| 17641 |
2023-05-27 02:18
|
http://jrodriguez3113@gmail.co... 30080455ee0ea698c6c89361b13a863d
Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17642 |
2023-05-26 20:14
|
BLNR1389.js d66279c46cb9a2e4d466c045d6f89bceWMI ComputerName |
|
|
|
|
1.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17643 |
2023-05-26 19:36
|
Install_pass1234.7z 9af61e3db077635a809314b1ed057938
PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee DNS |
5
http://85.208.136.10/api/tracemap.php - rule_id: 32662
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://www.maxmind.com/geoip/v2.1/city/me
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
|
11
api.db-ip.com(172.67.75.166)
db-ip.com(172.67.75.166)
ipinfo.io(34.117.59.81)
www.maxmind.com(104.17.215.67)
172.67.75.166
85.208.136.10 - mailcious
34.117.59.81
104.26.5.15
94.142.138.113 - mailcious
208.67.104.60 - mailcious
104.17.214.67
|
2
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
http://85.208.136.10/api/tracemap.php
http://208.67.104.60/api/tracemap.php
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17644 |
2023-05-26 19:28
|
jjjiijjjiijjjiijjji%23%23%23%2... e3b452029e1713145f0d95258fc64b3c
MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted exploit crash Windows Exploit DNS DDNS crashed |
3
http://geoplugin.net/json.gp
http://corpotechgroup.com/Wxdypod.png - rule_id: 33748
http://104.234.10.91/477/IE_NET.exe
|
7
geoplugin.net(178.237.33.50)
divdemoce.duckdns.org(192.30.89.67) - mailcious
corpotechgroup.com(162.213.196.78) - malware
162.213.196.78 - mailcious
104.234.10.91 - malware
178.237.33.50
192.30.89.67 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
|
1
http://corpotechgroup.com/Wxdypod.png
|
4.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17645 |
2023-05-26 18:19
|
 swiss.exe 9e57567ee21222fa361798821a9571aa
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns MachineGuid Check memory buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Interception Windows Browser RAT Email ComputerName DNS DDNS |
|
5
osairus.duckdns.org(185.92.149.180)
www.google.com(142.250.206.228)
185.92.149.180
5.206.225.104 - malware
172.217.25.4 - suspicious
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
|
|
9.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17646 |
2023-05-26 18:19
|
 plugmanzx.exe 03dc66eb73f94113115e145a35599724
AgentTesla PWS .NET framework browser info stealer Google Chrome User Data Downloader Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
seanblacin.sytes.net(109.206.243.174)
178.237.33.50
109.206.243.174
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
10.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17647 |
2023-05-26 17:53
|
 CT360.exe 89f34702802ca7e99421d765d8404b8e
PE File PE32 VirusTotal Malware WMI ComputerName |
|
|
|
|
3.4 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17648 |
2023-05-26 17:51
|
jijijijiiiiji#################... 211091ff25b68364c7973844af7a44d4
MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
2
http://185.246.220.85/line/five/fre.php
http://192.3.189.133/277/IE_NET.exe
|
3
192.3.189.133 - malware
185.246.220.85 - mailcious
192.30.89.67 - mailcious
|
13
ET INFO Executable Download from dotted-quad Host
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
5.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17649 |
2023-05-26 17:51
|
 mslink1.exe 56f7220f0987dc74bc0d5bb27f3df3ca
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17650 |
2023-05-26 17:51
|
 grammyzx.exe 6f5596133ba51b66fa2467610e1084d8
PWS .NET framework SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed |
|
|
|
|
9.0 |
M |
20 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17651 |
2023-05-26 17:50
|
 IE_NET.exe 9e925b69e3dbb48c606de897284d31ae
AgentTesla PWS .NET framework RAT browser info stealer Generic Malware Google Chrome User Data Downloader UPX Antivirus ScreenShot Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM OS Processor Check Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser Email ComputerName DNS Cryptographic key DDNS keylogger |
1
http://geoplugin.net/json.gp
|
6
geoplugin.net(178.237.33.50)
divdemoce.duckdns.org(192.30.89.67) - mailcious
corpotechgroup.com(162.213.196.78) - malware
162.213.196.78 - mailcious
178.237.33.50
192.30.89.67 - mailcious
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
14.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17652 |
2023-05-26 17:49
|
 IE_NET.exe 691533800613bff43f0e1845240bd42e
Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software |
1
http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
|
1
185.246.220.85 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://185.246.220.85/fresh/five/fre.php
|
14.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17653 |
2023-05-26 17:48
|
 word.exe b9a5e05efb6100a069525b12b0d5bbab
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
2.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17654 |
2023-05-26 17:46
|
jjjiijjjiijjjiijjji%23%23%23%2... e3b452029e1713145f0d95258fc64b3c
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit crashed |
|
|
|
|
3.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17655 |
2023-05-26 17:46
|
 IE_NET.exe a02d63d3aa1793aca12ed3d79ac4870c
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
1.6 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|