| 17686 |
2023-05-25 15:12
|
 po-docs-may24.exe 14d2501921d7cf94f36f5deb78c93982
Dbatloader UPX Malicious Library Admin Tool (Sysinternals etc ...) MZP Format PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed |
|
2
onedrive.live.com(13.107.43.13) - mailcious
13.107.42.13 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17687 |
2023-05-25 14:50
|
 Iu3HbEA1IfVFPRf.exe dafbec53a5d8e7e9f419a67a1846bb2f
Generic Malware Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS |
|
4
december2nd.ddns.net(212.193.30.230) - mailcious
december2n.duckdns.org(192.169.69.26) - mailcious
192.169.69.26 - phishing
212.193.30.230 - mailcious
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
14.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17688 |
2023-05-25 13:18
|
 d.hta c808f7c2c8b88c92abf095f10afae803
Formbook RAT JPEG Format Check memory RWX flags setting unpack itself Check virtual network interfaces Tofsee ComputerName |
|
2
elfinindia.com(162.241.85.104) - malware
162.241.85.104 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17689 |
2023-05-25 11:07
|
 GuessableInapti.js c2951dc43814c87f30815f802c3d27e7
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
7
http://196.232.241.171/bf4Va/T2
http://84.188.206.47/QU/2ouR
http://49.179.73.226/fWod/gk5g
http://41.100.76.232/dTaui/G
http://192.121.23.104/TLGhNd/kgVclk
http://149.154.159.98/PpUYX/GwZy6
http://192.121.23.61/9a67pes/eS1N4Nz
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17690 |
2023-05-25 10:59
|
 d.hta c808f7c2c8b88c92abf095f10afae803
Formbook RAT unpack itself crashed |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17691 |
2023-05-25 10:53
|
apt37.lnk 7095811df4cb1ee4135ce605af7f163f
Generic Malware Downloader Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot Hide_URL PDF AntiDebug AntiVM GIF Format .NET DLL DLL PE Fil VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger heapspray Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Windows Browser ComputerName Cryptographic key |
1
http://vmi810830.contaboserver.net/local/cache-js/f93754e660802d7cc70924cceb4738ef.gz
|
2
vmi810830.contaboserver.net(75.119.136.207)
75.119.136.207
|
|
|
13.8 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17692 |
2023-05-25 10:53
|
 PMTRD.bat 5f9e0afb3503d909984b3b30d038bdc5
Generic Malware Downloader Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot Hide_URL AntiDebug AntiVM .NET DLL DLL PE File PE32 powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key |
1
http://vmi810830.contaboserver.net/local/cache-js/f93754e660802d7cc70924cceb4738ef.gz
|
2
vmi810830.contaboserver.net(75.119.136.207)
75.119.136.207
|
|
|
9.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17693 |
2023-05-25 10:47
|
 exosporeEloper.js 30b9760a9d321a493485d3478333b8ba
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
6
http://168.210.85.145/9Ni4/9
http://147.136.249.109/T0/ykKD
http://55.87.97.150/2/5
http://192.121.23.104/TLGhNd/QWd5IVXShe
http://149.154.159.98/PpUYX/pNdIyW1
http://192.121.23.61/9a67pes/0v4j0q
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17694 |
2023-05-25 10:45
|
 exocoetidae.js 6fb012a2b6d44621cd97ec623362180f
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
6
http://60.88.147.243/YjR/GOvxE
http://110.138.86.158/ia/J
http://118.57.150.121/Lp1jv/S
http://192.121.23.104/TLGhNd/m0FgG7kn
http://192.121.23.61/9a67pes/LXm25SaHMZ3
http://149.154.159.98/PpUYX/mphHHqFLCkX
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17695 |
2023-05-25 10:45
|
 envenomation.js c33d868374d8dc29858a094689ce231c
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
5
http://160.200.240.144/zot82/DPEgb
http://141.191.215.246/t/TVsA
http://192.121.23.61/9a67pes/GZ4RIFZBn
http://149.154.159.98/PpUYX/o4xHoqlmXUiN
http://192.121.23.104/TLGhNd/C2ibiRsCrOX
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17696 |
2023-05-25 10:45
|
pessonal pic.png.lnk 1afc64e248b3e6e675fa31d516f0ee63
Generic Malware AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting unpack itself suspicious process Tofsee Interception |
1
https://elfinindia.com/wp-includes/files/pictures/man/
|
2
elfinindia.com(162.241.85.104) - malware
162.241.85.104 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.0 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17697 |
2023-05-25 10:21
|
 Personal.zip 05eb7152bc79936bea431a4d8c97fb7b
ZIP Format VirusTotal Malware Tofsee |
1
https://elfinindia.com/wp-includes/files/pictures/man/
|
2
elfinindia.com(162.241.85.104) - malware
162.241.85.104 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
0.6 |
M |
11 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17698 |
2023-05-25 09:41
|
 dwm.exe 69599d9e3f0215c8322482c5787119c4
Formbook PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
7
http://www.treeremovalkingwood.com/dyeb/?2lH7=ot2zVt7gYiYVRQ9vvNmBHR7+ThDbtsc5ek8bGz74xX5U1doydBpcmiSkVy8u8MuUFpWdZPDPZrAoOHnwm5gEHBkymeZFezCBl1qs2nQ=&vVy=lpZFPvqgan42T - rule_id: 33446
http://www.treeremovalkingwood.com/dyeb/ - rule_id: 33446
http://www.gullsteam.com/dyeb/?2lH7=gpFiMZyRZMV876gQ5pKC/N1h/E4k1JTYqvKRrfnY4KgDM3MAJOrei7MZxy1PV3eRL73jRv6RgLSF36g9rJ5AMkJq2HAD/moUEr4eCPA=&vVy=lpZFPvqgan42T - rule_id: 33447
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
http://www.gullsteam.com/dyeb/ - rule_id: 33447
http://www.sk676.com/dyeb/ - rule_id: 33448
http://www.sk676.com/dyeb/?2lH7=eRDn4OYLwGAFOe+oMCQszUCYwMg+uVi8ZbKWpPBz42pRqgBZU372Jy+dcILn2QiWfPdOhu0Hdz7kmVVrr+zaLBc9OSgj6EJ8eLn4AGY=&vVy=lpZFPvqgan42T - rule_id: 33448
|
7
www.sk676.com(154.212.104.55) - mailcious
www.treeremovalkingwood.com(104.21.11.173) - mailcious
www.gullsteam.com(85.159.66.93) - mailcious
104.21.11.173 - mailcious
85.159.66.93 - mailcious
154.212.104.55 - mailcious
45.33.6.223
|
2
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
|
6
http://www.treeremovalkingwood.com/dyeb/
http://www.treeremovalkingwood.com/dyeb/
http://www.gullsteam.com/dyeb/
http://www.gullsteam.com/dyeb/
http://www.sk676.com/dyeb/
http://www.sk676.com/dyeb/
|
9.8 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17699 |
2023-05-25 09:38
|
 k2.exe fdb8081ac26d8de3f7582b2616bcf3e8
PWS .NET framework RAT .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS |
|
1
|
|
|
2.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 17700 |
2023-05-25 09:36
|
 vulcancontrol.exe 4482bb2674adc80b247a13e6901d6945
UPX Malicious Library Malicious Packer PE64 PE File VirusTotal Malware |
|
|
|
|
1.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|