| 6271 |
2024-01-17 08:10
|
 newestClient1.exe ffb72f98676269aeb972299b91a2d26c
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
0.6 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6272 |
2024-01-17 08:08
|
 conhost.exe 1b225b72fbc08f95e76634dc39a25b1a
Formbook Generic Malware .NET framework(MSIL) Antivirus AntiDebug AntiVM PE32 PE File .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
2
http://www.54xz.vip/jk56/?tXxh=QsxnamqBKHYfB2r7hfKh7iGwIx47ovwMcaPiu4O9k9c2M2UtruXKsS03YDnYGWBBOnu2E9x9&U48Tj=Ntx0ULS048u8gHz
http://www.sanifulimited.com/jk56/?tXxh=7HRrcs3TZOA/WH8UDVN9ZBaE8Rw1oacq0KoGerjE8eHA37nBx3g2UGphkhVW2ycriYHLgfvP&U48Tj=Ntx0ULS048u8gHz
|
6
www.sanifulimited.com(76.76.21.98)
www.54xz.vip(20.189.114.249)
www.pk2y6y.shop(8.212.102.132)
20.189.114.14
8.212.102.132
76.76.21.123 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
12.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6273 |
2024-01-17 08:07
|
 next.exe 855ab7dc7e6f028a7cf4c059e8b1a651
EnigmaProtector Malicious Packer UPX PE32 PE File Check memory unpack itself crashed |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6274 |
2024-01-16 17:47
|
 MAS_AIO.cmd 99ae4d160ce5c07cd5a88cff6668c41c
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6275 |
2024-01-16 10:23
|
browserforfindvideoswhichmakey... cac7fbeb22725d491739d21ce51d7cf2
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/DPx5S
http://23.94.239.93/5060/browserclear.vbs
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(104.22.53.71) - malware
23.94.239.93 - mailcious
104.22.53.71
104.21.84.67 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
4.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6276 |
2024-01-16 10:20
|
BrowserUpdate.vbs 7eed4e5991eacf9b104dd2d2da0856fb
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4228677.png
http://107.175.113.207/3555/TH.txt
|
4
paste.ee(172.67.187.200) - mailcious
wallpapercave.com(104.22.53.71) - malware
172.67.29.26 - malware
104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6277 |
2024-01-16 10:18
|
browserdatasavedforvideotocrea... 894868d948fb83d3039e9d0f13caa8f6
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://107.175.113.207/3555/BrowserUpdate.vbs
https://paste.ee/d/s5jMq
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(104.22.53.71) - malware
104.22.53.71
104.21.84.67 - malware
107.175.113.207 - malware
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6278 |
2024-01-16 10:16
|
browserclear.vbs 955cba0154cb22d954e10771041d58b3
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
https://paste.ee/d/DPx5S
https://wallpapercave.com/uwp/uwp4228677.png
http://23.94.239.93/5060/CBL.txt
|
4
paste.ee(172.67.187.200) - mailcious
wallpapercave.com(104.22.53.71) - malware
172.67.29.26 - malware
104.21.84.67 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
9.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6279 |
2024-01-16 10:14
|
 Client-built.exe 6efb136f01bd7beeec9603924b79f5d0
Malicious Library .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6280 |
2024-01-16 10:04
|
 M.hta a712950af45bdc5e33863aae223c1ac6
AntiDebug AntiVM MSOffice File JPEG Format VirusTotal Malware Code Injection Check memory Checks debugger RWX flags setting exploit crash unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
2
https://mail.chapanakit-rta.com/favicon.ico
https://mail.chapanakit-rta.com/images/happynewyear.jpg
|
2
mail.chapanakit-rta.com(203.113.25.99) - mailcious
203.113.25.99 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
7.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6281 |
2024-01-16 08:15
|
 done.exe 750730cacee06f5b29188ef5050ff7ab
Client SW User Data Stealer Emotet Gen1 browser info stealer EnigmaProtector Generic Malware Google Chrome User Data Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Http API PWS Code injection Create Service Socket DGA ScreenShot Es Browser Info Stealer VirusTotal Malware AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser Remote Code Execution DNS crashed |
15
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yJ/l/0,cross/JtVgZ46o85N.css?_nc_x=Ij3Wp8lg5Kz
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
8
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
157.240.215.35
157.240.215.14
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6282 |
2024-01-16 08:13
|
 MartDrum.exe 1e4352c43b8c5a6b5a10dd0ace9a57a4
Gen1 Downloader task schedule Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE32 Malware download AsyncRAT NetWireRC Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Windows ComputerName DDNS |
|
3
ILEBAjQfqsOIasLkjMdYuEw.ILEBAjQfqsOIasLkjMdYuEw()
leetman.dynuddns.com(94.156.64.207)
94.156.64.207
|
3
ET INFO DYNAMIC_DNS Query to a *.dynuddns .com Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
11.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6283 |
2024-01-16 08:11
|
 khupdated.exe 4d9fb60e333f52c979bf29a3c945afc1
Downloader .NET framework(MSIL) UPX KeyLogger Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP P2P AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
9.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6284 |
2024-01-16 08:11
|
 bin.exe 784559c7325bfc51b99ef299c4279d10
NSIS Malicious Library UPX PE32 PE File DLL Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
2.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6285 |
2024-01-16 08:09
|
 GorgeousMovement.exe 37e6d31e2b00ce35a5e933147524f09d
Gen1 Hide_EXE Suspicious_Script_Bin Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P Anti Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Windows ComputerName |
|
1
QBKbTeFBWPHfG.QBKbTeFBWPHfG()
|
|
|
8.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|