17341 |
2023-06-07 07:50
|
BMKNJPO87.exe 1d45466db6f73b1f93161e33b9cad371 Formbook AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS |
11
http://www.windmarkdijital.xyz/p9ao/?7Gi=+bmephAqYj2sPehVYG+6vylNZ9xTD57k0www/64WlyporzTS/DQK9Cj9E45l2PnpvASrzBKQ+MTFYh98/e7cSFktWy6uJymQpJPkUO8=&Yg0pd=0Gq1uMaLm1WDER - rule_id: 33956 http://www.g2g2sport.xyz/p9ao/?7Gi=XT67LxJVileSUZubvPnUPegaTgZ/6jQtKal3VjDKoEwa5II03LuvqSNChaRu2iUoBEt/Y1rs6QWzksNnW/YxdPu4ukuWTQMQOAWrwp4=&Yg0pd=0Gq1uMaLm1WDER - rule_id: 33955 http://www.suzheng22.top/p9ao/ - rule_id: 33954 http://www.bluhenhalfte.xyz/p9ao/?7Gi=vRFPeW+a5eWj78d95ZChSzUnWBErJOu6BL+rqrQuXzoLgBIyf+8wG4E0yzEkSL259muf+heCu3SYFxv43Rue+P6JisHwLR8+s0aKyro=&Yg0pd=0Gq1uMaLm1WDER - rule_id: 33953 http://www.windmarkdijital.xyz/p9ao/ - rule_id: 33956 http://www.solarwachstum.com/p9ao/ - rule_id: 33952 http://www.solarwachstum.com/p9ao/?7Gi=CRBGmlvLKSdWYJTLFdYUqNcl5XacT7p2l/bsj7rBz10wHnkWrMrpIEuQZVcc3zXzkIzXuCRWtiUMrr5dZy1sHRpRgJUYDyiz+Rr4X1g=&Yg0pd=0Gq1uMaLm1WDER - rule_id: 33952 http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip http://www.bluhenhalfte.xyz/p9ao/ - rule_id: 33953 http://www.suzheng22.top/p9ao/?7Gi=UF1gbyBA2KpG8m0Rm9ehbXR0zJmaFb1dyUpi9VFZIpYgOTVtiTl0F+cTQPY8C/xJkCHyK8gaxezu3hN4hseR4mpCn7WT9y60MQraZ8Q=&Yg0pd=0Gq1uMaLm1WDER - rule_id: 33954 http://www.g2g2sport.xyz/p9ao/ - rule_id: 33955
|
11
www.bluhenhalfte.xyz(109.123.121.243) - mailcious www.suzheng22.top(104.21.42.144) - mailcious www.solarwachstum.com(89.31.143.1) - mailcious www.g2g2sport.xyz(198.54.117.210) - mailcious www.windmarkdijital.xyz(85.159.66.93) - mailcious 109.123.121.243 - mailcious 85.159.66.93 - mailcious 89.31.143.1 - mailcious 172.67.162.131 - mailcious 198.54.117.216 - phishing 45.33.6.223
|
5
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Request to .XYZ Domain with Minimal Headers
|
10
http://www.windmarkdijital.xyz/p9ao/ http://www.g2g2sport.xyz/p9ao/ http://www.suzheng22.top/p9ao/ http://www.bluhenhalfte.xyz/p9ao/ http://www.windmarkdijital.xyz/p9ao/ http://www.solarwachstum.com/p9ao/ http://www.solarwachstum.com/p9ao/ http://www.bluhenhalfte.xyz/p9ao/ http://www.suzheng22.top/p9ao/ http://www.g2g2sport.xyz/p9ao/
|
9.6 |
M |
49 |
ZeroCERT
17342 |
2023-06-07 07:47
|
achform.docx 2a824a7c1f57740354cdf6a3275df44f Doc XML Downloader ZIP Format Word 2007 file format(docx) Vulnerability unpack itself |
|
|
|
|
1.8 |
M |
|
ZeroCERT
17343 |
2023-06-07 07:45
|
Jonh.exe 99c0cd96d46794e20fa539b20e4cff64 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
|
|
|
2.0 |
M |
24 |
ZeroCERT
17344 |
2023-06-07 07:43
|
88999.exe ee9f9565049005c3fc1dfd32db706ef8 UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Creates executable files unpack itself AppData folder Tofsee Windows RCE DNS |
3
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 http://107.151.204.57:9985/NetSyst96.dll https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
|
4
users.qzone.qq.com(58.250.136.113) - mailcious 103.97.178.89 107.151.204.57 58.250.136.113
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET HUNTING Rejetto HTTP File Sever Response
|
|
8.0 |
|
57 |
ZeroCERT
17345 |
2023-06-07 07:41
|
ceshi.exe 25214ee067e1480fa57f0ffd143ebb03 Malicious Library PE File PE32 VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Creates executable files unpack itself suspicious TLD Windows DNS |
2
http://103.97.178.89/NetSyst96.dll
http://zlaiyy.top/NetSyst96.dll
|
4
zlaiyy.top(103.97.178.89) 103.97.178.89
121.254.136.27
45.12.253.105 - malware
|
4
ET DNS Query to a *.top domain - Likely Hostile ET INFO Dotted Quad Host DLL Request ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible)) ET HUNTING Rejetto HTTP File Sever Response
|
|
6.8 |
|
58 |
ZeroCERT
17346 |
2023-06-07 07:40
|
Installer.exe 38b258c567b378058ac5cad63ab59584 UPX OS Processor Check PE File PE32 VirusTotal Malware Checks debugger unpack itself |
4
http://apps.identrust.com/roots/dstrootcax3.p7c http://www.gstatic.com/generate_204 http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/n3xmszuzmcp4pxq3qhmant63nm_9.45.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.45.0_all_ecp3yewcq3fuvht5wyi7t7s37y.crx3 http://clients2.google.com/time/1/current?cup2key=4:3591542034&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
18
edgedl.me.gvt1.com(34.104.35.123) www.google.com(142.250.207.100) www.gstatic.com(142.250.207.99) cdn.stubdownloader.services.mozilla.com(34.120.48.173) fonts.googleapis.com(142.250.206.202) accounts.google.com(172.217.25.173) _googlecast._tcp.local() fonts.gstatic.com(142.250.206.227) apis.google.com(142.250.76.142) 142.251.220.67 142.250.204.142 142.250.204.36 216.58.200.237 121.254.136.27 34.104.35.123 34.120.48.173 142.251.222.195 172.217.25.10
|
|
|
2.4 |
|
32 |
ZeroCERT
17347 |
2023-06-07 07:38
|
BBHhHhB.exe 543e32d9617d5851aef813fe77310a84 RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
|
2
hydramecs.com(45.12.253.105) - malware 45.12.253.105 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
43 |
ZeroCERT
17348 |
2023-06-07 07:37
|
H.exe a5a287e329d02dd5d3d7a33927f8c010 Formbook AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself suspicious TLD DNS |
19
http://www.kp69f.top/6huu/?YAqknid=c/0CEmjcp1qhbjrBdr7qFpTEdTMNmdGL+2G3nk26J8C5sXkvdYxGabdoDx2ERzE1q79WMkYCDIvd6DDSGqF5RzVKrD1kqEcaGqxbLU4=&u1E6=Oxybn - rule_id: 33944 http://www.0096061.com/6huu/ - rule_id: 33949 http://www.solarwachstum.com/6huu/?YAqknid=w02mQAblJWbyIo6ozgnxrIUPRxqR4gn//aKR4b4C2qQSYqcw3Vi29oLFIvtOIeXnZF+XC4+RsLS3HuGm7zRt9dlAuIsc4gbzWXQ9ldM=&u1E6=Oxybn - rule_id: 33943 http://www.14zhibo.work/6huu/ - rule_id: 33945 http://www.lancele.com/6huu/?YAqknid=lkPChsOgbmG6IllhHTLtf7ULj1acQ37do+96zoOFU1wEZ7Q3pDLdySJi8tX/LksgKKJ2zleSV8oD4OY5SI7MA2q2BuCSDDIq7z8yKSo=&u1E6=Oxybn - rule_id: 33947 http://www.kp69f.top/6huu/ - rule_id: 33944 http://www.lancele.com/6huu/ - rule_id: 33947 http://www.0096061.com/6huu/?YAqknid=cmX/07TqI3ZVBqSk8R867+hdp8bVOoL06AzKIpvdRFeyAj6hvaaJUHhkQ/toAIcVWWdRQEgjpGpGrDxsMG4sQneWN+dP3qrEhepv/3Q=&u1E6=Oxybn - rule_id: 33949 http://www.ticimmo.com/6huu/ - rule_id: 33951 http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip http://www.terrenoscampestres.com/6huu/?YAqknid=vPEZFS80w83TR1ISai5AEG4cZjK/Z0sPVYJxvP0qkrafDKWjEP7E989Tf/65iA6Wv6B2G+FeAz/F94bTMl2+G2T5U6uSTMLdr8gHGso=&u1E6=Oxybn - rule_id: 33950 http://www.qfx88.com/6huu/?YAqknid=ai4Hj7VNL/eal8v50vngd1esaVL80O28AVhmObBuZqCvkNevFGLtvLG4llGxYwRMqic01nY12J0ERo7jbuO1GzAlXIwPB2kWrkts/2A=&u1E6=Oxybn - rule_id: 33948 http://www.tarolstroy.store/6huu/ - rule_id: 33946 http://www.terrenoscampestres.com/6huu/ - rule_id: 33950 http://www.tarolstroy.store/6huu/?YAqknid=En7LCrBqRDvhnDHpczrHWaIedYbeAgZr6OxVyCrdWihd6XEAizhpO0j/kkT3E0Ail4lmu+00ROJTwCbrXgrUq/0FdQ7yD2DHgTmcEH4=&u1E6=Oxybn - rule_id: 33946 http://www.ticimmo.com/6huu/?YAqknid=TigSyFlwP0RNpBbhC/rdMwC8b/Qg/Ivp2etxz330Y/wAN2mEJT4yMf4cHTRgrqo8FsDkyKZ/RDxnb9SkkKZ8CLMuGFsv81COs/EjZGo=&u1E6=Oxybn - rule_id: 33951 http://www.14zhibo.work/6huu/?YAqknid=DY82kxx300f8Ik70WvLdREOGU4sx5WmLPZ3/q1TGOtAA9/Gzsd9nceuxwkKKmb1RPsemirf5O/kWho3f6FGpO5KONInBcJ6F+ssJurA=&u1E6=Oxybn - rule_id: 33945 http://www.qfx88.com/6huu/ - rule_id: 33948 
http://www.solarwachstum.com/6huu/ - rule_id: 33943
|
19
www.tarolstroy.store(91.106.207.17) - mailcious www.ticimmo.com(217.26.48.101) - mailcious www.kp69f.top(34.120.55.112) - mailcious www.14zhibo.work(43.154.196.178) - mailcious www.solarwachstum.com(89.31.143.1) - mailcious www.qfx88.com(120.48.139.92) - mailcious www.terrenoscampestres.com(109.106.251.102) - mailcious www.lancele.com(38.239.160.233) - mailcious www.0096061.com(154.55.172.139) - mailcious 43.154.196.178 - mailcious 38.239.160.233 - mailcious 154.55.172.139 - mailcious 109.106.251.102 - mailcious 120.48.139.92 - mailcious 34.149.198.43 - mailcious 89.31.143.1 - mailcious 217.26.48.101 - mailcious 45.33.6.223 91.106.207.17 - malware
|
7
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET INFO HTTP Request to Suspicious *.work Domain ET MALWARE FormBook CnC Checkin (POST) M2 ET INFO Observed DNS Query to .work TLD ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers
|
18
http://www.kp69f.top/6huu/ http://www.0096061.com/6huu/ http://www.solarwachstum.com/6huu/ http://www.14zhibo.work/6huu/ http://www.lancele.com/6huu/ http://www.kp69f.top/6huu/ http://www.lancele.com/6huu/ http://www.0096061.com/6huu/ http://www.ticimmo.com/6huu/ http://www.terrenoscampestres.com/6huu/ http://www.qfx88.com/6huu/ http://www.tarolstroy.store/6huu/ http://www.terrenoscampestres.com/6huu/ http://www.tarolstroy.store/6huu/ http://www.ticimmo.com/6huu/ http://www.14zhibo.work/6huu/ http://www.qfx88.com/6huu/ http://www.solarwachstum.com/6huu/
|
10.4 |
M |
48 |
ZeroCERT
17349 |
2023-06-07 07:36
|
A.exe 706c4e397de8260d889cf83ba6707e7c SMTP PWS[m] KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Browser Email ComputerName DNS DDNS crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(132.226.8.169) 193.122.6.168
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
10.4 |
M |
50 |
ZeroCERT
17350 |
2023-06-07 07:34
|
NA.exe 6c432a8b26bc0e068f23e88f69c0f565 DNS AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS |
|
3
ezemnia3.ddns.net(79.134.225.109) - mailcious 91.193.75.178 - mailcious 79.134.225.109
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
13.4 |
M |
50 |
ZeroCERT
17351 |
2023-06-07 07:32
|
BHHh.exe 96b0ccf071277093a2e02fd89ae05dcb RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
oshi.at(5.253.86.15) - malware 5.253.86.15 - mailcious 121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
51 |
ZeroCERT
17352 |
2023-06-07 07:30
|
wininit.exe d39050a4b6ef3f4aaa5808d30501d4fd RAT PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed |
|
|
|
|
1.8 |
|
20 |
ZeroCERT
17353 |
2023-06-07 07:28
|
Brickbats.exe 821823659183e8ca89f7d90cb55cae55 PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Windows Cryptographic key |
|
2
bettchanguballc.cloud(156.227.0.57) 156.227.0.57
|
|
|
3.8 |
|
34 |
ZeroCERT
17354 |
2023-06-07 05:38
|
ddsc.exe 6156028337e0510bd3535c891ed15029 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB Code Injection buffers extracted unpack itself Windows utilities sandbox evasion Windows Browser |
|
2
mmnedgeggrrva.com(153.92.126.196) 153.92.126.196
|
|
|
9.2 |
M |
46 |
guest
17355 |
2023-06-05 21:24
|
ddsc.exe 6156028337e0510bd3535c891ed15029 UPX Malicious Library OS Processor Check PE File PE32 Malware download Remcos VirusTotal Malware PDB Code Injection Malicious Traffic Check memory buffers extracted unpack itself Windows utilities sandbox evasion Windows Browser |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) mmnedgeggrrva.com(153.92.126.196) 178.237.33.50 153.92.126.196
|
2
ET MALWARE Remcos 3.x Unencrypted Checkin ET MALWARE Remcos 3.x Unencrypted Server Response
|
|
8.0 |
|
36 |
ZeroCERT