| 18136 |
2023-04-27 09:59
|
 calcinstall.exe 881bef8377f48946c3863d06b3de735a
RAT Gen1 Gen2 Schwerer Generic Malware UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Obsidium protector .NET EXE PE32 PE File DLL OS Processor Check GIF Format MZP Format PE64 HWP MSOffice File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder AntiVM_Disk suspicious TLD sandbox evasion WriteConsoleW VM Disk Size Check human activity check Tofsee Ransomware Windows ComputerName crashed |
1
http://best-calc.ru/api/1/update/?
|
6
best-calc.ru(176.9.121.140)
hamstersoft-app-install.s3.eu-west-2.amazonaws.com(52.95.142.38) - malware
www.google-analytics.com(142.250.207.110)
176.9.121.140
3.5.244.142
172.217.27.14
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18137 |
2023-04-27 09:58
|
 vbc.exe 7ee7421fc12096ec24a2cb1706c5c734
UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.4 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18138 |
2023-04-27 09:53
|
 vbc.exe 773da960aeb7c6260cfe6328aafd922f
UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18139 |
2023-04-27 09:51
|
 vbc.exe a1ef3aeba94469b98befd1a6ba1a8b47
RAT UPX Malicious Library OS Processor Check PE64 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18140 |
2023-04-27 09:49
|
 vbc.exe 50a75fb5b12450844ace5ef53a050ead
UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself RCE |
|
|
|
|
2.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18141 |
2023-04-27 09:47
|
 originalbuild.exe 6bdbea0ec35358cc728f0213603bc9f5
RAT Generic Malware Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
91.215.85.198 - mailcious
|
|
|
6.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18142 |
2023-04-27 07:47
|
 name.hta 1e34ba7ca79958f904b2fcaebe9532e2
RAT Generic Malware task schedule Anti_VM Antivirus ScreenShot AntiDebug AntiVM PowerShell .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer NetWireRC Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files unpack itself Checks Bios Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Tofsee DCRat Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
15
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&9ff31bbcdffb4b2ee507e80d804540cc=0VfiIiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiI1YGN0YmNxEWMygDNmhTZmJDZ0UGMmBjN0MjNihjMxImM3ATNmlzMhJiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&c7b752fd708acb9907ff5fceaaa3c6a8=d1nI1YGN0YmNxEWMygDNmhTZmJDZ0UGMmBjN0MjNihjMxImM3ATNmlzMhJiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&c7b752fd708acb9907ff5fceaaa3c6a8=d1nI5IDNxMjN1YWZ0MTMmJTN0EGZhlDM4UWZmhTN4UmMhNWO5IGN2ATN3IiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W&9ff31bbcdffb4b2ee507e80d804540cc=d1nIiojIhBDNwYGZhZzN2Y2YxUWOjhjMjljNlRmMjlDNiF2YkNjIsISOyQTMzYTNmVGNzEjZyUDNhRWY5ADOlVmZ4UDOlJTYjlTOiRjNwUzNiojIlF2NmRzN5EWNzMmMmVTNmVTO2EzY0ITNjhTOhFGNiJmIsICMkFzMyImZ4QjN5UWZwUTN3IDNyMmM2cDNzImN4QTM4kTN1UjMlhjZiojI4UjY4IWO1ATZkJmM5gjY3I2N3QjZzgTMkRjYkJTZ4gjI7xSfiElZ5oUeQl2bql0dnRkWxE1RadXRE1UeVR0T1UlMZhmUy4UbCRlW0U1VZhXRy00MNpmT0kVbOBzaU10akRUT4l0QMlGOqlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWUq50Z0UUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXS55kMjRUT1NmaNh3dT9UMVpmT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFTaiZHZzI2TKl2TptGSkBnTtl0cJlWTxUkaMBTTU1UdnRUT5RzUONTRqlkNJN0YwpUelZTS5JWb1c1U3x2aJNXSp1UeRNzYsJlbJZTSTpFdG1GV5ZlMjZlSDxUaNVUV0lkaNVlTWJVVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiI4cTMkVTM5cjMwAzNhRmZyEDOkJTM2MWY1YWZ1M2N2UDMyEDZwEWOzIiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http:///PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&c7b752fd708acb9907ff5fceaaa3c6a8=d1nI5IDNxMjN1YWZ0MTMmJTN0EGZhlDM4UWZmhTN4UmMhNWO5IGN2ATN3IiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W&9ff31bbcdffb4b2ee507e80d804540cc=0VfiIiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiI5IDNxMjN1YWZ0MTMmJTN0EGZhlDM4UWZmhTN4UmMhNWO5IGN2ATN3IiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOisHL9JSOx4WSPpUaPlWUU5kMN1WW610RaBTVX5UMZpWW0kUbNlXVy4EasR1TsJkaNNTStpFejR1TohGRNlGZU9kMFpWSzlUaUl2bqlENJRkWqZFROpmTU9EaOdUToJEROpGbE10aadlW4VEVZdXRE9EaCpmWzEFVaJTRXlFaoRVTtp0QMlGNrlkNJlWWwEVbZVTQ6lVbGJTW1UFVapXVX5keFdkWs50RahmUt1UbsRVT1UUbO1GZqlVMJJTTppkaal2dpl0TKl2TpllMN1mVt1UbSJTWtxGRPlmSH1UeRdVWoJEVaNzYE9kaGpWWrpkaNRTVqlFerR0T5VFROdXStl0cJlGVp9maJVTRXllMFRUTxk1VPxGZE90MnpmTphmaaRTVU5UbORlW4VFVPJTUE9UNJRVTyklaNBTRXpleJNETpRzaJZTSTpVeZdkT31keZhXQUplaSJjTxMmaNJTRtp1dZd0T0UlaOhGZqlFNJRUTpZkaNFTS610dZ1WTpdXaJ9kSp9UaFJjTwkleOFzZU9EMrpmTqp1VNRTTX10dRdUT5NGVZNTT61EaaR0TxsGVZlGbU90MVRkTrpUbJNXSpRVavpWS4V1VOFTSH1EaapmT4lFRPhmRU9UMjpXW1EkaNBTTq5EMJdUTzU1VNhXSq1kMjRlT3VlaaFTSDxUa0sWS2kUaNRTTE9keVRUT3V0VPlmUtplMBpXW0sGRahXRH9EaS1mW3lUbaxmTUlVaCpmWqZ1Ral3aq1Ua3lWSPpUaPlWUU1UaCRVWrpkMOBzaE5UMVdVT4l1VapmTU9UNBpmTpp1VadXWy0UMVpWTrpERalXQ610djpWSzlUaUl2bqlkMF1WTtplaOBTTE5EbOpmWyUEVPRTUt1UMZpXWshmeNtmSX1EMFRVW4VERPtmUUplMFd1Txk0QMlGNrlkNJlnTxUFRaRTTq5keFdVT0U0VNNTSU1UMZdkW3FFRaNTUtlFNJR1T6dmeN1mSUlVenpXTsRGROl2dpl0TKl2TpdGRNhmSyk1dnpWTqpFROFzZ65kaO1mTpxGVOhXVE5kMBRlWyMGVOhGaUpVNJd1TzUEVZpmUql0cJlGVp9maJlmVXlFaoR0TpJERNhmUy40MJdkT3V0VaBzY61UNZpWT4lkaNFTRt5UMFRlTrJ1VaFTWUlVbKNETpRzaJZTSp5EMFdVWo50VNNzYqllMBpXWwEEVPl3aU1kMrpWT0UkMOhXRtpFboRkWwkEVOlXREplaKRlWpdXaJ9kSp9UaJpmT4VkMNpmRt10dJJTW3lFRaxmRXlFNNpXTtJ1VPVTTE1UaCpWTtRGRPdXVH5UeBRkWspUbJNXSpRVavpWS6FkaaNTSyklaCpnTw0kaN1mVUpVboRUTrp0VOpXQEpVMJRVT0sGRNlXR6llaWdUTy0keOJTSDxUa0sWS2k0QalXRyk1djpmWrZEVPpmSE9kaCpXWxEkeZRTRy4UeNR1Ttp1RONzYUpVMRRlT10kMNlmSX1Ua3lWSPpUaPlWVq10aWJTWqpEROhXRX1UMZpWW61keOVTRq50MrpWWyklaOJTRtp1aspmTspVbaJTRH9EbGpWSzlUeQl2bql0dnRkWxE1RadXRE1UeVR0T1UlMZhmUy4UbCRlW0U1VZhXRy00MNpmT0kVbOBzaU10akRUT4l0QMlGNrlkNJNkTpRGValmTXpFeNdlT6lFRNNTUX9EeN1WW0k1RaBTWqpleFpXTspEVOh3Yq5EenpmW0MGRPl2cu9UaFdEZoJVRkRjVtl0cVp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QM
http://45.67.228.48/host1.exe
http://45.67.228.48/123.txt
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&c7b752fd708acb9907ff5fceaaa3c6a8=d1nIzkDO5EDOhRmN5YmMhZWZ4UTYzIjNjhzMjVmN0UWYmNzN3cDNxMzMxIiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http://94.131.112.154/PythonphpGeneratortemporary.php?ffj4evtisdSvL=e2caMa8rTyfUHx&d2903fd8b5e9625169a73c9bf16b0b7c=25907a775ae0c50e6896b3b0f4ed5546&12bb8387f02771b3530361d45f8bc47f=wMwYWY3EWO1IDOhlTMiBjZwgjZmRTZhZGN5YjMzgTYmBzY4YjMygTZ&ffj4evtisdSvL=e2caMa8rTyfUHx
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&46784cd6da072d8e9a00a34d02493da5=QX9JyZUZTUYp1c4dVWYJUeiBjQYVWeOVUS6Z0RTtEMnRlNRhlWzh3VZhlQTFmdKNjYaBXUE9EcERGb4dkYoRmRJlmVyY1Z0ADVVBXUE9EcERGb4dkYoRmRJRXOHRWdGdUYRBXUE9EcERGb4dkYoRmRJlmVyY1ZVJTW1ZUbiBnSrNkT0s2TwY1RiNnRyY1Z0cVY1lTbVtEMnRlNRhlWzh3VZhlQ5FWdsdEV1lTbjVFcRR0TwREZsh3RihGZGlkcOhVWOZ0RkxWMrNkT0s2TwY1RiNnRyY1ZnJzYo5UbXtEMnRlNRhlWzh3VZhlQ5JWeW1mY2FzaD5ENr9EMWdkYzZkMWdWVtNmdOtmYwljMZxmUYFWTwFFRPBHRkxGeHJGakZUS6ZFSaZHaYJ1SwcGV2EFWaNHeXlFWCNlYxYVbjxGaHRmRwFFRPBHRkxGeHJGakZUS0ZlbjBjTXp1cWt2QORzaPBjVHJ2cGJjVnVVbjZnTFFmeGdkULBzZUZTUYp1c4dVWYJUaiBXOykFbShVZDBXUE9EcERGb4dkYoRmRJxmSzIGR1cVY250RkBnSrNkT0s2TwY1RiNnRyY1ZNdVY0lzRkJEcRR0TwREZsh3RihGZGlUNKNjY0pEWRtEMnRlNRhlWzh3VZhlQTpla1cVW1xWbRJiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiI1YGN0YmNxEWMygDNmhTZmJDZ0UGMmBjN0MjNihjMxImM3ATNmlzMhJiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http://45.67.228.48/system32.exe
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&9ff31bbcdffb4b2ee507e80d804540cc=QX9JSUNJiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiI3QmN5MGM5MWZyUjNxMGMwUWMjJTZ0kDOycTMwUmZmFmZkljY1ITY4IiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&46784cd6da072d8e9a00a34d02493da5=0VfikjST9EeNRUT6RzQNVXUqR2Y4FTY5ljMkxWMXlVeaVEWjJlVS9UNDRWb5IzY2p0MZBXMFh1YONDZ2JVbiBHZGh1YwpXUp9maJ9mUYlVUKNETpRjMkZXNyEWdWxWS2k0QhBjRHV1aKNjYq5EWhVkSDxUaJl2Tpd2RkhmQWJGaKNjWsh3VaVlSDxUaJl2Tp1ESjdnRVJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTSDJlSKhlW6ZlVihmVHRGVKNETpRjMkZXNyEWdWxWS2kUajxmTYZFdGdlWw4EbJNXSpJ2M50mYyVzVWl2bqlkb1cVWNFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQWJGaWdEZUp0QMl2aD1WN5VGcll3TJZHbHpVMGVUS1lzVhBDbtJGcadlWFJ0Qh5GbHN1b3F2Z0RlYuNna0AncMl2Tp1EWaVXOHF2d502Yqx2VUl2dplUavpWS6FzVZpmSXpFWKNETpRzRYlHeW1kWGVEVR5kVTVEeGhVd3ZEWjhHbJZTS5NWdWdlW55kMVl2dplUM0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiIzMjYkhTY3QjNlBDNxEWOykzY3YmM3EmMklDN2M2MiNjZ4UGM0MmMzIiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
http://94.131.112.154/PythonphpGeneratortemporary.php?JGvO=Epaz1Kj512gUSKaunbDS8tIMq1b&udXBuXppBF=k9NirryZAEUfpr62VhNI9tS&c72f30bfdace9699f08f265105715607=QYyMzYwImY4cjMjJWNzcTZ1ATY0kDZ1MzYkBDZygjM0YGNyQmZlVjZ0IjN1ITNxEDOzADO5QjM&12bb8387f02771b3530361d45f8bc47f=wYjlDMyYDO0YWMwUjNzI2YhVGM0QDZycTN2QjM0YDMlFzNyUmZmFzM&9ff31bbcdffb4b2ee507e80d804540cc=0VfiIiOiEGM0AjZkFmN3YjZjFTZ5MGOyMWO2UGZyMWO0IWYjR2MiwiIzMjYkhTY3QjNlBDNxEWOykzY3YmM3EmMklDN2M2MiNjZ4UGM0MmMzIiOiUWY3YGN3kTY1MzYyYWN1YWN5YTMjRjM1MGO5EWY0ImYiwiIwQWMzIjYmhDN2kTZlBTN1cjM0IzYyYzN0MjY2gDNxgTO1UTNyUGOmJiOigTNihjY5UDMlRmYykDOidjY3cDNmNDOxQGNiRmMlhDOis3W
https://pastebin.com/raw/Cs9EzneX
|
4
pastebin.com(104.20.67.143) - mailcious
45.67.228.48 - mailcious
94.131.112.154
104.20.67.143 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE DCRAT Activity (GET)
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
|
|
22.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18143 |
2023-04-27 03:18
|
0A7FCD23-2B52-47F2-9A10-79A2B7... 4e55bf3f7eb04fb987a1bfa08f768675
JPEG Format |
|
|
|
|
|
|
|
BRY
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18144 |
2023-04-27 02:26
|
DS_Store-5 93103d36de62ffb10919f3e7fc51783a
AntiDebug AntiVM Email Client Info Stealer Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email |
|
|
|
|
3.2 |
|
|
BRY
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18145 |
2023-04-27 02:17
|
DS_Store e84de8d6be88362a63d11938960b1fbd
AntiDebug AntiVM Email Client Info Stealer Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email |
|
|
|
|
3.2 |
|
|
BRY
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18146 |
2023-04-26 18:26
|
 reverse.exe d32a31a376731f31251a2d17ea3828bf
Meterpreter PE64 PE File VirusTotal Malware DNS crashed |
|
1
198.58.102.19 - mailcious
|
|
|
3.2 |
M |
47 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18147 |
2023-04-26 18:21
|
%23%23%23%23%23%23%23%23%23%23... 8c04ebf8df5396b9d4cd12056d0a42fe
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader |
4
http://www.forgetourco.com/my28/?DVBX=HR/gNFqxMMatrqckjUOgYj8CTraOU5fSyGgP08yra7HG48rWGxKrO4KotdMhMppFy0UjBinN&UbDH=kf50d6RxMtfhif
http://www.heruhome.net/my28/?DVBX=XJSMwvStj3TaOyeg51NJJiBQw7kIYWKX/lWLvyDa8ZDmiMdYLcEbycX0tGIYyEtEbF96zC57&UbDH=kf50d6RxMtfhif
http://172.245.214.178/25/vbc.exe
http://172.245.214.178/007/Dblvvr.dat
|
6
www.forgetourco.com(74.220.199.6)
www.heruhome.net(35.227.197.36)
www.naijanewsnow.africa()
35.227.197.36 - mailcious
74.220.199.6 - mailcious
172.245.214.178 - phishing
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18148 |
2023-04-26 18:19
|
debug.dbg 070b332f2ba3f1248c43931c8e9b54c2
AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
4.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18149 |
2023-04-26 18:16
|
 services.exe 169457576b3c270c112f87cdfefdb688
NPKI RAT PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 18150 |
2023-04-26 18:15
|
 vbc.exe fe889bf209a5e139d07c128c6d0ba877
Formbook PWS .NET framework RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key crashed |
4
http://www.ahmedhussein.tech/my28/?kFQl2H=X1+ORJ0PqquAMwqRkudv2MXmW9g+6c2tmFrHnXo+N3P5UuIjhh51ghREFDJwWuIRTjSnOhJv&oX9=_0GXHXQPdFBhZ
http://www.ki-ror.se/my28/?kFQl2H=4lfbIkXHco+fuMDhz2Un+xLdCLWdE3L2wwFDQBldcMLfj96ewRmoLvxyaijxNRtmHQY8ZyKd&oX9=_0GXHXQPdFBhZ
http://www.davideal.com/my28/?kFQl2H=g8afGKt5BcK8YWBpPCZ4/pxfgmmwdPBJ2VKmtBKY2hxTlxLpEHHrWffhk8WAXZeJbBDqIDJo&oX9=_0GXHXQPdFBhZ
http://172.245.214.178/007/Dblvvr.dat
|
8
www.ahmedhussein.tech(84.32.84.32)
www.ki-ror.se(194.9.94.85)
www.immernochlustig.com()
www.davideal.com(18.119.154.66)
84.32.84.32
194.9.94.86 - mailcious
18.119.154.66 - mailcious
172.245.214.178 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
11.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|