1
2023-10-11 07:57
sihost.exe 8d91ce7f3a66bcfda11e488cc34c698f Formbook UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor C FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
20
http://www.onlyleona.com/kniu/ - rule_id: 36720
http://www.palatepursuits.cfd/kniu/ - rule_id: 36726
http://www.onlyleona.com/kniu/?WwaYeLk_=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&154=h0P9RQvD - rule_id: 36720
http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
http://www.xxkxcfkujyeft.xyz/kniu/?WwaYeLk_=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&154=h0P9RQvD - rule_id: 36719
http://www.flyingfoxnb.com/kniu/?WwaYeLk_=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&154=h0P9RQvD - rule_id: 36725
http://www.palatepursuits.cfd/kniu/?WwaYeLk_=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&154=h0P9RQvD - rule_id: 36726
http://www.flyingfoxnb.com/kniu/ - rule_id: 36725
http://www.tsygy.com/kniu/?WwaYeLk_=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&154=h0P9RQvD - rule_id: 36721
http://www.theartboxslidell.com/kniu/ - rule_id: 36718
http://www.frefire.top/kniu/ - rule_id: 36723
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
http://www.theartboxslidell.com/kniu/?WwaYeLk_=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&154=h0P9RQvD - rule_id: 36718
http://23.95.106.3/350/122/Ekcflzifpij.mp3
http://www.poultry-symposium.com/kniu/?WwaYeLk_=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&154=h0P9RQvD - rule_id: 36722
http://www.frefire.top/kniu/?WwaYeLk_=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&154=h0P9RQvD - rule_id: 36723
http://www.poultry-symposium.com/kniu/ - rule_id: 36722
http://www.tsygy.com/kniu/ - rule_id: 36721
http://www.prosourcegraniteinc.com/kniu/?WwaYeLk_=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&154=h0P9RQvD - rule_id: 36717
24
www.palatepursuits.cfd(104.21.21.57) - mailcious
www.onlyleona.com(104.21.13.143) - mailcious
www.pengeloladata.click() - mailcious
www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
www.siteapp.fun() - mailcious
www.theartboxslidell.com(199.59.243.225) - mailcious
www.8956kjw1.com(103.71.154.243)
www.tsygy.com(23.104.137.185) - mailcious
www.frefire.top(67.223.117.37) - mailcious
www.poultry-symposium.com(85.128.134.237) - mailcious
www.flyingfoxnb.com(216.40.34.41) - mailcious
www.prosourcegraniteinc.com(216.239.36.21) - mailcious
216.239.38.21 - phishing
23.104.137.185 - mailcious
23.95.106.3 - mailcious
67.223.117.37 - mailcious
199.59.243.225
172.67.196.133 - mailcious
216.40.34.41 - mailcious
216.240.130.67 - mailcious
104.21.13.143
103.71.154.243
45.33.6.223
85.128.134.237 - mailcious
11
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
18
http://www.onlyleona.com/kniu/
http://www.palatepursuits.cfd/kniu/
http://www.onlyleona.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.flyingfoxnb.com/kniu/
http://www.palatepursuits.cfd/kniu/
http://www.flyingfoxnb.com/kniu/
http://www.tsygy.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.frefire.top/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.frefire.top/kniu/
http://www.poultry-symposium.com/kniu/
http://www.tsygy.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
11.4
M
40
ZeroCERT
2
2023-10-08 10:45
Lopbf.exe 5399d7a2060eca17c4c1648fd6b09505 UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key
2
http://23.95.106.3/102/process.exe
http://23.95.106.3/200/Adoaqyamhks.wav
1
1
ET INFO Executable Download from dotted-quad Host
6.4
50
ZeroCERT
3
2023-10-06 17:49
Tugksta.exe 1f4795e3a6a434601ec37a38ffc99ff5 Formbook UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
17
http://www.onlyleona.com/kniu/ - rule_id: 36720
http://www.frefire.top/kniu/?mc=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&1E=_Z4Fpo3srXsvqpV - rule_id: 36723
http://www.tsygy.com/kniu/?mc=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&1E=_Z4Fpo3srXsvqpV - rule_id: 36721
http://www.prosourcegraniteinc.com/kniu/?mc=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&1E=_Z4Fpo3srXsvqpV - rule_id: 36717
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip
http://www.poultry-symposium.com/kniu/?mc=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&1E=_Z4Fpo3srXsvqpV - rule_id: 36722
http://www.poultry-symposium.com/kniu/ - rule_id: 36722
http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
http://www.theartboxslidell.com/kniu/ - rule_id: 36718
http://www.frefire.top/kniu/ - rule_id: 36723
http://23.95.106.3/250/process.exe
http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
http://www.theartboxslidell.com/kniu/?mc=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&1E=_Z4Fpo3srXsvqpV - rule_id: 36718
http://www.xxkxcfkujyeft.xyz/kniu/?mc=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&1E=_Z4Fpo3srXsvqpV - rule_id: 36719
http://23.95.106.3/250/Aqjjqk.wav
http://www.tsygy.com/kniu/ - rule_id: 36721
http://www.onlyleona.com/kniu/?mc=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&1E=_Z4Fpo3srXsvqpV - rule_id: 36720
20
www.onlyleona.com(172.67.132.228) - mailcious
www.prosourcegraniteinc.com(216.239.36.21) - mailcious
www.pengeloladata.click() - mailcious
www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
www.frefire.top(67.223.117.37) - mailcious
www.8956kjw1.com(103.71.154.243)
www.tsygy.com(23.104.137.185) - mailcious
www.theartboxslidell.com(199.59.243.225) - mailcious
www.poultry-symposium.com(85.128.134.237) - mailcious
www.siteapp.fun() - mailcious
85.128.134.237 - mailcious
216.239.34.21 - mailcious
23.104.137.185 - mailcious
23.95.106.3 - mailcious
199.59.243.225
67.223.117.37 - mailcious
216.240.130.67 - mailcious
103.71.154.243
45.33.6.223
172.67.132.228 - mailcious
12
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (POST) M2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
SURICATA HTTP unable to match response to request
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
14
http://www.onlyleona.com/kniu/
http://www.frefire.top/kniu/
http://www.tsygy.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.theartboxslidell.com/kniu/
http://www.frefire.top/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.tsygy.com/kniu/
http://www.onlyleona.com/kniu/
11.2
M
35
ZeroCERT
4
2023-09-30 13:17
Wtwvjbwnht.exe ea462e6077aa3e3c7573dd51206c7e4e Formbook UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs suspicious TLD Windows DNS Cryptographic key
23
http://www.onlyleona.com/kniu/ - rule_id: 36720
http://192.3.179.157/690/TiWorkers.exe
http://192.3.179.157/zw/Zlonloydc.dat
http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
http://www.siteapp.fun/kniu/ - rule_id: 36724
http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
http://www.poultry-symposium.com/kniu/?-z0gsLA=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&ue-_=0C5fuT6rcako - rule_id: 36722
http://www.poultry-symposium.com/kniu/ - rule_id: 36722
http://www.theartboxslidell.com/kniu/ - rule_id: 36718
http://www.onlyleona.com/kniu/?-z0gsLA=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&ue-_=0C5fuT6rcako - rule_id: 36720
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
http://www.tsygy.com/kniu/ - rule_id: 36721
http://www.flyingfoxnb.com/kniu/?-z0gsLA=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&ue-_=0C5fuT6rcako - rule_id: 36725
http://www.tsygy.com/kniu/?-z0gsLA=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&ue-_=0C5fuT6rcako - rule_id: 36721
http://www.xxkxcfkujyeft.xyz/kniu/?-z0gsLA=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&ue-_=0C5fuT6rcako - rule_id: 36719
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.flyingfoxnb.com/kniu/ - rule_id: 36725
http://www.prosourcegraniteinc.com/kniu/?-z0gsLA=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&ue-_=0C5fuT6rcako - rule_id: 36717
http://www.palatepursuits.cfd/kniu/ - rule_id: 36726
http://www.siteapp.fun/kniu/?-z0gsLA=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&ue-_=0C5fuT6rcako - rule_id: 36724
http://www.theartboxslidell.com/kniu/?-z0gsLA=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&ue-_=0C5fuT6rcako - rule_id: 36718
http://www.frefire.top/kniu/ - rule_id: 36723
http://www.frefire.top/kniu/?-z0gsLA=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&ue-_=0C5fuT6rcako - rule_id: 36723
25
www.palatepursuits.cfd(104.21.21.57) - mailcious
www.onlyleona.com(104.21.13.143) - mailcious
www.prosourcegraniteinc.com(216.239.34.21) - mailcious
www.pengeloladata.click() - mailcious
www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
www.theartboxslidell.com(199.59.243.224) - mailcious
www.8956kjw1.com(103.71.154.243)
www.frefire.top(67.223.117.37) - mailcious
www.tsygy.com(23.104.137.185) - mailcious
www.poultry-symposium.com(85.128.134.237) - mailcious
www.flyingfoxnb.com(216.40.34.41) - mailcious
www.siteapp.fun(23.82.12.37) - mailcious
85.128.134.237 - mailcious
81.171.28.43
23.104.137.185 - mailcious
216.239.32.21 - mailcious
199.59.243.224 - mailcious
172.67.196.133 - mailcious
216.40.34.41 - mailcious
216.240.130.67 - mailcious
192.3.179.157 - mailcious
103.71.154.243
45.33.6.223
172.67.132.228 - mailcious
67.223.117.37 - mailcious
11
SURICATA HTTP unable to match response to request
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
19
http://www.onlyleona.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.siteapp.fun/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.onlyleona.com/kniu/
http://www.tsygy.com/kniu/
http://www.flyingfoxnb.com/kniu/
http://www.tsygy.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.flyingfoxnb.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.palatepursuits.cfd/kniu/
http://www.siteapp.fun/kniu/
http://www.theartboxslidell.com/kniu/
http://www.frefire.top/kniu/
http://www.frefire.top/kniu/
13.2
M
52
ZeroCERT
5
2023-09-20 18:04
Rzcjkedka.exe cd47b64e420b472464001891ff312ff6 AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
21
http://www.onlyleona.com/kniu/
http://www.tsygy.com/kniu/?j1=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&meUIyw=UGh-NJxfZ0
http://www.onlyleona.com/kniu/?j1=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&meUIyw=UGh-NJxfZ0
http://www.prosourcegraniteinc.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.poultry-symposium.com/kniu/?j1=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&meUIyw=UGh-NJxfZ0
http://www.frefire.top/kniu/?j1=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&meUIyw=UGh-NJxfZ0
http://www.poultry-symposium.com/kniu/
http://192.3.179.157/zs/Pkzvwkppdn.mp4
http://www.flyingfoxnb.com/kniu/
http://www.flyingfoxnb.com/kniu/?j1=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&meUIyw=UGh-NJxfZ0
http://www.theartboxslidell.com/kniu/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.frefire.top/kniu/
http://www.siteapp.fun/kniu/
http://www.prosourcegraniteinc.com/kniu/?j1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&meUIyw=UGh-NJxfZ0
http://www.xxkxcfkujyeft.xyz/kniu/?j1=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&meUIyw=UGh-NJxfZ0
http://www.theartboxslidell.com/kniu/?j1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&meUIyw=UGh-NJxfZ0
http://www.tsygy.com/kniu/
http://www.siteapp.fun/kniu/?j1=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&meUIyw=UGh-NJxfZ0
http://192.3.179.157/112/TiWorker.exe
23
www.onlyleona.com(104.21.13.143)
www.prosourcegraniteinc.com(216.239.36.21)
www.pengeloladata.click()
www.xxkxcfkujyeft.xyz(216.240.130.67)
www.theartboxslidell.com(199.59.243.224)
www.8956kjw1.com(103.71.154.244)
www.frefire.top(67.223.117.37)
www.tsygy.com(23.104.137.185) - mailcious
www.poultry-symposium.com(85.128.134.237)
www.flyingfoxnb.com(216.40.34.41)
www.siteapp.fun(23.82.12.35)
216.239.38.21 - phishing
81.171.28.43
23.104.137.185 - mailcious
199.59.243.224 - mailcious
67.223.117.37
216.40.34.41 - mailcious
216.240.130.67 - mailcious
192.3.179.157 - mailcious
103.71.154.244
45.33.6.223
172.67.132.228
85.128.134.237
11
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
10.8
M
17
ZeroCERT
6
2023-05-24 19:38
IE_CACHES.exe 0b7de5ae22b768e277f8d6be97291ce0 Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.8
M
27
ZeroCERT