17896 |
2023-05-11 09:21
|
NDA_D673_May_10.wsf 883bbc5030fbf590ef98edc18c49565b Malware VBScript Malicious Traffic WMI heapspray wscript.exe payload download ComputerName DNS Dropper |
10.0 |
ZeroCERT
17897 |
2023-05-11 09:16
|
koIWDRc.exe c0578edb37d43cc63a01b287436f4e67 Generic Malware Suspicious_Script_Bin UPX Malicious Library Antivirus Anti_VM MZP Format PE File PE32 BMP Format OS Processor Check VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key |
6.4 |
16 |
ZeroCERT
17898 |
2023-05-11 09:15
|
photo_570.exe 9521fd6fc4a58dd4ae3c47d95eb91557 Gen1 Emotet PWS .NET framework RAT UltraVNC UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Confuser .NET CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed |
2
185.161.248.75
77.91.124.20 - malware
|
6
ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request
|
3
http://77.91.124.20/store/games/Plugins/cred64.dll http://77.91.124.20/store/games/index.php http://77.91.124.20/store/games/Plugins/clip64.dll
|
16.0 |
M |
ZeroCERT
17899 |
2023-05-11 09:11
|
i.exe 5093a300dc7623ead1d35860a6312011 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself RCE |
2.4 |
M |
55 |
ZeroCERT
17900 |
2023-05-11 09:08
|
Yezmtqs.js 353e7a94b3f5723043d83640fe5d85fd Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
1
http://162.252.175.224/1NoDX/jBbVYzHtqgn
6.2 |
ZeroCERT
17901 |
2023-05-11 09:08
|
Lscwklt.js 72794cef000741d517cab446ccb3b4e6 Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
1
http://158.255.213.110/rQ8wEAP/fQpJet
6.2 |
ZeroCERT
17902 |
2023-05-11 09:08
|
Aqrwa.js 92fae833978ae39133e33b9c17d782ec Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
6.2 |
ZeroCERT
17903 |
2023-05-10 18:57
|
vbc.exe 24429aa11d39dddc2e9daec4bcba9ed0 Formbook KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser ComputerName DNS crashed keylogger |
|
2
api.telegram.org(149.154.167.220) 149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.6 |
M |
ZeroCERT
17904 |
2023-05-10 18:56
|
vbc.exe 953db0fa8e971527b18ae9abc387f7a2 Formbook KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed keylogger |
9.6 |
M |
25 |
ZeroCERT
17905 |
2023-05-10 18:40
|
QQQQQ%23%23%23%23%23%23%23%23%... 74f63aa2d67f8c772a62b45904c46caf MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed Downloader |
1
http://154.12.230.59/234/vbc.exe
|
3
api.telegram.org(149.154.167.220) 154.12.230.59 - malicious 149.154.167.220
|
11
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO TLS Handshake Failure ET HUNTING Telegram API Domain in DNS Lookup ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 |
M |
29 |
ZeroCERT
17906 |
2023-05-10 18:21
|
PO.exe c884d60fea6f63974e134023a934894a AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
8.6 |
M |
12 |
ZeroCERT
17907 |
2023-05-10 18:18
|
build.exe c9baa6f493c047ea988df511eae16cc8 PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
5.2 |
M |
64 |
ZeroCERT
17908 |
2023-05-10 18:16
|
path 7fc09e90a6b01b4e45dfb74a398ab841 PWS .NET framework RAT UPX Malicious Library VMProtect OS Processor Check PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself AppData folder RCE DNS |
|
1
31.186.11.254 - malicious
6.0 |
M |
36 |
ZeroCERT
17909 |
2023-05-10 18:16
|
vbc.exe 992a0de4e5038847edbe7f400f3ccfd2 Formbook NSIS UPX Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder DNS |
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
6.2 |
M |
36 |
ZeroCERT
17910 |
2023-05-10 18:12
|
loki.exe 49f6547db1a057139da206876f7cac86 Generic Malware UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself RCE |
2.2 |
M |
32 |
ZeroCERT