22801 | 2022-12-21 17:55 |
krnl_connect.exe d2e78f6663b47a7ec04a4d014cab5ff1 Gen1 Emotet Formbook Gen2 SUSP_Certificate_file Hide_EXE Generic Malware Malicious Library UPX Malicious Packer CAB PE File PE64 VirusTotal Malware AutoRuns PDB Check memory Creates executable files unpack itself Windows RCE DNS crashed |
- |
2 |
172.67.160.130 - 104.18.114.97 -
- |
- |
4.2 | - | 39 | ZeroCERT |
22802 | 2022-12-21 17:54 |
0f5e8774150b7f0120a47909d07dc9... 7c151e9e14789c5fdb870541edd8a4e0 Malicious Library UPX PE32 OS Processor Check PE File DLL VirusTotal Malware Check memory buffers extracted WMI Creates executable files AppData folder Windows ComputerName crashed |
4 |
http://xv.yxzgamen.com/2203.html - rule_id: 22853 http://xv.yxzgamen.com/2203.html http://xv.yxzgamen.com/logo.png - rule_id: 22794 http://xv.yxzgamen.com/logo.png
2 |
xv.yxzgamen.com(104.21.27.36) - 172.67.141.51 -
- |
2 |
http://xv.yxzgamen.com/2203.html http://xv.yxzgamen.com/logo.png
5.8 | - | 53 | ZeroCERT |
22803 | 2022-12-21 17:52 |
nppshell32.exe a05a3305d0474756476862801e8b7da0 Gen1 Malicious Library UPX Malicious Packer PE32 OS Processor Check PE File DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE PDB MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Collect installed applications Check virtual network interfaces AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
2 |
http://65.108.20.122/update.zip http://65.108.20.122/1760
2 |
ow9fmogiytbh0cr.tvkwiqoy0bpkdbmb5d7h3jbuppj() - 65.108.20.122 -
1 |
ET INFO Dotted Quad Host ZIP Request
- |
13.4 | - | 52 | ZeroCERT |
22804 | 2022-12-21 17:52 |
poro.exe d19425fc6dfb409d028b8b415a357fb4 Malicious Library UPX PE32 PE File VirusTotal Malware PDB unpack itself Windows RCE DNS crashed |
- |
1 |
- |
- |
4.0 | - | 30 | ZeroCERT |
22805 | 2022-12-21 17:50 |
nojo2.2.exe 996dcccaa3103179f6b980b2a66957be Malicious Library UPX Admin Tool (Sysinternals etc ...) PE32 PE File OS Processor Check Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder human activity check Windows RAT ComputerName DNS DDNS keylogger |
- |
2 |
dezember22.duckdns.org(212.86.115.220) - 212.86.115.220 -
3 |
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- |
5.4 | - | 23 | ZeroCERT |
22806 | 2022-12-21 17:48 |
dyiewphfyyog.exe 5e8d12b5c5ef7762bcec38e696ebdc02 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 VirusTotal Malware crashed |
- |
- |
- |
- |
1.2 | - | 33 | ZeroCERT |
22807 | 2022-12-21 13:43 |
https://www.twcp.net/images/in... bf87c3db8c028151f9e9eb19f422fa0e PWS[m] Downloader task schedule Socket Create Service DGA ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges persistence FTP Http API AntiDebug AntiVM PNG Format MSOffice File JPE VirusTotal Malware Code Injection Check memory RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit Java DNS crashed |
7 |
http://www.java.com/en/download/
http://java.com/inst-dl-redirect/
http://java.com/inst-dl-redirect
http://java.com/en/download/
https://www.twcp.net/favicon.ico
https://www.twcp.net/images/index.html
https://www.stmarksfincastle.org/library/photos/large/FDA-0023-051020.jnlp
5 |
www.stmarksfincastle.org(100.26.95.170) - mailcious
www.twcp.net(100.26.95.170)
www.java.com(23.35.218.121) 100.26.95.170 - mailcious
121.254.136.81
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
- |
6.4 | M | - | ZeroCERT |
22808 | 2022-12-21 11:15 |
loaded_store_response 2.json d3aa8a016e291df294f354e4146952dc AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
- |
- |
- |
- |
3.8 | - | - | guest |
22809 | 2022-12-21 10:24 |
mp3studios_95.exe 07c8a80ab810c13ab828d94e8e43e3cf AgentTesla PWS[m] browser info stealer Google Chrome User Data Downloader Malicious Packer Create Service DGA Socket ScreenShot DNS BitCoin Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges persistence FTP H Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName RCE DNS crashed |
1 |
https://www.icodeps.com/ - rule_id: 14280
5 |
www.icodeps.com(149.28.253.196) - mailcious iplogger.org(148.251.234.83) - mailcious 149.28.253.196 - mailcious 148.251.234.83 91.106.207.89
4 |
ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
1 |
10.8 | M | 52 | ZeroCERT |
22810 | 2022-12-21 10:20 |
stealer.EXE 67bd89ea499879545a4784b1ba387b91 RAT PWS .NET framework Generic Malware Suspicious_Script UPX Malicious Library PE32 OS Processor Check .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2 |
http://37.77.239.239:15352/ https://api.ip.sb/geoip
3 |
api.ip.sb(172.67.75.172) 37.77.239.239 - malware 104.26.13.31
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
- |
8.4 | M | 64 | ZeroCERT |
22811 | 2022-12-21 10:20 |
https://www.twcp.net/images/in... bf87c3db8c028151f9e9eb19f422fa0e AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
3 |
https://www.twcp.net/favicon.ico https://www.stmarksfincastle.org/library/photos/large/FDA-0023-051020.jnlp https://www.twcp.net/images/index.html
3 |
www.stmarksfincastle.org(100.26.95.170) www.twcp.net(100.26.95.170) 100.26.95.170 - mailcious
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
- |
4.2 | - | - | ZeroCERT |
22812 | 2022-12-21 10:20 |
Pr0xyWifeStealer.exe 2bc00eb6e395ec97be60dcd9b69ebd1f RAT PWS .NET framework Generic Malware UPX PE32 OS Processor Check .NET EXE PE File FTP Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2 |
http://37.77.239.239:15352/ https://api.ip.sb/geoip
3 |
api.ip.sb(104.26.13.31) 37.77.239.239 - malware 104.26.13.31
1 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- |
6.4 | M | - | ZeroCERT |
22813 | 2022-12-21 10:20 |
music.exe 3c10a82315dff77af1026ebc85817d56 Malicious Library UPX PE32 PE File Malware download VirusTotal Malware Checks debugger unpack itself Ransomware |
2 |
http://mrmax4td.beget.tech/cmd.php?hwid=7C6024AD http://mrmax4td.beget.tech/cmd.php?timeout=1
2 |
mrmax4td.beget.tech(91.106.207.89) 91.106.207.89
1 |
ET MALWARE CerberTear Ransomware CnC Checkin
- |
2.0 | M | 21 | ZeroCERT |
22814 | 2022-12-21 10:18 |
Lgpspzhdm.dll a5e85f5cf16539ae101c80c9f9d803d0 |
- |
- |
- |
- |
- | M | - | ZeroCERT |
22815 | 2022-12-21 10:18 |
HBN.exe c32bb2d4bbff0a1584d8fe1ff09a2d4e RAT PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself |
- |
- |
- |
- |
6.6 | M | 34 | ZeroCERT |