33076 | 2022-03-28 18:04
8271_1648142377_1819.exe e93deb87c6d5bfbec964ed3247f25130
RAT PWS .NET framework Generic Malware Antivirus .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key
2: bronsky.kiev.ua(185.66.90.243); 185.66.90.243
1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 47 | ZeroCERT

33077 | 2022-03-28 18:03
test2.bin dbf44c48e0845b3715cec0c8288cd37d
Generic Malware UPX .NET EXE PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces AppData folder anti-virtualization Windows Browser ComputerName DNS
1: http://93.115.21.45/index.php
2: 93.115.21.45 - malware; 5.4.3.1
9.4 | M | 38 | ZeroCERT

33078 | 2022-03-28 18:02
Ainxpfgc.exe ba2258324fc45ea8d9d7d5f94f50c8f5
PWS[m] RAT SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
3: api.telegram.org(149.154.167.220); 179.43.175.187 - malware; 149.154.167.220
4: ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Telegram API Domain in DNS Lookup
13.4 | M | 43 | ZeroCERT

33079 | 2022-03-28 18:00
iknn.exe 8d4a4c48639dc2ea5557ab5b8004b479
Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself
3: http://www.davidsmpsn.com/i1a6/?UR-XYpD=p7u0kMqCx5hH/JCjgGdENgcuvo4GmLq0GdVzfduUlrLw40XzTfjZVp82ATqOHipFcyxEIuUb&jrQDrX=afhhur9; http://www.etherwatch.xyz/i1a6/?UR-XYpD=szeqVJnoaFnS5UrljB0yxwiSOR4MtJUfO9epaYXOl5Y87HyW/fCApBbbVxuDBCvWFYapWk+l&jrQDrX=afhhur9; http://www.bintisafricanfashionbeauty.net/i1a6/?UR-XYpD=dcmOYrn/2KQCSVnxZ7dEH3PrEZw+L3xV+KKEZfNTA2WLxr6U0uR4RL70vwOUUG2oX4VN0nvU&jrQDrX=afhhur9
8: www.bintisafricanfashionbeauty.net(199.34.228.59); www.controlaltkeys.com(); www.davidsmpsn.com(167.99.78.230); www.etherwatch.xyz(3.64.163.50); www.zzzhzzz.com(); 3.64.163.50 - mailcious; 199.34.228.59 - mailcious; 178.128.93.124 - mailcious
2: ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
5.4 | M | 27 | ZeroCERT

33080 | 2022-03-28 17:11
6652_1648040107_1316.exe 988aad43ece4f7629a82912907a20771
PWS[m] RedLine stealer[m] RAT PWS .NET framework AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
2: gsiahincian.xyz(185.80.53.122); 185.80.53.122 - mailcious
7.0 | M | 45 | ZeroCERT

33081 | 2022-03-28 17:09
5712_1648137046_5470.exe 6ff70ee26bed24429f5fd10255f393b4
RAT .NET EXE PE File PE32 VirusTotal Malware PDB MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName
1: http://pipipupucheck.xyz/log.php?os=Microsoft%20Windows%207%20Professional%20KN%20&isAdmin=yes
2: pipipupucheck.xyz(172.67.178.90); 104.21.91.189
1: ET HUNTING Request to .XYZ Domain with Minimal Headers
3.6 | M | 31 | ZeroCERT

33082 | 2022-03-28 17:09
6527_1648106341_4945.exe 0e48327d62a867589302e85169b0a86c
RAT PWS .NET framework UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
1:
4.4 | M | 48 | ZeroCERT

33083 | 2022-03-28 17:08
1158_1648158387_771.exe 2958d8b8ad691dc82803517630e2064a
RAT .NET EXE PE File PE32 Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows DNS
2: http://93.115.21.45/scripts/test2.bin; http://93.115.21.45/gtaddress
3: 93.115.21.45; 5.4.3.1; 22.61.56.108
4: ET HUNTING Request for .bin with BITS/ User-Agent; ET MALWARE Generic .bin download from Dotted Quad; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
8.2 | M | 28 | ZeroCERT

33084 | 2022-03-28 17:07
8396_1648147480_5739.exe 8fa43d91b2fbf126d65bdb8520b57f79
RAT PWS .NET framework Generic Malware Antivirus UPX .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself crashed
2.4 | M | 21 | ZeroCERT

33085 | 2022-03-28 17:05
6989_1648415437_5281.exe 442c20c5c4666bd83c318ed422087c58
RAT .NET EXE PE File PE32 MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee
1: http://apps.identrust.com/roots/dstrootcax3.p7c
4: apps.identrust.com(23.216.159.81); cdn-131.anonfiles.com(45.154.253.60); 45.154.253.60; 61.111.58.35 - malware
1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | M | | ZeroCERT

33086 | 2022-03-28 17:05
3447_1648314430_3062.exe 22ed1588f10fbd9473c7eb9c6fad874e
Obsidium protector UPX .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI RWX flags setting unpack itself Collect installed applications sandbox evasion installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
1: 193.150.103.37 - mailcious
10.4 | M | 23 | ZeroCERT

33087 | 2022-03-28 17:03
3858_1648379849_6781.exe b23d3f15aa39d0b5027bd4c7f61ca04d
Malicious Library UPX PE File PE64 VirusTotal Malware Buffer PE AutoRuns Malicious Traffic buffers extracted Creates executable files Disables Windows Security Windows DNS
3: http://185.137.234.33:8080/lm - rule_id: 10842; http://185.137.234.33:8080/xr - rule_id: 14765; http://185.137.234.33:8080/hs - rule_id: 14762
2: 185.137.234.33 - mailcious; 162.159.136.232 - mailcious
2: ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
3: http://185.137.234.33:8080/lm; http://185.137.234.33:8080/xr; http://185.137.234.33:8080/hs
5.8 | M | 20 | ZeroCERT

33088 | 2022-03-28 17:03
4848_1648371321_7012.exe 22e0680722035b21350b17d9beb34a34
RAT PWS .NET framework UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
1:
3: api.ip.sb(172.67.75.172); 104.26.12.31; 185.183.32.227 - mailcious
1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.2 | M | | ZeroCERT

33089 | 2022-03-28 17:01
127_1648120494_8461.exe aaddb3f299af86eb0aacbef55aae3558
RAT PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself crashed
2.6 | M | 39 | ZeroCERT

33090 | 2022-03-28 17:00
7044_1648040786_6954.exe 1f235f2e658e21a30d9296c1b3edc336
RAT UPX PE File PE64 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
1:
2.6 | M | 34 | ZeroCERT