| # | Submitted | File | MD5 | Signatures | URLs | Hosts | IDS alerts | Dropped files | Score | M | Count | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 2025-04-14 09:57 | main.bat | 04653769c130f602a242fa9f8ef8ef0d | Generic Malware, Downloader, Antivirus, Create Service, Socket, DGA, Http API, ScreenShot, Escalate priviledges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key | (1) https://lumiraseo.com/download/payload.exe | | | | 3.4 | | 7 | ZeroCERT |
| 2 | 2025-04-11 23:19 | diff.bin | 4b5445a1b4ed5fe8c8b965cc2033ecf6 | AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName | | | | | 3.4 | | | guest |
| 3 | 2025-04-10 11:00 | exclusion.vbs | 5070287d3b01b1aff921d11c9be09b9c | Generic Malware, Antivirus, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, heapspray, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key | | | | | 6.4 | | 2 | ZeroCERT |
| 4 | 2025-04-10 10:56 | goodlogs.doc | 2ed4da2fd6fa4adb14bbc80738482f71 | MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Telegram, Malicious Traffic, exploit crash, unpack itself, IP Check, Tofsee, Windows, Exploit, DNS, DDNS, crashed, keylogger | (3) http://213.209.150.18/L67bqFnxPLWre36.exe; http://checkip.dyndns.org/; https://reallyfreegeoip.org/xml/121.133.128.1 | (7) checkip.dyndns.org(132.226.8.169); reallyfreegeoip.org(104.21.112.1); api.telegram.org(149.154.167.220) - mailcious; 104.21.112.1 - mailcious; 213.209.150.18 - mailcious; 158.101.44.242; 149.154.167.220 - mailcious | (15) ET DROP Spamhaus DROP Listed Traffic Inbound group 55; ET HUNTING Telegram API Domain in DNS Lookup; ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check; ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 5.0 | M | 30 | ZeroCERT |
| 5 | 2025-04-10 10:55 | ActDefender.vbs | cfb1eeccfbaf5dfcb2515ade0b9c9664 | Generic Malware, Antivirus, AntiDebug, AntiVM, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key | | | | | 6.8 | | 1 | ZeroCERT |
| 6 | 2025-04-09 20:47 | Win11_24H2_English_x64.iso.3af... | 96beac72b4b58aecf6ea792711e263fc | AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName | | | | | 3.4 | | | guest |
| 7 | 2025-04-09 16:50 | 2.wsf | 70e7a78686df6013aa8fabe63d2827b8 | Generic Malware, Antivirus, AntiDebug, AntiVM, PNG Format, MSOffice File, JPEG Format, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, RWX flags setting, unpack itself, Windows utilities, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, ComputerName, Cloudflare DNS, Cryptographic key | (7) https://toolkit-nokia-network-alert.trycloudflare.com/error_log.txt; https://toolkit-nokia-network-alert.trycloudflare.com/AutoRun.inf; https://toolkit-nokia-network-alert.trycloudflare.com/deci.zip; https://toolkit-nokia-network-alert.trycloudflare.com/; https://toolkit-nokia-network-alert.trycloudflare.com/b.txt - rule_id: 44968; https://numbers-queensland-rec-thumbs.trycloudflare.com/lo.bat; https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf | (6) www.healyconsultants.com(162.159.134.42); numbers-queensland-rec-thumbs.trycloudflare.com(104.16.231.132) - mailcious; toolkit-nokia-network-alert.trycloudflare.com(104.16.230.132) - malware; 162.159.134.42 - mailcious; 104.16.231.132 - malware; 104.16.230.132 - mailcious | (4) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com); ET HUNTING TryCloudFlare Domain in TLS SNI; ET INFO Observed trycloudflare .com Domain in TLS SNI | (1) https://toolkit-nokia-network-alert.trycloudflare.com/b.txt | 8.4 | M | 4 | ZeroCERT |
| 8 | 2025-04-09 10:25 | ori.js | 01e995c96291c13d4ec3a08ebcdca4f6 | AgentTesla, Hide_EXE, Malicious Library, Malicious Packer, UPX, PE File, OS Memory Check, .NET EXE, PE32, OS Processor Check, OS Name Check, Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, Tofsee, Windows, Gmail, Browser, Email, ComputerName, crashed, keylogger | | (2) smtp.gmail.com(142.251.8.108); 108.177.125.108 | (2) SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 10.0 | M | 30 | ZeroCERT |
| 9 | 2025-04-09 10:23 | mgh.js | 455952e05525f25fbe0c893828d2a29f | Suspicious_Script_Bin, Hide_EXE, PE File, PE32, Malware download, Wshrat, NetWireRC, VirusTotal, Malware, VBScript, AutoRuns, WMI, wscript.exe payload download, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, Windows, Houdini, ComputerName, Dropper | (1) http://lee44.kozow.com:6892/is-ready | (2) lee44.kozow.com(104.168.7.12); 104.168.7.12 | (4) ET INFO DYNAMIC_DNS Query to a *.kozow .com Domain; ET MALWARE WSHRAT CnC Checkin; ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1; ET INFO DYNAMIC_DNS HTTP Request to a *.kozow .com Domain | | 10.0 | | 22 | ZeroCERT |
| 10 | 2025-04-08 09:32 | 700815a50547b01b29cf3a1ca55d7a... | 33d5132d6c41b72b5faa7697a5e74e8e | AntiDebug, AntiVM, ftp, MSOffice File, Code Injection, RWX flags setting, unpack itself, Windows utilities, Tofsee, Windows | (1) http://cacerts.digicert.com/DigiCertGlobalRootG2.crt | (2) cacerts.digicert.com(23.36.55.181); 118.214.79.16 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 2.6 | | | ZeroCERT |
| 11 | 2025-04-08 09:30 | RE_018903890241.pdf.wsf | 4b97436ae2e59a3ec6cdd4cd3c4bd264 | Generic Malware, Antivirus, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, WMI, Creates shortcut, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cloudflare DNS, Cryptographic key | (1) https://carry-lately-hills-systematic.trycloudflare.com/klm.bat | (2) carry-lately-hills-systematic.trycloudflare.com(104.16.230.132) - mailcious; 104.16.231.132 - malware | (1) ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) | | 6.6 | | 4 | ZeroCERT |
| 12 | 2025-04-08 09:17 | Kaeder.chm | aa6bdcff75c2a7f82ffd2c6b53e2d5b3 | Suspicious_Script_Bin, AntiDebug, AntiVM, Code Injection, Check memory, crashed | | | | | 1.4 | M | | ZeroCERT |
| 13 | 2025-04-08 06:28 | sw.js | 6ac23e50b164eeb9e756aab24af8bb29 | crashed | | | | | 0.2 | | | guest |
| 14 | 2025-04-07 19:44 | cdcfe4d9-3401-f075-6f71-c7c897... | a92351d390f50abd23c09dc8e8a6f788 | AntiDebug, AntiVM, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName | | | | | 3.8 | | 1 | guest |
| 15 | 2025-04-04 10:00 | bloodengineer.bat | ae9cfe66056b85f360098a7fcb9bc238 | Generic Malware, Downloader, Antivirus, Create Service, Socket, DGA, Http API, ScreenShot, Escalate priviledges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key | (1) http://195.82.147.81/abacfa/032625-log/bloodengineer.zip | | | | 4.8 | M | 10 | ZeroCERT |