ZeroCERT sandbox listing, 2023-12-14. Field labels below are inferred from the column order of the original table, which carries no headings; values are reproduced as listed.

#6616  2023-12-14 18:50
  File:        fol4.exe
  MD5:         16d69d752dfb1211e0e67596d59caca1
  Tags:        Malicious Packer, UPX, PE File, PE64, VirusTotal, Malware, buffers extracted, RWX flags setting, Check virtual network interfaces, DNS
  URLs:        none listed
  Hosts:       1 (not itemised)
  IDS alerts:  none listed
  Score: 4.2   Flag: M   Detections: 35   Analyzer: ZeroCERT

#6617  2023-12-14 16:48
  File:        new_image.jpg.exe
  MD5:         d772e2dc4d5e6901bf6fdaba17caa985
  Tags:        Generic Malware, Antivirus, PE32, PE File, DLL, .NET DLL, VirusTotal, Malware, PDB
  URLs:        none listed
  Hosts:       none listed
  IDS alerts:  none listed
  Score: 0.6   Flag: -   Detections: 7   Analyzer: ZeroCERT

#6618  2023-12-14 16:41  (resubmission of the same file as #6617)
  File:        new_image.jpg.exe
  MD5:         d772e2dc4d5e6901bf6fdaba17caa985
  Tags:        Generic Malware, Antivirus, PE32, PE File, DLL, .NET DLL, VirusTotal, Malware, PDB
  URLs:        none listed
  Hosts:       none listed
  IDS alerts:  none listed
  Score: 0.6   Flag: -   Detections: 7   Analyzer: ZeroCERT

#6619  2023-12-14 16:40
  File:        nj.txt.exe
  MD5:         20f7d231a4c2c00595c943dc7633a24c
  Tags:        PE File, VirusTotal, Malware
  URLs:        none listed
  Hosts:       none listed
  IDS alerts:  none listed
  Score: 0.4   Flag: -   Detections: 3   Analyzer: ZeroCERT

#6620  2023-12-14 13:02
  File:        Pikabot.dll
  MD5:         61c58c2bebffb3b3590f24675721fa5b
  Tags:        Malicious Library, UPX, PE32, PE File, DLL, MZP Format, VirusTotal, Malware
  URLs:        none listed
  Hosts:       none listed
  IDS alerts:  none listed
  Score: 2.0   Flag: -   Detections: 33   Analyzer: ZeroCERT

#6621  2023-12-14 11:07
  File:        미신고 자금출처명세서(부가가치세법 시행규칙).hwp.l... (Korean: "Unreported source-of-funds statement (Value-Added Tax Act Enforcement Rules)"; the name is truncated in the listing)
  MD5:         ceb4847592b0b9ddc2b9c239fa48c471
  Tags:        Generic Malware, Malicious Library, Antivirus, AntiDebug, AntiVM, Lnk Format, GIF Format, PowerShell, PE32, PE File, CAB, MSOffice File, HWP, Malware download, VirusTotal, Malware, Campaign, powershell, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, WMI, heapspray, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Konni, Windows, ComputerName, Cryptographic key
  URLs (2):
    http://ddsdata.net/upload.php
    https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010
  Hosts (2):
    ddsdata.net(5.255.127.177)
    5.255.127.177
  IDS alerts (1):
    ET MALWARE [ANY.RUN] Konni.APT Exfiltration
  Score: 14.0   Flag: -   Detections: 11   Analyzer: ZeroCERT

#6622  2023-12-14 11:06  (same hash as #6621, submitted under an English file name)
  File:        Statement of undeclared funds ... (name truncated in the listing)
  MD5:         ceb4847592b0b9ddc2b9c239fa48c471
  Tags:        Generic Malware, Malicious Library, Antivirus, AntiDebug, AntiVM, Lnk Format, GIF Format, PowerShell, PE32, PE File, MSOffice File, HWP, CAB, Malware download, VirusTotal, Malware, Campaign, powershell, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, WMI, heapspray, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Konni, Windows, ComputerName, Cryptographic key
  URLs (2):
    http://ddsdata.net/upload.php
    https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010
  Hosts (2):
    ddsdata.net(5.255.127.177)
    5.255.127.177
  IDS alerts (1):
    ET MALWARE [ANY.RUN] Konni.APT Exfiltration
  Score: 14.6   Flag: -   Detections: 11   Analyzer: ZeroCERT

#6623  2023-12-14 11:00
  File:        481-5412-09.pdf .cmd
  MD5:         0ebda52c2e35dd7d3088b5364a4583fd
  Tags:        Generic Malware, Downloader, Antivirus, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, PowerShell, VirusTotal, Malware, powershell, AutoRuns, suspicious privilege, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, powershell.exe wrote, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key
  URLs (2):
    http://147.78.46.40:37662/office/1.pdf - rule_id: 38756
    http://147.78.46.40:37662/office/1.pdf
  Hosts:       1 (not itemised)
  IDS alerts (1):
    ET INFO Dotted Quad Host PDF Request
  Extracted URLs (1):
    http://147.78.46.40:37662/office/1.pdf
  Score: 10.0   Flag: -   Detections: 21   Analyzer: ZeroCERT

#6624  2023-12-14 10:53  (same hash as #6620 and #6625)
  File:        0.26620849638416144.dat.dll
  MD5:         61c58c2bebffb3b3590f24675721fa5b
  Tags:        Malicious Library, UPX, PE32, PE File, DLL, MZP Format, VirusTotal, Malware
  URLs:        none listed
  Hosts:       none listed
  IDS alerts:  none listed
  Score: 2.0   Flag: -   Detections: 33   Analyzer: ZeroCERT

#6625  2023-12-14 10:47
  File:        Pikabot.dll
  MD5:         61c58c2bebffb3b3590f24675721fa5b
  Tags:        Malicious Library, UPX, PE32, PE File, DLL, MZP Format, VirusTotal, Malware
  URLs:        none listed
  Hosts:       none listed
  IDS alerts:  none listed
  Score: 1.8   Flag: -   Detections: 28   Analyzer: ZeroCERT

#6626  2023-12-14 10:29
  File:        ORDER-231211.Xls.js
  MD5:         516442412f0c621f39abd64b645f587c
  Tags:        VirusTotal, Malware, VBScript, wscript.exe payload download, Tofsee, Dropper
  URLs (1):
    https://nac-ecs.co.mz/onedrive/wp.vbs
  Hosts (2):
    nac-ecs.co.mz(144.208.78.130) - malware
    144.208.78.130 - malware
  IDS alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
  Score: 10.0   Flag: -   Detections: 22   Analyzer: ZeroCERT

#6627  2023-12-14 10:28
  File:        ORDER-232111.pdf.js
  MD5:         ad919f29a6186c40a5bcb76d18803bfb
  Tags:        VirusTotal, Malware, VBScript, wscript.exe payload download, Tofsee, Dropper
  URLs (1):
    https://grapemundo.com/Apk/good.vbs
  Hosts (2):
    grapemundo.com(103.50.163.157) - malicious
    103.50.163.157 - malicious
  IDS alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
  Score: 10.0   Flag: -   Detections: 24   Analyzer: ZeroCERT

#6628  2023-12-14 10:28  (same hash as #6627, different file name)
  File:        ORDER-232112.pdf.js
  MD5:         ad919f29a6186c40a5bcb76d18803bfb
  Tags:        VirusTotal, Malware, VBScript, wscript.exe payload download, Tofsee, Dropper
  URLs (1):
    https://grapemundo.com/Apk/good.vbs
  Hosts (2):
    grapemundo.com(103.50.163.157) - malicious
    103.50.163.157 - malicious
  IDS alerts (2):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
  Score: 10.0   Flag: -   Detections: 24   Analyzer: ZeroCERT

#6629  2023-12-14 10:17
  File:        wp.vbs
  MD5:         4d09dbc70709eb2790c491dc476d508b
  Tags:        Malware download, Wshrat, NetWireRC, VirusTotal, Malware, VBScript, AutoRuns, WMI, wscript.exe payload download, AntiVM_Disk, VM Disk Size Check, Windows, Houdini, ComputerName, DNS, DDNS, Dropper
  URLs (2):
    http://chongmei33.publicvm.com:7045/is-processes - rule_id: 37041
    http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
  Hosts (2):
    chongmei33.publicvm.com(103.47.144.44) - malicious
    103.47.144.44
  IDS alerts (6):
    ET MALWARE WSHRAT CnC Checkin
    ET HUNTING Suspicious Possible Process Dump in POST body
    ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
    ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
    ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
    ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
  Extracted URLs (2):
    http://chongmei33.publicvm.com:7045/is-processes
    http://chongmei33.publicvm.com:7045/is-ready
  Score: 10.0   Flag: M   Detections: 29   Analyzer: ZeroCERT

#6630  2023-12-14 10:16
  File:        ORDER-2320884.jar
  MD5:         c2cfe1bc4cc6ec14cd510cd4ac40d6f5
  Tags:        Antivirus, Malicious Library, UPX, MSOffice File, ZIP Format, PE32, PE File, DLL, OS Processor Check, VirusTotal, Malware, AutoRuns, Check memory, buffers extracted, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Windows, Java, ComputerName, DNS, DDNS, crashed
  URLs:        none listed
  Hosts (8):
    objects.githubusercontent.com(185.199.108.133) - malware
    jinvestments.duckdns.org(103.47.144.44)
    github.com(20.200.245.247) - malicious
    repo1.maven.org(199.232.196.209)
    151.101.196.209
    185.199.109.133 - malicious
    20.200.245.247 - malware
    103.47.144.44
  IDS alerts (2):
    ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
    ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  Score: 7.6   Flag: -   Detections: 21   Analyzer: ZeroCERT
  Note: 103.47.144.44 is also the WSHRAT C2 host in #6629 (chongmei33.publicvm.com), so the two submissions share infrastructure.
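As an added example (my own code, not part of the ZeroCERT listing or its tooling), the script below turns a condensed excerpt of the records above into structured IOCs: it pulls the MD5, URLs, domain(IP) pairs and bare IPs out of each record, merges resubmissions that share a hash (#6627/#6628), pivots on IPs that appear in more than one record (103.47.144.44 is both the WSHRAT C2 in #6629 and the DuckDNS host contacted by #6630), and defangs indicators for sharing. The sample text is a constructed, trimmed copy of four rows; the layout it assumes (one blank-line-separated block per record, "ID | timestamp" on the first line) is an assumption for the example, not the site's export format.

```python
"""IOC extraction over a ZeroCERT-style sandbox listing (added example, not site code)."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of four rows from the listing, one blank-line
# separated block per record with "ID | timestamp" on the first line. The exact
# export layout of the site is an assumption; the indicator values are the page's.
SAMPLE = """\
6629 | 2023-12-14 10:17
wp.vbs 4d09dbc70709eb2790c491dc476d508b Malware download Wshrat NetWireRC VirusTotal Malware VBScript
http://chongmei33.publicvm.com:7045/is-processes - rule_id: 37041 http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
chongmei33.publicvm.com(103.47.144.44) - malicious 103.47.144.44
ET MALWARE WSHRAT CnC Checkin

6630 | 2023-12-14 10:16
ORDER-2320884.jar c2cfe1bc4cc6ec14cd510cd4ac40d6f5 Antivirus Malicious Library UPX ZIP Format Java DDNS
objects.githubusercontent.com(185.199.108.133) - malware jinvestments.duckdns.org(103.47.144.44) github.com(20.200.245.247) - malicious
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain

6627 | 2023-12-14 10:28
ORDER-232111.pdf.js ad919f29a6186c40a5bcb76d18803bfbVirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
https://grapemundo.com/Apk/good.vbs
grapemundo.com(103.50.163.157) - malicious 103.50.163.157 - malicious

6628 | 2023-12-14 10:28
ORDER-232112.pdf.js ad919f29a6186c40a5bcb76d18803bfbVirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
https://grapemundo.com/Apk/good.vbs
grapemundo.com(103.50.163.157) - malicious 103.50.163.157 - malicious
"""

RECORD_HDR = re.compile(r"^(\d+)\s*\|\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2})", re.M)
# No trailing \b on purpose: the listing sometimes glues the hash to the next tag
# ("...bfbVirusTotal"), so only the leading edge of the hash can be anchored.
MD5 = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32}")
URL = re.compile(r"https?://\S+")
HOST = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\((\d{1,3}(?:\.\d{1,3}){3})\)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_records(text):
    """Split the listing into per-submission records; one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr = RECORD_HDR.search(block)
        if not hdr:
            continue
        md5 = MD5.search(block)
        # The file name is whatever precedes the hash on the hash's own line
        # (names may contain spaces, e.g. "481-5412-09.pdf .cmd").
        filename = ""
        if md5:
            line_start = block.rfind("\n", 0, md5.start()) + 1
            filename = block[line_start:md5.start()].strip()
        records.append({
            "id": hdr.group(1),
            "time": hdr.group(2),
            "filename": filename,
            "md5": md5.group(0) if md5 else None,
            "urls": sorted(set(URL.findall(block))),
            "hosts": {domain: ip for domain, ip in HOST.findall(block)},
            "ips": sorted(set(IPV4.findall(block))),
        })
    return records


def samples_by_hash(records):
    """Group record IDs by MD5: resubmissions of one file collapse to one sample."""
    by_hash = defaultdict(list)
    for rec in records:
        if rec["md5"]:
            by_hash[rec["md5"]].append(rec["id"])
    return dict(by_hash)


def pivot_on_ip(records):
    """IPs seen in more than one record: candidate shared C2 or hosting."""
    seen = defaultdict(set)
    for rec in records:
        for ip in rec["ips"]:
            seen[ip].add(rec["id"])
    return {ip: ids for ip, ids in seen.items() if len(ids) > 1}


def defang(indicator):
    """Make a URL, domain or IP safe to paste into a ticket or chat."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for md5, ids in samples_by_hash(recs).items():
        print(f"{md5}  submissions={ids}")
    for ip, ids in pivot_on_ip(recs).items():
        print(f"shared infrastructure {defang(ip)} across {sorted(ids)}")
    for rec in recs:
        for url in rec["urls"]:
            print(f"[{rec['id']}] {defang(url)}")
```

The pivot step is the part worth keeping: a listing like this one scores each submission in isolation, so a low-scoring JAR (#6630, 7.6) that resolves its DuckDNS name to the same address as a high-scoring WSHRAT dropper (#6629) only stands out once indicators are joined across records.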