7246 | 2023-11-06 09:52
nonnyzx.exe | MD5 a7871243c89d91c612b5611003531e30
Tags: UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself
URLs: none
Hosts: none
Suricata alerts: none
Score 2.6 | 53 | ZeroCERT

7247 | 2023-11-06 09:51
d-7 | MD5 802cf804f8e94474c805d2fba97c2f41
Tags: Malicious Library Downloader UPX AntiDebug AntiVM PE File DLL PE32 JPEG Format ZIP Format Malware download VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Windows utilities suspicious process sandbox evasion Windows Browser ComputerName DNS Downloader
URLs (4):
  http://202.79.173.167:8000/4
  http://202.79.173.167:8000/1
  http://202.79.173.167:8000/2
  http://202.79.173.167:8000/3
Hosts (2):
  feetifu.net()
  202.79.173.167
Suricata alerts (5):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE JS/WSF Downloader Dec 08 2016 M7
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
Score 8.2 | 37 | ZeroCERT

7248 | 2023-11-06 09:51
defounderzx.exe | MD5 2ed10c1ecb18c82e28180b08eb96fbc2
Tags: LokiBot .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Discord Browser Email ComputerName DNS crashed keylogger
URLs (1):
  https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR
Hosts (2):
  discordapp.com(162.159.130.233) - malicious
  162.159.129.233 - malware
Suricata alerts (3):
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 12.6 | 44 | ZeroCERT

7249 | 2023-11-06 09:49
amday.exe | MD5 3e478dcc2a01b6115012627f06045690
Tags: Themida Packer Downloader UPX Malicious Packer VMProtect Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM Malware download Amadey VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process AppData folder malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Remote Code Execution Firmware DNS crashed Downloader
URLs (3):
  http://185.172.128.100/u6vhSc3PPq/index.php
  http://tinsignsnmore.com/clips.exe
  http://cynorix.com/mnr.exe
Hosts (5):
  cynorix.com(64.34.75.145)
  tinsignsnmore.com(45.79.14.106) - malware
  64.34.75.145 - malicious
  185.172.128.100
  45.79.14.106 - malware
Suricata alerts (5):
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
Score 16.2 | 28 | ZeroCERT

7250 | 2023-11-06 09:48
Output.exe | MD5 f5c18dc1c7bb825ab9355fcf0772f398
Tags: UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS
URLs: none
Hosts (1):
  185.119.88.77 - malicious
Suricata alerts: none
Score 2.2 | 12 | ZeroCERT

7251 | 2023-11-06 09:45
governorzx.exe | MD5 45ab39f2cc353535047f5a5d4e8bcbd1
Tags: LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
URLs: none
Hosts (4):
  webmail.euroschool-bg.com(185.119.88.77)
  api.ipify.org(173.231.16.77)
  185.119.88.77 - malicious
  104.237.62.212
Suricata alerts (6):
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE AgentTesla Exfil Via SMTP
Score 12.4 | 47 | ZeroCERT

7252 | 2023-11-06 09:43
MMkNn.exe | MD5 576ea37ddee70b9062761e4bcc0c6a64
Tags: RedLine Infostealer UltraVNC Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows DNS Cryptographic key crashed
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
  transfer.sh(144.76.136.153) - malware
  121.254.136.9
  144.76.136.153 - malicious
Suricata alerts (5):
  ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
Score 4.0 | 55 | ZeroCERT

7253 | 2023-11-06 09:41
soyazx.exe | MD5 6713d6eadee3ad9164e66e555eaa16ee
Tags: Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2):
  http://www.robinsons-pools.com/s20a/?5j=X0kB3yCe2DbMHBjyZyduHI61R9zJKpP/1yM9ANRcG2StAR10Wwf8tUVEWg3X5jDkk9455Rxw&vTax-=LJBPmD1
  http://www.25egypt.net/s20a/?5j=KTT9+VCcA37+xtRGjaV8luty/MFMKL8hzZvZ6YYNfMtl9gwTEgJdqydErXPa1splGINEUr1P&vTax-=LJBPmD1
Hosts (5):
  www.robinsons-pools.com(13.248.243.5)
  www.25egypt.net(3.64.163.50)
  www.alexpresswholesaler.com()
  3.64.163.50 - malicious
  76.223.105.230 - malicious
Suricata alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score 8.4 | 35 | ZeroCERT

7254 | 2023-11-06 09:41
spacezx.exe | MD5 1536cc9a88c87ba6a5e0dc22e2b876c2
Tags: PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
URLs: none
Hosts: none
Suricata alerts: none
Score 2.6 | 48 | ZeroCERT

7255 | 2023-11-06 09:41
s5.exe | MD5 e4c5c50d9c573109411348e4c7f79dd8
Tags: Malicious Library UPX Http API HTTP Internet API AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS
URLs (8):
  http://85.209.11.204/api/files/client/s54
  http://85.209.11.204/api/files/client/s51
  http://85.209.11.204/ip.php
  http://85.209.11.204/api/files/client/s53
  http://85.209.11.204/api/files/client/s52
  http://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
  https://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
  https://script.googleusercontent.com/macros/echo?user_content_key=rq3I6Pvq31ESr42SRVFCcH8cBMrOvGfc9LjrAFAjXKqooXQVZnHoVSKZ49ywNUr7mn_h-t_4xp16ZbQUh0u7vYizKKleUSwSOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa0CRDStSlAiWe9EsIf9E4ZPsnymwtpgwALY3ZEKNbUPKTwCm-q5YBdK9ax9ulRNROyEZlBVHKdgUzc9XRB8G-pFIaTITfR7fJ9yLw_QwlOLh3sVTfjuTogDzV_l7Cl_ErHbadLHwSTw0RLfCUlcjW3aqDyDBdoyuR54_mWWztr2JN0ZmedBznvo&lib=MGiFI8QOoThWusP0Kv6sJRfccXc-Ar0ZC
Hosts (5):
  script.google.com(142.250.206.238)
  script.googleusercontent.com(142.250.206.225)
  85.209.11.204
  172.217.24.78
  142.251.220.33
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 12.4 | 39 | ZeroCERT

7256 | 2023-11-06 09:40
whesilozx.exe | MD5 a117d7af8f85cacb310671b834482605
Tags: LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed keylogger
URLs: none
Hosts (2):
  cp5ua.hyperhost.ua(91.235.128.141)
  91.235.128.141
Suricata alerts (2):
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 11.8 | 37 | ZeroCERT

7257 | 2023-11-06 09:37
patch.exe | MD5 836f7ee9f560b60cd68b2e3b3b6e1a26
Tags: Malicious Library UPX ASPack PE File PE32 ZIP Format ftp VirusTotal Malware PDB Creates executable files unpack itself AppData folder
URLs: none
Hosts: none
Suricata alerts: none
Score 2.4 | 12 | ZeroCERT

7258 | 2023-11-06 09:37
isbinzx.exe | MD5 f297b0f6ff8bace56e8bc669a63df2a7
Tags: Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
URLs: none
Hosts (3):
  www.tcbbuilds.com()
  www.lambdasigmarho.com()
  www.vurporn.com()
Suricata alerts: none
Score 9.2 | 44 | ZeroCERT

7259 | 2023-11-06 09:35
kellyzx.exe | MD5 76a433c70bad5aa138a6c1ee1597dbb8
Tags: LokiBot .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs suspicious TLD installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://kelly.spencerstuartllc.top/_errorpages/kelly/five/fre.php
Hosts (2):
  kelly.spencerstuartllc.top(172.67.137.192)
  172.67.137.192
Suricata alerts (9):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP Request to a *.top domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Score 13.6 | 50 | ZeroCERT

7260 | 2023-11-06 09:34
millianozx.exe | MD5 4aec69a71dff9be27f998272b34a445d
Tags: PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
URLs: none
Hosts: none
Suricata alerts: none
Score 2.6 | 50 | ZeroCERT
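Using a feed in this flattened form means turning each record back into fields before its indicators can be blocklisted or correlated. The Python below is an added example written for this page; it is not code from ZeroCERT or from the sandbox that produced these reports. It assumes the layout visible above: an id line, a timestamp, a "filename md5 tags" line, then for each non-empty column a bare count followed by a space-joined list (URLs, hosts, Suricata alerts), then the score line, a second number the listing never names, and the submitter. It further assumes that a lone "|" line is an empty column, that "name()" means the name did not resolve, and that every alert name begins with "ET", "SSLBL:" or "SURICATA", which is the only handle for splitting the joined alert string. The sample input is constructed from entries 7250 and 7259 with their tag lists shortened, keeping the feed's own spelling "mailcious".

```python
"""Parse flattened ZeroCERT-style sandbox listing records into structured IOCs."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: entries 7250 and 7259 of the listing in raw flattened form,
# tags shortened. "mailcious" is kept exactly as the feed emits it.
RAW = """\
7250 |
2023-11-06 09:48
|
Output.exe f5c18dc1c7bb825ab9355fcf0772f398 UPX .NET framework(MSIL) PE File PE32 .NET EXE Malware ComputerName DNS |
1
185.119.88.77 - mailcious
2.2 |
12 |
ZeroCERT
7259 |
2023-11-06 09:35
kellyzx.exe 76a433c70bad5aa138a6c1ee1597dbb8 LokiBot .NET framework(MSIL) PWS PE File PE32 .NET EXE c&c suspicious TLD |
1
http://kelly.spencerstuartllc.top/_errorpages/kelly/five/fre.php
2
kelly.spencerstuartllc.top(172.67.137.192) 172.67.137.192
9
ET DNS Query to a *.top domain - Likely Hostile ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP Request to a *.top domain ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
13.6 |
50 |
ZeroCERT
"""
ID_RE = re.compile(r"^(\d+) \|$")            # "7259 |"
SCORE_RE = re.compile(r"^(\d+\.\d+) \|$")    # "13.6 |"
# A host token is "name(ip)" or a bare IPv4, optionally followed by "- label".
HOST_RE = re.compile(r"(?P<host>\S+?\([^)]*\)|\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+(?P<label>\w+))?")
# Every alert name on the page starts with one of these prefixes; splitting on them
# is an assumption that breaks if names from another ruleset are mixed in.
ALERT_SPLIT = re.compile(r"\s+(?=ET [A-Z]+ |SSLBL: |SURICATA )")
Host = namedtuple("Host", "name resolved label")  # resolved is None for "name()" (assumed: unresolved)

@dataclass
class Record:
    id: str
    timestamp: str
    filename: str
    md5: str
    tags: str                                # space-joined tag names, no delimiter
    score: float | None = None
    urls: list[str] = field(default_factory=list)
    hosts: list[Host] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)

def parse_hosts(text: str) -> list[Host]:
    hosts = []
    for m in HOST_RE.finditer(text):
        token, label = m.group("host"), m.group("label")
        name, _, ip = token[:-1].partition("(") if token.endswith(")") else (token, "", token)
        hosts.append(Host(name, ip or None, label))
    return hosts

def parse_listing(raw: str) -> list[Record]:
    lines = [l for l in map(str.strip, raw.splitlines()) if l and l != "|"]  # "|" = empty column
    records, i = [], 0
    while i < len(lines):
        if not (m := ID_RE.match(lines[i])):
            raise ValueError(f"expected a record id, got {lines[i]!r}")
        name, md5, tags = (lines[i + 2].rstrip("| ").split(None, 2) + [""])[:3]
        rec = Record(m.group(1), lines[i + 1], name, md5, tags)
        i += 3
        # Up to three (count, list) blocks follow. Empty columns leave no placeholder,
        # so each block is classified by its content rather than by its position.
        while i + 1 < len(lines) and lines[i].isdigit():
            expected, body = int(lines[i]), lines[i + 1]
            if body.startswith(("http://", "https://")):
                items = rec.urls = body.split()
            elif body.startswith(("ET ", "SSLBL:", "SURICATA")):
                items = rec.alerts = ALERT_SPLIT.split(body)
            else:
                items = rec.hosts = parse_hosts(body)
            if len(items) != expected:
                rec.problems.append(f"count {expected} but parsed {len(items)}: {body[:40]!r}")
            i += 2
        # Fixed trailer: score line, an unnamed second number, submitter name.
        if i + 2 >= len(lines) or not (m := SCORE_RE.match(lines[i])):
            raise ValueError(f"record {rec.id}: unexpected trailer {lines[i:i + 3]!r}")
        rec.score = float(m.group(1))
        i += 3
        records.append(rec)
    return records

def extract_iocs(records: list[Record]) -> dict[str, set[str]]:
    """Deduplicated indicators across records, split into url / domain / ip."""
    iocs: dict[str, set[str]] = {"url": set(), "domain": set(), "ip": set()}
    for rec in records:
        iocs["url"].update(rec.urls)
        for h in rec.hosts:
            # A bare IP parses with name == resolved; a domain never does.
            iocs["ip" if h.name == h.resolved else "domain"].add(h.name)
            if h.resolved:
                iocs["ip"].add(h.resolved)
    return iocs
```

parse_listing(RAW) returns two Record objects, and extract_iocs collapses them into the fre.php URL, the .top domain and two IPs. Because empty columns leave no placeholder, block type is decided by content (an http(s) prefix means URLs, an ET/SSLBL/SURICATA prefix means alerts, anything else is hosts), and a count that disagrees with what was parsed is recorded in Record.problems instead of being accepted silently; that is where a failed alert split will surface. Two things the listing shows that the parser deliberately does not interpret: the second numeric column is not named anywhere on the page, so it is skipped, and the "SSLBL ... (Tofsee)" JA3 alert fires on samples tagged LokiBot, RedLine and AgentTesla alike, so a JA3 match in this feed is a client-fingerprint hit, not a family attribution.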