9106 | 2023-11-06 09:41
soyazx.exe 6713d6eadee3ad9164e66e555eaa16ee
Tags: Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2):
  http://www.robinsons-pools.com/s20a/?5j=X0kB3yCe2DbMHBjyZyduHI61R9zJKpP/1yM9ANRcG2StAR10Wwf8tUVEWg3X5jDkk9455Rxw&vTax-=LJBPmD1
  http://www.25egypt.net/s20a/?5j=KTT9+VCcA37+xtRGjaV8luty/MFMKL8hzZvZ6YYNfMtl9gwTEgJdqydErXPa1splGINEUr1P&vTax-=LJBPmD1
Hosts (5):
  www.robinsons-pools.com(13.248.243.5)
  www.25egypt.net(3.64.163.50)
  www.alexpresswholesaler.com()
  3.64.163.50 - malicious
  76.223.105.230 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
8.4 | 35 | ZeroCERT

9107 | 2023-11-06 09:41
spacezx.exe 1536cc9a88c87ba6a5e0dc22e2b876c2
Tags: PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | 48 | ZeroCERT

9108 | 2023-11-06 09:41
s5.exe e4c5c50d9c573109411348e4c7f79dd8
Tags: Malicious Library UPX Http API HTTP Internet API AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS
URLs (8):
  http://85.209.11.204/api/files/client/s54
  http://85.209.11.204/api/files/client/s51
  http://85.209.11.204/ip.php
  http://85.209.11.204/api/files/client/s53
  http://85.209.11.204/api/files/client/s52
  http://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
  https://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000&param=empty
  https://script.googleusercontent.com/macros/echo?user_content_key=rq3I6Pvq31ESr42SRVFCcH8cBMrOvGfc9LjrAFAjXKqooXQVZnHoVSKZ49ywNUr7mn_h-t_4xp16ZbQUh0u7vYizKKleUSwSOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa0CRDStSlAiWe9EsIf9E4ZPsnymwtpgwALY3ZEKNbUPKTwCm-q5YBdK9ax9ulRNROyEZlBVHKdgUzc9XRB8G-pFIaTITfR7fJ9yLw_QwlOLh3sVTfjuTogDzV_l7Cl_ErHbadLHwSTw0RLfCUlcjW3aqDyDBdoyuR54_mWWztr2JN0ZmedBznvo&lib=MGiFI8QOoThWusP0Kv6sJRfccXc-Ar0ZC
Hosts (5):
  script.google.com(142.250.206.238)
  script.googleusercontent.com(142.250.206.225)
  85.209.11.204
  172.217.24.78
  142.251.220.33
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | 39 | ZeroCERT

9109 | 2023-11-06 09:40
whesilozx.exe a117d7af8f85cacb310671b834482605
Tags: LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed keylogger
Hosts (2):
  cp5ua.hyperhost.ua(91.235.128.141)
  91.235.128.141
Alerts (2):
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 | 37 | ZeroCERT

9110 | 2023-11-06 09:37
patch.exe 836f7ee9f560b60cd68b2e3b3b6e1a26
Tags: Malicious Library UPX ASPack PE File PE32 ZIP Format ftp VirusTotal Malware PDB Creates executable files unpack itself AppData folder
2.4 | 12 | ZeroCERT

9111 | 2023-11-06 09:37
isbinzx.exe f297b0f6ff8bace56e8bc669a63df2a7
Tags: Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs
Hosts (3):
  www.tcbbuilds.com()
  www.lambdasigmarho.com()
  www.vurporn.com()
9.2 | 44 | ZeroCERT

9112 | 2023-11-06 09:35
kellyzx.exe 76a433c70bad5aa138a6c1ee1597dbb8
Tags: LokiBot .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs suspicious TLD installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://kelly.spencerstuartllc.top/_errorpages/kelly/five/fre.php
Hosts (2):
  kelly.spencerstuartllc.top(172.67.137.192)
  172.67.137.192
Alerts (9):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP Request to a *.top domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
13.6 | 50 | ZeroCERT

9113 | 2023-11-06 09:34
millianozx.exe 4aec69a71dff9be27f998272b34a445d
Tags: PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | 50 | ZeroCERT

9114 | 2023-11-05 12:48
cred64.dll d4d558b12d16080148ba9fb0079810d2
Tags: Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion installed browsers check Windows Browser Email DNS Software
URLs (1):
  http://185.196.8.176/u8v5zeQ/index.php
Hosts (1):
6.8 | | ZeroCERT

9115 | 2023-11-05 12:46
Hjohkjkzcgv.exe 537157883e3ef69f372d96136069c476
Tags: Hide_EXE PE File PE64 Check memory Checks debugger unpack itself DNS
Hosts (1):
  27.124.46.157 - malicious
1.4 | | ZeroCERT

9116 | 2023-11-05 12:43
j-10 c9e0712a084fa3eb3742eb3d690217dd
Tags: Malicious Library Downloader PE File DLL PE32 Malware download Malware Malicious Traffic Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check GameoverP2P Zeus Windows DNS Downloader
URLs (1):
  http://27.124.46.157:8000/1
Hosts (1):
  27.124.46.157 - malicious
Alerts (9):
  SURICATA HTTP Request abnormal Content-Encoding header
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE OneLouder EXE download possibly installing Zeus P2P
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
  ET MALWARE JS/WSF Downloader Dec 08 2016 M6
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
4.0 | | ZeroCERT

9117 | 2023-11-05 12:41
TrueCrypt_CQTwbm.exe d77ff29db2a60bfadf7d453323aa90c4
Tags: Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check crashed
0.2 | | ZeroCERT

9118 | 2023-11-05 12:41
Output2.exe dbc8b6ebbaee6a3eb1359b4540b04028
Tags: UPX PE File PE32 .NET EXE Check memory Checks debugger unpack itself ComputerName
1.4 | | ZeroCERT

9119 | 2023-11-05 12:38
1 4de247341257c7ce18d6edfa52a1035b
Tags: UPX Downloader PE File PE32 crashed
1.0 | | ZeroCERT

9120 | 2023-11-05 12:38
HTMLieBrowserHistoryIE.dOC a8bbff822a016aa570f55c4986ed8946
Tags: MS_RTF_Obfuscation_Objects RTF File doc buffers extracted exploit crash unpack itself Tofsee Exploit crashed
Hosts (2):
  toss.is(45.33.42.226) - malicious
  45.33.42.226 - malicious
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Wrong direction first Data
2.6 | | ZeroCERT