11371 | 2023-07-20 07:53
File: yugozx.exe
MD5: 764cb439deb85a06073c46f475956fc4
Tags: .NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows DNS Cryptographic key
Hosts (1):
208.91.199.224 - mailcious
4.0 | M | 29 | ZeroCERT

11372 | 2023-07-20 07:52
File: MNKLOP873.exe
MD5: a79a555d8074362ce42e03465fc6655d
Tags: RedLine Infostealer UltraVNC UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed
URLs (15):
http://www.globourd.life/im0n/?hejeEiw=5tf/8dj/eN2+ceR3RgQ57gpqpXD7ZLeehNhmvk6YF2YhpYsb1jOJ09L0EvHjptkOpa7fFYEzay1EV6NPRS2gwPg5iNQOwT0+BeKgpWA=&D6hm=jOua5v
http://www.alannamershon.lol/im0n/
http://www.aquatic-organisms.info/im0n/
http://www.bvgroupcos.com/im0n/
http://www.rcosewe.com/im0n/?hejeEiw=KI+kJwpdsPvzoihrct6O+87Xk4PyfxIetYGKXAtKf4ZOaMK/E93JTX1mxFDgsPS99iov27I97GFTzVC2xNSHMx/bXfjZncuWa1wyyIs=&D6hm=jOua5v
http://www.claycountycompass.com/im0n/
http://www.adkoplan.net/im0n/?hejeEiw=YDOXNTfxU0JD7txBac3A8smkukDsBR698QaZNoqaXIkGbzmD1XDmW+uDLr4tiPyK8a/F+aWo0zvpbVdCKu9S34oWienqtQquCK2q9as=&D6hm=jOua5v
http://www.bvgroupcos.com/im0n/?hejeEiw=QLS70cqyyFTrHSP3+ZSMntARCP/tzE0lBA81dKJoiiN3wUIvdjfDKnc+qw6jKIOsjlxuk6bGrWGgdTY/PCm+3BJZYOiYOewPkXwe+Jk=&D6hm=jOua5v
http://www.aquatic-organisms.info/im0n/?hejeEiw=TrW6pHqt1MKD12fzlTIVY/zAdF+2OR7UWbm4lQzyVasMFf6YImOjdlT2uIyIHS8WT1QpyWZSRhwQrnxPMdhDKMi9esOBqOXPb2vniSE=&D6hm=jOua5v
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.globourd.life/im0n/
http://www.adkoplan.net/im0n/
http://www.alannamershon.lol/im0n/?hejeEiw=BtWsWYH8mR03jhsXlFBDofLGiJ0nWsYBlzTiwVSDx/H0EYvrQ8F2562MoCXeDPwHUyeNtzpJcr0VJBs2NlhuiMvceUnMecZSMshjYM4=&D6hm=jOua5v
http://www.rcosewe.com/im0n/
http://www.claycountycompass.com/im0n/?hejeEiw=6nVoOeydDdvEQoPzwGPbqVgi08ClPM7fMf2WAdo25FxHApFMgRyGDr8Xy0pHB84PirmLfNDueGK1IwqBROdGhKr6EMwVGq4Q7vg2wcU=&D6hm=jOua5v
Hosts (18):
www.lissa.shop(185.83.214.222)
www.adkoplan.net(85.13.151.78)
www.rcosewe.com(167.172.228.26)
www.claycountycompass.com(34.117.168.233)
www.aquatic-organisms.info(199.59.243.224)
www.bvgroupcos.com(91.195.240.123)
www.alannamershon.lol(172.67.191.76)
www.globourd.life(162.0.214.109)
162.55.60.2
34.117.168.233 - mailcious
199.59.243.224
104.21.20.36
167.172.228.26 - mailcious
85.13.151.78
162.0.214.109
45.33.6.223
91.195.240.123 - mailcious
185.83.214.222 - mailcious
Alerts (2):
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
10.6 | M | 52 | ZeroCERT

11373 | 2023-07-20 07:51
File: smss.exe
MD5: 9c72d48f384e384c0e3b159f4039298f
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB Remote Code Execution
2.4 | | 44 | ZeroCERT

11374 | 2023-07-20 07:48
File: ChromeSetup.exe
MD5: 12864f3dc3fbedfb22b049d0b7ea8958
Tags: NSIS UPX Malicious Library PE File PE32 ZIP Format OS Processor Check DLL VirusTotal Email Client Info Stealer Malware Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder Email ComputerName crashed
URLs (1): not listed
Hosts (4):
us2.smtp.mailhostbox.com(208.91.199.225)
showip.net(162.55.60.2)
162.55.60.2
208.91.199.224 - mailcious
Alerts (3):
ET POLICY IP Check Domain (showip in HTTP Host)
SURICATA Applayer Detect protocol only one direction
ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip
6.4 | | 31 | ZeroCERT

11375 | 2023-07-20 07:48
File: dollzx.exe
MD5: e6c0c8446f60500e85ea72e966bfcc76
Tags: Formbook .NET framework(MSIL) AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD Windows DNS Cryptographic key
URLs (2):
http://www.djtescao.store/xy18/?sXLXkX3=m19SvEhrSItrAUKX3Xbl1jz8SJ1SDm/8MimMTSxEHPRpqSCgmUQJbyfsnS8hrIVi1xs+Vqey&CdTHm=Cj6tO
http://www.ex-sideproject.com/xy18/?sXLXkX3=X56z6+zy1MKrxoKWKU//XnGdtRx6ueWJln4Kjq7+x+gu62rHDZsWTxOq5YLIV5B2+0bJxpLu&CdTHm=Cj6tO
Hosts (5):
www.djtescao.store(31.31.196.193)
www.ex-sideproject.com(198.54.117.215)
www.cygoodshopgogo.top()
31.31.196.193
198.54.117.210 - mailcious
Alerts (2):
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
8.8 | | 21 | ZeroCERT

11376 | 2023-07-20 07:47
File: taskhostamd.exe
MD5: 54cbe835ac726ec258b58566cab62aaa
Tags: UPX MPRESS PE File PE32 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Check memory unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization human activity check Windows ComputerName Remote Code Execution Firmware DNS crashed
URLs (2):
http://45.15.156.208/jd9dd3Vw/index.php?scr=1
http://45.15.156.208/jd9dd3Vw/index.php
Hosts (2):
second.amadgood.com()
45.15.156.208
Alerts (3):
ET MALWARE Amadey Bot Activity (POST) M1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
13.4 | M | 44 | ZeroCERT

11377 | 2023-07-20 07:47
File: zerno_opt.exe
MD5: d2192209d6892b9bf8e6d155a53b69a5
Tags: Vidar LokiBot Gen1 Themida Packer UPX Malicious Library Malicious Packer PWS Anti_VM AntiDebug AntiVM BitCoin .NET EXE PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName Firmware DNS Software crashed Downloader
URLs (6):
http://91.103.252.31/clp8.exe
http://116.202.177.109/upgrade.zip - rule_id: 35280
http://116.202.177.109/ - rule_id: 35279
http://116.202.177.109/4aa69ee33f6cb36c303532e7ef290ddf
https://steamcommunity.com/profiles/76561198982268531 - rule_id: 35281
https://t.me/sundayevent
Hosts (8):
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
91.103.252.31
185.174.172.194
116.202.177.109 - mailcious
94.142.138.116 - malware
104.76.78.101 - mailcious
Alerts (9):
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host ZIP Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (3):
http://116.202.177.109/upgrade.zip
http://116.202.177.109/
https://steamcommunity.com/profiles/76561198982268531
22.8 | M | 28 | ZeroCERT

11378 | 2023-07-20 07:46
File: choileety.exe
MD5: da9534900ee0d11c9b30cf33152ea03c
Tags: Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader Admin Tool (Sysinternals etc ...) Antivirus Create Service Socket Escalate priviledges PWS Sniff Audio DNS ScreenShot Internet API KeyLo VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger
Hosts (2):
91.192.100.10 - mailcious
91.103.252.31
15.2 | M | 49 | ZeroCERT

11379 | 2023-07-20 07:43
File: lzoCW4lLiTNeo.exe
MD5: bacd8202f058ddcc5fddf57f8fce99d8
Tags: Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (5):
http://www.1xboro7.click/k2l0/?v2Jx4=gdIo5mM9lXBdi558t2eJ3ed4IEH2JjF3YUJjs/DuOxOlHAWx6kMfp5pai83Dg+nwI9+C5pp6&jJBP_F=PPJHa6cP0fV4ANB0
http://www.trwc.online/k2l0/?v2Jx4=TY0eLS25TbGWIPoAvIBkbiGMyWIlUL+junlCch65rY0chgQMasfhvMnMRaLp/GGSn7X9xMH4&jJBP_F=PPJHa6cP0fV4ANB0
http://www.getflooringservices.today/k2l0/?v2Jx4=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&jJBP_F=PPJHa6cP0fV4ANB0 - rule_id: 34670
http://www.ezkiosystem.com/k2l0/?v2Jx4=xqYImV8HKxPdTcT8y9GMwftV4Cj/nHOqtw0ItIHCgt3zlewQWki2gcTtgHbczwBAu8VEYRGB&jJBP_F=PPJHa6cP0fV4ANB0
http://www.mtproductions.xyz/k2l0/?v2Jx4=o2du+VOpfCxxrHF0jTeQdwEN/Nb3oP3iwGp0y37hEj8zJFJ0k0b8cpmxFrA37JuCeHQ21Z1q&jJBP_F=PPJHa6cP0fV4ANB0
Hosts (10):
www.mtproductions.xyz(103.138.151.78)
www.ezkiosystem.com(170.130.208.37)
www.getflooringservices.today(172.67.183.64) - mailcious
www.1xboro7.click(104.21.47.7)
www.trwc.online(162.0.238.217)
104.21.48.94
104.21.47.7
103.138.151.78
170.130.208.37
162.0.238.217
Alerts (1):
ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (1):
http://www.getflooringservices.today/k2l0/
4.6 | M | 42 | ZeroCERT

11380 | 2023-07-20 07:43
File: paki.exe
MD5: 5e756bc5d404f987517b2684e209b219
Tags: .NET framework(MSIL) .NET EXE PE File PE32 Check memory Checks debugger unpack itself
1.2 | M | | ZeroCERT

11381 | 2023-07-20 07:41
File: file.exe
MD5: bedbe012a1b5826fe7f1dec74b63b729
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
2.0 | | 32 | ZeroCERT

11382 | 2023-07-20 07:40
File: odinakazx.exe
MD5: 780aa063c9da33582456aae81ca77cc8
Tags: .NET framework(MSIL) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
Hosts (2):
cp7nl.hyperhost.ua(185.174.172.194)
185.174.172.194
Alerts (2):
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 | | 21 | ZeroCERT

11383 | 2023-07-20 07:40
File: windwindiwindiwndinwindnwindin...
MD5: f2501e6b88713ee6aabc13e51bf710a9
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed
URLs (1):
http://192.3.216.144/456/system_root.vbs
Hosts (3):
45.88.66.43 - mailcious
162.55.60.2
192.3.216.144 - mailcious
Alerts (1):
ET INFO Dotted Quad Host VBS Request
5.4 | M | 26 | ZeroCERT

11384 | 2023-07-20 07:35
File: IBMIBMIBMIBMIBMIBMIBMIBMIBMIBM...
MD5: a69fc2a504cae835fb45b6a52d05022c
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
URLs (2):
http://showip.net/
http://107.175.202.150/60/ChromeSetup.exe
Hosts (3):
showip.net(162.55.60.2)
162.55.60.2
107.175.202.150 - malware
Alerts (6):
ET POLICY IP Check Domain (showip in HTTP Host)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.6 | M | 32 | ZeroCERT

11385 | 2023-07-20 07:34
File: idbkiidbkidibkidibkidbkidibki%...
MD5: 072892874a099e1dc789a8c94a38ce7b
Tags: MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed
URLs (1):
http://192.3.243.146/232/idbk.hta
Hosts (1):
192.3.243.146 - mailcious
Alerts (3):
ET POLICY Possible HTA Application Download
ET INFO Dotted Quad Host HTA Request
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
4.6 | | 31 | ZeroCERT
