9721 | 2024-05-24 07:52
gHIvTf22qvmZjum.exe 8b7b19184d4eaa008d1cbba2bfece478 AgentTesla Malicious Library PWS KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Browser Email ComputerName crashed
URLs (1): http://ip-api.com/line/?fields=hosting
Hosts (2): ip-api.com(208.95.112.1) 208.95.112.1
Signatures (1): ET POLICY External IP Lookup ip-api.com
11.4 | | 56 | ZeroCERT

9722 | 2024-05-24 07:51
7zipsilentinstaller.exe 09fc747681c810bf422de1d30713800c Malicious Library Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
Hosts (2): 7-zip.org(49.12.202.237) 49.12.202.237
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.8 | M | 6 | ZeroCERT

9723 | 2024-05-24 07:50
ChromeSetup.exe fe2f9e211bfaf529c92bc28cb847da46 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName RCE DNS
URLs (4): http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd
Hosts (28):
Signatures (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP; ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
7.6 | M | | ZeroCERT

9724 | 2024-05-24 07:49
xxxz.exe fba7a7675a7db49f2e2d06c74912a706 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.4 | | 58 | ZeroCERT

9725 | 2024-05-24 07:49
csrss.exe e5cb8c66cab6a972529a85480b9881bc Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key
4.0 | M | 56 | ZeroCERT

9726 | 2024-05-24 07:47
Client.exe 7ac0adf482250172280defec7a7054da Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1):
2.6 | M | 63 | ZeroCERT

9727 | 2024-05-24 07:47
sharonzx.exe 0b67adeb422396c047e87fa78a9e8e80 Loki LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1): http://rocheholding.top/evie3/five/fre.php - rule_id: 39724
Hosts (16):
Signatures (8): ET DNS Query to a *.top domain - Likely Hostile; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP Request to a *.top domain; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Fake 404 Response
1 | http://rocheholding.top/evie3/five/fre.php
16.0 | M | 40 | ZeroCERT

9728 | 2024-05-24 07:47
Testing.exe 144f1b1c4b9cdad97d8dd1a3a89e7ea1 Suspicious_Script_Bin Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX Confuser .NET PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram Buffer PE AutoRuns Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder installed browsers check Tofsee Windows Browser DNS
Hosts (4): api64.ipify.org(173.231.16.77) api.telegram.org(149.154.167.220) 173.231.16.77 149.154.167.220
Signatures (6): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO TLS Handshake Failure; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); ET HUNTING Telegram API Domain in DNS Lookup
7.0 | M | 60 | ZeroCERT

9729 | 2024-05-24 07:46
vax.exe efb0c31543ca816cd9a55cafd730224c Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Check memory Checks debugger unpack itself
0.8 | M | | ZeroCERT

9730 | 2024-05-24 07:42
Bypass3_Pure_Mode.exe 6e1e63e97c09758e3db18ea31bd95284 Generic Malware Malicious Library Malicious Packer UPX Antivirus Anti_VM PE File .NET EXE PE32 PE64 ftp OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key
5.2 | M | 58 | ZeroCERT

9731 | 2024-05-24 07:41
rooma.exe 1dcce19e1a6306424d073487af821ff0 Generic Malware Malicious Library PE File PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware buffers extracted Creates executable files unpack itself AppData folder Browser DNS
URLs (19):
Hosts (20):
Signatures (3): ET MALWARE FormBook CnC Checkin (GET) M5; ET INFO Observed DNS Query to .zip TLD; ET INFO HTTP Request to a *.zip Domain
6.6 | M | 60 | ZeroCERT

9732 | 2024-05-24 07:41
SrbijaSetupHokej.exe 528b9a26fd19839aeba788171c568311 Generic Malware Malicious Library UPX PE File PE32 MZP Format OS Processor Check PE64 VirusTotal Malware Checks debugger unpack itself AppData folder
2.0 | | 2 | ZeroCERT

9733 | 2024-05-24 07:40
GoogleUpdateTaskMachineQCW.exe 4e9292f02efc44abd5a2671439283405 PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency DNS CoinMiner
Hosts (2): xmr.2miners.com(162.19.139.184) - malicious 162.19.139.184 - malicious
Signatures (1): ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
2.4 | | 56 | ZeroCERT

9734 | 2024-05-24 07:38
svc.exe 92c57dd80b764a028749520017d44e76 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
2.0 | M | 61 | ZeroCERT

9735 | 2024-05-23 20:54
1.jpg d1a446c5c7563fb7901a33313ddb9d05 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself RCE
2.4 | M | 37 | ZeroCERT