| 8476 |
2023-09-20 11:12
|
 15348b72.exe a25c8bcd78bfffff86e911122d610ff5
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8477 |
2023-09-20 07:39
|
 obizx.exe 9330c7dbc1939e787f6a7b4524b8cb59
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(64.185.227.156)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8478 |
2023-09-20 07:37
|
 nellyzx.exe 7a4aa60bed3cb92023b8ee1066cde9ac
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.bestwhitetee.com/btrd/?uZi0=zSz9jMyj7mW3xtm3JwJD86cfGFIvQz4aBIZ0SRFfGyGCsd4G7+HEovFX5RjOMAxye5kPC6/A&Vnt4_=GTd0sn7PSL8x7PP
http://www.wewillrock.club/btrd/?uZi0=3CppJMNtpUvTq13WkMq7t3V2kHr3dGnAvKW3z8ul0pcoFjK4/aKIrrvXKPie7nMeT2w7vlOk&Vnt4_=GTd0sn7PSL8x7PP
http://www.saatvikteerthyatra.com/btrd/?uZi0=Tz0D1BpedOIBU3pgk8cJ1ooI1Z+Vt/BMHfmQI2MlwowsJ72Rh6PaSh+gU1gKVBYwFs7stG7S&Vnt4_=GTd0sn7PSL8x7PP
|
6
www.saatvikteerthyatra.com(198.54.117.210)
www.wewillrock.club(5.78.55.133)
www.bestwhitetee.com(198.54.117.216)
5.78.55.133
198.54.117.218 - mailcious
198.54.117.216 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8479 |
2023-09-20 07:36
|
 Bin.exe 3b989d8dd09e3c5d4e9544849a253906
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8480 |
2023-09-20 07:34
|
 test.exe 8dc615a726d1e47c1bbda80d36de8eb4
UPX PE File PE64 VirusTotal Malware |
|
|
|
|
0.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8481 |
2023-09-20 07:32
|
 mtdocs.exe 847c4cd760ad16321f9ec78b672e81da
Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
4
http://www.thwmlohr.click/sy22/?-ZeHzZ4=MgkfgN3fpomwP7fWV5mTPmG15nWdJlegbQggwbe1T0jMd3AI1ruzVKLfVQH9NXyhXYV15IAt&Ntiptf=llvt - rule_id: 36312
http://www.91967.net/sy22/?-ZeHzZ4=uE9wR2Y3PY1yx307bieK+o21csjZIE3yfcLUSuw3Fyc4r02fwZ9qroRs52d1jBHfNCAz8DHk&Ntiptf=llvt - rule_id: 35908
http://www.summitstracecolumbus.com/sy22/?-ZeHzZ4=nHjvsxR8MNyek9Frd1eEkzxomyZgRhw7CXfe5CvZzjzDG9G5MlwArHUwsFbqxuFMI96piyiY&Ntiptf=llvt
http://www.hbiwhwr.shop/sy22/?-ZeHzZ4=yd0bSXVZUXdU8qKTRdtZDhtRbXCT/uJkAzwFnTNcMl5wHiXF5PZYexVTbwnTO0CSyNbsU44F&Ntiptf=llvt - rule_id: 35479
|
10
www.hbiwhwr.shop(34.102.136.180) - mailcious
www.278809.com(154.205.107.177)
www.thwmlohr.click(43.154.67.170) - mailcious
www.summitstracecolumbus.com(85.202.174.60)
www.91967.net(20.205.142.141) - mailcious
85.202.174.60 - mailcious
43.154.67.170 - mailcious
34.102.136.180 - mailcious
154.205.107.177 - mailcious
20.205.142.141 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
3
http://www.thwmlohr.click/sy22/
http://www.91967.net/sy22/
http://www.hbiwhwr.shop/sy22/
|
5.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8482 |
2023-09-20 07:32
|
 smss.exe 493562fc3240d634f797be4a433d72c7
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself |
|
|
|
|
5.4 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8483 |
2023-09-20 07:26
|
 TiWorker.exe ecf2a6a992825b3d7006296b443d6b3c
Admin Tool (Sysinternals etc ...) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156)
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8484 |
2023-09-20 07:26
|
 c.exe d1bb6bebfee80c4db2ade0d15ec80cf2
Malicious Library UPX PE File PE32 OS Processor Check unpack itself |
|
|
|
|
0.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8485 |
2023-09-20 07:25
|
 v4install.exe ccd934c7dd80e3c5281f6912e8e5923e
Suspicious_Script_Bin Malicious Library UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution Cryptographic key |
|
|
|
|
10.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8486 |
2023-09-20 07:24
|
 3.exe 1926bb5ac7a4c61110f5ada103aee2d8
Malicious Library UPX PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
10.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8487 |
2023-09-19 19:48
|
 run.bat 08379dbf8b11af191de471cff08a6de2
Generic Malware Downloader Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
2
http://103.68.109.31/stage2.ps1
http://103.68.109.31/rev.dll
|
1
|
3
ET INFO PS1 Powershell File Request
ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
|
|
10.0 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8488 |
2023-09-19 19:47
|
 rev.dll 054e68c5744a5646b005d1ded000c592
UPX PE File DLL PE64 VirusTotal Malware |
|
|
|
|
1.2 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8489 |
2023-09-19 19:41
|
 ni2n.ps1 c26875cc5153f5b41d2b6d512fb589b3
Suspicious_Script_Bin Generic Malware Malicious Library UPX Antivirus Malicious Packer PE File ftp PE64 OS Processor Check VirusTotal Malware powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wordpress.ductai.xyz/bdata/fbmain
https://wordpress.ductai.xyz/bdata/data
|
2
wordpress.ductai.xyz(172.67.213.69) - mailcious
104.21.93.173
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.8 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8490 |
2023-09-19 18:34
|
 bin.exe 1fcab65c8ca14af17470d1435b74d107
Malicious Library AntiDebug AntiVM PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege unpack itself AppData folder Browser |
8
http://www.lphone-xl.com/bxgk/?xxN=ikWHN4MijQY5AyJKGBKmp9RfDy9IY0OsXenjOEW69DvhU9R0B37fDkF3Su7Bxfr5RqIxN6lkpQFNqNDBJbqyXHPoN3ksIA9BqLmVomk=&cXM=MHHcxFFn5MCj
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
http://www.3lock.fund/bxgk/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.lphone-xl.com/bxgk/
http://www.3lock.fund/bxgk/?xxN=Wu6jB5Q+lKuCukxPzm2WMbWjX+SIDKgUB3U7Kk8DOKw/GtTKhEmwqSjmItXDS9i2eb8Fhjph3IwM4PmyWCSQw+mgytZrpQ9sx2eLMjw=&cXM=MHHcxFFn5MCj
|
5
www.lphone-xl.com(216.246.47.37)
www.3lock.fund(35.192.39.194)
216.246.47.37
35.192.39.194
45.33.6.223
|
|
|
4.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|