| 1 |
2024-05-24 07:50
|
 ChromeSetup.exe fe2f9e211bfaf529c92bc28cb847da46
Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS |
4
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd
|
28
edgedl.me.gvt1.com(34.104.35.123)
dns.google(8.8.4.4)
www.google.com(172.217.25.164)
www.gstatic.com(172.217.25.163)
play.google.com(142.250.207.110)
r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
clients2.googleusercontent.com(172.217.161.225)
accounts.google.com(64.233.188.84)
_googlecast._tcp.local()
apis.google.com(172.217.161.238)
clientservices.googleapis.com(142.250.206.195)
108.177.125.84
172.217.25.170 - malware
211.114.64.12
172.217.27.36
142.250.206.234 - malware
142.250.204.110
142.250.76.131
172.217.161.225 - mailcious
45.33.6.223
216.58.200.228
34.104.35.123
142.250.76.142 - mailcious
142.251.222.195
172.217.24.78
172.217.24.97
172.217.27.46
172.217.25.174 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
|
|
7.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2024-04-08 18:28
|
 c32setup.exe 67fbec9b6576f967be0c088b209232e7
UPX PE64 PE File OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2024-04-08 18:28
|
 Rokzl.exe d43f2191937f519e0ab6f9c60649c37c
.NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2024-04-08 18:28
|
 tfr.exe ad429013c23fece896d44024860b06b8
UPX PE64 PE File OS Processor Check VirusTotal Malware |
|
|
|
|
1.2 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2024-02-08 08:02
|
 RUN.exe 1b8ceba270bcec714babe5a0862ef028
Generic Malware Admin Tool (Sysinternals etc ...) UPX Antivirus PE32 PE File PowerShell Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://193.233.132.186/a/a.png
|
1
193.233.132.186 - malware
|
1
ET HUNTING EXE Base64 Encoded potential malware
|
|
8.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2023-11-03 15:54
|
 1.exe 1819332f150048eed72a2d891390dad1
Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS |
4
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
https://update.googleapis.com/service/update2?cup2key=12:fiH-rpFmRD_9K6RrmjLJh__4TUMN6H9j0EsLvPpPbKw&cup2hreq=d0876e1be58e78f6be4d5e4f2cb7dd29f25148548a5a47d58e905d10712788fc
https://update.googleapis.com/service/update2
|
27
edgedl.me.gvt1.com(34.104.35.123)
dns.google(8.8.4.4)
www.google.com(142.250.76.132)
www.gstatic.com(142.250.206.227)
r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
clients2.googleusercontent.com(142.250.206.225)
accounts.google.com(142.250.206.205)
_googlecast._tcp.local()
apis.google.com(142.250.206.238)
clientservices.googleapis.com(142.251.42.195)
142.250.207.65
216.58.203.78
211.114.64.12
172.217.175.227
142.250.204.131
142.250.206.225 - mailcious
142.250.204.110
142.250.199.68
142.250.66.99
34.104.35.123
216.58.200.227
142.250.76.138 - phishing
142.250.76.142 - mailcious
172.217.161.202 - malware
142.250.199.77
142.250.199.67
172.217.25.174 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
|
|
8.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2023-10-19 10:21
|
 EngineChromium.exe 2f943946efaa3e446ee3cbd43a540f5b
Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces |
|
|
|
|
3.0 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2023-10-19 09:58
|
 EngineChromium.exe 2f943946efaa3e446ee3cbd43a540f5b
Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB crashed |
|
|
|
|
1.6 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2023-10-17 16:40
|
 Ermnnolfu.exe 7ba214f8174004943d83942dda0f9731
Downloader UPX PWS KeyLogger Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential Sniff Audio HTTP DNS Code injection Internet API FTP P2P AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
|
4
www.pubgh4cks.com(190.123.45.218)
x1.i.lencr.org(104.76.70.102)
190.123.45.218
104.76.70.102
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2023-05-06 12:18
|
 file.exe 0e4e3cdacfbe29fdc3e189e52ee8228e
Emotet RAT Themida Packer EnigmaProtector Generic Malware Malicious Packer Antivirus Anti_VM .NET EXE PE32 PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Tofsee Ransomware Windows ComputerName Remote Code Execution DNS Cryptographic key crashed CoinMiner |
6
http://62.204.41.23/o.png
http://62.204.41.23/file.png
http://62.204.41.23/r.png
http://62.204.41.23/OneDrive.png
http://62.204.41.23/dllhost.png
http://62.204.41.23/lsass.png
|
5
maper.info(148.251.234.93)
pool.hashvault.pro(142.202.242.45) - mailcious
148.251.234.93 - mailcious
62.204.41.23 - malware
125.253.92.50
|
11
ET DROP Dshield Block Listed Source group 1
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING [TW] Likely Hex Executable String
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET POLICY Cryptocurrency Miner Checkin
ET POLICY IP Logger Redirect Domain in SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
20.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2023-02-09 10:49
|
 f6ad5fe2-5c5e-4386-bdad-f48d7d... 8868eb2d40741375ce60fc710b00d3bd
Emotet Gen2 Generic Malware Malicious Library UPX Malicious Packer PE32 OS Processor Check PE File DLL PE64 Malware PDB Check memory Creates executable files Ransomware Remote Code Execution crashed |
|
|
|
|
2.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2023-01-26 10:50
|
 Installer1.exe e43bd6491d398710f23436f2cd3bd073
Emotet UPX PE File PE64 VirusTotal Malware Checks debugger Detects VMWare VMware Windows ComputerName crashed |
|
|
|
|
3.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2022-11-19 09:43
|
 vbc.exe a5d90c7d3e393ee48132480fca1532cf
AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key keylogger |
|
1
107.174.202.148 - mailcious
|
|
|
13.2 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2022-11-09 09:47
|
 vbc.exe 7a5019bfbddc908dd05ce3293cd616d0
AgentTesla PWS[m] RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Remcos VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger |
1
http://geoplugin.net/json.gp
|
3
geoplugin.net(178.237.33.50)
178.237.33.50
107.174.202.148 - mailcious
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
12.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2022-11-03 10:14
|
 vbc.exe 2584c82f01d79e34c4eb4a44d58029aa
AgentTesla PWS[m] Emotet RAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS Internet API Sniff Audio KeyLogger Escalate priviledges AntiDebug AntiVM PE32 .NET EXE PE File Remcos VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger |
1
http://geoplugin.net/json.gp
|
3
geoplugin.net(178.237.33.50)
178.237.33.50
107.174.202.148
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
13.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|