9676 | 2023-10-11 11:31 | Documenti.url | 605a545fcf4bdb9f72cccce6f96c3b00
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
  http://62.173.146.72/scarica/impresa.exe
Hosts (1):
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | | 5 | ZeroCERT

9677 | 2023-10-11 11:30 | disruptive.lnk | 70964a6ad358b8e1ed36b1d6ebd3a03b
Tags: PDF unpack itself Windows utilities Windows
1.4 | | | ZeroCERT

9678 | 2023-10-11 11:29 | Azienda.url | 7d41622bb8e2d0cc1e148b9d536c792b
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting unpack itself Windows utilities Tofsee Windows DNS
URLs (1):
  http://62.173.145.25/scarica/unito.exe
Hosts (1):
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
4.8 | | 5 | ZeroCERT

9679 | 2023-10-11 11:27 | ReklamX.ps1 | 89e77fe3f7bc59200ede7741097bd7e4
Tags: Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key
1.2 | | 4 | ZeroCERT

9680 | 2023-10-11 11:27 | Report6.msi | 08b7acfc53290cda3cc74fcef70f6e65
Tags: DarkGate Malicious Library MSOffice File CAB OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Windows ComputerName
URLs (5):
  http://prestige-castom.com:2351/hnbidn - rule_id: 37159
  http://prestige-castom.com:2351/dflqow - rule_id: 37159
  http://prestige-castom.com:2351/ - rule_id: 37159
  http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt
  http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
Hosts (5):
  www.ssl.com(54.174.96.153)
  vintagecarsforlife.com(162.33.179.65)
  prestige-castom.com(162.33.179.65) - mailcious
  162.33.179.65 - mailcious
  54.236.82.84
Alerts (3):
  ET POLICY curl User-Agent Outbound
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
Requests (3):
  http://prestige-castom.com:2351/
  http://prestige-castom.com:2351/
  http://prestige-castom.com:2351/
5.2 | M | 11 | ZeroCERT

9681 | 2023-10-11 11:18 | ebd.zip | 6e1bfdcf1577db9886dd1440808ed4f2
Tags: DarkGate ZIP Format Windows
URLs (4):
  http://secure.globalsign.com/cacert/codesigningrootr45.crt
  http://prestige-castom.com:2351/ - rule_id: 37159
  http://prestige-castom.com:2351/msirzgnzamg - rule_id: 37159
  http://prestige-castom.com:2351/gqcsfd - rule_id: 37159
Hosts (5):
  secure.globalsign.com(104.18.21.226)
  vintagecarsforlife.com(162.33.179.65)
  prestige-castom.com(162.33.179.65) - mailcious
  162.33.179.65 - mailcious
  104.18.20.226
Alerts (3):
  ET POLICY curl User-Agent Outbound
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
Requests (3):
  http://prestige-castom.com:2351/
  http://prestige-castom.com:2351/
  http://prestige-castom.com:2351/
1.4 | M | | guest

9682 | 2023-10-11 10:58 | REQUEST FOR OFFER.exe | 40a0594721777a253cd4481267194ff9
Tags: Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed
2.8 | | 7 | ZeroCERT

9683 | 2023-10-11 08:07 | updat1.exe | 571ea8843de2bd01744f6caba0e202ea
Tags: Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed
2.0 | M | 29 | guest

9684 | 2023-10-11 08:03 | sihost.exe | 7ee626b72a7112befb6febbb8f635ede
Tags: LokiBot Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
13.0 | M | 38 | ZeroCERT

9685 | 2023-10-11 08:01 | marcolite2.1.exe | 71ea87bcc822a68c4ef492ecbdba37f6
Tags: NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (1):
  http://www.cysh100th.com/t6tg/?RVE=C4RGcRJ+oFeN6Dw5JyxSSWJXrhqNO9HSkiwUjsu5KAkN06m/6Uw6tkK+9OBn6uuuNd9cxUAj&oX=Txo8ntIpM8sp
Hosts (5):
  www.ascend-help.tech()
  www.ep0i.com()
  www.cysh100th.com(66.235.200.146)
  www.adam-automatik.com()
  66.235.200.146 - malware
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
4.4 | M | 34 | ZeroCERT

9686 | 2023-10-11 07:59 | fbinzx.exe | 00b27694025e82652c1976c6745a2de1
Tags: Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (2):
  http://www.couturewrap.com/btrd/?I6h=SG9A3Pt3xYazNmDlDw9fHiFSCreErl1UBTZXmuPCTcYswo69CAuXyrO6p7GwaEZoJbh+8dJR&nfutZl=xPJxZ6jp - rule_id: 34170
  http://www.zimmerli.online/btrd/?I6h=TxZDFykc/keWgTeXgWWLM6uN5HzrA8yC53jils16edLR65eOdlp3LoNC2wSzs0M9J4jN2BYo&nfutZl=xPJxZ6jp
Hosts (5):
  www.zimmerli.online(128.65.195.180)
  www.couturewrap.com(15.197.148.33) - mailcious
  www.fxsecuretrading-option.com()
  128.65.195.180 - mailcious
  3.33.130.190 - phishing
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Requests (1):
  http://www.couturewrap.com/btrd/
8.4 | M | 39 | ZeroCERT

9687 | 2023-10-11 07:57 | sihost.exe | 1d2e25e64e7c402540fa6ce6871257f4
Tags: Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (3):
  api.ipify.org(64.185.227.156)
  172.67.196.133 - mailcious
  64.185.227.156
Alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.0 | M | 41 | ZeroCERT

9688 | 2023-10-11 07:57 | sihost.exe | 8d91ce7f3a66bcfda11e488cc34c698f
Tags: Formbook UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor C FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
URLs (20):
  http://www.onlyleona.com/kniu/ - rule_id: 36720
  http://www.palatepursuits.cfd/kniu/ - rule_id: 36726
  http://www.onlyleona.com/kniu/?WwaYeLk_=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&154=h0P9RQvD - rule_id: 36720
  http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
  http://www.xxkxcfkujyeft.xyz/kniu/?WwaYeLk_=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&154=h0P9RQvD - rule_id: 36719
  http://www.flyingfoxnb.com/kniu/?WwaYeLk_=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&154=h0P9RQvD - rule_id: 36725
  http://www.palatepursuits.cfd/kniu/?WwaYeLk_=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&154=h0P9RQvD - rule_id: 36726
  http://www.flyingfoxnb.com/kniu/ - rule_id: 36725
  http://www.tsygy.com/kniu/?WwaYeLk_=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&154=h0P9RQvD - rule_id: 36721
  http://www.theartboxslidell.com/kniu/ - rule_id: 36718
  http://www.frefire.top/kniu/ - rule_id: 36723
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
  http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
  http://www.theartboxslidell.com/kniu/?WwaYeLk_=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&154=h0P9RQvD - rule_id: 36718
  http://23.95.106.3/350/122/Ekcflzifpij.mp3
  http://www.poultry-symposium.com/kniu/?WwaYeLk_=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&154=h0P9RQvD - rule_id: 36722
  http://www.frefire.top/kniu/?WwaYeLk_=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&154=h0P9RQvD - rule_id: 36723
  http://www.poultry-symposium.com/kniu/ - rule_id: 36722
  http://www.tsygy.com/kniu/ - rule_id: 36721
  http://www.prosourcegraniteinc.com/kniu/?WwaYeLk_=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&154=h0P9RQvD - rule_id: 36717
Hosts (24):
  www.palatepursuits.cfd(104.21.21.57) - mailcious
  www.onlyleona.com(104.21.13.143) - mailcious
  www.pengeloladata.click() - mailcious
  www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
  www.siteapp.fun() - mailcious
  www.theartboxslidell.com(199.59.243.225) - mailcious
  www.8956kjw1.com(103.71.154.243)
  www.tsygy.com(23.104.137.185) - mailcious
  www.frefire.top(67.223.117.37) - mailcious
  www.poultry-symposium.com(85.128.134.237) - mailcious
  www.flyingfoxnb.com(216.40.34.41) - mailcious
  www.prosourcegraniteinc.com(216.239.36.21) - mailcious
  216.239.38.21 - phishing
  23.104.137.185 - mailcious
  23.95.106.3 - mailcious
  67.223.117.37 - mailcious
  199.59.243.225
  172.67.196.133 - mailcious
  216.40.34.41 - mailcious
  216.240.130.67 - mailcious
  104.21.13.143
  103.71.154.243
  45.33.6.223
  85.128.134.237 - mailcious
Alerts (11):
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SURICATA HTTP unable to match response to request
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Requests (18):
  http://www.onlyleona.com/kniu/
  http://www.palatepursuits.cfd/kniu/
  http://www.onlyleona.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.flyingfoxnb.com/kniu/
  http://www.palatepursuits.cfd/kniu/
  http://www.flyingfoxnb.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.frefire.top/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.frefire.top/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
11.4 | M | 40 | ZeroCERT

9689 | 2023-10-11 07:56 | updat1.exe | 571ea8843de2bd01744f6caba0e202ea
Tags: Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed
2.0 | M | 29 | ZeroCERT

9690 | 2023-10-11 07:55 | ishost.exe | e8ba8c2f63e7d3e3cbf0dd2a426e4eb5
Tags: Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
12.0 | M | 32 | ZeroCERT