| 1 |
2024-07-15 09:38
|
 Milieuskadeligst.exe 99af50ba5059f85a1c8bd15ecf23fb3b
Malicious Library PE File PE64 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2024-06-07 09:37
|
 Tlcf4ubbOhvrFYkon.exe 9c4b350eb7315c2f6f4b2eb64bccd918
Formbook Malicious Library AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process Windows DNS Cryptographic key crashed |
6
http://www.caxars.store/muti/
http://www.eshopkhaliji.store/muti/?8p=PenW7MtlXSrvxOPA1PJj8U2jUUvXlhwVh1FpwKQCNXiCStQ1MIBfQTqa3m2cpudHTvQpU++Q&4h=vTxdQD-PSRspeX7&sql=1
http://www.eshopkhaliji.store/muti/
http://www.shopadamsstore.com/muti/?8p=rUMPbDi9V+hLkBWFtVE1y7T4O5kE79Gi8Nwpb3xjlkSgEF4tpwDWlQ4hDt2c39K6jtdDQHz5&4h=vTxdQD-PSRspeX7&sql=1
http://www.caxars.store/muti/?8p=vAkEv8VlD6HvoJ7OTZ3UyhPmsIwewVN5MI8wV+ea/g1itgmvOaYSZ0nMfK3GudfMXpkuz2fr&4h=vTxdQD-PSRspeX7&sql=1
http://www.shopadamsstore.com/muti/
|
8
www.caxars.store(91.184.0.200)
www.eshopkhaliji.store(158.176.194.183)
www.shopadamsstore.com(23.227.38.74)
www.kampspacex.com()
45.33.6.223
23.227.38.74 - mailcious
141.125.157.19
91.184.0.200 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE FormBook CnC Checkin (POST) M2
|
|
10.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2024-03-28 07:54
|
 6nSkW0jqkE1okon.exe 5d76a9e3a1948a1307330e52cfefd7bb
AgentTesla UPX PWS SMTP KeyLogger AntiDebug AntiVM PE64 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
|
2
api.ipify.org(172.67.74.152)
104.26.13.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2023-11-27 09:39
|
 balotek2.1.exe cf52e32f7257ad06e9436c2090585f55
NSIS Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg
http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg
http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg
http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg
|
8
www.office-honu.com(163.44.185.180)
www.studio352events.com(208.91.197.132)
www.earthdatascape.com(62.149.128.45)
www.merelweb.com(172.67.158.89)
163.44.185.180
104.21.82.142
208.91.197.132 - mailcious
62.149.128.45 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2023-11-26 13:41
|
 macindas2.1.exe 84682f07f2f1698e49b6a29573c5679d
NSIS Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.salvanandcie.com/tb8i/?-ZeTi6B=UMOMUPRltOuIOavlOV9TAbzOI3NyPSxU0IiF98vYZIoJYysmNQovnALCNihIDsZ76SkBnDz1&2d=lnxh
http://www.tron-pk.xyz/tb8i/?-ZeTi6B=5rJxyOnP1GB0ESD4ttWy9/4jFy42toRxagw3E+bnB/pmFdmTHJRzMwLMKKbb+ploXs+4W+sP&2d=lnxh
http://www.texwwfrx.com/tb8i/?-ZeTi6B=zluqp2Qif7Juk0jSJTDTdhTVgLgB+eVfrKJdSE4Bz8PdBwx7LJWv3E/FDzXvfZ8eIpu6oPdn&2d=lnxh
http://www.free-indeed.faith/tb8i/?-ZeTi6B=mjsfGumS0MCj+go/ckdO0h+daXKQjTCMjol4fCy+GQ9z9EIRohWOFaX9TAL/50qANRa4gnnD&2d=lnxh
|
9
www.rykuruh.cfd() - mailcious
www.salvanandcie.com(34.149.87.45)
www.free-indeed.faith(91.195.240.19)
www.tron-pk.xyz(172.67.152.75)
www.texwwfrx.com(104.21.88.236)
91.195.240.19 - mailcious
104.21.32.135 - mailcious
172.67.154.55
34.149.87.45 - phishing
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
4.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2023-11-21 08:00
|
 jurojarem2.1.exe 0a1d0f4a278dff187347c1544ab3dc6a
NSIS Malicious Library UPX PE32 PE File OS Processor Check Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
sheddy1122.ddns.net(103.212.81.155) - mailcious
103.212.81.155
178.237.33.50
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
5.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2023-11-16 18:59
|
 macherako2.1.exe 5b691330acaa3c5432b9caadbeb82003
NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
3
http://www.jaliyahsboutique.site/tb8i/?Mfg=AQaGQeJtSF7XURKecA8O7yr+NlX8zRsowlAtlkToCPVC5G43PHBjCbek0+SoUA10RQeLzaXp&D6h4=O2JdRpPP8
http://www.freightlizards.com/tb8i/?Mfg=iDy6itdHrWaTfAWmWuh/mgzAS6tKx110PlwR6oB3LkHWhoHRuQXiu8dUVQqS4bUVZcTWjSMs&D6h4=O2JdRpPP8
http://www.driftlessmenofthewoods.com/tb8i/?Mfg=eqj5Z4ypABx4+RJiqSEL2pQMeiYVPR0bHgBfmB0KWoL2fjeQVwepQ8EqIXRbUYrWMehCRAoK&D6h4=O2JdRpPP8
|
7
www.freightlizards.com(15.197.148.33)
www.rykuruh.cfd()
www.driftlessmenofthewoods.com(66.96.162.130)
www.jaliyahsboutique.site(62.72.50.217)
3.33.130.190 - phishing
62.72.50.217
66.96.162.130 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2023-11-11 16:23
|
 kongaby2.1.exe 0289449a841d419c7fecc344ea10d16a
Formbook NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
2
http://www.batcavela.com/ge06/?kHQD=Q330Nlrdd7wjbNOXaSC7JMUzln/+sA0fy8mpHysJLBlsNI2WRIrp3yqbQPXqvCDIbk6bxFbG&D81h=O2MHdPrXY - rule_id: 37803
http://www.waveoflife.pro/ge06/?kHQD=MT2lmuLr4xW4Y36Na+kfxB+SBx3z6weHsbIXVLyeZmOnioiBuNRbSrEPi8rGHADI09fpEf4R&D81h=O2MHdPrXY
|
7
www.batcavela.com(13.248.148.254) - mailcious
www.carat-automotive.com()
www.booptee.com()
www.waveoflife.pro(66.96.162.150)
www.lodsoab.com()
13.248.148.254 - mailcious
66.96.162.150 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.batcavela.com/ge06/
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2023-10-12 07:50
|
 macbomard2.1.exe 7f4be9fcb7371a4a4c98462602a33639
NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.new-minerals.com/t6tg/?Tj=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&RX=dn98bVV8c4CP
http://www.tugerdi.site/t6tg/?Tj=Za8NgA951HtgEMA/N1pbqY3Eng45w2byd25/9jAsmGZLSXWq5l9klRymntmNRw3MeMdtayU2&RX=dn98bVV8c4CP
http://www.aspiredstudio.com/t6tg/?Tj=2Be6iIgSXmfB1nqJxUfd7To44XQGyUfcHTuBHOXScd6rc4VNel4uavXkn/Sr1IDzPZX3+Zir&RX=dn98bVV8c4CP
http://www.ocoala.com/t6tg/?Tj=Bo69CXQCSq8YAZlSXsSXSHHhzBc0NkTLrUDc3+XWv9vtXAWnC5Ex0xTxf+gUzISZTYrGWz37&RX=dn98bVV8c4CP
|
9
www.tugerdi.site(93.89.226.17)
www.abstractcertify.com()
www.aspiredstudio.com(199.36.158.100)
www.ocoala.com(13.248.169.48)
www.new-minerals.com(103.146.179.167)
76.223.54.146
93.89.226.17 - mailcious
103.146.179.167
199.36.158.100 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2023-10-11 07:51
|
 romankon2.1.exe f66044875f6dff90814d4b09be15bde7
NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0
http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0
http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0
http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0
|
9
www.bowllywood.com(156.241.138.74)
www.qianxz109.xyz()
www.seoulbeautytw.com(151.101.194.236)
www.oneresi.com(15.197.148.33)
www.trailblazerbaby.com(198.49.23.144)
146.75.50.236
15.197.148.33
156.241.138.74
198.49.23.145 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2023-10-07 14:54
|
 shedremko2.1.exe b80d6d5161b4f047ebb9f903822e2cd2
NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS |
|
2
sheddy1122.ddns.net(103.212.81.151)
103.212.81.151
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
6.8 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2023-10-03 12:56
|
 madywarza2.1.exe a8dcae0690c61f8517b877b5191fc388
NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS |
|
1
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
4.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2023-10-01 17:17
|
 borilpokonta2.1.exe ff5073e7ca0e1ec86ee0268f040af237
NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed |
|
|
|
|
4.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2023-09-28 08:27
|
 imolight2.1.exe 56a626b9244c18ac768b5d3db7e014ed
NSIS Malicious Library UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS |
|
1
194.180.48.119 - mailcious
|
|
|
10.2 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2023-09-21 09:35
|
 maxlobbing2.1.exe 8d7eea4fa1b573b722cac003a8aa205f
NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
104.237.62.212
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
8.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|