) clientservices.googleapis.com(142.251.42.195) 142.250.207.65 216.58.203.78 211.114.64.12 172.217.175.227 142.250.204.131 142.250.206.225 - mailcious 142.250.204.110 142.250.199.68 142.250.66.99 34.104.35.123 216.58.200.227 142.250.76.138 - phishing 142.250.76.142 - mailcious 172.217.161.202 - malware 142.250.199.77 142.250.199.67 172.217.25.174 - mailcious
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
8.4 |
ZeroCERT
7 |
2023-10-19 10:21
EngineChromium.exe 2f943946efaa3e446ee3cbd43a540f5b Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces |
3.0 |
31 |
ZeroCERT
8 |
2023-10-19 09:58
EngineChromium.exe 2f943946efaa3e446ee3cbd43a540f5b Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB crashed |
1.6 |
30 |
ZeroCERT
9 |
2023-10-17 16:40
Ermnnolfu.exe 7ba214f8174004943d83942dda0f9731 Downloader UPX PWS KeyLogger Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential Sniff Audio HTTP DNS Code injection Internet API FTP P2P AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
4
www.pubgh4cks.com(190.123.45.218) x1.i.lencr.org(104.76.70.102) 190.123.45.218 104.76.70.102
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.4 |
48 |
ZeroCERT
10 |
2023-05-06 12:18
file.exe 0e4e3cdacfbe29fdc3e189e52ee8228e Emotet RAT Themida Packer EnigmaProtector Generic Malware Malicious Packer Antivirus Anti_VM .NET EXE PE32 PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Tofsee Ransomware Windows ComputerName Remote Code Execution DNS Cryptographic key crashed CoinMiner |
6
http://62.204.41.23/o.png
http://62.204.41.23/file.png
http://62.204.41.23/r.png
http://62.204.41.23/OneDrive.png
http://62.204.41.23/dllhost.png
http://62.204.41.23/lsass.png
5
maper.info(148.251.234.93)
pool.hashvault.pro(142.202.242.45) - mailcious 148.251.234.93 - mailcious
62.204.41.23 - malware
125.253.92.50
11
ET DROP Dshield Block Listed Source group 1 ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING [TW] Likely Hex Executable String ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET POLICY Cryptocurrency Miner Checkin ET POLICY IP Logger Redirect Domain in SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
20.4 |
M |
29 |
ZeroCERT
11 |
2023-02-09 10:49
f6ad5fe2-5c5e-4386-bdad-f48d7d... 8868eb2d40741375ce60fc710b00d3bd Emotet Gen2 Generic Malware Malicious Library UPX Malicious Packer PE32 OS Processor Check PE File DLL PE64 Malware PDB Check memory Creates executable files Ransomware Remote Code Execution crashed |
2.8 |
guest
12 |
2023-01-26 10:50
Installer1.exe e43bd6491d398710f23436f2cd3bd073 Emotet UPX PE File PE64 VirusTotal Malware Checks debugger Detects VMWare VMware Windows ComputerName crashed |
3.2 |
M |
21 |
ZeroCERT
13 |
2022-11-19 09:43
vbc.exe a5d90c7d3e393ee48132480fca1532cf AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key keylogger |
1
107.174.202.148 - mailcious
13.2 |
27 |
ZeroCERT
14 |
2022-11-09 09:47
vbc.exe 7a5019bfbddc908dd05ce3293cd616d0 AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Remcos VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger |
1
http://geoplugin.net/json.gp
3
geoplugin.net(178.237.33.50) 178.237.33.50 107.174.202.148 - mailcious
1
ET JA3 Hash - Remcos 3.x TLS Connection
12.6 |
M |
25 |
ZeroCERT
15 |
2022-11-03 10:14
vbc.exe 2584c82f01d79e34c4eb4a44d58029aa AgentTesla PWS[m] Emotet RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Remcos VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger |
1
http://geoplugin.net/json.gp
3
geoplugin.net(178.237.33.50) 178.237.33.50 107.174.202.148
1
ET JA3 Hash - Remcos 3.x TLS Connection
13.0 |
M |
41 |
ZeroCERT