| 10381 |
2023-07-12 07:49
|
blblbllblbblblblblbkblkblbklbk... c363485726353a04555f2042cd5ceb23
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself suspicious TLD Windows Exploit DNS crashed Downloader |
2
http://192.3.179.134/400/win.exe
http://192.3.179.134/bl/FvJlkzeqoyT174.bin
|
4
www.blackoutbundles.com() -
www.japanesesake.top() -
162.55.60.2 -
192.3.179.134 -
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.top domain - Likely Hostile
|
|
5.0 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10382 |
2023-07-12 07:49
|
20AC0B78.Png 9c84926dac4e5e7037747c49f58f1724
Malicious Library CAB MSOffice File VirusTotal Malware |
|
|
|
|
1.2 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10383 |
2023-07-12 07:48
|
setup.jpg 20bec50362e877fa5935cb1fc67012f9
Generic Malware Malicious Library Antivirus OS Processor Check CAB MSOffice File VirusTotal Malware |
|
|
|
|
1.0 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10384 |
2023-07-12 07:47
|
mpomzx.doc 45bc6b0241b35b2b24e44e624280b598
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://87.121.221.212/mpomzx.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10385 |
2023-07-12 07:45
|
centoscentosnetocosnetocentosn... 32ac431fbfa6ede6a96784bc956a6434
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
2
http://showip.net/
http://198.23.156.251/40/wins.exe
|
3
showip.net(162.55.60.2) -
162.55.60.2 -
198.23.156.251 -
|
6
ET POLICY IP Check Domain (showip in HTTP Host)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10386 |
2023-07-12 07:45
|
secdivinezx.doc f7c101969fb10e121abf500446015d73
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://87.121.221.212/secdivinezx.exe
|
3
api.ipify.org(173.231.16.76) -
173.231.16.76 -
87.121.221.212 -
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10387 |
2023-07-12 07:44
|
ibmibmibmibmibmibmibmibmibbimb... 84d01d5aa89f99aeeffaa21cde19abb6
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
2
http://showip.net/
http://198.23.156.251/42/wins.exe
|
5
us2.smtp.mailhostbox.com(208.91.199.225) -
showip.net(162.55.60.2) -
162.55.60.2 -
208.91.199.224 -
198.23.156.251 -
|
7
SURICATA Applayer Detect protocol only one direction
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY IP Check Domain (showip in HTTP Host)
|
|
5.2 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10388 |
2023-07-12 07:44
|
hussanzx.doc a83e6f6df3139c61ceacd87c890e809a
MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://138.68.56.139/?p=9220839
http://87.121.221.212/hussanzx.exe
|
2
138.68.56.139 -
87.121.221.212 -
|
10
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
|
5.0 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10389 |
2023-07-12 07:44
|
 YoDo_Fake.exe 10adfd55d2fe1b14553f911adc389e89
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware Checks debugger Tofsee Discord DNS crashed |
|
2
cdn.discordapp.com(162.159.135.233) -
162.159.134.233 -
|
3
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
|
|
1.4 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10390 |
2023-07-12 07:44
|
 hussanzx.exe d963fa6b125fcb22bcb5357a203f6e24
LokiBot Socket PWS DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed |
1
http://138.68.56.139/?p=9220839
|
2
162.55.60.2 -
138.68.56.139 -
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
14.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10391 |
2023-07-12 07:43
|
pablozx.doc 6bad9606e870b69823f32c9255c194c4
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed |
|
|
|
|
3.2 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10392 |
2023-07-12 07:40
|
 win.exe db69af7fee69d61e4eb0268afb7cd9f8
UPX Malicious Library PE File PE32 DLL PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.4 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10393 |
2023-07-12 07:40
|
 secdivinezx.exe 23896fb7fd3c88ed96f3dc35e58c9d28
AgentTesla Generic Malware .NET framework(MSIL) Antivirus KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(104.237.62.211) -
64.185.227.156 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10394 |
2023-07-12 07:38
|
 pablozx.exe ca24c99f8463d5c9a7b696bd364e7547
LokiBot Generic Malware .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://171.22.30.164/pablo/five/fre.php
|
1
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
15.4 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10395 |
2023-07-12 07:35
|
 mpomzx.exe 23d9fbc39ec74f969e07953b833a1679
AgentTesla Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
12.6 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|