17371 | 2023-06-04 17:38
File: secmorganzx.exe
MD5: e5cd98442cbc3af8dbc877ecd99a58d2
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself RCE DNS
Score: 2.8 | M | 48 | ZeroCERT

17372 | 2023-06-04 17:37
File: fotod25.exe
MD5: 001ba557c3a6837ac5635bbf859ed645
Tags: Redline Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs (5):
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/DSC01491/foto124.exe
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
  http://77.91.68.62/DSC01491/fotod25.exe
Hosts (2):
  77.91.68.62 - malware
  83.97.73.126 - malware
IDS alerts (11):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
Flagged URLs (3):
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
Score: 14.8 | M | 39 | ZeroCERT

17373 | 2023-06-04 17:37
File: foto124.exe
MD5: 1b28062bf3a3a5e2e681649e4a0d22dc
Tags: Redline Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
Hosts (2):
  77.91.68.62 - malware
  83.97.73.126 - malware
IDS alerts (9):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Flagged URLs (3):
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
Score: 13.8 | M | | ZeroCERT

17374 | 2023-06-04 17:33
File: File_pass1234.7z
MD5: 63e2ad5f5f1466a924b0c77048dcc60a
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself
Score: 2.0 | M | 9 | guest

17375 | 2023-06-03 17:31
File: hkcmd.exe
MD5: 53d4ab9c429de02b7efc94d7be3e6059
Tags: AgentTesla RAT browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM PE64 PE File Remcos VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS DDNS
URLs (2):
  http://geoplugin.net/json.gp
  http://84.54.50.31/D/H2.exe
Hosts (5):
  geoplugin.net(178.237.33.50)
  pekonomia.duckdns.org(185.225.74.112) - mailcious
  178.237.33.50
  84.54.50.31 - malware
  185.225.74.112 - mailcious
IDS alerts (7):
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET INFO Executable Download from dotted-quad Host
  ET JA3 Hash - Remcos 3.x TLS Connection
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 11.2 | M | 29 | ZeroCERT

17376 | 2023-06-03 17:31
File: document_C560_Jun_2.js
MD5: 3a6a29b0cfe1132fba17d10f096e4104
Tags: VirusTotal Malware crashed
Score: 0.6 | | 3 | ZeroCERT

17377 | 2023-06-03 17:31
File: document_C540_Jun_2.js
MD5: 6c6de7c1260f8b8dc6bc8505cac4288a
Tags: VirusTotal Malware unpack itself crashed
Score: 1.0 | | 6 | ZeroCERT

17378 | 2023-06-03 17:29
File: obizx.doc
MD5: bb05581c977504151945ce548b13daf8
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
URLs (2):
  https://api.ipify.org/
  http://194.180.48.59/obizx.exe
Hosts (4):
  api.ipify.org(104.237.62.211)
  194.180.48.59 - malware
  64.185.227.155
  185.225.74.112 - mailcious
IDS alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.8 | M | 28 | ZeroCERT

17379 | 2023-06-03 17:29
File: hkcmd.exe
MD5: 616f84ed1a058d9b51efa2eb6007dd4e
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself RCE
Score: 2.4 | M | 49 | ZeroCERT

17380 | 2023-06-03 17:27
File: H2.exe
MD5: 200f70cceffbcc69815d125f1ca40fd8
Tags: AgentTesla RAT browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM PE64 PE File Remcos VirusTotal Malware PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS DDNS
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  pekonomia.duckdns.org(185.225.74.112) - mailcious
  178.237.33.50
  185.225.74.112 - mailcious
IDS alerts (3):
  ET JA3 Hash - Remcos 3.x TLS Connection
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 8.6 | M | 37 | ZeroCERT

17381 | 2023-06-03 17:27
File: setup.exe
MD5: 8072726bf6f29230d619ec971b3d2a29
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName RCE DNS Cryptographic key Software crashed
Hosts (1):
IDS alerts (3):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
Score: 12.2 | M | 42 | ZeroCERT

17382 | 2023-06-03 17:25
File: teambzx.doc
MD5: 8a5c3b0f57f61e18ff31ae4903f479fa
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
URLs (3):
  http://x1.i.lencr.org/
  https://api.ipify.org/
  http://194.180.48.59/teambzx.exe
Hosts (7):
  x1.i.lencr.org(104.76.70.102)
  mail.grad-vodice.hr(108.179.208.47)
  api.ipify.org(104.237.62.211)
  108.179.208.47
  173.231.16.76
  194.180.48.59 - malware
  104.76.70.102
IDS alerts (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
Score: 5.6 | M | 33 | ZeroCERT

17383 | 2023-06-03 17:25
File: iuiiiuiuiuiuiuiuiui%23%23%23%2...
MD5: ff889dabeb89be61eb1ece635fb12ec2
Tags: MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
  http://171.22.30.147/chang2/five/fre.php
  http://45.66.230.128/257/hkcmd.exe
Hosts (2):
  171.22.30.147 - mailcious
  45.66.230.128 - mailcious
IDS alerts (12):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score: 5.2 | M | 20 | ZeroCERT

17384 | 2023-06-03 17:23
File: hkcmd.exe
MD5: ab22e6f54ff1b1f6862780ca9a7dddaa
Tags: Loki Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://185.246.220.85/line/five/fre.php - rule_id: 33747
Hosts (1):
  185.246.220.85 - mailcious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1):
  http://185.246.220.85/line/five/fre.php
Score: 13.8 | M | 25 | ZeroCERT

17385 | 2023-06-03 17:22
File: mimimimimimimi%23%23%23%23%23%...
MD5: f4b2703a921facad2c48fdecca12ae21
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed
Score: 3.0 | M | 28 | ZeroCERT