| ID | Submitted | File | MD5 | Tags | URLs | Hosts | IDS alerts | Malicious URLs | Score | Flag | Count | Source |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 16966 | 2023-05-23 17:31 | 003079999209.pdf.scr | 0957864375a690abcea81ce440d762f8 | Suspicious_Script_Bin Generic Malware UPX Malicious Library Antivirus DNS AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW human activity check Windows ComputerName RCE DNS DDNS | | december2n.duckdns.org (192.169.69.26); december2nd.ddns.net (212.193.30.230); 192.169.69.26 - phishing; 212.193.30.230 - malicious | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET POLICY DNS Query to DynDNS Domain *.ddns .net | | 20.2 | | 37 | ZeroCERT |
| 16967 | 2023-05-23 17:28 | csrss.exe | ef9d99538803de5140aa18eeb3b958b3 | Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder anti-virtualization DNS crashed | | 1 host (not listed) | | | 4.2 | M | 21 | ZeroCERT |
| 16968 | 2023-05-23 17:26 | aDTUAh4aJrmzMHA.exe | ae3300545a8b7b614d5d974e70769052 | RAT UPX SMTP KeyLogger AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger | | mail.safinaco.com (112.213.89.32); 45.81.243.246 - malicious; 112.213.89.32 - malicious | SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 15.0 | M | 52 | ZeroCERT |
| 16969 | 2023-05-23 17:26 | vbc.exe | 864ffb0d2b8f9e7ddabd50be7409046b | Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder | | | | | 2.6 | M | 17 | ZeroCERT |
| 16970 | 2023-05-23 17:25 | ChatGPT-4.exe | dce55bbdd6eed9c8208b7e2581566ff0 | Gen1 Generic Malware UPX Malicious Library Malicious Packer ASPack Anti_VM OS Processor Check PE64 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself | | | | | 3.4 | M | 45 | ZeroCERT |
| 16971 | 2023-05-23 17:25 | papizx.exe | e2f5006e1aaef2772f0593ca9e63d13b | AgentTesla PWS .NET framework browser info stealer Google Chrome User Data Downloader Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate privileges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS keylogger | http://geoplugin.net/json.gp | geoplugin.net (178.237.33.50); 45.81.243.246 - malicious; 178.237.33.50 | ET JA3 Hash - Remcos 3.x TLS Connection | | 10.4 | M | 42 | ZeroCERT |
| 16972 | 2023-05-23 17:24 | 1.exe | cc09bb37daeedc24a5029612658ffb7e | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself | | | | | 1.8 | M | 36 | ZeroCERT |
| 16973 | 2023-05-23 17:22 | Zhazpwadddz.exe | 24781c1e54454da853bef89a12b65975 | RAT .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself | | | | | 2.0 | M | 24 | ZeroCERT |
| 16974 | 2023-05-23 17:21 | bld_3s.exe | 44b65c0e74a1c608b202a663318f966d | Emotet PWS .NET framework Loki_b RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Windows ComputerName DNS Cryptographic key | http://94.142.138.111/concerts/2.php (rule_id 32678); http://94.142.138.111/concerts/13.php (rule_id 32689); http://94.142.138.111/concerts/10.php (rule_id 32686); http://ip-api.com/json/; http://94.142.138.111/concerts/9.php (rule_id 32685); http://94.142.138.111/concerts/11.php (rule_id 32687); http://94.142.138.111/concerts/8.php (rule_id 32684); http://94.142.138.111/concerts/6.php (rule_id 32682); http://94.142.138.111/concerts/4.php (rule_id 32680); http://94.142.138.111/concerts/1.php (rule_id 32677); http://94.142.138.111/concerts/12.php (rule_id 32688); http://94.142.138.111/concerts/7.php (rule_id 32683); http://94.142.138.111/concerts/5.php (rule_id 32681); http://ipwhois.app/xml/; http://94.142.138.111/concerts/3.php (rule_id 32679) | ipwhois.app (103.126.138.87); ip-api.com (208.95.112.1); 103.126.138.87; 94.142.138.111 - malware; 208.95.112.1 | ET POLICY External IP Lookup ip-api.com | http://94.142.138.111/concerts/2.php; http://94.142.138.111/concerts/13.php; http://94.142.138.111/concerts/10.php; http://94.142.138.111/concerts/9.php; http://94.142.138.111/concerts/11.php; http://94.142.138.111/concerts/8.php; http://94.142.138.111/concerts/6.php; http://94.142.138.111/concerts/4.php; http://94.142.138.111/concerts/1.php; http://94.142.138.111/concerts/12.php; http://94.142.138.111/concerts/7.php; http://94.142.138.111/concerts/5.php; http://94.142.138.111/concerts/3.php | 5.6 | M | 44 | ZeroCERT |
| 16975 | 2023-05-23 17:20 | vbc.exe | 7457fdd20c567bd3c20e7be6ee044726 | Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder | | | | | 2.6 | | 15 | ZeroCERT |
| 16976 | 2023-05-23 17:18 | buggzx.exe | a29fb824aaf242efc1f4d4527c2e8a0a | Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software | http://185.246.220.60/bugg/five/fre.php (rule_id 33487) | 185.246.220.60 - malicious | ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response | http://185.246.220.60/bugg/five/fre.php | 13.6 | M | 18 | ZeroCERT |
| 16977 | 2023-05-23 17:17 | 2022_12_PO-note_page-0002.hta | dada4c04af88637d79abfec8ed74e568 | VirusTotal Malware Check memory RWX flags setting unpack itself WriteConsoleW Tofsee Windows Discord DNS | https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe | cdn.discordapp.com (162.159.133.233) - malware; 162.159.129.233 - malware | ET INFO Observed Discord Domain (discordapp .com in TLS SNI); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 3.0 | | 26 | ZeroCERT |
| 16978 | 2023-05-23 17:16 | llillillillillilli%23%23%23%23... | 05ec34c0d8db1ff6e5def9ab587dadc8 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader | http://107.172.130.133/62/vbc.exe; http://107.172.130.133/e/cLItriJACP41.bin | 107.172.130.133 - malicious | ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE Generic .bin download from Dotted Quad; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 4.6 | M | 30 | ZeroCERT |
| 16979 | 2023-05-23 17:15 | ark.exe | f40caeb8d127389627cf20e34c70b1ca | PWS .NET framework Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName Cryptographic key Software crashed | | api.ipify.org (104.237.62.211); 173.231.16.76 | | | 10.6 | M | 29 | ZeroCERT |
| 16980 | 2023-05-23 17:06 | File_pass1234.7z | 59bdba4300a7d636830fa3ff631a8ed0 | PWS[m] Escalate privileges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee DNS | http://www.maxmind.com/geoip/v2.1/city/me; http://85.208.136.10/api/tracemap.php (rule_id 32662); https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self; https://db-ip.com/ | api.db-ip.com (104.26.5.15); db-ip.com (104.26.5.15); ipinfo.io (34.117.59.81); www.maxmind.com (104.17.214.67); 172.67.75.166; 104.17.215.67; 85.208.136.10 - malicious; 34.117.59.81; 104.26.5.15; 94.142.138.113 - malicious | ET SCAN Potential VNC Scan 5900-5920; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | http://85.208.136.10/api/tracemap.php | 4.6 | M | 8 | ZeroCERT |
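Listings like the one above usually arrive as extracted text, with each record's cells run together and the list columns reduced to a declared count followed by entries separated only by spaces. The following is an added example, not code from the listing's site: a parser that turns that flattened layout back into records, cross-checks each declared count against what it actually parsed (record 16967 above declares one host but lists none), tolerates the MD5 that the extraction fused with the first tag in the .hta record, and collects the hashes, domains, IPs and URLs into an IOC set. The column order (id, submitted, sample, URLs, hosts, IDS alerts, malicious URLs, score, flag, count, source) is inferred from the page; the assumption that every IDS entry starts with "ET", "SURICATA" or "SSLBL", the `VERDICT_FIX` normalisation of the site's "mailcious" spelling, and the split between verdict-tagged hosts and the rest are mine. The embedded sample is one record copied from the listing as extracted, with its tags abridged.

```python
"""Parse a flattened ZeroCERT-style sandbox listing into records and an IOC set.
Added example, not the site's own code. Column order is inferred from the page:
id | submitted | "file md5 tags" | urls | hosts | ids | malicious urls | score |
flag | count | source; list cells hold a declared count, then entries run together."""
import re

RECORD_START = re.compile(r"^\d{4,}\s*\|\s*$", re.M)          # "16977 |" opens a record
SAMPLE_RE = re.compile(r"^(?P<file>\S+)\s+(?P<md5>[0-9a-f]{32})\s*(?P<tags>.*)$", re.S)
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_RE = re.compile(r"(?P<name>[A-Za-z0-9][A-Za-z0-9.-]*)"     # domain or bare IP
                     r"(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"  # resolved address
                     r"(?:\s+-\s+(?P<verdict>[A-Za-z]+))?")       # "- phishing", "- malware"
SIG_SPLIT = re.compile(r"\s+(?=(?:ET|SURICATA|SSLBL)\b)")        # assumed rule-name prefixes
VERDICT_FIX = {"mailcious": "malicious"}                         # the site's own misspelling


def _list_cell(cell):
    # '<declared count>\n<entries>' -> (count, whitespace-normalised entries)
    head, _, body = cell.partition("\n")
    return (int(head) if head.strip().isdigit() else 0), " ".join(body.split())

def _urls(body):
    return [(u, rid or None) for u, rid in URL_RE.findall(body)]

def _hosts(body):
    return [(m["name"], m["ip"], VERDICT_FIX.get(m["verdict"], m["verdict"]))
            for m in HOST_RE.finditer(body)]

def _sigs(body):
    return [s for s in SIG_SPLIT.split(body) if s]

def parse_record(text):
    cells = [c.strip() for c in text.split("|")]
    cells += [""] * max(0, 11 - len(cells))                      # tolerate a truncated record
    sample = SAMPLE_RE.match(cells[2])
    if not sample:
        raise ValueError(f"no '<file> <md5>' in sample cell: {cells[2][:60]!r}")
    warnings = []

    def column(i, label, extract):
        declared, body = _list_cell(cells[i])
        items = extract(body)
        if declared != len(items):                               # page count vs. parsed count
            warnings.append(f"{label}: declared {declared}, parsed {len(items)}")
        return items

    return {
        "id": cells[0], "submitted": cells[1], "file": sample["file"],
        "md5": sample["md5"], "tags": sample["tags"],
        "urls": column(3, "urls", _urls), "hosts": column(4, "hosts", _hosts),
        "ids": column(5, "ids", _sigs), "malicious_urls": column(6, "malicious urls", _urls),
        "score": float(cells[7]) if cells[7] else None, "flag": cells[8],
        "count": int(cells[9]) if cells[9].isdigit() else None, "source": cells[10],
        "warnings": warnings,
    }

def parse_listing(text):
    starts = [m.start() for m in RECORD_START.finditer(text)]
    return [parse_record(text[a:b]) for a, b in zip(starts, starts[1:] + [len(text)])]

def extract_iocs(records):
    # Verdict-tagged hosts come back separately so IP-lookup services are not blocked blindly.
    iocs = {"md5": set(), "domain": set(), "ip": set(), "url": set()}
    flagged = {}
    for r in records:
        iocs["md5"].add(r["md5"])
        for name, ip, verdict in r["hosts"]:
            iocs["ip" if IP_RE.fullmatch(name) else "domain"].add(name)
            if ip:
                iocs["ip"].add(ip)
            if verdict:
                flagged[name] = verdict
        for url, _ in r["urls"] + r["malicious_urls"]:
            iocs["url"].add(url)
    return iocs, flagged

# One record copied from the listing as extracted (tags abridged); note the MD5 fused
# with the first tag, which SAMPLE_RE tolerates.
SAMPLE_LISTING = """16977 |
2023-05-23 17:17
|
2022_12_PO-note_page-0002.hta dada4c04af88637d79abfec8ed74e568VirusTotal Malware Tofsee Windows Discord DNS |
1
https://cdn.discordapp.com/attachments/1062280171790540840/1063090692613746718/aDTUAh4aJrmzMHA.exe
|
2
cdn.discordapp.com(162.159.133.233) - malware 162.159.129.233 - malware
|
3
ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
26 |
ZeroCERT
"""
```

The `warnings` list is the part worth keeping an eye on: a declared count that does not match the parsed count means either the page omitted entries (as in record 16967) or the tokenizer mis-split a signature name or host, and either way the record should not be fed to a blocklist unreviewed. Keeping verdict-tagged hosts apart from the rest matters here because the listing is full of geolocation and external-IP services (geoplugin.net, ip-api.com, api.ipify.org, db-ip.com, maxmind.com) that the samples contact but that the page does not tag as malicious.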