| 3841 |
2024-05-24 10:58
|
 iscsicli.exe ed7336086b1e5267c0d4863325956be2
Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 ActiveXObject OS Processor Check DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS |
|
19
www.primeplay88.org(91.195.240.19) - mailcious
www.touchclean.top(67.223.117.189)
www.mrart.co.kr(183.111.183.31) - mailcious
www.99b6q.xyz() - mailcious
www.xn--matfrmn-jxa4m.se(194.9.94.85) - mailcious
www.besthomeincome24.com() - mailcious
www.ibistradingco.com(93.127.196.51)
www.terelprime.com(66.96.161.166) - mailcious
www.kinkynerdspro.blog(54.38.220.85) - mailcious
www.aceautocorp.com(198.12.241.35) - mailcious
91.195.240.19 - mailcious
194.9.94.86 - mailcious
67.223.117.189
66.96.161.166 - mailcious
45.33.6.223
93.127.196.151
183.111.183.31 - mailcious
94.23.162.163
198.12.241.35 - mailcious
|
3
ET DNS Query to a *.top domain - Likely Hostile
SURICATA HTTP Request abnormal Content-Encoding header
ET INFO HTTP Request to a *.top domain
|
12
http://www.aceautocorp.com/ufuh/
http://www.mrart.co.kr/ufuh/
http://www.aceautocorp.com/ufuh/
http://www.kinkynerdspro.blog/ufuh/
http://www.terelprime.com/ufuh/
http://www.primeplay88.org/ufuh/
http://www.terelprime.com/ufuh/
http://www.xn--matfrmn-jxa4m.se/ufuh/
http://www.mrart.co.kr/ufuh/
http://www.xn--matfrmn-jxa4m.se/ufuh/
http://www.primeplay88.org/ufuh/
http://www.kinkynerdspro.blog/ufuh/
|
11.4 |
M |
51 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3842 |
2024-05-24 10:44
|
 123.456 7b207ce9f9d71dfc2eaa2e959634a54d
Generic Malware Malicious Library UPX PE64 PE File DLL OS Processor Check VirusTotal Malware PDB Checks debugger |
|
|
|
|
1.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3843 |
2024-05-24 10:41
|
 loudzx.scr ed7336086b1e5267c0d4863325956be2
Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 ActiveXObject OS Processor Check DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
|
15
www.primeplay88.org(91.195.240.19)
www.mrart.co.kr(183.111.183.31)
www.99b6q.xyz()
www.besthomeincome24.com()
www.xn--matfrmn-jxa4m.se(194.9.94.85)
www.aceautocorp.com(198.12.241.35)
www.kinkynerdspro.blog(54.38.220.85)
www.terelprime.com(66.96.161.166)
91.195.240.19 - mailcious
54.38.220.85 - mailcious
66.96.161.166
45.33.6.223
194.9.94.85 - mailcious
183.111.183.31
198.12.241.35
|
1
SURICATA HTTP Request abnormal Content-Encoding header
|
|
10.4 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3844 |
2024-05-24 10:07
|
 tE6.xls 72b684c764f3fa2b4f7ecbc3a572c7a5
RedLine stealer Generic Malware Malicious Library PE File DLL PE32 .NET DLL VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3845 |
2024-05-24 09:51
|
 tE6.xls 72b684c764f3fa2b4f7ecbc3a572c7a5
RedLine stealer Generic Malware Malicious Library PE File DLL PE32 .NET DLL VirusTotal Malware PDB |
|
|
|
|
1.4 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3846 |
2024-05-24 09:44
|
 room4.hta 409f1bada32d81974fd8606be4cbc943
Generic Malware Antivirus Malicious Library PowerShell PE File PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
16
http://20.86.128.223/room/rooma.exe
http://www.antonio-vivaldi.mobi/fo8o/?I0NK=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&Lw8=oat1oSv
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.goldenjade-travel.com/fo8o/?I0NK=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&Lw8=oat1oSv
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
http://www.rssnewscast.com/fo8o/
http://www.techchains.info/fo8o/
http://www.3xfootball.com/fo8o/?I0NK=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&Lw8=oat1oSv
http://www.magmadokum.com/fo8o/?I0NK=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&Lw8=oat1oSv
http://www.rssnewscast.com/fo8o/?I0NK=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&Lw8=oat1oSv
http://www.kasegitai.tokyo/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.techchains.info/fo8o/?I0NK=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&Lw8=oat1oSv
http://www.antonio-vivaldi.mobi/fo8o/
http://www.kasegitai.tokyo/fo8o/?I0NK=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&Lw8=oat1oSv
|
17
www.liangyuen528.com()
www.magmadokum.com(85.159.66.93)
www.techchains.info(66.29.149.46)
www.kasegitai.tokyo(202.172.28.202)
www.3xfootball.com(154.215.72.110)
www.goldenjade-travel.com(116.50.37.244)
www.antonio-vivaldi.mobi(46.30.213.191)
www.rssnewscast.com(91.195.240.94)
202.172.28.202
85.159.66.93 - mailcious
116.50.37.244
46.30.213.191 - mailcious
66.29.149.46
91.195.240.94 - phishing
45.33.6.223
20.86.128.223 - malware
154.215.72.110
|
5
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
14.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3847 |
2024-05-24 09:44
|
lionisthekingofjunglewhoruleth... b03fb70c3be411363c911037b610df82
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://198.46.177.156/xampp/kw/rulethejunglewithnewlionkingimage.bmp
https://paste.ee/d/NhBmA
|
3
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
198.46.177.156 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3848 |
2024-05-24 09:41
|
lionsarekingbitmapimagesarebea... 292fc41f2ca899c90c5cf89ae7bb6852
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://198.46.178.154/550033/bitmaplionjungleimageforview.bmp
https://paste.ee/d/j5TgA
|
3
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
198.46.178.154 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3849 |
2024-05-24 09:39
|
 HHAMMOFATHEATBBDNN.jpg 3c79a6180ae2590450d46359924cb9c1
ZIP Format VirusTotal Malware |
|
|
|
|
0.6 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3850 |
2024-05-24 09:39
|
lionisthekingbuttigertrytobeco... 7450c0dcd0bafd974d4d9b976b84089b
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://198.12.81.178/43411/lionisthekingofjungleimageshere.bmp
https://paste.ee/d/W7VfG
|
3
paste.ee(172.67.187.200) - mailcious
104.21.84.67 - malware
198.12.81.178 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3851 |
2024-05-24 07:52
|
 gHIvTf22qvmZjum.exe 8b7b19184d4eaa008d1cbba2bfece478
AgentTesla Malicious Library PWS KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed |
1
http://ip-api.com/line/?fields=hosting
|
2
ip-api.com(208.95.112.1)
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
11.4 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3852 |
2024-05-24 07:51
|
 7zipsilentinstaller.exe 09fc747681c810bf422de1d30713800c
Malicious Library Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
|
2
7-zip.org(49.12.202.237)
49.12.202.237
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.8 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3853 |
2024-05-24 07:50
|
 ChromeSetup.exe fe2f9e211bfaf529c92bc28cb847da46
Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS |
4
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd
|
28
edgedl.me.gvt1.com(34.104.35.123)
dns.google(8.8.4.4)
www.google.com(172.217.25.164)
www.gstatic.com(172.217.25.163)
play.google.com(142.250.207.110)
r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
clients2.googleusercontent.com(172.217.161.225)
accounts.google.com(64.233.188.84)
_googlecast._tcp.local()
apis.google.com(172.217.161.238)
clientservices.googleapis.com(142.250.206.195)
108.177.125.84
172.217.25.170 - malware
211.114.64.12
172.217.27.36
142.250.206.234 - malware
142.250.204.110
142.250.76.131
172.217.161.225 - mailcious
45.33.6.223
216.58.200.228
34.104.35.123
142.250.76.142 - mailcious
142.251.222.195
172.217.24.78
172.217.24.97
172.217.27.46
172.217.25.174 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
|
|
7.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3854 |
2024-05-24 07:49
|
 xxxz.exe fba7a7675a7db49f2e2d06c74912a706
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.4 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3855 |
2024-05-24 07:49
|
 csrss.exe e5cb8c66cab6a972529a85480b9881bc
Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|