ID: 44491
Submitted: 2024-05-24 07:49
File: csrss.exe
MD5: e5cb8c66cab6a972529a85480b9881bc
Tags: Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key
URLs: none
Hosts: none
IDS alerts: none
Score: 4.0 | M | 56 | Submitter: ZeroCERT

ID: 44492
Submitted: 2024-05-24 07:49
File: xxxz.exe
MD5: fba7a7675a7db49f2e2d06c74912a706
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
URLs: none
Hosts: none
IDS alerts: none
Score: 2.4 | - | 58 | Submitter: ZeroCERT

ID: 44493
Submitted: 2024-05-24 07:50
File: ChromeSetup.exe
MD5: fe2f9e211bfaf529c92bc28cb847da46
Tags: Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS
URLs (4):
  http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
  http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
  https://update.googleapis.com/service/update2
  https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd
Hosts (28):
  edgedl.me.gvt1.com (34.104.35.123)
  dns.google (8.8.4.4)
  www.google.com (172.217.25.164)
  www.gstatic.com (172.217.25.163)
  play.google.com (142.250.207.110)
  r1---sn-3u-bh2ss.gvt1.com (211.114.64.12)
  clients2.googleusercontent.com (172.217.161.225)
  accounts.google.com (64.233.188.84)
  _googlecast._tcp.local (unresolved)
  apis.google.com (172.217.161.238)
  clientservices.googleapis.com (142.250.206.195)
  108.177.125.84
  172.217.25.170 - malware
  211.114.64.12
  172.217.27.36
  142.250.206.234 - malware
  142.250.204.110
  142.250.76.131
  172.217.161.225 - malicious
  45.33.6.223
  216.58.200.228
  34.104.35.123
  142.250.76.142 - malicious
  142.251.222.195
  172.217.24.78
  172.217.24.97
  172.217.27.46
  172.217.25.174 - malicious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
Score: 7.6 | M | - | Submitter: ZeroCERT

ID: 44494
Submitted: 2024-05-24 07:51
File: 7zipsilentinstaller.exe
MD5: 09fc747681c810bf422de1d30713800c
Tags: Malicious Library Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
URLs: none
Hosts (2):
  7-zip.org (49.12.202.237)
  49.12.202.237
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 1.8 | M | 6 | Submitter: ZeroCERT

ID: 44495
Submitted: 2024-05-24 07:52
File: gHIvTf22qvmZjum.exe
MD5: 8b7b19184d4eaa008d1cbba2bfece478
Tags: AgentTesla Malicious Library PWS KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed
URLs (1):
  http://ip-api.com/line/?fields=hosting
Hosts (2):
  ip-api.com (208.95.112.1)
  208.95.112.1
IDS alerts (1):
  ET POLICY External IP Lookup ip-api.com
Score: 11.4 | - | 56 | Submitter: ZeroCERT

ID: 44496
Submitted: 2024-05-24 09:39
File: lionisthekingbuttigertrytobeco...
MD5: 7450c0dcd0bafd974d4d9b976b84089b
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  http://198.12.81.178/43411/lionisthekingofjungleimageshere.bmp
  https://paste.ee/d/W7VfG
Hosts (3):
  paste.ee (172.67.187.200) - malicious
  104.21.84.67 - malware
  198.12.81.178 - malware
IDS alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | M | 34 | Submitter: ZeroCERT

ID: 44497
Submitted: 2024-05-24 09:39
File: HHAMMOFATHEATBBDNN.jpg
MD5: 3c79a6180ae2590450d46359924cb9c1
Tags: ZIP Format VirusTotal Malware
URLs: none
Hosts: none
IDS alerts: none
Score: 0.6 | M | 18 | Submitter: ZeroCERT

ID: 44498
Submitted: 2024-05-24 09:41
File: lionsarekingbitmapimagesarebea...
MD5: 292fc41f2ca899c90c5cf89ae7bb6852
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  http://198.46.178.154/550033/bitmaplionjungleimageforview.bmp
  https://paste.ee/d/j5TgA
Hosts (3):
  paste.ee (104.21.84.67) - malicious
  172.67.187.200 - malicious
  198.46.178.154 - malware
IDS alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | M | 36 | Submitter: ZeroCERT

ID: 44499
Submitted: 2024-05-24 09:44
File: lionisthekingofjunglewhoruleth...
MD5: b03fb70c3be411363c911037b610df82
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (2):
  http://198.46.177.156/xampp/kw/rulethejunglewithnewlionkingimage.bmp
  https://paste.ee/d/NhBmA
Hosts (3):
  paste.ee (104.21.84.67) - malicious
  172.67.187.200 - malicious
  198.46.177.156 - malware
IDS alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | M | 38 | Submitter: ZeroCERT

ID: 44500
Submitted: 2024-05-24 09:44
File: room4.hta
MD5: 409f1bada32d81974fd8606be4cbc943
Tags: Generic Malware Antivirus Malicious Library PowerShell PE File PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key
URLs (16):
  http://20.86.128.223/room/rooma.exe
  http://www.antonio-vivaldi.mobi/fo8o/?I0NK=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&Lw8=oat1oSv
  http://www.magmadokum.com/fo8o/
  http://www.3xfootball.com/fo8o/
  http://www.goldenjade-travel.com/fo8o/?I0NK=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&Lw8=oat1oSv
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
  http://www.rssnewscast.com/fo8o/
  http://www.techchains.info/fo8o/
  http://www.3xfootball.com/fo8o/?I0NK=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&Lw8=oat1oSv
  http://www.magmadokum.com/fo8o/?I0NK=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&Lw8=oat1oSv
  http://www.rssnewscast.com/fo8o/?I0NK=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&Lw8=oat1oSv
  http://www.kasegitai.tokyo/fo8o/
  http://www.goldenjade-travel.com/fo8o/
  http://www.techchains.info/fo8o/?I0NK=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&Lw8=oat1oSv
  http://www.antonio-vivaldi.mobi/fo8o/
  http://www.kasegitai.tokyo/fo8o/?I0NK=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&Lw8=oat1oSv
Hosts (17):
  www.liangyuen528.com (unresolved)
  www.magmadokum.com (85.159.66.93)
  www.techchains.info (66.29.149.46)
  www.kasegitai.tokyo (202.172.28.202)
  www.3xfootball.com (154.215.72.110)
  www.goldenjade-travel.com (116.50.37.244)
  www.antonio-vivaldi.mobi (46.30.213.191)
  www.rssnewscast.com (91.195.240.94)
  202.172.28.202
  85.159.66.93 - malicious
  116.50.37.244
  46.30.213.191 - malicious
  66.29.149.46
  91.195.240.94 - phishing
  45.33.6.223
  20.86.128.223 - malware
  154.215.72.110
IDS alerts (5):
  ET MALWARE FormBook CnC Checkin (GET) M5
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 14.6 | M | 27 | Submitter: ZeroCERT

ID: 44501
Submitted: 2024-05-24 09:51
File: tE6.xls
MD5: 72b684c764f3fa2b4f7ecbc3a572c7a5
Tags: RedLine stealer Generic Malware Malicious Library PE File DLL PE32 .NET DLL VirusTotal Malware PDB
URLs: none
Hosts: none
IDS alerts: none
Score: 1.4 | - | 48 | Submitter: ZeroCERT

ID: 44502
Submitted: 2024-05-24 10:07
File: tE6.xls (resubmission of the same sample as 44501)
MD5: 72b684c764f3fa2b4f7ecbc3a572c7a5
Tags: RedLine stealer Generic Malware Malicious Library PE File DLL PE32 .NET DLL VirusTotal Malware PDB
URLs: none
Hosts: none
IDS alerts: none
Score: 1.4 | M | 48 | Submitter: ZeroCERT

ID: 44503
Submitted: 2024-05-24 10:41
File: loudzx.scr
MD5: ed7336086b1e5267c0d4863325956be2
Tags: Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 ActiveXObject OS Processor Check DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser
URLs: none
Hosts (15):
  www.primeplay88.org (91.195.240.19)
  www.mrart.co.kr (183.111.183.31)
  www.99b6q.xyz (unresolved)
  www.besthomeincome24.com (unresolved)
  www.xn--matfrmn-jxa4m.se (194.9.94.85)
  www.aceautocorp.com (198.12.241.35)
  www.kinkynerdspro.blog (54.38.220.85)
  www.terelprime.com (66.96.161.166)
  91.195.240.19 - malicious
  54.38.220.85 - malicious
  66.96.161.166
  45.33.6.223
  194.9.94.85 - malicious
  183.111.183.31
  198.12.241.35
IDS alerts (1):
  SURICATA HTTP Request abnormal Content-Encoding header
Score: 10.4 | M | 51 | Submitter: ZeroCERT

ID: 44504
Submitted: 2024-05-24 10:44
File: 123.456
MD5: 7b207ce9f9d71dfc2eaa2e959634a54d
Tags: Generic Malware Malicious Library UPX PE64 PE File DLL OS Processor Check VirusTotal Malware PDB Checks debugger
URLs: none
Hosts: none
IDS alerts: none
Score: 1.6 | M | 30 | Submitter: ZeroCERT

ID: 44505
Submitted: 2024-05-24 10:58
File: iscsicli.exe (same MD5 as loudzx.scr, 44503)
MD5: ed7336086b1e5267c0d4863325956be2
Tags: Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 ActiveXObject OS Processor Check DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS
URLs (12 requests; each of the following was requested twice):
  http://www.aceautocorp.com/ufuh/
  http://www.mrart.co.kr/ufuh/
  http://www.kinkynerdspro.blog/ufuh/
  http://www.terelprime.com/ufuh/
  http://www.primeplay88.org/ufuh/
  http://www.xn--matfrmn-jxa4m.se/ufuh/
Hosts (19):
  www.primeplay88.org (91.195.240.19) - malicious
  www.touchclean.top (67.223.117.189)
  www.mrart.co.kr (183.111.183.31) - malicious
  www.99b6q.xyz (unresolved) - malicious
  www.xn--matfrmn-jxa4m.se (194.9.94.85) - malicious
  www.besthomeincome24.com (unresolved) - malicious
  www.ibistradingco.com (93.127.196.51)
  www.terelprime.com (66.96.161.166) - malicious
  www.kinkynerdspro.blog (54.38.220.85) - malicious
  www.aceautocorp.com (198.12.241.35) - malicious
  91.195.240.19 - malicious
  194.9.94.86 - malicious
  67.223.117.189
  66.96.161.166 - malicious
  45.33.6.223
  93.127.196.151
  183.111.183.31 - malicious
  94.23.162.163
  198.12.241.35 - malicious
IDS alerts (3):
  ET DNS Query to a *.top domain - Likely Hostile
  SURICATA HTTP Request abnormal Content-Encoding header
  ET INFO HTTP Request to a *.top domain
Score: 11.4 | M | 51 | Submitter: r0d
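
Added example, not part of the listing or of the sandbox that produced it: a small extractor for the host and URL fields in the records above, which use the notation "hostname(ip) - label" (empty parentheses for a name the sandbox could not resolve, and the labels malware, mailcious (sic) and phishing). It buckets each record's indicators the way a triage analyst would before blocking anything: IPs the feed labelled, hostnames that did not resolve (dead, sinkholed or decoy C2, a FormBook habit visible in 44500 and 44505), executables fetched from a bare IP (what the ET dotted-quad rules in 44500 fired on), and GET requests matching the FormBook check-in shape seen in 44500 and 44505. The sample fields are copied from records 44496 and 44500; BAD_LABELS and looks_like_formbook_checkin are this example's own heuristics, not the feed's or Emerging Threats' logic.

```python
"""IOC extraction for sandbox listing records written as
"hostname(ip) - label ..." and whitespace-separated URL lists."""
import re
from urllib.parse import urlparse

# Constructed sample input: URL and host fields copied from records 44496
# and 44500 above, in the listing's own notation.
SAMPLE_RECORDS = {
    "44496": {
        "urls": "http://198.12.81.178/43411/lionisthekingofjungleimageshere.bmp "
                "https://paste.ee/d/W7VfG",
        "hosts": "paste.ee(172.67.187.200) - mailcious 104.21.84.67 - malware "
                 "198.12.81.178 - malware",
    },
    "44500": {
        "urls": "http://20.86.128.223/room/rooma.exe "
                "http://www.magmadokum.com/fo8o/ "
                "http://www.kasegitai.tokyo/fo8o/?I0NK=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre"
                "+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARL"
                "yMCZMUhSp6GMEGHL0HI=&Lw8=oat1oSv",
        "hosts": "www.liangyuen528.com() www.magmadokum.com(85.159.66.93) "
                 "www.kasegitai.tokyo(202.172.28.202) 202.172.28.202 "
                 "85.159.66.93 - mailcious 45.33.6.223 20.86.128.223 - malware",
    },
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One entry is "name(ip)", "name()" or a bare IPv4, optionally followed by
# " - <label>". Labels seen in the feed: malware, mailcious (sic), phishing.
HOST_RE = re.compile(
    rf"(?:(?P<name>[^\s()]+)\((?P<ip>{IPV4})?\)|(?P<bare>{IPV4}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"
)
# Assumption of this example: which feed labels count as "flagged".
BAD_LABELS = {"malware", "malicious", "phishing"}


def parse_hosts(field):
    """Return [(hostname or None, ip or None, label or None), ...]."""
    entries = []
    for m in HOST_RE.finditer(field):
        label = m.group("label")
        if label == "mailcious":          # normalise the feed's misspelling
            label = "malicious"
        entries.append((m.group("name"), m.group("ip") or m.group("bare"), label))
    return entries


def looks_like_formbook_checkin(url):
    """Heuristic derived from the URLs in records 44500 and 44505 (on which the
    ET 'FormBook CnC Checkin (GET)' rule fired): a single 4-character path
    segment, either bare (/fo8o/, /ufuh/) or with exactly two query parameters
    whose first value is a long base64-like blob. A triage assumption, not a
    vendor signature; benign sites can have 4-character directories too."""
    u = urlparse(url)
    if not re.fullmatch(r"/[a-z0-9]{4}/", u.path):
        return False
    if not u.query:
        return True
    params = [p.split("=", 1) for p in u.query.split("&")]
    return (len(params) == 2 and all(len(p) == 2 for p in params)
            and len(params[0][1]) >= 64)


def extract_iocs(urls_field, hosts_field):
    """Split one record's URL and host fields into triage buckets."""
    hosts = parse_hosts(hosts_field)
    urls = urls_field.split()
    flagged = {ip for _, ip, label in hosts if ip and label in BAD_LABELS}
    return {
        "flagged_ips": sorted(flagged),
        # names the sandbox could not resolve: dead, sinkholed or decoy C2
        "unresolved_hosts": sorted(n for n, ip, _ in hosts if n and not ip),
        # files pulled straight from an IP, as the ET dotted-quad rules flag
        "dotted_quad_urls": [u for u in urls
                             if re.fullmatch(IPV4, urlparse(u).hostname or "")],
        "formbook_checkins": [u for u in urls if looks_like_formbook_checkin(u)],
    }


if __name__ == "__main__":
    for rid, rec in SAMPLE_RECORDS.items():
        print(rid, extract_iocs(rec["urls"], rec["hosts"]))
```

Two caveats the records themselves illustrate. First, a feed label is a hint, not a verdict: in record 44493 the IPs marked malware resolve, in the same record, to Google hostnames such as clients2.googleusercontent.com, contacted while the sample fetched a real Chrome installer from edgedl.me.gvt1.com. Second, 45.33.6.223 appears unlabelled in four unrelated records on this page (44493, 44500, 44503, 44505); an address that recurs across unrelated samples is more likely analysis-environment noise than attacker infrastructure, so check it before it goes on a blocklist.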