33046 | 2022-03-29 09:48
Sample: vbc.exe | MD5 eb928e812266724d918ad3e6f0083100
Tags: Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
URLs (4):
  http://www.mebsway.com/m0e8/?8pM0SbPH=Bhkho9YTEAIqM8XF+y4F1kgR8+1pi9FwCoNOCYsVNuBGJbjXj4tZYwpTWp4bzJtyA51OxYvV&lnxh=fTRld0APWpcHM4L
  http://www.jrgq2gu.cfd/m0e8/?8pM0SbPH=e1C45V4DclbPnviuiv9RUxMfvKUqbFXrkeF7wvx5hTO27aQ7yrajf1ToRpDA4gdU2mupHAsd&lnxh=fTRld0APWpcHM4L - rule_id: 14359
  http://www.blackseedoil.xyz/m0e8/?8pM0SbPH=YeBdVihRehTUqlla1INq+w3g7mTbij311AoWIqJY0RWTkdCIodOOz8/tqkJw7PU5DBfEZR3p&lnxh=fTRld0APWpcHM4L
  http://www.gkwtk.xyz/m0e8/?8pM0SbPH=D7+a3XmsBzh7GzxxMNFcnIg8XC9K0tDGg1V7i/BngKGoorP8m13qKP+5wm4vJLHJxX1M7Gwv&lnxh=fTRld0APWpcHM4L
Hosts (8):
  www.blackseedoil.xyz (172.67.183.194)
  www.mebsway.com (103.224.212.220)
  www.gkwtk.xyz (13.248.148.254)
  www.jrgq2gu.cfd (43.154.50.22)
  103.224.212.220 - malicious
  13.248.148.254
  104.21.56.100
  43.154.50.22 - malicious
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Malicious URLs (1):
  http://www.jrgq2gu.cfd/m0e8/
Score 5.2 | M | 18 | ZeroCERT

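The URL and host cells of entry 33046 are the kind of flattened text an analyst has to turn into indicators before they are usable. What follows is an added example, not the sandbox's own code: it parses the two cells exactly as copied from the record above, normalises the listing's "mailcious" label, and splits the four FormBook check-in URLs into the query parameters that stay constant across the set and the one that differs between the four requests. The cell layout it assumes (space-separated URLs with an optional "- rule_id: N" suffix, "host(ip)" pairs, "- verdict" suffixes on bare IPs) is read off this page; the tool does not document it.

```python
"""Pull indicators out of one flattened listing record (entry 33046, FormBook).

Added example for this listing, not the sandbox's own code. URL_CELL and
HOST_CELL are copied verbatim from entry 33046 above, including the listing's
"mailcious" spelling; the cell layout assumed here is inferred from the page.
"""
import re
from urllib.parse import parse_qsl, urlsplit

URL_CELL = (
    "http://www.mebsway.com/m0e8/?8pM0SbPH=Bhkho9YTEAIqM8XF+y4F1kgR8+1pi9FwCoNOCYsVNuBGJbjXj4tZYwpTWp4bzJtyA51OxYvV&lnxh=fTRld0APWpcHM4L "
    "http://www.jrgq2gu.cfd/m0e8/?8pM0SbPH=e1C45V4DclbPnviuiv9RUxMfvKUqbFXrkeF7wvx5hTO27aQ7yrajf1ToRpDA4gdU2mupHAsd&lnxh=fTRld0APWpcHM4L - rule_id: 14359 "
    "http://www.blackseedoil.xyz/m0e8/?8pM0SbPH=YeBdVihRehTUqlla1INq+w3g7mTbij311AoWIqJY0RWTkdCIodOOz8/tqkJw7PU5DBfEZR3p&lnxh=fTRld0APWpcHM4L "
    "http://www.gkwtk.xyz/m0e8/?8pM0SbPH=D7+a3XmsBzh7GzxxMNFcnIg8XC9K0tDGg1V7i/BngKGoorP8m13qKP+5wm4vJLHJxX1M7Gwv&lnxh=fTRld0APWpcHM4L"
)
HOST_CELL = (
    "www.blackseedoil.xyz(172.67.183.194) www.mebsway.com(103.224.212.220) "
    "www.gkwtk.xyz(13.248.148.254) www.jrgq2gu.cfd(43.154.50.22) "
    "103.224.212.220 - mailcious 13.248.148.254 104.21.56.100 43.154.50.22 - mailcious"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A URL runs to the next whitespace; the listing may append "- rule_id: N".
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
# Either "name(ip)" for a resolved domain, or a bare IP with an optional verdict.
HOST_RE = re.compile(
    rf"(?P<name>[A-Za-z0-9.-]+)\((?P<ip1>{IPV4})\)"
    rf"|(?P<ip2>{IPV4})(?:\s+-\s+(?P<verdict>mailcious|malicious|malware))?"
)


def split_urls(cell):
    """Return (url, rule_id) pairs; rule_id is None when the listing gave none."""
    return [(m["url"], int(m["rule"]) if m["rule"] else None)
            for m in URL_RE.finditer(cell)]


def split_hosts(cell):
    """Return one dict per host entry, normalising the listing's verdict spelling."""
    hosts = []
    for m in HOST_RE.finditer(cell):
        verdict = m["verdict"]
        if verdict == "mailcious":  # the listing's own typo for "malicious"
            verdict = "malicious"
        hosts.append({"name": m["name"], "ip": m["ip1"] or m["ip2"], "verdict": verdict})
    return hosts


def campaign_key(urls):
    """Split query parameters into those constant across the URL set and those
    that vary from request to request; also report the shared path, if any."""
    parts = [urlsplit(u) for u in urls]
    paths = {p.path for p in parts}
    queries = [dict(parse_qsl(p.query, keep_blank_values=True)) for p in parts]
    names = set().union(*(q.keys() for q in queries))
    constant = {n: queries[0][n] for n in names
                if all(q.get(n) == queries[0].get(n) for q in queries)}
    return {"path": paths.pop() if len(paths) == 1 else None,
            "constant": constant,
            "varying": names - set(constant)}


def defang(url):
    """Make a URL safe to paste into a report: hxxp scheme, bracketed dots in the host."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    return f"{scheme}://{host}{parts.path}" + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    urls = split_urls(URL_CELL)
    for url, rule in urls:
        print(defang(url), f"(rule_id {rule})" if rule else "")
    for host in split_hosts(HOST_CELL):
        print(host)
    print(campaign_key([u for u, _ in urls]))
```

Run against the record, the four check-in URLs share the path `/m0e8/` and the parameter `lnxh=fTRld0APWpcHM4L`; only the `8pM0SbPH` value differs. That split is what you want when turning one record into a detection: the constant part goes into a content match, the varying part does not.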
33047 | 2022-03-29 09:47
Sample: data64_4.exe | MD5 82f0417b47a6a993d299cd805af9c400
Tags: Obsidium protector UPX .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Collect installed applications sandbox evasion installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
  185.215.113.20 - malicious
IDS alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
Score 11.4 | M | 26 | ZeroCERT

33048 | 2022-03-29 09:28
Sample: Screenshot.jpg.ps1 | MD5 3992b420e634313b2832c6dc5399678a
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Score 6.2 | | 1 | ZeroCERT

33049 | 2022-03-29 09:10
Sample: UTnG7GKKkZf | MD5 6ba36615d02eed36ad3fbe2014be82fc
Tags: Malicious Packer Malicious Library UPX OS Processor Check DLL PE File PE32 Dridex TrickBot VirusTotal Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
Hosts (28):
  188.44.20.25 - malicious
  212.24.98.99 - malicious
  58.227.42.236 - malicious
  185.8.212.130 - malicious
  209.126.98.206 - malicious
  5.9.116.246 - malicious
  138.185.72.26 - malicious
  195.201.151.129 - malicious
  103.75.201.2 - malicious
  197.242.150.244 - malicious
  159.8.59.82 - malicious
  216.120.236.62 - malicious
  51.91.7.5 - malicious
  153.126.146.25 - malicious
  119.193.124.41 - malicious
  189.232.46.161 - malicious
  79.172.212.216 - malicious
  158.69.222.101 - malicious
  164.68.99.3 - malicious
  217.182.25.250 - malicious
  151.106.112.196 - malicious
  107.182.225.142 - malicious
  51.91.76.89 - malware
  131.100.24.231 - malicious
  212.237.17.99 - malicious
  45.118.135.203 - malicious
  50.116.54.215 - malicious
  192.99.251.50 - malicious
IDS alerts (11):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET CNC Feodo Tracker Reported CnC Server group 20
  ET INFO TLS Handshake Failure
  ET CNC Feodo Tracker Reported CnC Server group 15
  ET CNC Feodo Tracker Reported CnC Server group 5
  ET CNC Feodo Tracker Reported CnC Server group 2
  ET CNC Feodo Tracker Reported CnC Server group 4
  ET CNC Feodo Tracker Reported CnC Server group 14
  ET CNC Feodo Tracker Reported CnC Server group 12
  ET CNC Feodo Tracker Reported CnC Server group 22
  ET CNC Feodo Tracker Reported CnC Server group 19
Score 5.8 | | 17 | ZeroCERT

33050 | 2022-03-29 09:08
Sample: FcEgwPugDI7wr2 | MD5 18d9d16fed5e770d4f1b4502fab0e7a7
Tags: Malicious Packer Malicious Library UPX OS Processor Check DLL PE File PE32 Dridex TrickBot VirusTotal Malware Report Checks debugger RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS
Hosts (30):
  196.218.30.83 - malicious
  188.44.20.25 - malicious
  212.24.98.99 - malicious
  58.227.42.236 - malicious
  185.8.212.130 - malicious
  209.126.98.206 - malicious
  5.9.116.246 - malicious
  138.185.72.26 - malicious
  195.201.151.129 - malicious
  103.75.201.2 - malicious
  197.242.150.244 - malicious
  159.8.59.82 - malicious
  216.120.236.62 - malicious
  51.91.7.5 - malicious
  153.126.146.25 - malicious
  119.193.124.41 - malicious
  189.232.46.161 - malicious
  79.172.212.216 - malicious
  158.69.222.101 - malicious
  164.68.99.3 - malicious
  217.182.25.250 - malicious
  151.106.112.196 - malicious
  107.182.225.142 - malicious
  51.91.76.89 - malware
  131.100.24.231 - malicious
  72.15.201.15 - malicious
  212.237.17.99 - malicious
  45.118.135.203 - malicious
  50.116.54.215 - malicious
  192.99.251.50 - malicious
IDS alerts (11):
  ET CNC Feodo Tracker Reported CnC Server group 15
  ET CNC Feodo Tracker Reported CnC Server group 4
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET INFO TLS Handshake Failure
  ET CNC Feodo Tracker Reported CnC Server group 20
  ET CNC Feodo Tracker Reported CnC Server group 5
  ET CNC Feodo Tracker Reported CnC Server group 14
  ET CNC Feodo Tracker Reported CnC Server group 2
  ET CNC Feodo Tracker Reported CnC Server group 22
  ET CNC Feodo Tracker Reported CnC Server group 19
  ET CNC Feodo Tracker Reported CnC Server group 12
Score 5.8 | | 17 | ZeroCERT

33051 | 2022-03-29 08:02
Sample: 8697717473027069.xls | MD5 fbce8728c4ce96cd3b399f2c7ecd4250
Tags: PWS[m] ScreenShot KeyLogger AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself
URLs (6):
  http://med.devsrm.com/wp-content/gtOOTHi3zkUbn8U6/
  http://izytalab.com/includes/1mafAX0kOa/
  https://pcsolutionss.com/zSlT4HR92TiOpw5NM/
  http://www.doctorcasenave.com/wp-content/O2Z1HMebIXiHYBBS/
  https://wpl28.realtyna.com/wp-content/0b0ny5cPM/
  http://www.efcballjoint.com/Template/AxEZPOfAa9/
Score 2.6 | | 12 | guest

33052 | 2022-03-28 18:25
Sample: 4300_1648256257_6702.exe | MD5 03d3706f3b6c6f6df252ec64c2488edd
Tags: PWS[m] RedLine stealer[m] RAT AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): (not listed)
Score 11.2 | M | 49 | ZeroCERT

33053 | 2022-03-28 18:23
Sample: 879_1648372016_4023.exe | MD5 89683334004b81b1fe89c2c10e09bc8b
Tags: RAT PWS .NET framework UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): (not listed)
Score 6.0 | M | 37 | ZeroCERT

33054 | 2022-03-28 18:23
Sample: 5897_1648325870_7622.exe | MD5 8600638dfe9e37ca91cd1faa6669f9ac
Tags: RAT .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
Hosts (2):
  bronsky.kiev.ua (185.66.90.243)
  185.66.90.243
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 2.0 | M | 14 | ZeroCERT

33055 | 2022-03-28 18:21
Sample: 629_1648146617_8324.exe | MD5 a5cb154c2711fa5f0e8716d96e302f8b
Tags: RAT PWS .NET framework UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself crashed
Score 2.8 | M | 49 | ZeroCERT

33056 | 2022-03-28 18:21
Sample: 8843_1648056140_4304.exe | MD5 8cb8551a6ea0ad7cfa16859ffdeaf4df
Tags: ASProtect PE File PE32 VirusTotal Malware Checks debugger unpack itself
Score 2.4 | M | 30 | ZeroCERT

33057 | 2022-03-28 18:19
Sample: 3485_1648049861_1017.exe | MD5 2c4613519747997182bd096f6b5a12d1
Tags: Confuser .NET .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself crashed
Score 3.0 | M | 41 | ZeroCERT

33058 | 2022-03-28 18:19
Sample: 4230_1648314017_5437.exe | MD5 7d85d4cdbb617ec644e5ea39a804009f
Tags: PWS[m] RedLine stealer[m] RAT PWS .NET framework AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
Score 6.8 | M | 34 | ZeroCERT

33059 | 2022-03-28 18:17
Sample: 477_1648224166_8462.exe | MD5 2f7c50f565827dabe6a94d3a16f4b214
Tags: RAT .NET EXE PE File PE32 Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows DNS
URLs (2):
  http://93.115.21.45/scripts/test2.bin - rule_id: 15250
  http://93.115.21.45/gtaddress - rule_id: 15251
Hosts (3):
  93.115.21.45 - malware
  5.4.3.1
  22.61.56.108
IDS alerts (4):
  ET HUNTING Request for .bin with BITS/ User-Agent
  ET MALWARE Generic .bin download from Dotted Quad
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Malicious URLs (2):
  http://93.115.21.45/scripts/test2.bin
  http://93.115.21.45/gtaddress
Score 8.8 | M | 28 | ZeroCERT

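Entry 33059 fired four ET rules on a single download: a BITS User-Agent asking for a .bin object, from a bare IPv4 host, answered with a PE image. Each condition alone is noise (BITS legitimately talks to Windows Update, CDNs serve .bin firmware); the combination is the signal. The block below is an added example, not Emerging Threats' or the sandbox's code: it re-implements that combination as a hunt over a proxy log instead of packets. The log is constructed and simplified; its first line reproduces the request recorded for 477_1648224166_8462.exe above, the other three lines are invented benign traffic, the field names borrow from Zeek's http.log but the pipe-separated layout is not Zeek's, and the "Microsoft BITS/" User-Agent prefix is an assumption about the client string.

```python
"""Hunt a proxy log for the download pattern behind entry 33059.

Added example, not the sandbox's or Emerging Threats' code. It combines the
conditions the four listed ET alerts test, over log records instead of packets:
dotted-quad Host, request for a .bin object, BITS User-Agent, and a response
the proxy typed as a Windows executable (Zeek's label: application/x-dosexec).
"""
import ipaddress

# Constructed, simplified proxy log: pipe-separated, one request per line.
# Field names borrow from Zeek's http.log; the layout is invented for this example.
# Line 1 is the request recorded for 477_1648224166_8462.exe; lines 2-4 are
# invented benign traffic that each trip only one condition.
FIELDS = ["ts", "id.orig_h", "host", "method", "uri", "user_agent",
          "status_code", "resp_mime_types"]
SAMPLE_LOG = """\
1648467000.1|10.0.0.23|93.115.21.45|GET|/scripts/test2.bin|Microsoft BITS/7.8|200|application/x-dosexec
1648467001.4|10.0.0.23|93.115.21.45|GET|/gtaddress|Mozilla/5.0|200|text/plain
1648467002.9|10.0.0.40|download.windowsupdate.com|GET|/d/msdownload/update/software/x.cab|Microsoft BITS/7.8|200|application/vnd.ms-cab-compressed
1648467003.2|10.0.0.51|cdn.example.net|GET|/assets/firmware.bin|curl/7.81.0|200|application/octet-stream
"""


def parse_log(text):
    """Parse the constructed log into one dict per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|")
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed line: {line!r}")
        records.append(dict(zip(FIELDS, values)))
    return records


def is_dotted_quad(host):
    """True when the Host header is a bare IPv4 literal (optionally with :port)."""
    host = host.split(":")[0]
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def reasons(rec):
    """Return the list of conditions this request satisfies, in a fixed order."""
    out = []
    if is_dotted_quad(rec["host"]):
        out.append("dotted_quad_host")
    # Path component only: ".bin" inside a query string is not a .bin object.
    path = rec["uri"].split("?", 1)[0]
    if path.lower().endswith(".bin"):
        out.append("bin_request")
    # Assumed client string for the Background Intelligent Transfer Service.
    if rec["user_agent"].startswith("Microsoft BITS/"):
        out.append("bits_user_agent")
    if rec["resp_mime_types"] == "application/x-dosexec":
        out.append("pe_response")
    return out


def hunt(records, min_reasons=2):
    """Return (record, reasons) for requests meeting at least min_reasons
    conditions. A single condition is left alone; stacking them is what
    separates the sandbox's download from ordinary BITS or CDN traffic."""
    hits = []
    for rec in records:
        why = reasons(rec)
        if len(why) >= min_reasons:
            hits.append((rec, why))
    return hits


if __name__ == "__main__":
    for rec, why in hunt(parse_log(SAMPLE_LOG)):
        print(rec["id.orig_h"], rec["host"] + rec["uri"], why)
```

Raising `min_reasons` to 3 or 4 trades recall for precision; on this log the recorded download still matches at 4 while nothing else exceeds 1. The `/gtaddress` request from the same record only scores the dotted-quad condition on its own, which is why a hunt should pivot on the source host once the `.bin` fetch is found rather than expect every C2 request to trip the rule.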
33060 | 2022-03-28 18:17
Sample: 3211_1648033125_6586.exe | MD5 d0588f2f63ec6728f72e9283dee2a6dd
Tags: Obsidium protector UPX .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Collect installed applications Check virtual network interfaces sandbox evasion installed browsers check Tofsee Windows Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs (1): (not listed)
Hosts (3):
  api.ip.sb (104.26.13.31)
  172.67.75.172 - malicious
  193.150.103.38 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 12.2 | M | 35 | ZeroCERT