Sandbox submission list, 2023-05-09, entries 17956 to 17970 (flattened table rebuilt as one block per entry; empty cells dropped). Fields per entry: ID and submission time; file name; MD5; behaviour tags; network URLs, hosts, IDS alerts and extracted URLs (count in parentheses, items one per line where the source lists them); and a last line with the four trailing columns in source order, which the source leaves unlabelled (score, flag, count, submitter are inferred from the values).

17956 | 2023-05-09 13:22
File: aslmanager.20230509T000519-04
MD5: 3bd376dae4abaf351e98ac49c96d4ee8
Tags: AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
3.4 | | | BRY

17957 | 2023-05-09 13:14
File: F211CDAB-CD00-415A-99E2-27DF41... (name truncated in source)
MD5: 48b29d559c76e8d14e5e6434d84405ab
Tags: AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
3.4 | | | BRY

17958 | 2023-05-09 13:07
File: main.c47195de.css
MD5: 0adbf0b1d5e2bd19d4e94242e0840430
Tags: ScreenShot AntiDebug AntiVM Check memory unpack itself
1.0 | | | BRY

17959 | 2023-05-09 12:57
File: override-mac_f76168c82308f7c98... (name truncated in source)
MD5: af97a2869dbd1103f4fcdbe3c8c53568
Tags: ScreenShot AntiDebug AntiVM Check memory unpack itself
1.0 | | | BRY

17960 | 2023-05-09 11:01
File: vbc.exe
MD5: 34fbc7022384a5377bd9b728f7e35ee8
Tags: Generic Malware UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself
2.2 | M | 49 | r0d

17961 | 2023-05-09 09:21
File: vbc.exe
MD5: 743a03da4bca80da5f49be2b77050225
Tags: Formbook NSIS UPX Malicious Library PE32 PE File DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (21):
http://www.222ambking.org/u2kb/?w3khrt=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28004
http://www.thedivinerudraksha.com/u2kb/?w3khrt=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28009
http://www.gritslab.com/u2kb/?w3khrt=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28002
http://www.thewildphotographer.co.uk/u2kb/?w3khrt=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28007
http://www.un-object.com/u2kb/ - rule_id: 28137
http://www.energyservicestation.com/u2kb/?w3khrt=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28005
http://www.energyservicestation.com/u2kb/ - rule_id: 28005
http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
http://www.younrock.com/u2kb/?w3khrt=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28006
http://www.shapshit.xyz/u2kb/?w3khrt=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28008
http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
http://www.shapshit.xyz/u2kb/ - rule_id: 28008
http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
http://www.white-hat.uk/u2kb/?w3khrt=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28001
http://www.bitservicesltd.com/u2kb/?w3khrt=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28003
http://www.un-object.com/u2kb/?w3khrt=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28137
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
http://www.gritslab.com/u2kb/ - rule_id: 28002
http://www.222ambking.org/u2kb/ - rule_id: 28004
http://www.avisrezervee.com/u2kb/
http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (24):
www.thewildphotographer.co.uk(96.126.123.244) - mailcious
www.gritslab.com(78.141.192.145) - mailcious
www.fclaimrewardccpointq.shop() - mailcious
www.avisrezervee.com(31.186.11.254)
www.shapshit.xyz(199.192.30.147) - mailcious
www.energyservicestation.com(213.145.228.111) - mailcious
www.un-object.com(192.185.17.12) - mailcious
www.222ambking.org(91.195.240.94) - mailcious
www.bitservicesltd.com(161.97.163.8) - mailcious
www.thedivinerudraksha.com(85.187.128.34) - mailcious
www.white-hat.uk(94.176.104.86) - mailcious
www.younrock.com(192.187.111.222) - mailcious
91.195.240.94 - phishing
85.187.128.34 - mailcious
78.141.192.145 - mailcious
192.185.17.12 - mailcious
31.186.11.254 - mailcious
213.145.228.111 - mailcious
63.141.242.46
94.176.104.86 - mailcious
72.14.178.174
161.97.163.8 - mailcious
45.33.6.223
199.192.30.147 - mailcious
IDS alerts (2):
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Extracted URLs (19):
http://www.222ambking.org/u2kb/
http://www.thedivinerudraksha.com/u2kb/
http://www.gritslab.com/u2kb/
http://www.thewildphotographer.co.uk/u2kb/
http://www.un-object.com/u2kb/
http://www.energyservicestation.com/u2kb/
http://www.energyservicestation.com/u2kb/
http://www.thewildphotographer.co.uk/u2kb/
http://www.younrock.com/u2kb/
http://www.shapshit.xyz/u2kb/
http://www.thedivinerudraksha.com/u2kb/
http://www.shapshit.xyz/u2kb/
http://www.bitservicesltd.com/u2kb/
http://www.white-hat.uk/u2kb/
http://www.bitservicesltd.com/u2kb/
http://www.un-object.com/u2kb/
http://www.gritslab.com/u2kb/
http://www.222ambking.org/u2kb/
http://www.younrock.com/u2kb/
5.0 | M | 41 | ZeroCERT

17962 | 2023-05-09 09:11
File: fotocr23.exe
MD5: 9a5f630ba99d3ee7e838d5c9abac233e
Tags: Gen1 Emotet PWS .NET framework RAT UltraVNC UPX Malicious Library Malicious Packer Confuser .NET CAB PE32 PE File OS Processor Check .NET EXE AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Disables Windows Security AppData folder AntiVM_Disk VM Disk Size Check Windows Update RCE DNS Cryptographic key crashed
Hosts (2):
94.142.138.32
77.91.124.20 - malware
7.0 | M | | ZeroCERT

17963 | 2023-05-09 09:11
File: 123.exe
MD5: 2aeac863392c9a2a31058c6d5eeb4cc2
Tags: PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download VirusTotal Malware RecordBreaker PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications installed browsers check Stealer Windows Browser DNS
URLs (9):
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://94.142.138.32/
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
http://94.142.138.32/a51fd817c1762ffe7664b43743dd0958
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
Hosts (1): not listed in source
IDS alerts (5):
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible Generic Stealer Sending System Information
11.4 | M | 28 | ZeroCERT

17964 | 2023-05-09 09:11
File: foto0174.exe
MD5: 1b1b1239c10dcd01f551df6cee30d4e2
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs (4):
http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
http://77.91.124.20/store/games/index.php - rule_id: 32547
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
Hosts (2):
77.91.124.20 - malware
217.196.96.101 - mailcious
IDS alerts (6):
ET MALWARE Amadey CnC Check-In
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
Extracted URLs (3):
http://77.91.124.20/store/games/Plugins/cred64.dll
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/Plugins/clip64.dll
16.0 | M | | ZeroCERT

17965 | 2023-05-09 09:09
File: vbc.exe
MD5: 34fbc7022384a5377bd9b728f7e35ee8
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself
2.2 | M | 47 | ZeroCERT

17966 | 2023-05-09 09:09
File: vbc.exe
MD5: e47e3bd985effc1d1352ac832a09da14
Tags: Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
http://185.246.220.60/fresh2/five/fre.php
Hosts (1):
185.246.220.60 - mailcious
IDS alerts (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
14.4 | M | 41 | ZeroCERT

17967 | 2023-05-09 09:05
File: 009.jpg
MD5: baa51dc77e43c436c429a9131ce4b152
Tags: Malicious Library PE32 PE File VirusTotal Malware Check memory unpack itself suspicious TLD WriteConsoleW Interception RCE
Hosts (1): not listed in source
3.4 | | 59 | ZeroCERT

17968 | 2023-05-09 09:04
File: zqqK.html
MD5: 5144480c0b8e79a016fafcfc3d3c3aa7
Tags: unpack itself crashed
0.6 | M | | ZeroCERT

17969 | 2023-05-09 09:03
File: instal6699_cr.exe
MD5: eafe753a6fd3d7e298974135a34d565c
Tags: RedLine stealer[m] UPX Admin Tool (Sysinternals etc ...) PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): not listed in source
10.2 | | 15 | ZeroCERT

17970 | 2023-05-09 09:03
File: obi.exe
MD5: f8001587bbb6e217b0f812e0e6e797d3
Tags: .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself
2.4 | | 46 | ZeroCERT