| 6796 |
2023-12-04 18:23
|
setup_uncnow.msi c8903eb5763c670a15049d74d764188c
Malicious Library MSOffice File CAB OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
25
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAZ%2FYEeVZiSnFZlhdD2BlJM%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fa997abf-161c-45ba-8c23-eb9e58c2ebc6&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d2f1aa4f-0183-476d-a2e3-299d68f68dbc&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=52d7e394-0ece-46e3-8b6b-50e4a912a514&tr=36&tt=17016814893833119&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5e3b6223-9356-471b-8ac4-06d55cb06d5b&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/5780c94a-62cb-449e-9e29-62028b992d0a/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=fa13dc40-7442-45d8-b4cf-15fea528e53d&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9da37a0f-6450-432f-b7a1-af20384a430c&tr=36&tt=17016814904842809&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/35.1/AgentPackageAgentInformation.zip?roGNp1CdFuW2ipdOZb4w/41XQvxne4mlIzFBGwsZ58tRkOqxVI2UbLZy7MqqWuPA
https://agent-api.atera.com/Production/Agent/CommandResult
https://agent-api.atera.com/Production/Agent/GetRecurringPackages
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2fb99e22-8755-4d28-ae1e-e175b97d7c3a&tr=36&tt=17016814905518788&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5996b0eb-9297-42ce-aa13-d91471083548&tt=0&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=368707d7-109a-4dc7-acd7-fb1c39ca60c6&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://agent-api.atera.com/Production/Agent/GetCommands
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=300c78de-6012-42af-8bad-63e197a87eee&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ad6f65e6-9e21-4436-8c50-b62c1d8d24cd&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5780c94a-62cb-449e-9e29-62028b992d0a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=77b274d5-4946-40ea-93d8-7fa53e59e643&tr=36&tt=17016814901254509&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
https://agent-api.atera.com/Production/Agent/AgentStarting
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=75d31a17-5a77-4055-85d2-3b3e2ce36570&uuid=5780c94a-62cb-449e-9e29-62028b992d0a
|
9
ocsp.digicert.com(152.195.38.76)
ps.pndsn.com(18.179.18.153)
cacerts.digicert.com(152.195.38.76)
ps.atera.com(13.107.213.46)
agent-api.atera.com(20.37.139.187)
13.107.213.74
20.37.139.187
152.195.38.76
18.179.18.155
|
|
|
4.4 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6797 |
2023-12-04 18:22
|
microsoftdeletedentirehistoryc... 6a1c0cb2c30f2bd30ac02506afd5701a
MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://geoplugin.net/json.gp
http://107.173.143.18/155/wlanext.exe
|
7
geoplugin.net(178.237.33.50)
grantadistciaret.com(91.92.247.119)
178.237.33.50
152.195.38.76
107.173.143.18 - mailcious
18.179.18.155
91.92.247.119
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
4.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6798 |
2023-12-04 18:21
|
 z1.bat 97dc80d3844b01587d9fd6377b9ab0a7
Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Anti_VM AntiDebug AntiVM VirusTotal Malware suspicious privilege WMI Windows utilities suspicious process WriteConsoleW Windows ComputerName |
|
|
|
|
4.2 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6799 |
2023-12-04 18:18
|
 clip64.dll 3727880831612b8461cf81cc4e05d2a3
Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://77.91.76.37/g8samsA2/index.php
|
1
|
|
|
3.6 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6800 |
2023-12-04 18:17
|
 wlanext.exe 925cc5d77586311bd5cefbb430d051e1
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
3.2 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6801 |
2023-12-04 18:17
|
 ngrok.exe e2eadf60d8f25cae9b29decab461177b
Malicious Library Malicious Packer UPX PE File PE64 wget OS Processor Check VirusTotal Malware sandbox evasion WriteConsoleW |
|
|
|
|
2.2 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6802 |
2023-12-04 18:16
|
 g.exe 2c32f30ee011f338d4cb5ebc852d4ee5
Generic Malware Malicious Library Malicious Packer ASPack UPX PE32 PE File OS Processor Check VirusTotal Malware AutoRuns Windows Remote Code Execution |
|
13
spa.gotohttp.com(152.32.197.201)
usw.gotohttp.com(43.130.10.102)
hk.gotohttp.com(47.241.41.42)
def.gotohttp.com(43.130.10.102)
tk.gotohttp.com(103.143.72.251)
eu.gotohttp.com(43.131.61.143)
use.gotohttp.com(49.51.102.118)
47.241.41.42
152.32.197.201
43.130.10.102
103.143.72.251
43.131.61.143
49.51.102.118
|
|
|
2.2 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6803 |
2023-12-04 18:14
|
 kjox.exe 3c6b3c50afec4a49e616569559d4a749
Formbook UPX PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName DNS |
|
1
|
|
|
4.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6804 |
2023-12-04 18:13
|
Microsoftdeletedentirehistoryf... 6ee6e6e58e88fbb222f7b1c8e37973d7
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6805 |
2023-12-04 18:12
|
 1.dll 60cdf8bcf6966eac70e5f38c26c0003c
Emotet Gen1 Generic Malware Malicious Library Malicious Packer Antivirus UPX PE32 PE File DLL DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution |
|
|
|
|
1.8 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6806 |
2023-12-04 18:11
|
 demon.x64.exe f89c632c014ae133e895eaca52caecf5
Generic Malware PE File PE64 VirusTotal Malware Malicious Traffic unpack itself Check virtual network interfaces Sliver DNS |
1
|
1
|
1
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
|
|
4.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6807 |
2023-12-04 18:11
|
 herewgo.exe 8bfd7886121330aca3002b5b1e768740
NSIS Malicious Library UPX Downloader PE32 PE File OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Browser Email ComputerName crashed |
|
|
|
|
5.8 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6808 |
2023-12-04 18:09
|
 cred64.dll a17a5ab2d131cd9eefcece4f1d22e531
Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion installed browsers check Windows Browser Email DNS Software |
1
http://77.91.76.37/g8samsA2/index.php
|
1
|
|
|
8.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6809 |
2023-12-04 18:09
|
 ma.exe 81145190d0c6cb7c04a3c7b8de03fd16
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself DNS |
|
1
|
|
|
3.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6810 |
2023-12-04 18:07
|
 WILD_PRIDE.exe 6b44d99b258c275ee7fcf230da177f3e
Malicious Packer UPX PE File PE64 VirusTotal Malware Checks debugger DNS |
|
1
94.198.53.143 - mailcious
|
|
|
4.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|