8416 | 2023-12-14 11:07
File: 미신고 자금출처명세서(부가가치세법 시행규칙).hwp.l...
MD5: ceb4847592b0b9ddc2b9c239fa48c471
Tags: Generic Malware Malicious Library Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell PE32 PE File CAB MSOffice File HWP Malware download VirusTotal Malware Campaign powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI heapspray Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Konni Windows ComputerName Cryptographic key
URLs (2):
  http://ddsdata.net/upload.php
  https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010
Hosts (2): ddsdata.net(5.255.127.177); 5.255.127.177
Signatures (1): ET MALWARE [ANY.RUN] Konni.APT Exfiltration
Rule-matched URLs: none
14.0 | | 11 | ZeroCERT
8417 | 2023-12-14 11:06
File: Statement of undeclared funds ...
MD5: ceb4847592b0b9ddc2b9c239fa48c471
Tags: Generic Malware Malicious Library Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell PE32 PE File MSOffice File HWP CAB Malware download VirusTotal Malware Campaign powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI heapspray Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Konni Windows ComputerName Cryptographic key
URLs (2):
  http://ddsdata.net/upload.php
  https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010
Hosts (2): ddsdata.net(5.255.127.177); 5.255.127.177
Signatures (1): ET MALWARE [ANY.RUN] Konni.APT Exfiltration
Rule-matched URLs: none
14.6 | | 11 | ZeroCERT
8418 | 2023-12-14 11:00
File: 481-5412-09.pdf .cmd
MD5: 0ebda52c2e35dd7d3088b5364a4583fd
Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (2):
  http://147.78.46.40:37662/office/1.pdf - rule_id: 38756
  http://147.78.46.40:37662/office/1.pdf
Hosts (1): (not listed)
Signatures (1): ET INFO Dotted Quad Host PDF Request
Rule-matched URLs (1): http://147.78.46.40:37662/office/1.pdf
10.0 | | 21 | ZeroCERT
8419 | 2023-12-14 10:53
File: 0.26620849638416144.dat.dll
MD5: 61c58c2bebffb3b3590f24675721fa5b
Tags: Malicious Library UPX PE32 PE File DLL MZP Format VirusTotal Malware
URLs: none
Hosts: none
Signatures: none
Rule-matched URLs: none
2.0 | | 33 | ZeroCERT
8420 | 2023-12-14 10:47
File: Pikabot.dll
MD5: 61c58c2bebffb3b3590f24675721fa5b
Tags: Malicious Library UPX PE32 PE File DLL MZP Format VirusTotal Malware
URLs: none
Hosts: none
Signatures: none
Rule-matched URLs: none
1.8 | | 28 | ZeroCERT
8421 | 2023-12-14 10:29
File: ORDER-231211.Xls.js
MD5: 516442412f0c621f39abd64b645f587c
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1): https://nac-ecs.co.mz/onedrive/wp.vbs
Hosts (2): nac-ecs.co.mz(144.208.78.130) - malware; 144.208.78.130 - malware
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
10.0 | | 22 | ZeroCERT
8422 | 2023-12-14 10:28
File: ORDER-232111.pdf.js
MD5: ad919f29a6186c40a5bcb76d18803bfb
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1): https://grapemundo.com/Apk/good.vbs
Hosts (2): grapemundo.com(103.50.163.157) - mailcious; 103.50.163.157 - mailcious
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
10.0 | | 24 | ZeroCERT
8423 | 2023-12-14 10:28
File: ORDER-232112.pdf.js
MD5: ad919f29a6186c40a5bcb76d18803bfb
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1): https://grapemundo.com/Apk/good.vbs
Hosts (2): grapemundo.com(103.50.163.157) - mailcious; 103.50.163.157 - mailcious
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
10.0 | | 24 | ZeroCERT
8424 | 2023-12-14 10:17
File: wp.vbs
MD5: 4d09dbc70709eb2790c491dc476d508b
Tags: Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper
URLs (2):
  http://chongmei33.publicvm.com:7045/is-processes - rule_id: 37041
  http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
Hosts (2): chongmei33.publicvm.com(103.47.144.44) - mailcious; 103.47.144.44
Signatures (6):
  ET MALWARE WSHRAT CnC Checkin
  ET HUNTING Suspicious Possible Process Dump in POST body
  ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
  ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
Rule-matched URLs (2):
  http://chongmei33.publicvm.com:7045/is-processes
  http://chongmei33.publicvm.com:7045/is-ready
10.0 | M | 29 | ZeroCERT
8425 | 2023-12-14 10:16
File: ORDER-2320884.jar
MD5: c2cfe1bc4cc6ec14cd510cd4ac40d6f5
Tags: Antivirus Malicious Library UPX MSOffice File ZIP Format PE32 PE File DLL OS Processor Check VirusTotal Malware AutoRuns Check memory buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Java ComputerName DNS DDNS crashed
URLs: none
Hosts (8):
  objects.githubusercontent.com(185.199.108.133) - malware
  jinvestments.duckdns.org(103.47.144.44)
  github.com(20.200.245.247) - mailcious
  repo1.maven.org(199.232.196.209)
  151.101.196.209
  185.199.109.133 - mailcious
  20.200.245.247 - malware
  103.47.144.44
Signatures (2):
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Rule-matched URLs: none
7.6 | | 21 | ZeroCERT
8426 | 2023-12-14 10:15
File: POA35BT56TT.bat
MD5: 5409f23480db5358d2cc2417f2c41494
Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell ZIP Format VirusTotal Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
URLs (2):
  http://eusketxe.com/s/putty.jar
  http://brahmacouncil.com/fs/fs/run_hidden.vbs
Hosts (5):
  eusketxe.com(167.250.5.28)
  brahmacouncil.com(67.20.115.231) - mailcious
  154.127.53.176
  67.20.115.231 - mailcious
  167.250.5.28
Signatures: none
Rule-matched URLs: none
12.4 | M | 2 | ZeroCERT
8427 | 2023-12-14 10:15
File: Payment_Slip.jar
MD5: 39396afaa066833586662903487761f2
Tags: Antivirus MSOffice File VirusTotal Malware Check memory heapspray unpack itself Java
URLs: none
Hosts: none
Signatures: none
Rule-matched URLs: none
2.4 | M | 20 | ZeroCERT
8428 | 2023-12-14 08:08
File: 021983908713.exe
MD5: 5553b09479b6bb61784ac90f9089d889
Tags: PE File PE64 VirusTotal Malware DNS
URLs: none
Hosts (1): (not listed)
Signatures: none
Rule-matched URLs: none
3.0 | M | 61 | ZeroCERT
8429 | 2023-12-14 08:07
File: file.exe
MD5: db9836afc44b9a8fd086abd3e882524e
Tags: Amadey Downloader Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX MPRESS Malicious Library Http API ScreenShot Create Service Socket DGA Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API pe Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder suspicious TLD sandbox evasion WriteConsoleW VMware anti-virtualization installed browsers check Ransomware Lumma Stealer Windows Browser Email ComputerName Firmware DNS Cryptographic key Software crashed Downloader
URLs (4):
  http://185.172.128.5/v8sjh3hs8/index.php?scr=1 - rule_id: 38703
  http://gatelistcoldyeisa.pw/api
  http://185.172.128.5/v8sjh3hs8/index.php - rule_id: 38703
  http://185.172.128.5/v8sjh3hs8/Plugins/cred64.dll
Hosts (4):
  gatelistcoldyeisa.pw(104.21.7.219)
  185.172.128.5 - malware
  172.67.188.16
  185.172.128.8 - malware
Signatures (12):
  ET DNS Query to a *.pw domain - Likely Hostile
  ET INFO HTTP Request to a *.pw domain
  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Amadey Bot Activity (POST) M1
Rule-matched URLs (2):
  http://185.172.128.5/v8sjh3hs8/index.php
  http://185.172.128.5/v8sjh3hs8/index.php
25.6 | M | 47 | ZeroCERT
8430 | 2023-12-14 08:06
File: artifact.exe
MD5: a9cd040f3de100f802ccbce93bebd7a3
Tags: Malicious Library PE32 PE File Malware download Cobalt Strike Cobalt VirusTotal Malware Malicious Traffic RWX flags setting unpack itself ComputerName DNS
URLs (2):
  http://81.70.153.38/ga.js
  http://81.70.153.38/zZ5S
Hosts (1): (not listed)
Signatures (1): ET MALWARE Cobalt Strike Beacon Observed
Rule-matched URLs: none
4.6 | M | 61 | ZeroCERT