| 8461 |
2023-09-20 18:07
|
 clip64.dll 03f32c1a791dd8e77edfa3461e31abd1
Amadey Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File DLL PE32 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8462 |
2023-09-20 18:07
|
 cred64.dll be88f13ad2e21025d52e61a57bc1fe12
Browser Login Data Stealer Malicious Library UPX PE File DLL PE64 OS Processor Check VirusTotal Malware PDB |
1
http://5.42.64.45/8bmeVwqx/index.php
|
|
|
|
1.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8463 |
2023-09-20 18:07
|
 calc2.exe 3d4e0dc6f80820315996f16eb5a5f03b
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB |
1
http://bryanzachary.top/e9c345fc99a4e67e.php
|
|
|
|
1.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8464 |
2023-09-20 18:05
|
 TiWorker.exe 75b192f9b810dedde93595a8a1b1dd8d
LokiBot .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software crashed |
1
http://fresh2.shunfengpower.buzz/_errorpages/fresh2/fre.php
|
2
fresh2.shunfengpower.buzz(104.21.58.179)
104.21.58.179
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.buzz domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
13.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8465 |
2023-09-20 18:05
|
 hh.txt.ps1 4735c60f2a61a338443ce8091601ca23
Generic Malware Antivirus powershell Check memory unpack itself powershell.exe wrote WriteConsoleW Windows Cryptographic key |
1
https://sygnifyme.com/wp-content/plugins/jetpack/Flag.SVG
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8466 |
2023-09-20 18:05
|
 harbar.exe cc735bbb997be4520efb4943f2db3f6c
Emotet Gen1 Malicious Library UPX Confuser .NET AntiDebug AntiVM PE File PE32 .NET EXE DLL MZP Format OS Processor Check CHM Format PE64 DllRegisterServer dll VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed |
|
3
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
193.42.32.61 - mailcious
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
|
|
12.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8467 |
2023-09-20 18:04
|
 Rzcjkedka.exe cd47b64e420b472464001891ff312ff6
AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
21
http://www.onlyleona.com/kniu/
http://www.tsygy.com/kniu/?j1=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&meUIyw=UGh-NJxfZ0
http://www.onlyleona.com/kniu/?j1=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&meUIyw=UGh-NJxfZ0
http://www.prosourcegraniteinc.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.poultry-symposium.com/kniu/?j1=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&meUIyw=UGh-NJxfZ0
http://www.frefire.top/kniu/?j1=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&meUIyw=UGh-NJxfZ0
http://www.poultry-symposium.com/kniu/
http://192.3.179.157/zs/Pkzvwkppdn.mp4
http://www.flyingfoxnb.com/kniu/
http://www.flyingfoxnb.com/kniu/?j1=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&meUIyw=UGh-NJxfZ0
http://www.theartboxslidell.com/kniu/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.frefire.top/kniu/
http://www.siteapp.fun/kniu/
http://www.prosourcegraniteinc.com/kniu/?j1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&meUIyw=UGh-NJxfZ0
http://www.xxkxcfkujyeft.xyz/kniu/?j1=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&meUIyw=UGh-NJxfZ0
http://www.theartboxslidell.com/kniu/?j1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&meUIyw=UGh-NJxfZ0
http://www.tsygy.com/kniu/
http://www.siteapp.fun/kniu/?j1=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&meUIyw=UGh-NJxfZ0
http://192.3.179.157/112/TiWorker.exe
|
23
www.onlyleona.com(104.21.13.143)
www.prosourcegraniteinc.com(216.239.36.21)
www.pengeloladata.click()
www.xxkxcfkujyeft.xyz(216.240.130.67)
www.theartboxslidell.com(199.59.243.224)
www.8956kjw1.com(103.71.154.244)
www.frefire.top(67.223.117.37)
www.tsygy.com(23.104.137.185) - mailcious
www.poultry-symposium.com(85.128.134.237)
www.flyingfoxnb.com(216.40.34.41)
www.siteapp.fun(23.82.12.35)
216.239.38.21 - phishing
81.171.28.43
23.104.137.185 - mailcious
199.59.243.224 - mailcious
67.223.117.37
216.40.34.41 - mailcious
216.240.130.67 - mailcious
192.3.179.157 - mailcious
103.71.154.244
45.33.6.223
172.67.132.228
85.128.134.237
|
11
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
|
|
10.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8468 |
2023-09-20 18:03
|
 wealthzx.exe aa8c14edf65d09f549ac88306d2e8610
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8469 |
2023-09-20 18:01
|
 Owpxkxlhneicvr.scr 79b7474ded312cda4a0bd477ddf78378
Malicious Library UPX PE File PE32 MZP Format URL Format Remcos VirusTotal Malware Malicious Traffic Check memory unpack itself Windows keylogger |
2
http://geoplugin.net/json.gp
http://troubletorn.ydns.eu/x/yaztdtgfd/Owpxkxlhnei
|
5
tornado.ydns.eu(193.42.32.61) - mailcious
geoplugin.net(178.237.33.50)
troubletorn.ydns.eu(193.42.32.61)
178.237.33.50
193.42.32.61 - mailcious
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
3.6 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8470 |
2023-09-20 18:00
|
 TiWorker.exe 9809924a1fb0082898813c23dbc84b24
Malicious Library PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself suspicious TLD DNS |
21
http://www.palatepursuits.cfd/kniu/
http://www.poultry-symposium.com/kniu/?zM2u=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&r8LF=ldF1y4FXSVpJ
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.tsygy.com/kniu/?zM2u=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&r8LF=ldF1y4FXSVpJ
http://www.flyingfoxnb.com/kniu/?zM2u=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&r8LF=ldF1y4FXSVpJ
http://www.poultry-symposium.com/kniu/
http://www.siteapp.fun/kniu/?zM2u=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&r8LF=ldF1y4FXSVpJ
http://www.flyingfoxnb.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/?zM2u=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&r8LF=ldF1y4FXSVpJ
http://www.frefire.top/kniu/
http://www.siteapp.fun/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
http://www.theartboxslidell.com/kniu/
http://www.palatepursuits.cfd/kniu/?zM2u=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&r8LF=ldF1y4FXSVpJ
http://www.prosourcegraniteinc.com/kniu/?zM2u=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&r8LF=ldF1y4FXSVpJ
http://www.theartboxslidell.com/kniu/?zM2u=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&r8LF=ldF1y4FXSVpJ
http://www.tsygy.com/kniu/
http://www.onlyleona.com/kniu/
http://www.onlyleona.com/kniu/?zM2u=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&r8LF=ldF1y4FXSVpJ
http://www.frefire.top/kniu/?zM2u=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&r8LF=ldF1y4FXSVpJ
|
24
www.palatepursuits.cfd(104.21.21.57)
www.onlyleona.com(172.67.132.228)
www.prosourcegraniteinc.com(216.239.38.21)
www.pengeloladata.click()
www.xxkxcfkujyeft.xyz(216.240.130.67)
www.theartboxslidell.com(199.59.243.224)
www.8956kjw1.com(103.71.154.244)
www.frefire.top(67.223.117.37)
www.tsygy.com(23.104.137.185) - mailcious
www.poultry-symposium.com(85.128.134.237)
www.flyingfoxnb.com(216.40.34.41)
www.siteapp.fun(23.82.12.35)
85.128.134.237
81.171.28.43
104.21.13.143
199.59.243.224 - mailcious
23.104.137.185 - mailcious
67.223.117.37
216.40.34.41 - mailcious
216.240.130.67 - mailcious
103.71.154.244
104.21.21.57
216.239.36.21 - phishing
45.33.6.223
|
6
SURICATA HTTP unable to match response to request
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
4.0 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8471 |
2023-09-20 17:59
|
 ark.exe 9dadfc8f01d8b789ce9267cc188591bb
Admin Tool (Sysinternals etc ...) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
3
api.ipify.org(104.237.62.212)
64.185.227.156
104.21.21.57
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8472 |
2023-09-20 17:58
|
 SBqxEB20ZJgWYrR.exe c6f8afa65badddd3590c98f05c766c01
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(193.122.130.0)
158.101.44.242
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
15.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8473 |
2023-09-20 15:39
|
 bypass.ps1.exe 6efe15382531ae994f2f220046421b1d
PE File PE64 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8474 |
2023-09-20 15:31
|
 bypass.ps1 1c5d05def6e3baabe8da94a3d275c5e5
Hide_EXE Generic Malware Antivirus PE File PE64 .NET EXE VirusTotal Malware powershell MachineGuid Check memory Checks debugger Creates executable files unpack itself powershell.exe wrote |
|
|
|
|
4.2 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8475 |
2023-09-20 11:12
|
 73243017.exe be527f26f13962e89509dd096166f55e
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|