8461 | 2023-09-20 18:07
clip64.dll 03f32c1a791dd8e77edfa3461e31abd1 Amadey Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File DLL PE32 OS Processor Check VirusTotal Malware PDB
1.4 | M | 56 | ZeroCERT

8462 | 2023-09-20 18:07
cred64.dll be88f13ad2e21025d52e61a57bc1fe12 Browser Login Data Stealer Malicious Library UPX PE File DLL PE64 OS Processor Check VirusTotal Malware PDB
1
http://5.42.64.45/8bmeVwqx/index.php
1.6 | M | 45 | ZeroCERT

8463 | 2023-09-20 18:07
calc2.exe 3d4e0dc6f80820315996f16eb5a5f03b Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB
1
http://bryanzachary.top/e9c345fc99a4e67e.php
1.6 | M | 33 | ZeroCERT

8464 | 2023-09-20 18:05
TiWorker.exe 75b192f9b810dedde93595a8a1b1dd8d LokiBot .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software crashed
1
http://fresh2.shunfengpower.buzz/_errorpages/fresh2/fre.php
2
fresh2.shunfengpower.buzz(104.21.58.179)
104.21.58.179
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.buzz domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
13.0 | M | 18 | ZeroCERT

8465 | 2023-09-20 18:05
hh.txt.ps1 4735c60f2a61a338443ce8091601ca23 Generic Malware Antivirus powershell Check memory unpack itself powershell.exe wrote WriteConsoleW Windows Cryptographic key
1
https://sygnifyme.com/wp-content/plugins/jetpack/Flag.SVG
2.2 | | | ZeroCERT

8466 | 2023-09-20 18:05
harbar.exe cc735bbb997be4520efb4943f2db3f6c Emotet Gen1 Malicious Library UPX Confuser .NET AntiDebug AntiVM PE File PE32 .NET EXE DLL MZP Format OS Processor Check CHM Format PE64 DllRegisterServer dll VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed
3
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
193.42.32.61 - mailcious
4
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
12.2 | M | 48 | ZeroCERT

8467 | 2023-09-20 18:04
Rzcjkedka.exe cd47b64e420b472464001891ff312ff6 AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
21
http://www.onlyleona.com/kniu/
http://www.tsygy.com/kniu/?j1=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&meUIyw=UGh-NJxfZ0
http://www.onlyleona.com/kniu/?j1=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&meUIyw=UGh-NJxfZ0
http://www.prosourcegraniteinc.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.poultry-symposium.com/kniu/?j1=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&meUIyw=UGh-NJxfZ0
http://www.frefire.top/kniu/?j1=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&meUIyw=UGh-NJxfZ0
http://www.poultry-symposium.com/kniu/
http://192.3.179.157/zs/Pkzvwkppdn.mp4
http://www.flyingfoxnb.com/kniu/
http://www.flyingfoxnb.com/kniu/?j1=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&meUIyw=UGh-NJxfZ0
http://www.theartboxslidell.com/kniu/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.frefire.top/kniu/
http://www.siteapp.fun/kniu/
http://www.prosourcegraniteinc.com/kniu/?j1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&meUIyw=UGh-NJxfZ0
http://www.xxkxcfkujyeft.xyz/kniu/?j1=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&meUIyw=UGh-NJxfZ0
http://www.theartboxslidell.com/kniu/?j1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&meUIyw=UGh-NJxfZ0
http://www.tsygy.com/kniu/
http://www.siteapp.fun/kniu/?j1=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&meUIyw=UGh-NJxfZ0
http://192.3.179.157/112/TiWorker.exe
23
www.onlyleona.com(104.21.13.143)
www.prosourcegraniteinc.com(216.239.36.21)
www.pengeloladata.click()
www.xxkxcfkujyeft.xyz(216.240.130.67)
www.theartboxslidell.com(199.59.243.224)
www.8956kjw1.com(103.71.154.244)
www.frefire.top(67.223.117.37)
www.tsygy.com(23.104.137.185) - mailcious
www.poultry-symposium.com(85.128.134.237)
www.flyingfoxnb.com(216.40.34.41)
www.siteapp.fun(23.82.12.35)
216.239.38.21 - phishing
81.171.28.43
23.104.137.185 - mailcious
199.59.243.224 - mailcious
67.223.117.37
216.40.34.41 - mailcious
216.240.130.67 - mailcious
192.3.179.157 - mailcious
103.71.154.244
45.33.6.223
172.67.132.228
85.128.134.237
11
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
10.8 | M | 17 | ZeroCERT

8468 | 2023-09-20 18:03
wealthzx.exe aa8c14edf65d09f549ac88306d2e8610 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 23 | ZeroCERT

8469 | 2023-09-20 18:01
Owpxkxlhneicvr.scr 79b7474ded312cda4a0bd477ddf78378 Malicious Library UPX PE File PE32 MZP Format URL Format Remcos VirusTotal Malware Malicious Traffic Check memory unpack itself Windows keylogger
2
http://geoplugin.net/json.gp
http://troubletorn.ydns.eu/x/yaztdtgfd/Owpxkxlhnei
5
tornado.ydns.eu(193.42.32.61) - mailcious
geoplugin.net(178.237.33.50)
troubletorn.ydns.eu(193.42.32.61)
178.237.33.50
193.42.32.61 - mailcious
1
ET JA3 Hash - Remcos 3.x TLS Connection
3.6 | | 20 | ZeroCERT

8470 | 2023-09-20 18:00
TiWorker.exe 9809924a1fb0082898813c23dbc84b24 Malicious Library PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself suspicious TLD DNS
21
http://www.palatepursuits.cfd/kniu/
http://www.poultry-symposium.com/kniu/?zM2u=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&r8LF=ldF1y4FXSVpJ
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.tsygy.com/kniu/?zM2u=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&r8LF=ldF1y4FXSVpJ
http://www.flyingfoxnb.com/kniu/?zM2u=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&r8LF=ldF1y4FXSVpJ
http://www.poultry-symposium.com/kniu/
http://www.siteapp.fun/kniu/?zM2u=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&r8LF=ldF1y4FXSVpJ
http://www.flyingfoxnb.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/?zM2u=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&r8LF=ldF1y4FXSVpJ
http://www.frefire.top/kniu/
http://www.siteapp.fun/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
http://www.theartboxslidell.com/kniu/
http://www.palatepursuits.cfd/kniu/?zM2u=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&r8LF=ldF1y4FXSVpJ
http://www.prosourcegraniteinc.com/kniu/?zM2u=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&r8LF=ldF1y4FXSVpJ
http://www.theartboxslidell.com/kniu/?zM2u=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&r8LF=ldF1y4FXSVpJ
http://www.tsygy.com/kniu/
http://www.onlyleona.com/kniu/
http://www.onlyleona.com/kniu/?zM2u=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&r8LF=ldF1y4FXSVpJ
http://www.frefire.top/kniu/?zM2u=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&r8LF=ldF1y4FXSVpJ
24
www.palatepursuits.cfd(104.21.21.57)
www.onlyleona.com(172.67.132.228)
www.prosourcegraniteinc.com(216.239.38.21)
www.pengeloladata.click()
www.xxkxcfkujyeft.xyz(216.240.130.67)
www.theartboxslidell.com(199.59.243.224)
www.8956kjw1.com(103.71.154.244)
www.frefire.top(67.223.117.37)
www.tsygy.com(23.104.137.185) - mailcious
www.poultry-symposium.com(85.128.134.237)
www.flyingfoxnb.com(216.40.34.41)
www.siteapp.fun(23.82.12.35)
85.128.134.237
81.171.28.43
104.21.13.143
199.59.243.224 - mailcious
23.104.137.185 - mailcious
67.223.117.37
216.40.34.41 - mailcious
216.240.130.67 - mailcious
103.71.154.244
104.21.21.57
216.239.36.21 - phishing
45.33.6.223
6
SURICATA HTTP unable to match response to request
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
4.0 | M | 53 | ZeroCERT

8471 | 2023-09-20 17:59
ark.exe 9dadfc8f01d8b789ce9267cc188591bb Admin Tool (Sysinternals etc ...) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
3
api.ipify.org(104.237.62.212)
64.185.227.156
104.21.21.57
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 41 | ZeroCERT

8472 | 2023-09-20 17:58
SBqxEB20ZJgWYrR.exe c6f8afa65badddd3590c98f05c766c01 Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
1
http://checkip.dyndns.org/
2
checkip.dyndns.org(193.122.130.0)
158.101.44.242
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
15.4 | M | 24 | ZeroCERT

8473 | 2023-09-20 15:39
bypass.ps1.exe 6efe15382531ae994f2f220046421b1d PE File PE64 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.2 | | 48 | ZeroCERT

8474 | 2023-09-20 15:31
bypass.ps1 1c5d05def6e3baabe8da94a3d275c5e5 Hide_EXE Generic Malware Antivirus PE File PE64 .NET EXE VirusTotal Malware powershell MachineGuid Check memory Checks debugger Creates executable files unpack itself powershell.exe wrote
4.2 | M | 7 | ZeroCERT

8475 | 2023-09-20 11:12
73243017.exe be527f26f13962e89509dd096166f55e Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
1.4 | M | 30 | ZeroCERT