7321 |
2023-11-02 10:11
|
Firefoxwzexefile.vbs 0b7f2e1c70bb997a5b6f1b0072c23679 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://107.175.113.212/file/12345Warzone.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
2 |
ZeroCERT
7322 |
2023-11-02 10:11
|
12345Warzone.txt.exe 168457c869ff329fb895e314d1d8d61c Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check Remote Code Execution |
0.6 |
|
|
ZeroCERT
7323 |
2023-11-02 10:09
|
1stANzasWQA435786990Mqa9.js f757a1a6ca3595f7219e80540bcbbf52 Generic Malware Antivirus ActiveXObject PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://paste.ee/d/10dsb https://imageupload.io/ib/WJveX71agmOQ6Gw_1698762642.jpg
|
4
paste.ee(104.21.84.67) - malicious imageupload.io(172.67.222.26) - malware 172.67.222.26 - malware 104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
3 |
ZeroCERT
7324 |
2023-11-02 10:09
|
goblin.txt.exe faac5d3f56e2a6a204161fb0d29f49a6 Malicious Packer PE File PE32 .NET EXE |
ZeroCERT
7325 |
2023-11-02 10:08
|
cred64.dll 0111e5a2a49918b9c34cbfbf6380f3f3 Malicious Library UPX Anti_VM PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion installed browsers check Windows Browser DNS Software |
1
http://167.235.20.126/bjdm32DP/index.php
|
1
|
|
|
7.0 |
M |
27 |
ZeroCERT
7326 |
2023-11-02 10:07
|
clip64.dll 8da053f9830880089891b615436ae761 Amadey Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware PDB Malicious Traffic Checks debugger unpack itself DNS |
1
http://167.235.20.126/bjdm32DP/index.php
|
1
|
|
|
3.6 |
M |
38 |
ZeroCERT
7327 |
2023-11-02 10:05
|
HTMLIEbrowserHistorycache.vbs 857f884bf745995ea1ccd1275446201f VirusTotal Malware wscript.exe payload download Tofsee |
1
|
2
paste.ee(104.21.84.67) - malicious 172.67.187.200 - malicious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
3 |
ZeroCERT
7328 |
2023-11-02 07:51
|
IGCC.exe b559f853c534c533f75d09966aec1a81 Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
5
|
9
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.sunspotplumbing.com/sy22/
|
3.0 |
M |
|
ZeroCERT
7329 |
2023-11-02 07:48
|
strakonaj2.1.exe 4cb44bd5d786a7f2b53fd6d9602a2b8c NSIS Malicious Library UPX PE File PE32 OS Processor Check Check memory Creates executable files unpack itself AppData folder crashed |
3.2 |
M |
|
ZeroCERT
7330 |
2023-11-02 07:48
|
hussanzx.exe 83cdb597d20acd75dd60840276ca77b1 .NET framework(MSIL) PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself |
1.4 |
M |
|
ZeroCERT
7331 |
2023-11-02 07:46
|
litoptics2.1.exe 77e2b6a251b3ed0440f515824c1d67fd PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself |
1.4 |
|
|
ZeroCERT
7332 |
2023-11-02 07:46
|
haloup.exe 3e6ed1ceb52c1d4e9ef09cd3aebe7741 Malicious Library UPX PE File PE64 OS Processor Check |
0.2 |
|
|
ZeroCERT
7333 |
2023-11-01 19:37
|
Biacs.exe 8bbba1d1448825a0c428dc296573cf8d Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Windows DNS Cryptographic key |
21
|
24
|
12
ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.top domain - Likely Hostile ET INFO Dotted Quad Host PDF Request SURICATA HTTP unable to match response to request ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers ET HUNTING Request to .TOP Domain with Minimal Headers
|
18
|
11.0 |
M |
30 |
ZeroCERT
7334 |
2023-11-01 18:48
|
IGCC.exe f26a2f5b20109013af6303c9adc2546d Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader .NET framework(MSIL) Antivirus Create Service Socket ScreenShot Escalate privileges PWS Sniff Audio DNS Internet API KeyLogger AntiDebug Remcos VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) sembe.duckdns.org(194.187.251.115) 178.237.33.50 194.187.251.115
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET JA3 Hash - Remcos 3.x TLS Connection
|
|
13.4 |
M |
27 |
ZeroCERT
7335 |
2023-11-01 18:47
|
2xf9uf.bat 0f74a2178106172bd65f8bda36eb2572 Generic Malware Downloader Antivirus UPX Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key |
5.8 |
|
6 |
ZeroCERT