| 3091 |
2024-06-11 07:39
|
 conhost.exe 8378455f7c8a30d74b355adaf576a10b
XMRig Miner Emotet Cryptocurrency Miner Suspicious_Script_Bin Generic Malware CoinHive Cryptocurrency task schedule Downloader Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate pri VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key |
4
http://147.45.47.81/xmrig.exe
http://147.45.47.81/WatchDog.exe
http://147.45.47.81/WinRing0x64.sys
https://pastebin.com/raw/2qX4CwaY
|
3
pastebin.com(172.67.19.24) - mailcious
147.45.47.81 - malware
172.67.19.24 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3092 |
2024-06-11 07:36
|
 meta0906.exe 05a1e80be42d093214516f6862c84ad9
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3093 |
2024-06-11 07:36
|
 dmshell.exe a62abdeb777a8c23ca724e7a2af2dbaa
Metasploit Meterpreter Generic Malware PE64 PE File VirusTotal Malware DNS crashed |
|
1
|
|
|
3.6 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3094 |
2024-06-10 10:37
|
 DUU.exe e26a8ce5b2f2b9730cc15713a4b1d4a1
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
|
2
api.ipify.org(104.26.13.205)
104.26.12.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3095 |
2024-06-10 10:10
|
 loader-1001.exe 58ca6d5068fa4fed981cf5ef8a04e4d5
NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 Pow VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Tofsee Windows ComputerName Cryptographic key crashed |
5
http://apps.identrust.com/roots/dstrootcax3.p7c
https://cdn-edge-node.com/online_security_mkl.exe - rule_id: 39716
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 - rule_id: 39690
https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001 - rule_id: 39689
|
9
d2lvl7wmj7b91p.cloudfront.net(54.230.169.96)
d22hce23hy1ej9.cloudfront.net(13.225.110.70) - mailcious
adblock2024.shop(104.21.43.83) - mailcious
cdn-edge-node.com(104.21.11.117) - mailcious
54.230.169.11
172.67.165.254 - mailcious
121.254.136.18
13.225.110.102
172.67.176.247
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
3
https://cdn-edge-node.com/online_security_mkl.exe
https://d22hce23hy1ej9.cloudfront.net/load/th.php
https://d22hce23hy1ej9.cloudfront.net/load/dl.php
|
10.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3096 |
2024-06-10 10:08
|
 Nngraprczwe.exe 9e57a1210d8f8c3be8e109e888eb1cc4
.NET framework(MSIL) PE File .NET EXE PE32 Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
|
2
panel.xxxx.uz(46.226.160.88)
46.226.160.88
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3097 |
2024-06-10 10:06
|
 Ucxnbz.exe 9399f672f1d34d17a26a1a6336cfdf6a
.NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
|
2
panel.xxxx.uz(46.226.160.88)
46.226.160.88
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3098 |
2024-06-10 10:05
|
 timeSync.exe 8f709d3db81945c2261c46827a83d33b
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3099 |
2024-06-10 10:04
|
 loki.exe 94af29468388f69f7cb8332883e5e88e
Generic Malware Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://tampabayllc.top/teamb/five/fre.php
|
3
tampabayllc.top(104.21.46.21)
172.67.222.157 - malware
162.19.241.67
|
6
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
|
|
8.6 |
M |
66 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3100 |
2024-06-10 10:02
|
 sapsan.exe 53099afa75043ea832b64db81231caff
Generic Malware Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware Check memory crashed |
|
|
|
|
2.2 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3101 |
2024-06-10 10:01
|
 putty.exe 744f16da7768ed9f66393cb57f760746
PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency |
|
2
de-zephyr.miningocean.org(162.19.241.67)
162.19.241.67
|
1
ET POLICY Cryptocurrency Miner Checkin
|
|
1.4 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3102 |
2024-06-10 10:01
|
 update.exe 5d0fb9d3fcf1a559a5a346ce92cab568
Themida Packer PE64 PE File VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
3.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3103 |
2024-06-09 15:57
|
8910.unp.exe f8d212919820b46438d8b921fd6e0857
UPX PE File PE32 OS Processor Check |
|
|
|
|
0.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3104 |
2024-06-09 14:24
|
 Satin06.exe 09ab6049a1abaac4ce2aef0dc60b6b6d
Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
21
http://www.antonio-vivaldi.mobi/fo8o/?-g=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39855
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.magmadokum.com/fo8o/?-g=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39856
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.donnavariedades.com/fo8o/ - rule_id: 39861
http://www.donnavariedades.com/fo8o/?-g=l+301ZvITCxaX9AA7VU8BaNl0giE4t3JgzctOQx29qSsrxX8kw490hU6vymbZWA2w8GmYCogcgx/MI4pNd8ITQiOXzox9fl9oCNBaJd4bIe7oyUKC5LhLVNYvjLZULJxgsfERiI=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39861
http://www.3xfootball.com/fo8o/?-g=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39852
http://www.rssnewscast.com/fo8o/ - rule_id: 39857
http://www.techchains.info/fo8o/ - rule_id: 39858
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.techchains.info/fo8o/?-g=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39858
http://www.elettrosistemista.zip/fo8o/ - rule_id: 39860
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
http://www.kasegitai.tokyo/fo8o/ - rule_id: 39853
http://www.antonio-vivaldi.mobi/fo8o/ - rule_id: 39855
http://www.rssnewscast.com/fo8o/?-g=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39857
http://www.kasegitai.tokyo/fo8o/?-g=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39853
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.elettrosistemista.zip/fo8o/?-g=bO1UBvtoHFNUmlWB73HniX/lRhcpQxU1qF418M7UHpKKa2cgLZsmK6mwaSCrivds7LXL3uoK+MTOMGhYNdwtdjBMQu6yx1bfgOYvdpbzJPd/eSD2kHjCkD+QxgbYBRdZBXmxn1k=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39860
http://www.goldenjade-travel.com/fo8o/?-g=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&ZaB=wt4TDEIUNob0tE3R - rule_id: 39854
|
20
www.elettrosistemista.zip(195.110.124.133) - mailcious
www.liangyuen528.com() - mailcious
www.magmadokum.com(85.159.66.93) - mailcious
www.techchains.info(66.29.149.46) - mailcious
www.donnavariedades.com(23.227.38.74) - mailcious
www.kasegitai.tokyo(202.172.28.202) - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi(46.30.213.191) - mailcious
www.rssnewscast.com(91.195.240.94) - mailcious
202.172.28.202 - mailcious
85.159.66.93 - mailcious
116.50.37.244 - mailcious
195.110.124.133 - mailcious
46.30.213.191 - mailcious
66.29.149.46 - mailcious
45.33.6.223
23.227.38.74 - mailcious
91.195.240.94 - phishing
154.215.72.110 - mailcious
|
3
ET INFO Observed DNS Query to .zip TLD
ET INFO HTTP Request to a *.zip Domain
ET MALWARE FormBook CnC Checkin (GET) M5
|
18
http://www.antonio-vivaldi.mobi/fo8o/
http://www.magmadokum.com/fo8o/
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.donnavariedades.com/fo8o/
http://www.donnavariedades.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.techchains.info/fo8o/
http://www.techchains.info/fo8o/
http://www.elettrosistemista.zip/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.elettrosistemista.zip/fo8o/
http://www.goldenjade-travel.com/fo8o/
|
7.0 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3105 |
2024-06-09 09:39
|
 work.exe fcd2251a8050b590a00cfe90dde9bd4c
Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Windows crashed |
|
|
|
|
4.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|