17251 | 2023-06-09 16:18
SOA-0438.xlsx 261cc699f2de3e15d63c9a9180cb8625
Tags: ZIP Format Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (3):
http://109.206.240.64/HBZ.exe
http://geoplugin.net/json.gp
http://109.206.240.64/tl/ZriAIHCKuK34.bin
Hosts (5): geoplugin.net(178.237.33.50) gdyhjjdhbvxgsfe.gotdns.ch(45.81.39.214) - mailcious 109.206.240.64 - malware 178.237.33.50 45.81.39.214
IDS alerts (7):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Generic .bin download from Dotted Quad
ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain
ET JA3 Hash - Remcos 3.x TLS Connection
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.2 | 37 | ZeroCERT

17252 | 2023-06-09 15:50
LokiLocker.exe d03823a205919b6927f3fa3164be5ac5
Tags: UltraVNC UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware powershell AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW shadowcopy delete Ransom Message Turn off Windows Error Recovery notification window Firewall state off anti-virtualization Creates autorun.inf IP Check VM Disk Size Check human activity check installed browsers check Windows Browser ComputerName Cryptographic key crashed
URLs (1):
Hosts (2): ip-api.com(208.95.112.1) 208.95.112.1
IDS alerts (1):
ET POLICY External IP Lookup ip-api.com
18.6 | 56 | ZeroCERT

17253 | 2023-06-09 11:12
upgrade.exe a07dc64946ef6ed57eb50821ee02415b
Tags: UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed
2.0 | M | 33 | ZeroCERT

17254 | 2023-06-09 11:06
64.exe 67dfc7730a6d14715de7b28db5f23c0b
Tags: Hide_EXE Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder suspicious TLD sandbox evasion WriteConsoleW Windows RCE DNS
Hosts (2): cloudbase-init.pw(114.202.175.143) - mailcious 114.202.175.143 - malware
IDS alerts (1):
ET DNS Query to a *.pw domain - Likely Hostile
6.4 | 65 | ZeroCERT

17255 | 2023-06-09 11:05
xmrig.exe 1e7094119ed8a4415c7549c19d771a71
Tags: Generic Malware UPX Malicious Library Malicious Packer PE File PE32 PE64 OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities Auto service suspicious process AppData folder suspicious TLD WriteConsoleW Windows RCE DNS
Hosts (3): mys.cloudbase-init.pw(186.125.222.162) my.cloudbase-init.pw(186.125.222.162) 186.125.222.162
IDS alerts (1):
ET DNS Query to a *.pw domain - Likely Hostile
9.2 | 56 | ZeroCERT

17256 | 2023-06-09 10:03
default-browser-agent.exe 828dda50caa47e37c427142e216c373f
Tags: PE64 PE File Malware download VirusTotal Cryptocurrency Miner Malware Phishing Cryptocurrency Malicious Traffic unpack itself Windows DNS CoinMiner
URLs (1):
http://ppanel.freaktorrentz.xyz/x/y/z/WebPanel/api/endpoint.php - rule_id: 34184
Hosts (8): ppanel.freaktorrentz.xyz(188.165.24.131) - mailcious conn.gta5cheatcode.world(194.180.48.231) - mailcious pastebin.com(172.67.34.170) - mailcious gulf.moneroocean.stream(54.250.156.221) - mailcious 54.250.156.221 188.165.24.131 - malware 194.180.48.231 - malware 104.20.67.143 - mailcious
IDS alerts (6):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
ET MALWARE Win32/Pripyat Activity (POST)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
ET POLICY Cryptocurrency Miner Checkin
ET INFO Observed DNS Query to .world TLD
Additional URL (1):
http://ppanel.freaktorrentz.xyz/x/y/z/WebPanel/api/endpoint.php
2.8 | M | 23 | ZeroCERT

17257 | 2023-06-09 09:25
mobsync.exe 828dda50caa47e37c427142e216c373f
Tags: PE64 PE File Malware download VirusTotal Cryptocurrency Miner Malware Phishing Cryptocurrency Malicious Traffic unpack itself Windows DNS CoinMiner
URLs (1):
http://ppanel.freaktorrentz.xyz/x/y/z/WebPanel/api/endpoint.php
Hosts (8): gulf.moneroocean.stream(54.250.156.221) - mailcious ppanel.freaktorrentz.xyz(188.165.24.131) conn.gta5cheatcode.world(194.180.48.231) pastebin.com(172.67.34.170) - mailcious 54.250.156.221 188.165.24.131 - malware 194.180.48.231 - malware 172.67.34.170 - mailcious
IDS alerts (6):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET INFO Observed DNS Query to .world TLD
ET POLICY Cryptocurrency Miner Checkin
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
ET MALWARE Win32/Pripyat Activity (POST)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
2.8 | 23 | ZeroCERT

17258 | 2023-06-09 09:16
dxpserver.exe bfcffc1ba90629e540fd23ad570db1d5
Tags: RAT PE64 PE File VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces
URLs (1):
http://file.xhamsterrr.com/v/panel/uploads/Amdjgsj.dat
Hosts (2): file.xhamsterrr.com(188.165.24.131) 188.165.24.131 - malware
3.8 | M | 20 | ZeroCERT

17259 | 2023-06-09 09:02
5943.js 76f6a06e23970b7eb45cabba0418a5d2
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell ZIP Format powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
https://fuelrescue.ie/wp/
Hosts (2): fuelrescue.ie(185.2.67.20) 185.2.67.20
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | ZeroCERT

17260 | 2023-06-09 07:57
netTime.exe 19197b3174a5f441696e23f7e8b8c33a
Tags: PWS .NET framework RAT Generic Malware UPX Malicious Packer Antivirus OS Processor Check PE64 PE File suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process Windows ComputerName RCE Cryptographic key
4.6 | ZeroCERT

17261 | 2023-06-09 07:36
cleanmgr.exe f503da8eee4e7cd822239110b488b08b
Tags: AgentTesla RAT browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 PE64 Remcos Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows DNS DDNS
URLs (2):
http://geoplugin.net/json.gp
http://84.54.50.31/D/YY.exe
Hosts (5): geoplugin.net(178.237.33.50) pekonomiana.duckdns.org(134.19.179.211) - mailcious 178.237.33.50 84.54.50.31 - malware 134.19.179.211 - mailcious
IDS alerts (7):
ET INFO Executable Download from dotted-quad Host
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
11.0 | M | ZeroCERT

17262 | 2023-06-09 07:33
fbfbfbfbfbfbfbfbfbfbfbfbffbf%2... 7e59937dcacd711b717c66c93b90e398
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS DDNS crashed
URLs (3):
http://geoplugin.net/json.gp
http://45.83.140.48/420/cleanmgr.exe
http://84.54.50.31/D/YY.exe
Hosts (6): geoplugin.net(178.237.33.50) pekonomiana.duckdns.org(134.19.179.211) - mailcious 178.237.33.50 84.54.50.31 - malware 45.83.140.48 134.19.179.211 - mailcious
IDS alerts (9):
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
4.4 | M | ZeroCERT

17263 | 2023-06-08 19:29
hkcmd.exe d2a06a7386680bc248d79c2974f9b0cf
Tags: UPX Malicious Library PE File PE32 DLL PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.4 | M | 22 | ZeroCERT

17264 | 2023-06-08 19:26
systemwp.php e48ed194f54c5df7938c9575c7e84261
Tags: ZIP Format
ZeroCERT

17265 | 2023-06-08 19:06
icicicicicicicicicicicicicic%2... f5879c1be334d16e12d50db0fd3c233f
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (2):
http://192.3.176.146/311/hkcmd.exe
http://107.172.148.208/blk/jzKrFwCeIEvTEpb62.bin
Hosts (2): 192.3.176.146 107.172.148.208 - mailcious
IDS alerts (6):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.6 | 31 | ZeroCERT