| # | Date | Sample (filename, MD5, tags) | URLs | DNS / IP | Alerts | Extracted URL | Score | M | VT | Reporter |
| 1 | 2024-06-05 07:43 | NUZfgivQhifX46kon.exe 957f18ab4db251c4c04ec51d97e27c4b AgentTesla Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger | 1 | 2: api.ipify.org(104.26.12.205); 104.26.13.205 | 3: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 11.8 | M | | ZeroCERT |
| 2 | 2023-11-07 07:52 | jucostam2.1.exe 1f6a213c979c6adff88e31e059d2825d Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 3: http://www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?BZR8DR=eJVNysqPhL/uaCM5mmKlDkK99NL0wUK/QD98X4Xi+tSElCareFrH+cf4EbqdkZtA1uTt8AGh&VRKt=vBZhWH98eHJDbf; http://www.klxcv.xyz/ju29/?BZR8DR=4JvfAS1R38BLVmeFk9DSiCnJ91CcqWw5bF+8iYbx752X4gk0kHBYwToCGZXoT3c/qcFpSYl1&VRKt=vBZhWH98eHJDbf; http://www.xpermate.com/ju29/?BZR8DR=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&VRKt=vBZhWH98eHJDbf - rule_id: 37946 | 8: www.zg9tywlubmftzw5ldzmzmzk.com(103.224.212.216); www.klxcv.xyz(198.177.124.40); www.xpermate.com(77.245.157.73) - mailcious; www.jokergiftcard.buzz(); www.merchascarpamici.com(); 198.177.124.40 - mailcious; 103.224.212.216 - mailcious; 77.245.157.73 - mailcious | 2: ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers | 1: http://www.xpermate.com/ju29/ | 3.4 | M | | ZeroCERT |
| 3 | 2023-11-03 18:18 | macoptic2.1.exe d6c5df23371399eb60055b93d7b80ea7 NSIS Malicious Library UPX PE File PE32 OS Processor Check Check memory Creates executable files unpack itself AppData folder crashed | | | | | 3.2 | | | ZeroCERT |
| 4 | 2023-11-03 18:18 | jujoptics2.1.exe 0c57a7aae080fd2eac42a31fa5b7f051 NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself DNS | 2: http://www.xpermate.com/ju29/?8pwDZZSX=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&mvHpx=Y4C4ZlYp7ZstcN7; http://www.sextapevidhot.com/ju29/?8pwDZZSX=GMwV4/acGCaMlZi4K+MQ3vTvNv8+0oL4+WFE2ysoGOt3m0Xi0X0oVpaGXeUG3ymsAqEbf+Ht&mvHpx=Y4C4ZlYp7ZstcN7 | 8: www.sextapevidhot.com(103.224.212.211); www.ascorpii.com(); www.xpermate.com(77.245.157.73); www.lineyours.com(); 185.196.8.176 - malware; 103.224.212.211; 77.245.157.73; 104.76.78.101 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 4.0 | | | ZeroCERT |
| 5 | 2023-11-03 10:38 | macringa2.1.exe f231a02d229e5f504eacc706629ae2f1 NSIS Malicious Library UPX PE File PE32 VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself | | | | | 3.8 | M | 51 | r0d |
| 6 | 2023-11-03 10:33 | macringa2.1.exe f231a02d229e5f504eacc706629ae2f1 NSIS Malicious Library UPX PE File PE32 VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself | | | | | 3.8 | M | 51 | r0d |
| 7 | 2023-11-02 07:48 | strakonaj2.1.exe 4cb44bd5d786a7f2b53fd6d9602a2b8c NSIS Malicious Library UPX PE File PE32 OS Processor Check Check memory Creates executable files unpack itself AppData folder crashed | | | | | 3.2 | M | | ZeroCERT |
| 8 | 2023-10-31 07:48 | jujukhanis2.1.exe 4dca2433d6524869e26cda42d6aac35a NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.umertazkeer.com/ju29/?0nGP-6=qL/w1+MBvm8GoMYX5IhFQmgMppJTUe9u/duKotMyUJF4p+ww3IubNw5rhrvFOtNFijYs9Y2C&JXULWR=RX0xlPZ8UPmL7V6P; http://www.glocraze.com/ju29/?0nGP-6=gDkZXs7NveHu4EW0skg7wBT+4b2V8qQlIvFf+hRei/lqZM1GklKH3GG4bPd4M6MmprPp+Vw1&JXULWR=RX0xlPZ8UPmL7V6P; http://www.gaming-chairs-vn-vi-2885437.fyi/ju29/?0nGP-6=jZmXybCgFR2uD0ejxMDWyZKNvc7QdVfFN8JL5WlE97s3Bg4Qi+fVSOqduvGFqlRkfw/fGckr&JXULWR=RX0xlPZ8UPmL7V6P; http://www.sklm888.com/ju29/?0nGP-6=n8Crfq8u97ohQJzT+GN2bIuprmrMns3qA2cyB53CLK5Nkn3ik8XJfCdpmXkpj8M2YodcTKUz&JXULWR=RX0xlPZ8UPmL7V6P | 8: www.sklm888.com(108.186.24.175); www.umertazkeer.com(103.224.212.216); www.gaming-chairs-vn-vi-2885437.fyi(104.17.157.1); www.glocraze.com(15.197.148.33); 15.197.148.33; 103.224.212.216; 104.17.157.1; 108.186.24.175 | 1: ET MALWARE FormBook CnC Checkin (GET) | | 3.4 | M | | ZeroCERT |
| 9 | 2023-10-31 07:46 | macsilon2.1.exe acae22d54a60cda3e945eb605b2e0d79 Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.ssongg13026.cfd/t6tg/?hB9=Nmqux/666XlLtJ3WEKzUk3EHj+ftlkJxJixPq7eQ/k8b2WLLehoT1axEI2nKmBLwOwlBSnRz&lN68=VTRPbxUh6tHTgV - rule_id: 37346; http://www.g7bety.com/t6tg/?hB9=tJCug8916Nk3qwpVWxazfba7U2UvaJXJwG1WTz0cOvag2M7/5zn5sibdV7VYkPm4YwuRNFZo&lN68=VTRPbxUh6tHTgV; http://www.lobby138.monster/t6tg/?hB9=3b8u1mK8VHbHBfK/UsLoDkPDaVA31KqbuvBNGor4kXVmAL21gM7ZM3KDEr8Jm2Spn741Hpzt&lN68=VTRPbxUh6tHTgV; http://www.fem-studio.com/t6tg/?hB9=wO01AVbbXSVLf6qO03SX5K+SMOPGPZyPLFmMZ0U48re65Y/5ubB6fIycEVvycH59j+ia3nP/&lN68=VTRPbxUh6tHTgV | 9: www.ssongg13026.cfd(101.32.68.183) - mailcious; www.abstractcertify.com() - mailcious; www.lobby138.monster(91.195.240.123); www.g7bety.com(172.67.171.189); www.fem-studio.com(192.0.78.211); 101.32.68.183 - mailcious; 91.195.240.123 - mailcious; 172.67.171.189; 192.0.78.185 | 1: ET MALWARE FormBook CnC Checkin (GET) | 1: http://www.ssongg13026.cfd/t6tg/ | 3.4 | M | | ZeroCERT |
| 10 | 2023-10-20 07:34 | macringa2.1.exe f231a02d229e5f504eacc706629ae2f1 NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.jys639.com/t6tg/?ARr=iZSd4WcVLoxrty2SI4zYYm+k8zxr4doV+JNRrflDFWaXgV8umUmWRFTZcO/6j4IcEfQ2bA86&ndlpdZ=u4itArTPyX7D; http://www.verificardsa.com/t6tg/?ARr=e3AQhDkaG9eafEaUpLL/rSilDzf/hET9ej10VBCXgx4U67QE0b9NWX3D0BBjP0VOu+agMW4z&ndlpdZ=u4itArTPyX7D; http://www.izeera.com/t6tg/?ARr=m529FBdnR7W3BTzP5MxjwgE+mkLjoMm+UZfynz2FhzEQtAjK+eSB/JNk4Nuy1iudF5erJ+NJ&ndlpdZ=u4itArTPyX7D; http://www.nextino.app/t6tg/?ARr=hbKaBdJJ6vFN8tzB35DGgEHrZG9ClC0kvKQfUGuMd838c0khCL09IqdRU/B5FhQhg2CjjGkb&ndlpdZ=u4itArTPyX7D | 8: www.jys639.com(203.210.27.41); www.nextino.app(91.195.240.19); www.verificardsa.com(23.145.120.242); www.izeera.com(185.199.111.153); 91.195.240.19 - mailcious; 23.145.120.242; 203.210.27.41; 185.199.109.153 - malware | 1: ET MALWARE FormBook CnC Checkin (GET) | | 3.4 | M | | ZeroCERT |
| 11 | 2023-10-19 18:30 | sukonted2.1.exe ed1aef251adba4e47408db95bcf563cf NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder | | | | | 4.4 | M | 35 | ZeroCERT |
| 12 | 2023-10-17 07:46 | macwelter2.1.exe 5dc9185191d639c955367a880101e252 NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4: http://www.zeropointenergyhvac.com/t6tg/?jDKP8=vAEcViLLfRnXrvGHJGOy3S0oM5KgJr+WLGiVWET49+NKpGPyCcxnbWSVNLBpcRBJoM/m8+js&8p0=IbtHbJ; http://www.domumix.com/t6tg/?jDKP8=NCr4hxvH2ezd5PnFQvFe4UNVT4u8oc6t8Rf/c3KW26/rudMQ46jCsaNfWBhm2pOWUClrv1g3&8p0=IbtHbJ; http://www.ssongg13026.cfd/t6tg/?jDKP8=Nmqux/666XlLtJ3WEKzUk3EHj+ftlkJxJixPq7eQ/k8b2WLLehoT1axEI2nKmBLwOwlBSnRz&8p0=IbtHbJ; http://www.tugerdi.site/t6tg/?jDKP8=Za8NgA951HtgEMA/N1pbqY3Eng45w2byd25/9jAsmGZLSXWq5l9klRymntmNRw3MeMdtayU2&8p0=IbtHbJ | 8: www.domumix.com(23.227.38.74); www.ssongg13026.cfd(101.32.68.183); www.zeropointenergyhvac.com(15.197.148.33); www.tugerdi.site(93.89.226.17); 101.32.68.183 - mailcious; 15.197.148.33; 93.89.226.17 - mailcious; 23.227.38.74 - mailcious | 1: ET MALWARE FormBook CnC Checkin (GET) | | 3.4 | | | ZeroCERT |
| 13 | 2023-10-11 08:01 | marcolite2.1.exe 71ea87bcc822a68c4ef492ecbdba37f6 NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 1: http://www.cysh100th.com/t6tg/?RVE=C4RGcRJ+oFeN6Dw5JyxSSWJXrhqNO9HSkiwUjsu5KAkN06m/6Uw6tkK+9OBn6uuuNd9cxUAj&oX=Txo8ntIpM8sp | 5: www.ascend-help.tech(); www.ep0i.com(); www.cysh100th.com(66.235.200.146); www.adam-automatik.com(); 66.235.200.146 - malware | 1: ET MALWARE FormBook CnC Checkin (GET) | | 4.4 | M | 34 | ZeroCERT |
| 14 | 2023-10-10 07:40 | shekinga2.1.exe 4018b3beefce0db09ca018c8d99262e3 NSIS Malicious Library UPX PE File PE32 OS Processor Check Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS | 1: http://geoplugin.net/json.gp | 4: geoplugin.net(178.237.33.50); sheddy1122.ddns.net(103.212.81.158) - mailcious; 178.237.33.50; 103.212.81.158 | 2: ET POLICY DNS Query to DynDNS Domain *.ddns .net; ET JA3 Hash - Remcos 3.x TLS Connection | | 5.6 | M | 27 | ZeroCERT |
| 15 | 2023-09-14 19:06 | centrolineo2.1.exe f111e4ac9108f1bdbb1205b23abe1d28 NSIS UPX Malicious Library PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger | | 2: api.ipify.org(64.185.227.156); 104.237.62.212 | 4: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO TLS Handshake Failure; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 8.4 | | 23 | ZeroCERT |