44476 | 2024-05-23 18:04
xin.exe ca039a10eadbf91b4d5363e4f1090141
Tags: AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (17):
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.2 | M | | ZeroCERT

44477 | 2024-05-23 18:04
lionisthetruekingsofthejunglew... 0305665fe64e9a6f1ece3d43bc5d5112
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
http://www.synergyinnovationsgroup.com/amjEkz102.bin
http://192.3.109.164/5445/csrss.exe
Hosts (3):
www.synergyinnovationsgroup.com(199.217.106.226)
199.217.106.226 - mailcious
192.3.109.164 - malware
Alerts (6):
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious csrss.exe in URI
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.2 | M | 32 | ZeroCERT

44478 | 2024-05-23 18:06
crypted.exe 5f3aeb71b5f03a122bce55ffc079fa63
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.4 | M | 41 | ZeroCERT

44479 | 2024-05-23 18:08
1.hta a77becccca5571c00ebc9e516fd96ce8
Tags: AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
4.6 | | 25 | ZeroCERT

44480 | 2024-05-23 18:09
csrss.exe b616cc8c02b88cff3a1d36ab29673399
Tags: NSIS Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Ransomware
4.0 | M | 27 | ZeroCERT

44481 | 2024-05-23 20:54
1.jpg d1a446c5c7563fb7901a33313ddb9d05
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.4 | M | 37 | ZeroCERT

44482 | 2024-05-24 07:38
svc.exe 92c57dd80b764a028749520017d44e76
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
2.0 | M | 61 | ZeroCERT

44483 | 2024-05-24 07:40
GoogleUpdateTaskMachineQCW.exe 4e9292f02efc44abd5a2671439283405
Tags: PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency DNS CoinMiner
Hosts (2):
xmr.2miners.com(162.19.139.184) - mailcious
162.19.139.184 - mailcious
Alerts (1): ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
2.4 | | 56 | ZeroCERT

44484 | 2024-05-24 07:41
SrbijaSetupHokej.exe 528b9a26fd19839aeba788171c568311
Tags: Generic Malware Malicious Library UPX PE File PE32 MZP Format OS Processor Check PE64 VirusTotal Malware Checks debugger unpack itself AppData folder
2.0 | | 2 | ZeroCERT

44485 | 2024-05-24 07:41
rooma.exe 1dcce19e1a6306424d073487af821ff0
Tags: Generic Malware Malicious Library PE File PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware buffers extracted Creates executable files unpack itself AppData folder Browser DNS
URLs (19):
Hosts (20):
Alerts (3):
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO Observed DNS Query to .zip TLD
ET INFO HTTP Request to a *.zip Domain
6.6 | M | 60 | ZeroCERT

44486 | 2024-05-24 07:42
Bypass3_Pure_Mode.exe 6e1e63e97c09758e3db18ea31bd95284
Tags: Generic Malware Malicious Library Malicious Packer UPX Antivirus Anti_VM PE File .NET EXE PE32 PE64 ftp OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key
5.2 | M | 58 | ZeroCERT

44487 | 2024-05-24 07:46
vax.exe efb0c31543ca816cd9a55cafd730224c
Tags: Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Check memory Checks debugger unpack itself
0.8 | M | | ZeroCERT

44488 | 2024-05-24 07:47
Testing.exe 144f1b1c4b9cdad97d8dd1a3a89e7ea1
Tags: Suspicious_Script_Bin Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX Confuser .NET PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram Buffer PE AutoRuns Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder installed browsers check Tofsee Windows Browser DNS
Hosts (4):
api64.ipify.org(173.231.16.77)
api.telegram.org(149.154.167.220)
173.231.16.77
149.154.167.220
Alerts (6):
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET HUNTING Telegram API Domain in DNS Lookup
7.0 | M | 60 | ZeroCERT

44489 | 2024-05-24 07:47
sharonzx.exe 0b67adeb422396c047e87fa78a9e8e80
Tags: Loki LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://rocheholding.top/evie3/five/fre.php - rule_id: 39724
Hosts (16):
Alerts (8):
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://rocheholding.top/evie3/five/fre.php
16.0 | M | 40 | ZeroCERT

44490 | 2024-05-24 07:47
Client.exe 7ac0adf482250172280defec7a7054da
Tags: Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1):
2.6 | M | 63 | ZeroCERT