| 10351 |
2023-07-12 17:33
|
 KGC.exe af90d735ce31e71e2d2204957dddd081
.NET framework(MSIL) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
4
mail.awelleh3.top(185.198.59.26) - mailcious
api.ipify.org(64.185.227.156)
185.198.59.26 - mailcious
64.185.227.156
|
4
SURICATA Applayer Detect protocol only one direction
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10352 |
2023-07-12 17:31
|
 chicka.exe 2bf0aebcee63482e0068407b25adc5f3
RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
4.4 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10353 |
2023-07-12 17:31
|
 dwmop.exe 9749f1713629f82f7c889752d3c616e5
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10354 |
2023-07-12 17:30
|
 HVB.exe c624cef40138f7e0e3749b519b93b47a
PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
4
mail.awelleh3.top(185.198.59.26) - mailcious
api.ipify.org(173.231.16.76)
185.198.59.26 - mailcious
64.185.227.156
|
4
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
13.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10355 |
2023-07-12 17:30
|
 HHH1.exe 6f665047f3ccce8c93bdd5eead1318de
Generic Malware UPX Antivirus AntiDebug AntiVM PE64 PE File OS Processor Check VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Auto service Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
1
https://kyliansuperm92139124.shop/customer/978
|
2
kyliansuperm92139124.shop(104.21.18.206)
104.21.18.206
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10356 |
2023-07-12 17:25
|
 cred64.dll 60cf7bdab887c8e4d3425d94ececd8d0
Browser Login Data Stealer UPX Malicious Library OS Processor Check DLL PE64 PE File VirusTotal Malware PDB Checks debugger unpack itself installed browsers check Browser ComputerName crashed |
|
|
|
|
2.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10357 |
2023-07-12 17:25
|
 Setup122.exe bcfac13ce46c95646e1d922d4a8493cf
UPX PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
1.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10358 |
2023-07-12 15:18
|
 xmrig.exe 4813fa6d610e180b097eae0ce636d2aa
Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware unpack itself ComputerName |
|
|
|
|
1.8 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10359 |
2023-07-12 15:15
|
 templezx.exe 9c66f681dd4f45e909bb6cec6fa8e20f
AgentTesla PWS KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(104.237.62.211)
173.231.16.76
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10360 |
2023-07-12 14:50
|
pablozx.doc 6bad9606e870b69823f32c9255c194c4
Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash Windows Exploit DNS crashed |
2
http://171.22.30.164/pablo/five/fre.php - rule_id: 35071
http://87.121.221.212/pablozx.exe
|
2
171.22.30.164 - mailcious
87.121.221.212 - malware
|
12
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://171.22.30.164/pablo/five/fre.php
|
4.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10361 |
2023-07-12 14:01
|
templezx.doc 96908698ef1a19e7b6c4cc2f52637d3b
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://87.121.221.212/templezx.exe
|
5
api.ipify.org(104.237.62.211)
api.telegram.org(149.154.167.220)
87.121.221.212 - malware
64.185.227.156
149.154.167.220
|
9
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET HUNTING Telegram API Domain in DNS Lookup
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
4.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10362 |
2023-07-12 10:10
|
 Financial_Budget2023.js 9b5b8fd2b485387fb5e16a6a714ff3c6Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS Dropper |
1
http://139.177.146.165:4848/is-ready
|
3
jemyy.theworkpc.com(109.248.144.235) -
109.248.144.235 -
139.177.146.165 -
|
2
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
|
|
10.0 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10363 |
2023-07-12 09:37
|
 new64.dll 9872f989cd453187ec12ffd4744be0db
Malicious Library DLL PE64 PE File VirusTotal Malware Checks debugger buffers extracted unpack itself Remote Code Execution DNS |
3
http://check2.zennolab.com/proxy.php
http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
http://ip0.zenno.services/proxy.php
|
7
check2.zennolab.com(5.45.94.247) -
ajax.googleapis.com(172.217.161.202) -
ip0.zenno.services(185.87.150.22) -
185.87.150.22
5.45.94.247
142.251.220.106
5.42.65.67 -
|
|
|
3.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10364 |
2023-07-12 09:30
|
 schtasks.exe a0bcd3b7d2ab3ff1beb3ee7d87e736d0
AsyncRAT UPX .NET framework(MSIL) Malicious Packer OS Processor Check .NET EXE PE File PE32 |
|
2
azjulyosnftr5btinbm.ooguy.com(104.255.175.11)
104.255.175.11
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10365 |
2023-07-12 08:15
|
 schtasks.exe 25eb3575a5fdaefcf6f3b5c1d91c262d
AsyncRAT UPX .NET framework(MSIL) Malicious Packer OS Processor Check .NET EXE PE File PE32 |
|
2
MARLI27.kozow.com(181.131.218.41) -
181.131.218.41 -
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|