| 7966 |
2023-10-06 13:55
|
 ReklamX.ps1 05931e59a873435df1111513cc67eb0c
Generic Malware Antivirus Check memory unpack itself Windows Cryptographic key |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7967 |
2023-10-06 13:55
|
 vc.js 9c334d578b33e9df286d5973198f7344Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper |
1
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
|
2
chongmei33.publicvm.com(103.47.144.38) - mailcious
103.47.144.38 - mailcious
|
4
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
1
http://chongmei33.publicvm.com:7045/is-ready
|
10.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7968 |
2023-10-06 13:54
|
 UGFH.txt.exe 3c3580dfbc1f06636fe5696879cbdd85
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(64.185.227.156)
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.4 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7969 |
2023-10-06 13:40
|
okl.vbs 41ae735bd929dfe448cc75d19fed57a2
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/okilo.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7970 |
2023-10-06 13:39
|
 powerwinner.ps1 d56818ec2778b8a3b3b13e2c7e88dc63
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://torna.ydns.eu/on/bsv/Wblxhuaksujvhq.exe
|
|
|
|
4.8 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7971 |
2023-10-06 13:39
|
HTMLcode.vbs 49bad06e91f748e94a260cbfdb0fffed
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://103.182.16.23/900/UGFH.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.67.53.17
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7972 |
2023-10-06 13:28
|
 d9e1c3_0ec2df3125b34e10ad269f8... 5e63744a4fad5be640aa0a7a2e444a3d
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7973 |
2023-10-06 13:28
|
 castororiginbase64.txt.exe e94f7fd09efeb9e90655b64a6e4fced7
AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName crashed |
|
|
|
|
3.8 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7974 |
2023-10-06 13:28
|
2022 1040 (Cornelius Morgan G)... c7daf9fd5c8718275c25494e3dba8982
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://taxnewmon.blogspot.com/////////////////////////////////atom.xml
|
|
|
|
5.2 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7975 |
2023-10-06 10:22
|
 mtxrI8N.exe ecdf7acb35e4268bcafb03b8af12f659
UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
3.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7976 |
2023-10-06 10:21
|
 skxeYqr.exe 20bb118569b859e64feaaf30227e04b8
UPX .NET framework(MSIL) Socket DNS persistence AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
9.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7977 |
2023-10-06 10:18
|
 updat2.exe 2353ef140fcfb38add13c74b388b710d
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7978 |
2023-10-06 10:16
|
i0ioi0iooioo0IOI0OIOIOiooioi00... 9f6c58103198c1158277e4e0a8137006
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed |
1
|
2
i8.ae(172.67.198.4)
104.21.60.158
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7979 |
2023-10-06 10:14
|
i0iioi0IOIOi0ioiioi0ioI0IOI0I9... b033c79a643e692668723f11af0e9484
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://192.3.101.8/270/audiodg.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7980 |
2023-10-06 10:14
|
 vc.js 9c334d578b33e9df286d5973198f7344Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper |
2
http://chongmei33.publicvm.com:7045/is-processes
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
|
2
chongmei33.publicvm.com(103.47.144.38) - mailcious
103.47.144.38
|
6
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
ET HUNTING Suspicious Possible Process Dump in POST body
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
|
1
http://chongmei33.publicvm.com:7045/is-ready
|
10.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|