45286 | 2024-06-14 07:41 | setup%E4%B8%8B%E8%BD%BD%E5%90%... 13f784b718e0d45057b628f504a11235 | UPX PE64 PE File DNS | 1 http://8.138.18.215/123.conf | 1 | | | 2.4 | | | ZeroCERT
45287 | 2024-06-14 07:43 | setup%E4%B8%8B%E8%BD%BD%E5%90%... fecba5d90715f5235477b67cc514855b | Generic Malware Malicious Library PE64 PE File DNS | 1 http://8.134.184.154/123.conf | 1 | | | 2.0 | | | ZeroCERT
45288 | 2024-06-14 07:44 | realtekaft.exe 20878a60ab358f3ce3f3f15245ff85ee | Hide_EXE Malicious Library .NET framework(MSIL) Socket Http API HTTP DNS Internet API Anti_VM AntiDebug AntiVM .NET EXE PE32 PE File Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed | | | | | 8.2 | M | | ZeroCERT
45289 | 2024-06-14 07:45 | luma22222.exe f4d57589a7db46677d1ced8f8123feda | PE32 PE File | | | | | 0.4 | M | | ZeroCERT
45290 | 2024-06-14 07:46 | motruhjgmawes.exe 57a6a83482ce2897e8cdec17accbd662 | Generic Malware Downloader Malicious Library UPX VMProtect Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE64 PE File OS Processo PDB Code Injection Creates executable files RWX flags setting unpack itself AppData folder Remote Code Execution | | | | | 4.4 | M | | ZeroCERT
45291 | 2024-06-14 07:47 | qgtplfgy2.exe 3d033b03106e5b46abde0df781c164d5 | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Device_File_Check PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed | | 2 cp8nl.hyperhost.ua(185.174.175.187) 185.174.175.187 | 2 SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 7.4 | M | | ZeroCERT
45292 | 2024-06-14 07:49 | setup%E4%B8%8B%E8%BD%BD%E5%90%... 4dc6a0aa29fc47b343521af82014af0f | Malicious Library PE64 PE File DNS crashed | 1 http://8.134.15.84/123.conf | 1 | | | 2.2 | M | | ZeroCERT
45293 | 2024-06-14 07:51 | lummac2.exe 6e3d83935c7a0810f75dfa9badc3f199 | PE32 PE File | | | | | 0.4 | M | | ZeroCERT
45294 | 2024-06-14 09:17 | setup%E7%9B%AE%E5%BD%95%E8%A1%... 7fbc6a95fc41c5bb0fecdd659d641ae9 | Malicious Library PE64 PE File VirusTotal Malware DNS | 1 | 1 | | | 2.4 | | 6 | ZeroCERT
45295 | 2024-06-14 09:20 | setup%E7%9B%AE%E5%BD%95%E8%A1%... b8cc81e57efd30cab09d0256f79f7098 | Malicious Library PE64 PE File VirusTotal Malware DNS | 1 | 1 | | | 2.6 | | 16 | ZeroCERT
45296 | 2024-06-14 09:20 | bin2.doc 118072abaca518e6ece93908a9fee1f4 | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash suspicious TLD Tofsee Exploit DNS crashed | 17
http://www.carolinappttery.com/q380/ http://www.ybw73.top/zfmd/?gSDpSqhg=Wy9Xy0arXTA/u2vvBYrKIOUBpzUpOEWJyNtxnnOaFAzOmZ+G/QUaP7IPedalQRfZTnOTlfhQhpBKLAk/X9K39OImH5VRArdmcUQpro/j/mKcwsNXkqPqNRMPQWcketlQaFqDwMQ=&zd=lHTo3CucwT http://www.aritum.top/f2qc/?gSDpSqhg=+PlbwI8tNruUpga2nartzvIoOczIwOvbU1ANxXfMuvMQEzSRrWQM3cmspk1IFvcCMV40t1yig50Ax37YShWjrdIjOvIEgJJROzqkte3OBXYcjah0B7lnBY2SKVXOZr2cpq5/qwU=&zd=lHTo3CucwT http://www.aritum.top/f2qc/ http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip http://www.ybw73.top/zfmd/ http://www.carolinappttery.com/q380/?gSDpSqhg=ehUrFCKl0QR4T29AJZh5dRT/ZDPm9qTvUW59H2BhLEsiO0kIW28uNcfa56DEKhzH0iD+lYFdD8RRxblUIft60LyxhWLZTQGF9CEZTcwXHMEEzcDS8bPwZbiqnYj5NbIEEA54k2w=&zd=lHTo3CucwT http://www.sjzsls.com/9ypd/ http://www.winnscce.com/xk70/?gSDpSqhg=E9dNAQXSau8gxD7ycO4dLfQfH5YRjq6/aXbIhWqdNKhuK+zum8oLAEgkUh6j+ec/Dsz5NNoJPY83q7uKVhR+kQSzALNmdhL2cm95N3pKuY1dSsInVS8QGD1t6OErSJExWBCOe4E=&zd=lHTo3CucwT http://www.w90dm.top/8ms4/ http://www.ay62m.top/orwn/ http://www.sjzsls.com/9ypd/?gSDpSqhg=Fp4YMLPzXpbUfY9ET0WH3a72p3fXf7YhU2uVF/1Su8SRdO97GHvogqvz+96x72oMEQq3eHyW0zw8RVfXjuFBE/DSpz5ZNszOE2hxgYcLkAt/YsxuqXlLrzOhs3BZhOu+6KXTzoA=&zd=lHTo3CucwT http://www.ay62m.top/orwn/?gSDpSqhg=3cBNLJTm2SpTWV5+FkCnTYkROdg55TQjKQDEk1HDa97easJD35wZE2GMsxRselnzvm7j4PFdEanRmF1YrarFthUoWpYtpzXpGMx8vyWuQ49fEDOcUJzL6xCqo7J2o8DZINEYFF8=&zd=lHTo3CucwT http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip http://www.w90dm.top/8ms4/?gSDpSqhg=udGRhKSFzWywOShfg4LrArlkOSU57jdgfHHoAEODJUB2/fB/f7uvWahs0ChcgR3p3uHY1bC8mP+rUPbsneCLatPp1qyYsRzD0wOOKHTt4GdecEtntAcROmt09OnVjaXmhkctiwE=&zd=lHTo3CucwT http://www.winnscce.com/xk70/ https://dukeenergyltd.top/bin2.scr
| 16
www.aritum.top(203.161.55.102) dukeenergyltd.top(172.67.134.136) - malware www.sjzsls.com(154.212.44.122) - mailcious www.carolinappttery.com(123.58.214.101) www.winnscce.com(123.58.214.101) www.ay62m.top(38.47.207.132) www.ybw73.top(38.47.232.233) www.w90dm.top(38.47.232.178) 38.47.232.178 203.161.55.102 38.47.232.233 154.212.44.122 - mailcious 38.47.207.132 45.33.6.223 172.67.134.136 - malware 123.58.214.101
| 3 ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO HTTP Request to a *.top domain | | 4.4 | M | 33 | ZeroCERT
45297 | 2024-06-14 09:22 | bin1.doc ab6398c625d0ae23c0582ad07d044581 | MS_RTF_Obfuscation_Objects RTF File doc Cobalt Strike Cobalt VirusTotal Malware c&c RWX flags setting exploit crash Tofsee Exploit DNS crashed | | 19
dukeenergyltd.top(104.21.25.202) - malware www.ekvassf.store() www.baldjourney.com(35.212.60.56) www.themirrorproject.org() www.planningexcellence.org(104.21.68.117) www.heolty.xyz(162.0.238.43) www.5597043.com(172.66.47.183) www.mildhicky.com(149.88.71.203) www.usebanq.com(198.54.117.242) www.vt0lcffi5.sbs(47.239.13.172) 47.239.13.172 35.212.60.56 172.66.44.73 198.54.117.242 - mailcious 45.33.6.223 172.67.134.136 - malware 149.88.71.203 162.0.238.43 104.21.68.117
| 4 ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP Request abnormal Content-Encoding header ET Threatview.io High Confidence Cobalt Strike C2 IP group 3 | | 3.2 | M | 32 | ZeroCERT
45298 | 2024-06-14 09:24 | sharo.scr 3935f15dafdd5edfca70895940dce681 | Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM .NET EXE PE32 PE File DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself AppData folder malicious URLs Browser | | 15
www.primeplay88.org(91.195.240.19) - mailcious www.mrart.co.kr(183.111.183.31) - mailcious www.99b6q.xyz() - mailcious www.besthomeincome24.com() - mailcious www.xn--matfrmn-jxa4m.se(194.9.94.85) - mailcious www.terelprime.com(66.96.161.166) - mailcious www.kinkynerdspro.blog(94.23.162.163) - mailcious www.aceautocorp.com(198.12.241.35) - mailcious 91.195.240.19 - mailcious 66.96.161.166 - mailcious 54.38.220.85 - mailcious 194.9.94.86 - mailcious 45.33.6.223 183.111.183.31 - mailcious 198.12.241.35 - mailcious
| 1 SURICATA HTTP Request abnormal Content-Encoding header | 12
http://www.kinkynerdspro.blog/ufuh/ http://www.kinkynerdspro.blog/ufuh/ http://www.aceautocorp.com/ufuh/ http://www.xn--matfrmn-jxa4m.se/ufuh/ http://www.terelprime.com/ufuh/ http://www.terelprime.com/ufuh/ http://www.aceautocorp.com/ufuh/ http://www.xn--matfrmn-jxa4m.se/ufuh/ http://www.mrart.co.kr/ufuh/ http://www.primeplay88.org/ufuh/ http://www.primeplay88.org/ufuh/ http://www.mrart.co.kr/ufuh/
| 12.6 | M | 42 | ZeroCERT
45299 | 2024-06-14 09:24 | sharo.doc 8b049d5e850fc75c1cef5edb8fc68feb | Formbook MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed | | 21
www.primeplay88.org(91.195.240.19) - mailcious covid19help.top(172.67.175.222) - mailcious www.kinkynerdspro.blog(94.23.162.163) - mailcious www.touchclean.top(67.223.117.189) www.99b6q.xyz() - mailcious www.mrart.co.kr(183.111.183.31) - mailcious www.besthomeincome24.com() - mailcious www.ibistradingco.com(191.101.228.74) www.terelprime.com(66.96.161.166) - mailcious www.xn--matfrmn-jxa4m.se(194.9.94.86) - mailcious www.aceautocorp.com(198.12.241.35) - mailcious 91.195.240.19 - mailcious 67.223.117.189 54.38.220.85 - mailcious 93.127.196.69 66.96.161.166 - mailcious 172.67.175.222 - mailcious 45.33.6.223 194.9.94.85 - mailcious 183.111.183.31 - mailcious 198.12.241.35 - mailcious
| 7 ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1 ET INFO HTTP Request to a *.top domain ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP Request abnormal Content-Encoding header ET HUNTING Possible COVID-19 Domain in SSL Certificate M2 | 12
http://www.kinkynerdspro.blog/ufuh/ http://www.terelprime.com/ufuh/ http://www.aceautocorp.com/ufuh/ http://www.aceautocorp.com/ufuh/ http://www.xn--matfrmn-jxa4m.se/ufuh/ http://www.mrart.co.kr/ufuh/ http://www.primeplay88.org/ufuh/ http://www.terelprime.com/ufuh/ http://www.xn--matfrmn-jxa4m.se/ufuh/ http://www.primeplay88.org/ufuh/ http://www.mrart.co.kr/ufuh/ http://www.kinkynerdspro.blog/ufuh/
| 3.6 | M | 33 | ZeroCERT
45300 | 2024-06-14 09:25 | OfferedBuilt.exe 00614852dbe5c98d84c4501702d04e93 | NSIS Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows ComputerName | | | | | 6.4 | M | | ZeroCERT