46321 | 2024-07-26 12:07
File: winiti.exe
MD5: 076d40b4c480dbd3a0e84260aab18cff
Tags: Generic Malware, Malicious Library, .NET framework(MSIL), UPX, AntiDebug, AntiVM, PE File, .NET EXE, PE32, DLL, FormBook, Browser Info Stealer, Malware download, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, AppData folder, suspicious TLD, Browser, DNS
URLs (13):
  http://www.askvanta.com/hhti/
  http://www.gotvoom.pro/yagd/
  http://www.askvanta.com/hhti/?Dc08XbzK=fjRDIvTmNEJNTuTcr8del2WQp76nRU4WKVyXC6Y4v5xhqnRixQ6zeb282ydBwPMN2XVyKj7Iv4bMnoolEkDYP7t2qkRY0AApd+m94wn/hzh5njk5AnE5TcuZf+A5lnJQAByr72U=&0zGHU=_wG0Y4Ypi
  http://www.c7v88.top/v6ba/?Dc08XbzK=nJtV0xxVonYleLmyEDIGF1GRtIwzCkYblW7ymF81wwUwIwWLid3Lr9yJw2X9YaLdXd5m2mo1Ok9Zsjhn2cbjbjbKzyMWkQ/uC8atz3xgP0khh14CmXxCw976WGM8OA3qn6b9QMQ=&0zGHU=_wG0Y4Ypi
  http://www.eworld.org/18e1/
  http://www.gotvoom.pro/yagd/?Dc08XbzK=uEwhQtN8d9WFSPX3vcuayxdpQqb8c/D/UpaKbFjD70Hg2gjUyZfmxqkinXZDMhG9GrAjDWM/1uaY6+kvF7tL6dHrL5YWOt4Y3qm+cyYTZ0PahKZdxCx3NJ3PVHCt9uZUePj8NnU=&0zGHU=_wG0Y4Ypi
  http://www.eworld.org/18e1/?Dc08XbzK=Pm7pKTMIYdCMccpB3xsAXFwsVOfU5MHbomtkvn/TIB3o6VHyHDbhzBEtFW9t5aJY+pX07Evew+XtfHVHXf6tslmSqwg1OujBiiUxK9iHVQ3RBf96wgYN9V5GQcLy17oB+M1M8tY=&0zGHU=_wG0Y4Ypi
  http://www.microsofr.fun/omnp/?Dc08XbzK=GQSd+8pi26b7zJhOJIQXVD/h3K/inFV8tNrqSt2nhXuDaWJRns1If/+gRxLu2YDerAFibGs6WR2Qt7jgVufvyJTnycUzu8Yso7GmTERVlWVgi3ROCwKMdFc5FOB0p/g90EsMQlA=&0zGHU=_wG0Y4Ypi
  http://www.juliakoppel.org/9wjj/
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
  http://www.juliakoppel.org/9wjj/?Dc08XbzK=3pAkfJORuRgA59m5D3Ccm/a2baSHIB7ZSYQ2sF+aO2KWoeTfZIMk0oynOCre8P7un/vWh9+jgjqgzzA3WVgVD2gacPCD8hv2BH56l/1+ZEKULaKcv9mw30410B/1ELsaBxrqqsU=&0zGHU=_wG0Y4Ypi
  http://www.c7v88.top/v6ba/
  http://www.microsofr.fun/omnp/
Hosts (11):
  www.c7v88.top (3.33.130.190)
  www.eworld.org (76.223.54.146)
  www.microsofr.fun (76.223.67.189)
  www.gotvoom.pro (15.197.148.33)
  www.juliakoppel.org (109.172.114.38)
  www.askvanta.com (15.197.148.33)
  15.197.148.33 - malicious
  13.248.213.45 - malicious
  109.172.114.38
  13.248.169.48 - malicious
  45.33.6.223
IDS alerts (3):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET) M5
Score: 11.8 | Flag: M | VirusTotal: 29 | ZeroCERT
46322 | 2024-07-26 12:08
File: simplethingstobefranksheisvery...
MD5: 13d8c6fac85c9bc52cdd1b3f03acdf2c
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, FormBook, Malware download, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, Windows Exploit, DNS, crashed
URLs (15):
  http://104.219.239.104/54/winiti.exe
  http://www.askvanta.com/hhti/
  http://www.askvanta.com/hhti/?siFuhe3N=fjRDIvTmNEJNTuTcr8del2WQp76nRU4WKVyXC6Y4v5xhqnRixQ6zeb282ydBwPMN2XVyKj7Iv4bMnoolEkDYP7t2qkRY0AApd+m94wn/hzh5njk5AnE5TcuZf+A5lnJQAByr72U=&Qt3=HJYf
  http://www.juliakoppel.org/9wjj/?siFuhe3N=3pAkfJORuRgA59m5D3Ccm/a2baSHIB7ZSYQ2sF+aO2KWoeTfZIMk0oynOCre8P7un/vWh9+jgjqgzzA3WVgVD2gacPCD8hv2BH56l/1+ZEKULaKcv9mw30410B/1ELsaBxrqqsU=&Qt3=HJYf
  http://www.eworld.org/18e1/
  http://www.eworld.org/18e1/?siFuhe3N=Pm7pKTMIYdCMccpB3xsAXFwsVOfU5MHbomtkvn/TIB3o6VHyHDbhzBEtFW9t5aJY+pX07Evew+XtfHVHXf6tslmSqwg1OujBiiUxK9iHVQ3RBf96wgYN9V5GQcLy17oB+M1M8tY=&Qt3=HJYf
  http://www.ninunveiled.shop/y2xs/
  http://www.c7v88.top/v6ba/?siFuhe3N=nJtV0xxVonYleLmyEDIGF1GRtIwzCkYblW7ymF81wwUwIwWLid3Lr9yJw2X9YaLdXd5m2mo1Ok9Zsjhn2cbjbjbKzyMWkQ/uC8atz3xgP0khh14CmXxCw976WGM8OA3qn6b9QMQ=&Qt3=HJYf
  http://www.microsofr.fun/omnp/?siFuhe3N=GQSd+8pi26b7zJhOJIQXVD/h3K/inFV8tNrqSt2nhXuDaWJRns1If/+gRxLu2YDerAFibGs6WR2Qt7jgVufvyJTnycUzu8Yso7GmTERVlWVgi3ROCwKMdFc5FOB0p/g90EsMQlA=&Qt3=HJYf
  http://www.juliakoppel.org/9wjj/
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
  http://www.gotvoom.pro/yagd/?siFuhe3N=uEwhQtN8d9WFSPX3vcuayxdpQqb8c/D/UpaKbFjD70Hg2gjUyZfmxqkinXZDMhG9GrAjDWM/1uaY6+kvF7tL6dHrL5YWOt4Y3qm+cyYTZ0PahKZdxCx3NJ3PVHCt9uZUePj8NnU=&Qt3=HJYf
  http://www.gotvoom.pro/yagd/
  http://www.c7v88.top/v6ba/
  http://www.microsofr.fun/omnp/
Hosts (14):
  www.c7v88.top (15.197.148.33)
  www.eworld.org (13.248.169.48)
  www.ninunveiled.shop (172.67.170.124)
  www.microsofr.fun (13.248.213.45)
  www.gotvoom.pro (15.197.148.33)
  www.juliakoppel.org (109.172.114.38)
  www.askvanta.com (3.33.130.190)
  13.248.213.45 - malicious
  76.223.54.146
  109.172.114.38
  104.219.239.104 - malicious
  172.67.170.124
  3.33.130.190 - phishing
  45.33.6.223
IDS alerts (8):
  ET MALWARE FormBook CnC Checkin (GET) M5
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.0 | Flag: M | VirusTotal: 35 | ZeroCERT
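Entries 46321 and 46322 both reach the same six check-in paths, and for each C2 host the long query value is identical across the two runs while the parameter names change (Dc08XbzK/0zGHU in the first run, siFuhe3N/Qt3 in the second). The Python below is an added example, not part of the ZeroCERT listing: it parses the URLs copied from those two entries and clusters them by that payload, so an analyst can see at a glance which hosts and parameter names carried each blob. The structural filter it applies (a four-character directory, exactly two query parameters, one long base64-alphabet value plus one short token) is an assumption made here for illustration, not a rule taken from the page; the sqlite.org download and the dotted-quad dropper URL from the listing are included to show that they fall outside it.

```python
"""Cluster FormBook-style C2 check-ins from two sandbox runs by query payload.

Added example; the URLs are copied from ZeroCERT entries 46321 and 46322.
The structural filter (PATH_RE, B64_RE, token length) is an assumption made
for illustration, not a detection rule from the listing.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URLs copied from entry 46321 (query-bearing check-ins plus two that must be filtered out).
RUN_46321 = [
    "http://www.askvanta.com/hhti/",
    "http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip",
    "http://www.askvanta.com/hhti/?Dc08XbzK=fjRDIvTmNEJNTuTcr8del2WQp76nRU4WKVyXC6Y4v5xhqnRixQ6zeb282ydBwPMN2XVyKj7Iv4bMnoolEkDYP7t2qkRY0AApd+m94wn/hzh5njk5AnE5TcuZf+A5lnJQAByr72U=&0zGHU=_wG0Y4Ypi",
    "http://www.c7v88.top/v6ba/?Dc08XbzK=nJtV0xxVonYleLmyEDIGF1GRtIwzCkYblW7ymF81wwUwIwWLid3Lr9yJw2X9YaLdXd5m2mo1Ok9Zsjhn2cbjbjbKzyMWkQ/uC8atz3xgP0khh14CmXxCw976WGM8OA3qn6b9QMQ=&0zGHU=_wG0Y4Ypi",
    "http://www.gotvoom.pro/yagd/?Dc08XbzK=uEwhQtN8d9WFSPX3vcuayxdpQqb8c/D/UpaKbFjD70Hg2gjUyZfmxqkinXZDMhG9GrAjDWM/1uaY6+kvF7tL6dHrL5YWOt4Y3qm+cyYTZ0PahKZdxCx3NJ3PVHCt9uZUePj8NnU=&0zGHU=_wG0Y4Ypi",
    "http://www.eworld.org/18e1/?Dc08XbzK=Pm7pKTMIYdCMccpB3xsAXFwsVOfU5MHbomtkvn/TIB3o6VHyHDbhzBEtFW9t5aJY+pX07Evew+XtfHVHXf6tslmSqwg1OujBiiUxK9iHVQ3RBf96wgYN9V5GQcLy17oB+M1M8tY=&0zGHU=_wG0Y4Ypi",
    "http://www.microsofr.fun/omnp/?Dc08XbzK=GQSd+8pi26b7zJhOJIQXVD/h3K/inFV8tNrqSt2nhXuDaWJRns1If/+gRxLu2YDerAFibGs6WR2Qt7jgVufvyJTnycUzu8Yso7GmTERVlWVgi3ROCwKMdFc5FOB0p/g90EsMQlA=&0zGHU=_wG0Y4Ypi",
    "http://www.juliakoppel.org/9wjj/?Dc08XbzK=3pAkfJORuRgA59m5D3Ccm/a2baSHIB7ZSYQ2sF+aO2KWoeTfZIMk0oynOCre8P7un/vWh9+jgjqgzzA3WVgVD2gacPCD8hv2BH56l/1+ZEKULaKcv9mw30410B/1ELsaBxrqqsU=&0zGHU=_wG0Y4Ypi",
]
# URLs copied from entry 46322 (same C2 hosts, different parameter names).
RUN_46322 = [
    "http://104.219.239.104/54/winiti.exe",
    "http://www.ninunveiled.shop/y2xs/",
    "http://www.askvanta.com/hhti/?siFuhe3N=fjRDIvTmNEJNTuTcr8del2WQp76nRU4WKVyXC6Y4v5xhqnRixQ6zeb282ydBwPMN2XVyKj7Iv4bMnoolEkDYP7t2qkRY0AApd+m94wn/hzh5njk5AnE5TcuZf+A5lnJQAByr72U=&Qt3=HJYf",
    "http://www.juliakoppel.org/9wjj/?siFuhe3N=3pAkfJORuRgA59m5D3Ccm/a2baSHIB7ZSYQ2sF+aO2KWoeTfZIMk0oynOCre8P7un/vWh9+jgjqgzzA3WVgVD2gacPCD8hv2BH56l/1+ZEKULaKcv9mw30410B/1ELsaBxrqqsU=&Qt3=HJYf",
    "http://www.eworld.org/18e1/?siFuhe3N=Pm7pKTMIYdCMccpB3xsAXFwsVOfU5MHbomtkvn/TIB3o6VHyHDbhzBEtFW9t5aJY+pX07Evew+XtfHVHXf6tslmSqwg1OujBiiUxK9iHVQ3RBf96wgYN9V5GQcLy17oB+M1M8tY=&Qt3=HJYf",
    "http://www.c7v88.top/v6ba/?siFuhe3N=nJtV0xxVonYleLmyEDIGF1GRtIwzCkYblW7ymF81wwUwIwWLid3Lr9yJw2X9YaLdXd5m2mo1Ok9Zsjhn2cbjbjbKzyMWkQ/uC8atz3xgP0khh14CmXxCw976WGM8OA3qn6b9QMQ=&Qt3=HJYf",
    "http://www.microsofr.fun/omnp/?siFuhe3N=GQSd+8pi26b7zJhOJIQXVD/h3K/inFV8tNrqSt2nhXuDaWJRns1If/+gRxLu2YDerAFibGs6WR2Qt7jgVufvyJTnycUzu8Yso7GmTERVlWVgi3ROCwKMdFc5FOB0p/g90EsMQlA=&Qt3=HJYf",
    "http://www.gotvoom.pro/yagd/?siFuhe3N=uEwhQtN8d9WFSPX3vcuayxdpQqb8c/D/UpaKbFjD70Hg2gjUyZfmxqkinXZDMhG9GrAjDWM/1uaY6+kvF7tL6dHrL5YWOt4Y3qm+cyYTZ0PahKZdxCx3NJ3PVHCt9uZUePj8NnU=&Qt3=HJYf",
]

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")             # assumed: four-character directory
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # assumed: one long base64-alphabet blob


def split_query(query):
    """Split k=v&k=v by hand. urllib.parse.parse_qsl() would turn the '+'
    inside the blob into a space and percent-decode it, so two copies of the
    same payload could stop comparing equal."""
    pairs = []
    for part in query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key, value))
    return pairs


def parse_checkin(url):
    """Return the fields of a FormBook-style GET check-in, or None if the URL
    does not fit the assumed structure."""
    u = urlsplit(url)
    if not u.query or not PATH_RE.match(u.path):
        return None
    pairs = split_query(u.query)
    if len(pairs) != 2:
        return None
    (pkey, payload), (tkey, token) = sorted(pairs, key=lambda kv: -len(kv[1]))
    if not B64_RE.match(payload) or len(token) > 16:
        return None
    return {"host": u.hostname, "path": u.path, "payload": payload,
            "payload_param": pkey, "token_param": tkey, "token": token}


def cluster_by_payload(runs):
    """runs: {run_id: [url, ...]} -> {payload: [(run_id, host, payload_param, token_param), ...]}."""
    clusters = defaultdict(list)
    for run_id, urls in runs.items():
        for url in urls:
            rec = parse_checkin(url)
            if rec is not None:
                clusters[rec["payload"]].append(
                    (run_id, rec["host"], rec["payload_param"], rec["token_param"]))
    return dict(clusters)


def defang(host):
    """Make a host name safe to paste into a report."""
    return host.replace(".", "[.]")


def report(runs):
    """One line per distinct payload: the runs, hosts and parameter names that carried it."""
    lines = []
    for payload, hits in sorted(cluster_by_payload(runs).items(), key=lambda kv: kv[1][0][1]):
        runs_seen = sorted({h[0] for h in hits})
        hosts = sorted({defang(h[1]) for h in hits})
        params = sorted({f"{h[2]}/{h[3]}" for h in hits})
        lines.append(f"{payload[:16]}... runs={runs_seen} hosts={hosts} params={params}")
    return lines


if __name__ == "__main__":
    for line in report({"46321": RUN_46321, "46322": RUN_46322}):
        print(line)
```

On this data every payload clusters to exactly one host and appears in both runs, which is why grouping on the query value rather than on the parameter name is the useful pivot: a signature keyed on `Dc08XbzK` would have missed the second sample outright. The hand-rolled query split matters for the same reason; the standard `parse_qsl` rewrites `+` as a space and would silently break the comparison.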
46323 | 2024-07-26 12:09
File: peinf.exe
MD5: eed7347593de2141727d3960041d8c8e
Tags: UPX, PE File, PE32, VirusTotal, Malware, DNS
Hosts: 1 (not listed)
Score: 1.8 | Flag: M | VirusTotal: 54 | ZeroCERT
46324 | 2024-07-26 18:28
File: 멀티캠퍼스 강연의뢰서_ 김병로 교수님 .docx.lnk... (Korean lure name: "Multicampus lecture request form_ Professor Kim Byeong-ro .docx.lnk...")
MD5: 16074a3f76b7860a180e0ec54dd19ed6
Tags: Generic Malware, Antivirus, AntiDebug, AntiVM, Lnk Format, GIF Format, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
Score: 6.6 | Flag: - | VirusTotal: 32 | ZeroCERT
46325 | 2024-07-26 18:31
File: ????impactfulbrands.co.uk_____...
MD5: eb39f61659de025b97dc88f3c6eea279
Tags: Generic Malware, Downloader, Antivirus, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, PowerShell, ftp, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key
URLs (3):
  https://www.mediafire.com/file/uq6estxvdnk3zze/ofeduqin1.rar/file
  https://www.mediafire.com/file/hzktcfc598wc4c7/bipucowova2.rar/file
  https://maper.info/1wHV45
Hosts (8):
  download2280.mediafire.com (199.91.155.21)
  www.mediafire.com (104.16.114.74) - malicious
  maper.info (104.21.82.89) - malicious
  download2275.mediafire.com (199.91.155.16) - malicious
  199.91.155.16 - malicious
  199.91.155.21
  104.21.82.89
  104.16.113.74 - malicious
IDS alerts (4):
  ET POLICY IP Logger Redirect Domain in SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
  ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
Score: 7.6 | Flag: - | VirusTotal: - | ZeroCERT
46326 | 2024-07-26 18:39
File: somethinggreatwithmeentiretime...
MD5: 02e73ef6a6bde5caa7628ee916111f60
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, IP Check, Tofsee, Windows Exploit, DNS, crashed
URLs (2):
  https://api.ipify.org/
  http://198.46.174.139/71/winiti.exe
Hosts (5):
  smtp.jlahuachem.com (208.91.199.224)
  api.ipify.org (172.67.74.152)
  104.26.13.205
  208.91.199.224 - malicious
  198.46.174.139 - malware
IDS alerts (10):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  SURICATA Applayer Detect protocol only one direction
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  SURICATA SMTP invalid reply
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.6 | Flag: M | VirusTotal: 38 | ZeroCERT
46327 | 2024-07-26 18:39
File: c.cmd
MD5: 948fdedc86c635c28b83bcd72f3557bd
Tags: Generic Malware, Downloader, Antivirus, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, PowerShell, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
Score: 4.0 | Flag: M | VirusTotal: - | ZeroCERT
46328 | 2024-07-26 18:41
File: jiopdssa.lnk
MD5: 370e93fbd938d0a6a8bae14c7b6a32d6
Tags: Generic Malware, Antivirus, Lnk Format, GIF Format, Creates shortcut, unpack itself, WriteConsoleW
URLs (1):
  http://ceeaapaint.xyz:5100/new.bat
Score: 1.0 | Flag: - | VirusTotal: - | ZeroCERT
46329 | 2024-07-26 18:41
File: test2.jpg.exe
MD5: ed6763398d7969ed28874c431402ee31
Tags: UPX, PE File, .NET EXE, PE32, VirusTotal, Malware, MachineGuid, Check memory, Checks debugger, unpack itself
Score: 2.0 | Flag: M | VirusTotal: 39 | ZeroCERT
46330 | 2024-07-26 18:42
File: csrss.exe
MD5: 4fb3e6e7b8f9c12cd2d5e161f7b94760
Tags: Client SW User Data Stealer, Backdoor, RemcosRAT, browser info stealer, Google Chrome User Data, Downloader, Malicious Library, Malicious Packer, Antivirus, UPX, Create Service, Socket, ScreenShot, Escalate privileges, PWS, Sniff Audio, DNS, Internet API, KeyLogger, AntiDe, Remcos, VirusTotal, Malware, PDB, Code Injection, Malicious Traffic, Check memory, buffers extracted, Remote Code Execution
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net (178.237.33.50)
  unifrieghtmovers.com (23.95.60.82)
  178.237.33.50
  23.95.60.82
IDS alerts (1):
  ET JA3 Hash - Remcos 3.x/4.x TLS Connection
Score: 6.2 | Flag: M | VirusTotal: 19 | ZeroCERT
46331 | 2024-07-26 18:43
File: E_Sales_Doc43032234647380921_p...
MD5: 0a8c019dde3aafa90a3cd96efd391df8
Tags: Generic Malware, Lnk Format, GIF Format, Creates shortcut, unpack itself, WriteConsoleW
URLs (1):
  http://ceeaapaint.xyz:5100/new.bat
Score: 1.0 | Flag: - | VirusTotal: - | ZeroCERT
46332 | 2024-07-26 18:44
File: 5346347634735.exe
MD5: eff57bbdb0bd6825a3a3476e2fcc86be
Tags: Malicious Library, Malicious Packer, Antivirus, .NET framework(MSIL), UPX, PE File, .NET EXE, PE32, OS Processor Check, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
Score: 2.0 | Flag: M | VirusTotal: 63 | ZeroCERT
46333 | 2024-07-26 18:46
File: winiti.exe
MD5: 3d33cbde84d0a1197ec0d459d634473e
Tags: North Korea, Malicious Library, .NET framework(MSIL), PE File, .NET EXE, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, DNS
Hosts: 1 (not listed)
Score: 3.0 | Flag: M | VirusTotal: 41 | ZeroCERT
46334 | 2024-07-26 18:46
File: cliente.exe
MD5: 3ef97e69a4c36ab5dc588a8aca155241
Tags: UPX, PE File, PE32, MZP Format, OS Processor Check, VirusTotal, Malware, crashed
Score: 1.4 | Flag: - | VirusTotal: 19 | ZeroCERT
46335 | 2024-07-26 18:51
File: Proxy.exe
MD5: 979c9b19507478fe8f08d537ec70538b
Tags: Gen1, Generic Malware, Malicious Library, ASPack, UPX, Malicious Packer, Anti_VM, PE File, PE64, OS Processor Check, DLL, ZIP Format, VirusTotal, Malware, Check memory, Creates executable files
Score: 1.6 | Flag: - | VirusTotal: 16 | ZeroCERT