| 4021 |
2024-05-16 09:17
|
beautifulthingstohappenedevery... faf0cacc6b11e438c4bfec5aff2e4927
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
2
https://api.ipify.org/
http://192.227.173.67/Ifeanyi.exe
|
3
api.ipify.org(172.67.74.152)
192.227.173.67 - malware
172.67.74.152
|
8
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4022 |
2024-05-16 09:16
|
 vncx.exe d21ff27f8fcaee1acf0047dde48f4759
NSIS Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4023 |
2024-05-16 09:14
|
 regasms.exe 9cded6e0c0b625370bb17884b7611955
AsyncRAT Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Malware download AsyncRAT NetWireRC VirusTotal Malware DDNS DoTNet |
|
2
leetboy.dynuddns.net(185.196.11.252)
185.196.11.252
|
4
ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
1.2 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4024 |
2024-05-16 09:13
|
beautifuldaystartedwithbeautiu... 6fd521ca6607ad89cfaabeccfa7ae150
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://198.12.81.162/60590/spoolsv.exe
|
1
198.12.81.162 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4025 |
2024-05-16 09:12
|
 mimikats.ps1 929da23097367077c3678dea19303133
Hide_EXE Generic Malware Antivirus VirusTotal Malware powershell Check memory heapspray unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
2.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4026 |
2024-05-16 09:11
|
 vnc.exe a9d3bb0da3b9e0e7e58d67bd854600e1
Formbook Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
http://www.zshoessale.com/ht3d/?X2JtLLIP=KNW++co0WOUUOeVy1yumhiPpCJt5B+GOr4dwSTSfofY/YX8F6Ro1LNTkPqjSHYlOaPmihmJ6&bl=UVW8MhVXhZQ8-4w
http://www.coachwunder.com/ht3d/?X2JtLLIP=/YUL6YCHhTiRbngjw+JX2TJKTr93KVrGBAteOVqB4a1cvSMCaV6LIhkawvKbzE1nb4sI3EFe&bl=UVW8MhVXhZQ8-4w
|
6
www.coachwunder.com(91.195.240.19)
www.used-cars-77695.bond()
www.earthoftender.com()
www.zshoessale.com(104.21.35.22)
91.195.240.19 - mailcious
172.67.211.158
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4027 |
2024-05-16 09:11
|
 647c143e-7885-49f0-aca4-712bdd... 84db43a164ce3f375e38430aa3c817c5
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4028 |
2024-05-16 09:08
|
 meter2.exe b2956ff8340e2b2eb4aa41fe953486f2
Malicious Library Malicious Packer PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
|
|
|
3.6 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4029 |
2024-05-16 09:08
|
 cmd.ps1 7801b02953637126c9012fd6e630f790
Malicious Library Malicious Packer UPX PE64 PE File OS Processor Check VirusTotal Malware DNS crashed |
|
1
|
|
|
2.2 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4030 |
2024-05-16 09:07
|
 akurg.exe 6bef283833fa82a12f2a6a73fb43a4bb
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
|
2
api.ipify.org(104.26.13.205)
172.67.74.152
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4031 |
2024-05-16 09:06
|
 rem.exe 06f5b8dffc6c138828adbc7f29cfc7f0
Browser Login Data Stealer Generic Malware Malicious Library Downloader Malicious Packer UPX PE File PE32 OS Processor Check Remcos VirusTotal Malware AutoRuns Check memory Windows DDNS DoTNet keylogger |
|
2
leetboy.dynuddns.net(185.196.11.252)
185.196.11.252
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain
|
|
3.2 |
M |
64 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4032 |
2024-05-16 09:04
|
br.msi cbd6f6f7682366b65948238e0d1f03e5
Generic Malware MSOffice File CAB VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
1
http://ec2-3-21-233-33.us-east-2.compute.amazonaws.com/5806460-36.2024.7.10.7643/bobluz
|
2
ec2-3-21-233-33.us-east-2.compute.amazonaws.com(3.21.233.33)
3.21.233.33
|
|
|
3.0 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4033 |
2024-05-16 09:04
|
 Ifeanyi.exe 96cb932974b4d07cf7d11caef8c1d590
AgentTesla Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
1
|
2
api.ipify.org(172.67.74.152)
104.26.13.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4034 |
2024-05-16 09:02
|
everythinggoingfineandgreatwit... 92f0065ee050a8dcd89fc59eddb048c7
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
3
http://www.butterflygroup.net/ht3d/?ARr=TaJuVXa8zD69E3rzgnBHcrtXTrwOaZM8cT0N/R70fGbWZvadCJ+iOLXrNCS6WQsHODSZZ5YX&ndlpiZ=u4ftAr7xpX7P
http://www.aaditt.com/ht3d/?ARr=Jxa8xlTunEPBVne4oi/bIU6b5tyucP/prE9/dQtU4ejg32tqlJ0LdPdUuJRqPlVl4EhKaSuV&ndlpiZ=u4ftAr7xpX7P
http://23.94.36.162/4506/vnc.exe
|
8
www.testingsol.com()
www.52iwin.com(199.59.243.225)
www.butterflygroup.net(13.248.169.48)
www.aaditt.com(15.197.148.33)
199.59.243.225 - mailcious
23.94.36.162 - mailcious
3.33.130.190 - phishing
13.248.169.48 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4035 |
2024-05-16 09:01
|
beautifulflowerwhenraiseinthev... 6d3be789542f3bb48e47dad639120a19
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
2
https://api.ipify.org/
http://192.3.239.30/25095/spoolsv.exe
|
4
api.ipify.org(172.67.74.152)
192.3.239.30 - malware
104.26.13.205
103.143.81.180
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|