| 9076 |
2023-08-26 21:31
|
 alotdatas.exe 8baf3a087399d0e0021ebbe699321333
Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware PDB DNS |
|
1
193.142.147.59 - mailcious
|
|
|
3.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9077 |
2023-08-26 21:29
|
 Moriwnrn.exe f91db36135a994d00b92ec2b1be0fca9
Generic Malware .NET framework(MSIL) Antivirus PE File .NET EXE PE32 PowerShell VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
|
1
193.142.147.59 - mailcious
|
|
|
11.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9078 |
2023-08-26 21:28
|
 Eppzjtedzmk.exe 8a1c6ab6aeeec522d4d2d483543cb6ad
LokiBot Generic Malware task schedule .NET framework(MSIL) Antivirus PWS DNS ScreenShot KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 PowerShell VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
11.4 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9079 |
2023-08-26 21:27
|
 TPB-1.exe 5de87b373a800e9ec989dc08dfd4ded0
.NET framework(MSIL) Http API PWS HTTP ScreenShot Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download VirusTotal Malware RecordBreaker suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion installed browsers check Stealer Windows Browser DNS Cryptographic key |
8
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://193.142.147.59/e1fb217729efc3471848bf7aa6f6c49e
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
|
1
193.142.147.59 - mailcious
|
11
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible Generic Stealer Sending System Information
|
|
13.0 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9080 |
2023-08-26 21:26
|
 Z2K-1.exe 140510ca012bf95c60b339b6388c2ca9
Gen1 .NET framework(MSIL) Malicious Library UPX Malicious Packer Http API PWS HTTP ScreenShot Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder sandbox evasion installed browsers check Stealer Windows Browser DNS Cryptographic key crashed |
8
http://193.142.147.59/db6a9919d0fc0d9c5f81c7bb4a3bc636
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://193.142.147.59/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
|
1
193.142.147.59 - mailcious
|
11
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible Generic Stealer Sending System Information
|
|
13.6 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9081 |
2023-08-26 21:26
|
 Lrbaski.exe b2f1ba65b5e4d49ff785247fc553bd94
PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces |
|
|
|
|
2.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9082 |
2023-08-26 21:23
|
 55555.exe 70d02e692f264a782f5c6142d4804caa
Malicious Library UPX Malicious Packer Anti_VM OS Processor Check PE File PE64 DLL VirusTotal Malware Creates executable files |
|
|
|
|
1.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9083 |
2023-08-26 04:25
|
http://smp-device-content.appl...
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://smp-device-content.apple.com/
|
2
smp-device-content.apple.com(17.253.69.204)
17.253.75.205
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9084 |
2023-08-26 04:22
|
http://d3js.org 1bd32f457f2dc057f8c0beb9107212cd
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM MSOffice File Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
6
http://d3js.org/
https://d3js.org/favicon.ico
https://d3js.org/assets/app.b8957a3f.js
https://d3js.org/assets/style.37c4d7e2.css
https://d3js.org/
https://d3js.org/logo.svg
|
4
static.observableusercontent.com(18.64.8.37)
d3js.org(172.67.73.126)
18.64.8.28
104.26.6.30
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9085 |
2023-08-26 03:43
|
http://bag.itunes.apple.com
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://bag.itunes.apple.com/
|
2
bag.itunes.apple.com(104.76.96.30)
23.52.32.17
|
3
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9086 |
2023-08-26 03:26
|
http://netcts.cdn-apple.com 73a78ff5bd7e5e88aa445826d4d6eecb
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
http://netcts.cdn-apple.com/favicon.ico
http://netcts.cdn-apple.com/
|
2
netcts.cdn-apple.com(23.67.53.26)
121.254.136.64
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9087 |
2023-08-26 03:00
|
http://mask-api.icloud.com
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://mask-api.icloud.com/
|
2
mask-api.icloud.com(17.248.221.65)
17.248.221.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9088 |
2023-08-26 02:29
|
http://mask-api.icloud.com
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://mask-api.icloud.com/
|
2
mask-api.icloud.com(17.248.221.64)
17.248.221.64
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9089 |
2023-08-26 00:23
|
http://risorse.tim.it
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
|
2
risorse.tim.it(81.74.236.236)
81.74.228.24
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9090 |
2023-08-25 20:13
|
 vbc.exe 90d7398bd4bb66384b309201ce5f20f0
Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
60 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|