| 7831 |
2023-10-11 10:58
|
 REQUEST FOR OFFER.exe 40a0594721777a253cd4481267194ff9
Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
2.8 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7832 |
2023-10-11 08:07
|
 updat1.exe 571ea8843de2bd01744f6caba0e202ea
Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.0 |
M |
29 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7833 |
2023-10-11 08:03
|
 sihost.exe 7ee626b72a7112befb6febbb8f635ede
LokiBot Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
13.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7834 |
2023-10-11 08:01
|
 marcolite2.1.exe 71ea87bcc822a68c4ef492ecbdba37f6
NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
1
http://www.cysh100th.com/t6tg/?RVE=C4RGcRJ+oFeN6Dw5JyxSSWJXrhqNO9HSkiwUjsu5KAkN06m/6Uw6tkK+9OBn6uuuNd9cxUAj&oX=Txo8ntIpM8sp
|
5
www.ascend-help.tech()
www.ep0i.com()
www.cysh100th.com(66.235.200.146)
www.adam-automatik.com()
66.235.200.146 - malware
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7835 |
2023-10-11 07:59
|
 fbinzx.exe 00b27694025e82652c1976c6745a2de1
Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
http://www.couturewrap.com/btrd/?I6h=SG9A3Pt3xYazNmDlDw9fHiFSCreErl1UBTZXmuPCTcYswo69CAuXyrO6p7GwaEZoJbh+8dJR&nfutZl=xPJxZ6jp - rule_id: 34170
http://www.zimmerli.online/btrd/?I6h=TxZDFykc/keWgTeXgWWLM6uN5HzrA8yC53jils16edLR65eOdlp3LoNC2wSzs0M9J4jN2BYo&nfutZl=xPJxZ6jp
|
5
www.zimmerli.online(128.65.195.180)
www.couturewrap.com(15.197.148.33) - mailcious
www.fxsecuretrading-option.com()
128.65.195.180 - mailcious
3.33.130.190 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.couturewrap.com/btrd/
|
8.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7836 |
2023-10-11 07:57
|
 sihost.exe 1d2e25e64e7c402540fa6ce6871257f4
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
3
api.ipify.org(64.185.227.156)
172.67.196.133 - mailcious
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7837 |
2023-10-11 07:57
|
 sihost.exe 8d91ce7f3a66bcfda11e488cc34c698f
Formbook UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor C FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
20
http://www.onlyleona.com/kniu/ - rule_id: 36720
http://www.palatepursuits.cfd/kniu/ - rule_id: 36726
http://www.onlyleona.com/kniu/?WwaYeLk_=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&154=h0P9RQvD - rule_id: 36720
http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
http://www.xxkxcfkujyeft.xyz/kniu/?WwaYeLk_=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&154=h0P9RQvD - rule_id: 36719
http://www.flyingfoxnb.com/kniu/?WwaYeLk_=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&154=h0P9RQvD - rule_id: 36725
http://www.palatepursuits.cfd/kniu/?WwaYeLk_=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&154=h0P9RQvD - rule_id: 36726
http://www.flyingfoxnb.com/kniu/ - rule_id: 36725
http://www.tsygy.com/kniu/?WwaYeLk_=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&154=h0P9RQvD - rule_id: 36721
http://www.theartboxslidell.com/kniu/ - rule_id: 36718
http://www.frefire.top/kniu/ - rule_id: 36723
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
http://www.theartboxslidell.com/kniu/?WwaYeLk_=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&154=h0P9RQvD - rule_id: 36718
http://23.95.106.3/350/122/Ekcflzifpij.mp3
http://www.poultry-symposium.com/kniu/?WwaYeLk_=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&154=h0P9RQvD - rule_id: 36722
http://www.frefire.top/kniu/?WwaYeLk_=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&154=h0P9RQvD - rule_id: 36723
http://www.poultry-symposium.com/kniu/ - rule_id: 36722
http://www.tsygy.com/kniu/ - rule_id: 36721
http://www.prosourcegraniteinc.com/kniu/?WwaYeLk_=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&154=h0P9RQvD - rule_id: 36717
|
24
www.palatepursuits.cfd(104.21.21.57) - mailcious
www.onlyleona.com(104.21.13.143) - mailcious
www.pengeloladata.click() - mailcious
www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
www.siteapp.fun() - mailcious
www.theartboxslidell.com(199.59.243.225) - mailcious
www.8956kjw1.com(103.71.154.243)
www.tsygy.com(23.104.137.185) - mailcious
www.frefire.top(67.223.117.37) - mailcious
www.poultry-symposium.com(85.128.134.237) - mailcious
www.flyingfoxnb.com(216.40.34.41) - mailcious
www.prosourcegraniteinc.com(216.239.36.21) - mailcious
216.239.38.21 - phishing
23.104.137.185 - mailcious
23.95.106.3 - mailcious
67.223.117.37 - mailcious
199.59.243.225
172.67.196.133 - mailcious
216.40.34.41 - mailcious
216.240.130.67 - mailcious
104.21.13.143
103.71.154.243
45.33.6.223
85.128.134.237 - mailcious
|
11
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
18
http://www.onlyleona.com/kniu/
http://www.palatepursuits.cfd/kniu/
http://www.onlyleona.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.flyingfoxnb.com/kniu/
http://www.palatepursuits.cfd/kniu/
http://www.flyingfoxnb.com/kniu/
http://www.tsygy.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.frefire.top/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.frefire.top/kniu/
http://www.poultry-symposium.com/kniu/
http://www.tsygy.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
|
11.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7838 |
2023-10-11 07:56
|
 updat1.exe 571ea8843de2bd01744f6caba0e202ea
Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7839 |
2023-10-11 07:55
|
 ishost.exe e8ba8c2f63e7d3e3cbf0dd2a426e4eb5
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
12.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7840 |
2023-10-11 07:52
|
 ishost.exe f83a1ebac520b7deea9613aa2a7765c4
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.77)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7841 |
2023-10-11 07:52
|
 googluk.exe 07b8df6ee60cd20723ba20794e15d438
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.77)
104.237.62.212
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
10.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7842 |
2023-10-11 07:51
|
 romankon2.1.exe f66044875f6dff90814d4b09be15bde7
NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0
http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0
http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0
http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0
|
9
www.bowllywood.com(156.241.138.74)
www.qianxz109.xyz()
www.seoulbeautytw.com(151.101.194.236)
www.oneresi.com(15.197.148.33)
www.trailblazerbaby.com(198.49.23.144)
146.75.50.236
15.197.148.33
156.241.138.74
198.49.23.145 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7843 |
2023-10-11 07:50
|
 strim2.exe f43edef896d4995aa3c4b488bbc3dab2
UPX PE File PE64 OS Processor Check VirusTotal Malware Buffer PE MachineGuid Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
3.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7844 |
2023-10-11 06:49
|
 build.exe 06aff89f42cf65991c1bbc67515786d1
Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.4 |
|
53 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7845 |
2023-10-11 01:52
|
 deliver.exe 6d62f962f2d3fbb718452f1ee915d4d7
Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware PDB crashed |
|
|
|
|
1.4 |
|
24 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|