6796 | 2023-12-04 18:23
File: setup_uncnow.msi | MD5: c8903eb5763c670a15049d74d764188c
Tags: Malicious Library MSOffice File CAB OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check ComputerName
URLs (25):
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAZ%2FYEeVZiSnFZlhdD2BlJM%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fa997abf-161c-45ba-8c23-eb9e58c2ebc6&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d2f1aa4f-0183-476d-a2e3-299d68f68dbc&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=52d7e394-0ece-46e3-8b6b-50e4a912a514&tr=36&tt=17016814893833119&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5e3b6223-9356-471b-8ac4-06d55cb06d5b&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/5780c94a-62cb-449e-9e29-62028b992d0a/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=fa13dc40-7442-45d8-b4cf-15fea528e53d&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9da37a0f-6450-432f-b7a1-af20384a430c&tr=36&tt=17016814904842809&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/35.1/AgentPackageAgentInformation.zip?roGNp1CdFuW2ipdOZb4w/41XQvxne4mlIzFBGwsZ58tRkOqxVI2UbLZy7MqqWuPA
https://agent-api.atera.com/Production/Agent/CommandResult
https://agent-api.atera.com/Production/Agent/GetRecurringPackages
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2fb99e22-8755-4d28-ae1e-e175b97d7c3a&tr=36&tt=17016814905518788&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5996b0eb-9297-42ce-aa13-d91471083548&tt=0&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=368707d7-109a-4dc7-acd7-fb1c39ca60c6&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://agent-api.atera.com/Production/Agent/GetCommands
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=300c78de-6012-42af-8bad-63e197a87eee&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ad6f65e6-9e21-4436-8c50-b62c1d8d24cd&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=77b274d5-4946-40ea-93d8-7fa53e59e643&tr=36&tt=17016814901254509&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
https://agent-api.atera.com/Production/Agent/AgentStarting
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=75d31a17-5a77-4055-85d2-3b3e2ce36570&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
Hosts (9):
ocsp.digicert.com(152.195.38.76)
ps.pndsn.com(18.179.18.153)
cacerts.digicert.com(152.195.38.76)
ps.atera.com(13.107.213.46)
agent-api.atera.com(20.37.139.187)
13.107.213.74
20.37.139.187
152.195.38.76
18.179.18.155
Score: 4.4 | M | 5 | ZeroCERT

6797 | 2023-12-04 18:22
File: microsoftdeletedentirehistoryc... | MD5: 6a1c0cb2c30f2bd30ac02506afd5701a
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
http://geoplugin.net/json.gp
http://107.173.143.18/155/wlanext.exe
Hosts (7):
geoplugin.net(178.237.33.50)
grantadistciaret.com(91.92.247.119)
178.237.33.50
152.195.38.76
107.173.143.18 - malicious
18.179.18.155
91.92.247.119
Alerts (6):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
Score: 4.2 | M | 36 | ZeroCERT

6798 | 2023-12-04 18:21
File: z1.bat | MD5: 97dc80d3844b01587d9fd6377b9ab0a7
Tags: Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Anti_VM AntiDebug AntiVM VirusTotal Malware suspicious privilege WMI Windows utilities suspicious process WriteConsoleW Windows ComputerName
Score: 4.2 | M | 18 | ZeroCERT

6799 | 2023-12-04 18:18
File: clip64.dll | MD5: 3727880831612b8461cf81cc4e05d2a3
Tags: Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS
URLs (1):
http://77.91.76.37/g8samsA2/index.php
Hosts (1)
Score: 3.6 | M | 51 | ZeroCERT

6800 | 2023-12-04 18:17
File: wlanext.exe | MD5: 925cc5d77586311bd5cefbb430d051e1
Tags: PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
Hosts (1)
Score: 3.2 | M | 50 | ZeroCERT

6801 | 2023-12-04 18:17
File: ngrok.exe | MD5: e2eadf60d8f25cae9b29decab461177b
Tags: Malicious Library Malicious Packer UPX PE File PE64 wget OS Processor Check VirusTotal Malware sandbox evasion WriteConsoleW
Score: 2.2 | M | 2 | ZeroCERT

6802 | 2023-12-04 18:16
File: g.exe | MD5: 2c32f30ee011f338d4cb5ebc852d4ee5
Tags: Generic Malware Malicious Library Malicious Packer ASPack UPX PE32 PE File OS Processor Check VirusTotal Malware AutoRuns Windows Remote Code Execution
Hosts (13):
spa.gotohttp.com(152.32.197.201)
usw.gotohttp.com(43.130.10.102)
hk.gotohttp.com(47.241.41.42)
def.gotohttp.com(43.130.10.102)
tk.gotohttp.com(103.143.72.251)
eu.gotohttp.com(43.131.61.143)
use.gotohttp.com(49.51.102.118)
47.241.41.42
152.32.197.201
43.130.10.102
103.143.72.251
43.131.61.143
49.51.102.118
Score: 2.2 | M | 1 | ZeroCERT

6803 | 2023-12-04 18:14
File: kjox.exe | MD5: 3c6b3c50afec4a49e616569559d4a749
Tags: Formbook UPX PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName DNS
Hosts (1)
Score: 4.0 | M | 47 | ZeroCERT

6804 | 2023-12-04 18:13
File: Microsoftdeletedentirehistoryf... | MD5: 6ee6e6e58e88fbb222f7b1c8e37973d7
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
Hosts (1)
Alerts (5):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.6 | M | 37 | ZeroCERT

6805 | 2023-12-04 18:12
File: 1.dll | MD5: 60cdf8bcf6966eac70e5f38c26c0003c
Tags: Emotet Gen1 Generic Malware Malicious Library Malicious Packer Antivirus UPX PE32 PE File DLL DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution
Score: 1.8 | M | 35 | ZeroCERT

6806 | 2023-12-04 18:11
File: demon.x64.exe | MD5: f89c632c014ae133e895eaca52caecf5
Tags: Generic Malware PE File PE64 VirusTotal Malware Malicious Traffic unpack itself Check virtual network interfaces Sliver DNS
URLs (1)
Hosts (1)
Alerts (1):
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
Score: 4.4 | M | 47 | ZeroCERT

6807 | 2023-12-04 18:11
File: herewgo.exe | MD5: 8bfd7886121330aca3002b5b1e768740
Tags: NSIS Malicious Library UPX Downloader PE32 PE File OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Browser Email ComputerName crashed
Score: 5.8 | M | 53 | ZeroCERT

6808 | 2023-12-04 18:09
File: cred64.dll | MD5: a17a5ab2d131cd9eefcece4f1d22e531
Tags: Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion installed browsers check Windows Browser Email DNS Software
URLs (1):
http://77.91.76.37/g8samsA2/index.php
Hosts (1)
Score: 8.0 | M | 48 | ZeroCERT

6809 | 2023-12-04 18:09
File: ma.exe | MD5: 81145190d0c6cb7c04a3c7b8de03fd16
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself DNS
Hosts (1)
Score: 3.2 | M | 17 | ZeroCERT

6810 | 2023-12-04 18:07
File: WILD_PRIDE.exe | MD5: 6b44d99b258c275ee7fcf230da177f3e
Tags: Malicious Packer UPX PE File PE64 VirusTotal Malware Checks debugger DNS
Hosts (1):
94.198.53.143 - malicious
Score: 4.2 | M | 39 | ZeroCERT