30766 | 2022-05-25 09:36
File: wealthzx.exe
MD5: ada99df555a683678791e279044e3fe5
Tags: PWS[m] PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (1):
  http://checkip.dyndns.org/
Hosts (2): checkip.dyndns.org (132.226.8.169), 132.226.247.73
Signatures (2):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
Score: 12.4 | M | 21 | ZeroCERT

30767 | 2022-05-25 09:35
File: DirectDeposits.vbs
MD5: be69cecfe642a937c9bbad0b3c0a49c3
Tags: AgentTesla PWS[m] Gen2 browser info stealer Generic Malware Google Chrome User Data Antivirus Malicious Packer Malicious Library Create Service Socket DNS Internet API Code injection Sniff Audio KeyLogger Downloader Escalate privileges Hide_URL AntiDebug VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process AppData folder Windows ComputerName DNS Cryptographic key keylogger
URLs (2):
  http://geoplugin.net/json.gp
  http://198.12.89.134/favicon.ico
Hosts (7): geoplugin.net (178.237.33.50), google.com (172.217.26.238), saptransmissions.dvrlists.com (103.231.91.59) - malicious, 178.237.33.50, 198.12.89.134 - malicious, 142.250.207.14, 103.231.91.59
Signatures: none
Score: 17.0 | M | 2 | ZeroCERT

30768 | 2022-05-25 09:34
File: MMS.exe
MD5: 4469ca72bc5827911bd370575fe41075
Tags: RAT PWS .NET framework DNS AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (4): kingsley2022.bounceme.net (62.197.136.29) - malicious, 212.192.246.6, 62.197.136.29, 103.231.91.59
Signatures (1):
  ET POLICY DNS Query to DynDNS Domain *.bounceme .net
Score: 15.8 | M | 35 | ZeroCERT

30769 | 2022-05-25 09:34
File: toolspab3.exe
MD5: 092ee5d919e1ef891d4483c3fce3543b
Tags: Malicious Library AntiDebug AntiVM PE32 PE File VirusTotal Malware PDB Code Injection Checks debugger buffers extracted unpack itself RCE DNS
URLs: none
Hosts (1): (none listed)
Signatures: none
Score: 7.8 | M | 22 | ZeroCERT

30770 | 2022-05-25 09:33
File: XUY.exe
MD5: 1d43452837e9f7c03353b92a317fef5f
Tags: RAT PWS .NET framework DNS AntiDebug AntiVM PE32 .NET EXE PE File Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS DDNS
URLs: none
Hosts (2): xp230522.ddns.net (37.0.8.138), 37.0.8.138
Signatures (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET MALWARE Possible NanoCore C2 60B
Score: 14.8 | M | 34 | ZeroCERT

30771 | 2022-05-25 07:34
File: tel.exe
MD5: ee6f57229cd8d1156a7fbab15be254a0
Tags: UPX Malicious Library PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself
URLs: none
Hosts: none
Signatures: none
Score: 2.0 | - | 23 | ZeroCERT

30772 | 2022-05-24 18:36
File: vbc.exe
MD5: f05a460e312d90267b12335c3c86e6a8
Tags: PWS[m] Generic Malware UPX Malicious Library Antivirus Create Service DGA Socket ScreenShot DNS Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate privileges FTP Http API AntiDebug AntiVM PE32 PE File Emotet VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key DDNS crashed
URLs (4):
  http://geoplugin.net/json.gp
  https://onedrive.live.com/download?cid=F547EE3E8FFF6BF5&resid=F547EE3E8FFF6BF5%21453&authkey=AOijTcPaFAa_sFY
  https://xxggqg.bn.files.1drv.com/y4mZ04JFnfIkWTrcbGjKJqnT1_whH5a4gewQUd9rU-zn-XASy9kj8861d5lBJpZeiYItjRRzNnljnkwb-cBR7SG3qIXnbzoRculh-hJehFsDMopV_mS3cHJ15pKloJfM014cqwcYcymtXfE3IbN-GlX5I6C_DkCFpK_5vHbP03E9NaOhkc8UXhmv9g4lALU24-ASME_KLf4QhHXs5iYy9VoUg/Oywnaspxncyxayhkogvpxcsolzrnnly?download&psid=1
  https://xxggqg.bn.files.1drv.com/y4mo-OJo9wpmax2OvB29vRxbCR_XHI1S9TO9DxkvzSDmOtvVCfdjFA5iJe_tsCB5hke4QTjJLqf2DXsOokiGFDWYTUPxE1cccg9s5CHpH4mgpeJk7DEz2hTWHtbtslcxa5Szl4466KRJBjr-OM68hUz0Mri9n2FXq4bERFOmqvGuyLFMUhC1mk5TTcJ_Nro0Wjpsy2YHstADf0g6Zn42Lxg-w/Oywnaspxncyxayhkogvpxcsolzrnnly?download&psid=1
Hosts (8): geoplugin.net (178.237.33.50), onedrive.live.com (13.107.42.13) - malicious, xxggqg.bn.files.1drv.com (13.107.42.12), blackwealth001.duckdns.org (unresolved) - malicious, 13.107.42.13 - malicious, 13.107.42.12 - malware, 178.237.33.50, 185.157.162.137 - malicious
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 14.2 | M | 18 | ZeroCERT

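Four entries above (30766, 30768, 30770, 30772) fired Emerging Threats "DynDNS" signatures on dyndns.org, bounceme.net, ddns.net and duckdns.org names, and 30766 also tripped the "External IP Lookup" policy rule on checkip.dyndns.org. The block below is an added example, not part of the feed or of any sandbox: it parses the feed's own host fields (copied verbatim, including the feed's "mailcious" spelling, which it normalises) and flags the same two conditions offline. The zone list and the external-IP service list are assumptions limited to what appears on this page; real rule sets carry far more.

```python
"""Flag dynamic-DNS lookups and external-IP checks in sandbox host fields.

Added example, not part of the feed. Reproduces the logic behind the ET
"Query to DynDNS Domain" and "External IP Lookup" signatures: the queried
name is a subdomain of a known dynamic-DNS zone, or is a known
what-is-my-IP service.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: only the zones this feed's signatures fired on.
DDNS_ZONES = frozenset({"dyndns.org", "bounceme.net", "ddns.net", "duckdns.org"})
# Assumption: the one external-IP service seen in entry 30766.
EXTERNAL_IP_SERVICES = frozenset({"checkip.dyndns.org"})
# The feed annotates hosts with "- mailcious"; normalise that spelling.
LABEL_FIX = {"mailcious": "malicious"}

# Tokens look like "name(ip)", "name()" (unresolved) or a bare IPv4,
# optionally followed by " - <label>".
TOKEN_RE = re.compile(r"(?P<tok>\S+)(?:\s+-\s+(?P<label>[a-z]+))?")
HOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)\((?P<ip>[0-9.]*)\)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Host:
    name: str | None    # DNS name, None for bare-IP entries
    ip: str | None      # resolved address, None if unresolved ("name()")
    label: str | None   # feed annotation such as "malicious", else None


def parse_hosts(field: str) -> list[Host]:
    """Split one space-separated host field from the feed into Host records."""
    hosts = []
    for m in TOKEN_RE.finditer(field):
        tok, label = m.group("tok"), m.group("label")
        label = LABEL_FIX.get(label, label)
        if (h := HOST_RE.match(tok)):
            hosts.append(Host(h["name"].lower(), h["ip"] or None, label))
        elif IPV4_RE.match(tok):
            hosts.append(Host(None, tok, label))
        else:
            raise ValueError(f"unrecognised host token: {tok!r}")
    return hosts


def ddns_zone(name: str) -> str | None:
    """Return the dynamic-DNS zone `name` sits under, or None.

    The bare zone itself does not count: like the ET rules we want
    "*.ddns.net", not a lookup of "ddns.net".
    """
    labels = name.lower().rstrip(".").split(".")
    for n in range(2, len(labels)):
        zone = ".".join(labels[-n:])
        if zone in DDNS_ZONES:
            return zone
    return None


def findings(field: str) -> list[tuple[str, str]]:
    """Return (category, hostname) pairs for the hosts worth a second look."""
    out = []
    for h in parse_hosts(field):
        if h.name is None:
            continue
        if h.name in EXTERNAL_IP_SERVICES:
            out.append(("external_ip_lookup", h.name))
        if ddns_zone(h.name):
            out.append(("dynamic_dns", h.name))
    return out


# Host fields copied verbatim from entries 30766 and 30772 of this feed.
HOSTS_30766 = "checkip.dyndns.org(132.226.8.169) 132.226.247.73"
HOSTS_30772 = (
    "geoplugin.net(178.237.33.50) onedrive.live.com(13.107.42.13) - mailcious "
    "xxggqg.bn.files.1drv.com(13.107.42.12) blackwealth001.duckdns.org() - mailcious "
    "13.107.42.13 - mailcious 13.107.42.12 - malware 178.237.33.50 185.157.162.137 - mailcious"
)

if __name__ == "__main__":
    for fld in (HOSTS_30766, HOSTS_30772):
        print(findings(fld))
```

A dynamic-DNS hit on its own is a policy event, not a verdict; it becomes interesting in combination with the rest of the record (a .NET stealer tag set, a NanoCore C2 signature, an unresolved duckdns name next to a Tofsee JA3 hit). The external-IP lookup is the same: checkip.dyndns.org is how many stealers learn the victim's public address before exfiltrating it.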
30773 | 2022-05-24 18:36
File: majMSPharm.exe
MD5: 6c53f542fb4bf76bba5492fdcd68241b
Tags: Malicious Library PE32 PE File DLL VirusTotal Malware Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check DNS
URLs: none
Hosts (1): 185.157.162.137 - malicious
Signatures: none
Score: 2.8 | M | 25 | ZeroCERT

30774 | 2022-05-24 18:34
File: csrss.exe
MD5: 2fc4ab028a0b12f36f20a929118f42c2
Tags: Formbook PWS .NET framework Generic Malware Antivirus KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs (8):
  http://www.adgelin.com/orte/?2dqLWP=lksIQWYu6cAksj+JrztFlIunrblB3zzQ6iRMnWfVbTHC8dXADbOAKc5TVqaSLay2bBp1DNJ9&LZND=XVM4it4P
  http://www.lagunaniguellawsuit.com/orte/?2dqLWP=+gjhxBcHx5DxCiuuy6CuW2XPeJFwItZDl08sY/o+Uln4UY6Jr7inphJLqrRrwM8a0l0HtOw+&LZND=XVM4it4P
  http://www.almanayif.com/orte/?2dqLWP=ZLYDXpVoaNeQPXqILBUIJmsuTSbcAEtzsPFmaO7NIG3zaK09G07L6THtY0431ap8rwbHwcRO&LZND=XVM4it4P
  http://www.prochesta.xyz/orte/?2dqLWP=vwB6nUbkWv0EYZJZ0y14U2WUb2chdCQ3YVzLja4bbXsM7womuH2qHD36mtFi4RrBPLHI9UBy&LZND=XVM4it4P
  http://www.pixelskygame.com/orte/?2dqLWP=IAfjKt2BEqwPLZy6a48j7/Wps/DHeSo9HQIws3W+7HZFKWFSloMowYGL+phbGjiXNrdmfV9b&LZND=XVM4it4P
  http://www.leadfirst.us/orte/?2dqLWP=9VcAWgyiK7tsXPfZHLefYRuh0nU83OPPkT6A4LUFRRtuqbsZe6O8ObE1PUkPllJpn03vNOik&LZND=XVM4it4P
  http://www.kusurinokinoken.com/orte/?2dqLWP=Mhh1c0FQs/RPGrzLV0a9bP9YJjYld98utnFtRGUcqiuaNiWvbdhYkgTaJSczzNnRzCDW5Zjz&LZND=XVM4it4P
  http://www.digitalworkoption.com/orte/?2dqLWP=rb0eclsS2SG66Bfj0KfUccSwNEwbX66xBvTeEmbytOlL75RSJgmlsLSonPTfsPKk7bZpSMYF&LZND=XVM4it4P
Hosts (16): www.lagunaniguellawsuit.com (34.98.99.30), www.prochesta.xyz (66.29.141.228), www.digitalworkoption.com (217.21.84.73), www.pixelskygame.com (34.102.136.180), www.adgelin.com (45.199.116.85), www.leadfirst.us (208.91.197.27), www.kusurinokinoken.com (103.224.212.221), www.almanayif.com (208.91.197.91), 34.98.99.30 - phishing, 66.29.141.228, 45.199.116.85, 217.21.84.73, 34.102.136.180 - malicious, 208.91.197.91 - malicious, 103.224.212.221 - malicious, 208.91.197.27 - malicious
Signatures (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 12.2 | - | 27 | ZeroCERT

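The eight URLs in entry 30774 are the characteristic FormBook check-in: eight unrelated domains, one path ("/orte/"), the same two query keys in the same order, and a second value ("LZND=XVM4it4P") that never changes while the first carries the encoded beacon. FormBook walks a built-in list of domains (most of them decoys) with a single URI template, so the template is the durable indicator, not any one domain. The block below is an added example, not part of the feed and not FormBook's or the ET rule's own code: it clusters URLs from proxy or sandbox logs by path and query-key shape and reports clusters that span several hosts, using the page's own URLs (plus three unrelated ones from entries 30766 and 30767) as constructed input. The three-domain threshold is an assumption.

```python
"""Cluster URLs by path and query-key shape to surface FormBook-style check-ins.

Added example, not part of the feed. A cluster of the same path and query
keys across many distinct domains, with one parameter constant and one
varying, is the shape the ET "FormBook CnC Checkin (GET)" rule keys on.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit


def url_shape(url: str) -> tuple[str, tuple[str, ...]]:
    """Path plus the ordered query-key names: what stays fixed across decoy domains."""
    parts = urlsplit(url)
    keys = tuple(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return parts.path, keys


def constant_params(urls: list[str]) -> dict[str, str]:
    """Query parameters present in every URL whose value never changes."""
    seen_in: Counter[str] = Counter()
    values: dict[str, set[str]] = defaultdict(set)
    for u in urls:
        for k, v in parse_qsl(urlsplit(u).query, keep_blank_values=True):
            seen_in[k] += 1
            values[k].add(v)
    return {k: next(iter(values[k]))
            for k, n in seen_in.items() if n == len(urls) and len(values[k]) == 1}


def checkin_clusters(urls: list[str], min_domains: int = 3) -> list[dict]:
    """Group URLs by shape; report the groups that span at least `min_domains` hosts."""
    groups: dict[tuple[str, tuple[str, ...]], list[str]] = defaultdict(list)
    for u in urls:
        groups[url_shape(u)].append(u)
    clusters = []
    for (path, keys), members in groups.items():
        domains = sorted({urlsplit(u).hostname for u in members})
        if len(domains) >= min_domains:
            clusters.append({
                "path": path,
                "keys": keys,
                "domains": domains,
                "constant": constant_params(members),
            })
    return clusters


# Constructed input: the eight URLs from entry 30774 plus three unrelated URLs
# from entries 30766 and 30767, so the clustering has something to ignore.
SAMPLE_URLS = [
    "http://www.adgelin.com/orte/?2dqLWP=lksIQWYu6cAksj+JrztFlIunrblB3zzQ6iRMnWfVbTHC8dXADbOAKc5TVqaSLay2bBp1DNJ9&LZND=XVM4it4P",
    "http://www.lagunaniguellawsuit.com/orte/?2dqLWP=+gjhxBcHx5DxCiuuy6CuW2XPeJFwItZDl08sY/o+Uln4UY6Jr7inphJLqrRrwM8a0l0HtOw+&LZND=XVM4it4P",
    "http://www.almanayif.com/orte/?2dqLWP=ZLYDXpVoaNeQPXqILBUIJmsuTSbcAEtzsPFmaO7NIG3zaK09G07L6THtY0431ap8rwbHwcRO&LZND=XVM4it4P",
    "http://www.prochesta.xyz/orte/?2dqLWP=vwB6nUbkWv0EYZJZ0y14U2WUb2chdCQ3YVzLja4bbXsM7womuH2qHD36mtFi4RrBPLHI9UBy&LZND=XVM4it4P",
    "http://www.pixelskygame.com/orte/?2dqLWP=IAfjKt2BEqwPLZy6a48j7/Wps/DHeSo9HQIws3W+7HZFKWFSloMowYGL+phbGjiXNrdmfV9b&LZND=XVM4it4P",
    "http://www.leadfirst.us/orte/?2dqLWP=9VcAWgyiK7tsXPfZHLefYRuh0nU83OPPkT6A4LUFRRtuqbsZe6O8ObE1PUkPllJpn03vNOik&LZND=XVM4it4P",
    "http://www.kusurinokinoken.com/orte/?2dqLWP=Mhh1c0FQs/RPGrzLV0a9bP9YJjYld98utnFtRGUcqiuaNiWvbdhYkgTaJSczzNnRzCDW5Zjz&LZND=XVM4it4P",
    "http://www.digitalworkoption.com/orte/?2dqLWP=rb0eclsS2SG66Bfj0KfUccSwNEwbX66xBvTeEmbytOlL75RSJgmlsLSonPTfsPKk7bZpSMYF&LZND=XVM4it4P",
    "http://checkip.dyndns.org/",
    "http://geoplugin.net/json.gp",
    "http://198.12.89.134/favicon.ico",
]

if __name__ == "__main__":
    for c in checkin_clusters(SAMPLE_URLS):
        print(c["path"], c["keys"], len(c["domains"]), "domains, constant:", c["constant"])
```

Over real proxy logs, CDN and ad-tracker templates also repeat a path and key set across many hosts, so raise min_domains, restrict to requests with minimal headers (the companion ET HUNTING rule above), or require that the varying parameter looks like an opaque blob rather than a readable value before treating a cluster as a check-in.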
30775 | 2022-05-24 18:34
File: data64_4.exe
MD5: d76ba31bdfb2bb3b2a14704e7ed1c094
Tags: Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself RCE
URLs: none
Hosts: none
Signatures: none
Score: 2.2 | M | 26 | ZeroCERT

30776 | 2022-05-24 18:32
File: csrss.exe
MD5: 4ef6c0f9a237f7aed67b79b6e5d3e1cc
Tags: Formbook RAT PWS .NET framework Generic Malware Antivirus AntiDebug AntiVM PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs: none
Hosts: none
Signatures: none
Score: 11.2 | M | 39 | ZeroCERT

30777 | 2022-05-24 18:32
File: data64_4.exe
MD5: 81df5c60780873d34e488655e3838c4d
Tags: Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself RCE
URLs: none
Hosts: none
Signatures: none
Score: 2.4 | M | 34 | ZeroCERT

30778 | 2022-05-24 18:30
File: c7crGdejW4380ORuxqR
MD5: d5e9618a54167e7ad174deee219e51a1
Tags: UPX Malicious Packer Malicious Library DLL PE File PE64 Dridex TrickBot VirusTotal Malware Report AutoRuns Checks debugger ICMP traffic unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Kovter Windows ComputerName RCE DNS
URLs: none
Hosts (15, all tagged malicious): 160.16.143.191, 202.29.239.162, 202.28.34.99, 104.248.225.227, 62.171.178.147, 196.44.98.190, 195.77.239.39, 87.106.97.83, 210.57.209.142, 190.90.233.66, 110.235.83.107, 165.22.73.229, 134.122.119.23, 37.44.244.177, 88.217.172.165
Signatures (3):
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 13
Score: 8.2 | - | 8 | ZeroCERT

30779 | 2022-05-24 18:24
File: document302.lnk
MD5: e134136d442a5c16465d9d7e8afb5ebe
Tags: Generic Malware Antivirus AntiDebug AntiVM GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs (1):
  https://news-wellness.com/5MVhfo8BnDub/D.png
Hosts (1): news-wellness.com (192.185.16.138)
Signatures: none
Score: 5.8 | - | 29 | guest

30780 | 2022-05-24 17:39
Submitted URL: http://14.128.55.148/daol/daol...
MD5: 0c4684f95e29cf2ddee362c7e8abe41f
Tags: PWS[m] Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate privileges persistence FTP Http API AntiDebug AntiVM MSOffice File JPEG Format Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (5):
  http://wsgadd.kt.com/favicon.ico
  http://wsgadd.kt.com/smartcs/img/smishing02.jpg
  http://wsgadd.kt.com/nocache/s_smishing.html
  http://wsgadd.kt.com/smartcs/css/smart_common.css
  http://14.128.55.148/daol/daol.apk
Hosts (3): wsgadd.kt.com (14.63.149.212), 14.63.149.212, 14.128.55.148
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 5.2 | - | - | guest
