9181 | 2023-11-02 07:46 | litoptics2.1.exe | MD5 77e2b6a251b3ed0440f515824c1d67fd
Tags: PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself
1.4 | - | - | ZeroCERT

9182 | 2023-11-02 07:46 | haloup.exe | MD5 3e6ed1ceb52c1d4e9ef09cd3aebe7741
Tags: Malicious Library UPX PE File PE64 OS Processor Check
0.2 | - | - | ZeroCERT

9183 | 2023-11-01 19:37 | Biacs.exe | MD5 8bbba1d1448825a0c428dc296573cf8d
Tags: Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Windows DNS Cryptographic key
URLs (21):
  http://www.onlyleona.com/kniu/ - rule_id: 36720
  http://www.prosourcegraniteinc.com/kniu/?hGC=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&iOwKE=__tE6 - rule_id: 36717
  http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
  http://www.theartboxslidell.com/kniu/?hGC=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&iOwKE=__tE6 - rule_id: 36718
  http://www.tsygy.com/kniu/?hGC=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&iOwKE=__tE6 - rule_id: 36721
  http://192.3.64.154/1906/Pxgltvs.pdf
  http://www.poultry-symposium.com/kniu/ - rule_id: 36722
  http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
  http://www.theartboxslidell.com/kniu/ - rule_id: 36718
  http://www.frefire.top/kniu/?hGC=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&iOwKE=__tE6 - rule_id: 36723
  http://www.frefire.top/kniu/ - rule_id: 36723
  http://www.xxkxcfkujyeft.xyz/kniu/?hGC=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&iOwKE=__tE6 - rule_id: 36719
  http://www.flyingfoxnb.com/kniu/ - rule_id: 36725
  http://www.palatepursuits.cfd/kniu/?hGC=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&iOwKE=__tE6 - rule_id: 36726
  http://www.tsygy.com/kniu/ - rule_id: 36721
  http://www.palatepursuits.cfd/kniu/ - rule_id: 36726
  http://192.3.64.154/1906/HtmlIEcleanerHistory.exe
  http://www.onlyleona.com/kniu/?hGC=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&iOwKE=__tE6 - rule_id: 36720
  http://www.flyingfoxnb.com/kniu/?hGC=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&iOwKE=__tE6 - rule_id: 36725
  http://www.poultry-symposium.com/kniu/?hGC=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&iOwKE=__tE6 - rule_id: 36722
Hosts (24):
  www.palatepursuits.cfd(104.21.21.57) - mailcious
  www.onlyleona.com(104.21.13.143) - mailcious
  www.prosourcegraniteinc.com(216.239.32.21) - mailcious
  www.pengeloladata.click() - mailcious
  www.xxkxcfkujyeft.xyz(142.171.29.133) - mailcious
  www.theartboxslidell.com(23.82.12.35) - mailcious
  www.8956kjw1.com(103.71.154.243)
  www.frefire.top(67.223.117.37) - mailcious
  www.tsygy.com(23.104.137.185) - mailcious
  www.poultry-symposium.com(85.128.134.237) - mailcious
  www.flyingfoxnb.com(216.40.34.41) - mailcious
  www.siteapp.fun() - mailcious
  142.171.29.133
  192.3.64.154 - mailcious
  23.104.137.185 - mailcious
  67.223.117.37 - mailcious
  172.67.196.133 - mailcious
  216.40.34.41 - mailcious
  23.82.12.35
  103.71.154.243
  45.33.6.223
  216.239.36.21 - phishing
  172.67.132.228 - mailcious
  85.128.134.237 - mailcious
Alerts (12):
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO Dotted Quad Host PDF Request
  SURICATA HTTP unable to match response to request
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET HUNTING Request to .TOP Domain with Minimal Headers
Rule-matched URLs (18):
  http://www.onlyleona.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.frefire.top/kniu/
  http://www.frefire.top/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.flyingfoxnb.com/kniu/
  http://www.palatepursuits.cfd/kniu/
  http://www.tsygy.com/kniu/
  http://www.palatepursuits.cfd/kniu/
  http://www.onlyleona.com/kniu/
  http://www.flyingfoxnb.com/kniu/
  http://www.poultry-symposium.com/kniu/
11.0 | M | 30 | ZeroCERT

9184 | 2023-11-01 18:48 | IGCC.exe | MD5 f26a2f5b20109013af6303c9adc2546d
Tags: Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader .NET framework(MSIL) Antivirus Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Internet API KeyLogger AntiDebu Remcos VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  sembe.duckdns.org(194.187.251.115)
  178.237.33.50
  194.187.251.115
Alerts (3):
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET JA3 Hash - Remcos 3.x TLS Connection
13.4 | M | 27 | ZeroCERT

9185 | 2023-11-01 18:47 | 2xf9uf.bat | MD5 0f74a2178106172bd65f8bda36eb2572
Tags: Generic Malware Downloader Antivirus UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key
5.8 | - | 6 | ZeroCERT

9186 | 2023-11-01 18:46 | htmlIREcontentwritingcache.doc | MD5 0e17386f4c9bd1dc872a1b00a5ec1ce0
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed
URLs (2):
  http://geoplugin.net/json.gp
  http://146.70.78.28/3500/IGCC.exe
Hosts (5):
  geoplugin.net(178.237.33.50)
  sembe.duckdns.org(194.187.251.115)
  178.237.33.50
  146.70.78.28 - malware
  194.187.251.115
Alerts (8):
  ET JA3 Hash - Remcos 3.x TLS Connection
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4.6 | M | 30 | ZeroCERT

9187 | 2023-11-01 18:42 | Archive.rar | MD5 8988dd76e0075a66d1030daa58d220f1
Tags: Escalate priviledges PWS KeyLogger AntiDebug AntiVM ftp Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee DNS
URLs (5):
  http://94.142.138.113/api/firegate.php - rule_id: 36152
  http://94.142.138.113/api/tracemap.php - rule_id: 28877
  https://vk.com/doc26060933_667173484?hash=A1dmV4pq2EY7qgmQUNzGLIsxaMexd8IeIWU9C4qfGWs&dl=HW3dyNuyU3NU5OenwscyGVYZxNCzBaTesYkhsTpR8qs&api=1&no_preview=1
  https://sun6-21.userapi.com/c237231/u26060933/docs/d41/b01ef5bd7b4a/Setup.bmp?extra=fPPLkVjVVeEJBIi4Of7fAGBCJkUgPJP0zTNhqwXCyZxyqQK-ShKZ5pV0Q9N_iwIsrcQGex6idPQM1iCflk3FKizdrZfEwMM53QuRuvk2p_dEZymICGeJzS0sCUFyDI0lpF31qoWurBw1MNPi
  https://api.myip.com/
Hosts (13):
  iplis.ru(148.251.234.93) - mailcious
  iplogger.org(148.251.234.83) - mailcious
  ipinfo.io(34.117.59.81)
  api.myip.com(172.67.75.163)
  vk.com(87.240.132.72) - mailcious
  sun6-21.userapi.com(95.142.206.1) - mailcious
  148.251.234.83
  148.251.234.93 - mailcious
  104.26.9.59
  95.142.206.1 - mailcious
  87.240.137.164 - mailcious
  94.142.138.113 - mailcious
  34.117.59.81
Alerts (8):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SURICATA Applayer Mismatch protocol both directions
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET INFO TLS Handshake Failure
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
Rule-matched URLs (2):
  http://94.142.138.113/api/firegate.php
  http://94.142.138.113/api/tracemap.php
5.0 | M | 1 | ZeroCERT

9188 | 2023-11-01 18:39 | IGCC.exe | MD5 d49b62e60e0e42b43f32adf23acfd369
Tags: UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 49 | ZeroCERT

9189 | 2023-11-01 09:58 | questionnaire.exe | MD5 065f0871b6025b8e61f35a188bca1d5c
Tags: Generic Malware Malicious Library Anti_VM PE File PE64 ftp OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself Check virtual network interfaces DNS crashed
URLs (2):
  http://146.70.149.61:8008/access/JWrapper-Windows64JRE-00084000053-archive.p2.l2
  http://146.70.149.61:8008/access/JWrapper-Windows64JRE-version.txt?time=2322853908
Hosts (1):
3.4 | - | 13 | ZeroCERT

9190 | 2023-11-01 09:58 | document_issued_ticket.bat | MD5 36615e952d3d0230e01c4aa0007c5cfa
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities WriteConsoleW Windows ComputerName Cryptographic key
3.4 | - | 2 | ZeroCERT

9191 | 2023-11-01 09:48 | settings.md.ps1 | MD5 d4a8463332d11c465c311485626a089e
Tags: Lnk Format GIF Format VirusTotal Malware powershell AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
  https://www.dropbox.com/scl/fi/xomwf87h5an20v2gilmvv/m.zip?rlkey=xg1osj3s43fl9pagr7zgj6y70&dl=1
Hosts (4):
  www.dropbox.com(162.125.84.18) - mailcious
  ambjulio.com(154.56.63.216) - mailcious
  154.56.63.216 - mailcious
  162.125.84.18 - mailcious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 15 | ZeroCERT

9192 | 2023-11-01 09:47 | vpke8.js | MD5 64fb844512400c176e18d956894663dd
Tags: crashed
0.2 | - | - | ZeroCERT

9193 | 2023-11-01 09:44 | CNOZ1237_3680420.js | MD5 8bc1516039ff6f4e48087ae01613c98a
Tags: VirusTotal Malware WMI ComputerName
1.4 | - | 2 | guest

9194 | 2023-11-01 09:40 | pwdw54.js | MD5 13d3bf04f274c2d9282623217acbbb5e
Tags: unpack itself crashed
0.6 | - | - | ZeroCERT

9195 | 2023-11-01 09:39 | 3mmusbi9y.js | MD5 e6e3eb6eddb12bdddc85bb59707dd4e4
Tags: crashed
0.2 | - | - | ZeroCERT