30871 | 2022-05-23 07:41
File: pppp.exe
MD5: 523e3a307421539d0d7288098359a3e1
Tags: UPX, Malicious Library, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Creates executable files, unpack itself, AppData folder
Score 5.6 | M | VirusTotal 38 | Submitted by ZeroCERT

30872 | 2022-05-23 07:40
File: update.exe
MD5: 9d46b723ec666db3e73ae900c474d660
Tags: RAT, njRAT, backdoor, Generic Malware, UPX, Malicious Library, PE32, OS Processor Check, PE File, .NET EXE, VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, ICMP traffic, unpack itself, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, RCE, DNS
Hosts (5):
  namemaay.beget.tech(91.106.207.43) - malware
  www.whatsmyip.us(192.169.61.196)
  178.33.93.88
  91.106.207.43 - malware
  192.169.61.196
Suricata alerts (3):
  ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Score 11.8 | M | VirusTotal 54 | Submitted by ZeroCERT

30873 | 2022-05-23 07:39
File: key.exe
MD5: 30a8841666deb07c981ce7280225ccc9
Tags: PWS[m], RAT, PWS, .NET framework, UPX, SMTP, KeyLogger, AntiDebug, AntiVM, PE32, OS Processor Check, .NET EXE, PE File, Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AgentTesla, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
Hosts (2):
  ftp.alonsorojasmudanzasnacionales.com(162.213.251.217)
  162.213.251.217
Suricata alerts (2):
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE AgentTesla Exfil via FTP
Score 11.4 | M | VirusTotal 41 | Submitted by ZeroCERT

30874 | 2022-05-23 07:37
File: s1.exe
MD5: 40fdf86711473f5ea0f0ba120234f9e2
Tags: PE32, PE File, VirusTotal, Malware, DNS
Hosts (3):
  botnet.local()
  135.125.248.50
  218.38.137.28
Score 2.6 | M | VirusTotal 39 | Submitted by ZeroCERT

30875 | 2022-05-23 07:35
File: polx.exe
MD5: c65326b66f8e1799d3b4b62ced8431ad
Tags: UPX, Malicious Library, Admin Tool (Sysinternals etc ...), PE32, OS Processor Check, PE File, VirusTotal, Malware, AutoRuns, unpack itself, AntiVM_Disk, VM Disk Size Check, Windows, RCE, DNS
Hosts (1): entry not listed on the page
Score 4.4 | M | VirusTotal 37 | Submitted by ZeroCERT

30876 | 2022-05-23 01:12
File: jordanwiresharkcapture.pcapng
MD5: 05254e8b9b15ef97100a8c0948faad4c
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName
Score 3.4 | Submitted by guest

30877 | 2022-05-22 20:32
File: kingz.exe
MD5: a6ba70f75f6fab4748bffe1784e7e8ff
Tags: RAT, PWS, .NET framework, PDF Suspicious Link, PDF, PE32, .NET EXE, PE File, icon, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, Creates shortcut, AppData folder
HTTP requests (1):
  http://soapbeginshops.com/ItsMe.zip
Hosts (2):
  soapbeginshops.com(34.118.86.4) - malware
  34.118.86.4
Suricata alerts (1):
  ET HUNTING SUSPICIOUS .LNK File Inside of Zip
Score 4.0 | VirusTotal 35 | Submitted by ZeroCERT

30878 | 2022-05-22 20:30
File: fart.exe
MD5: b8ee75a53bc59d914dbeb41872191014
Tags: UPX, Malicious Library, PE32, OS Processor Check, PE File, PDB, unpack itself, RCE, DNS
Hosts (1):
  134.122.225.195 - malicious
Score 1.8 | Submitted by ZeroCERT

30879 | 2022-05-22 20:29
File: vbc.exe
MD5: b3a25f8fa62494ca8b99b28c4b4bb9b7
Tags: Formbook, RAT, PWS, .NET framework, Generic Malware, UPX, Antivirus, AntiDebug, AntiVM, PE32, OS Processor Check, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
HTTP requests (12):
  http://www.dems-clicks.com/n6g4/?0VMpQL=oW3KVVYYTUw3Xgh7G4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm/ttkP2lbtcwkQ6MOydt&iJE=zL3h7bmHut - rule_id: 17246
  http://www.alcosto.club/n6g4/ - rule_id: 17250
  http://www.jamesreadtanusa.com/n6g4/?0VMpQL=T/V9232TN4PjucCwYjNRob4pJIAHZz6ft2wCm65vS+Ocj7fFlNP5KXcBigkedQCEz2XJhWmY&iJE=zL3h7bmHut&IA1c=PFQHrpEh - rule_id: 17977
  http://www.lucianaejoaoalberto.com/n6g4/?0VMpQL=PDy0X1NkxyeRTPS9Hg1+w0z6zI6vnvFOvFKK5AHuzUwb//Ug4g5dl9YRwhfo+s5tspSgwq+W&iJE=zL3h7bmHut&TlEU=TJBh5J90 - rule_id: 17978
  http://www.moment4miracles.com/n6g4/ - rule_id: 17833
  http://www.agelessfish.com/n6g4/ - rule_id: 18143
  http://www.jamesreadtanusa.com/n6g4/ - rule_id: 17977
  http://www.agelessfish.com/n6g4/?0VMpQL=VVT0eV61/duqSEOzU/upkp96eNUViODnSPjhFuoMZk9HTCgswXUihgeBz4Z2JJbjJkgG4Igj&iJE=zL3h7bmHut&ee-F=jJBH0bTp - rule_id: 18143
  http://www.moment4miracles.com/n6g4/?0VMpQL=PsntvU6v4CRkSuqaFHZW0pb5PTAK+hbatLrgbJuIkT0ZTI72gQG9OaDIbkaiFRK5RvhsvPxb&iJE=zL3h7bmHut&xeYx=5j_PCRd0 - rule_id: 17833
  http://www.alcosto.club/n6g4/?0VMpQL=2el/ot7c5YMBGOF4tAPHNftfrICusYpqYK7DNkJepwGfwFVVH29M1MFuPNXmLzoTPja39Bx2&iJE=zL3h7bmHut&5ZY9=Xvj4_D9P - rule_id: 17250
  http://www.lucianaejoaoalberto.com/n6g4/ - rule_id: 17978
  http://www.properscooter.com/n6g4/?0VMpQL=DeftxpR3TRPe5NFKk/LljwybnwLEUT8BN/b1MZfkXYi6MjbwZ6CvqT6X0aj26vTajWgafl+S&iJE=zL3h7bmHut
Hosts (16):
  www.moment4miracles.com(208.91.197.27)
  www.properscooter.com(198.54.116.236)
  www.admincost.com()
  www.theastralark.com()
  www.alcosto.club(34.102.136.180)
  www.dems-clicks.com(5.183.8.183)
  www.jamesreadtanusa.com(35.209.127.155)
  www.agelessfish.com(134.122.225.195)
  www.lucianaejoaoalberto.com(34.95.69.141)
  198.54.116.236 - malicious
  208.91.197.27 - malicious
  134.122.225.195 - malicious
  34.102.136.180 - malicious
  5.183.8.183 - malicious
  34.95.69.141 - malicious
  35.209.127.155 - malicious
Suricata alerts (2):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
Malicious URL matches (11):
  http://www.dems-clicks.com/n6g4/
  http://www.alcosto.club/n6g4/
  http://www.jamesreadtanusa.com/n6g4/
  http://www.lucianaejoaoalberto.com/n6g4/
  http://www.moment4miracles.com/n6g4/
  http://www.agelessfish.com/n6g4/
  http://www.jamesreadtanusa.com/n6g4/
  http://www.agelessfish.com/n6g4/
  http://www.moment4miracles.com/n6g4/
  http://www.alcosto.club/n6g4/
  http://www.lucianaejoaoalberto.com/n6g4/
Score 11.0 | M | VirusTotal 40 | Submitted by ZeroCERT

30880 | 2022-05-20 17:56
File: boy.exe
MD5: dbf26c4b639792e4ea4f934f7795bf51
Tags: Formbook, RAT, Hide_EXE, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, Phishing, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key, crashed
HTTP requests (17):
  http://www.youvegotfeet.site/h4ed/
  http://www.mostbet-official23.xyz/h4ed/?h0DlqZ5=RYlU/24uolBBq9KNccrN7RxMzRFIEq3ulbhJdiKNQ6PAtjuhl0038ypRtViWXRqb3n6F/LFM&T8kD=9rJd4VDX-Zih9p2&-0sD=hBZLW8l8
  http://www.www521n136.xyz/h4ed/?h0DlqZ5=8UtR4/Qg56ouMQmQxnLlJAOmpeE36dGWhglqWZUdyBOdTXXUM2rdgl/3NozcsACkIxBszDbp&T8kD=9rJd4VDX-Zih9p2&PccJ=ehItfJ5X
  http://www.thesmashburguer.com/h4ed/?h0DlqZ5=opAvKuvuj1R7iPC6mSm2YBL12wxb/vAU1Q+ngiwB1TH0lIDZfuO1xLhtRHPkzPG6wEWPddFw&T8kD=9rJd4VDX-Zih9p2&IbJh=BvIXf4ip
  http://www.thesmashburguer.com/h4ed/
  http://www.www521n136.xyz/h4ed/
  http://www.alzaeem-express.com/h4ed/?h0DlqZ5=AT4y0nJM8G2R6HaF5TgM+TzJ4LfNaKpMia2c10exL7CG7iikHfL77VieCyxdcwOtDJKqqBpo&T8kD=9rJd4VDX-Zih9p2&0ERJ=sZODWFjh
  http://www.youvegotfeet.site/h4ed/?h0DlqZ5=qmdE+1yTteJJFtW9saEt5krCVIWkMMow7I8xG9DK1rkqu3LAj0ykekFIRUWzUD3mvsdcnigi&T8kD=9rJd4VDX-Zih9p2&jrwl=NZYX_n5H
  http://www.alzaeem-express.com/h4ed/
  http://www.philipconnected.com/h4ed/?h0DlqZ5=mT0j0qnJ3bMDh7u7+ii72nMtrbDE7CkQWWC8DLeidKABqyfY/s/jRoZvsLdrPlIf/7Fe5NiA&T8kD=9rJd4VDX-Zih9p2&iHNL=j488vFxx
  http://www.philipconnected.com/h4ed/
  http://www.vakexport.com/h4ed/
  http://www.keritmed.com/h4ed/?h0DlqZ5=VjpKLtPknWCyJ9Td7Rq1FxlsvF+WzcJFVQPfQlUOeouyWsNSOEubtY3bqlCctUJupQ4vtZ/o&T8kD=9rJd4VDX-Zih9p2&jdGD=SVj0xR6H
  http://www.vakexport.com/h4ed/?h0DlqZ5=2ozlpkkrANeZW3mN0j0XLVoiuqfGLkAw7RCVS4L1xnuLXLIwDE2Oi45Vvk0bEeuPPF+/1RYb&T8kD=9rJd4VDX-Zih9p2&GWrH=Txlpd4m8
  http://www.mostbet-official23.xyz/h4ed/
  http://www.momentums6.com/h4ed/?h0DlqZ5=BOXNB069vjs3hcMjYJKxUXw+0Cx8GzkwhLVnIFqmwAmUCK849GgTC9YMaPbw1ZYDgPd4GzDM&T8kD=9rJd4VDX-Zih9p2
  http://www.keritmed.com/h4ed/
Hosts (20):
  www.philipconnected.com(45.152.44.246)
  www.keritmed.com(185.221.110.23)
  www.youvegotfeet.site(209.17.116.163)
  www.city-love.net()
  www.mostbet-official23.xyz(172.67.158.185)
  www.llmaster.com()
  www.momentums6.com(199.192.20.96)
  www.alzaeem-express.com(185.166.188.98)
  www.vakexport.com(51.91.70.94)
  www.thesmashburguer.com(217.160.0.239)
  www.www521n136.xyz(35.227.213.26)
  217.160.0.239 - phishing
  209.17.116.163 - malicious
  199.192.20.96
  51.91.70.94
  172.67.158.185
  35.227.213.26
  185.166.188.98
  45.152.44.246
  185.221.110.23
Suricata alerts (3):
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
  ET MALWARE FormBook CnC Checkin (GET)
Score 10.8 | VirusTotal 33 | Submitted by ZeroCERT

30881 | 2022-05-20 17:51
File: bcg.exe
MD5: 24435824ef7a6d34dc007456dd22ade4
Tags: RAT, AntiDebug, AntiVM, PE32, .NET EXE, PE File, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
HTTP requests (2):
  http://www.ballsybanter.com/s4s9/?9rQl7P=TqxF/mj0Qw8ODJX0Sata3aYUCs40FhFmrKO7RP1b+MM+3kge1eIbIfWWVGLptFy6roAs3S8v&EhL0Nv=gdDdYxcPgT
  http://darley.ml/m/Yyrmiyzmg_Kiiarffc.png
Hosts (6):
  www.usaprostatecenter.com()
  www.52appmj.com() - malicious
  www.ballsybanter.com(172.96.185.199)
  darley.ml(192.185.174.178)
  172.96.185.199 - malicious
  192.185.174.178 - malware
Suricata alerts (4):
  ET HUNTING Request to .ML Domain with Minimal Headers
  ET INFO HTTP Request to a *.ml domain
  ET INFO DNS Query for Suspicious .ml Domain
  ET MALWARE FormBook CnC Checkin (GET)
Score 9.4 | VirusTotal 17 | Submitted by ZeroCERT

30882 | 2022-05-20 17:44
File: update.exe
MD5: b4aa27a1339c69d99121a4fe4fac94f7
Tags: Generic Malware, UPX, Antivirus, PE File, PE64, VirusTotal, Malware, powershell, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, Windows, ComputerName, DNS, Cryptographic key
Hosts (3):
  pastebin.com(172.67.34.170) - malicious
  23.105.131.193
  172.67.34.170 - malicious
Score 7.8 | VirusTotal 46 | Submitted by ZeroCERT

30883 | 2022-05-20 17:43
File: Protected Client.vbs
MD5: 55229dd65a8d4ee3d454fe9d2da3b194
Tags: AgentTesla, PWS[m], Gen2, browser info stealer, Generic Malware, Google Chrome User Data, Malicious Packer, Malicious Library, Antivirus, Create Service, Socket, ScreenShot, DNS, Code injection, Sniff Audio, KeyLogger, Downloader, Escalate privileges, Hide_URL, AntiDebug, A (truncated on the page), VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, heapspray, Creates shortcut, Creates executable files, ICMP traffic, unpack itself, Check virtual network interfaces, suspicious process, AppData folder, Windows, ComputerName, Cryptographic key
HTTP requests (3):
  http://gotovacoil.com/cname/attack.txt
  http://gotovacoil.com/favicon.ico
  http://gotovacoil.com/cname/Encrypted%20Client%20OG.jpg
Hosts (6):
  google.com(172.217.161.78)
  donlin.dvrlists.com(23.105.131.193)
  gotovacoil.com(72.48.234.249) - malicious
  72.48.234.249 - malware
  216.58.220.110 - malicious
  23.105.131.193
Score 15.8 | VirusTotal 22 | Submitted by ZeroCERT

30884 | 2022-05-20 17:41
File: pm.exe
MD5: 22e6d862d6f51b6283b60badf02b6f81
Tags: RAT, Hide_EXE, PE32, .NET EXE, PE File, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
Score 2.4 | VirusTotal 48 | Submitted by ZeroCERT

30885 | 2022-05-20 17:39
File: smss.exe
MD5: 0e69f6e65c1499ec9529d74f53bfe8d0
Tags: Loki, PWS[m], PWS, Loki[b], Loki.m, RAT, .NET framework, UPX, Socket, DNS, AntiDebug, AntiVM, PE32, OS Processor Check, .NET EXE, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
HTTP requests (1):
  http://sempersim.su/gf16/fre.php - rule_id: 17217
Hosts (2):
  sempersim.su(45.10.245.123) - malicious
  45.10.245.123 - malicious
Suricata alerts (9):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Malicious URL matches (1):
  http://sempersim.su/gf16/fre.php
Score 13.4 | M | VirusTotal 14 | Submitted by ZeroCERT

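The host and URL columns of these records follow a small fixed grammar: a host entry is either host(ip), host() for a name that never resolved, or a bare address, each optionally followed by " - label"; a URL entry is the URL optionally followed by " - rule_id: N". The Python below is an added example, not code from the sandbox or from ZeroCERT, that parses those columns into structured indicators, reduces FormBook beacon URLs to the stable scheme/host/path (which is what the "Malicious URL matches" column of record 30879 shows: the query changes per beacon, the /n6g4/ path does not), builds a deduplicated blocklist, and defangs indicators for sharing. The sample input is copied from records 30879 and 30881 above; the Ioc class, the function names and the assumption that the sandbox export spells its reputation tag "mailcious" are this example's own.

```python
"""Parse the host and URL columns of the sandbox listing into structured IOCs
(added example, not sandbox code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

HOST_RE = re.compile(r"^(?P<name>[^()\s]+)\((?P<ip>[^)]*)\)$")   # host(ip) / host()
URL_RE = re.compile(r"^(?P<url>\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?$")
LABEL_FIX = {"mailcious": "malicious"}  # assumption: the raw export misspells this tag


@dataclass(frozen=True)
class Ioc:  # hypothetical container, not a sandbox type
    kind: str                        # "domain", "ip" or "url"
    value: str
    label: Optional[str] = None      # reputation tag from the listing, if any
    resolved_to: Optional[str] = None
    rule_id: Optional[int] = None    # malicious-URL rule that matched, if any


def _split_label(entry: str) -> tuple[str, Optional[str]]:
    if " - " not in entry:
        return entry, None
    value, label = (s.strip() for s in entry.split(" - ", 1))
    return value, LABEL_FIX.get(label, label)


def parse_host_entry(entry: str) -> list[Ioc]:
    """One host-column entry -> the domain IOC and, if it resolved, the IP IOC."""
    value, label = _split_label(entry.strip())
    m = HOST_RE.match(value)
    if m:
        name, ip = m.group("name").lower(), m.group("ip").strip()
        iocs = [Ioc("domain", name, label, resolved_to=ip or None)]
        if ip:
            iocs.append(Ioc("ip", ip, label))
        return iocs
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return [Ioc("domain", value.lower(), label)]
    return [Ioc("ip", value, label)]


def parse_url_entry(entry: str) -> Ioc:
    """One URL-column entry -> URL IOC, keeping the rule_id when one is given."""
    m = URL_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised URL entry: {entry!r}")
    rule = m.group("rule")
    return Ioc("url", m.group("url"), rule_id=int(rule) if rule else None)


def c2_path(url: str) -> str:
    """Scheme/host/path only: FormBook rotates the query on every beacon, so
    the path (e.g. /n6g4/) is the part worth matching on."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def matched_paths(url_entries: list[str]) -> list[str]:
    """Paths of the URLs that hit a malicious-URL rule, one per hit."""
    return [c2_path(i.value) for i in map(parse_url_entry, url_entries) if i.rule_id]


def blocklist(host_entries: list[str]) -> dict[str, dict[str, Optional[str]]]:
    """Unique domains and IPs with their reputation tag. The listing repeats an
    IP both inside host(ip) and as a bare tagged entry; a tag always wins."""
    out: dict[str, dict[str, Optional[str]]] = {"domain": {}, "ip": {}}
    for entry in host_entries:
        for ioc in parse_host_entry(entry):
            if out[ioc.kind].get(ioc.value) is None:
                out[ioc.kind][ioc.value] = ioc.label
    return out


def defang(indicator: str) -> str:
    """Neutralise an indicator for pasting into tickets or chat."""
    if "://" in indicator:
        p = urlsplit(indicator)
        scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
        return urlunsplit((scheme, p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))
    return indicator.replace(".", "[.]")


# Sample input copied from the listing: the first four URL entries of record
# 30879 and the six host entries of record 30881.
SAMPLE_URLS = [
    "http://www.dems-clicks.com/n6g4/?0VMpQL=oW3KVVYYTUw3Xgh7G4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm/ttkP2lbtcwkQ6MOydt&iJE=zL3h7bmHut - rule_id: 17246",
    "http://www.alcosto.club/n6g4/ - rule_id: 17250",
    "http://www.jamesreadtanusa.com/n6g4/?0VMpQL=T/V9232TN4PjucCwYjNRob4pJIAHZz6ft2wCm65vS+Ocj7fFlNP5KXcBigkedQCEz2XJhWmY&iJE=zL3h7bmHut&IA1c=PFQHrpEh - rule_id: 17977",
    "http://www.properscooter.com/n6g4/?0VMpQL=DeftxpR3TRPe5NFKk/LljwybnwLEUT8BN/b1MZfkXYi6MjbwZ6CvqT6X0aj26vTajWgafl+S&iJE=zL3h7bmHut",
]
SAMPLE_HOSTS = [
    "www.usaprostatecenter.com()",
    "www.52appmj.com() - mailcious",
    "www.ballsybanter.com(172.96.185.199)",
    "darley.ml(192.185.174.178)",
    "172.96.185.199 - mailcious",
    "192.185.174.178 - malware",
]

if __name__ == "__main__":
    for kind, items in blocklist(SAMPLE_HOSTS).items():
        for value, label in items.items():
            print(kind, defang(value), label or "")
    for path in matched_paths(SAMPLE_URLS):
        print("url", defang(path))
```

Run as a script it prints the blocklist and matched paths defanged; imported, blocklist() and matched_paths() return plain structures that can be fed to a proxy denylist or a Suricata dataset. The properscooter.com request is deliberately left out of matched_paths() because the listing attaches no rule_id to it, mirroring how the sandbox's own "Malicious URL matches" column omits it.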