8551 |
2023-09-18 13:41
|
po# 348839.exe 4a7a9da9b5d246c23e12315e4eac1fcd Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check Malware download VirusTotal Malware suspicious privilege Check memory Creates executable files ICMP traffic unpack itself AppData folder |
13
http://www.houtaijiaju.com/stcf/?el=1dqEu7FqG0Fk44M2SsORztBhqeVPz5dcffezXnqN6lUv5lMi6TOQp3fd1b+R5p9IBvl5i/IMrCH65j4DnfcQMtwjHinribTwYdLVWxQ=&isnBX=nywdxOY_N7CAIHs - rule_id: 36372 http://www.ronikonmet.online/stcf/?el=uecC1YIjKds5pfO1EToES15TCdBTvi7vIYoUJgTFy6qDYT2nEUgo5MyoghBmj6FTuqUN6uVJE1bE0H4aXubCPUG1zI5pjeamkbBuCmA=&isnBX=nywdxOY_N7CAIHs - rule_id: 36374 http://www.innovativefewsustra.com/stcf/?el=KMOD9sTNx2YSpovUrRJUEzn1Yx0Z43DK6JEh/zvUzYRR0vvq/o2vdjVBrU8HPW3QMgYOZkgxf1P3X+8HybL4wtlflHnPghnD15Ngsf8=&isnBX=nywdxOY_N7CAIHs - rule_id: 36377 http://www.saintprojetdesalers.com/stcf/ - rule_id: 36373 http://www.saintprojetdesalers.com/stcf/?el=+e/LxL8BCb5JT2mwgKzbp1bNGh3lgePyU3D6l90SLvlYtUAerZBoaAu+StBCYI+EmdbaVLlpQ9qQs+tY0i0hLe/6ntyVXpS6CIyxXlk=&isnBX=nywdxOY_N7CAIHs - rule_id: 36373 http://www.innovativefewsustra.com/stcf/ - rule_id: 36377 http://www.hummall.com/stcf/ - rule_id: 36375 http://www.admiralx-qjff.buzz/stcf/ - rule_id: 36376 http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip http://www.ronikonmet.online/stcf/ - rule_id: 36374 http://www.houtaijiaju.com/stcf/ - rule_id: 36372 http://www.hummall.com/stcf/?el=Nk5K1Xbn5LNktyygdQF3BnmJ+burJ+ny2OkZcNPXdwEtJdOtq79vPWmp/B6BaLcWj3tVzmTo+5PqGZIC/UTM1vSFnsb91g1hVUGRl4c=&isnBX=nywdxOY_N7CAIHs - rule_id: 36375 http://www.admiralx-qjff.buzz/stcf/?el=/cN5NAnYyQNGkv6VI4g5hCl6zLANo+Uxyk0R0Gf4W9JvbRZK1NaF3DJOi9LLfoZAma38Eec3ft5h7udphOb57G+0pUhbPZipWhAdHO0=&isnBX=nywdxOY_N7CAIHs - rule_id: 36376
|
15
www.houtaijiaju.com(206.237.167.5) - mailcious www.aboutmart.info(66.29.149.4) - mailcious www.saintprojetdesalers.com(103.224.182.252) - mailcious www.hummall.com(192.187.101.110) - mailcious www.innovativefewsustra.com() - mailcious www.admiralx-qjff.buzz(104.21.79.241) - mailcious www.ronikonmet.online(194.58.112.174) - mailcious 103.224.182.252 - mailcious 192.187.101.110 - mailcious 206.237.167.5 - mailcious 199.21.76.77 - mailcious 194.58.112.174 - mailcious 66.29.149.4 - mailcious 45.33.6.223 104.21.79.241
|
2
ET INFO HTTP Request to a *.buzz domain ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
|
12
http://www.houtaijiaju.com/stcf/ http://www.ronikonmet.online/stcf/ http://www.innovativefewsustra.com/stcf/ http://www.saintprojetdesalers.com/stcf/ http://www.saintprojetdesalers.com/stcf/ http://www.innovativefewsustra.com/stcf/ http://www.hummall.com/stcf/ http://www.admiralx-qjff.buzz/stcf/ http://www.ronikonmet.online/stcf/ http://www.houtaijiaju.com/stcf/ http://www.hummall.com/stcf/ http://www.admiralx-qjff.buzz/stcf/
|
6.6 |
M |
32 |
ZeroCERT
8552 |
2023-09-18 13:40
|
po# 348839.exe 4a7a9da9b5d246c23e12315e4eac1fcd Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check Malware download VirusTotal Malware suspicious privilege Check memory Creates executable files ICMP traffic unpack itself AppData folder |
13
http://www.admiralx-qjff.buzz/stcf/?Pve=/cN5NAnYyQNGkv6VI4g5hCl6zLANo+Uxyk0R0Gf4W9JvbRZK1NaF3DJOi9LLfoZAma38Eec3ft5h7udphOb57G+0pUhbPZipWhAdHO0=&LSiIl=htN9PL45qap - rule_id: 36376 http://www.houtaijiaju.com/stcf/?Pve=1dqEu7FqG0Fk44M2SsORztBhqeVPz5dcffezXnqN6lUv5lMi6TOQp3fd1b+R5p9IBvl5i/IMrCH65j4DnfcQMtwjHinribTwYdLVWxQ=&LSiIl=htN9PL45qap - rule_id: 36372 http://www.hummall.com/stcf/?Pve=Nk5K1Xbn5LNktyygdQF3BnmJ+burJ+ny2OkZcNPXdwEtJdOtq79vPWmp/B6BaLcWj3tVzmTo+5PqGZIC/UTM1vSFnsb91g1hVUGRl4c=&LSiIl=htN9PL45qap - rule_id: 36375 http://www.saintprojetdesalers.com/stcf/?Pve=+e/LxL8BCb5JT2mwgKzbp1bNGh3lgePyU3D6l90SLvlYtUAerZBoaAu+StBCYI+EmdbaVLlpQ9qQs+tY0i0hLe/6ntyVXpS6CIyxXlk=&LSiIl=htN9PL45qap - rule_id: 36373 http://www.ronikonmet.online/stcf/?Pve=uecC1YIjKds5pfO1EToES15TCdBTvi7vIYoUJgTFy6qDYT2nEUgo5MyoghBmj6FTuqUN6uVJE1bE0H4aXubCPUG1zI5pjeamkbBuCmA=&LSiIl=htN9PL45qap - rule_id: 36374 http://www.innovativefewsustra.com/stcf/?Pve=KMOD9sTNx2YSpovUrRJUEzn1Yx0Z43DK6JEh/zvUzYRR0vvq/o2vdjVBrU8HPW3QMgYOZkgxf1P3X+8HybL4wtlflHnPghnD15Ngsf8=&LSiIl=htN9PL45qap - rule_id: 36377 http://www.saintprojetdesalers.com/stcf/ - rule_id: 36373 http://www.houtaijiaju.com/stcf/ - rule_id: 36372 http://www.innovativefewsustra.com/stcf/ - rule_id: 36377 http://www.hummall.com/stcf/ - rule_id: 36375 http://www.admiralx-qjff.buzz/stcf/ - rule_id: 36376 http://www.ronikonmet.online/stcf/ - rule_id: 36374 http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
|
15
www.houtaijiaju.com(206.237.167.5) - mailcious www.aboutmart.info(66.29.149.4) - mailcious www.saintprojetdesalers.com(103.224.182.252) - mailcious www.hummall.com(192.187.101.110) - mailcious www.innovativefewsustra.com() - mailcious www.admiralx-qjff.buzz(172.67.172.5) - mailcious www.ronikonmet.online(194.58.112.174) - mailcious 103.224.182.252 - mailcious 192.187.101.110 - mailcious 206.237.167.5 - mailcious 199.21.76.77 - mailcious 194.58.112.174 - mailcious 66.29.149.4 - mailcious 45.33.6.223 172.67.172.5 - mailcious
|
2
ET INFO HTTP Request to a *.buzz domain ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
|
12
http://www.admiralx-qjff.buzz/stcf/ http://www.houtaijiaju.com/stcf/ http://www.hummall.com/stcf/ http://www.saintprojetdesalers.com/stcf/ http://www.ronikonmet.online/stcf/ http://www.innovativefewsustra.com/stcf/ http://www.saintprojetdesalers.com/stcf/ http://www.houtaijiaju.com/stcf/ http://www.innovativefewsustra.com/stcf/ http://www.hummall.com/stcf/ http://www.admiralx-qjff.buzz/stcf/ http://www.ronikonmet.online/stcf/
|
6.6 |
M |
32 |
ZeroCERT
8553 |
2023-09-18 11:35
|
364D4FDF430477222FE854B3CD5B6D... 364d4fdf430477222fe854b3cd5b6d40 Suspicious_Script_Bin Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM CHM Format VirusTotal Malware AutoRuns MachineGuid Code Injection Check memory Checks debugger Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName |
1
http://00701111.000webhostapp.com/wp-extra/show.php?query=50
5.2 |
|
16 |
ZeroCERT
8554 |
2023-09-18 11:30
|
XMYFCPT9speAh98pdf.lnk 6d164ac8281441a98190607ceff43264 Lnk Format GIF Format VirusTotal Malware Creates shortcut AntiVM_Disk WriteConsoleW VM Disk Size Check |
1.6 |
|
15 |
ZeroCERT
8555 |
2023-09-18 11:25
|
북의 핵위협 양상과 한국의 대응방향.chm... 364d4fdf430477222fe854b3cd5b6d40 AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory unpack itself crashed |
2.4 |
|
16 |
ZeroCERT
8556 |
2023-09-18 11:22
|
ob.ps1 19f25adb285db21f0f11e966bc57d48e Generic Malware Antivirus unpack itself WriteConsoleW Windows Cryptographic key |
0.8 |
ZeroCERT
8557 |
2023-09-18 09:49
|
winlogin.exe 64aa45857bbf819ca0516126748ddfdb UPX PE File PE32 .NET EXE OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
2
180.ip.ply.gg(209.25.142.180) 209.25.142.180
3.6 |
|
59 |
ZeroCERT
8558 |
2023-09-18 09:48
|
forex.msi 452db598b23ac2a6cd0d4d4692f1c438 Generic Malware Malicious Library CAB MSOffice File OS Processor Check Malware download VirusTotal Malware Buffer PE suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check Lumma Stealer ComputerName |
2
http://leaseagent.xyz/c2conf http://leaseagent.xyz/
|
2
leaseagent.xyz(104.21.42.182) 104.21.42.182
|
2
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt ET INFO Unconfigured nginx Access
5.0 |
|
6 |
ZeroCERT
8559 |
2023-09-18 09:47
|
Magic_Stage.ps1 3377b4e386b5ef09b80f96c3b121f9c8 Generic Malware Antivirus PE File .NET DLL DLL PE32 VirusTotal Malware powershell Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
3
http://44.203.122.41/mini.ps1 https://paste.ee/r/AqqN6/0 - rule_id: 36575 https://paste.ee/r/AqqN6/0
|
3
paste.ee(104.21.84.67) - mailcious 104.21.84.67 - malware 44.203.122.41 - mailcious
|
3
ET INFO PS1 Powershell File Request ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://paste.ee/r/AqqN6/0
|
7.2 |
|
1 |
ZeroCERT
8560 |
2023-09-18 09:44
|
ClickMe.lnk 08b5b3505abb428c860598363761f2e8 Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
5.6 |
|
4 |
ZeroCERT
8561 |
2023-09-18 09:43
|
3fdbfc74.exe 5ba328846dad5cb3e3a41f579d25b7fd UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
1.2 |
M |
27 |
ZeroCERT
8562 |
2023-09-18 09:42
|
Cmstp.bat 31254e5f0a767dba0d013d83d8949be8 Generic Malware Hide_EXE Downloader WebCam Antivirus UPX Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM PE File .NET DLL DLL PE32 Malware powershell MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself suspicious process AppData folder WriteConsoleW Windows DNS Cryptographic key |
3
http://44.203.122.41/mini.ps1 http://44.203.122.41/winlogin.exe http://44.203.122.41/Night_uac/down.ps1
|
3
180.ip.ply.gg(209.25.142.180) 209.25.142.180 44.203.122.41 - mailcious
|
6
ET INFO PS1 Powershell File Request ET HUNTING Generic Powershell DownloadFile Command ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6.8 |
M |
|
ZeroCERT
8563 |
2023-09-18 07:51
|
champ.exe 1ac6fd0301c47ecb144702fd7a9ffe22 .NET framework(MSIL) PE File PE32 .NET EXE suspicious privilege Code Injection Check memory Checks debugger unpack itself |
4.2 |
M |
|
ZeroCERT
8564 |
2023-09-18 07:50
|
index.php 5ba328846dad5cb3e3a41f579d25b7fd UPX Malicious Library PE File PE32 OS Processor Check unpack itself |
0.4 |
ZeroCERT
8565 |
2023-09-18 07:48
|
Arch_scam.ps1 671f5371312d91c2e723fe2035655aac Generic Malware Antivirus AntiDebug AntiVM PE File PE32 .NET EXE Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted WMI Creates executable files unpack itself Detects VMWare powershell.exe wrote Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware VM Disk Size Check Windows ComputerName DNS Cryptographic key crashed |
1
http://44.203.122.41/Archevod_XWorm.exe
|
1
44.203.122.41 - mailcious
|
4
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
14.2 |
M |
|
ZeroCERT