7831 | 2023-10-11 10:58 | REQUEST FOR OFFER.exe | 40a0594721777a253cd4481267194ff9
Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed
2.8 | | 7 | ZeroCERT

7832 | 2023-10-11 08:07 | updat1.exe | 571ea8843de2bd01744f6caba0e202ea
Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed
2.0 | M | 29 | guest

7833 | 2023-10-11 08:03 | sihost.exe | 7ee626b72a7112befb6febbb8f635ede
LokiBot Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
13.0 | M | 38 | ZeroCERT

7834 | 2023-10-11 08:01 | marcolite2.1.exe | 71ea87bcc822a68c4ef492ecbdba37f6
NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
1 | http://www.cysh100th.com/t6tg/?RVE=C4RGcRJ+oFeN6Dw5JyxSSWJXrhqNO9HSkiwUjsu5KAkN06m/6Uw6tkK+9OBn6uuuNd9cxUAj&oX=Txo8ntIpM8sp
5 | www.ascend-help.tech() www.ep0i.com() www.cysh100th.com(66.235.200.146) www.adam-automatik.com() 66.235.200.146 - malware
1 | ET MALWARE FormBook CnC Checkin (GET)
4.4 | M | 34 | ZeroCERT

7835 | 2023-10-11 07:59 | fbinzx.exe | 00b27694025e82652c1976c6745a2de1
Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
2 | http://www.couturewrap.com/btrd/?I6h=SG9A3Pt3xYazNmDlDw9fHiFSCreErl1UBTZXmuPCTcYswo69CAuXyrO6p7GwaEZoJbh+8dJR&nfutZl=xPJxZ6jp - rule_id: 34170 http://www.zimmerli.online/btrd/?I6h=TxZDFykc/keWgTeXgWWLM6uN5HzrA8yC53jils16edLR65eOdlp3LoNC2wSzs0M9J4jN2BYo&nfutZl=xPJxZ6jp
5 | www.zimmerli.online(128.65.195.180) www.couturewrap.com(15.197.148.33) - mailcious www.fxsecuretrading-option.com() 128.65.195.180 - mailcious 3.33.130.190 - phishing
1 | ET MALWARE FormBook CnC Checkin (GET)
1 | http://www.couturewrap.com/btrd/
8.4 | M | 39 | ZeroCERT

7836 | 2023-10-11 07:57 | sihost.exe | 1d2e25e64e7c402540fa6ce6871257f4
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
3 | api.ipify.org(64.185.227.156) 172.67.196.133 - mailcious 64.185.227.156
4 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.0 | M | 41 | ZeroCERT

7837 | 2023-10-11 07:57 | sihost.exe | 8d91ce7f3a66bcfda11e488cc34c698f
Formbook UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor C FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
20 |
24 |
11 | ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SURICATA HTTP unable to match response to request ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Request to .XYZ Domain with Minimal Headers
18 |
11.4 | M | 40 | ZeroCERT

7838 | 2023-10-11 07:56 | updat1.exe | 571ea8843de2bd01744f6caba0e202ea
Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed
2.0 | M | 29 | ZeroCERT

7839 | 2023-10-11 07:55 | ishost.exe | e8ba8c2f63e7d3e3cbf0dd2a426e4eb5
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
12.0 | M | 32 | ZeroCERT

7840 | 2023-10-11 07:52 | ishost.exe | f83a1ebac520b7deea9613aa2a7765c4
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed
2 | api.ipify.org(173.231.16.77) 64.185.227.156
4 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | M | 48 | ZeroCERT

7841 | 2023-10-11 07:52 | googluk.exe | 07b8df6ee60cd20723ba20794e15d438
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed
2 | api.ipify.org(173.231.16.77) 104.237.62.212
4 | ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
10.4 | M | 49 | ZeroCERT

7842 | 2023-10-11 07:51 | romankon2.1.exe | f66044875f6dff90814d4b09be15bde7
NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
4 | http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0 http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0 http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0 http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0
9 | www.bowllywood.com(156.241.138.74) www.qianxz109.xyz() www.seoulbeautytw.com(151.101.194.236) www.oneresi.com(15.197.148.33) www.trailblazerbaby.com(198.49.23.144) 146.75.50.236 15.197.148.33 156.241.138.74 198.49.23.145 - mailcious
1 | ET MALWARE FormBook CnC Checkin (GET)
4.0 | M | 31 | ZeroCERT

7843 | 2023-10-11 07:50 | strim2.exe | f43edef896d4995aa3c4b488bbc3dab2
UPX PE File PE64 OS Processor Check VirusTotal Malware Buffer PE MachineGuid Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
3.4 | M | 23 | ZeroCERT

7844 | 2023-10-11 06:49 | build.exe | 06aff89f42cf65991c1bbc67515786d1
Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware crashed
1.4 | | 53 | guest

7845 | 2023-10-11 01:52 | deliver.exe | 6d62f962f2d3fbb718452f1ee915d4d7
Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware PDB crashed
1.4 | | 24 | guest