1906 | 2024-07-26 18:39
File: somethinggreatwithmeentiretime... | Hash: 02e73ef6a6bde5caa7628ee916111f60
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
URLs (2):
  https://api.ipify.org/
  http://198.46.174.139/71/winiti.exe
Hosts (5):
  smtp.jlahuachem.com(208.91.199.224)
  api.ipify.org(172.67.74.152)
  104.26.13.205
  208.91.199.224 - mailcious
  198.46.174.139 - malware
Alerts (10):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  SURICATA Applayer Detect protocol only one direction
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  SURICATA SMTP invalid reply
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.6 | M | 38 | ZeroCERT

1907 | 2024-07-26 18:31
File: ????impactfulbrands.co.uk_____... | Hash: eb39f61659de025b97dc88f3c6eea279
Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell ftp powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (3):
  https://www.mediafire.com/file/uq6estxvdnk3zze/ofeduqin1.rar/file
  https://www.mediafire.com/file/hzktcfc598wc4c7/bipucowova2.rar/file
  https://maper.info/1wHV45
Hosts (8):
  download2280.mediafire.com(199.91.155.21)
  www.mediafire.com(104.16.114.74) - mailcious
  maper.info(104.21.82.89) - mailcious
  download2275.mediafire.com(199.91.155.16) - mailcious
  199.91.155.16 - mailcious
  199.91.155.21
  104.21.82.89
  104.16.113.74 - mailcious
Alerts (4):
  ET POLICY IP Logger Redirect Domain in SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
  ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
Score: 7.6 | ZeroCERT

1908 | 2024-07-26 18:28
File: 멀티캠퍼스 강연의뢰서_ 김병로 교수님 .docx.lnk... | Hash: 16074a3f76b7860a180e0ec54dd19ed6
Tags: Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs: none
Hosts: none
Alerts: none
Score: 6.6 | 32 | ZeroCERT

1909 | 2024-07-26 12:09
File: peinf.exe | Hash: eed7347593de2141727d3960041d8c8e
Tags: UPX PE File PE32 VirusTotal Malware DNS
URLs: none
Hosts (1): not listed
Alerts: none
Score: 1.8 | M | 54 | ZeroCERT

1910 | 2024-07-26 12:08
File: simplethingstobefranksheisvery... | Hash: 13d8c6fac85c9bc52cdd1b3f03acdf2c
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (15):
  http://104.219.239.104/54/winiti.exe
  http://www.askvanta.com/hhti/
  http://www.askvanta.com/hhti/?siFuhe3N=fjRDIvTmNEJNTuTcr8del2WQp76nRU4WKVyXC6Y4v5xhqnRixQ6zeb282ydBwPMN2XVyKj7Iv4bMnoolEkDYP7t2qkRY0AApd+m94wn/hzh5njk5AnE5TcuZf+A5lnJQAByr72U=&Qt3=HJYf
  http://www.juliakoppel.org/9wjj/?siFuhe3N=3pAkfJORuRgA59m5D3Ccm/a2baSHIB7ZSYQ2sF+aO2KWoeTfZIMk0oynOCre8P7un/vWh9+jgjqgzzA3WVgVD2gacPCD8hv2BH56l/1+ZEKULaKcv9mw30410B/1ELsaBxrqqsU=&Qt3=HJYf
  http://www.eworld.org/18e1/
  http://www.eworld.org/18e1/?siFuhe3N=Pm7pKTMIYdCMccpB3xsAXFwsVOfU5MHbomtkvn/TIB3o6VHyHDbhzBEtFW9t5aJY+pX07Evew+XtfHVHXf6tslmSqwg1OujBiiUxK9iHVQ3RBf96wgYN9V5GQcLy17oB+M1M8tY=&Qt3=HJYf
  http://www.ninunveiled.shop/y2xs/
  http://www.c7v88.top/v6ba/?siFuhe3N=nJtV0xxVonYleLmyEDIGF1GRtIwzCkYblW7ymF81wwUwIwWLid3Lr9yJw2X9YaLdXd5m2mo1Ok9Zsjhn2cbjbjbKzyMWkQ/uC8atz3xgP0khh14CmXxCw976WGM8OA3qn6b9QMQ=&Qt3=HJYf
  http://www.microsofr.fun/omnp/?siFuhe3N=GQSd+8pi26b7zJhOJIQXVD/h3K/inFV8tNrqSt2nhXuDaWJRns1If/+gRxLu2YDerAFibGs6WR2Qt7jgVufvyJTnycUzu8Yso7GmTERVlWVgi3ROCwKMdFc5FOB0p/g90EsMQlA=&Qt3=HJYf
  http://www.juliakoppel.org/9wjj/
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
  http://www.gotvoom.pro/yagd/?siFuhe3N=uEwhQtN8d9WFSPX3vcuayxdpQqb8c/D/UpaKbFjD70Hg2gjUyZfmxqkinXZDMhG9GrAjDWM/1uaY6+kvF7tL6dHrL5YWOt4Y3qm+cyYTZ0PahKZdxCx3NJ3PVHCt9uZUePj8NnU=&Qt3=HJYf
  http://www.gotvoom.pro/yagd/
  http://www.c7v88.top/v6ba/
  http://www.microsofr.fun/omnp/
Hosts (14):
  www.c7v88.top(15.197.148.33)
  www.eworld.org(13.248.169.48)
  www.ninunveiled.shop(172.67.170.124)
  www.microsofr.fun(13.248.213.45)
  www.gotvoom.pro(15.197.148.33)
  www.juliakoppel.org(109.172.114.38)
  www.askvanta.com(3.33.130.190)
  13.248.213.45 - mailcious
  76.223.54.146
  109.172.114.38
  104.219.239.104 - mailcious
  172.67.170.124
  3.33.130.190 - phishing
  45.33.6.223
Alerts (8):
  ET MALWARE FormBook CnC Checkin (GET) M5
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.0 | M | 35 | ZeroCERT

1911 | 2024-07-26 12:07
File: winiti.exe | Hash: 076d40b4c480dbd3a0e84260aab18cff
Tags: Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS
URLs (13):
  http://www.askvanta.com/hhti/
  http://www.gotvoom.pro/yagd/
  http://www.askvanta.com/hhti/?Dc08XbzK=fjRDIvTmNEJNTuTcr8del2WQp76nRU4WKVyXC6Y4v5xhqnRixQ6zeb282ydBwPMN2XVyKj7Iv4bMnoolEkDYP7t2qkRY0AApd+m94wn/hzh5njk5AnE5TcuZf+A5lnJQAByr72U=&0zGHU=_wG0Y4Ypi
  http://www.c7v88.top/v6ba/?Dc08XbzK=nJtV0xxVonYleLmyEDIGF1GRtIwzCkYblW7ymF81wwUwIwWLid3Lr9yJw2X9YaLdXd5m2mo1Ok9Zsjhn2cbjbjbKzyMWkQ/uC8atz3xgP0khh14CmXxCw976WGM8OA3qn6b9QMQ=&0zGHU=_wG0Y4Ypi
  http://www.eworld.org/18e1/
  http://www.gotvoom.pro/yagd/?Dc08XbzK=uEwhQtN8d9WFSPX3vcuayxdpQqb8c/D/UpaKbFjD70Hg2gjUyZfmxqkinXZDMhG9GrAjDWM/1uaY6+kvF7tL6dHrL5YWOt4Y3qm+cyYTZ0PahKZdxCx3NJ3PVHCt9uZUePj8NnU=&0zGHU=_wG0Y4Ypi
  http://www.eworld.org/18e1/?Dc08XbzK=Pm7pKTMIYdCMccpB3xsAXFwsVOfU5MHbomtkvn/TIB3o6VHyHDbhzBEtFW9t5aJY+pX07Evew+XtfHVHXf6tslmSqwg1OujBiiUxK9iHVQ3RBf96wgYN9V5GQcLy17oB+M1M8tY=&0zGHU=_wG0Y4Ypi
  http://www.microsofr.fun/omnp/?Dc08XbzK=GQSd+8pi26b7zJhOJIQXVD/h3K/inFV8tNrqSt2nhXuDaWJRns1If/+gRxLu2YDerAFibGs6WR2Qt7jgVufvyJTnycUzu8Yso7GmTERVlWVgi3ROCwKMdFc5FOB0p/g90EsMQlA=&0zGHU=_wG0Y4Ypi
  http://www.juliakoppel.org/9wjj/
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
  http://www.juliakoppel.org/9wjj/?Dc08XbzK=3pAkfJORuRgA59m5D3Ccm/a2baSHIB7ZSYQ2sF+aO2KWoeTfZIMk0oynOCre8P7un/vWh9+jgjqgzzA3WVgVD2gacPCD8hv2BH56l/1+ZEKULaKcv9mw30410B/1ELsaBxrqqsU=&0zGHU=_wG0Y4Ypi
  http://www.c7v88.top/v6ba/
  http://www.microsofr.fun/omnp/
Hosts (11):
  www.c7v88.top(3.33.130.190)
  www.eworld.org(76.223.54.146)
  www.microsofr.fun(76.223.67.189)
  www.gotvoom.pro(15.197.148.33)
  www.juliakoppel.org(109.172.114.38)
  www.askvanta.com(15.197.148.33)
  15.197.148.33 - mailcious
  13.248.213.45 - mailcious
  109.172.114.38
  13.248.169.48 - mailcious
  45.33.6.223
Alerts (3):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET) M5
Score: 11.8 | M | 29 | ZeroCERT

1912 | 2024-07-26 12:04
File: pered.exe | Hash: faf1270013c6935ae2edaf8e2c2b2c08
Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format ftp VirusTotal Malware Check memory Creates executable files DNS
URLs: none
Hosts (1): not listed
Alerts: none
Score: 2.2 | M | 9 | ZeroCERT

1913 | 2024-07-26 12:04
File: 2020.exe | Hash: 95606667ac40795394f910864b1f8cc4
Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format Check memory Creates executable files
URLs: none
Hosts: none
Alerts: none
Score: 0.6 | M | ZeroCERT

1914 | 2024-07-26 12:03
File: newtpp.exe | Hash: e2e3268f813a0c5128ff8347cbaa58c8
Tags: Generic Malware Downloader Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX Antivirus PE File PE32 PowerShell Malware download Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AppData folder WriteConsoleW IP Check Windows Update Email ComputerName DNS Cryptographic key
URLs (8):
  http://185.215.113.66/ns/91.txt - rule_id: 39702
  http://185.215.113.66/5 - rule_id: 26698
  http://185.215.113.66/ns/n.txt - rule_id: 39702
  http://icanhazip.com/
  http://185.215.113.66/4 - rule_id: 26697
  http://185.215.113.66/3 - rule_id: 26696
  http://185.215.113.66/2 - rule_id: 26695
  http://185.215.113.66/1 - rule_id: 26694
Hosts (72):
  bellsouth.net(216.77.188.73); mx.altice.prod.cloud.openwave.ai(65.20.63.100); al-ip4-mx-vip1.prodigy.net(144.160.235.143); sbcglobal.net()
  ntlworld.com(213.105.9.42); al-ip4-mx-vip2.prodigy.net(144.160.235.144); icanhazip.com(104.16.184.241); comcast.net(96.99.227.0)
  mta6.am0.yahoodns.net(67.195.228.106); mx0.charter.net(47.43.18.9); mx2.mxge.comcast.net(96.102.18.147); mx2h1.comcast.net(96.102.157.180)
  mail.com(82.165.229.87); att.net(144.160.36.42); juno.com(64.136.53.46); cxr.mx.a.cloudfilter.net(34.212.80.54)
  mx01.mail.com(74.208.5.22); mx1h1.comcast.net(96.102.157.181); ff-ip4-mx-vip1.prodigy.net(144.160.159.21); cox.net(98.182.1.143)
  mx.dca.untd.com(64.136.44.37); aim.com(13.248.158.7); netzero.net(64.136.45.168); yahoo.com(74.6.143.25)
  mx-aol.mail.gm0.yahoodns.net(98.136.96.92); verizon.net(72.21.81.253); mx.vgs.untd.com(64.136.52.37); optonline.net(167.206.148.154)
  www.update.microsoft.com(20.109.209.108); mxin5.virginmedia.com(84.116.6.18); mx1a1.comcast.net(96.103.145.163); mx2c1.comcast.net(96.102.18.146)
  charter.net(99.83.251.242)
  151.241.237.185; 47.43.18.9; 78.85.106.173; 77.91.77.92; 96.102.157.181; 194.93.26.210; 109.74.43.21; 213.230.90.222
  5.238.186.28; 95.59.4.234; 185.215.113.66 - malware; 217.30.160.154; 2.185.163.114; 83.239.55.170; 64.136.44.37; 98.136.96.93
  74.208.5.22; 86.62.3.154; 109.74.35.21; 195.158.22.13; 65.20.63.100; 104.16.185.241; 35.162.106.154; 67.195.204.75
  96.103.145.163; 144.160.159.21; 144.160.235.143; 144.160.235.144; 64.136.52.37; 20.109.209.108; 96.102.157.180; 95.58.72.245
  77.221.27.219; 84.116.6.18; 98.136.96.92; 67.195.204.80; 96.102.18.147; 96.102.18.146; 67.195.228.111
Alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
  ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE Win32/Phorpiex Template 9 Active - Outbound Malicious Email Spam
  ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC
Additional URLs (7):
  http://185.215.113.66/
  http://185.215.113.66/5
  http://185.215.113.66/
  http://185.215.113.66/4
  http://185.215.113.66/3
  http://185.215.113.66/2
  http://185.215.113.66/1
Score: 14.4 | M | ZeroCERT

1915 | 2024-07-26 12:03
File: asec.exe | Hash: 132609f10f23a5a1fc5653ae7e91bdb2
Tags: Generic Malware UPX Antivirus PE File PE32 PowerShell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Disables Windows Security suspicious process WriteConsoleW Windows Update ComputerName DNS Cryptographic key
URLs: none
Hosts (3):
  144.160.159.21
  144.160.235.143
  67.195.204.80
Alerts: none
Score: 7.8 | M | ZeroCERT

1916 | 2024-07-26 11:59
File: winiti.exe | Hash: 76a4d0d810f2007100c2619d184ef7de
Tags: AgentTesla North Korea Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://ip-api.com/line/?fields=hosting
  https://api.ipify.org/
Hosts (4):
  api.ipify.org(104.26.12.205)
  ip-api.com(208.95.112.1)
  104.26.12.205
  208.95.112.1
Alerts (5):
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET POLICY External IP Lookup ip-api.com
Score: 15.6 | M | 46 | ZeroCERT

1917 | 2024-07-26 11:58
File: svchost.exe | Hash: 2e6d807e953cc0961f1bae27e34bc50d
Tags: njRAT backdoor Generic Malware PE File .NET EXE PE32 Malware download njRAT VirusTotal Malware Check memory Checks debugger unpack itself suspicious process WriteConsoleW DNS
URLs: none
Hosts (1): not listed
Alerts (1):
  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Score: 4.0 | 68 | ZeroCERT

1918 | 2024-07-26 10:59
File: gawdth.exe | Hash: c02798b26bdaf8e27c1c48ef5de4b2c3
Tags: SystemBC Generic Malware Downloader Malicious Library UPX Malicious Packer Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiV VirusTotal Malware AutoRuns PDB Code Injection Creates executable files unpack itself AppData folder Windows Remote Code Execution
URLs: none
Hosts: none
Alerts: none
Score: 5.0 | M | 39 | ZeroCERT

1919 | 2024-07-26 10:56
File: pf32.exe | Hash: 2a74db17b50025d13a63d947d8a8f828
Tags: Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware
URLs: none
Hosts: none
Alerts: none
Score: 1.2 | M | 58 | ZeroCERT

1920 | 2024-07-26 10:55
File: svhosts.exe | Hash: fcd623c9b95c16f581efb05c9a87affb
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
URLs: none
Hosts: none
Alerts: none
Score: 2.2 | M | 39 | ZeroCERT
