Sandbox result listing, rebuilt from the flattened table. Each record gives: ID, submission time, user; file name, MD5 and the sandbox's tags (kept verbatim, including tags the source truncates); URLs, hosts, Suricata alerts and rule-matched URLs where the source lists them; score, and two columns (Flag, Count) that are unlabeled in the source and reproduced as-is.

#3106  2024-06-09 09:38  User: ZeroCERT
  File:  SharpHound.ps1
  MD5:   310d06e1da8a16b5121ead4874f634fa
  Tags:  Generic Malware Antivirus VirusTotal Malware Check memory unpack itself
  URLs: none   Hosts: none   Suricata alerts: none   Rule-matched URLs: none
  Score: 1.6   Flag: M   Count: 35
#3107  2024-06-09 09:36  User: ZeroCERT
  File:  svchost.exe
  MD5:   2de9a9ecf306c424eab7ace09227090f
  Tags:  Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
  URLs: none   Hosts: none   Suricata alerts: none   Rule-matched URLs: none
  Score: 2.0   Flag: M   Count: 60
#3108  2024-06-09 09:36  User: ZeroCERT
  File:  chat.exe
  MD5:   4c0deb28ba6ff90d8dcd8113b494442b
  Tags:  Malicious Library PE64 PE File VirusTotal Malware RWX flags setting DNS crashed
  URLs: none   Hosts: 1 (not listed in source)   Suricata alerts: none   Rule-matched URLs: none
  Score: 4.0   Flag: M   Count: 51
#3109  2024-06-09 09:34  User: ZeroCERT
  File:  RunasCs_net2.exe
  MD5:   92e567d0590f2763960910e4bb85a871
  Tags:  Generic Malware Antivirus PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself
  URLs: none   Hosts: none   Suricata alerts: none   Rule-matched URLs: none
  Score: 2.0   Flag: (none)   Count: 46
#3110  2024-06-09 09:34  User: ZeroCERT
  File:  nc.exe
  MD5:   ba1a8e79b0354e180c88350f2fd965fe
  Tags:  PE File PE32 VirusTotal Malware WriteConsoleW
  URLs: none   Hosts: none   Suricata alerts: none   Rule-matched URLs: none
  Score: 2.4   Flag: (none)   Count: 46
#3111  2024-06-09 09:32  User: ZeroCERT
  File:  main.exe
  MD5:   39b9b77f950a56b61419c2550c0ee2cf
  Tags:  Malicious Library UPX PE File PE32 DLL .NET DLL VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key
  URLs (1):
    http://120.48.123.240:88/shellcode/main.cs
  Hosts: 1 (not listed in source)
  Suricata alerts (2):
    ET HUNTING Base64 Encoded Executable over Raw TCP
    ET HUNTING EXE Base64 Encoded potential malware
  Rule-matched URLs: none
  Score: 5.4   Flag: M   Count: 45
#3112  2024-06-09 09:32  User: ZeroCERT
  File:  RunasCs.exe
  MD5:   ed04f33a60faa912c5406158e2d0a800
  Tags:  Generic Malware Antivirus .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself
  URLs: none   Hosts: none   Suricata alerts: none   Rule-matched URLs: none
  Score: 2.0   Flag: (none)   Count: 45
#3113  2024-06-09 09:23  User: ZeroCERT
  File:  Delivery 06.exe (listed as Delivery%2006.exe)
  MD5:   132e9cb76def326daa4088f99587b759
  Tags:  Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malicious Pack FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself AppData folder Browser DNS
  URLs (16):
    http://www.antonio-vivaldi.mobi/fo8o/?5R=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&ERg=Lbajlol-F3v  [rule_id 39855]
    http://www.3xfootball.com/fo8o/  [rule_id 39852]
    http://www.kasegitai.tokyo/fo8o/  [rule_id 39853]
    http://www.rssnewscast.com/fo8o/  [rule_id 39857]
    http://www.techchains.info/fo8o/  [rule_id 39858]
    http://www.magmadokum.com/fo8o/  [rule_id 39856]
    http://www.kasegitai.tokyo/fo8o/?5R=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&ERg=Lbajlol-F3v  [rule_id 39853]
    http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
    http://www.elettrosistemista.zip/fo8o/  [rule_id 39860]
    http://www.goldenjade-travel.com/fo8o/  [rule_id 39854]
    http://www.goldenjade-travel.com/fo8o/?5R=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&ERg=Lbajlol-F3v  [rule_id 39854]
    http://www.antonio-vivaldi.mobi/fo8o/  [rule_id 39855]
    http://www.magmadokum.com/fo8o/?5R=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&ERg=Lbajlol-F3v  [rule_id 39856]
    http://www.rssnewscast.com/fo8o/?5R=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&ERg=Lbajlol-F3v  [rule_id 39857]
    http://www.techchains.info/fo8o/?5R=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&ERg=Lbajlol-F3v  [rule_id 39858]
    http://www.3xfootball.com/fo8o/?5R=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&ERg=Lbajlol-F3v  [rule_id 39852]
  Hosts (18):
    www.elettrosistemista.zip (195.110.124.133) - malicious
    www.liangyuen528.com (no IP) - malicious
    www.magmadokum.com (85.159.66.93) - malicious
    www.techchains.info (66.29.149.46) - malicious
    www.kasegitai.tokyo (202.172.28.202) - malicious
    www.3xfootball.com (154.215.72.110) - malicious
    www.goldenjade-travel.com (116.50.37.244) - malicious
    www.antonio-vivaldi.mobi (46.30.213.191) - malicious
    www.rssnewscast.com (91.195.240.94) - malicious
    202.172.28.202 - malicious
    85.159.66.93 - malicious
    116.50.37.244 - malicious
    195.110.124.133 - malicious
    46.30.213.191 - malicious
    66.29.149.46 - malicious
    45.33.6.223
    91.195.240.94 - phishing
    154.215.72.110 - malicious
  Suricata alerts (3):
    ET MALWARE FormBook CnC Checkin (GET) M5
    ET INFO Observed DNS Query to .zip TLD
    ET INFO HTTP Request to a *.zip Domain
  Rule-matched URLs (15), all of the form http://<host>/fo8o/:
    www.antonio-vivaldi.mobi x2, www.3xfootball.com x2, www.kasegitai.tokyo x2, www.rssnewscast.com x2, www.techchains.info x2, www.magmadokum.com x2, www.elettrosistemista.zip x1, www.goldenjade-travel.com x2
  Score: 7.8   Flag: M   Count: 41
#3114  2024-06-09 09:23  User: ZeroCERT
  File:  proposal report.exe (listed as proposal%20report.exe)
  MD5:   092cd26903ed79eb7da016adbb7c928d
  Tags:  Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malic FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
  URLs (18):
    http://www.magmadokum.com/fo8o/?mRfW=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&SM4k=DX6TxPgI  [rule_id 39856]
    http://www.magmadokum.com/fo8o/  [rule_id 39856]
    http://www.3xfootball.com/fo8o/  [rule_id 39852]
    http://www.elettrosistemista.zip/fo8o/  [rule_id 39860]
    http://www.techchains.info/fo8o/?mRfW=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&SM4k=DX6TxPgI  [rule_id 39858]
    http://www.rssnewscast.com/fo8o/  [rule_id 39857]
    http://www.techchains.info/fo8o/  [rule_id 39858]
    http://www.kasegitai.tokyo/fo8o/?mRfW=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&SM4k=DX6TxPgI  [rule_id 39853]
    http://www.3xfootball.com/fo8o/?mRfW=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&SM4k=DX6TxPgI  [rule_id 39852]
    http://www.kasegitai.tokyo/fo8o/  [rule_id 39853]
    http://www.goldenjade-travel.com/fo8o/  [rule_id 39854]
    http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
    http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
    http://www.antonio-vivaldi.mobi/fo8o/  [rule_id 39855]
    http://www.antonio-vivaldi.mobi/fo8o/?mRfW=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&SM4k=DX6TxPgI  [rule_id 39855]
    http://www.rssnewscast.com/fo8o/?mRfW=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&SM4k=DX6TxPgI  [rule_id 39857]
    http://www.elettrosistemista.zip/fo8o/?mRfW=bO1UBvtoHFNUmlWB73HniX/lRhcpQxU1qF418M7UHpKKa2cgLZsmK6mwaSCrivds7LXL3uoK+MTOMGhYNdwtdjBMQu6yx1bfgOYvdpbzJPd/eSD2kHjCkD+QxgbYBRdZBXmxn1k=&SM4k=DX6TxPgI  [rule_id 39860]
    http://www.goldenjade-travel.com/fo8o/?mRfW=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&SM4k=DX6TxPgI  [rule_id 39854]
  Hosts (18):
    www.elettrosistemista.zip (195.110.124.133) - malicious
    www.liangyuen528.com (no IP) - malicious
    www.magmadokum.com (85.159.66.93) - malicious
    www.techchains.info (66.29.149.46) - malicious
    www.kasegitai.tokyo (202.172.28.202) - malicious
    www.3xfootball.com (154.215.72.110) - malicious
    www.goldenjade-travel.com (116.50.37.244) - malicious
    www.antonio-vivaldi.mobi (46.30.213.191) - malicious
    www.rssnewscast.com (91.195.240.94) - malicious
    202.172.28.202 - malicious
    85.159.66.93 - malicious
    116.50.37.244 - malicious
    195.110.124.133 - malicious
    46.30.213.191 - malicious
    66.29.149.46 - malicious
    45.33.6.223
    91.195.240.94 - phishing
    154.215.72.110 - malicious
  Suricata alerts (3):
    ET MALWARE FormBook CnC Checkin (GET) M5
    ET INFO HTTP Request to a *.zip Domain
    ET INFO Observed DNS Query to .zip TLD
  Rule-matched URLs (16), all of the form http://<host>/fo8o/:
    www.magmadokum.com x2, www.3xfootball.com x2, www.elettrosistemista.zip x2, www.techchains.info x2, www.rssnewscast.com x2, www.kasegitai.tokyo x2, www.goldenjade-travel.com x2, www.antonio-vivaldi.mobi x2
  Score: 7.0   Flag: M   Count: 41
#3115  2024-06-09 09:22  User: ZeroCERT
  File:  Delivery 07.exe (listed as Delivery%2007.exe)
  MD5:   b94b6c27e410388cd4e7dfeb352b75ce
  Tags:  Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
  URLs (19):
    http://www.magmadokum.com/fo8o/?Q1=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&niTnW=y25C  [rule_id 39856]
    http://www.goldenjade-travel.com/fo8o/?Q1=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&niTnW=y25C  [rule_id 39854]
    http://www.magmadokum.com/fo8o/  [rule_id 39856]
    http://www.donnavariedades.com/fo8o/?Q1=l+301ZvITCxaX9AA7VU8BaNl0giE4t3JgzctOQx29qSsrxX8kw490hU6vymbZWA2w8GmYCogcgx/MI4pNd8ITQiOXzox9fl9oCNBaJd4bIe7oyUKC5LhLVNYvjLZULJxgsfERiI=&niTnW=y25C  [rule_id 39861]
    http://www.donnavariedades.com/fo8o/  [rule_id 39861]
    http://www.3xfootball.com/fo8o/?Q1=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&niTnW=y25C  [rule_id 39852]
    http://www.elettrosistemista.zip/fo8o/  [rule_id 39860]
    http://www.rssnewscast.com/fo8o/  [rule_id 39857]
    http://www.antonio-vivaldi.mobi/fo8o/  [rule_id 39855]
    http://www.rssnewscast.com/fo8o/?Q1=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&niTnW=y25C  [rule_id 39857]
    http://www.antonio-vivaldi.mobi/fo8o/?Q1=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&niTnW=y25C  [rule_id 39855]
    http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
    http://www.kasegitai.tokyo/fo8o/?Q1=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&niTnW=y25C  [rule_id 39853]
    http://www.goldenjade-travel.com/fo8o/  [rule_id 39854]
    http://www.kasegitai.tokyo/fo8o/  [rule_id 39853]
    http://www.techchains.info/fo8o/  [rule_id 39858]
    http://www.techchains.info/fo8o/?Q1=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&niTnW=y25C  [rule_id 39858]
    http://www.elettrosistemista.zip/fo8o/?Q1=bO1UBvtoHFNUmlWB73HniX/lRhcpQxU1qF418M7UHpKKa2cgLZsmK6mwaSCrivds7LXL3uoK+MTOMGhYNdwtdjBMQu6yx1bfgOYvdpbzJPd/eSD2kHjCkD+QxgbYBRdZBXmxn1k=&niTnW=y25C  [rule_id 39860]
    http://www.3xfootball.com/fo8o/  [rule_id 39852]
  Hosts (20):
    www.elettrosistemista.zip (195.110.124.133) - malicious
    www.liangyuen528.com (no IP) - malicious
    www.magmadokum.com (85.159.66.93) - malicious
    www.techchains.info (66.29.149.46) - malicious
    www.donnavariedades.com (23.227.38.74) - malicious
    www.kasegitai.tokyo (202.172.28.202) - malicious
    www.3xfootball.com (154.215.72.110) - malicious
    www.goldenjade-travel.com (116.50.37.244) - malicious
    www.antonio-vivaldi.mobi (46.30.213.191) - malicious
    www.rssnewscast.com (91.195.240.94) - malicious
    202.172.28.202 - malicious
    85.159.66.93 - malicious
    116.50.37.244 - malicious
    195.110.124.133 - malicious
    46.30.213.191 - malicious
    66.29.149.46 - malicious
    45.33.6.223
    23.227.38.74 - malicious
    91.195.240.94 - phishing
    154.215.72.110 - malicious
  Suricata alerts (3):
    ET MALWARE FormBook CnC Checkin (GET) M5
    ET INFO HTTP Request to a *.zip Domain
    ET INFO Observed DNS Query to .zip TLD
  Rule-matched URLs (18), all of the form http://<host>/fo8o/:
    www.magmadokum.com x2, www.goldenjade-travel.com x2, www.donnavariedades.com x2, www.3xfootball.com x2, www.elettrosistemista.zip x2, www.rssnewscast.com x2, www.antonio-vivaldi.mobi x2, www.kasegitai.tokyo x2, www.techchains.info x2
  Score: 7.6   Flag: M   Count: 40
#3116  2024-06-09 09:21  User: ZeroCERT
  File:  DELIVERED 0606.exe (listed as DELIVERED%200606.exe)
  MD5:   2eebcdd0e833ba968a9cac360aed72de
  Tags:  Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS
  URLs (20):
    http://www.techchains.info/fo8o/?ctZt=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&Y0cC=aMTX8YEQQ  [rule_id 39858]
    http://www.elettrosistemista.zip/fo8o/?ctZt=bO1UBvtoHFNUmlWB73HniX/lRhcpQxU1qF418M7UHpKKa2cgLZsmK6mwaSCrivds7LXL3uoK+MTOMGhYNdwtdjBMQu6yx1bfgOYvdpbzJPd/eSD2kHjCkD+QxgbYBRdZBXmxn1k=&Y0cC=aMTX8YEQQ  [rule_id 39860]
    http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
    http://www.3xfootball.com/fo8o/  [rule_id 39852]
    http://www.donnavariedades.com/fo8o/  [rule_id 39861]
    http://www.elettrosistemista.zip/fo8o/  [rule_id 39860]
    http://www.rssnewscast.com/fo8o/?ctZt=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&Y0cC=aMTX8YEQQ  [rule_id 39857]
    http://www.rssnewscast.com/fo8o/  [rule_id 39857]
    http://www.techchains.info/fo8o/  [rule_id 39858]
    http://www.magmadokum.com/fo8o/  [rule_id 39856]
    http://www.antonio-vivaldi.mobi/fo8o/?ctZt=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&Y0cC=aMTX8YEQQ  [rule_id 39855]
    http://www.kasegitai.tokyo/fo8o/  [rule_id 39853]
    http://www.goldenjade-travel.com/fo8o/  [rule_id 39854]
    http://www.3xfootball.com/fo8o/?ctZt=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&Y0cC=aMTX8YEQQ  [rule_id 39852]
    http://www.magmadokum.com/fo8o/?ctZt=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&Y0cC=aMTX8YEQQ  [rule_id 39856]
    http://www.antonio-vivaldi.mobi/fo8o/  [rule_id 39855]
    http://www.660danm.top/fo8o/
    http://www.donnavariedades.com/fo8o/?ctZt=l+301ZvITCxaX9AA7VU8BaNl0giE4t3JgzctOQx29qSsrxX8kw490hU6vymbZWA2w8GmYCogcgx/MI4pNd8ITQiOXzox9fl9oCNBaJd4bIe7oyUKC5LhLVNYvjLZULJxgsfERiI=&Y0cC=aMTX8YEQQ  [rule_id 39861]
    http://www.kasegitai.tokyo/fo8o/?ctZt=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&Y0cC=aMTX8YEQQ  [rule_id 39853]
    http://www.goldenjade-travel.com/fo8o/?ctZt=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&Y0cC=aMTX8YEQQ  [rule_id 39854]
  Hosts (22):
    www.elettrosistemista.zip (195.110.124.133) - malicious
    www.liangyuen528.com (no IP) - malicious
    www.magmadokum.com (85.159.66.93) - malicious
    www.techchains.info (66.29.149.46) - malicious
    www.donnavariedades.com (23.227.38.74) - malicious
    www.660danm.top (34.120.249.181)
    www.kasegitai.tokyo (202.172.28.202) - malicious
    www.3xfootball.com (154.215.72.110) - malicious
    www.goldenjade-travel.com (116.50.37.244) - malicious
    www.antonio-vivaldi.mobi (46.30.213.191) - malicious
    www.rssnewscast.com (91.195.240.94) - malicious
    202.172.28.202 - malicious
    85.159.66.93 - malicious
    116.50.37.244 - malicious
    195.110.124.133 - malicious
    46.30.213.191 - malicious
    66.29.149.46 - malicious
    34.111.148.214
    45.33.6.223
    23.227.38.74 - malicious
    91.195.240.94 - phishing
    154.215.72.110 - malicious
  Suricata alerts (5):
    ET MALWARE FormBook CnC Checkin (GET) M5
    ET DNS Query to a *.top domain - Likely Hostile
    ET INFO Observed DNS Query to .zip TLD
    ET INFO HTTP Request to a *.zip Domain
    ET INFO HTTP Request to a *.top domain
  Rule-matched URLs (18), all of the form http://<host>/fo8o/:
    www.techchains.info x2, www.elettrosistemista.zip x2, www.3xfootball.com x2, www.donnavariedades.com x2, www.rssnewscast.com x2, www.magmadokum.com x2, www.antonio-vivaldi.mobi x2, www.kasegitai.tokyo x2, www.goldenjade-travel.com x2
  Score: 7.8   Flag: M   Count: 38
#3117  2024-06-09 09:21  User: ZeroCERT
  File:  wow123.hta
  MD5:   21164aaeeaaa2a4a6e77798aa82d5c7c
  Tags:  Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key
  URLs (15):
    http://www.magmadokum.com/fo8o/  [rule_id 39856]
    http://198.23.201.89/warm/VAT%20certificate.exe
    http://www.3xfootball.com/fo8o/  [rule_id 39852]
    http://www.kasegitai.tokyo/fo8o/?f5A0cwal=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&meE1x=FbDXUZ  [rule_id 39853]
    http://www.rssnewscast.com/fo8o/  [rule_id 39857]
    http://www.antonio-vivaldi.mobi/fo8o/  [rule_id 39855]
    http://www.rssnewscast.com/fo8o/?f5A0cwal=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&meE1x=FbDXUZ  [rule_id 39857]
    http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
    http://www.kasegitai.tokyo/fo8o/  [rule_id 39853]
    http://www.goldenjade-travel.com/fo8o/  [rule_id 39854]
    http://www.techchains.info/fo8o/  [rule_id 39858]
    http://www.goldenjade-travel.com/fo8o/?f5A0cwal=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&meE1x=FbDXUZ  [rule_id 39854]
    http://www.antonio-vivaldi.mobi/fo8o/?f5A0cwal=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&meE1x=FbDXUZ  [rule_id 39855]
    http://www.3xfootball.com/fo8o/?f5A0cwal=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&meE1x=FbDXUZ  [rule_id 39852]
    http://www.magmadokum.com/fo8o/?f5A0cwal=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&meE1x=FbDXUZ  [rule_id 39856]
  Hosts (17):
    www.liangyuen528.com (no IP) - malicious
    www.magmadokum.com (85.159.66.93) - malicious
    www.techchains.info (66.29.149.46) - malicious
    www.kasegitai.tokyo (202.172.28.202) - malicious
    www.3xfootball.com (154.215.72.110) - malicious
    www.goldenjade-travel.com (116.50.37.244) - malicious
    www.antonio-vivaldi.mobi (46.30.213.191) - malicious
    www.rssnewscast.com (91.195.240.94) - malicious
    202.172.28.202 - malicious
    85.159.66.93 - malicious
    116.50.37.244 - malicious
    46.30.213.191 - malicious
    66.29.149.46 - malicious
    198.23.201.89 - malware
    45.33.6.223
    91.195.240.94 - phishing
    154.215.72.110 - malicious
  Suricata alerts (6):
    ET MALWARE FormBook CnC Checkin (GET) M5
    ET INFO Executable Download from dotted-quad Host
    ET INFO Packed Executable Download
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Rule-matched URLs (13), all of the form http://<host>/fo8o/:
    www.magmadokum.com x2, www.3xfootball.com x2, www.kasegitai.tokyo x2, www.rssnewscast.com x2, www.antonio-vivaldi.mobi x2, www.goldenjade-travel.com x2, www.techchains.info x1
  Score: 13.4   Flag: M   Count: 27
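Records 3113 to 3117 all hit the same FormBook check-in shape: a single short path segment (/fo8o/), one query parameter carrying a long base64 blob, and one short trailing parameter. The parameter names differ per sample (5R/ERg, mRfW/SM4k, Q1/niTnW, ctZt/Y0cC, f5A0cwal/meE1x) but the blob for a given host is identical across samples, which is what lets an analyst tie the five submissions to one campaign. The script below is an added example written for this page, not code from the sandbox or the listing; it keys on the (host, path, blob) triple to cluster samples and to pull the check-in hosts out as IOCs. The path-length and blob-length bounds are assumptions, and the constructed input is built from URLs copied out of records 3111, 3113, 3116 and 3117.

```python
"""Cluster sandbox samples by shared FormBook-style check-in URLs.

Added example for this listing, not code from the sandbox site or the FormBook
authors. Links samples through (host, path, blob) triples: the query parameter
names rotate per sample, the base64 blob per host does not.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed shape of the check-in path: one segment of 3-8 lowercase alphanumerics.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{3,8}/$")
# Assumed shape of the blob: base64 alphabet, at least 64 chars, optional '=' padding.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def parse_checkin(url):
    """Return (host, path, blob) if url has the check-in shape, else None.

    The query is split by hand instead of with parse_qsl: the blob contains
    '+' and '/', and URL-decoding would turn '+' into a space.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if not CHECKIN_PATH.match(parts.path) or not parts.query:
        return None
    pairs = [p.split("=", 1) for p in parts.query.split("&")]
    if len(pairs) != 2 or any(len(p) != 2 for p in pairs):
        return None
    blob = pairs[0][1]
    if not B64_BLOB.match(blob):
        return None
    return (parts.hostname, parts.path, blob)


def cluster_samples(samples):
    """Group sample IDs that share at least one (host, path, blob) triple.

    samples: {sample_id: [url, ...]}. Samples with no check-in URL are left out.
    Returns a sorted list of sorted ID lists (union-find over shared triples).
    """
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # triple -> first sample that used it
    with_checkin = set()
    for sid, urls in samples.items():
        for url in urls:
            triple = parse_checkin(url)
            if triple is None:
                continue
            with_checkin.add(sid)
            if triple in first_seen:
                parent[find(sid)] = find(first_seen[triple])
            else:
                first_seen[triple] = sid

    groups = defaultdict(set)
    for sid in with_checkin:
        groups[find(sid)].add(sid)
    return sorted(sorted(g) for g in groups.values())


def checkin_iocs(samples):
    """Distinct (host, path) pairs that carried a check-in, for blocklisting."""
    return {t[:2] for urls in samples.values() for t in map(parse_checkin, urls) if t}


# Constructed input: blobs and URLs copied from records 3111, 3113, 3116 and 3117.
BLOB_MAGMADOKUM = ("qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2W"
                   "hyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=")
BLOB_RSSNEWSCAST = ("x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNK"
                    "v4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=")
SAMPLE_URLS = {
    "3111": ["http://120.48.123.240:88/shellcode/main.cs"],
    "3113": [
        "http://www.magmadokum.com/fo8o/?5R=" + BLOB_MAGMADOKUM + "&ERg=Lbajlol-F3v",
        "http://www.rssnewscast.com/fo8o/?5R=" + BLOB_RSSNEWSCAST + "&ERg=Lbajlol-F3v",
        "http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip",
    ],
    "3116": [
        "http://www.magmadokum.com/fo8o/?ctZt=" + BLOB_MAGMADOKUM + "&Y0cC=aMTX8YEQQ",
        "http://www.660danm.top/fo8o/",
    ],
    "3117": [
        "http://www.rssnewscast.com/fo8o/?f5A0cwal=" + BLOB_RSSNEWSCAST + "&meE1x=FbDXUZ",
        "http://198.23.201.89/warm/VAT%20certificate.exe",
    ],
}

if __name__ == "__main__":
    print(cluster_samples(SAMPLE_URLS))     # [['3113', '3116', '3117']]
    print(sorted(checkin_iocs(SAMPLE_URLS)))
```

Two points the listing alone does not make obvious: the sqlite.org and 660danm.top URLs fall out of the clustering because they lack the check-in shape (no query at all), so the blocklist is built only from hosts that actually carried a beacon; and the union-find means a sample that shares a blob with only one host still joins the campaign, which matters when a later sample rotates most of its decoy domains.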
#3118  2024-06-09 09:20  User: ZeroCERT
  File:  sila.exe
  MD5:   3e9ba4168fb1c8e4a8a3a69c4968abb3
  Tags:  Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
  URLs (1):
    https://db-ip.com/demo/home.php?s=175.208.134.152
  Hosts (6):
    ipinfo.io (34.117.186.192)
    db-ip.com (172.67.75.166)
    45.33.6.223
    172.67.75.166
    147.45.47.126 - malicious
    34.117.186.192
  Suricata alerts (9):
    ET DROP Spamhaus DROP Listed Traffic Inbound group 23
    ET MALWARE RisePro TCP Heartbeat Packet
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE [ANY.RUN] RisePro TCP (Token)
    ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
    ET MALWARE [ANY.RUN] RisePro TCP (Activity)
    ET MALWARE [ANY.RUN] RisePro TCP (External IP)
    ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
    ET MALWARE RisePro CnC Activity (Inbound)
  Rule-matched URLs: none
  Score: 13.8   Flag: M   Count: 46
#3119  2024-06-09 09:15  User: ZeroCERT
  File:  UNP Setup.exe (listed as UNP%20Setup.exe)
  MD5:   a2f39491c9d6e8be4a1bf05ac024fdb4
  Tags:  Generic Malware Malicious Library Malicious Packer Antivirus UPX PE File PE32 CAB OS Processor Check VirusTotal Malware Check memory unpack itself Remote Code Execution
  URLs: none   Hosts: none   Suricata alerts: none   Rule-matched URLs: none
  Score: 1.6   Flag: M   Count: 3
#3120  2024-06-09 05:49  User: guest
  File:  5010_1635873664_4193.exe
  MD5:   60938dc1c7bc8a2bbab6b7dac4ac06b4
  Tags:  PE File PE32 VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Windows DNS Cryptographic key
  URLs: none   Hosts: 1 (not listed in source)   Suricata alerts: none   Rule-matched URLs: none
  Score: 5.0   Flag: M   Count: 59