| 17671 |
2023-05-26 09:16
|
 update 3e2fa17fe889c35fb284cd3dda93220c
OS Processor Check ZIP Format |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17672 |
2023-05-26 09:14
|
 petercodyzx.exe e466877037de62f5262670bc43e57b83
Loki_b Loki_m Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/petercody/five/fre.php
|
1
185.246.220.60 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17673 |
2023-05-26 09:13
|
646ff8e66b17a.ps1 7e02353fe6383628da722c7c895ef755
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17674 |
2023-05-25 18:21
|
 up-do-dat-M2u7HcEuL9S7AFLW.exe 6f66d806f252bb81ed8954dceed8cce9
njRAT Generic Malware UPX .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed |
|
|
|
|
2.8 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17675 |
2023-05-25 18:19
|
 poweroff.exe 4ab4f24b913575f5dbaf2f17a6b5a2b1
PWS .NET framework njRAT RAT UPX .NET EXE PE File PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.8 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17676 |
2023-05-25 17:53
|
 vtshfowlzpky.exe 2427dc12a5685106ea301efc43e99701
Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware crashed |
|
|
|
|
1.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17677 |
2023-05-25 17:51
|
 INET_CACHE.exe 4bbbad7edcd5cd1e3e8b298236a94ebb
Anti_VM .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
2.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17678 |
2023-05-25 17:49
|
 newamka2.1.exe 21ffcbf147759f82745f07bfdb0662f4
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger |
|
5
instac.duckdns.org(77.220.215.70)
77.220.215.70
37.230.138.66 - mailcious
5.75.210.95
37.230.138.123 - mailcious
|
4
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
5.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17679 |
2023-05-25 17:48
|
 PEP2.exe 0b79fbf16b76bd0ff14e9d079e40e889
Emotet PWS .NET framework njRAT RAT Gen1 Generic Malware UPX Malicious Library MZP Format PE File PE32 .NET EXE OS Processor Check DLL PE64 VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Tofsee Windows ComputerName DNS crashed |
13
http://link.storjshare.io/s/juwxjm5rlewtkplox6e4e3btskgq/yokoso/fullham/manatara/poweroff.exe?download=1
http://link.storjshare.io/juwxjm5rlewtkplox6e4e3btskgq/yokoso%2Ffullham%2Fmanatara%2Fpoweroff.exe?download=1
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
https://link.storjshare.io/s/jxjnpyegksik26mz4wqismdyexpq/yokoso/fullham/enel/hand-M2u7HcEuL9S7AFLW.exe?download=1
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json - rule_id: 1972
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://www.google.com/
https://connectini.net/Series/configPoduct/2/goodchannel.json - rule_id: 1973
https://connectini.net/Series/Conumer2kenpachi.php - rule_id: 1974
https://link.storjshare.io/s/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1
https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=7 - rule_id: 7620
https://link.storjshare.io/jx573tmlnr5wf7adrak4haxbcyra/yokoso/fullham/enel/up-do-dat-M2u7HcEuL9S7AFLW.exe?download=1
|
13
n8w5.c12.e2-1.dev() - malware
wewewe.s3.eu-central-1.amazonaws.com(3.5.138.115) - mailcious
www.google.com(142.250.76.132)
link.storjshare.io(185.244.226.4)
google.com(142.250.206.206)
360devtracking.com(37.230.138.66) - mailcious
connectini.net(37.230.138.123) - mailcious
142.251.220.78
52.219.140.16
37.230.138.123 - mailcious
37.230.138.66 - mailcious
172.217.31.4
185.244.226.4
|
5
ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
7
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/SuperNitouDisc.php
https://connectini.net/Series/kenpachi/2/goodchannel/
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/Series/configPoduct/2/goodchannel.json
https://connectini.net/Series/Conumer2kenpachi.php
https://connectini.net/S2S/Disc/Disc.php
|
8.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17680 |
2023-05-25 17:44
|
 clp5.exe a541e034129465229c0fe10ecfcb2703
UPX Malicious Library OS Processor Check PE64 PE File VirusTotal Malware |
|
|
|
|
1.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17681 |
2023-05-25 17:42
|
 vbc.exe 06168af4a9d358eab028fb62b550299f
UPX Antivirus .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.2 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17682 |
2023-05-25 17:40
|
 black.pif 35b9124a72b939bddecd642532c56d4f
Formbook Generic Malware Antivirus PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://185.252.179.22/black/inc/b7c6f3f48ef1c3.php
https://api.ipify.org/
|
3
api.ipify.org(173.231.16.76)
64.185.227.155
185.252.179.22
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE AgentTesla Communicating with CnC Server
|
|
16.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17683 |
2023-05-25 17:40
|
 Setup_x32_x64.exe c51e82e2c7a0f3b68d02fc988f764f8f
UPX Malicious Library VMProtect OS Processor Check PE File PE32 VirusTotal Malware Telegram MachineGuid Malicious Traffic Check memory Creates executable files RWX flags setting unpack itself Tofsee ComputerName DNS |
4
http://5.75.210.95/addon.zip
http://5.75.210.95/93847ac75331fcbc8340ae251ef2cc25
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
|
6
t.me(149.154.167.99) - mailcious
steamcommunity.com(96.7.99.39) - mailcious
149.154.167.99 - mailcious
104.88.222.199
5.75.210.95
192.30.89.67 - mailcious
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
|
|
5.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17684 |
2023-05-25 17:38
|
 johnftp.pif 24fc1b788089d81c274e16e075676e6d
PWS .NET framework Generic Malware Antivirus PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
13.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17685 |
2023-05-25 17:37
|
IEIEIEIEIE%23%23%23%23%23%23%2... 1c963374f3c33e9136fb1bafc156938f
MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS DDNS crashed |
3
http://geoplugin.net/json.gp
http://104.234.10.91/279/IE_CACHES.exe
http://104.234.10.91/ie/JWwvty89.bin
|
5
geoplugin.net(178.237.33.50)
divdemoce.duckdns.org(192.30.89.67) - mailcious
104.234.10.91 - malware
178.237.33.50
192.30.89.67 - mailcious
|
9
ET MALWARE Generic .bin download from Dotted Quad
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|