17056 | 2023-05-18 17:36 |
GGG%23%23%23%23%23%23%23%23%23... 01c2fe220d602996255a3760b10a1219 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed Downloader |
1
http://192.227.228.120/60/vbc.exe
|
1
192.227.228.120 - malware
|
3
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
5.0 | M | 33 | ZeroCERT
17057 | 2023-05-18 15:41 |
cryptoistic.bin d41d8cd98f00b204e9800998ecf8427e AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 | | | guest
17058 | 2023-05-18 10:48 |
vbc.exe 59f9df6fb26fb1a5c6343a443075649b Formbook Malicious Library PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic unpack itself DNS |
34
http://www.towfire.life/f619/?E9W=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&NC=ptGp - rule_id: 33475
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
http://www.towfire.life/f619/ - rule_id: 33475
http://www.skillfulp10.buzz/f619/?E9W=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&NC=ptGp - rule_id: 33500
http://www.skillfulp10.buzz/f619/?E9W=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&NC=ptGp
http://www.28588v.com/f619/ - rule_id: 33501
http://www.28588v.com/f619/
http://www.gospelfy.online/f619/ - rule_id: 33496
http://www.gospelfy.online/f619/
http://www.intake-tree.com/f619/?E9W=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&NC=ptGp - rule_id: 33494
http://www.intake-tree.com/f619/?E9W=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&NC=ptGp
http://www.smartinnoventions.com/f619/ - rule_id: 33493
http://www.smartinnoventions.com/f619/
http://www.gospelfy.online/f619/?E9W=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&NC=ptGp - rule_id: 33496
http://www.gospelfy.online/f619/?E9W=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&NC=ptGp
http://www.stephenwang.photography/f619/?E9W=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&NC=ptGp - rule_id: 33499
http://www.stephenwang.photography/f619/?E9W=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&NC=ptGp
http://www.skillfulp10.buzz/f619/ - rule_id: 33500
http://www.skillfulp10.buzz/f619/
http://www.stephenwang.photography/f619/ - rule_id: 33499
http://www.stephenwang.photography/f619/
http://www.sockmomma.com/f619/ - rule_id: 33498
http://www.sockmomma.com/f619/
http://www.28588v.com/f619/?E9W=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&NC=ptGp - rule_id: 33501
http://www.28588v.com/f619/?E9W=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&NC=ptGp
http://www.intake-tree.com/f619/ - rule_id: 33494
http://www.intake-tree.com/f619/
http://www.smartinnoventions.com/f619/?E9W=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&NC=ptGp - rule_id: 33493
http://www.smartinnoventions.com/f619/?E9W=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&NC=ptGp
http://www.sockmomma.com/f619/?E9W=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&NC=ptGp - rule_id: 33498
http://www.sockmomma.com/f619/?E9W=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&NC=ptGp
http://www.queenkidul.com/f619/ - rule_id: 33497
http://www.queenkidul.com/f619/
http://www.queenkidul.com/f619/?E9W=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&NC=ptGp - rule_id: 33497
|
19
www.towfire.life(67.223.117.160) - mailcious
www.stephenwang.photography(208.113.186.56) - mailcious
www.queenkidul.com(45.130.230.191) - mailcious
www.smartinnoventions.com(5.157.87.204) - mailcious
www.gospelfy.online(185.27.134.115) - mailcious
www.sockmomma.com(154.94.121.119) - mailcious
www.skillfulp10.buzz(172.67.194.173) - mailcious
www.intake-tree.com(54.91.6.89) - mailcious
www.28588v.com(137.220.202.242) - mailcious
54.196.16.164
104.21.34.8 - mailcious
208.113.186.56 - mailcious
67.223.117.160 - mailcious
185.27.134.115 - mailcious
154.94.121.119 - mailcious
137.220.202.242
45.130.230.191 - mailcious
45.33.6.223
5.157.87.204 - mailcious
|
4
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO HTTP Request to a *.buzz domain
ET MALWARE FormBook CnC Checkin (GET)
|
18
http://www.towfire.life/f619/
http://www.towfire.life/f619/
http://www.skillfulp10.buzz/f619/
http://www.28588v.com/f619/
http://www.gospelfy.online/f619/
http://www.intake-tree.com/f619/
http://www.smartinnoventions.com/f619/
http://www.gospelfy.online/f619/
http://www.stephenwang.photography/f619/
http://www.skillfulp10.buzz/f619/
http://www.stephenwang.photography/f619/
http://www.sockmomma.com/f619/
http://www.28588v.com/f619/
http://www.intake-tree.com/f619/
http://www.smartinnoventions.com/f619/
http://www.sockmomma.com/f619/
http://www.queenkidul.com/f619/
http://www.queenkidul.com/f619/
|
2.4 | M | | ZeroCERT
17059 | 2023-05-18 09:58 |
buggzx.exe d29862a821bc742d24c346287c79ca1a Loki_b Loki_m PWS .NET framework Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/bugg/five/fre.php
|
2
137.220.225.73
185.246.220.60 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
15.0 | M | 31 | ZeroCERT
17060 | 2023-05-18 09:58 |
jjjj%23%23%23%23%23%23%23%23%2... f2af555f26393f34180a3845e92ba1cb Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
22
http://www.queenkidul.com/f619/?O7pS=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&CP-m=8c92fQNKIzrCDRX
http://www.stephenwang.photography/f619/?O7pS=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&CP-m=8c92fQNKIzrCDRX
http://www.intake-tree.com/f619/?O7pS=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&CP-m=8c92fQNKIzrCDRX
http://www.towfire.life/f619/ - rule_id: 33475
http://www.towfire.life/f619/
http://www.smartinnoventions.com/f619/?O7pS=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&CP-m=8c92fQNKIzrCDRX
http://www.28588v.com/f619/
http://www.gospelfy.online/f619/?O7pS=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&CP-m=8c92fQNKIzrCDRX
http://www.towfire.life/f619/?O7pS=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&CP-m=8c92fQNKIzrCDRX - rule_id: 33475
http://www.towfire.life/f619/?O7pS=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&CP-m=8c92fQNKIzrCDRX
http://www.gospelfy.online/f619/
http://www.stephenwang.photography/f619/
http://www.smartinnoventions.com/f619/
http://www.skillfulp10.buzz/f619/?O7pS=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&CP-m=8c92fQNKIzrCDRX
http://www.skillfulp10.buzz/f619/
http://195.201.147.116/433/vbc.exe
http://www.sockmomma.com/f619/
http://www.sockmomma.com/f619/?O7pS=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&CP-m=8c92fQNKIzrCDRX
http://www.intake-tree.com/f619/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.queenkidul.com/f619/
http://www.28588v.com/f619/?O7pS=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&CP-m=8c92fQNKIzrCDRX
|
20
www.towfire.life(67.223.117.160)
www.stephenwang.photography(208.113.186.56)
www.queenkidul.com(45.130.230.191)
www.smartinnoventions.com(5.157.87.204)
www.gospelfy.online(185.27.134.115)
www.sockmomma.com(154.94.121.119)
www.skillfulp10.buzz(104.21.34.8)
www.intake-tree.com(34.201.80.84)
www.28588v.com(137.220.225.73)
54.196.16.164
104.21.34.8
208.113.186.56
67.223.117.160
137.220.225.73
154.94.121.119
185.27.134.115 - mailcious
195.201.147.116 - mailcious
45.130.230.191
45.33.6.223
5.157.87.204 - mailcious
|
13
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO HTTP Request to Suspicious *.life Domain
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
ET MALWARE FormBook CnC Checkin (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to a *.buzz domain
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.towfire.life/f619/
http://www.towfire.life/f619/
|
4.0 | M | | ZeroCERT
17061 | 2023-05-18 09:54 |
papilazx.exe 589fc2b85730cb3a14c1ba64b8a4693d PWS .NET framework Anti_VM .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
3.2 | M | 40 | ZeroCERT
17062 | 2023-05-18 09:53 |
135.exe c3359aec2c64c031a1e9f65c6520ed0f UPX PE File PE32 Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Malicious Traffic Checks debugger buffers extracted unpack itself Collect installed applications sandbox evasion installed browsers check Ransomware Browser ComputerName Firmware DNS crashed |
1
http://185.99.133.246/c2sock
|
1
|
1
SURICATA HTTP unable to match response to request
|
|
9.4 | M | 20 | ZeroCERT
17063 | 2023-05-18 09:50 |
ASSS%23%23%23%23%23%23%23%23%2... 047fef24cc2235db39d3eb1551be28bf MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
12
http://www.mjsink.com/f619/?8h-zwsZ=QohnKbePrODEc2nRtJyzKv2nV7sTIQ5Qx9yDXgwt8Ie8gSFBAbmvCJj6zIyweYgDzy/0i+4z3xbiwRYsSsB8T6DnOWQEfeuCAQefg3Q=&XoCV09=Pw3IzxRA7ICfJT
http://www.towfire.life/f619/
http://www.mjsink.com/f619/
http://www.ginbaochip.com/f619/?8h-zwsZ=J8+hP/zSxq0se/+LWXXRGMthd5MtqREYtVha/m82I85cLREj8S8ix7RpcjqSy8HBHkmEBC3cSxdy+flYH4rJd56MdeRk/rncEkBsCJA=&XoCV09=Pw3IzxRA7ICfJT
http://www.marketing-solution.net/f619/?8h-zwsZ=7aEb1be+dODnXJS70ht2rOIyRE7tt83KP3MXokAl2sed9H5NqFjOq19haFrbwR5XS7xCcbMG4E83Por5kDVXeeM4WTNIDHd3Sc1+pdc=&XoCV09=Pw3IzxRA7ICfJT
http://www.regnerjanet.xyz/f619/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
http://www.marketing-solution.net/f619/
http://www.towfire.life/f619/?8h-zwsZ=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&XoCV09=Pw3IzxRA7ICfJT
http://www.regnerjanet.xyz/f619/?8h-zwsZ=6wuoF5Ocy4AJpvQBu7Oine5RwOGmLKsd0ov4HSbRQC4ETZ6v/roT0yDkqgD/NT0BDr09cLMaIgNt2KmG3oCiS9IXpK2jSgOlbsyy8aE=&XoCV09=Pw3IzxRA7ICfJT
http://www.ginbaochip.com/f619/
http://195.201.147.116/422/vbc.exe
|
12
www.marketing-solution.net(91.195.240.45)
www.towfire.life(67.223.117.160)
www.mjsink.com(104.21.88.53)
www.regnerjanet.xyz(109.123.121.243)
www.ginbaochip.com(210.16.189.19)
109.123.121.243 - mailcious
67.223.117.160
210.16.189.19
195.201.147.116 - mailcious
91.195.240.45 - mailcious
172.67.173.11
45.33.6.223
|
12
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO HTTP Request to Suspicious *.life Domain
ET MALWARE FormBook CnC Checkin (POST) M2
ET INFO Observed DNS Query to .life TLD
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
5.4 | M | 30 | ZeroCERT
17064 | 2023-05-18 09:48 |
llaa25.exe aec63ca0e90ee3b2f811656ae8747e9e Gen2 Gen1 Generic Malware Malicious Packer PE64 PE File Browser Info Stealer VirusTotal Malware PDB MachineGuid buffers extracted unpack itself Check virtual network interfaces Tofsee Browser RCE crashed |
4
http://as.imgjeoigaa.com/check/safe
http://us.imgjeoigaa.com/sts/imagc.jpg
https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F
https://adsmanager.facebook.com/ads/manager/account_settings/account_billing/
|
8
as.imgjeoigaa.com(39.109.117.57)
www.facebook.com(157.240.215.35)
adsmanager.facebook.com(157.240.215.16)
us.imgjeoigaa.com(154.221.19.146)
154.221.19.146
157.240.215.35
157.240.215.16
39.109.117.57
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Double User-Agent (User-Agent User-Agent)
|
|
4.4 | M | 16 | ZeroCERT
17065 | 2023-05-18 09:47 |
build.exe c82632236e77359b2aaa32e0cc38cd99 Loki_b Loki_m Gen1 Suspicious_Script_Bin Generic Malware UPX Malicious Library Malicious Packer DGA Socket DNS PWS[m] Http API Internet API ScreenShot Code injection AntiDebug AntiVM OS Processor Check PE File PE32 DLL Browser Info Stealer Malware download FTP Client Info Stealer Dridex VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Telegram AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName DNS Software |
8
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://zexeq.com/raud/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true - rule_id: 31029
http://116.203.165.188/9dfa7ee730fa2f1efb5ed51dbbec22f5
http://116.203.165.188/
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://116.203.165.188/config.zip
https://steamcommunity.com/profiles/76561199263069598 - rule_id: 32753
https://t.me/cybehost
|
11
t.me(149.154.167.99) - mailcious
colisumy.com(175.119.10.231) - malware
api.2ip.ua(162.0.217.254)
steamcommunity.com(69.192.92.139) - mailcious
zexeq.com(201.124.218.111) - malware
149.154.167.99 - mailcious
23.37.146.163
123.140.161.243 - mailcious
162.0.217.254
116.203.165.188
222.236.49.124
|
12
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO TLS Handshake Failure
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Dotted Quad Host ZIP Request
|
4
http://colisumy.com/dl/build2.exe
http://zexeq.com/raud/get.php
http://zexeq.com/files/1/build3.exe
https://steamcommunity.com/profiles/76561199263069598
|
18.8 | M | 22 | ZeroCERT
17066 | 2023-05-18 09:45 |
vbc.exe 2e84d5556bb37fcecb8cf7942a70606a PWS .NET framework Generic Malware Antivirus PWS[m] Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
13
http://www.regnerjanet.xyz/f619/?umuRf1-z=6wuoF5Ocy4AJpvQBu7Oine5RwOGmLKsd0ov4HSbRQC4ETZ6v/roT0yDkqgD/NT0BDr09cLMaIgNt2KmG3oCiS9IXpK2jSgOlbsyy8aE=&dn=Hu_4
http://www.marketing-solution.net/f619/?umuRf1-z=7aEb1be+dODnXJS70ht2rOIyRE7tt83KP3MXokAl2sed9H5NqFjOq19haFrbwR5XS7xCcbMG4E83Por5kDVXeeM4WTNIDHd3Sc1+pdc=&dn=Hu_4
http://www.energytransfer.online/f619/?umuRf1-z=imAs1hkpHrLTTkkyOgnH89N/E9bMOyYXgY//e0ZAWIltUe1JjhRFlIwaBCyG3+J8qMS7wCwKaJDJAhWlf84Z7A+nWgiGhVr1qYjHL9w=&dn=Hu_4
http://www.towfire.life/f619/
http://www.mjsink.com/f619/
http://www.energytransfer.online/f619/
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
http://www.regnerjanet.xyz/f619/
http://www.marketing-solution.net/f619/
http://www.ginbaochip.com/f619/
http://www.mjsink.com/f619/?umuRf1-z=QohnKbePrODEc2nRtJyzKv2nV7sTIQ5Qx9yDXgwt8Ie8gSFBAbmvCJj6zIyweYgDzy/0i+4z3xbiwRYsSsB8T6DnOWQEfeuCAQefg3Q=&dn=Hu_4
http://www.towfire.life/f619/?umuRf1-z=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&dn=Hu_4
http://www.ginbaochip.com/f619/?umuRf1-z=J8+hP/zSxq0se/+LWXXRGMthd5MtqREYtVha/m82I85cLREj8S8ix7RpcjqSy8HBHkmEBC3cSxdy+flYH4rJd56MdeRk/rncEkBsCJA=&dn=Hu_4
|
13
www.marketing-solution.net(91.195.240.45)
www.towfire.life(67.223.117.160)
www.energytransfer.online(84.32.84.32)
www.mjsink.com(172.67.173.11)
www.regnerjanet.xyz(109.123.121.243)
www.ginbaochip.com(210.16.189.19)
109.123.121.243 - mailcious
84.32.84.32 - mailcious
67.223.117.160
210.16.189.19
91.195.240.45 - mailcious
172.67.173.11
45.33.6.223
|
4
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
12.4 | M | 48 | ZeroCERT
17067 | 2023-05-18 09:43 |
setupcode.exe 28aa586922822ebcfd3254bb9bae053a UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
1.6 | M | 29 | ZeroCERT
17068 | 2023-05-18 09:41 |
buildnew.exe 15e49c65d2ec8fa2294fa13b91550a0a UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
1.8 | M | 30 | ZeroCERT
17069 | 2023-05-18 09:41 |
fred.exe 49fb581e3d3ed6fbd834aff980244e36 PWS .NET framework Anti_VM .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 | M | 43 | ZeroCERT
17070 | 2023-05-18 09:39 |
Financials-05-16-23-PDF.exe 03c3f979feffbf02e7ab9a66f9a1f7b4 RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW Tofsee ComputerName |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
oshi.at(5.253.86.15) - malware
5.253.86.15 - mailcious
121.254.136.57
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 | M | 30 | ZeroCERT