#22456  2022-12-09 09:57  (ZeroCERT)
File:   niga.exe
MD5:    7989392a248d2eb2441c09b10fdea90d
Tags:   Malicious Library, UPX, PE32, OS Processor Check, PE File, PDB, unpack itself, RCE
URLs:   -
Hosts:  -
Alerts: -
Score:  1.2 | M | -

#22457  2022-12-09 09:55  (ZeroCERT)
File:   anon.exe
MD5:    27dd08d95b0ba699f7938eb299155460
Tags:   RAT, PWS, .NET framework, UPX, PE32, OS Processor Check, .NET EXE, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, installed browsers check, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs:   -
Hosts:  2
        185.106.92.214 - malicious
        45.33.6.223
Alerts: -
Score:  6.2 | M | 43

#22458  2022-12-09 09:55  (ZeroCERT)
File:   vbc.exe
MD5:    3b33c707e522fc9e706c62687387ddbc
Tags:   Malicious Library, UPX, PE32, PE File, OS Processor Check, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder
URLs:   15
        http://www.escortsforme.com/ctap/
        http://www.zhukojobs.com/ctap/?YrCHivW8=E1XG9CWBON0+a9SbfBam/3ujLAGBnbhHfPIl1X7Qsq43gSgatyx6Zb05lZB18Uyd2+bJYGkqNPeUe5yfZM4Pd9YxCeGbEG+LeBqkxfI=&Dxlpd=3fmL
        http://www.anniistore.com/ctap/?YrCHivW8=8u93QSXfC/h8I5m86j8EifXEGqHJI1XGjLXVBTPL+MAI26ofB2ILsz8na3GixDPIUk10z/SFhZwVc2qsBgfGbhyy2T6TeVZfcvAs7cQ=&Dxlpd=3fmL
        http://www.remoilandgas.com/ctap/?YrCHivW8=E0T8uSBaELVLXozbUGj4vFCh/ax/c/BP7UfgcmPHKeSPndPi9fqZod2LjyLMuFn1YlXBi56WnERThi3Mz90OXcoUj9MhH71SH1fkSCM=&Dxlpd=3fmL
        http://www.wenela.com/ctap/?YrCHivW8=o1sNNbiCJpkRQnqDPpZyZWMxfrBgPkbBAAjZOkKt9pA1pIsrMlNUG63bs7Az2kMG7rhA+i5hc+r+fUSmunpAcJqGMZITHNiKC2SnTwg=&Dxlpd=3fmL
        http://www.oonrreward.xyz/ctap/?YrCHivW8=kQZAwHnI+usX/PhpNwT2013quSQD2Bw1yMi/6JaPhBv2MvgNay6iHmmXHV3e2fDZrTWjpgnJjG4P3gVEkF0L/T5cfSWGsHHoG1ovy1g=&Dxlpd=3fmL
        http://www.remoilandgas.com/ctap/
        http://www.wenela.com/ctap/
        http://www.escortsforme.com/ctap/?YrCHivW8=4paYNUohv+4jBuESLfUh/GbIRm7CgLhlfwb+oJHKJExpRjzRH/i6IZN3NTDyLd8u1WXNmpAM9BvvCNZiQiez7ZxxkE93+EvqBMPVx3A=&Dxlpd=3fmL
        http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
        http://www.oonrreward.xyz/ctap/
        http://www.endtimespastor.org/ctap/?YrCHivW8=ksM9tZ19wN2dqVwNSed5zmi5vj+T33kQr7D2a+Kp85ZymQqo1NtY5DJglrJ+uBDJsaAiL1/ulQSdlMY7LVHg27FChkif923Ke1Hmyw4=&Dxlpd=3fmL
        http://www.zhukojobs.com/ctap/
        http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
        http://www.anniistore.com/ctap/
        Note: www.sqlite.org is the SQLite project's own site and the two .zip URLs are its stock win32 sqlite3 DLL archives; the seven /ctap/ hosts are the sample's own contacts.
Hosts:  18
        www.zhukojobs.com (103.100.62.205)
        www.oonrreward.xyz (104.21.20.11)
        www.escortsforme.com (156.254.228.220)
        www.wenela.com (45.204.89.250)
        www.endtimespastor.org (66.235.200.251)
        www.anniistore.com (5.39.10.93)
        www.sqlite.org (45.33.6.223)
        www.remoilandgas.com (69.16.212.181)
        www.qmeiwen.com (107.158.76.9)
        5.39.10.93 - malicious
        107.158.76.9
        156.254.228.220
        69.16.212.181 - malware
        103.100.62.205
        104.21.20.11
        45.204.89.250
        66.235.200.251 - malicious
        45.33.6.223
Alerts: 3
        ET MALWARE FormBook CnC Checkin (POST) M2
        ET MALWARE FormBook CnC Checkin (GET)
        ET HUNTING Request to .XYZ Domain with Minimal Headers
Score:  6.0 | M | 24

#22459  2022-12-09 09:55  (ZeroCERT)
File:   cred64.dll
MD5:    c0fd0167e213b6148333351bd16ed1fb
Tags:   PWS, Loki[b], Loki.m, Malicious Library, PE32, DLL, PE File, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, Email, DNS, Software, crashed
URLs:   1
        http://31.41.244.237/jg94cVd30f/index.php - rule_id: 25013
Hosts:  1 (entry missing from the page)
Alerts: -
Rule-matched URLs: 1
        http://31.41.244.237/jg94cVd30f/index.php
Score:  6.0 | M | 54

#22460  2022-12-09 09:54  (ZeroCERT)
File:   sys_module.dll
MD5:    27dfc5e856a1de1beafddb8efb767016
Tags:   Malicious Library, UPX, OS Processor Check, DLL, PE File, PE64, Malware download, Cobalt Strike, Cobalt, VirusTotal, Malware, Malicious Traffic, Checks debugger, unpack itself, ComputerName, DNS, crashed
URLs:   1
        http://179.43.154.154/wDaA
Hosts:  2
        tektadgame.at ()
        179.43.154.154 - malware
Alerts: 1
        ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
Score:  3.8 | M | 14

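The download URI in the record above has the shape of a Cobalt Strike stager request: stagers (a Metasploit inheritance) ask for a short random path whose 8-bit checksum tells the team server which payload to return, 92 for an x86 beacon and 93 for x64. Recomputing that checksum is a quick offline check that agrees or disagrees with the Suricata verdict. The following is an added example written for this page, not ZeroCERT's or the sandbox's code; the second and third sample paths are constructed, and the length/alphanumeric filter is a heuristic of this example.

```python
"""Cobalt Strike stager URI checksum check (added example)."""

# Checksum values Cobalt Strike uses to select the staged payload.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def checksum8(path: str) -> int:
    """Sum of the ASCII byte values of the path (leading '/' removed), mod 256."""
    return sum(path.lstrip("/").encode("ascii")) % 256


def classify_stager_uri(path: str):
    """Return 'x86' or 'x64' when the path looks like a stager URI, else None.

    Stager paths are short random alphanumerics (4 characters in the record
    above); longer or punctuated paths that happen to sum to 92/93 are
    rejected to keep false positives down. That filter is this example's
    heuristic, not part of Cobalt Strike.
    """
    stem = path.lstrip("/")
    if not stem or len(stem) > 8 or not stem.isalnum():
        return None
    return STAGER_CHECKSUMS.get(checksum8(stem))


# Constructed inputs: the URI from record #22460, a made-up x86 stager path,
# and an ordinary path that must not match.
SAMPLES = ["/wDaA", "/aaa9", "/index.php"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:12} checksum8={checksum8(sample):3}  "
              f"stager={classify_stager_uri(sample)}")
```

For `/wDaA` the bytes sum to 349, which is 93 mod 256, so the URI is consistent with the x64 shellcode download the ET rule fired on. A hit on the checksum alone is weak evidence; paired with a 4-character path, a bare-IP host and the alert it is a solid triage signal.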
#22461  2022-12-09 09:53  (ZeroCERT)
File:   GIBI.exe
MD5:    f4669b8159d06fd545b1bcf07507ff54
Tags:   PWS[m], PWS, .NET framework, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, PE32, .NET EXE, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
URLs:   -
Hosts:  -
Alerts: -
Score:  10.8 | M | 27

#22462  2022-12-09 09:52  (ZeroCERT)
File:   k.exe
MD5:    04eda26f8ffd07ed4a77cb13bb413154
Tags:   Malicious Library, UPX, DNS, AntiDebug, AntiVM, PE32, OS Processor Check, .NET EXE, PE File, VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, ComputerName, RCE, crashed
URLs:   -
Hosts:  -
Alerts: -
Score:  8.0 | M | 30

#22463  2022-12-09 09:49  (ZeroCERT)
File:   csrss.exe
MD5:    b6a13c1765a0ad179c9884b0fff6fd5a
Tags:   Loki, PWS[m], PWS, Loki[b], Loki.m, .NET framework, Socket, DNS, AntiDebug, AntiVM, PE32, .NET EXE, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, AntiVM_Disk, VM Disk Size Check, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs:   1
        http://208.67.105.161/gk2/five/fre.php - rule_id: 24456
Hosts:  1
        208.67.105.161 - malicious
Alerts: 7
        ET MALWARE LokiBot User-Agent (Charon/Inferno)
        ET MALWARE LokiBot Checkin
        ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
        ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
        ET MALWARE LokiBot Request for C2 Commands Detected M1
        ET MALWARE LokiBot Request for C2 Commands Detected M2
        ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs: 1
        http://208.67.105.161/gk2/five/fre.php
Score:  15.2 | M | 41

#22464  2022-12-09 09:48  (ZeroCERT)
File:   Broches.exe
MD5:    a6a69797f94297c043dc8930f7368271
Tags:   Confuser .NET, PE32, .NET EXE, PE File, VirusTotal, Malware
URLs:   -
Hosts:  -
Alerts: -
Score:  1.4 | M | 37

#22465  2022-12-08 18:09  (ZeroCERT)
File:   Shipment_notification166654743...
MD5:    5f76f0b41ac9b298d26f44826b1e4a0d
Tags:   PWS[m], Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, PE32, .NET EXE, PE File, Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AgentTesla, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
URLs:   -
Hosts:  2
        mail.pumaelektrik.com (180.235.151.11)
        180.235.151.11 - malware
Alerts: 2
        SURICATA Applayer Detect protocol only one direction
        ET MALWARE AgentTesla Exfil Via SMTP
Score:  12.6 | - | 41

#22466  2022-12-08 18:03  (ZeroCERT)
File:   build2.exe
MD5:    f56c8317f668ed043779b95bef8c849e
Tags:   PWS, Loki[b], Loki.m, Malicious Library, UPX, AntiDebug, AntiVM, PE32, OS Processor Check, PE File, VirusTotal, Malware, PDB, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, malicious URLs, Tofsee, ComputerName, RCE, DNS
URLs:   4
        http://142.132.236.84/update.zip
        http://142.132.236.84/517
        https://steamcommunity.com/profiles/76561199441933804 - rule_id: 24879
        https://t.me/dishasta
Hosts:  5
        t.me (149.154.167.99) - malicious
        steamcommunity.com (184.31.35.111) - malicious
        142.132.236.84 - malicious
        149.154.167.99 - malicious
        23.42.123.237
Alerts: 3
        SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
        ET INFO TLS Handshake Failure
        ET INFO Dotted Quad Host ZIP Request
Rule-matched URLs: 1
        https://steamcommunity.com/profiles/76561199441933804
Score:  10.6 | M | 52

#22467  2022-12-08 16:27  (ZeroCERT)
File:   2.exe
MD5:    8f5b26c2678fb0f0e3f0e1775e231c57
Tags:   RedLine stealer[m], Generic Malware, Malicious Library, UPX, AntiDebug, AntiVM, PE32, OS Processor Check, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, installed browsers check, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs:   -
Hosts:  1 (entry missing from the page)
Alerts: -
Score:  10.2 | - | 20

#22468  2022-12-08 16:27  (ZeroCERT)
File:   pb1103.exe
MD5:    167a8e768f6b455d8d9a7c69412be3d9
Tags:   Malicious Library, VMProtect, PE File, PE64, VirusTotal, Malware, crashed
URLs:   -
Hosts:  -
Alerts: -
Score:  2.0 | - | 26

#22469  2022-12-08 16:24  (ZeroCERT)
File:   pb1117.exe
MD5:    947920372b0491c5af2f2923665bc576
Tags:   Malicious Library, VMProtect, PE File, PE64, VirusTotal, Malware, crashed
URLs:   -
Hosts:  -
Alerts: -
Score:  2.2 | - | 31

#22470  2022-12-08 16:24  (ZeroCERT)
File:   pb1105.exe
MD5:    ec7b5f5ae9b483d08fcbbe0d1f02752d
Tags:   Malicious Library, VMProtect, PE File, PE64, VirusTotal, Malware, crashed
URLs:   -
Hosts:  -
Alerts: -
Score:  2.0 | M | 26
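The host column in these records mixes two kinds of entry, "domain(ip)" resolutions and bare IPs that carry the listing's reputation label, so the label that matters for a domain is usually attached to its IP a few entries later; the URL column of the FormBook record (#22458) also shows the FormBook habit of one URI path and one query key reused across a list of candidate domains. The helper below turns those two columns into a triage result: resolutions joined to their IP labels, the shared C2 path and query keys, and defanged IOCs with the legitimate sqlite.org download excluded. It is an added example written for this page, not ZeroCERT's or the sandbox's code; the host and URL inputs are copied from the #22458 and #22460 records (query values shortened), the allowlist is this example's assumption, and the "mailcious" normalisation exists because that is how the listing spells its own tag.

```python
"""IOC triage over a sandbox listing's host and URL columns (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "domain(ip)" or "domain()" when no answer was seen, optionally " - <label>".
RESOLUTION_RE = re.compile(
    rf"(?P<host>[A-Za-z0-9.-]+)\s*\((?P<ip>{IPV4})?\)(?:\s+-\s+(?P<label>[A-Za-z]+))?")
# Bare IP, optionally " - <label>".
IP_LABEL_RE = re.compile(rf"(?P<ip>{IPV4})(?:\s+-\s+(?P<label>[A-Za-z]+))?")
LABEL_FIX = {"mailcious": "malicious"}   # normalise the listing's own tag spelling
ALLOWLIST = {"www.sqlite.org"}            # assumption: SQLite project site, not an IOC

# Constructed inputs, copied from records #22458 and #22460 above.
HOSTS_22458 = (
    "www.zhukojobs.com(103.100.62.205) www.oonrreward.xyz(104.21.20.11) "
    "www.escortsforme.com(156.254.228.220) www.wenela.com(45.204.89.250) "
    "www.endtimespastor.org(66.235.200.251) www.anniistore.com(5.39.10.93) "
    "www.sqlite.org(45.33.6.223) www.remoilandgas.com(69.16.212.181) "
    "www.qmeiwen.com(107.158.76.9) 5.39.10.93 - mailcious 107.158.76.9 "
    "156.254.228.220 69.16.212.181 - malware 103.100.62.205 104.21.20.11 "
    "45.204.89.250 66.235.200.251 - mailcious 45.33.6.223")
HOSTS_22460 = "tektadgame.at() 179.43.154.154 - malware"
URLS_22458 = [  # query values shortened to their first 20 characters
    "http://www.escortsforme.com/ctap/",
    "http://www.zhukojobs.com/ctap/?YrCHivW8=E1XG9CWBON0+a9SbfBam&Dxlpd=3fmL",
    "http://www.anniistore.com/ctap/?YrCHivW8=8u93QSXfC/h8I5m86j8E&Dxlpd=3fmL",
    "http://www.remoilandgas.com/ctap/?YrCHivW8=E0T8uSBaELVLXozbUGj4&Dxlpd=3fmL",
    "http://www.wenela.com/ctap/?YrCHivW8=o1sNNbiCJpkRQnqDPpZy&Dxlpd=3fmL",
    "http://www.oonrreward.xyz/ctap/?YrCHivW8=kQZAwHnI+usX/PhpNwT2&Dxlpd=3fmL",
    "http://www.remoilandgas.com/ctap/",
    "http://www.wenela.com/ctap/",
    "http://www.escortsforme.com/ctap/?YrCHivW8=4paYNUohv+4jBuESLfUh&Dxlpd=3fmL",
    "http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip",
    "http://www.oonrreward.xyz/ctap/",
    "http://www.endtimespastor.org/ctap/?YrCHivW8=ksM9tZ19wN2dqVwNSed5&Dxlpd=3fmL",
    "http://www.zhukojobs.com/ctap/",
    "http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip",
    "http://www.anniistore.com/ctap/",
]


def normalise(label):
    return LABEL_FIX.get(label, label) if label else None


def parse_hosts(cell):
    """Split a host cell into {host: ip_or_None}, {host: label}, {ip: label}."""
    resolutions, host_flags = {}, {}
    for m in RESOLUTION_RE.finditer(cell):
        resolutions[m["host"]] = m["ip"]          # None when the sandbox saw no answer
        host_flags[m["host"]] = normalise(m["label"])
    leftover = RESOLUTION_RE.sub(" ", cell)       # only bare IPs remain
    ip_labels = {m["ip"]: normalise(m["label"]) for m in IP_LABEL_RE.finditer(leftover)}
    return resolutions, host_flags, ip_labels


def host_labels(resolutions, host_flags, ip_labels):
    """A domain keeps its own flag or inherits the label put on its IP."""
    return {h: host_flags[h] or ip_labels.get(ip) for h, ip in resolutions.items()}


def shared_paths(urls, min_hosts=2):
    """URI paths reused across several hosts, the FormBook decoy-list pattern."""
    by_path = defaultdict(set)
    for u in urls:
        p = urlsplit(u)
        by_path[p.path].add(p.hostname)
    return {path: hosts for path, hosts in by_path.items() if len(hosts) >= min_hosts}


def query_keys(urls):
    keys = set()
    for u in urls:
        keys.update(parse_qs(urlsplit(u).query, keep_blank_values=True))
    return keys


def defang_host(host):
    return host.replace(".", "[.]")


def defang(url):
    p = urlsplit(url)
    out = f"{p.scheme.replace('http', 'hxxp')}://{defang_host(p.netloc)}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


def triage(hosts_cell, urls):
    resolutions, host_flags, ip_labels = parse_hosts(hosts_cell)
    labels = host_labels(resolutions, host_flags, ip_labels)
    keep = [u for u in urls if urlsplit(u).hostname not in ALLOWLIST]
    return {
        "c2_paths": shared_paths(keep),
        "query_keys": query_keys(keep),
        "hosts": sorted(((defang_host(h), ip, labels[h]) for h, ip in resolutions.items()
                         if h not in ALLOWLIST), key=lambda t: t[0]),
        "urls": [defang(u) for u in keep],
    }


if __name__ == "__main__":
    result = triage(HOSTS_22458, URLS_22458)
    print("shared paths:", {p: sorted(h) for p, h in result["c2_paths"].items()})
    print("query keys:  ", sorted(result["query_keys"]))
    for host, ip, label in result["hosts"]:
        print(f"{host:32} {ip or '-':16} {label or '-'}")
    print(parse_hosts(HOSTS_22460))
```

Running it lists `/ctap/` as the one path shared by seven hosts with the query keys `YrCHivW8` and `Dxlpd`, attaches `malicious` to www.anniistore.com and www.endtimespastor.org and `malware` to www.remoilandgas.com through their IPs, and reports `tektadgame.at` from #22460 with no resolved address. Treat the inherited labels as the listing's opinion, not ground truth: an IP label lands on every domain that resolved to it, including shared hosting.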