5281 | 2024-02-15 08:09
parkazx.exe 40481437ab27f01ff888644faf6681c5 AgentTesla .NET framework(MSIL) Escalate priviledges PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Browser Email ComputerName DNS Software crashed keylogger
1
11.2 | M | ZeroCERT

5282 | 2024-02-15 08:08
resources.dll 5d8d5a9c46e621f31d129bcd671c8c8a Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE32 PE File DLL OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software
4
195.133.88.98
45.33.6.223
62.173.146.41
91.201.67.85
15.6 | M | 12 | ZeroCERT

5283 | 2024-02-15 08:06
resources.dll 6c072be39ed9066026637c0b74e74047 Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE32 PE File DLL OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Interception Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software
3
195.133.88.98
62.173.146.41
91.201.67.85
15.4 | M | 6 | ZeroCERT

5284 | 2024-02-15 08:05
dropper_cs.exe 44570b59b21c1a35fe275b929cae1cb1 PE32 PE File .NET EXE VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
9
https://185.234.216.64/status/995598521343541248/query=/2b9ccd88-b78a-4e0d-a501-443a64e2861f/?o2LlLnlV94xEyay
https://185.234.216.64/uasclient/0.1.34/modules/6ff70043-72f1-44c5-814d-cac488223681/?o2LlLnlV94xEyay
https://185.234.216.64/bootstrap/3.1.1/bootstrap.min.js/f4cd251a-54ce-4d0d-a384-3130b75daddd/?o2LlLnlV94xEyay
https://185.234.216.64/vfe01s/1/vsopts.js/c21da95f-473e-4f3e-b738-a32b31840f7a/?o2LlLnlV94xEyay
https://185.234.216.64/Philips/v902/?c
https://185.234.216.64/Philips/v902/7bb20a37-7410-46b4-8924-887ca08a72fb/?o2LlLnlV94xEyay
https://185.234.216.64/business/retail-business/insurance.asp/c7252337-bf29-422f-a535-3e253da22cb4/?o2LlLnlV94xEyay
https://185.234.216.64/vfe01s/1/vsopts.js/4f5070ad-59b6-4a2a-b63d-1975c49f4bc5/?o2LlLnlV94xEyay
https://185.234.216.64/wpaas/load.php/0c0530f9-1676-4838-94bb-106f5f80e445/?o2LlLnlV94xEyay
1
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
5.4 | M | 55 | ZeroCERT

5285 | 2024-02-15 08:05
resources.dll e758e07113016aca55d9eda2b0ffeebe Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE32 PE File DLL OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Collect installed applications powershell.exe wrote suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Windows Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software
3
195.133.88.98
62.173.146.41
91.201.67.85
15.4 | M | 8 | ZeroCERT

5286 | 2024-02-15 08:04
binzx.exe 28527ceca95ca154ef0830e7e1d12cca .NET framework(MSIL) Escalate priviledges PWS AntiDebug AntiVM PE32 PE File .NET EXE DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Browser DNS
15
http://www.towelhoodie.com/e3ir/
http://www.lululimon.homes/e3ir/?0zn1=MnAfW/PLVzL+awu+6py0DyhswC5lFb+KzQiUKGmL/dfkSBHwZ8KWhT5hSDOW2oy6+Ubgx8oLXj7rxmN/eM9gBRJNNdGyUBNB+DjATonn4e7YLJW2ZcIa7WkhxxUE2i2jRhqAhH4=&j-iRJ=MN2lRzxb1
http://www.homeezy.xyz/e3ir/
http://www.lululimon.homes/e3ir/
http://www.angelasboutiquesc.com/e3ir/
http://www.angelasboutiquesc.com/e3ir/?0zn1=U0e2VHQ3Q2kyrLYhN2GWjSinnXx1ELCrndILgHYZMReWye+UcSXtg0pUu5j/7KiXTsRhKWuHtZ3JDKzUJZ5ugnqdFdmORM2d/PXI9FqAPeGXz7TGzng7+fzpiLEjIEMXUx5nKdk=&j-iRJ=MN2lRzxb1
http://www.o649o.vip/e3ir/?0zn1=Dc6dvVHcKVxHUFHU7dtgcU0qTcIEXGIWjWEa7iVRqU3b1fWYpAX3J8LrsZPreVHDp7m66+C/Ugm92KDYdsc8zOND/q/WH4KBj5QCzcMv46MMie2ljUgumyrEg7gvztvYnlUJ/V4=&j-iRJ=MN2lRzxb1
http://www.lunarlagoon.xyz/e3ir/
http://www.towelhoodie.com/e3ir/?0zn1=wSa9TQYXgZofyGtyzliiZqTk1pWBsV3myGsiQjI6L1DL0/6jdc6zf58HxjcH6k3ssNwv6Kebp336XMF5QmwpFXFf9vZLo8xa/7w70H+lQos+yycCw3W/iJeO9/vYxYYDZnj5GOk=&j-iRJ=MN2lRzxb1
http://www.lunarlagoon.xyz/e3ir/?0zn1=amDQF+aWZ2u8NZ8aYBJwb1bsIBWP1X0Jfb6hq4auJT4ZjmIe2NaBMUhUedHzP+HaoY1NqTnL44ec8o658owhNxPhMIc1rPvjcxp0qdJT+Fqim8zDujyy2UMH/u96kS8xddhAL60=&j-iRJ=MN2lRzxb1
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
http://www.homeezy.xyz/e3ir/?0zn1=/UdOclaXQTxl1ky5HcaRYYcCUZ2kj8MRQ605n19Q4prrCJvQhbIstt1hAyUzE02YEnvpJQUNL+kmUSpVs3gZuZQBeBXeKl/p0qloAw6J088CYYck737OCpMXrGh2TMtetAW0xg0=&j-iRJ=MN2lRzxb1
http://www.martproduct.info/e3ir/
http://www.o649o.vip/e3ir/
http://www.martproduct.info/e3ir/?0zn1=ANHQbUDMy3IIyelXfbXsNOKXSS6Kb87qQyPZ6MgFk2MLfdv9lIzhXmdPRPJGdPkalJmBN+1EhrDaFZkBtumsyGL0T0rBPjzZW8FxF1Je0oSqG0wcoCtPBPZdohpB6FRwa4ruNJ0=&j-iRJ=MN2lRzxb1
16
www.lululimon.homes(91.195.240.19)
www.homeezy.xyz(216.40.34.41)
www.italiangreyhounds.online()
www.martproduct.info(199.59.243.225)
www.o649o.vip(35.227.226.177)
www.angelasboutiquesc.com(15.235.86.83)
www.towelhoodie.com(91.195.240.19)
www.lunarlagoon.xyz(162.0.222.196)
91.195.240.19 - mailcious
162.0.222.196
199.59.243.225 - mailcious
216.40.34.41 - mailcious
91.201.67.85
45.33.6.223
35.227.226.177
15.235.86.83 - mailcious
13.2 | M | 37 | ZeroCERT

5287 | 2024-02-15 08:04
amert.exe a6ba2dcff4afc522c78bf7470d968f5d Admin Tool (Sysinternals etc ...) UPX PE32 PE File VirusTotal Malware AutoRuns Checks debugger unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows crashed
6.2 | M | 38 | ZeroCERT

5288 | 2024-02-15 08:02
lt.exe a24578763f9a5b238646dc03268027cd .NET framework(MSIL) UPX PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
1
2.6 | M | 19 | ZeroCERT

5289 | 2024-02-15 01:26
test.exe 6737be0f15b6ddf4e13110708202eb84 Generic Malware Admin Tool (Sysinternals etc ...) UPX Anti_VM PE File PE64 OS Processor Check RWX flags setting unpack itself Check virtual network interfaces
2.6 | guest

5290 | 2024-02-14 18:31
cases_2024-02-12_16-01-13-0368... 58888d54d24b730ab10fcd26cc871d19 Escalate priviledges PWS KeyLogger AntiDebug AntiVM CAB Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself DNS
5
http://95.164.63.54/documents/build-x64.zip/build-x64.msi - rule_id: 39462
http://secure.globalsign.com/cacert/codesigningrootr45.crt
http://95.164.63.54/documents/build-x64.zip - rule_id: 39463
http://95.164.63.54/documents
http://95.164.63.54/
5
secure.globalsign.com(104.18.20.226)
prodomainnameeforappru.com(46.21.157.142) - mailcious
46.21.157.142 - mailcious
95.164.63.54 - malware
104.18.21.226
2
ET INFO Dotted Quad Host ZIP Request
ET HUNTING WebDAV Retrieving .zip
2
http://95.164.63.54/documents/build-x64.zip/build-x64.msi
http://95.164.63.54/documents/build-x64.zip
4.6 | M | ZeroCERT

5291 | 2024-02-14 18:26
cases_2024-02-12_16-01-12-8843... 90cb2bce91cc50e9f1244c94bd714be7 Escalate priviledges PWS KeyLogger AntiDebug AntiVM CAB Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself DNS
6
http://95.164.63.54/documents/build-x64.zip/build-x64.msi
http://95.164.63.54/documents/build-x64.zip
http://secure.globalsign.com/cacert/codesigningrootr45.crt
http://95.164.63.54/documents/
http://95.164.63.54/documents
http://95.164.63.54/
5
secure.globalsign.com(104.18.20.226)
prodomainnameeforappru.com(46.21.157.142) - mailcious
46.21.157.142 - mailcious
95.164.63.54 - malware
104.18.20.226
2
ET INFO Dotted Quad Host ZIP Request
ET HUNTING WebDAV Retrieving .zip
4.6 | M | ZeroCERT

5292 | 2024-02-14 18:14
build.exe 674f0e284bdd2795be4948c911c14fc3 Gen1 Generic Malware Malicious Library ASPack Malicious Packer UPX Antivirus Anti_VM PE File PE64 DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself
2.8 | M | 28 | ZeroCERT

5293 | 2024-02-14 18:11
agodzx.exe 2d80ba25d567362815d7c3fe8217fb9f AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Windows Browser Email ComputerName Software crashed
1
http://ip-api.com/line/?fields=hosting
4
webmail.missiontool.net(67.20.76.187)
ip-api.com(208.95.112.1)
67.20.76.187 - mailcious
208.95.112.1
3
SURICATA Applayer Detect protocol only one direction
ET POLICY External IP Lookup ip-api.com
ET MALWARE AgentTesla Exfil Via SMTP
14.4 | M | 36 | ZeroCERT

5294 | 2024-02-14 18:10
observ.msi ee5ceff4974b7e5c42476e9537820a80 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX MSOffice File CAB OS Processor Check PE32 PE File DLL VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName
3.2 | 6 | ZeroCERT

5295 | 2024-02-14 14:38
Wezwanie_swiadka.pdf.exe d7ff05311350b4990ccd642a44679d1d Client SW User Data Stealer browser info stealer NSIS Generic Malware Themida Packer Google Chrome User Data Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code Browser Info Stealer VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files exploit crash unpack itself Checks Bios Detects VirtualBox Detects VMWare AppData folder malicious URLs VMware anti-virtualization installed browsers check Tofsee Windows Exploit Browser ComputerName Firmware DNS crashed
3
sqlite.org(45.33.6.223)
46.246.97.61
45.33.6.223
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
13.6 | 17 | ZeroCERT