Sandbox submission listing, records 21811 to 21825. Each record carries: ID, submission time, file name, MD5, sandbox tags, contacted URLs, contacted hosts, network signatures, flagged URLs, score, verdict flag, detection count and submitter (the trailing column names are inferred from the listing).

Record 21811  (submitted 2023-01-27 10:15)
  File: cred.dll
  MD5: e2ee20e2f0a8853cae1772d095543799
  Tags: Ave Maria WARZONE RAT Malicious Library UPX PE32 OS Processor Check DLL PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB Malicious Traffic Checks debugger unpack itself sandbox evasion installed browsers check Browser DNS Software
  URLs (1):
    http://77.73.133.72/8bmdh3Slb2/index.php
  Hosts (1): not listed in the extracted page
  Signatures: none
  Flagged URLs: none
  Score: 6.4 | Verdict: M | Detections: 38 | Submitter: ZeroCERT
Record 21812  (submitted 2023-01-27 09:34)
  File: cmpbksrvc32.cmd
  MD5: bc352f34af0f8ee2c8296dd6aa86b7e7
  Tags: PWS[m] Generic Malware Downloader Antivirus Malicious Library Create Service DGA Socket ScreenShot DNS Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM PowerShell PE32 PE File Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
  URLs (1):
    http://5.75.248.207/avicapn32.exe
  Hosts (1): not listed in the extracted page
  Signatures (4):
    ET INFO Executable Download from dotted-quad Host
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Flagged URLs: none
  Score: 11.2 | Verdict: - | Detections: - | Submitter: ZeroCERT
Record 21813  (submitted 2023-01-27 09:31)
  File: boom.exe
  MD5: 8463849a48326c8b46c38717c30a7acc
  Tags: RAT PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself crashed
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 2.2 | Verdict: M | Detections: 22 | Submitter: ZeroCERT
Record 21814  (submitted 2023-01-27 09:29)
  File: .win32.exe
  MD5: c98fd628f48ea8674c35931367a586e9
  Tags: Malicious Library UPX PE32 OS Processor Check PE File VirusTotal Malware PDB RCE
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 2.2 | Verdict: M | Detections: 42 | Submitter: ZeroCERT
Record 21815  (submitted 2023-01-27 09:29)
  File: vbc.exe
  MD5: a2e898a0d8e69dcc2d47202fd1cb8fb2
  Tags: PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 2.4 | Verdict: - | Detections: 24 | Submitter: ZeroCERT
Record 21816  (submitted 2023-01-27 09:27)
  File: TradingView_setup.msi
  MD5: 6bf24266e05b3cd35f35ec00fd6329a6
  Tags: Gen2 Generic Malware Malicious Library Antivirus Malicious Packer UPX MSOffice File OS Processor Check CAB PE32 DLL PE File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName crashed
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 2.8 | Verdict: M | Detections: 5 | Submitter: ZeroCERT
Record 21817  (submitted 2023-01-26 11:10)
  File: PO_6733.exe
  MD5: 76218662ffd8397441fadb34d12de1cc
  Tags: AgentTesla PWS[m] PWS .NET framework browser info stealer email stealer Generic Malware Google Chrome User Data Antivirus Socket ScreenShot DNS KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
  URLs: none
  Hosts (1):
    212.193.30.230 - mailcious
  Signatures: none
  Flagged URLs: none
  Score: 11.2 | Verdict: M | Detections: 32 | Submitter: ZeroCERT
Record 21818  (submitted 2023-01-26 11:09)
  File: aa.exe
  MD5: 4901ce4dd0d78d01170732498f3e8c49
  Tags: Malicious Library UPX PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself RCE
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 2.0 | Verdict: - | Detections: 40 | Submitter: r0d
Record 21819  (submitted 2023-01-26 11:08)
  File: document26.doc
  MD5: 75dd58e072281f26204dc977d0cb83b3
  Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed Downloader
  URLs (3):
    http://ipinfo.io/ip
    https://raw.githubusercontent.com/GodOfWareFare/TheGoodKidPhotos/main/rt.jpg - rule_id: 21821
    http://104.223.76.152/126/vbc.exe
  Hosts (7):
    ipinfo.io(34.117.59.81)
    raw.githubusercontent.com(185.199.108.133) - malware
    185.199.108.133 - mailcious
    194.5.212.164 - mailcious
    104.223.76.152 - malware
    46.183.223.109 - mailcious
    34.117.59.81
  Signatures (9):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE MSIL/GenKryptik.FQRH Download Request
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY External IP Lookup ipinfo.io
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Flagged URLs (1):
    https://raw.githubusercontent.com/GodOfWareFare/TheGoodKidPhotos/main/rt.jpg
  Score: 4.8 | Verdict: M | Detections: 29 | Submitter: ZeroCERT
Record 21820  (submitted 2023-01-26 11:05)
  File: monshedy2.2.exe
  MD5: 01ff6e3e800d174e5d9a1b2b0b7ab5a0
  Tags: Malicious Library UPX PE32 PE File OS Processor Check Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger
  URLs: none
  Hosts (2):
    bovigar.duckdns.org(194.5.212.164)
    194.5.212.164 - mailcious
  Signatures (4):
    ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
    ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
    ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
  Flagged URLs: none
  Score: 5.6 | Verdict: M | Detections: 32 | Submitter: ZeroCERT
Record 21821  (submitted 2023-01-26 11:03)
  File: cc.exe
  MD5: 7c684ac9c2b1d2018031e342f6be13f7
  Tags: Malicious Library UPX PE32 OS Processor Check PE File VirusTotal Malware PDB RCE
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 1.8 | Verdict: M | Detections: 22 | Submitter: ZeroCERT
Record 21822  (submitted 2023-01-26 11:02)
  File: nmnb.exe
  MD5: 58a93d1d064b9e8265ea798531adb0bf
  Tags: Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself DNS
  URLs (8):
    http://www.drzjup.space/poub/?J48=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&EhU4Nv=gdM0vL4huV - rule_id: 23154
    http://www.soldbylena.com/poub/?J48=Yx1Go82kz3quMGBdMT8MTkTpwx2C2fKFreghtdDiaVm/DdA3lQSzkCq363BA4rx6egegMd3w&EhU4Nv=gdM0vL4huV
    http://www.cheapboden.com/poub/?J48=uMC/GsanvNpPbNcCVsDObBSsNNWRYBZ6HNwnYtWwxIAICQHEP8X1B519TLgsyoj5ym3DSXfy&EhU4Nv=gdM0vL4huV
    http://www.peiphitan.com/poub/?J48=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&EhU4Nv=gdM0vL4huV - rule_id: 22766
    http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip
    http://www.midundao.net/poub/?J48=BeQSaNCZ8Cc+ObDJRvydEORS/RePR8oKq7xoUj49pHjj3eul8epkA9+9TFgjCI7880YVFtR7&EhU4Nv=gdM0vL4huV
    http://www.agence-dragonne.com/poub/?J48=AJ1lnItlOBOMu4VTxug+YhiyjjMIB0X6igB7b1gQ1/FyMjSiMMj6SiFHodYf6/xohFqvUB4/&EhU4Nv=gdM0vL4huV
    http://www.elektrogo.xyz/poub/?J48=kDUzKCy494oCEChFShINt/qIs4aj4rKFw2/eKTVt/tzluLb40v7G/v2cQ7gHUqwc6NHSG5Wb&EhU4Nv=gdM0vL4huV
  Hosts (22):
    www.soldbylena.com(142.250.206.243)
    www.etgadu.global()
    www.midundao.net(172.247.35.173)
    www.cheapboden.com(172.67.212.73)
    www.crusadia.net(212.192.29.71)
    www.peiphitan.com(192.64.115.133) - mailcious
    www.agence-dragonne.com(153.127.67.174)
    www.sqlite.org(45.33.6.223)
    www.drzjup.space(172.255.33.179) - mailcious
    www.elektrogo.xyz(85.159.66.93)
    www.tokendownload.space(67.21.71.208)
    85.159.66.93 - mailcious
    172.255.33.179 - mailcious
    172.247.35.173
    67.21.71.208
    212.192.29.71
    192.64.115.133
    104.21.35.28 - mailcious
    142.250.206.243 - phishing
    45.33.6.223
    77.73.134.27 - malware
    153.127.67.174
  Signatures (2):
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  Flagged URLs (2):
    http://www.drzjup.space/poub/
    http://www.peiphitan.com/poub/
  Score: 6.4 | Verdict: M | Detections: 30 | Submitter: ZeroCERT
Record 21823  (submitted 2023-01-26 11:02)
  File: nonetrollplease.exe
  MD5: f1354bde910724c6efa5bdd025827bdb
  Tags: Generic Malware Anti_VM UPX PE32 OS Processor Check PE File VirusTotal Malware Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Firmware crashed
  URLs: none
  Hosts: none
  Signatures: none
  Flagged URLs: none
  Score: 3.6 | Verdict: M | Detections: 23 | Submitter: ZeroCERT
Record 21824  (submitted 2023-01-26 11:02)
  File: vbc.exe
  MD5: df4bcb8211f980a6fccaf369e4e86140
  Tags: PWS[m] Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
  URLs (1):
    http://checkip.dyndns.org/
  Hosts (2):
    checkip.dyndns.org(132.226.8.169)
    132.226.247.73
  Signatures (5):
    ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
    ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
    ET POLICY External IP Lookup - checkip.dyndns.org
    ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
  Flagged URLs: none
  Score: 14.6 | Verdict: M | Detections: 26 | Submitter: ZeroCERT
Record 21825  (submitted 2023-01-26 11:01)
  File: race.exe
  MD5: 415bc4fc3537b94dbdd9f15ed8af7424
  Tags: RAT Ave Maria WARZONE RAT Malicious Library UPX Malicious Packer VMProtect MPRESS PE32 .NET EXE PE File OS Processor Check JPEG Format DLL PE64 Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Kelihos Tofsee Windows Browser ComputerName DNS crashed
  URLs (11):
    http://a.dowgmua.com/gamexyz/2701/random.exe - rule_id: 26100
    http://77.73.134.27/8bmdh3Slb2/index.php - rule_id: 26125
    http://jjx.eiwaggff.com/files/pe/pb1111.exe - rule_id: 26217
    http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll - rule_id: 26126
    http://77.73.134.27/8bmdh3Slb2/index.php?scr=1 - rule_id: 26125
    http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll - rule_id: 26128
    http://77.73.134.27/XandETC.exe
    https://xv.yxzgamen.com/logo.png - rule_id: 26104
    https://xv.yxzgamen.com/logo.png
    https://xv.yxzgamen.com/2701.html - rule_id: 26088
    https://b.dowgmub.com/gamexyz/2701/6f711ae4592e7016f72994ae3be71daf.exe
  Hosts (9):
    xv.yxzgamen.com(172.67.141.51) - mailcious
    a.dowgmua.com(172.67.157.126) - malware
    b.dowgmub.com(172.67.140.42) - malware
    jjx.eiwaggff.com(172.67.183.10) - malware
    172.67.157.126 - malware
    104.21.48.89 - malware
    172.67.140.42 - mailcious
    172.67.141.51 - mailcious
    77.73.134.27 - malware
  Signatures (7):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE Amadey CnC Check-In
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO Dotted Quad Host DLL Request
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Possible Kelihos.F EXE Download Common Structure
  Flagged URLs (8):
    http://a.dowgmua.com/gamexyz/2701/random.exe
    http://77.73.134.27/8bmdh3Slb2/index.php
    http://jjx.eiwaggff.com/files/pe/pb1111.exe
    http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll
    http://77.73.134.27/8bmdh3Slb2/index.php
    http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll
    https://xv.yxzgamen.com/logo.png
    https://xv.yxzgamen.com/2701.html
  Score: 12.4 | Verdict: M | Detections: 40 | Submitter: ZeroCERT
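The listing prints its URL, host and signature columns as run-together text, with a trailing "- rule_id: N" cross-reference on some URLs, hosts as "name(ip)", "name()" for an unresolved name or a bare IP, each optionally followed by "- label" (the page spells one label "mailcious"), and signature names concatenated on one line. The following Python is an added example, not the sandbox's or any submitter's code: it parses those three fields into structured, de-duplicated and defanged indicators so a record can be fed to a blocklist or a SIEM without hand-copying. The field layout is inferred from the page; the sample strings are the three fields of record 21825 copied from the listing, and "mailcious" is normalised to "malicious".

```python
"""
IOC extraction for the sandbox listing above (added example, not the sandbox's
own code). Field layout inferred from the page:
  URLs:       'http://... [- rule_id: N] http://... ...'
  hosts:      'name(ip) [- label] name() bare.ip [- label] ...'
  signatures: 'ET CLASS ... ET CLASS ... SSLBL: ...' run together
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_TOKEN_RE = re.compile(r"^([^()]+)(?:\(([^()]*)\))?$")   # name, name(ip) or name()
SIG_SPLIT_RE = re.compile(r"\s+(?=(?:ET [A-Z_]+ |SSLBL: ))")  # boundary before each rule name
LABELS = {"mailcious": "malicious", "malware": "malware", "phishing": "phishing"}  # page spelling

# Constructed sample: the three run-together fields of record 21825 in the listing.
SAMPLE_URLS = (
    "http://a.dowgmua.com/gamexyz/2701/random.exe - rule_id: 26100 "
    "http://77.73.134.27/8bmdh3Slb2/index.php - rule_id: 26125 "
    "http://jjx.eiwaggff.com/files/pe/pb1111.exe - rule_id: 26217 "
    "http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll - rule_id: 26126 "
    "http://77.73.134.27/8bmdh3Slb2/index.php?scr=1 - rule_id: 26125 "
    "http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll - rule_id: 26128 "
    "http://77.73.134.27/XandETC.exe https://xv.yxzgamen.com/logo.png - rule_id: 26104 "
    "https://xv.yxzgamen.com/logo.png https://xv.yxzgamen.com/2701.html - rule_id: 26088 "
    "https://b.dowgmub.com/gamexyz/2701/6f711ae4592e7016f72994ae3be71daf.exe"
)
SAMPLE_HOSTS = (
    "xv.yxzgamen.com(172.67.141.51) - mailcious a.dowgmua.com(172.67.157.126) - malware "
    "b.dowgmub.com(172.67.140.42) - malware jjx.eiwaggff.com(172.67.183.10) - malware "
    "172.67.157.126 - malware 104.21.48.89 - malware 172.67.140.42 - mailcious "
    "172.67.141.51 - mailcious 77.73.134.27 - malware"
)
SAMPLE_SIGS = (
    "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Amadey CnC Check-In "
    "ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal "
    "HTTP Headers - Potential Second Stage Download ET INFO Dotted Quad Host DLL Request "
    "ET INFO Executable Download from dotted-quad Host ET MALWARE Possible Kelihos.F EXE Download "
    "Common Structure"
)


@dataclass
class Host:
    name: str
    ip: Optional[str]     # resolved address; None when the page shows 'name()'
    label: Optional[str]  # malicious / malware / phishing, or None when unlabelled


@dataclass
class Url:
    url: str
    rule_id: Optional[int]  # the listing's '- rule_id: N' cross-reference, if present


def parse_hosts(text: str) -> list[Host]:
    hosts: list[Host] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and hosts and i + 1 < len(tokens):
            hosts[-1].label = LABELS.get(tokens[i + 1], tokens[i + 1])  # label belongs to previous entry
            i += 2
            continue
        m = HOST_TOKEN_RE.match(tok)
        if m:
            name, ip = m.group(1), m.group(2) or None
            if ip is None and IPV4_RE.match(name):
                ip = name  # bare IP entry: the name is the address
            hosts.append(Host(name, ip, None))
        i += 1
    return hosts


def parse_urls(text: str) -> list[Url]:
    urls: list[Url] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("http://", "https://")):
            urls.append(Url(tok, None))
            i += 1
        elif tok == "-" and urls and i + 2 < len(tokens) and tokens[i + 1] == "rule_id:":
            urls[-1].rule_id = int(tokens[i + 2])  # '- rule_id: N' follows the URL it refers to
            i += 3
        else:
            i += 1  # stray token; ignore
    return urls


def split_signatures(text: str) -> list[str]:
    text = text.strip()
    return SIG_SPLIT_RE.split(text) if text else []


def defang_url(url: str) -> str:
    """hxxp scheme and bracketed dots in the host part only, so paths stay readable."""
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    return urlunsplit((scheme, p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))


def defang_host(name: str) -> str:
    return name.replace(".", "[.]")


def iocs_from_record(urls_text: str, hosts_text: str, sigs_text: str) -> dict:
    """Collapse one record's three fields into de-duplicated, defanged indicators."""
    urls, hosts = parse_urls(urls_text), parse_hosts(hosts_text)
    return {
        "urls": sorted({defang_url(u.url) for u in urls}),
        "rule_ids": sorted({u.rule_id for u in urls if u.rule_id is not None}),
        "domains": sorted({defang_host(h.name) for h in hosts if not IPV4_RE.match(h.name)}),
        "ips": sorted({defang_host(h.ip) for h in hosts if h.ip}),
        "labels": {defang_host(h.name): h.label for h in hosts if h.label},
        "signatures": split_signatures(sigs_text),
    }


if __name__ == "__main__":
    print(json.dumps(iocs_from_record(SAMPLE_URLS, SAMPLE_HOSTS, SAMPLE_SIGS), indent=2))
```

The host parser keys on the bare "-" token rather than on a fixed label list, so a label the page uses that is not in LABELS is kept verbatim instead of being dropped; the signature splitter relies on every rule name starting with an ET rule class or "SSLBL:", which holds for every signature line in the listing above.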