1 | 2024-07-15 09:38 | Milieuskadeligst.exe | 99af50ba5059f85a1c8bd15ecf23fb3b | Malicious Library PE File PE64 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself | | | | | 2.6 | M | 50 | ZeroCERT
2 | 2024-06-07 09:37 | Tlcf4ubbOhvrFYkon.exe | 9c4b350eb7315c2f6f4b2eb64bccd918 | Formbook Malicious Library AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process Windows DNS Cryptographic key crashed | 6: http://www.caxars.store/muti/ http://www.eshopkhaliji.store/muti/?8p=PenW7MtlXSrvxOPA1PJj8U2jUUvXlhwVh1FpwKQCNXiCStQ1MIBfQTqa3m2cpudHTvQpU++Q&4h=vTxdQD-PSRspeX7&sql=1 http://www.eshopkhaliji.store/muti/ http://www.shopadamsstore.com/muti/?8p=rUMPbDi9V+hLkBWFtVE1y7T4O5kE79Gi8Nwpb3xjlkSgEF4tpwDWlQ4hDt2c39K6jtdDQHz5&4h=vTxdQD-PSRspeX7&sql=1 http://www.caxars.store/muti/?8p=vAkEv8VlD6HvoJ7OTZ3UyhPmsIwewVN5MI8wV+ea/g1itgmvOaYSZ0nMfK3GudfMXpkuz2fr&4h=vTxdQD-PSRspeX7&sql=1 http://www.shopadamsstore.com/muti/ | 8: www.caxars.store(91.184.0.200) www.eshopkhaliji.store(158.176.194.183) www.shopadamsstore.com(23.227.38.74) www.kampspacex.com() 45.33.6.223 23.227.38.74 - mailcious 141.125.157.19 91.184.0.200 - mailcious | 2: ET MALWARE FormBook CnC Checkin (GET) ET MALWARE FormBook CnC Checkin (POST) M2 | | 10.8 | M | 43 | ZeroCERT
3 | 2024-03-28 07:54 | 6nSkW0jqkE1okon.exe | 5d76a9e3a1948a1307330e52cfefd7bb | AgentTesla UPX PWS SMTP KeyLogger AntiDebug AntiVM PE64 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger | 1 | 2: api.ipify.org(172.67.74.152) 104.26.13.205 | 3: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 13.0 | M | 33 | ZeroCERT
4 | 2023-11-27 09:39 | balotek2.1.exe | cf52e32f7257ad06e9436c2090585f55 | NSIS Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg | 8: www.office-honu.com(163.44.185.180) www.studio352events.com(208.91.197.132) www.earthdatascape.com(62.149.128.45) www.merelweb.com(172.67.158.89) 163.44.185.180 104.21.82.142 208.91.197.132 - mailcious 62.149.128.45 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 4.2 | M | 48 | ZeroCERT
5 | 2023-11-26 13:41 | macindas2.1.exe | 84682f07f2f1698e49b6a29573c5679d | NSIS Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.salvanandcie.com/tb8i/?-ZeTi6B=UMOMUPRltOuIOavlOV9TAbzOI3NyPSxU0IiF98vYZIoJYysmNQovnALCNihIDsZ76SkBnDz1&2d=lnxh http://www.tron-pk.xyz/tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh http://www.texwwfrx.com/tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh http://www.free-indeed.faith/tb8i/?-ZeTi6B=mjsfGumS0MCj+go/ckdO0h+daXKQjTCMjol4fCy+GQ9z9EIRohWOFaX9TAL/50qANRa4gnnD&2d=lnxh | 9: www.rykuruh.cfd() - mailcious www.salvanandcie.com(34.149.87.45) www.free-indeed.faith(91.195.240.19) www.tron-pk.xyz(172.67.152.75) www.texwwfrx.com(104.21.88.236) 91.195.240.19 - mailcious 104.21.32.135 - mailcious 172.67.154.55 34.149.87.45 - phishing | 2: ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers | | 4.2 | M | 48 | ZeroCERT
6 | 2023-11-21 08:00 | jurojarem2.1.exe | 0a1d0f4a278dff187347c1544ab3dc6a | NSIS Malicious Library UPX PE32 PE File OS Processor Check Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS | 1: http://geoplugin.net/json.gp | 4: geoplugin.net(178.237.33.50) sheddy1122.ddns.net(103.212.81.155) - mailcious 103.212.81.155 178.237.33.50 | 2: ET POLICY DNS Query to DynDNS Domain *.ddns .net ET JA3 Hash - Remcos 3.x TLS Connection | | 5.0 | M | 34 | ZeroCERT
7 | 2023-11-16 18:59 | macherako2.1.exe | 5b691330acaa3c5432b9caadbeb82003 | NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 3: http://www.jaliyahsboutique.site/tb8i/?Mfg=AQaGQeJtSF7XURKecA8O7yr+NlX8zRsowlAtlkToCPVC5G43PHBjCbek0+SoUA10RQeLzaXp&D6h4=O2JdRpPP8 http://www.freightlizards.com/tb8i/?Mfg=iDy6itdHrWaTfAWmWuh/mgzAS6tKx110PlwR6oB3LkHWhoHRuQXiu8dUVQqS4bUVZcTWjSMs&D6h4=O2JdRpPP8 http://www.driftlessmenofthewoods.com/tb8i/?Mfg=eqj5Z4ypABx4+RJiqSEL2pQMeiYVPR0bHgBfmB0KWoL2fjeQVwepQ8EqIXRbUYrWMehCRAoK&D6h4=O2JdRpPP8 | 7: www.freightlizards.com(15.197.148.33) www.rykuruh.cfd() www.driftlessmenofthewoods.com(66.96.162.130) www.jaliyahsboutique.site(62.72.50.217) 3.33.130.190 - phishing 62.72.50.217 66.96.162.130 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 3.0 | M | | ZeroCERT
8 | 2023-11-11 16:23 | kongaby2.1.exe | 0289449a841d419c7fecc344ea10d16a | Formbook NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 2: http://www.batcavela.com/ge06/?kHQD=Q330Nlrdd7wjbNOXaSC7JMUzln/+sA0fy8mpHysJLBlsNI2WRIrp3yqbQPXqvCDIbk6bxFbG&D81h=O2MHdPrXY - rule_id: 37803 http://www.waveoflife.pro/ge06/?kHQD=MT2lmuLr4xW4Y36Na+kfxB+SBx3z6weHsbIXVLyeZmOnioiBuNRbSrEPi8rGHADI09fpEf4R&D81h=O2MHdPrXY | 7: www.batcavela.com(13.248.148.254) - mailcious www.carat-automotive.com() www.booptee.com() www.waveoflife.pro(66.96.162.150) www.lodsoab.com() 13.248.148.254 - mailcious 66.96.162.150 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | 1: http://www.batcavela.com/ge06/ | 3.0 | M | | ZeroCERT
9 | 2023-10-12 07:50 | macbomard2.1.exe | 7f4be9fcb7371a4a4c98462602a33639 | NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.new-minerals.com/t6tg/?Tj=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&RX=dn98bVV8c4CP http://www.tugerdi.site/t6tg/?Tj=Za8NgA951HtgEMA/N1pbqY3Eng45w2byd25/9jAsmGZLSXWq5l9klRymntmNRw3MeMdtayU2&RX=dn98bVV8c4CP http://www.aspiredstudio.com/t6tg/?Tj=2Be6iIgSXmfB1nqJxUfd7To44XQGyUfcHTuBHOXScd6rc4VNel4uavXkn/Sr1IDzPZX3+Zir&RX=dn98bVV8c4CP http://www.ocoala.com/t6tg/?Tj=Bo69CXQCSq8YAZlSXsSXSHHhzBc0NkTLrUDc3+XWv9vtXAWnC5Ex0xTxf+gUzISZTYrGWz37&RX=dn98bVV8c4CP | 9: www.tugerdi.site(93.89.226.17) www.abstractcertify.com() www.aspiredstudio.com(199.36.158.100) www.ocoala.com(13.248.169.48) www.new-minerals.com(103.146.179.167) 76.223.54.146 93.89.226.17 - mailcious 103.146.179.167 199.36.158.100 - phishing | 1: ET MALWARE FormBook CnC Checkin (GET) | | 4.0 | M | 37 | ZeroCERT
10 | 2023-10-11 07:51 | romankon2.1.exe | f66044875f6dff90814d4b09be15bde7 | NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0 http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0 http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0 http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0 | 9: www.bowllywood.com(156.241.138.74) www.qianxz109.xyz() www.seoulbeautytw.com(151.101.194.236) www.oneresi.com(15.197.148.33) www.trailblazerbaby.com(198.49.23.144) 146.75.50.236 15.197.148.33 156.241.138.74 198.49.23.145 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 4.0 | M | 31 | ZeroCERT
11 | 2023-10-07 14:54 | shedremko2.1.exe | b80d6d5161b4f047ebb9f903822e2cd2 | NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS | | 2: sheddy1122.ddns.net(103.212.81.151) 103.212.81.151 | 1: ET POLICY DNS Query to DynDNS Domain *.ddns .net | | 6.8 | M | 44 | ZeroCERT
12 | 2023-10-03 12:56 | madywarza2.1.exe | a8dcae0690c61f8517b877b5191fc388 | NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS | | 1 | 2: ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | | 4.4 | M | 46 | ZeroCERT
13 | 2023-10-01 17:17 | borilpokonta2.1.exe | ff5073e7ca0e1ec86ee0268f040af237 | NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed | | | | | 4.0 | M | 52 | ZeroCERT
14 | 2023-09-28 08:27 | imolight2.1.exe | 56a626b9244c18ac768b5d3db7e014ed | NSIS Malicious Library UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS | | 1: 194.180.48.119 - mailcious | | | 10.2 | | 49 | ZeroCERT
15 | 2023-09-21 09:35 | maxlobbing2.1.exe | 8d7eea4fa1b573b722cac003a8aa205f | NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger | | 2: api.ipify.org(104.237.62.212) 104.237.62.212 | 4: ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | | 8.4 | M | 46 | ZeroCERT