16996 |
2023-05-22 16:34
|
345534534.exe 6355c5f8f98ffd7042a07ed616a2bb34 AgentTesla browser info stealer Generic Malware Downloader UPX Malicious Library Create Service DGA Socket DNS BitCoin Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger Screen Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Collect installed applications Check virtual network interfaces malicious URLs sandbox evasion installed browsers check Ransomware Windows Exploit Browser ComputerName RCE Firmware DNS Cryptographic key crashed |
1
http://185.99.133.246/c2sock - rule_id: 33485
|
1
185.99.133.246 - mailcious
|
1
SURICATA HTTP unable to match response to request
|
1
http://185.99.133.246/c2sock
|
17.2 |
M |
47 |
ZeroCERT
|
16997 |
2023-05-22 16:32
|
governorzx.exe 62a46435c5e579b3f3a7d59f64317a09 PWS .NET framework KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Discord Browser Email ComputerName DNS Cryptographic key Software crashed |
1
https://discord.com/api/webhooks/1103875906361118810/4y7iINqCCd1vB_5CHVi8bfs-VsURmj2vh2ZdBw9vV7iC_QaLM-Uzs73INWoN8KSw28mH
|
2
discord.com(162.159.136.232) - mailcious
162.159.137.232 - mailcious
|
3
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
ET INFO Observed Discord Domain (discord .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
14.8 |
M |
48 |
ZeroCERT
|
16998 |
2023-05-22 16:31
|
shell.exe 604e6d6cac22bc2c954367b4a36bb195 Gen1 UPX Malicious Library ASPack Admin Tool (Sysinternals etc ...) Anti_VM OS Processor Check PE64 PE File ZIP Format DLL VirusTotal Malware Check memory Creates executable files crashed |
|
2.6 |
M |
41 |
ZeroCERT
|
16999 |
2023-05-22 16:28
|
adolfzx.exe 372daff38ea8b876b01803b474c7f687 Formbook PWS .NET framework RAT AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities AppData folder Windows |
|
2
www.anime-room.com()
www.todipjane.africa()
|
11.6 |
M |
37 |
ZeroCERT
|
17000 |
2023-05-22 16:26
|
whiteezx.exe dc7614d708b3b80811a4c8dde9eb4e1c Formbook PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS |
3
http://www.ebndeoo.store/pr29/?Sh=T2TbN0Zq62ho9rLNZMUBepa4dSHomHzO9AtC/XYSeFvuxA7nQTBQ8gktsXrl5MMEMi+Syat/&RX=dnHxRbdHWnS4fP5
http://www.eventequipmentexpress.com/pr29/?Sh=fp/AfiVnqCIH8M1YKHlz0gaU8dW5ScGccE7V/FPeYIQ0AeAEOBMSxwD4Ou/6lh0DqUgisOqN&RX=dnHxRbdHWnS4fP5
http://www.cuisineconfort.com/pr29/?Sh=S0SwMb/6oZgQzwAmRA9qWrUSbSeRu71rATdJ/boUNw8KzXM8MwG+oUPoGiXkDp9gToBx8Zsu&RX=dnHxRbdHWnS4fP5
|
7
www.eventequipmentexpress.com(34.102.136.180)
www.ebndeoo.store(47.251.52.228)
www.cuisineconfort.com(23.227.38.74)
46.30.213.155 - mailcious
23.227.38.74 - mailcious
34.102.136.180 - mailcious
47.251.52.228
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
10.2 |
M |
46 |
ZeroCERT
|
17001 |
2023-05-22 16:25
|
vbc.exe f4fb22b77def98b9cc1231ab69a98f58 Formbook NSIS UPX Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder suspicious TLD ComputerName DNS |
12
http://www.zservers.xyz/hjdr/ - rule_id: 28386
http://www.xn--pdotrychler-l8a.ch/hjdr/ - rule_id: 28389
http://www.amateurshow.online/hjdr/?sQ51n=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&O-G=Y-3P - rule_id: 28385
http://www.howtrue.info/hjdr/?sQ51n=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&O-G=Y-3P - rule_id: 28387
http://www.tugrow.top/hjdr/?sQ51n=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&O-G=Y-3P - rule_id: 28388
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.moneyflowplant.com/hjdr/?sQ51n=eyJcKPxcHEkYOgBJ9ZZ9cit4y5B++Dvl/uOHalw31nGSIs778X+Kd1FjwZjeX1NbjiHN6FVudnpl9UmJEcwgNYvdeBiOQHW6RccTTCs=&O-G=Y-3P - rule_id: 31708
http://www.xn--pdotrychler-l8a.ch/hjdr/?sQ51n=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&O-G=Y-3P - rule_id: 28389
http://www.zservers.xyz/hjdr/?sQ51n=a/jwoO6Li4WGoMKhZK2qV7tdnllQ6mdQYsYFdFr7RisYjJd1Hm0f46xorIJmHDnVHKTR/o/1BaU+86MBDvdqY5CeL0wg/BcTjfumQVU=&O-G=Y-3P - rule_id: 28386
http://www.howtrue.info/hjdr/ - rule_id: 28387
http://www.tugrow.top/hjdr/ - rule_id: 28388
http://www.moneyflowplant.com/hjdr/ - rule_id: 31708
|
15
www.flamencovive.com() - mailcious
www.amateurshow.online(37.220.1.68) - mailcious
www.xn--pdotrychler-l8a.ch(95.130.17.35) - mailcious
www.fruitecology.com(46.30.213.155) - mailcious
www.howtrue.info(184.168.113.29) - mailcious
www.zservers.xyz(103.42.108.46) - mailcious
www.tugrow.top(66.29.131.66) - mailcious
www.moneyflowplant.com(62.77.152.57) - mailcious
95.130.17.35 - mailcious
184.168.113.29 - mailcious
62.77.152.57 - mailcious
66.29.131.66 - mailcious
103.42.108.46 - mailcious
45.33.6.223
37.220.1.68
|
5
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Request to .TOP Domain with Minimal Headers
|
11
http://www.zservers.xyz/hjdr/
http://www.xn--pdotrychler-l8a.ch/hjdr/
http://www.amateurshow.online/hjdr/
http://www.howtrue.info/hjdr/
http://www.tugrow.top/hjdr/
http://www.moneyflowplant.com/hjdr/
http://www.xn--pdotrychler-l8a.ch/hjdr/
http://www.zservers.xyz/hjdr/
http://www.howtrue.info/hjdr/
http://www.tugrow.top/hjdr/
http://www.moneyflowplant.com/hjdr/
|
5.6 |
M |
53 |
ZeroCERT
|
17002 |
2023-05-22 16:19
|
Satan_AIO.exe c8c82a0f0ee038fddb54cbf156f2e300 Malicious Library Malicious Packer VMProtect PE64 PE File VirusTotal Malware Checks debugger DNS crashed |
|
1
|
3.0 |
|
30 |
ZeroCERT
|
17003 |
2023-05-22 16:19
|
WindowsApp6.exe 5681f190a1d7c696efa487fa0100e96b Formbook .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
5.0 |
M |
59 |
ZeroCERT
|
17004 |
2023-05-22 16:18
|
jawazx.exe 0cf0d018debfce1695e34759289e31db AgentTesla PWS .NET framework browser info stealer Google Chrome User Data Downloader Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS keylogger |
1
http://geoplugin.net/json.gp
|
3
geoplugin.net(178.237.33.50)
45.81.243.246
178.237.33.50
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
10.4 |
|
41 |
ZeroCERT
|
17005 |
2023-05-22 16:17
|
xmrig32.exe cc20a54b21aac972382d5ad53f67e91b Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware WriteConsoleW |
|
1.4 |
|
59 |
ZeroCERT
|
17006 |
2023-05-22 09:09
|
goat.dll 78b53767df514a3d25aed7b2befbf562 UPX Malicious Library OS Processor Check DLL PE64 PE File Checks debugger unpack itself ComputerName DNS crashed |
|
5
214.43.249.250
2.228.251.38
57.182.80.190
92.119.178.40 - mailcious
62.4.213.138
|
3.8 |
|
ZeroCERT
|
17007 |
2023-05-22 09:04
|
Updates%20Windows.exe 05ea0aa586cd127894ff0bd65566254c Loki_b Loki_m PWS .NET framework RAT UPX Code injection PWS[m] AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Telegram AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
3
https://steamcommunity.com/profiles/76561199501059503
https://t.me/mastersbots
http://185.254.37.108/Luibkj.dll
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.200.235.107) - mailcious
149.154.167.99 - mailcious
23.37.146.163
185.254.37.108 - mailcious
|
4
ET INFO Dotted Quad Host DLL Request
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
12.6 |
M |
50 |
ZeroCERT
|
17008 |
2023-05-22 09:03
|
ilillil%23%23%23%23%23%23%23%2... f83050a49383b5c615b9a84543254f4e MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash Exploit DNS crashed Downloader |
1
http://104.234.10.91/441/vbc.exe
|
1
|
3
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
4.4 |
M |
28 |
ZeroCERT
|
17009 |
2023-05-22 09:02
|
whiteezx.exe 2608ea96bd6424120c20e6594827f844 Formbook PWS .NET framework Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
http://www.kd-quilts.com/pr29/?v4=wXyY+y/V+y1/AnxM16dRfRBuxbe/Yr8e2DlPMb8DPd7MrVB1Ku0tny0zWEj61KI8d3SuNV54&nt=V48HiDzp
http://www.datings69.com/pr29/?v4=iWIxv15JsrJJkCjZ8Z2o3kuz+1NpAQWXASqKJKsuslEEMxeXMyCRxey2t2zedcxZSr3jS5XB&nt=V48HiDzp
|
4
www.datings69.com(172.67.150.74)
www.kd-quilts.com(199.115.116.43)
104.21.88.25
70.32.1.32 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
9.6 |
M |
52 |
ZeroCERT
|
17010 |
2023-05-22 08:59
|
ne983n8sn3lks3.exe a96ac42f9ccc7d11663f2741d5dfe930 BlackMatter Ransomware PE File PE32 VirusTotal Malware unpack itself |
|
2.2 |
M |
57 |
ZeroCERT
|