11221 | 2023-07-26 11:41 | CMSh.hta | MD5 d73b4775abeed46e879675ddd0d311d2
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
URLs (1):
  http://103.16.215.196/M247T/wininit.exe
Score: 7.2 | VT: 14 | Submitter: ZeroCERT

11222 | 2023-07-26 11:23 | File_pass1234.7z | MD5 dd48d433b225a68e26ca5b6446f0e5f9
Tags: Escalate privileges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself
Score: 1.6 | M | Submitter: ZeroCERT

11223 | 2023-07-26 09:44 | vbcript.vbs | MD5 75281ab6ea5a12725d427b34accd2325
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://cdn.pixelbin.io/v2/red-wildflower-1b0af4/original/universo_vbs.jpeg
  http://192.3.243.146/update/IE_CACHE.txt
Hosts (2):
  cdn.pixelbin.io (54.230.167.16) - malware
  54.230.167.126
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.2 | M | VT: 11 | Submitter: ZeroCERT

11224 | 2023-07-26 09:41 | setup-rc18.exe | MD5 c7feee4698e4d22fead87c243d9cb8ad
Tags: UPX PE64 PE File VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself crashed
Score: 3.2 | M | VT: 35 | Submitter: ZeroCERT

11225 | 2023-07-26 09:39 | system32.vbs | MD5 08548ae48deaeeb8bb880d74ccaf9707
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
  https://cdn.pixelbin.io/v2/red-wildflower-1b0af4/original/universo_vbs.jpeg
  http://195.178.120.24/cousin_GEF_BAS64dgfhjgfxzjgfzgfjzz.txt
Hosts (2):
  cdn.pixelbin.io (54.230.167.117) - malware
  54.230.167.111 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | M | VT: 2 | Submitter: ZeroCERT

11226 | 2023-07-26 09:39 | ohoyeczx.doc | MD5 51dfac37926ca4687d0a84dd43f491ce
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (1):
  http://87.121.221.212/ohoyeczx.exe
Hosts (2):
  91.207.102.163
  87.121.221.212 - malware
Alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.4 | M | VT: 28 | Submitter: ZeroCERT

11227 | 2023-07-26 08:09 | secdukaszx.doc | MD5 b3da431b3d8c5c8680024b81ce71bd85
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (13):
  http://www.bc081.com/mcon/?uGlQwPJu=pskxmoRFchsAbXFIn6Ds6WJWm93GPZXrd/fIfWEPkz26aGEkZ87oGPy24JF+yxwF1h0P/zwK8gLwn+yMtUteEtVFAkBJqDM7Jup+RKc=&9Y84=6fRJZ
  http://www.triplemshipssupplies.com/mcon/?uGlQwPJu=dnPohqZh5otnQV3RPwhvaI5Uo8JzxtGuHQ1wIyfjEImxMkpvtO72FR5odLVFga56TxKG3zu640027WzcyBBbGjRHowMwiJmzi8hzv3g=&9Y84=6fRJZ
  http://www.paybillnow.info/mcon/?uGlQwPJu=6l2bJH3lYuggsJGye7Ek7Djc2AhxQovbvd2YkjgUuVZ2vqa0aW8Pwj2WXOk/QoHCXwbnfhEZTCtL08rWUqnG/IhfnQVtlui9LEQGFPc=&9Y84=6fRJZ
  http://www.purelyunorthodox.com/mcon/
  http://www.fagallery.com/mcon/
  http://www.bc081.com/mcon/
  http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
  http://www.triplemshipssupplies.com/mcon/
  http://www.fagallery.com/mcon/?uGlQwPJu=rJW8o27P/gqPRSI0wuqXCcBWV3MCPe3Qi8ROeqUr40lzOd+BRDuNmyU/daBjpYLNNDfdIaWQHB2/zU0cdz0dSZCY/Bbb6xMd8kQ8zBA=&9Y84=6fRJZ
  http://www.superxwin.app/mcon/?uGlQwPJu=zXOJUe1DiQqRpKX/iPrmQy7/Wg64w+pTL1bjt+yOL2NGV+wW4eH3xNfsFSFyKke75OeaWtpTehrF3ed1/bJdwY3kBcAY+jnnbA/ldzE=&9Y84=6fRJZ
  http://www.purelyunorthodox.com/mcon/?uGlQwPJu=JxkY46YC9LBm3OkL8orXF7D68oVhabe0uO4APku638FfxldkBjOvcbwo9sb38aK0GSbzu/P0eNN4w2ybAPlnTHOTDB1A0VrJVW01pJA=&9Y84=6fRJZ
  http://www.superxwin.app/mcon/
  http://www.paybillnow.info/mcon/
Hosts (14):
  www.paybillnow.info (162.0.225.178)
  www.bc081.com (170.178.212.131)
  www.fagallery.com (156.234.49.125)
  www.purelyunorthodox.com (154.204.19.73)
  www.superxwin.app (91.195.240.94)
  www.triplemshipssupplies.com (173.254.104.74)
  173.254.104.74
  154.204.19.73
  91.195.240.94 - phishing
  87.121.221.212 - malware
  45.33.6.223
  156.234.49.125
  170.178.212.131
  162.0.225.178 - malicious
Alerts (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.0 | M | Submitter: ZeroCERT

11228 | 2023-07-26 08:08 | wininit.exe | MD5 99566b51018706a1b36b1440dc9b9d23
Tags: Formbook .NET framework(MSIL) AntiDebug AntiVM .NET EXE PE File PE32 Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs (14):
  http://www.sisbom.online/pta7/ - rule_id: 35245
  http://www.playcups.life/pta7/ - rule_id: 35250
  http://www.sisbom.online/pta7/?fjoqq6=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&QWzs=CeDXTsS6HepRd8sX - rule_id: 35245
  http://www.playcups.life/pta7/?fjoqq6=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&QWzs=CeDXTsS6HepRd8sX - rule_id: 35250
  http://www.yh66985.com/pta7/ - rule_id: 35249
  http://www.yh66985.com/pta7/?fjoqq6=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&QWzs=CeDXTsS6HepRd8sX - rule_id: 35249
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
  http://www.selfstorage.koeln/pta7/ - rule_id: 35247
  http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248
  http://www.maytag36.com/pta7/?fjoqq6=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&QWzs=CeDXTsS6HepRd8sX - rule_id: 35246
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
  http://www.maytag36.com/pta7/ - rule_id: 35246
  http://www.selfstorage.koeln/pta7/?fjoqq6=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&QWzs=CeDXTsS6HepRd8sX - rule_id: 35247
  http://www.cosmicearthgoddess.com/pta7/?fjoqq6=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&QWzs=CeDXTsS6HepRd8sX - rule_id: 35248
Hosts (13):
  www.sisbom.online (162.240.81.18) - malicious
  www.yh66985.com (154.215.247.58) - malicious
  www.selfstorage.koeln (81.169.145.157) - malicious
  www.playcups.life (203.161.58.192) - malicious
  www.cosmicearthgoddess.com (74.208.236.61) - malicious
  www.maytag36.com (76.223.26.96) - malicious
  74.208.236.61 - malicious
  154.215.247.58 - malicious
  81.169.145.157 - malicious
  13.248.148.254 - malicious
  45.33.6.223
  162.240.81.18 - malicious
  203.161.58.192 - malicious
Alerts (2):
  ET INFO Observed DNS Query to .life TLD
  ET INFO HTTP Request to Suspicious *.life Domain
Matched URLs (12):
  http://www.sisbom.online/pta7/
  http://www.playcups.life/pta7/
  http://www.sisbom.online/pta7/
  http://www.playcups.life/pta7/
  http://www.yh66985.com/pta7/
  http://www.yh66985.com/pta7/
  http://www.selfstorage.koeln/pta7/
  http://www.cosmicearthgoddess.com/pta7/
  http://www.maytag36.com/pta7/
  http://www.maytag36.com/pta7/
  http://www.selfstorage.koeln/pta7/
  http://www.cosmicearthgoddess.com/pta7/
Score: 8.8 | M | Submitter: ZeroCERT

11229 | 2023-07-26 08:02 | IDBHIDBHIDBHIDBHIDBHIDBH%23%23... | MD5 454cb83cf56a83f08d9506a7de9e475a
Tags: MS_RTF_Obfuscation_Objects RTF File doc Vulnerability Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed
URLs (1):
  http://192.3.243.146/ibi/IDBh.hta
Hosts (1):
  192.3.243.146 - malicious
Alerts (3):
  ET POLICY Possible HTA Application Download
  ET INFO Dotted Quad Host HTA Request
  ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
Score: 3.2 | M | Submitter: ZeroCERT

11230 | 2023-07-26 08:00 | no_halt_7891.msi | MD5 394f500a708c457b2a5eb4e839896c22
Tags: Malicious Library OS Processor Check CAB MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName DNS
Hosts: 1
Score: 4.4 | M | VT: 8 | Submitter: ZeroCERT

11231 | 2023-07-26 07:58 | secdukaszx.exe | MD5 410dec2d786b542c67397ab8cc7ecaf3
Tags: .NET framework(MSIL) AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
URLs (12):
  http://www.purelyunorthodox.com/mcon/
  http://www.fagallery.com/mcon/?gN=rJW8o27P/gqPRSI0wuqXCcBWV3MCPe3Qi8ROeqUr40lzOd+BRDuNmyU/daBjpYLNNDfdIaWQHB2/zU0cdz0dSZCY/Bbb6xMd8kQ8zBA=&i50Q=_ezxJv-JovO9
  http://www.fagallery.com/mcon/
  http://www.bc081.com/mcon/
  http://www.purelyunorthodox.com/mcon/?gN=JxkY46YC9LBm3OkL8orXF7D68oVhabe0uO4APku638FfxldkBjOvcbwo9sb38aK0GSbzu/P0eNN4w2ybAPlnTHOTDB1A0VrJVW01pJA=&i50Q=_ezxJv-JovO9
  http://www.triplemshipssupplies.com/mcon/
  http://www.paybillnow.info/mcon/?gN=6l2bJH3lYuggsJGye7Ek7Djc2AhxQovbvd2YkjgUuVZ2vqa0aW8Pwj2WXOk/QoHCXwbnfhEZTCtL08rWUqnG/IhfnQVtlui9LEQGFPc=&i50Q=_ezxJv-JovO9
  http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
  http://www.bc081.com/mcon/?gN=pskxmoRFchsAbXFIn6Ds6WJWm93GPZXrd/fIfWEPkz26aGEkZ87oGPy24JF+yxwF1h0P/zwK8gLwn+yMtUteEtVFAkBJqDM7Jup+RKc=&i50Q=_ezxJv-JovO9
  http://www.superxwin.app/mcon/?gN=zXOJUe1DiQqRpKX/iPrmQy7/Wg64w+pTL1bjt+yOL2NGV+wW4eH3xNfsFSFyKke75OeaWtpTehrF3ed1/bJdwY3kBcAY+jnnbA/ldzE=&i50Q=_ezxJv-JovO9
  http://www.superxwin.app/mcon/
  http://www.paybillnow.info/mcon/
Hosts (13):
  www.paybillnow.info (162.0.225.178)
  www.bc081.com (170.178.212.131)
  www.fagallery.com (156.234.49.125)
  www.purelyunorthodox.com (154.204.19.73)
  www.superxwin.app (91.195.240.94)
  www.triplemshipssupplies.com (173.254.104.74)
  173.254.104.74
  154.204.19.73
  91.195.240.94 - phishing
  45.33.6.223
  156.234.49.125
  170.178.212.131
  162.0.225.178 - malicious
Score: 9.0 | M | VT: 19 | Submitter: ZeroCERT

11232 | 2023-07-26 07:58 | IBMCENTOSIBMCENTOSIBMCENTOSIBM... | MD5 2d691029ea7c7963db78038eab462842
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (1):
  http://192.3.243.146/update/ck/vbcript.vbs
Hosts (4):
  cdn.pixelbin.io (54.230.167.117) - malware
  173.254.104.74
  192.3.243.146 - malicious
  54.230.167.117
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host VBS Request
Score: 4.2 | VT: 30 | Submitter: ZeroCERT

11233 | 2023-07-26 07:58 | BBCGBBCGBBCGBBCGBBCGCBBCGBBCGB... | MD5 434a56206f1cda6955268658efeb1db3
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1):
  http://192.3.243.150/500/system_root.vbs
Hosts (3):
  cdn.pixelbin.io (54.230.167.126) - malware
  192.3.243.150 - malware
  54.230.167.117
Alerts (2):
  ET INFO Dotted Quad Host VBS Request
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | VT: 30 | Submitter: ZeroCERT

11234 | 2023-07-26 07:56 | file.exe | MD5 7c18df4a1aab5314b4a499c3e84f055c
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself
Score: 1.6 | M | VT: 27 | Submitter: ZeroCERT

11235 | 2023-07-26 07:54 | CMSHCMSHCMSHCMSHCMSHCMSH%23%23... | MD5 0697564d77f5fbf7c18d046b70afecb1
Tags: MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed
URLs (1):
  http://192.3.243.146/ibi/CMSh.hta
Hosts (1):
  192.3.243.146 - malicious
Alerts (3):
  ET POLICY Possible HTA Application Download
  ET INFO Dotted Quad Host HTA Request
  ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
Score: 4.6 | VT: 30 | Submitter: ZeroCERT
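Several rows above are stages of the same infection chain, and the listing makes that visible only through filenames: the RTF in 11235 fetches CMSh.hta from 192.3.243.146, the CMSh.hta row (11221) fetches wininit.exe, and the wininit.exe row (11228) is tagged Formbook and beacons to a single path (/pta7/) across many domains; the secdukaszx.doc row (11227) and the secdukaszx.exe row (11231) share the same /mcon/ domain set. The script below is an added example, not code from ZeroCERT or from the sandbox that produced these rows. It links rows into download chains, clusters them by the shared C2 path pattern, and lists the bare-IP URLs that the "dotted-quad Host" ET alerts key on. RECORDS is a hand-copied subset of the rows and fields above; the function names and the BENIGN_HOSTS set (treating the www.sqlite.org zip fetched by the Formbook rows as a dependency download rather than C2) are this example's own assumptions.

```python
"""Added example: link ZeroCERT sandbox rows into download chains and extract IOCs.
RECORDS is copied from the listing (a subset of rows and fields); the helper
names and BENIGN_HOSTS are assumptions of this example, not the page's own."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed from the rows above: row id, submitted filename, MD5, URLs contacted.
RECORDS = [
    {"id": 11221, "file": "CMSh.hta", "md5": "d73b4775abeed46e879675ddd0d311d2",
     "urls": ["http://103.16.215.196/M247T/wininit.exe"]},
    {"id": 11223, "file": "vbcript.vbs", "md5": "75281ab6ea5a12725d427b34accd2325",
     "urls": ["https://cdn.pixelbin.io/v2/red-wildflower-1b0af4/original/universo_vbs.jpeg",
              "http://192.3.243.146/update/IE_CACHE.txt"]},
    {"id": 11227, "file": "secdukaszx.doc", "md5": "b3da431b3d8c5c8680024b81ce71bd85",
     "urls": ["http://www.bc081.com/mcon/?uGlQwPJu=pskxmoRFchsAbXFIn6Ds6WJWm93GPZXrd/fIfWEPkz26aGEkZ87oGPy24JF+yxwF1h0P/zwK8gLwn+yMtUteEtVFAkBJqDM7Jup+RKc=&9Y84=6fRJZ",
              "http://www.fagallery.com/mcon/",
              "http://www.triplemshipssupplies.com/mcon/",
              "http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip"]},
    {"id": 11228, "file": "wininit.exe", "md5": "99566b51018706a1b36b1440dc9b9d23",
     "urls": ["http://www.sisbom.online/pta7/", "http://www.playcups.life/pta7/",
              "http://www.yh66985.com/pta7/",
              "http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip"]},
    {"id": 11231, "file": "secdukaszx.exe", "md5": "410dec2d786b542c67397ab8cc7ecaf3",
     "urls": ["http://www.purelyunorthodox.com/mcon/", "http://www.fagallery.com/mcon/",
              "http://www.bc081.com/mcon/",
              "http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip"]},
    {"id": 11232, "file": "IBMCENTOSIBMCENTOSIBMCENTOSIBM...", "md5": "2d691029ea7c7963db78038eab462842",
     "urls": ["http://192.3.243.146/update/ck/vbcript.vbs"]},
    {"id": 11235, "file": "CMSHCMSHCMSHCMSHCMSHCMSH%23%23...", "md5": "0697564d77f5fbf7c18d046b70afecb1",
     "urls": ["http://192.3.243.146/ibi/CMSh.hta"]},
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption: the sqlite.org archive pulled by the Formbook rows is a dependency, not C2.
BENIGN_HOSTS = {"www.sqlite.org"}


def host_of(url):
    return urlparse(url).hostname or ""


def dotted_quad_urls(records):
    """(row id, URL) pairs whose host is a bare IPv4 literal: the condition the
    'ET INFO ... dotted-quad Host' alerts on several rows above fire on."""
    return [(r["id"], u) for r in records for u in r["urls"] if IPV4.match(host_of(u))]


def download_chains(records):
    """Parent row id -> child row ids, where a child's submitted filename equals the
    basename of a URL the parent fetched (RTF -> CMSh.hta -> wininit.exe)."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["file"].lower()].append(r["id"])
    chains = defaultdict(list)
    for r in records:
        for u in r["urls"]:
            base = urlparse(u).path.rsplit("/", 1)[-1].lower()
            chains[r["id"]].extend(by_name.get(base, []))
    return {parent: kids for parent, kids in chains.items() if kids}


def c2_path_clusters(records, min_hosts=2):
    """URI path -> sorted row ids that request that path on at least min_hosts
    distinct domains (the one-path-many-domains beaconing seen in the Formbook rows)."""
    path_hosts = defaultdict(lambda: defaultdict(set))  # path -> row id -> hosts
    for r in records:
        for u in r["urls"]:
            host = host_of(u)
            if host in BENIGN_HOSTS or IPV4.match(host):
                continue
            path_hosts[urlparse(u).path][r["id"]].add(host)
    return {path: sorted(i for i, hosts in rows.items() if len(hosts) >= min_hosts)
            for path, rows in path_hosts.items()
            if any(len(hosts) >= min_hosts for hosts in rows.values())}


def ioc_hosts(records):
    """Distinct contacted hosts with the benign dependency hosts removed, sorted for export."""
    return sorted({host_of(u) for r in records for u in r["urls"]} - BENIGN_HOSTS)


if __name__ == "__main__":
    for parent, children in sorted(download_chains(RECORDS).items()):
        print(f"{parent} -> {children}")
    print(c2_path_clusters(RECORDS))
    print(ioc_hosts(RECORDS))
```

The chain logic deliberately keys on basenames rather than full URLs: the same second stage is served from different paths across rows (CMSh.hta and IDBh.hta both live under /ibi/, the VBS files under /update/), so a full-URL join would miss them. The path clustering ignores bare-IP hosts so that the dropper hosts do not masquerade as beacon domains.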