17731 | 2023-05-16 11:22
6462c9b83536b.zip 70692b4fc4b50e7ad88a36c78af7ba2c | ZIP Format Malware Malicious Traffic NetSupport
URLs (4):
  http://blahadfurtik.com/
  http://176.124.198.7:5222/
  http://176.124.198.7/fakeurl.htm
  http://geo.netsupportsoftware.com/location/loca.asp
Hosts (4):
  geo.netsupportsoftware.com (51.142.119.24)
  blahadfurtik.com (176.124.198.7) - malicious
  62.172.138.67
  176.124.198.7
Alerts (3):
  ET POLICY NetSupport GeoLocation Lookup Request
  ET INFO NetSupport Remote Admin Checkin
  ET INFO NetSupport Remote Admin Response
0.8 | ZeroCERT

17732 | 2023-05-16 10:36
RECI 459d85937f975c9571d2cb390a16c117 | RAT .NET DLL DLL PE File PE32 VirusTotal Malware PDB
1.2 | M | 33 | ZeroCERT

17733 | 2023-05-16 10:36
Nzor.js 82c1abc36b66e14b3afb16c20661535e | Generic Malware Admin Tool (Sysinternals etc ...) Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (1):
  http://109.172.45.8/fjNITpc/uPCF5K3Rɡ
6.2 | ZeroCERT

17734 | 2023-05-16 10:36
Azpq.js e4195aae5423bf84ce95fdc8b6c37919 | Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (2):
  http://109.172.45.8/fjNITpc/Uv62A9m
  http://109.172.45.9/Leq/MHPUAEw0aYP
6.2 | ZeroCERT

17735 | 2023-05-16 10:35
Guabsl.js 370ad852dc41b1cdd740254c7b914f89 | Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (2):
  http://109.172.45.8/fjNITpc/9MGzj
  http://109.172.45.9/Leq/05qpZI6FMJD
6.2 | ZeroCERT

17736 | 2023-05-16 10:22
xboyxVersionxx.txt 9e97c6197f0e42fae10fdb58559d0add | UPX Malicious Library Malicious Packer OS Processor Check DLL PE64 PE File VirusTotal Malware
1.0 | M | 28 | ZeroCERT

17737 | 2023-05-16 09:28
setup.exe f24d0ab7527f3b1e184c410115e08b7b | RAT Generic Malware UPX Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 PNG Format MSOffice File OS Processor Check MZP Format DLL JPEG Format PE64 VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed
Hosts (6):
  globalmanysoft.com (195.179.239.150) - malware
  makemymatch.site (162.0.229.248)
  iplogger.com (148.251.234.93) - malicious
  148.251.234.93 - malicious
  195.179.239.150 - malware
  162.0.229.248 - malicious
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
9.2 | M | 48 | ZeroCERT

17738 | 2023-05-16 09:25
pmrs.exe 680745c9ac98102b110edf80d89e08eb | PWS .NET framework RAT UPX OS Processor Check PE64 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces
2.2 | M | 39 | ZeroCERT

17739 | 2023-05-16 09:22
vbc.exe eb5ee53f92ace8c899dd75b9af7a3ee8 | PWS .NET framework RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
Hosts (1):
3.0 | M | 36 | ZeroCERT

17740 | 2023-05-16 09:20
321.exe ac9b826b0329458eaad2ccb3fafcd7ff | Loki_b Loki_m Gen1 PWS .NET framework RAT Downloader UPX Malicious Library Malicious Packer Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate privileges persistence FTP KeyLogger Scre VirusTotal Malware powershell Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AppData folder malicious URLs Tofsee ComputerName DNS
URLs (3):
  http://116.203.166.139/c67d16317758867576bd28c19d9721ba
  https://steamcommunity.com/profiles/76561199263069598
  https://t.me/cybehost
Hosts (6):
  t.me (149.154.167.99) - malicious
  steamcommunity.com (23.74.148.253) - malicious
  116.203.166.139
  149.154.167.99 - malicious
  104.88.222.199
  77.91.124.20 - malware
Alerts (3):
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
9.0 | M | 43 | ZeroCERT

17741 | 2023-05-16 09:20
YYYY%23%23%23%23%23%23%23%23%2... 2b52e3645953f9c89870ecf02cf7c0c5 | MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (1):
  http://geoplugin.net/json.gp
Hosts (5):
  geoplugin.net (178.237.33.50)
  pops.mastercoa.co (184.75.223.195)
  104.234.10.91 - malware
  178.237.33.50
  184.75.223.195
Alerts (7):
  ET JA3 Hash - Remcos 3.x TLS Connection
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 30 | ZeroCERT

17742 | 2023-05-16 09:18
vbc.exe 5be2f10437a6105706e880b53b89544a | AgentTesla browser info stealer Google Chrome User Data Downloader UPX Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate privileges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net (178.237.33.50)
  pops.mastercoa.co (184.75.223.195)
  178.237.33.50
  184.75.223.195
Alerts (1):
  ET JA3 Hash - Remcos 3.x TLS Connection
9.6 | M | ZeroCERT

17743 | 2023-05-16 09:17
OAK%20FURNITURE%20UK%20APPLIAN... e537a6993f1e0bad5e05ecdb7afae6bf | PDF
M | ZeroCERT

17744 | 2023-05-16 09:16
photo230.exe bd745f43c090fd7fc5aeae0ec6b48d5a | RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Confuser .NET SMTP Code injection HTTP PWS[m] Http API Internet API AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs (6):
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  http://77.91.124.20/DSC01491/foto0174.exe - rule_id: 32623
  http://77.91.124.20/DSC01491/fotocr23.exe - rule_id: 32624
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
Hosts (2):
  77.91.124.20 - malware
  185.161.248.25 - malware
Alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
URLs matching rules (5):
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/Plugins/clip64.dll
  http://77.91.124.20/DSC01491/foto0174.exe
  http://77.91.124.20/DSC01491/fotocr23.exe
  http://77.91.124.20/store/games/index.php
21.6 | M | 33 | ZeroCERT

17745 | 2023-05-16 09:15
sesilezx.exe dbeab62690e3177cd56f64428bf23c87 | PWS .NET framework RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.4 | M | 34 | ZeroCERT