| 10201 |
2023-07-18 18:41
|
 Project15.exe 2f8a3dfa7e89ffc2fd4166dc2db5bbe7
UPX Downloader Malicious Library OS Processor Check PE64 PE File VirusTotal Open Directory Malware MachineGuid Malicious Traffic Creates executable files Windows Exploit DNS |
1
http://116.62.11.90/main.exe
|
2
162.55.60.2 -
116.62.11.90 -
|
6
ET INFO Executable Download from dotted-quad Host
ET HUNTING Rejetto HTTP File Sever Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
3.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10202 |
2023-07-18 18:37
|
 csrssnj.exe 3b08d70445120f2ef571828dde9d6be3
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder suspicious TLD ComputerName DNS |
25
http://www.ketotop5reviews.com/hjdr/
http://www.redhelpers.com/hjdr/
http://www.grandiosoyacht.com/hjdr/?JoeyZNb=ZIVepfGD+AffZCHV3Ol2oKUOXbfpNq4HeENG2f+1jk6NDjMSW9zSeGZmFetCeOX/fHb8BZzbaKu2Gddb3M9ccYXeJy9E2DDJWKKyeEo=&kiz0=gXOMyhyi
http://www.tugrow.top/hjdr/?JoeyZNb=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6U88mjUIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&kiz0=gXOMyhyi - rule_id: 28388
http://www.tugrow.top/hjdr/?JoeyZNb=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6U88mjUIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&kiz0=gXOMyhyi
http://www.selectenoil.ru/hjdr/
http://www.ketotop5reviews.com/hjdr/?JoeyZNb=Yijs5dzIRgyLtiEm8YVKzxzJARaaz1ygyQUAo47Y9YLXxcdZabP3kXt0loAI/PeeKKlEWCnqNGNFZU2DmCnSgcsd1psmTY3qHW8m6k0=&kiz0=gXOMyhyi
http://www.amateurshow.online/hjdr/ - rule_id: 28385
http://www.amateurshow.online/hjdr/
http://www.kbtcoin.store/hjdr/
http://www.selectenoil.ru/hjdr/?JoeyZNb=sypAAqbL6Kbr584vXjavsMmnNbwkS+CAk00myYDn5pA6KuObmwsMPbuKx5sNOB5qiBdVaRcAgh8i/dcpaiFWtM7VI0mAReEdx1J8t80=&kiz0=gXOMyhyi
http://www.my-bbs.com/hjdr/?JoeyZNb=gZwhwv+rj0JfbTlqQcvCJrahgucLKkM9Bn0g5rP7m3ePlM4d2wH7QHnXu7wnbI4S+7v4pDbRSdO7OKXzsqAdXWWFdviCngERcentyWw=&kiz0=gXOMyhyi
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.fatimaest.com/hjdr/?JoeyZNb=n5l8tCTW94Gw/giJefkHUbcRETzENs4hM9d2TK2mvTwTwL/1t4K1O3bDrGWsk3Qh+CJ6/CMThOr1qV0fFyX4yPVWltqTiQZmXL1as4k=&kiz0=gXOMyhyi
http://www.my-bbs.com/hjdr/
http://www.amateurshow.online/hjdr/?JoeyZNb=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4SKSfyO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&kiz0=gXOMyhyi - rule_id: 28385
http://www.amateurshow.online/hjdr/?JoeyZNb=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4SKSfyO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&kiz0=gXOMyhyi
http://www.fatimaest.com/hjdr/
http://www.morubixaba.com/hjdr/
http://www.redhelpers.com/hjdr/?JoeyZNb=YpqjTLELgUY/d4HafFE0oWZw/2NHDnY7eLtpu3Vtdcx4Jmz4rSZ5sKv2kTetxC3MAYUYmW4b6AXmlFI5jsCc5u3R6xF6PL4DkSBTPts=&kiz0=gXOMyhyi
http://www.morubixaba.com/hjdr/?JoeyZNb=64l4nBwickRj5+B55yI4aT/AdbB/zOm/2hMG5E84rPCqZYVtS3+3gGKYYg0k5NU9ycD4+LRnqZYt8h6mEz9Kk96FRyUaLOgeH1rhAn8=&kiz0=gXOMyhyi
http://www.tugrow.top/hjdr/ - rule_id: 28388
http://www.tugrow.top/hjdr/
http://www.grandiosoyacht.com/hjdr/
http://www.kbtcoin.store/hjdr/?JoeyZNb=OwT5fv3sMTyOF+WfoJr7V4VQqd+KzZL/KnHGdxnHtEh6vKw2S4OQP3sFw22/E53lopKvyHA6/BpX1iqNoYoz3wrhxCmlsV1/FTq7bdo=&kiz0=gXOMyhyi
|
24
www.grandiosoyacht.com(195.110.124.133) -
www.amateurshow.online(37.220.1.68) -
www.my-bbs.com(136.143.186.12) -
www.kbtcoin.store() -
www.selectenoil.ru(185.26.122.80) -
www.morubixaba.com(84.32.84.32) -
www.dsgdltrg.top(20.239.76.242) -
www.ketotop5reviews.com(192.145.237.146) -
www.fatimaest.com(184.168.113.171) -
www.tugrow.top(66.29.131.66) -
www.redhelpers.com(185.53.178.54) -
185.53.178.54 -
162.55.60.2 -
98.124.224.17 -
20.239.76.242 -
37.220.1.68 -
195.110.124.133 -
192.145.237.146 -
185.26.122.80 -
136.143.186.12 -
184.168.113.171 -
84.32.84.32 -
45.33.6.223 -
66.29.131.66 -
|
2
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
|
4
http://www.tugrow.top/hjdr/
http://www.amateurshow.online/hjdr/
http://www.amateurshow.online/hjdr/
http://www.tugrow.top/hjdr/
|
6.8 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10203 |
2023-07-18 18:36
|
 Account.pdf bfd3ae8bb20e06f32f5b46100dc498c2
PDF ZIP Format Windows utilities Windows DNS |
5
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
|
1
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10204 |
2023-07-18 18:35
|
 csrssop.EXE 28054120effda1f940bff3c6fb9c125b
Formbook AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS |
23
http://www.sisbom.online/pta7/ - rule_id: 35245
http://www.sisbom.online/pta7/
http://www.playcups.life/pta7/ - rule_id: 35250
http://www.playcups.life/pta7/
http://www.sisbom.online/pta7/?HKo0O=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&VDxqzI=9mcccHfMu - rule_id: 35245
http://www.sisbom.online/pta7/?HKo0O=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&VDxqzI=9mcccHfMu
http://www.yh66985.com/pta7/?HKo0O=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&VDxqzI=9mcccHfMu - rule_id: 35249
http://www.yh66985.com/pta7/?HKo0O=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&VDxqzI=9mcccHfMu
http://www.yh66985.com/pta7/ - rule_id: 35249
http://www.yh66985.com/pta7/
http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248
http://www.cosmicearthgoddess.com/pta7/
http://www.maytag36.com/pta7/?HKo0O=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&VDxqzI=9mcccHfMu - rule_id: 35246
http://www.maytag36.com/pta7/?HKo0O=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&VDxqzI=9mcccHfMu
http://www.selfstorage.koeln/pta7/?HKo0O=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&VDxqzI=9mcccHfMu - rule_id: 35247
http://www.selfstorage.koeln/pta7/?HKo0O=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&VDxqzI=9mcccHfMu
http://www.cosmicearthgoddess.com/pta7/?HKo0O=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&VDxqzI=9mcccHfMu - rule_id: 35248
http://www.cosmicearthgoddess.com/pta7/?HKo0O=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&VDxqzI=9mcccHfMu
http://www.maytag36.com/pta7/ - rule_id: 35246
http://www.maytag36.com/pta7/
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
http://www.selfstorage.koeln/pta7/ - rule_id: 35247
http://www.selfstorage.koeln/pta7/
|
13
www.sisbom.online(162.240.81.18) -
www.selfstorage.koeln(81.169.145.157) -
www.yh66985.com(154.215.247.58) -
www.playcups.life(203.161.58.192) -
www.cosmicearthgoddess.com(74.208.236.61) -
www.maytag36.com(13.248.148.254) -
74.208.236.61 -
154.215.247.58 -
81.169.145.157 -
13.248.148.254 -
45.33.6.223 -
162.240.81.18 -
203.161.58.192 -
|
2
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
|
11
http://www.sisbom.online/pta7/
http://www.playcups.life/pta7/
http://www.sisbom.online/pta7/
http://www.yh66985.com/pta7/
http://www.yh66985.com/pta7/
http://www.cosmicearthgoddess.com/pta7/
http://www.maytag36.com/pta7/
http://www.selfstorage.koeln/pta7/
http://www.cosmicearthgoddess.com/pta7/
http://www.maytag36.com/pta7/
http://www.selfstorage.koeln/pta7/
|
9.0 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10205 |
2023-07-18 18:34
|
kwen.vbs d9d77de313534367ddce55a717e370f9
Generic Malware Antivirus PowerShell VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.2 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10206 |
2023-07-18 18:32
|
 ohoyeczx.exe f7d1117ace1e63a2a3cf9d45cb94b9b5
email stealer Generic Malware Downloader UPX Antivirus Escalate priviledges PWS DNS Code injection persistence KeyLogger Create Service Socket P2P DGA Steal credential Http API Sniff Audio HTTP ScreenShot Internet API FTP AntiDebug AntiVM PE64 PE File OS VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Checks Bios Auto service Detects VirtualBox powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW VMware anti-virtualization Tofsee Windows ComputerName Cryptographic key Software crashed |
1
https://kyliansuperm92139124.shop/customer/1236
|
2
kyliansuperm92139124.shop(172.67.183.88) -
172.67.183.88 -
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
18.2 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10207 |
2023-07-18 18:31
|
 wikimap.exe caafec374594c5b93a986bc31df97f17
UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
4.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10208 |
2023-07-18 18:31
|
 Uni.bat 488a8bd72bd92554832ec260181e949b
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
3.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10209 |
2023-07-18 18:30
|
 lolMiner.exe 055eaec478c4a8490041b8fa3db1119d
PE64 PE File VirusTotal Malware Checks debugger |
|
|
|
|
2.2 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10210 |
2023-07-18 18:28
|
 winBx.exe 1482780bd41df6d1dfe68b2629c26d08
UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder DNS |
|
1
|
|
|
4.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10211 |
2023-07-18 18:27
|
WIZXWIXWIZXIZWIXZIWXIZWIZX%23%... 59bbe490b56e19b6ea1eeff988e390ef
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
2
http://107.175.202.150/55/win32.exe
http://showip.net/
|
5
us2.smtp.mailhostbox.com(208.91.199.224) -
showip.net(162.55.60.2) -
162.55.60.2 -
208.91.199.223 -
107.175.202.150 -
|
9
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY IP Check Domain (showip in HTTP Host)
SURICATA Applayer Detect protocol only one direction
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10212 |
2023-07-18 18:27
|
invoice.pdf.lnk e2ef58cea3134177185a50584111495d
Antivirus AntiDebug AntiVM GIF Format PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
10.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10213 |
2023-07-18 18:26
|
WWWEWEIEEWEEIWEEIIWEEIIWEE%23%... 3190bb8beecc3effa69bf79cc32be9eb
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://107.175.202.150/50/win32.exe
http://showip.net/
|
3
showip.net(162.55.60.2) -
162.55.60.2 -
107.175.202.150 -
|
8
ET POLICY IP Check Domain (showip in HTTP Host)
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.2 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10214 |
2023-07-18 18:25
|
 shedin2.1.exe 3237ac71bbc1b1153dda35c76e1b80b8
NSIS UPX Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.76) -
104.237.62.211 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10215 |
2023-07-18 18:22
|
 win32.exe d5d3f11ec57ac1722ca2ac9fab41b480
UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself suspicious process AppData folder Windows DNS crashed |
|
1
|
|
|
5.0 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|