Entry 17281 | 2023-06-08 17:43
Sample: wininit.exe
MD5: 4c46bfbd4f6224963065eede69e80f7d
Tags: Malicious Library PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself DNS
URLs: 16
Hosts: 18
Signatures: 5
ET MALWARE FormBook CnC Checkin (POST) M2
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 3.6 | M | 47 | ZeroCERT
Entry 17282 | 2023-06-08 17:43
Sample: wininit.exe
MD5: 8f25fe4c31de1a795ca154d7dacad298
Tags: UPX Malicious Library PE File PE32 JPEG Format DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed
Score: 3.6 | M | 28 | ZeroCERT
Entry 17283 | 2023-06-08 17:41
Sample: snappyshop.it_img_docse.php.ps...
MD5: 3e2fdbdefa7c8e16b351a46ed1afc33d
Tags: Generic Malware Antivirus AutoRuns Check memory unpack itself WriteConsoleW Windows Cryptographic key
URLs: 1
https://www.snappyshop.it/img/index.php
Score: 2.2 |  |  | ZeroCERT
Entry 17284 | 2023-06-08 17:40
Sample: SY.exe
MD5: 1190c6a8211a23925ec5342f1b457192
Tags: RAT email stealer Downloader Confuser .NET DNS Code injection PWS[m] Escalate priviledges persistence KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed
Hosts: 1
193.42.32.191 - mailcious
Score: 9.4 | M | 39 | ZeroCERT
Entry 17285 | 2023-06-08 17:40
Sample: clclcllclclclcllclclclclcllclc...
MD5: 3abfcd50698f63ec13889697874b0dfd
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs: 3
http://www.meter-ooh.com/xchu/?gdBt0P3x=RWcC4MkZSDk3mPucx988ojlBmNB6jNKUkkXC2Ajox5pIO+tnQ1elShzyRn23Myu/RX+OuZHb&M6Al=2dcphnL0DpFDjd
http://107.172.148.217/cl/zbXCSdHkU190.bin
http://107.172.148.217/23/cleanmgr.exe
Hosts: 5
www.nadiya.online()
www.meter-ooh.com(194.58.112.174)
194.58.112.174 - mailcious
107.172.148.217 - malware
156.237.242.36
Signatures: 7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE FormBook CnC Checkin (GET)
Score: 4.6 | M | 30 | ZeroCERT
Entry 17286 | 2023-06-08 17:39
Sample: mdmdmdmdmdmmdmdm%23%23%23%23%2...
MD5: ce692ee68ccc4b7fb7381f0eabfa6891
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs: 16
Hosts: 19
Signatures: 11
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 5.4 | M | 31 | ZeroCERT
Entry 17287 | 2023-06-08 17:38
Sample: mimimimimimimiimii%23%23%23%23...
MD5: f773fdea0e32c51ffea025bc50767210
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
URLs: 4
http://www.360elemental.com/be03/?GVTh=jhI+vywCMt2npbDJzeD9/lYKEbD8JLwdnODL6xC0Csx6vWRUimADe+yjE737e9SxfNKLZW43&uzu8=jjIxZ4h8M02li4
http://107.172.148.208/mi/md/kp/HSuJRpsszEVxY182.bin
http://www.patronbases.cfd/be03/?GVTh=az/6JVy9Wk8RCbLeWnMudjda35MxTzQJIXkn0z0Udyq1fOX35xGGHIaA46RMb3EB8oPHqyzU&uzu8=jjIxZ4h8M02li4
http://103.170.120.247/winSpace/wininit.exe
Hosts: 6
www.patronbases.cfd(109.123.121.243)
www.360elemental.com(91.195.240.123)
109.123.121.243 - mailcious
103.170.120.247 - malware
107.172.148.208 - mailcious
91.195.240.123 - mailcious
Signatures: 7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE Generic .bin download from Dotted Quad
Score: 5.0 | M | 30 | ZeroCERT
Entry 17288 | 2023-06-08 17:36
Sample: cleanmgr.exe
MD5: e95742503cd258666b61c5dde8a9003a
Tags: UPX Malicious Library PE File PE32 JPEG Format DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder DNS
Hosts: 1
Score: 3.4 | M | 20 | ZeroCERT
Entry 17289 | 2023-06-08 17:36
Sample: ijoijoijoijoijoijoijoijoijoijo...
MD5: e230816a29bb8af0b5f24adfbe5eff62
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs: 4
http://www.triciaaprimrosevp.com/xchu/?tzrL=FfQWrZf95VxT5fbFP2ouR8u1gr6XUpPNH6jyiiRwDUjhhUhOx6/nNPit9Ft1WefXL/7Zht0A&1bYHT=mzrd
http://107.172.148.217/il/AzGEADokio218.bin
http://www.nilhanzsa.net/xchu/?tzrL=UpdBoqvO0VuPJxPINRTvivST/MoTuXfbqSvNaVPeAJ6CiCHZFJ6wtB6ckIFoxPORzmMfQmkP&1bYHT=mzrd
http://107.172.148.217/533/hkcmd.exe
Hosts: 6
www.nilhanzsa.net(64.98.135.11)
www.castilloshowroom.com()
www.triciaaprimrosevp.com(165.160.15.20)
64.98.135.11
165.160.15.20 - mailcious
107.172.148.217 - malware
Signatures: 7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE FormBook CnC Checkin (GET)
Score: 5.0 | M | 30 | ZeroCERT
Entry 17290 | 2023-06-08 17:34
Sample: remcos_a2.exe
MD5: 9aa44989b63c667ede9f25e26497c20f
Tags: Generic Malware UPX Malicious Library Downloader Malicious Packer OS Processor Check PE File PE32 Malware download Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Windows DNS
URLs: 1
http://geoplugin.net/json.gp
Hosts: 3
geoplugin.net(178.237.33.50)
178.237.33.50
94.142.138.111 - malware
Signatures: 2
ET MALWARE Remcos 3.x Unencrypted Checkin
ET MALWARE Remcos 3.x Unencrypted Server Response
Score: 3.6 | M | 60 | ZeroCERT
Entry 17291 | 2023-06-08 17:33
Sample: rsrsrsrsrsrrsrsrsrsrsrsrssrsrs...
MD5: 39669a47b553f5d6b3ed6b730d7852f9
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit crashed
Score: 3.6 | M | 30 | ZeroCERT
Entry 17292 | 2023-06-08 14:02
Sample: photo250.exe
MD5: e53eb222dce17efcdcac2c00cacb6c45
Tags: RedLine stealer[m] Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs: 3
http://77.91.68.30/music/rock/index.php - rule_id: 34087
http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
Hosts: 2
83.97.73.129 - mailcious
77.91.68.30 - malware
Signatures: 9
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Matched URLs: 3
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/music/rock/Plugins/cred64.dll
http://77.91.68.30/music/rock/Plugins/clip64.dll
Score: 20.8 | M |  | ZeroCERT
Entry 17293 | 2023-06-08 14:00
Sample: photo250.exe
MD5: cf66c33d6331c8d39b8058b46d59c108
Tags: RedLine stealer[m] Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs: 3
http://77.91.68.30/music/rock/index.php - rule_id: 34087
http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
Hosts: 2
77.91.68.30 - malware
83.97.73.129 - mailcious
Signatures: 9
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Matched URLs: 3
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/music/rock/Plugins/cred64.dll
http://77.91.68.30/music/rock/Plugins/clip64.dll
Score: 20.6 | M |  | ZeroCERT
Entry 17294 | 2023-06-08 13:59
Sample: 2.exe
MD5: 991184ef5c59ae33725e99a2e828ef8e
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
Score: 2.0 | M | 35 | ZeroCERT
Entry 17295 | 2023-06-08 13:47
Sample: hostdll.exe
MD5: d8c387e22a23fcdac8444ff9d43ebef8
Tags: Generic Malware UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns Check memory RWX flags setting AntiVM_Disk suspicious TLD sandbox evasion VM Disk Size Check Windows Browser DNS
Hosts: 2
imtieken.top(152.32.138.112)
152.32.138.112
Signatures: 1
ET DNS Query to a *.top domain - Likely Hostile
Score: 4.2 |  | 60 | ZeroCERT