8476
2023-09-20 11:12
15348b72.exe a25c8bcd78bfffff86e911122d610ff5 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
1.2
M
28
ZeroCERT

8477
2023-09-20 07:39
obizx.exe 9330c7dbc1939e787f6a7b4524b8cb59 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
2
api.ipify.org(64.185.227.156)
173.231.16.77
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4
M
21
ZeroCERT

8478
2023-09-20 07:37
nellyzx.exe 7a4aa60bed3cb92023b8ee1066cde9ac Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
3
http://www.bestwhitetee.com/btrd/?uZi0=zSz9jMyj7mW3xtm3JwJD86cfGFIvQz4aBIZ0SRFfGyGCsd4G7+HEovFX5RjOMAxye5kPC6/A&Vnt4_=GTd0sn7PSL8x7PP
http://www.wewillrock.club/btrd/?uZi0=3CppJMNtpUvTq13WkMq7t3V2kHr3dGnAvKW3z8ul0pcoFjK4/aKIrrvXKPie7nMeT2w7vlOk&Vnt4_=GTd0sn7PSL8x7PP
http://www.saatvikteerthyatra.com/btrd/?uZi0=Tz0D1BpedOIBU3pgk8cJ1ooI1Z+Vt/BMHfmQI2MlwowsJ72Rh6PaSh+gU1gKVBYwFs7stG7S&Vnt4_=GTd0sn7PSL8x7PP
6
www.saatvikteerthyatra.com(198.54.117.210)
www.wewillrock.club(5.78.55.133)
www.bestwhitetee.com(198.54.117.216)
5.78.55.133
198.54.117.218 - mailcious
198.54.117.216 - phishing
1
ET MALWARE FormBook CnC Checkin (GET)
8.2
M
22
ZeroCERT

8479
2023-09-20 07:36
Bin.exe 3b989d8dd09e3c5d4e9544849a253906 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed
2
api.ipify.org(64.185.227.156)
173.231.16.77
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2
M
54
ZeroCERT

8480
2023-09-20 07:34
test.exe 8dc615a726d1e47c1bbda80d36de8eb4 UPX PE File PE64 VirusTotal Malware
0.8
26
ZeroCERT

8481
2023-09-20 07:32
mtdocs.exe 847c4cd760ad16321f9ec78b672e81da Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
4
http://www.thwmlohr.click/sy22/?-ZeHzZ4=MgkfgN3fpomwP7fWV5mTPmG15nWdJlegbQggwbe1T0jMd3AI1ruzVKLfVQH9NXyhXYV15IAt&Ntiptf=llvt - rule_id: 36312
http://www.91967.net/sy22/?-ZeHzZ4=uE9wR2Y3PY1yx307bieK+o21csjZIE3yfcLUSuw3Fyc4r02fwZ9qroRs52d1jBHfNCAz8DHk&Ntiptf=llvt - rule_id: 35908
http://www.summitstracecolumbus.com/sy22/?-ZeHzZ4=nHjvsxR8MNyek9Frd1eEkzxomyZgRhw7CXfe5CvZzjzDG9G5MlwArHUwsFbqxuFMI96piyiY&Ntiptf=llvt
http://www.hbiwhwr.shop/sy22/?-ZeHzZ4=yd0bSXVZUXdU8qKTRdtZDhtRbXCT/uJkAzwFnTNcMl5wHiXF5PZYexVTbwnTO0CSyNbsU44F&Ntiptf=llvt - rule_id: 35479
10
www.hbiwhwr.shop(34.102.136.180) - mailcious
www.278809.com(154.205.107.177)
www.thwmlohr.click(43.154.67.170) - mailcious
www.summitstracecolumbus.com(85.202.174.60)
www.91967.net(20.205.142.141) - mailcious
85.202.174.60 - mailcious
43.154.67.170 - mailcious
34.102.136.180 - mailcious
154.205.107.177 - mailcious
20.205.142.141 - mailcious
1
ET MALWARE FormBook CnC Checkin (GET)
3
http://www.thwmlohr.click/sy22/
http://www.91967.net/sy22/
http://www.hbiwhwr.shop/sy22/
5.2
M
43
ZeroCERT

8482
2023-09-20 07:32
smss.exe 493562fc3240d634f797be4a433d72c7 .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself
5.4
37
ZeroCERT

8483
2023-09-20 07:26
TiWorker.exe ecf2a6a992825b3d7006296b443d6b3c Admin Tool (Sysinternals etc ...) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
2
api.ipify.org(64.185.227.156)
104.237.62.212
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2
M
49
ZeroCERT

8484
2023-09-20 07:26
c.exe d1bb6bebfee80c4db2ade0d15ec80cf2 Malicious Library UPX PE File PE32 OS Processor Check unpack itself
0.8
M
ZeroCERT

8485
2023-09-20 07:25
v4install.exe ccd934c7dd80e3c5281f6912e8e5923e Suspicious_Script_Bin Malicious Library UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution Cryptographic key
10.6
M
33
ZeroCERT

8486
2023-09-20 07:24
3.exe 1926bb5ac7a4c61110f5ada103aee2d8 Malicious Library UPX PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
10.8
M
39
ZeroCERT

8487
2023-09-19 19:48
run.bat 08379dbf8b11af191de471cff08a6de2 Generic Malware Downloader Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed
2
http://103.68.109.31/stage2.ps1
http://103.68.109.31/rev.dll
1
3
ET INFO PS1 Powershell File Request
ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
10.0
10
ZeroCERT

8488
2023-09-19 19:47
rev.dll 054e68c5744a5646b005d1ded000c592 UPX PE File DLL PE64 VirusTotal Malware
1.2
8
ZeroCERT

8489
2023-09-19 19:41
ni2n.ps1 c26875cc5153f5b41d2b6d512fb589b3 Suspicious_Script_Bin Generic Malware Malicious Library UPX Antivirus Malicious Packer PE File ftp PE64 OS Processor Check VirusTotal Malware powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
2
https://wordpress.ductai.xyz/bdata/fbmain
https://wordpress.ductai.xyz/bdata/data
2
wordpress.ductai.xyz(172.67.213.69) - mailcious
104.21.93.173
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.8
M
10
ZeroCERT

8490
2023-09-19 18:34
bin.exe 1fcab65c8ca14af17470d1435b74d107 Malicious Library AntiDebug AntiVM PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege unpack itself AppData folder Browser
8
http://www.lphone-xl.com/bxgk/?xxN=ikWHN4MijQY5AyJKGBKmp9RfDy9IY0OsXenjOEW69DvhU9R0B37fDkF3Su7Bxfr5RqIxN6lkpQFNqNDBJbqyXHPoN3ksIA9BqLmVomk=&cXM=MHHcxFFn5MCj
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
http://www.3lock.fund/bxgk/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.lphone-xl.com/bxgk/
http://www.3lock.fund/bxgk/?xxN=Wu6jB5Q+lKuCukxPzm2WMbWjX+SIDKgUB3U7Kk8DOKw/GtTKhEmwqSjmItXDS9i2eb8Fhjph3IwM4PmyWCSQw+mgytZrpQ9sx2eLMjw=&cXM=MHHcxFFn5MCj
5
www.lphone-xl.com(216.246.47.37)
www.3lock.fund(35.192.39.194)
216.246.47.37
35.192.39.194
45.33.6.223
4.4
M
50
ZeroCERT