| 44341 |
2024-05-16 18:22
|
 FlexPremises.exe bdaf0c44377ebc825e98d8e649ca8f4b
NSIS Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName |
|
|
|
|
6.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44342 |
2024-05-17 07:29
|
 324hj23k4jh423kjh4g423.exe 348bce7a46271aa5ff25de5e15e291d4
Malicious Library Downloader UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
1.8 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44343 |
2024-05-17 07:31
|
 smss.exe 413bf385b1f985dcd43e2cdd2ebce8c5
Formbook Generic Malware Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser crashed |
9
http://www.crimsoncascade.xyz/a42m/
http://www.gregoriusalvin.com/a42m/ - rule_id: 39605
http://www.gregoriusalvin.com/a42m/?AhB=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&eS0G=fcpMuMP5iihRHWDU - rule_id: 39605
http://www.xn--bb55rtp-9va2p.store/a42m/?AhB=SpRmwiWWWie0LiCQik30fMumghQ1V43TuTRukl4i+K/mOSJ9++mg5ZeFxUAkG3Pdc43Qwg0V3CKoqh5jVerICFqxOreCo6UFThdoK0ITtUR0x3kt6DvHO7oYbUe5+lYToPjvUAg=&eS0G=fcpMuMP5iihRHWDU
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.crimsoncascade.xyz/a42m/?AhB=OaCxij+az8CWZkVV/54ln7Tii7cuYBvJsZdPmSHU0RFVoK/pLfrBdHMvdCD9qCJrgyFEUHy2yFOAdhP54QELuvsZtM/ZdHBp7cl68dN6EF+6a9fy3QPRhNX/VA1OInBnCfWbr6U=&eS0G=fcpMuMP5iihRHWDU
http://www.xn--bb55rtp-9va2p.store/a42m/
http://www.tintasmaiscor.com/a42m/?AhB=BaBbynwG2FaMiw+hhIbbh28MgtbEHbpnPsDfKOVNrs70A5vduIAGjxN5gftBLQVIAtEactO1mhmKtuNjdeyvWaHsEukAqVbBiuakY2ayn/21WOCwyWJ4ZPsM5Fw7u2uLCIVlGog=&eS0G=fcpMuMP5iihRHWDU - rule_id: 39606
http://www.tintasmaiscor.com/a42m/ - rule_id: 39606
|
14
www.crimsoncascade.xyz(162.0.237.22)
www.italiangreyhounds.online() - mailcious
www.xn--bb55rtp-9va2p.store(84.32.84.32)
www.gregoriusalvin.com(103.247.10.164) - mailcious
www.tintasmaiscor.com(162.240.81.18) - mailcious
www.designsbysruly.com() - mailcious
www.gcashservice247.com() - mailcious
www.weeveno.com() - mailcious
www.infomail.website() - mailcious
162.0.237.22
84.32.84.32 - mailcious
45.33.6.223
162.240.81.18 - mailcious
103.247.10.164 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET) M5
|
4
http://www.gregoriusalvin.com/a42m/
http://www.gregoriusalvin.com/a42m/
http://www.tintasmaiscor.com/a42m/
http://www.tintasmaiscor.com/a42m/
|
10.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44344 |
2024-05-17 07:32
|
 ReurgingGleek.exe 1d3535cc01b2cc54b808a55e945707a0
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44345 |
2024-05-17 07:32
|
 bas.exe 53d0c5288b720419cb95ed2cb57cbfd9
Malicious Library UPX AntiDebug AntiVM PE File DllRegisterServer dll PE32 MZP Format URL Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Tofsee Interception Windows Advertising Google ComputerName DNS Cryptographic key keylogger |
2
https://drive.usercontent.google.com/download?id=1_F5U1nd9cmh25WycEA26uaCrdwmT4bZN&export=download
https://drive.google.com/uc?export=download&id=1_F5U1nd9cmh25WycEA26uaCrdwmT4bZN
|
5
drive.usercontent.google.com(142.250.206.193) - mailcious
drive.google.com(142.250.76.142) - mailcious
63.250.43.146
142.251.220.14
142.250.66.65
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.6 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44346 |
2024-05-17 07:34
|
 yak.exe 33bbd27a00b4160a844a7edf2efef84e
Malicious Library UPX PE File DllRegisterServer dll PE32 MZP Format URL Format Remcos VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Tofsee Windows Advertising Google DNS DDNS keylogger |
3
http://geoplugin.net/json.gp
https://drive.google.com/uc?export=download&id=17oU8oYytI1akPiuIHIUd9KLqlDrKFCY3
https://drive.usercontent.google.com/download?id=17oU8oYytI1akPiuIHIUd9KLqlDrKFCY3&export=download
|
8
drive.usercontent.google.com(142.250.206.193) - mailcious
geoplugin.net(178.237.33.50)
drive.google.com(142.250.76.142) - mailcious
myumysmeetr.ddns.net(89.117.145.5)
142.251.220.78
178.237.33.50
142.250.66.97
89.117.145.5
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
|
|
5.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44347 |
2024-05-17 07:39
|
 gotomeeting.exe 877187ad95d25a0e3582331588ac8892
Malicious Library PE64 PE File VirusTotal Malware Malicious Traffic RWX flags setting unpack itself ComputerName DNS |
1
http://3.208.96.244/functionalStatus?_=EInrswNj-Smw7wHUODEblLL439ayqOOtH_5tR6ROrd0QGwcO1yuDBudGKa4SC9TtxUwCInmkBxwGljbmw0ILNKuyhL8Nlfy8cQKnl4mbPhiqNUkRPS4Fq54Lqcliho2IiNBBA30VUjOrMgNSUV_JL-Rjy6UxR-vRc9NeDvPoRko
|
1
|
|
|
4.4 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44348 |
2024-05-17 07:39
|
 sb.exe 04bcca3d8db9f3034c8814acd8735073
Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory Windows |
|
|
|
|
2.2 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44349 |
2024-05-17 07:41
|
 grace.exe 6cb57b7bbac238426bb2f888fbfc3ed7
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44350 |
2024-05-17 07:43
|
shell.exe 346dae7e729ed4f192d213fcd2292d58
UPX MPRESS PE File PE32 DLL VirusTotal Malware AutoRuns Check memory Creates executable files AppData folder sandbox evasion Windows |
|
|
|
|
4.6 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44351 |
2024-05-17 09:10
|
 mrngisagreatdayformebecausewew... 8dc3b5e3a2c0fbc303f76905e8247926
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware ICMP traffic RWX flags setting exploit crash Tofsee Exploit DNS DDNS crashed |
2
http://wednesdayyyymangeo.duckdns.org/morning_wednesdaydatingmango.vbs
https://paste.ee/d/ougGo
|
4
wednesdayyyymangeo.duckdns.org(107.173.4.20)
paste.ee(172.67.187.200) - mailcious
107.173.4.20 - malware
172.67.187.200 - mailcious
|
5
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
|
|
4.4 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44352 |
2024-05-17 09:10
|
createdbeautifulimagesentirepl... 118a6298bf966ad5979e15faca957cbd
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://172.245.123.8/80090/createdveryhdimagestoview.png
https://paste.ee/d/OJmBL
|
3
paste.ee(172.67.187.200) - mailcious
104.21.84.67 - malware
172.245.123.8 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44353 |
2024-05-17 09:11
|
 dl.php 9b811321fcab794c77c3f9a6b6622c37
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44354 |
2024-05-17 09:13
|
weneverneedtokissflowersbeause... 4f3983c99751f41c7d1639fccbee0491
Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
13
http://www.crimsoncascade.xyz/a42m/
http://www.gregoriusalvin.com/a42m/ - rule_id: 39605
http://www.gregoriusalvin.com/a42m/?IWGZfq=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&6Za=ySE9k110 - rule_id: 39605
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
http://www.xn--bb55rtp-9va2p.store/a42m/?IWGZfq=SpRmwiWWWie0LiCQik30fMumghQ1V43TuTRukl4i+K/mOSJ9++mg5ZeFxUAkG3Pdc43Qwg0V3CKoqh5jVerICFqxOreCo6UFThdoK0ITtUR0x3kt6DvHO7oYbUe5+lYToPjvUAg=&6Za=ySE9k110
http://www.fidyart.com/a42m/?IWGZfq=TRa47sC0zg9DwlJH2ofZbpLPxb60FAnROaHr8XI2UWJs85O5KJ5v05dP6WLbumUjxgnYSz8VJIiFOj3/jDGGhDjJnNfIP19njrbmy90O84rAfsEKawWCksmZBQaaYfgJFBMVu+Q=&6Za=ySE9k110
http://www.tintasmaiscor.com/a42m/?IWGZfq=BaBbynwG2FaMiw+hhIbbh28MgtbEHbpnPsDfKOVNrs70A5vduIAGjxN5gftBLQVIAtEactO1mhmKtuNjdeyvWaHsEukAqVbBiuakY2ayn/21WOCwyWJ4ZPsM5Fw7u2uLCIVlGog=&6Za=ySE9k110 - rule_id: 39606
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
http://www.fidyart.com/a42m/
http://www.crimsoncascade.xyz/a42m/?IWGZfq=OaCxij+az8CWZkVV/54ln7Tii7cuYBvJsZdPmSHU0RFVoK/pLfrBdHMvdCD9qCJrgyFEUHy2yFOAdhP54QELuvsZtM/ZdHBp7cl68dN6EF+6a9fy3QPRhNX/VA1OInBnCfWbr6U=&6Za=ySE9k110
http://www.xn--bb55rtp-9va2p.store/a42m/
http://www.tintasmaiscor.com/a42m/ - rule_id: 39606
http://192.3.216.156/71120/smss.exe
|
17
www.crimsoncascade.xyz(162.0.237.22)
www.fidyart.com(63.250.43.146)
www.italiangreyhounds.online() - mailcious
www.xn--bb55rtp-9va2p.store(84.32.84.32)
www.gregoriusalvin.com(103.247.10.164) - mailcious
www.tintasmaiscor.com(162.240.81.18) - mailcious
www.designsbysruly.com() - mailcious
www.gcashservice247.com() - mailcious
www.weeveno.com() - mailcious
www.infomail.website() - mailcious
162.0.237.22
84.32.84.32 - mailcious
45.33.6.223
63.250.43.147
162.240.81.18 - mailcious
103.247.10.164 - mailcious
192.3.216.156 - malware
|
7
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious smss.exe in URI
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
4
http://www.gregoriusalvin.com/a42m/
http://www.gregoriusalvin.com/a42m/
http://www.tintasmaiscor.com/a42m/
http://www.tintasmaiscor.com/a42m/
|
4.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44355 |
2024-05-17 09:13
|
 dl.php d20089770bdb6ace5be655ee209e4f24
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|