| # | Time | File | MD5 | Tags | URLs | Hosts | IDS alerts | Rule hits | Score | Source |
|---|---|---|---|---|---|---|---|---|---|---|
| 1906 | 2025-02-19 11:26 | emgg.ps1 | d3b7a6cbb1106c831806fa680b1dad50 | Hide_EXE Generic Malware Confuser .NET Antivirus PE File PE64 powershell MachineGuid Check memory Checks debugger Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces DNS | | 1 | | | 5.8 | ZeroCERT |
| 1907 | 2025-02-19 11:25 | bea.exe | e3a004b573f3b6a8e32a6cf74e63c9d2 | Malicious Library PE File PE64 RWX flags setting unpack itself ComputerName DNS | | 1 | | | 4.0 | ZeroCERT |
| 1908 | 2025-02-19 11:24 | artifact_x64_test2.exe | b1e8cabf1133b394028a2ab19df8c80a | Malicious Library PE File PE64 RWX flags setting DNS crashed | | 1 | 1: SURICATA Applayer Wrong direction first Data | | 1.2 | ZeroCERT |
| 1909 | 2025-02-19 11:22 | beacon.exe | c5d8217bd1a44f9ef1966ca00c91f85a | Malicious Library PE File PE64 RWX flags setting unpack itself ComputerName DNS | | 1 | | | 4.0 | ZeroCERT |
| 1910 | 2025-02-19 11:22 | monthdragon.exe | 3987c20fe280784090e2d464dd8bb61a | ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Code Injection Check memory Checks debugger buffers extracted unpack itself crashed | | | | | 6.4 | ZeroCERT |
| 1911 | 2025-02-19 11:10 | setup8812.msi | 40b91f7289d9e797d4318581af642ad8 | Generic Malware Malicious Library MSOffice File CAB OS Processor Check suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName | 2: http://kuueskmwqmwoocuq.xyz:443/api/client_hello (rule_id: 43990) http://kuueskmwqmwoocuq.xyz:443/api/client_hello | 2: kuueskmwqmwoocuq.xyz (31.192.232.4) | | 1: http://kuueskmwqmwoocuq.xyz:443/api/client_hello | 2.2 | ZeroCERT |
| 1912 | 2025-02-19 11:07 | TASLoginBase.dll | edc0784c522abc4891d9bedac02e0a1c | Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check Checks debugger unpack itself crashed | | | | | 1.0 | ZeroCERT |
| 1913 | 2025-02-19 11:07 | cabal.exe | c0b915db483249fbb011d4c73d0dbf1f | Emotet Generic Malware Malicious Library .NET framework(MSIL) UPX Downloader Anti_VM PE File .NET EXE PE32 DLL OS Processor Check .NET DLL MSOffice File CAB Malware Buffer PE PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Ransomware Windows Update DNS Cryptographic key | 116: http://168.138.162.78/output0//client/update.exe http://168.138.162.78/output0/client/Guild/1_140.gld http://168.138.162.78/output0/client/Data/change_shape.enc http://168.138.162.78/output0/client/Data/Language/English/cabal_msg.enc http://168.138.162.78/output0/client/Data/UI/Icon/force010.dds http://168.138.162.78/output0/client/Guild/1_246.gld http://168.138.162.78/output0/client/Guild/1_231.gld http://168.138.162.78/output0/client/Data/Language/English/caz_msg.enc http://168.138.162.78/output0/client/Guild/1_38.gld http://168.138.162.78/output0/client/Data/Language/English/achievement_msg.enc http://168.138.162.78/output0/client/Guild/1_186.gld http://168.138.162.78/output0/client/Data/quest.enc http://168.138.162.78/output0/client/Guild/1_51.gld http://168.138.162.78/output0/client/Guild/1_167.gld http://168.138.162.78/output0/client/Guild/1_22.gld http://168.138.162.78/output0/client/Guild/1_258.gld http://168.138.162.78/output0/client/Guild/1_252.gld http://168.138.162.78/output0/client/Guild/1_27.gld http://168.138.162.78/output0/client/Guild/1_3.gld http://168.138.162.78/output0/client/Data/item.enc http://168.138.162.78/output0/client/Guild/1_92.gld http://168.138.162.78/output0/client/Guild/1_28.gld http://168.138.162.78/output0/client/Guild/1_202.gld http://168.138.162.78/output0/client/Guild/1_50.gld http://168.138.162.78/output0/client/Guild/1_70.gld http://168.138.162.78/output0/client/Guild/1_6.gld http://168.138.162.78/output0/client/Guild/1_199.gld http://168.138.162.78/output0/client/Guild/1_208.gld http://168.138.162.78/output0/client/Guild/1_8.gld http://168.138.162.78/output0/client/Guild/1_42.gld http://168.138.162.78/output0/client/Guild/1_1.gld http://168.138.162.78/output0/client/Data/market.enc http://168.138.162.78/output0/client/Data/caz.enc http://168.138.162.78/output0/client/Guild/1_30.gld http://168.138.162.78/output0/client/Data/UI/Icon/skill265.dds http://168.138.162.78/output0/client/Guild/1_149.gld http://168.138.162.78/output0//client/7z.dll http://168.138.162.78/output0/client/Data/Language/English/klog.enc http://168.138.162.78/output0/client/Data/Language/English/extra_obj_msg.enc http://168.138.162.78/output0/client/Data/Language/English/script_msg.enc http://168.138.162.78/output0/client/custom.dll http://168.138.162.78/output0/client/cabalmain.exe http://168.138.162.78/output0//client/System.Windows.Interactivity.dll http://168.138.162.78/output0/client/Data/Language/English/help.enc http://168.138.162.78/output0/client/Guild/1_166.gld http://168.138.162.78/output0/client/Guild/1_31.gld http://168.138.162.78/output0/client/Guild/1_43.gld http://168.138.162.78/output0/client/Guild/1_135.gld http://168.138.162.78/output0/client/Guild/1_99.gld http://168.138.162.78/output0/client/Data/Language/English/script.enc http://168.138.162.78/output0/client/Data/mapinfo.enc http://168.138.162.78/output0/client/Guild/1_143.gld http://168.138.162.78/output0/client/Guild/1_102.gld http://168.138.162.78/output0/client/Guild/1_55.gld http://168.138.162.78/output0/client/Data/cont2.enc http://168.138.162.78/output0/client/Data/global.enc http://168.138.162.78/output0//client/SevenZipSharp.dll http://168.138.162.78/output0/client/Guild/1_16.gld http://168.138.162.78/output0/client/Data/assistant.enc http://168.138.162.78/output0/client/Data/mob.enc http://168.138.162.78/output0/client/Guild/1_2.gld http://168.138.162.78/output0/client/Data/data.enc http://168.138.162.78/output0/client/Guild/1_103.gld http://168.138.162.78/output0/client/Data/UI/Icon/skill266.dds http://168.138.162.78/output0/client/Data/Language/English/tip.enc http://168.138.162.78/output0/client/Guild/1_19.gld http://168.138.162.78/output0/client/Guild/1_62.gld http://168.138.162.78/output0/client/Guild/1_15.gld http://168.138.162.78/output0/client/Data/achievement.enc http://168.138.162.78/output0/client/Data/UI/Icon/skill264.dds http://168.138.162.78/output0/client/Data/extra_obj.enc http://168.138.162.78/output0/client/Guild/1_18.gld http://168.138.162.78/output0/client/Data/Language/English/cont2_msg.enc http://168.138.162.78/output0/client/Guild/1_232.gld http://168.138.162.78/output0/client/Guild/1_40.gld http://168.138.162.78/output0/client/Guild/1_192.gld http://168.138.162.78/output0/client/Guild/1_253.gld http://168.138.162.78/output0/client/Guild/1_91.gld http://168.138.162.78/output0/client/Guild/1_26.gld http://168.138.162.78/output0/client/Data/destroy.enc http://168.138.162.78/output0/client/Guild/1_230.gld http://168.138.162.78/output0/client/Guild/1_66.gld http://168.138.162.78/output0/client/Guild/1_104.gld http://168.138.162.78/output0/client/Data/Map/world_01.mcl http://168.138.162.78/output0/client/Data/Language/English/msg.enc http://168.138.162.78/output0/client/Guild/1_5.gld http://168.138.162.78/output0//resources0.xml http://168.138.162.78/output0/client/Data/cont.enc http://168.138.162.78/output0/client/Data/smob.enc http://168.138.162.78/output0/client/Guild/1_193.gld http://168.138.162.78/output0/client/Guild/1_17.gld http://168.138.162.78/output0/client/Guild/1_106.gld http://168.138.162.78/output0/client/Guild/1_105.gld http://168.138.162.78/output0/updates/update_1.7z http://168.138.162.78/output0/client/Guild/1_260.gld http://168.138.162.78/output0/client/Guild/1_257.gld http://168.138.162.78/output0/client/Guild/1_218.gld http://168.138.162.78/output0/client/Guild/1_12.gld http://168.138.162.78/output0/client/Data/keymap.enc http://168.138.162.78/output0/client/Guild/1_32.gld http://168.138.162.78/output0/client/Guild/1_125.gld http://168.138.162.78/output0/client/Guild/1_37.gld http://168.138.162.78/output0/client/Guild/1_23.gld http://168.138.162.78/output0/client/Data/Language/English/keymap_msg.enc http://168.138.162.78/output0/client/Guild/1_25.gld http://168.138.162.78/output0/client/Guild/1_24.gld http://168.138.162.78/output0/client/Guild/1_219.gld http://168.138.162.78/output0/client/Guild/1_227.gld http://168.138.162.78/output0/client/Data/ability.enc http://168.138.162.78/output0/client/Guild/1_14.gld http://168.138.162.78/output0/client/Guild/1_184.gld http://168.138.162.78/output0/client/Guild/1_145.gld http://168.138.162.78/output0/client/Data/maze.enc http://168.138.162.78/output0/client/Data/cabal.enc http://168.138.162.78/output0/client/Guild/1_136.gld http://168.138.162.78/output0/client/Data/Language/English/cont_msg.enc | 2: s4.gtsystems.hu (168.138.162.78) | 7: ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Dotted Quad Host DLL Request; ET INFO Packed Executable Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | | 9.4 | ZeroCERT |
| 1914 | 2025-02-19 11:07 | fg.exe | e86ce954943b063bb003f4769b82f7e9 | XWorm Hide_EXE WebCam Antivirus UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check .NET DLL suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName DNS Cryptographic key | | 1 | | | 10.8 | ZeroCERT |
| 1915 | 2025-02-19 11:06 | tt012.exe | 76283d02eb521a667273085a9068b59d | Themida UPX PE File PE32 Checks debugger unpack itself Checks Bios Detects VMWare AntiVM_Disk VMware anti-virtualization VM Disk Size Check Windows crashed | | | | | 5.0 | ZeroCERT |
| 1916 | 2025-02-19 11:03 | cabalmain.exe | 1504c256a0a41aa361ccc85e73a6d918 | Gen1 Themida Generic Malware EnigmaProtector Malicious Library Malicious Packer Antivirus Downloader UPX Anti_VM PE File ftp DllRegisterServer dll PE32 OS Processor Check | | | | | 1.0 | ZeroCERT |
| 1917 | 2025-02-19 11:02 | update.exe | d4318770944feebcb959c1318304be0f | Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows Update DNS Cryptographic key | 3: http://168.138.162.78/output0/client/cabal.exe http://168.138.162.78/output0/updates/update_1.7z http://168.138.162.78/output0//resources0.xml | 2: s4.gtsystems.hu (168.138.162.78) | 4: ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 6.8 | ZeroCERT |
| 1918 | 2025-02-19 10:55 | jfufk.exe | 92b0881788e7f86b38779db248eb959b | Generic Malware Malicious Library UPX PE File PE32 MZP Format buffers extracted unpack itself sandbox evasion Browser | | | | | 2.4 | ZeroCERT |
| 1919 | 2025-02-19 10:52 | ADGService.exe | d760d6d65e21de73fedc69a38c5dc0d4 | Malicious Library PE File PE64 | | | | | 0.6 | ZeroCERT |
| 1920 | 2025-02-19 10:50 | kissingdragonbestloverthinking... | 94a3b721c0f09451abe525abe8cf5c32 | MS_RTF_Obfuscation_Objects RTF File doc Malware download Vulnerability Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed | 3: http://198.12.123.6/112/w/Unifev.jpg http://217.160.17.80/231/kissingdragonbestloverthinkinggood.gIF http://217.160.17.80/231/cnm/kissingdragonbestloverthinkinggood.hta | 3: 198.12.123.6, 31.220.102.19, 217.160.17.80 | 6: ET POLICY Possible HTA Application Download; ET INFO Dotted Quad Host HTA Request; ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl; ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199); ET MALWARE Base64 Encoded MZ In Image; ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | | 4.0 | ZeroCERT |