45196 | 2024-06-08 17:42
9a3efc.exe 8fdefd3d070cf9c9517735b029759eff Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
2.2 | M | 24 | ZeroCERT
45197 | 2024-06-08 17:44
dude.exe aaf735aafa732fc96d2091354795185a Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check icon MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
6
ssl.gstatic.com(142.250.206.195) accounts.google.com(64.233.188.84) www.google.com(142.250.206.228) 173.194.174.84 142.251.222.195 172.217.24.228
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | M | 45 | ZeroCERT
45198 | 2024-06-08 17:44
lsass.exe 6293f7a0a604be58b31b34460fd5a71b PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
2
theloftibiza.com(193.141.3.75) 193.141.3.75
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | M | 43 | ZeroCERT
45199 | 2024-06-08 17:47
HER.exe 004d48284a26569ed3220fd1fd4b7c31 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
api.ipify.org(172.67.74.152) 172.67.74.152
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 50 | ZeroCERT
45200 | 2024-06-09 04:21
ghsalncr.exe 6ec12dab45f4cd794945a73eabdcd9d3 PE File PE32 VirusTotal Malware |
1.4 | | 21 | guest
45201 | 2024-06-09 05:49
5010_1635873664_4193.exe 60938dc1c7bc8a2bbab6b7dac4ac06b4 PE File PE32 VirusTotal Malware Check memory Checks debugger ICMP traffic unpack itself Windows DNS Cryptographic key |
5.0 | M | 59 | guest
45202 | 2024-06-09 09:15
UNP%20Setup.exe a2f39491c9d6e8be4a1bf05ac024fdb4 Generic Malware Malicious Library Malicious Packer Antivirus UPX PE File PE32 CAB OS Processor Check VirusTotal Malware Check memory unpack itself Remote Code Execution |
1.6 | M | 3 | ZeroCERT
45203 | 2024-06-09 09:20
sila.exe 3e9ba4168fb1c8e4a8a3a69c4968abb3 Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
6
ipinfo.io(34.117.186.192) db-ip.com(172.67.75.166) 45.33.6.223 172.67.75.166 147.45.47.126 - mailcious 34.117.186.192
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE RisePro TCP Heartbeat Packet SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound)
13.8 | M | 46 | ZeroCERT
45204 | 2024-06-09 09:21
wow123.hta 21164aaeeaaa2a4a6e77798aa82d5c7c Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
6
ET MALWARE FormBook CnC Checkin (GET) M5 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
13.4 | M | 27 | ZeroCERT
45205 | 2024-06-09 09:21
DELIVERED%200606.exe 2eebcdd0e833ba968a9cac360aed72de Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS |
5
ET MALWARE FormBook CnC Checkin (GET) M5 ET DNS Query to a *.top domain - Likely Hostile ET INFO Observed DNS Query to .zip TLD ET INFO HTTP Request to a *.zip Domain ET INFO HTTP Request to a *.top domain
7.8 | M | 38 | ZeroCERT
45206 | 2024-06-09 09:22
Delivery%2007.exe b94b6c27e410388cd4e7dfeb352b75ce Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume Cry FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
3
ET MALWARE FormBook CnC Checkin (GET) M5 ET INFO HTTP Request to a *.zip Domain ET INFO Observed DNS Query to .zip TLD
7.6 | M | 40 | ZeroCERT
45207 | 2024-06-09 09:23
proposal%20report.exe 092cd26903ed79eb7da016adbb7c928d Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malic FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
3
ET MALWARE FormBook CnC Checkin (GET) M5 ET INFO HTTP Request to a *.zip Domain ET INFO Observed DNS Query to .zip TLD
7.0 | M | 41 | ZeroCERT
45208 | 2024-06-09 09:23
Delivery%2006.exe 132e9cb76def326daa4088f99587b759 Formbook Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malicious Pack FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself AppData folder Browser DNS |
3
ET MALWARE FormBook CnC Checkin (GET) M5 ET INFO Observed DNS Query to .zip TLD ET INFO HTTP Request to a *.zip Domain
7.8 | M | 41 | ZeroCERT
45209 | 2024-06-09 09:32
RunasCs.exe ed04f33a60faa912c5406158e2d0a800 Generic Malware Antivirus .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 | | 45 | ZeroCERT
45210 | 2024-06-09 09:32
main.exe 39b9b77f950a56b61419c2550c0ee2cf Malicious Library UPX PE File PE32 DLL .NET DLL VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
1
http://120.48.123.240:88/shellcode/main.cs
2
ET HUNTING Base64 Encoded Executable over Raw TCP ET HUNTING EXE Base64 Encoded potential malware
5.4 | M | 45 | ZeroCERT