10561
2023-08-18 10:02
wpp.vbs d87d4c42c10f332a96aa10ffb455f49d VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download ICMP traffic AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS Dropper
1
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
2
chongmei33.publicvm.com(103.47.144.122) - malicious 103.47.144.122
1
http://chongmei33.publicvm.com:7045/is-ready
10.0
M
30
ZeroCERT

10562
2023-08-18 09:55
ap.vbs 57ce47f3c71f44a6e1270ba954ab3a9a WSHRAT Hide_EXE Anti_VM PE File VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download Creates executable files unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS crashed Dropper
2
http://ip-api.com/json/ http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
4
chongmei33.publicvm.com(103.47.144.122) - malicious ip-api.com(208.95.112.1) 103.47.144.122 208.95.112.1
1
http://chongmei33.publicvm.com:7045/is-ready
10.0
M
25
ZeroCERT

10563
2023-08-18 09:51
HVS.vbs b5ada8744016020003b96b679475b933 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName Cryptographic key
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://94.156.161.167/tl/ha88.txt
3
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.27
104.21.45.138 - malware
8.8
M
5
ZeroCERT

10564
2023-08-18 07:54
Amday.exe 7be1e9a1eade9773de6643fb1e4e0ffc Amadey .NET framework(MSIL) UPX Admin Tool (Sysinternals etc ...) Http API HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Windows ComputerName DNS
1
http://45.9.74.182/b7djSDcPcZ/index.php - rule_id: 35747
1
1
http://45.9.74.182/b7djSDcPcZ/index.php
12.2
M
34
ZeroCERT

10565
2023-08-18 07:52
fotod300.exe e802b1dbc1f2d392ab7b809d0f177763 Gen1 Emotet Malicious Library UPX PE File CAB PE32 VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Update Remote Code Execution
8.4
M
44
ZeroCERT

10566
2023-08-18 07:43
dasHost.exe 7cfc2520e8fd8a455538e88efa9f9357 Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware PDB
2.2
M
41
ZeroCERT

10567
2023-08-18 07:41
foto4055.exe 3e829ce0029df6886e3e865dc44860b0 Gen1 Emotet Malicious Library UPX PE File CAB PE32 AutoRuns PDB Check memory Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution
4.2
M
ZeroCERT

10568
2023-08-18 07:40
Setup2potok.exe e6b8cfb15c6fce9abcea7a716345d537 Admin Tool (Sysinternals etc ...) Http API HTTP ScreenShot Internet API AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed
2
http://gstatic-node.io/ - rule_id: 35379 http://gstatic-node.io/c2conf - rule_id: 35380
2
gstatic-node.io(104.21.37.53) - malicious 104.21.37.53 - malicious
2
http://gstatic-node.io/ http://gstatic-node.io/c2conf
9.0
M
30
ZeroCERT

10569
2023-08-18 07:39
settings.exe cfff2b043a6c98616a197315a813ca6d Formbook NSIS Malicious Library UPX ASPack PE File PE32 OS Processor Check DLL VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder
5
http://www.vaskaworldairways.com/sy22/?pPX=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&-ZP=W6RpsLRPH http://www.qixservice.online/sy22/?pPX=VBKd4i1TBAeTlYBnm9tWLCP4ww2vn+XVFOQPMnsW4AFxqlBX+KApyR5y0aXQ0sSyxSIvT0ne&-ZP=W6RpsLRPH http://www.docomo-mobileconsulting.com/sy22/?pPX=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&-ZP=W6RpsLRPH - rule_id: 35906 http://www.sx15k.com/sy22/?pPX=uDOmxGSZOI7byjRwM2VfDnyujtJEJ3PREhDiUuqfTZK7lE43sYjySeizw7LCJ3MdEZKjGoPp&-ZP=W6RpsLRPH http://www.gracefullytouchedartistry.com/sy22/?pPX=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&-ZP=W6RpsLRPH
10
www.vaskaworldairways.com(71.218.237.83) www.sx15k.com(211.149.249.34) - malicious www.qixservice.online(81.88.57.70) www.docomo-mobileconsulting.com(91.195.240.109) - malicious www.gracefullytouchedartistry.com(34.149.87.45) 34.149.87.45 - phishing 71.218.237.83 211.149.249.34 91.195.240.109 - malicious 81.88.57.70 - malicious
1
http://www.docomo-mobileconsulting.com/sy22/
5.2
M
38
ZeroCERT

10570
2023-08-18 07:38
ChromeSetup.exe 3d65e5bf187bdb64286f9982c330ca14 Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed
11.6
M
37
ZeroCERT

10571
2023-08-18 07:36
Al.exe 95d977a14fbc0eb268d4aae47bdb4dee Generic Malware WinRAR Malicious Library UPX Antivirus AntiDebug AntiVM OS Processor Check PE File PE32 .NET EXE VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Firewall state off Windows ComputerName Remote Code Execution Cryptographic key crashed
2
www.logpasta.com(188.166.57.133) 188.166.57.133
13.2
28
ZeroCERT

10572
2023-08-18 07:36
dasHost.exe 6ac95d0ff18baaa2fa5bbfa1cbe4ff6e Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
2.4
51
ZeroCERT

10573
2023-08-18 01:11
iboostup.dmg b9e4503135b0961e20e3b636c4d6e140 AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
3.4
guest

10574
2023-08-17 18:25
vxODSBwqrEMac.exe e53f4ce45bbc5ea4dd247b4aab7d6be2 NSIS Malicious Library UPX ASPack PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows Browser Email ComputerName Software crashed keylogger
2
api.ipify.org(173.231.16.76) 173.231.16.76
7.8
M
30
ZeroCERT

10575
2023-08-17 18:25
%E4%B8%80%E9%94%AE%E9%87%8D%E8... f9d4a14f2de2540ca26fc868055c65b3 Emotet Gen1 Generic Malware PhysicalDrive Malicious Library UPX Malicious Packer MPRESS ASPack Anti_VM OS Processor Check PE File ftp PE32 DLL MZP Format ZIP Format PE64 Lnk Format GIF Format VirusTotal Malware PDB suspicious privilege Check memory buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName Remote Code Execution Firmware
6
http://jsy.newitboy.com/wllinfo/newoemjsyunion/oemsq.dat http://tjonekeynew.klmsdn.com/?ver=8.23.6.20&osver=WIN7_64&sfmark=ai&oem=sq×tamp=1692298582-1&start=1&diskinfo=nospace&kernelver=6.1.7601.17514&product=Oracle%20Corporation_VirtualBox http://ia.51.la/go1?id=21680199&rt=1692298586542&rl=1024*768&lang=en-us&ct=unknow&pf=1&ins=1&vd=1&ce=1&cd=32&ds=&ing=1&ekc=&sid=1692298586542&tt=%25E6%2581%25AD%25E5%2596%259C%25EF%25BC%258C%25E7%25AB%2599%25E7%2582%25B9%25E5%2588%259B%25E5%25BB%25BA%25E6%2588%2590%25E5%258A%259F%25EF%25BC%2581&kw=&cu=http%253A%252F%252Ftjonekeynew.klmsdn.com%252F%253Fver%253D8.23.6.20~_~osver%253DWIN7_64~_~sfmark%253Dai~_~oem%253Dsq~_~timestamp%253D1692298582-1~_~start%253D1~_~diskinfo%253Dnospace~_~kernelver%253D6.1.7601.17514~_~product%253DOracle%2520Corporation_VirtualBox&pu= http://js.users.51.la/21680199.js https://hm.baidu.com/hm.js?1b7b7736d7138eb27990166b18aaaa6e https://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&vl=496&et=0&ja=1&ln=en-us&lo=0&rnd=1141383092&si=1b7b7736d7138eb27990166b18aaaa6e&v=1.3.0&lv=1&sn=53817&r=0&ww=679&u=http%3A%2F%2Ftjonekeynew.klmsdn.com%2F%3Fver%3D8.23.6.20%26osver%3DWIN7_64%26sfmark%3Dai%26oem%3Dsq%26timestamp%3D1692298582-1%26start%3D1%26diskinfo%3Dnospace%26kernelver%3D6.1.7601.17514%26product%3DOracle%20Corporation_VirtualBox&tt=%E6%81%AD%E5%96%9C%EF%BC%8C%E7%AB%99%E7%82%B9%E5%88%9B%E5%BB%BA%E6%88%90%E5%8A%9F%EF%BC%81
13
tj.klmsdn.com(101.34.214.169) www.services-1222.info() hm.baidu.com(103.235.46.191) - malicious jsy.newitboy.com(113.207.69.190) ia.51.la(42.236.73.39) js.users.51.la(42.236.73.41) - malicious tjonekeynew.klmsdn.com(36.248.64.77) 42.236.73.38 101.34.214.169 42.236.74.130 42.56.78.61 103.235.46.191 - malicious 61.243.158.194
9.4
M
20
ZeroCERT