| 7561 |
2023-10-20 17:38
|
 n1.txt.vbs 86b1b6e92a96b3af518441183ee8fe21
Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7562 |
2023-10-20 17:37
|
 n.txt.vbs d3a0f829492384059994c6d1c53d9d5f
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://185.81.157.213:222/a3.jpg
|
2
185.81.157.213 - mailcious
172.111.167.99 - mailcious
|
2
ET HUNTING [TW] Likely Hex Executable String
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
|
|
7.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7563 |
2023-10-20 17:36
|
lllllillilililiil.vbs c22b3eab9a5dbb2ac744e6d3c683bc30
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://94.156.253.236/yeyeyeyyeeyyeyeye.txt
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7564 |
2023-10-20 17:36
|
 bQK0.exe 7910bff79818720386ddbf4fa2d00b3c
Malicious Packer Downloader ScreenShot AntiDebug AntiVM PE File PE32 Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
salwanazeeze.duckdns.org(172.111.167.99) - mailcious
178.237.33.50
172.111.167.99 - mailcious
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
11.6 |
|
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7565 |
2023-10-20 17:36
|
 gen.txt.vbs 73e726752629a1a3dba427ec1c2927fa
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://185.81.157.213:222/9X.jpg
|
1
185.81.157.213 - mailcious
|
|
|
9.2 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7566 |
2023-10-20 17:33
|
 a3_2.jpg.exe d08f3729495ae6ed7e5d63e605c80cb1
.NET DLL PE File DLL PE32 VirusTotal Malware PDB |
|
|
|
|
1.4 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7567 |
2023-10-20 16:35
|
 a3.jpg.exe ca0299d9cfce19b30bedc50656f16983
AsyncRAT UPX Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check Malware download AsyncRAT NetWireRC Malware DNS DDNS |
|
2
rxrr.duckdns.org(185.81.157.213) - mailcious
185.81.157.213 - mailcious
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
0.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7568 |
2023-10-20 16:35
|
 2.txt.ps1 133848a60273204305d389b93d512a2b
Generic Malware Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.2 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7569 |
2023-10-20 16:35
|
 0ef3m78ofl.js 294821b2898d04ac7d4972e00582c64d
Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
2
http://rxrr.duckdns.org:222/g.jpg
http://rxrr.duckdns.org:222/n1.txt
|
2
rxrr.duckdns.org(185.81.157.213) - mailcious
185.81.157.213 - mailcious
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
|
|
6.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7570 |
2023-10-20 09:26
|
HTMLincache.doc 0f8b57f118a80ad75a56a9bb3f1206ea
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://94.156.253.236/lllllillilililiil.vbs
|
3
wallpapercave.com(104.22.53.71) - malware
172.67.29.26 - malware
94.156.253.236 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7571 |
2023-10-20 07:34
|
 macringa2.1.exe f231a02d229e5f504eacc706629ae2f1
NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.jys639.com/t6tg/?ARr=iZSd4WcVLoxrty2SI4zYYm+k8zxr4doV+JNRrflDFWaXgV8umUmWRFTZcO/6j4IcEfQ2bA86&ndlpdZ=u4itArTPyX7D
http://www.verificardsa.com/t6tg/?ARr=e3AQhDkaG9eafEaUpLL/rSilDzf/hET9ej10VBCXgx4U67QE0b9NWX3D0BBjP0VOu+agMW4z&ndlpdZ=u4itArTPyX7D
http://www.izeera.com/t6tg/?ARr=m529FBdnR7W3BTzP5MxjwgE+mkLjoMm+UZfynz2FhzEQtAjK+eSB/JNk4Nuy1iudF5erJ+NJ&ndlpdZ=u4itArTPyX7D
http://www.nextino.app/t6tg/?ARr=hbKaBdJJ6vFN8tzB35DGgEHrZG9ClC0kvKQfUGuMd838c0khCL09IqdRU/B5FhQhg2CjjGkb&ndlpdZ=u4itArTPyX7D
|
8
www.jys639.com(203.210.27.41)
www.nextino.app(91.195.240.19)
www.verificardsa.com(23.145.120.242)
www.izeera.com(185.199.111.153)
91.195.240.19 - mailcious
23.145.120.242
203.210.27.41
185.199.109.153 - malware
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7572 |
2023-10-20 07:32
|
 truever0510dn.exe 93556130a3846a62780b2b331cd19ea0
Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE File PE32 CAB OS Processor Check PE64 DLL ftp DllRegisterServer dll PNG Format Malware PDB Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Tofsee ComputerName DNS |
1
https://i.imgur.com/pRZqSZX.png
|
7
i.imgur.com(146.75.92.193) - mailcious
ctrip.com(114.80.56.121)
i.ibb.co(172.96.160.210) - mailcious
104.194.8.143 - mailcious
146.75.92.193 - mailcious
51.15.65.182 - mailcious
114.80.56.121
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7573 |
2023-10-20 07:32
|
 yes.exe 355e758c66e73f61dbaaeb7174f74de0
PE File PE64 |
|
|
|
|
0.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7574 |
2023-10-20 07:31
|
 newumma.exe dfd00cebfa70ea1470514e2c03770fd4
Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 OS Processor Check PE64 Malware download Amadey Cryptocurrency Miner Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kelihos Tofsee Windows ComputerName DNS CoinMiner |
4
http://79.137.192.18/latestX.exe - rule_id: 37269
http://galandskiyher5.com/downloads/toolspub2.exe - rule_id: 37268
http://193.42.33.7/mbSDvj3/index.php
https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe - rule_id: 37364
|
13
rangeroverfan.org(172.67.165.223) - malware
galandskiyher5.com(194.169.175.127) - malware
foxandcatbet.org(104.21.71.26) - malware
pastebin.com(104.20.67.143) - mailcious
xmr-eu1.nanopool.org(51.15.193.130) - mailcious
51.255.34.118
193.42.33.7 - mailcious
194.169.175.127 - malware
79.137.192.18 - malware
104.21.66.240
104.21.71.26 - malware
51.15.65.182 - mailcious
172.67.34.170 - mailcious
|
10
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
|
3
http://79.137.192.18/latestX.exe
http://galandskiyher5.com/downloads/toolspub2.exe
https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe
|
12.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7575 |
2023-10-20 07:29
|
 198.exe 0171e926fc187d40081567eeb2b2ef27
Malicious Library UPX PE File PE32 OS Processor Check |
|
|
|
|
0.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|