6931 | 2023-11-28 09:23 | htmljason.vbs e64be178e12b020963cc38980edc18f8 VirusTotal Malware wscript.exe payload download Tofsee |
1
|
2
paste.ee(172.67.187.200) - mailcious 172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 | M | 16 | ZeroCERT
6932 | 2023-11-28 09:21 | wlanext.exe 9aeed55e2703a03cf9e922dc695db1ab Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser ComputerName DNS |
16
|
24
|
5
ET INFO HTTP Request to a *.top domain ET INFO Observed DNS Query to .biz TLD ET DNS Query to a *.top domain - Likely Hostile ET INFO Observed DNS Query to .life TLD ET INFO HTTP Request to Suspicious *.life Domain
|
12
|
10.6 | M | 31 | ZeroCERT
6933 | 2023-11-28 09:21 | MicrosoftbrowserEdgeentierhist... 1363064ab295a3d2cb98232cc188eb42 Formbook MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware RWX flags setting exploit crash Windows Exploit DNS crashed |
|
16
|
10
ET INFO HTTP Request to Suspicious *.life Domain ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET DNS Query to a *.top domain - Likely Hostile ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO HTTP Request to a *.top domain ET INFO Observed DNS Query to .life TLD SURICATA HTTP Request abnormal Content-Encoding header
|
14
|
3.4 | M | 34 | ZeroCERT
6934 | 2023-11-28 09:21 | InstallSetup2.exe 631a53494c133f38982b1c8e73f1a42c PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.2 | M | 35 | ZeroCERT
6935 | 2023-11-28 09:21 | microsoftdeltedentirefileschac... 880f0c9bc44adc32f0cab0a386d338ee MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit crashed |
|
|
|
|
3.2 | M | 30 | ZeroCERT
6936 | 2023-11-27 10:05 | a.ps1 d80666f445b6a86fbf383d69186a2cae Generic Malware Antivirus VirusTotal Malware Check memory Creates executable files unpack itself Windows DNS Cryptographic key |
|
|
|
|
2.4 | | 10 | ZeroCERT
6937 | 2023-11-27 10:02 | traff.html 1741302811bd4ccf06fe466aa79a7c4f Suspicious_Script_Bin AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 | | | ZeroCERT
6938 | 2023-11-27 09:39 | balotek2.1.exe cf52e32f7257ad06e9436c2090585f55 NSIS Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
|
8
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.2 | M | 48 | ZeroCERT
6939 | 2023-11-27 09:38 | UnityLibManager.exe 1cf04f58323fc1139560daee9b3d1831 Gen1 RedLine stealer NSIS Downloader Generic Malware Malicious Library UPX Malicious Packer Javascript_Blob Anti_VM PE32 PE File ftp DLL PE64 OS Processor Check MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder IP Check Ransomware crashed |
|
1
|
|
|
6.2 | | 1 | ZeroCERT
6940 | 2023-11-27 09:38 | amd.exe f4ba796f39305262e65d0ebd9d0ee33e Amadey Themida Packer Malicious Library UPX Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS Anti_VM AntiDebug AntiVM PE32 PE File DLL OS Processor Check .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces suspicious process AppData folder WriteConsoleW VMware anti-virtualization installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed Downloader |
2
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993 http://185.172.128.113/hv.exe
|
5
45.77.97.135 185.172.128.113 142.251.220.46 185.172.128.100 - mailcious 138.201.120.172 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Arechclient2 Backdoor CnC Init ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
23.8 | M | 60 | ZeroCERT
6941 | 2023-11-27 09:36 | PsExec.exe 9f26f723df0ce1ad3e928f983dffc61e Malicious Library .NET framework(MSIL) UPX PE32 PE File MZP Format JPEG Format DLL .NET EXE VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
1
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
|
7
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 | M | 63 | ZeroCERT
6942 | 2023-11-27 09:34 | windows_amd64.exe 42da12e3d8a9fc15574df76234e52b57 UPX PE File PE64 VirusTotal Malware Check virtual network interfaces DNS |
|
1
|
1
SURICATA Applayer Detect protocol only one direction
|
|
3.6 | M | 41 | ZeroCERT
6943 | 2023-11-27 09:33 | client.exe 0170f9a9cf779fefa88e3a93dd551712 Malicious Library Malicious Packer Antivirus UPX PE File PE64 ftp OS Processor Check WriteConsoleW |
|
|
|
|
1.4 | M | | ZeroCERT
6944 | 2023-11-27 09:31 | updater.exe 2ef140966b38a9c3025a123423e36667 Gen1 RedLine stealer NSIS Downloader Generic Malware Malicious Library UPX Malicious Packer Anti_VM Javascript_Blob PE32 PE File ftp DLL OS Processor Check PE64 MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Ransomware |
|
|
|
|
3.2 | | 3 | ZeroCERT
6945 | 2023-11-27 09:30 | hv.exe 36bd43b2792ce1ea475f91074eb2ef61 Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX Malicious Library PE32 PE File .NET EXE DLL OS Processor Check VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Windows Cryptographic key crashed |
|
|
|
|
8.2 | | 15 | ZeroCERT