| 6931 |
2023-11-28 09:23
|
htmljason.vbs e64be178e12b020963cc38980edc18f8
VirusTotal Malware wscript.exe payload download Tofsee |
1
|
2
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6932 |
2023-11-28 09:21
|
 wlanext.exe 9aeed55e2703a03cf9e922dc695db1ab
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser ComputerName DNS |
16
http://www.velvet-key-properties.top/zqco/?ZuTSz8Jg=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&0VGHl=xHLDPw - rule_id: 38342
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.oneillspubs.com/zqco/?ZuTSz8Jg=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&0VGHl=xHLDPw - rule_id: 38338
http://www.54c7pv.top/zqco/?ZuTSz8Jg=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&0VGHl=xHLDPw - rule_id: 38344
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
http://www.brls.money/zqco/?ZuTSz8Jg=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&0VGHl=xHLDPw - rule_id: 38345
http://www.wearehydrant.com/zqco/?ZuTSz8Jg=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&0VGHl=xHLDPw - rule_id: 38343
http://www.stprov.biz/zqco/?ZuTSz8Jg=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&0VGHl=xHLDPw - rule_id: 38346
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.speedbikesglobal.com/zqco/?ZuTSz8Jg=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&0VGHl=xHLDPw - rule_id: 38340
http://www.ofupakoshi.com/zqco/?ZuTSz8Jg=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&0VGHl=xHLDPw - rule_id: 38341
http://www.zz23xw.top/zqco/?ZuTSz8Jg=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&0VGHl=xHLDPw - rule_id: 38337
http://www.talknconvert.com/zqco/?ZuTSz8Jg=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&0VGHl=xHLDPw - rule_id: 38336
http://www.talknconvert.com/zqco/ - rule_id: 38336
http://www.ezus.life/zqco/?ZuTSz8Jg=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&0VGHl=xHLDPw - rule_id: 38339
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
|
24
www.ofupakoshi.com(118.27.125.154) - mailcious
www.talknconvert.com(34.120.137.41) - mailcious
www.velvet-key-properties.top(162.0.222.119) - mailcious
www.cardsfinanse.online() - mailcious
www.brls.money(76.76.21.9) - mailcious
www.wearehydrant.com(216.40.34.41) - mailcious
www.oneillspubs.com(199.59.243.225) - mailcious
www.stprov.biz(208.91.197.132) - mailcious
www.speedbikesglobal.com(207.244.126.150) - mailcious
www.zz23xw.top(198.44.187.121) - mailcious
www.54c7pv.top(154.91.180.241) - mailcious
www.ezus.life(34.96.147.60) - mailcious
34.96.147.60 - mailcious
198.44.187.121 - mailcious
207.244.126.150 - mailcious
154.91.180.241 - mailcious
199.59.243.225 - mailcious
216.40.34.41 - mailcious
76.76.21.142 - mailcious
45.33.6.223
208.91.197.132 - mailcious
34.120.137.41 - mailcious
118.27.125.154 - mailcious
162.0.222.119 - mailcious
|
5
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
|
12
http://www.velvet-key-properties.top/zqco/
http://www.oneillspubs.com/zqco/
http://www.54c7pv.top/zqco/
http://www.brls.money/zqco/
http://www.wearehydrant.com/zqco/
http://www.stprov.biz/zqco/
http://www.speedbikesglobal.com/zqco/
http://www.ofupakoshi.com/zqco/
http://www.zz23xw.top/zqco/
http://www.talknconvert.com/zqco/
http://www.talknconvert.com/zqco/
http://www.ezus.life/zqco/
|
10.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6933 |
2023-11-28 09:21
|
MicrosoftbrowserEdgeentierhist... 1363064ab295a3d2cb98232cc188eb42
Formbook MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware RWX flags setting exploit crash Windows Exploit DNS crashed |
|
16
www.talknconvert.com(34.120.137.41) - mailcious
www.ofupakoshi.com(118.27.125.154) - mailcious
www.velvet-key-properties.top(162.0.222.119) - mailcious
www.oneillspubs.com(199.59.243.225) - mailcious
www.speedbikesglobal.com(207.244.126.150) - mailcious
www.zz23xw.top(198.44.187.121) - mailcious
www.ezus.life(34.96.147.60) - mailcious
34.96.147.60 - mailcious
198.44.187.121 - mailcious
207.244.126.150 - mailcious
199.59.243.225 - mailcious
172.245.208.19 - malware
45.33.6.223
34.120.137.41 - mailcious
118.27.125.154 - mailcious
162.0.222.119 - mailcious
|
10
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .life TLD
SURICATA HTTP Request abnormal Content-Encoding header
|
14
http://www.zz23xw.top/zqco/
http://www.oneillspubs.com/zqco/
http://www.ofupakoshi.com/zqco/
http://www.oneillspubs.com/zqco/
http://www.velvet-key-properties.top/zqco/
http://www.velvet-key-properties.top/zqco/
http://www.ezus.life/zqco/
http://www.speedbikesglobal.com/zqco/
http://www.ezus.life/zqco/
http://www.ofupakoshi.com/zqco/
http://www.zz23xw.top/zqco/
http://www.talknconvert.com/zqco/
http://www.speedbikesglobal.com/zqco/
http://www.talknconvert.com/zqco/
|
3.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6934 |
2023-11-28 09:21
|
 InstallSetup2.exe 631a53494c133f38982b1c8e73f1a42c
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6935 |
2023-11-28 09:21
|
microsoftdeltedentirefileschac... 880f0c9bc44adc32f0cab0a386d338ee
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit crashed |
|
|
|
|
3.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6936 |
2023-11-27 10:05
|
 a.ps1 d80666f445b6a86fbf383d69186a2cae
Generic Malware Antivirus VirusTotal Malware Check memory Creates executable files unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.4 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6937 |
2023-11-27 10:02
|
 traff.html 1741302811bd4ccf06fe466aa79a7c4f
Suspicious_Script_Bin AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6938 |
2023-11-27 09:39
|
 balotek2.1.exe cf52e32f7257ad06e9436c2090585f55
NSIS Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.earthdatascape.com/t2ti/?tXxh=kstlMeg9IcwzJYyFLKGxy4q3LInO5BAGxn+RlyiQLQgBmQ7dbCQPEHLv7OQh7nVjyOSdc9Py&U48Hj=Nte0PL1048jDrzg
http://www.merelweb.com/t2ti/?tXxh=BOOThCPjnUM7lSCFBnH2BimjClSgW0h7VqsAOgTwhlCUKhxaVw8OFbF4wmCxnm287AtkZOd7&U48Hj=Nte0PL1048jDrzg
http://www.studio352events.com/t2ti/?tXxh=8VRVJ2RxNdqDCe39p/mzazLWBvMIpzi1TvcwnZg1FNPprXhJpJwCdr2o+lwBqF61wTFgCK1+&U48Hj=Nte0PL1048jDrzg
http://www.office-honu.com/t2ti/?tXxh=tZ9f+xkGPYGlMQD6QUQgW7Bu5011mP3F3RfKADEubwWsw8RZnTP/abNvRo2Y4yuWOfFkav01&U48Hj=Nte0PL1048jDrzg
|
8
www.office-honu.com(163.44.185.180)
www.studio352events.com(208.91.197.132)
www.earthdatascape.com(62.149.128.45)
www.merelweb.com(172.67.158.89)
163.44.185.180
104.21.82.142
208.91.197.132 - mailcious
62.149.128.45 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6939 |
2023-11-27 09:38
|
 UnityLibManager.exe 1cf04f58323fc1139560daee9b3d1831
Gen1 RedLine stealer NSIS Downloader Generic Malware Malicious Library UPX Malicious Packer Javascript_Blob Anti_VM PE32 PE File ftp DLL PE64 OS Processor Check MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder IP Check Ransomware crashed |
|
1
|
|
|
6.2 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6940 |
2023-11-27 09:38
|
 amd.exe f4ba796f39305262e65d0ebd9d0ee33e
Amadey Themida Packer Malicious Library UPX Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS Anti_VM AntiDebug AntiVM PE32 PE File DLL OS Processor Check .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces suspicious process AppData folder WriteConsoleW VMware anti-virtualization installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed Downloader |
2
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993
http://185.172.128.113/hv.exe
|
5
45.77.97.135
185.172.128.113
142.251.220.46
185.172.128.100 - mailcious
138.201.120.172 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Arechclient2 Backdoor CnC Init
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
23.8 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6941 |
2023-11-27 09:36
|
 PsExec.exe 9f26f723df0ce1ad3e928f983dffc61e
Malicious Library .NET framework(MSIL) UPX PE32 PE File MZP Format JPEG Format DLL .NET EXE VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
1
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
|
7
docs.google.com(142.250.206.206) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - mailcious
69.42.215.252
142.251.220.46
162.125.84.18 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6942 |
2023-11-27 09:34
|
windows_amd64.exe 42da12e3d8a9fc15574df76234e52b57
UPX PE File PE64 VirusTotal Malware Check virtual network interfaces DNS |
|
1
|
1
SURICATA Applayer Detect protocol only one direction
|
|
3.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6943 |
2023-11-27 09:33
|
 client.exe 0170f9a9cf779fefa88e3a93dd551712
Malicious Library Malicious Packer Antivirus UPX PE File PE64 ftp OS Processor Check WriteConsoleW |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6944 |
2023-11-27 09:31
|
 updater.exe 2ef140966b38a9c3025a123423e36667
Gen1 RedLine stealer NSIS Downloader Generic Malware Malicious Library UPX Malicious Packer Anti_VM Javascript_Blob PE32 PE File ftp DLL OS Processor Check PE64 MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Ransomware |
|
|
|
|
3.2 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6945 |
2023-11-27 09:30
|
 hv.exe 36bd43b2792ce1ea475f91074eb2ef61
Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX Malicious Library PE32 PE File .NET EXE DLL OS Processor Check VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Windows Cryptographic key crashed |
|
|
|
|
8.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|