| 9736 |
2023-08-04 09:20
|
 73cceb_b5b6005e2aa74cf48cd55dc... 9932fab98f2c021632045d04966db4fd
ZIP Format Word 2007 file format(docx) VirusTotal Malware unpack itself Tofsee |
2
https://huskidkifklaoksikfkfijsju.blogspot.com/atom.xml
https://huskidkifklaoksikfkfijsju.blogspot.com/
|
2
huskidkifklaoksikfkfijsju.blogspot.com(142.250.206.193)
142.250.199.65
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9737 |
2023-08-04 09:19
|
 plugmanzx.exe 5ec330fe2550aa08c66a9ffc6c034306
Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Google Chrome User Data Downloader .NET framework(MSIL) Create Service Socket Escalate priviledges PWS Sniff Audio DNS ScreenShot Internet API KeyLogger AntiDebug AntiVM .NET EXE PE File Remcos VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
b6079658.sytes.net(109.206.243.174)
178.237.33.50
109.206.243.174 - mailcious
|
2
ET JA3 Hash - Remcos 3.x TLS Connection
ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain
|
|
10.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9738 |
2023-08-04 09:17
|
Document_20022949450%23.doc 5c90c56d044b8660bd78f51bec0b4795
MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://2.59.254.19/fresh2/five/fre.php
http://103.37.60.77/350/ChromeSetups.exe
|
3
2.59.254.19
103.37.60.77 - malware
34.102.136.180 - mailcious
|
12
ET INFO Executable Download from dotted-quad Host
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Fake 404 Response
|
|
4.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9739 |
2023-08-04 09:17
|
 utilsxupdater.exe 96c30f7179f2d7045aba556d3b8f92af
Generic Malware UPX Malicious Library Antivirus PE64 PE File VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9740 |
2023-08-04 09:16
|
 defounderzx.exe 7b429c29a5d488db61e5c22bbb162293
Formbook .NET framework(MSIL) AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
4
http://www.engaugemate.com/fd62/?JjUdE2=w3iRoJKNMZff+mGYYWMWYRBrnbrLMEl1bjGl8S2ZgkzbfvvvyHRxnzLWDOCJth9SQvHEe5LW&YvLT_=z8o4nHbh36&sql=1
http://www.fifaworldcupatl.com/fd62/?JjUdE2=YVMoob9AlkCy4aE8qYQKw/O3VF2mHSImqoz7Z4r1FJJFGxv0iwEoaCSEuPRDATpRiXd/kVuC&YvLT_=z8o4nHbh36&sql=1
http://www.fifaworldcupatl.com/fd62/
http://www.engaugemate.com/fd62/
|
4
www.fifaworldcupatl.com(34.102.136.180)
www.engaugemate.com(34.102.136.180)
www.jiaypafc.cfd()
34.102.136.180 - mailcious
|
|
|
9.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9741 |
2023-08-04 09:15
|
 chrome.exe 8a967536e1b964e0b81a0e0964e26a02
.NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself DNS |
|
1
91.207.102.163 - mailcious
|
|
|
2.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9742 |
2023-08-04 09:13
|
 nNC0F21PVf7hKUD.exe 0874189f078f8e3fcb59e2900e078b7e
.NET framework(MSIL) Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
2.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9743 |
2023-08-04 09:12
|
ohoyeczx.doc 84fc75d62738624137845bd3c180ebe6
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://2.59.254.18/_errorpages/ohoyeczx.exe
|
3
91.207.102.163 - mailcious
2.59.254.18 - malware
38.53.14.81
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9744 |
2023-08-04 09:11
|
defounderzx.doc f453b83cb4f6c27b4796816e0f628abf
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic ICMP traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
5
http://www.sdxgwnkf.cfd/fd62/
http://www.soc34m.com/fd62/
http://www.soc34m.com/fd62/?JjUdE2=xn0HKfGIZzHBtebtM2PJoTiRmP7tmvS0K83HwlewIFGHtZl2UfwiPMnZWATjhy2Ku2mJdV27&t8o=FrFL&sql=1
http://www.sdxgwnkf.cfd/fd62/?JjUdE2=ghnUtiMEyEw2O5h1P7vo9Byhe/usWh543+65PpmWc9PRh4YewV0BtpdKaxjHtlCT/jMo+a/V&t8o=FrFL&sql=1
http://2.59.254.18/_errorpages/defounderzx.exe
|
7
www.soc34m.com(34.102.136.180)
www.sdxgwnkf.cfd(38.53.14.81)
www.ag6622.com()
38.53.14.81
34.102.136.180 - mailcious
94.156.6.225
2.59.254.18 - malware
|
7
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (POST) M2
|
|
6.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9745 |
2023-08-04 09:11
|
 yyyyy.exe 686da75c6922eddfe714217f777126e1
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware DNS |
|
1
194.169.175.124 - mailcious
|
|
|
2.8 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9746 |
2023-08-04 09:09
|
 whatGodcando.exe 93b477baa88c9520aa5249bb3514d191
Generic Malware .NET framework(MSIL) Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 Malware download Nanocore Cobalt Strike NetWireRC VirusTotal Malware c&c Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows RAT ComputerName DNS Cryptographic key DDNS |
|
3
chibuikemusic.duckdns.org(94.156.6.225)
91.207.102.163 - mailcious
94.156.6.225
|
7
ET MALWARE Possible NanoCore C2 60B
ET MALWARE NanoCore RAT CnC 7
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT Keepalive Response 3
ET MALWARE NanoCore RAT Keepalive Response 1
|
|
14.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9747 |
2023-08-04 09:09
|
 lega.exe 253dcfc72aa745e063bc035a1e93daab
Gen1 Emotet UPX Malicious Library CAB PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
|
2
45.33.6.223
77.91.124.156 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
11.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9748 |
2023-08-04 09:07
|
 j1neaa.bat 1551e43ba5cc0468ffa4d54d29870ac0
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9749 |
2023-08-04 09:07
|
810000000%23%23%23%23%23%23%23... 925753e9dd326a0cedae8e21f0c23f14
MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
1
http://23.94.148.61/810/ChromeSetup.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9750 |
2023-08-04 09:07
|
 ohoyeczx.exe f3ba23553ad0411c937414c4de068c5b
Gen1 email stealer Downloader UPX .NET framework(MSIL) Malicious Packer Malicious Library Escalate priviledges PWS DNS Code injection persistence KeyLogger AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 DLL Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed |
|
1
91.207.102.163 - mailcious
|
|
|
14.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|