7786 | 2023-10-12 09:28 | bQ6f.exe 955a7deb29f4b03b35faa62100d416fd Malicious Packer Downloader ScreenShot AntiDebug AntiVM PE File PE32 Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS DDNS keylogger |
1 | http://geoplugin.net/json.gp |
4 | geoplugin.net(178.237.33.50) salwanazeeze.duckdns.org(172.111.167.99) - mailcious 178.237.33.50 172.111.167.99 - mailcious |
3 | ET JA3 Hash - Remcos 3.x TLS Connection ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
11.6 | | 56 | ZeroCERT

7787 | 2023-10-12 07:52 | sihost.exe 7f6feed7fc881b9b450fb7f3b726c2ae AgentTesla Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2 | api.ipify.org(104.237.62.212) 173.231.16.77 |
4 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
14.0 | M | 22 | ZeroCERT

7788 | 2023-10-12 07:50 | macbomard2.1.exe 7f4be9fcb7371a4a4c98462602a33639 NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4 | http://www.new-minerals.com/t6tg/?Tj=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&RX=dn98bVV8c4CP http://www.tugerdi.site/t6tg/?Tj=Za8NgA951HtgEMA/N1pbqY3Eng45w2byd25/9jAsmGZLSXWq5l9klRymntmNRw3MeMdtayU2&RX=dn98bVV8c4CP http://www.aspiredstudio.com/t6tg/?Tj=2Be6iIgSXmfB1nqJxUfd7To44XQGyUfcHTuBHOXScd6rc4VNel4uavXkn/Sr1IDzPZX3+Zir&RX=dn98bVV8c4CP http://www.ocoala.com/t6tg/?Tj=Bo69CXQCSq8YAZlSXsSXSHHhzBc0NkTLrUDc3+XWv9vtXAWnC5Ex0xTxf+gUzISZTYrGWz37&RX=dn98bVV8c4CP |
9 | www.tugerdi.site(93.89.226.17) www.abstractcertify.com() www.aspiredstudio.com(199.36.158.100) www.ocoala.com(13.248.169.48) www.new-minerals.com(103.146.179.167) 76.223.54.146 93.89.226.17 - mailcious 103.146.179.167 199.36.158.100 - phishing |
1 | ET MALWARE FormBook CnC Checkin (GET) |
4.0 | M | 37 | ZeroCERT

7789 | 2023-10-12 07:48 | 5ea275.exe 1c576ece1cb918832be3d9e5f665388b Themida Packer Generic Malware UPX Anti_VM PE File PE32 VirusTotal Malware Check memory unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization Windows Firmware crashed |
7.8 | M | 56 | ZeroCERT

7790 | 2023-10-12 07:47 | random.exe c47b267a11aaf34abcf7ceec04e629c1 Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware |
0.8 | M | 16 | ZeroCERT

7791 | 2023-10-12 07:45 | sa.exe 3e2647ddf841fd56db65ef710f6801f8 Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 | | 58 | ZeroCERT

7792 | 2023-10-12 07:45 | smss.exe ced4af5a976fb361bfded06260f5985f Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
3.0 | | 33 | ZeroCERT

7793 | 2023-10-12 02:23 | up.exe 5e6716377dc71d7fa5c97d778c154ce4 Malicious Packer PE File PE32 MZP Format Lnk Format GIF Format VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself AntiVM_Disk anti-virtualization VM Disk Size Check human activity check Interception ComputerName Remote Code Execution Firmware crashed |
1 | http://1717mu.1000uc.com/gg.htm |
4 | jq.727mu.com(61.147.93.44) 1717mu.1000uc.com(47.246.29.9) 61.147.93.44 47.246.29.10 |
9.2 | | 55 | malware123

7794 | 2023-10-11 18:38 | cleanse.exe 0e85f5058fa30907be18273932a6f917 Generic Malware Antivirus Malicious Library UPX Anti_VM PE File PE32 .NET EXE OS Processor Check ZIP Format BMP Format CHM Format DLL MSOffice File JPEG Format Word 2007 file format(docx) VirusTotal Malware Check memory Checks debugger unpack itself AppData folder Ransomware |
3.0 | M | 15 | ZeroCERT

7795 | 2023-10-11 18:36 | typhon.exe 3fad6c3e0604ee091f2b2a61a91e2b4d Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Telegram Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee ComputerName DNS |
2 | http://api.ipify.org/ https://ipapi.co/175.208.134.152/json |
6 | ipapi.co(104.26.9.44) api.ipify.org(173.231.16.77) api.telegram.org(149.154.167.220) 104.26.9.44 - mailcious 104.237.62.212 149.154.167.220 |
7 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup api.ipify.org ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
4.4 | M | 20 | ZeroCERT

7796 | 2023-10-11 18:36 | build.exe 71535cb29a844c48321528d0fdfdb6d9 PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency Check memory unpack itself Auto service Check virtual network interfaces ComputerName Firmware DNS |
1 | |
2 | ET 3CORESec Poor Reputation IP group 16 ET POLICY Cryptocurrency Miner Checkin |
4.8 | M | 35 | ZeroCERT

7797 | 2023-10-11 18:12 | bQ5J.exe 82f98bb613a30f61ceb9ca7686f97847 PE File PE32 .NET EXE VirusTotal Malware Tofsee |
1 | http://apps.identrust.com/roots/dstrootcax3.p7c |
3 | pt.textbin.net(148.72.177.212) 148.72.177.212 - mailcious 121.254.136.18 |
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
1.6 | | 51 | ZeroCERT

7798 | 2023-10-11 18:12 | BYxYP9c1.ps1 ee4cabf85331d01dcc5fa75be75b5598 Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key crashed |
7.6 | | 27 | ZeroCERT

7799 | 2023-10-11 18:11 | Ooseha.exe cb75f58a8d5e9ab38bf5e6afdb09d7c8 Formbook UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
16 | http://www.onlyleona.com/kniu/ - rule_id: 36720 http://www.frefire.top/kniu/ - rule_id: 36723 http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717 http://www.poultry-symposium.com/kniu/ - rule_id: 36722 http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719 http://www.prosourcegraniteinc.com/kniu/?WvaMk96=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&tP=06tUJ - rule_id: 36717 http://www.theartboxslidell.com/kniu/ - rule_id: 36718 http://www.theartboxslidell.com/kniu/?WvaMk96=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&tP=06tUJ - rule_id: 36718 http://23.95.106.3/479/Kodviywuey.mp3 http://www.tsygy.com/kniu/?WvaMk96=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&tP=06tUJ - rule_id: 36721 http://www.onlyleona.com/kniu/?WvaMk96=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&tP=06tUJ - rule_id: 36720 http://www.tsygy.com/kniu/ - rule_id: 36721 http://www.xxkxcfkujyeft.xyz/kniu/?WvaMk96=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&tP=06tUJ - rule_id: 36719 http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip http://www.frefire.top/kniu/?WvaMk96=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&tP=06tUJ - rule_id: 36723 http://www.poultry-symposium.com/kniu/?WvaMk96=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&tP=06tUJ - rule_id: 36722 |
19 | www.onlyleona.com(172.67.132.228) - mailcious www.prosourcegraniteinc.com(216.239.34.21) - mailcious www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious www.frefire.top(67.223.117.37) - mailcious www.8956kjw1.com(103.71.154.243) www.theartboxslidell.com(199.59.243.225) - mailcious www.tsygy.com(23.104.137.185) - mailcious www.poultry-symposium.com(85.128.134.237) - mailcious www.pengeloladata.click() - mailcious 216.239.38.21 - phishing 23.104.137.185 - mailcious 23.95.106.3 - mailcious 199.59.243.225 67.223.117.37 - mailcious 85.128.134.237 - mailcious 216.240.130.67 - mailcious 104.21.13.143 103.71.154.243 45.33.6.223 |
12 | SURICATA HTTP unable to match response to request ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (POST) M2 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers ET HUNTING Request to .TOP Domain with Minimal Headers |
14 | http://www.onlyleona.com/kniu/ http://www.frefire.top/kniu/ http://www.prosourcegraniteinc.com/kniu/ http://www.poultry-symposium.com/kniu/ http://www.xxkxcfkujyeft.xyz/kniu/ http://www.prosourcegraniteinc.com/kniu/ http://www.theartboxslidell.com/kniu/ http://www.theartboxslidell.com/kniu/ http://www.tsygy.com/kniu/ http://www.onlyleona.com/kniu/ http://www.tsygy.com/kniu/ http://www.xxkxcfkujyeft.xyz/kniu/ http://www.frefire.top/kniu/ http://www.poultry-symposium.com/kniu/ |
11.4 | M | 43 | ZeroCERT

7800 | 2023-10-11 18:11 | KjAvj6Vu.ps1 ea8465175894190a7542d07bcea179b8 Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key crashed |
7.0 | | 27 | ZeroCERT