9811 |
2023-10-06 17:53
putty.exe 9872c3c580e8bd1a22cd4698e73e3f9a Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
1.6 |
M |
30 |
ZeroCERT
9812 |
2023-10-06 17:51
get4.exe ff7517e244f6545e7936becd68aa0578 PE File PE64 VirusTotal Malware Check memory |
1.6 |
M |
11 |
ZeroCERT
9813 |
2023-10-06 17:49
Tugksta.exe 1f4795e3a6a434601ec37a38ffc99ff5 Formbook UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
17
20
12
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (POST) M2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
SURICATA HTTP unable to match response to request
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
14
11.2 |
M |
35 |
ZeroCERT
9814 |
2023-10-06 17:49
HTMLc.exe ac1e4067e159504a3bfc2c12b1221d10 LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
2
api.ipify.org(173.231.16.77)
104.237.62.212
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.6 |
M |
42 |
ZeroCERT
9815 |
2023-10-06 17:47
fotha0925877.exe 65ef2eef1ccf3146b44010406a235cb7 Gen1 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 CAB OS Processor Check DLL PE64 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName Remote Code Execution crashed |
3
61c73c03354116965937587030000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(172.67.184.100)
61c73c03354116965937587030100611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(176.126.85.160)
176.10.119.186
8.8 |
M |
24 |
ZeroCERT
9816 |
2023-10-06 17:44
Akh.exe ea7e83d83566d5aeceef44caf31cc59d PE File PE64 VirusTotal Malware Check memory |
1.6 |
M |
11 |
ZeroCERT
9817 |
2023-10-06 14:45
doser.exe 4b30467bb8a0c1f50d0705febb02c35d Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware unpack itself crashed |
1.8 |
18 |
ZeroCERT
9818 |
2023-10-06 14:09
okilo.txt.exe f2d429cdb651892f83759f28ae6b939c Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName Software crashed |
3.2 |
ZeroCERT
9819 |
2023-10-06 13:56
ReklamX.ps1 4529da5fd57f762d9286c19c609f015c Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key |
1.4 |
15 |
ZeroCERT
9820 |
2023-10-06 13:55
ReklamX.ps1 05931e59a873435df1111513cc67eb0c Generic Malware Antivirus Check memory unpack itself Windows Cryptographic key |
0.8 |
ZeroCERT
9821 |
2023-10-06 13:55
vc.js 9c334d578b33e9df286d5973198f7344 Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper |
1
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
2
chongmei33.publicvm.com(103.47.144.38) - mailcious
103.47.144.38 - mailcious
4
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
1
http://chongmei33.publicvm.com:7045/is-ready
10.0 |
M |
27 |
ZeroCERT
9822 |
2023-10-06 13:54
UGFH.txt.exe 3c3580dfbc1f06636fe5696879cbdd85 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
2
api.ipify.org(64.185.227.156)
104.237.62.212
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.4 |
53 |
ZeroCERT
9823 |
2023-10-06 13:40
okl.vbs 41ae735bd929dfe448cc75d19fed57a2 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/okilo.txt
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
172.67.215.45 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 |
7 |
ZeroCERT
9824 |
2023-10-06 13:39
powerwinner.ps1 d56818ec2778b8a3b3b13e2c7e88dc63 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://torna.ydns.eu/on/bsv/Wblxhuaksujvhq.exe
4.8 |
M |
1 |
ZeroCERT
9825 |
2023-10-06 13:39
HTMLcode.vbs 49bad06e91f748e94a260cbfdb0fffed Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://103.182.16.23/900/UGFH.txt
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.67.53.17
104.21.45.138 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 |
7 |
ZeroCERT