11731 | 2023-07-06 07:24 |
CGSS1FFDSDFFFDDF.doc 3483e943d6094354b09c224b748a3f4b MS_RTF_Obfuscation_Objects RTF File doc Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed |
1
http://192.3.243.150/232/ChatGTP.exe
|
1
|
1
ET INFO Executable Download from dotted-quad Host
|
|
3.2 |
|
|
ZeroCERT
11732 | 2023-07-06 07:05 |
PNe5J9o1XCKpHYk.exe 40be18ff344e38f80cec056f5bd97f21 UPX .NET framework(MSIL) Admin Tool (Sysinternals etc ...) DNS AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
14.0 |
|
|
guest
11733 | 2023-07-05 18:30 |
149.exe 2cca5c1b1f00170bd750694d9511015b Cutwail UPX Malicious Library Escalate priviledges Code injection HTTP DNS Scre Malware download VirusTotal Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process suspicious TLD sandbox evasion Tofsee Windows Backdoor ComputerName DNS Cryptographic key |
213
http://www.xaicom.es/ - rule_id: 24556 http://www.xaicom.es/ http://www.railbook.net/ - rule_id: 26023 http://www.railbook.net/ http://www.valselit.com/ - rule_id: 23216 http://www.valselit.com/ http://www.yocinc.org/ - rule_id: 23202 http://www.yocinc.org/ http://gbp-jp.com/ - rule_id: 26056 http://gbp-jp.com/ http://www.stajum.com/ http://vivastay.com/ - rule_id: 24694 http://vivastay.com/ http://www.stnic.co.uk/ - rule_id: 26026 http://www.stnic.co.uk/ http://www.fnsds.org/ - rule_id: 24655 http://www.fnsds.org/ http://msl-lock.com/ - rule_id: 24957 http://msl-lock.com/ http://www.snugpak.com/ - rule_id: 23198 http://www.snugpak.com/ http://www.valdal.com/ - rule_id: 23188 http://www.valdal.com/ http://ramkome.com/ - rule_id: 24657 http://ramkome.com/ http://arowines.com/ - rule_id: 24919 http://arowines.com/ http://jsaps.com/ - rule_id: 24660 http://jsaps.com/ http://x1.i.lencr.org/ http://mcseurope.nl/ - rule_id: 24661 http://mcseurope.nl/ http://clinicasanluis.com.co/ - rule_id: 24662 http://clinicasanluis.com.co/ http://www.myropcb.com/ - rule_id: 24663 http://www.myropcb.com/ http://www.depalo.com/ - rule_id: 23191 http://www.depalo.com/ http://fifa-ews.com/ - rule_id: 24665 http://fifa-ews.com/ http://www.fink.com/ - rule_id: 26028 http://www.fink.com/ http://www.quadlock.com/ - rule_id: 23184 http://www.quadlock.com/ http://orbitgas.com/ - rule_id: 24666 http://orbitgas.com/ http://www.hummer.hu/ - rule_id: 23200 http://www.hummer.hu/ http://www.findbc.com/ - rule_id: 24562 http://www.findbc.com/ http://www.ka-mo-me.com/ - rule_id: 26050 http://uhsa.edu.ag/ - rule_id: 24671 http://www.aevga.com/ - rule_id: 26030 http://www.holleman.us/ - rule_id: 23213 http://www.ex-olive.com/ - rule_id: 23224 http://portoccd.org/ - rule_id: 24924 http://metaforacom.com/ - rule_id: 24673 http://www.cel-cpa.com/ - rule_id: 26032 http://dog-jog.net/ - rule_id: 26192 http://avse.hu/ - rule_id: 26193 http://sokuwan.net/ - rule_id: 26033 http://www.wifi4all.nl/ - rule_id: 
23195 http://pers.com/ - rule_id: 24927 http://ruzee.com/ - rule_id: 24928 http://www.spanesi.com/ - rule_id: 26024 http://tabbles.net/ - rule_id: 24677 http://orlyhotel.com/ - rule_id: 24651 http://hbfuels.com/ - rule_id: 24929 http://magicomm.co.uk/ - rule_id: 24678 http://tbvlugus.nl/ - rule_id: 24930 http://akr.co.id/ - rule_id: 24679 http://acraloc.com/ - rule_id: 24945 http://www.item-pr.com/ - rule_id: 24680 http://www.jchysk.com/ - rule_id: 24561 http://coxkitchensandbaths.com/ - rule_id: 24716 http://www.domon.com/ - rule_id: 24688 http://missnue.com/ - rule_id: 24937 http://yhsll.com/ - rule_id: 24939 http://sanfotek.net/ - rule_id: 24964 http://mondopp.net/ - rule_id: 26195 http://nekono.net/ - rule_id: 24941 http://www.photo4b.com/ - rule_id: 23201 http://www.crcsi.org/ - rule_id: 23206 http://www.kernsafe.com/ - rule_id: 23218 http://ccssinc.com/ - rule_id: 24698 http://mackusick.com/ - rule_id: 24699 http://www.vitaindu.com/ - rule_id: 23210 http://semuk.com/ - rule_id: 24690 http://nts-web.net/ - rule_id: 24749 http://bigzz.by/ - rule_id: 24946 http://holp-ai.com/ - rule_id: 24942 http://karmy.com.pl/ - rule_id: 24703 http://www.pdqhomes.com/ - rule_id: 23183 http://www.transsib.com/ - rule_id: 23204 http://s5w.com/ - rule_id: 24953 http://www.nelipak.nl/ - rule_id: 23217 http://midap.com/ - rule_id: 24704 http://www.iamdirt.com/ - rule_id: 23192 http://impexnc.com/ - rule_id: 24706 http://oozkranj.com/ - rule_id: 24951 http://floopis.com/ http://tcpoa.com/ - rule_id: 26039 http://www.medius.si/ - rule_id: 26038 http://www.t-tre.com/ - rule_id: 23214 http://www.yoruksut.com/ - rule_id: 26042 http://atb-lit.com/ http://www.edimart.hu/ - rule_id: 23221 http://www.abdg.com/ - rule_id: 23193 http://www.netcr.com/ - rule_id: 23219 http://x96.com/ - rule_id: 24710 http://t-mould.com/ - rule_id: 24711 http://www.abart.pl/ - rule_id: 23208 http://valselit.com/ - rule_id: 26197 http://komie.com/ - rule_id: 26044 http://yoruksut.com/ - rule_id: 24714 
http://geecl.com/ - rule_id: 24958 http://unicus.jp/ - rule_id: 24715 http://www.com-sit.com/ - rule_id: 26045 http://www.x0c.com/ - rule_id: 23225 http://skgm.ru/ http://www.fcwcvt.org/ - rule_id: 23196 http://www.gpthink.com/ - rule_id: 23215 http://adventist.ro/ - rule_id: 24959 http://kayoaiba.com/ - rule_id: 24718 http://78san.com/ - rule_id: 24961 http://www.maktraxx.com/ - rule_id: 24720 http://dhh.la.gov/ - rule_id: 24721 http://insia.com/ - rule_id: 24722 http://bount.com.tw/ http://www.credo.edu.pl/ - rule_id: 23190 http://www.dayvo.com/ - rule_id: 24724 http://www.dgmna.com/ - rule_id: 23187 http://www.sjbs.org/ - rule_id: 24664 http://rappich.de/ - rule_id: 26201 http://www.ottospm.com/ - rule_id: 24727 http://ftmobile.com/ - rule_id: 24728 http://www.mobilnic.net/ - rule_id: 24643 http://www.naoi-a.com/ - rule_id: 23209 http://www.2print.com/ - rule_id: 23222 http://www.lrsuk.com/ - rule_id: 23223 http://www.petsfan.com/ - rule_id: 23194 http://muhr-soehne.de/ - rule_id: 24732 http://www.mqs.com.br/ - rule_id: 23205 http://www.rs-ag.com/ - rule_id: 23199 http://www.olras.com/ - rule_id: 23186 http://sinwal.com/ - rule_id: 24734 http://siongann.com/ - rule_id: 24966 http://diamir.de/ - rule_id: 24736 http://www.alteor.cl/ - rule_id: 23182 http://www.fe-bauer.de/ - rule_id: 24738 http://alexpope.biz/ - rule_id: 24968 http://www.baijaku.com/ - rule_id: 23181 http://top1oil.com/ - rule_id: 26202 http://www.pwd.org/ - rule_id: 24741 http://www.c9dd.com/ - rule_id: 26051 http://sigtoa.com/ - rule_id: 24742 http://hyab.se/ - rule_id: 24743 http://www.tc17.com/ - rule_id: 24745 http://rast.se/ - rule_id: 24747 http://btsi.com.ph/ - rule_id: 24748 http://kairel.com/ - rule_id: 24969 http://www.speelhal.net/ - rule_id: 23228 http://bggs.com/ - rule_id: 24751 http://www.jenco.co.uk/ - rule_id: 23179 http://touchfam.ca/ - rule_id: 24975 http://duiops.net/ - rule_id: 24976 http://cbras.com/ - rule_id: 26205 http://www.pupi.cz/ - rule_id: 24758 
http://flamingorecordings.com/ - rule_id: 24759 http://www.tvtools.fi/ - rule_id: 23185 http://www.jacomfg.com/ - rule_id: 23226 http://www.ora-ito.com/ - rule_id: 23211 http://www.waldi.pl/ - rule_id: 23207 http://ludea.cz/ http://ifesnet.com/ - rule_id: 26055 http://revoldia.net/ - rule_id: 26189 http://cubodown.com/ - rule_id: 24762 http://www.pr-park.com/ - rule_id: 23180 http://bidroll.com/ - rule_id: 26054 http://cjborden.com/ - rule_id: 24985 http://www.vazir.se/ - rule_id: 23203 http://webways.com/ - rule_id: 26207 http://www.koz1.net/ - rule_id: 23262 http://www.evcpa.com/ - rule_id: 24550 http://www.vexcom.com/ - rule_id: 24764 http://dbnet.at/ - rule_id: 24765 http://kallman.net/ http://www.cokocoko.com/ - rule_id: 23220 http://xult.org/ - rule_id: 26057 http://www.ora.ecnet.jp/ - rule_id: 23212 http://jabian.com/ http://www.pcgrate.com/ - rule_id: 24560 http://e-kami.net/ - rule_id: 24770 http://popbook.com/ - rule_id: 24991 http://notis.ru/ - rule_id: 24992 http://plaske.ua/ http://esmoke.net/ http://www.tyrns.com/ - rule_id: 23227 http://dspears.com/ - rule_id: 24683 http://enguita.net/ - rule_id: 24916 http://www.synetik.net/ - rule_id: 23197 http://www.nqks.com/ - rule_id: 24775 http://www.otena.com/ - rule_id: 24532 http://strazynski.pl/ - rule_id: 24777 http://hazmatt.com/ - rule_id: 24779 http://apps.identrust.com/roots/dstrootcax3.p7c http://indonesiamedia.com/ - rule_id: 24781 http://web-york.com/ - rule_id: 24782 http://mackusick.de/ - rule_id: 24769 http://www.elpro.si/ - rule_id: 23189 http://pleszew.policja.gov.pl/ - rule_id: 24773 https://dataform.co.uk/wp-signup.php?new=magicomm.co.uk https://www.muhr-soehne.de/ - rule_id: 24785
|
531
nts-web.net(49.212.235.175) - mailcious www.pohlfood.com(104.218.10.254) gbp-jp.com(208.80.123.195) - mailcious shesfit.com(172.67.158.251) - mailcious kairel.com(54.217.118.81) - mailcious www.reglera.com(64.125.133.18) valselit.com(193.70.68.254) - mailcious slower.it(127.0.0.11) workplus.hu() - mailcious cjborden.com(15.197.142.173) - mailcious sinwal.com(104.21.50.138) - mailcious www.pcgrate.com(104.21.66.46) - mailcious duiops.net(135.125.108.170) - mailcious someikan.com() www.ex-olive.com(210.140.73.39) metaforacom.com(185.42.105.162) - mailcious www.cokocoko.com(3.18.7.81) - mailcious agitz.com.br() www.kernsafe.com(104.26.2.124) nblewis.com(52.0.29.214) www.hummer.hu(185.80.51.179) xsui.com(127.0.0.1) www.olras.com(80.93.82.33) - mailcious xult.org(65.52.128.33) - mailcious www.yoruksut.com(93.187.206.66) kamptal.at(128.204.134.138) - mailcious wantapc.net(157.7.107.49) - mailcious techtrans.de(185.237.66.112) gphpedit.org(127.0.0.1) nekono.net(202.172.28.187) - mailcious in1.smtp.messagingengine.com(103.168.172.217) www.jroy.net() - mailcious pleszew.policja.gov.pl(91.229.22.126) - mailcious juso-gr.ch() - mailcious ludea.cz(46.8.8.200) avse.hu(185.129.138.60) - mailcious floopis.com(3.64.163.50) lpver.com(92.204.129.113) - mailcious acraloc.com(192.64.150.164) - mailcious www.fcwcvt.org(104.21.25.200) ftchat.com() www.nqks.com(147.154.0.23) - mailcious de() esmoke.net(204.15.134.44) dataform.co.uk(83.223.113.46) www.crcsi.org(165.227.252.190) fr-dat.com(127.0.0.1) notis.ru(185.178.208.141) - mailcious mackusick.com(217.160.0.179) - mailcious cubodown.com(172.67.150.50) - mailcious univi.it(18.197.121.220) - mailcious kallman.net(185.76.64.25) insia.com(82.208.6.9) - mailcious midap.com(198.49.23.145) - mailcious www.fink.com(69.163.218.51) www.t-tre.com(135.181.73.98) envogen.com(104.21.73.149) - mailcious www.mqs.com.br(170.82.174.30) unicus.jp(49.212.232.113) - mailcious kursavto.ru(31.177.76.70) - mailcious plaske.ua(5.181.161.11) 
yhsll.com(102.134.49.77) - mailcious www.photo4b.com(195.78.66.50) www.baijaku.com(59.106.19.204) - mailcious aoinko.net(157.7.107.38) - mailcious mackusick.de(217.160.0.131) - mailcious www.sjbs.org(69.163.239.62) - mailcious kavram.com(172.67.189.68) - mailcious www.jenco.co.uk(172.67.208.67) - mailcious dspears.com(52.71.57.184) - mailcious 78san.com(133.242.15.119) - mailcious tbvlugus.nl(174.129.25.170) - mailcious www.valselit.com(193.70.68.254) magicomm.co.uk(83.223.113.46) - mailcious adventist.ro(49.12.155.123) - mailcious mkm-gr.com(79.124.76.247) muhr-soehne.de(5.189.171.125) - mailcious sanfotek.net(216.69.141.67) - mailcious www.fnsds.org(3.212.23.181) - mailcious jabian.com(104.26.6.17) www.ora.ecnet.jp(60.43.154.138) www.item-pr.com(185.15.129.58) - mailcious missnue.com(104.21.234.121) - mailcious mcseurope.nl(46.19.218.80) - mailcious webways.com(104.21.1.51) - mailcious www.rs-ag.com(172.67.152.88) pro-fa.com() strazynski.pl(85.128.196.22) - mailcious www.transsib.com(80.74.154.6) www.depalo.com(142.250.207.115) - mailcious skgm.ru(91.201.52.102) websy.com(34.98.99.30) www.mobilnic.net(154.203.14.100) www.pdqhomes.com(52.86.6.113) - mailcious www.fe-bauer.de(3.65.101.129) - mailcious www.medius.si(99.86.207.38) alexpope.biz(76.74.184.61) - mailcious nettlinx.org(202.53.77.146) - mailcious oozkranj.com(212.44.102.57) - mailcious www.ora-ito.com(213.186.33.40) top1oil.com(104.26.0.82) - mailcious www.wnsavoy.com(96.91.204.114) www.dgmna.com(192.124.249.20) - mailcious www.netcr.com(3.140.13.188) - mailcious www.jchysk.com(208.97.178.138) - mailcious host.do(217.79.248.38) - mailcious fifa-ews.com(104.21.10.34) - mailcious msl-lock.com(165.160.15.20) - mailcious dog-jog.net(153.122.24.177) - mailcious www.spanesi.com(5.196.166.214) hyab.com(104.21.65.224) www.xaicom.es(188.165.133.163) gmail-smtp-in.l.google.com(142.251.170.27) roewer.de(45.142.176.225) - mailcious dwid.de(87.230.93.218) bd-style.com(103.112.69.92) - mailcious 
www.iamdirt.com(34.117.168.233) - mailcious alt4.gmail-smtp-in.l.google.com(142.250.152.27) hazmatt.com(205.178.189.131) - mailcious coxkitchensandbaths.com(205.149.134.32) - mailcious e-kami.net(202.172.28.89) - mailcious komie.com(59.106.13.181) - mailcious cbras.com(54.39.198.18) - mailcious hyab.se(104.21.52.126) - mailcious www.alteor.cl(34.149.87.45) www.usadig.com(198.100.146.220) smtp.compuserve.com(106.10.139.31) wahw.com.au(54.194.190.151) smtp.sbcglobal.yahoo.com(67.195.12.38) www.stajum.com(162.43.120.128) www.holleman.us(51.79.51.72) - mailcious www.abart.pl(89.161.163.246) www.domon.com(23.227.38.74) - mailcious indonesiamedia.com(74.208.215.145) - mailcious web-york.com(219.94.129.97) - mailcious holp-ai.com(59.106.13.169) - mailcious smitko.net(31.15.12.103) - mailcious portoccd.org(51.89.6.56) - mailcious bggs.com(35.230.155.43) - mailcious com() www.vexcom.com(172.67.173.200) - mailcious sokuwan.net(185.230.63.107) - mailcious c-drop.net() bigzz.by(178.249.70.75) - mailcious www.petsfan.com(3.19.116.195) - mailcious mxs.mail.ru(217.69.139.150) bount.com.tw(172.67.196.25) avc.com.sa() t-mould.com(81.169.145.175) - mailcious ymlp15.net() www.nelipak.nl(82.201.61.230) www.waldi.pl(46.242.238.60) - mailcious www.nunomira.com(192.241.158.94) ldh.la.gov(75.2.95.235) www.synetik.net(193.166.255.171) haigh-me.com() usadig.com(198.100.146.220) www.yumgiskor.kz() www.railbook.net(103.224.212.221) clinicasanluis.com.co(104.21.66.220) - mailcious revoldia.net(154.210.36.66) - mailcious kayoaiba.com(154.213.117.166) - mailcious gbmfg.com(151.101.2.132) www.elpro.si(104.26.15.53) - mailcious www.x0c.com(185.53.177.50) - mailcious pellys.co.uk(77.72.4.226) - mailcious chzko.ru() burstner.ru(62.122.170.171) - mailcious kumaden.com(49.212.180.178) - mailcious www.credo.edu.pl(62.122.190.121) www.muhr-soehne.de(5.189.171.125) - mailcious www.yocinc.org(66.94.119.160) www.tyrns.com(62.75.216.137) pers.com(192.124.249.3) - mailcious dhh.la.gov(52.200.51.73) - 
mailcious www.wkhk.net() - mailcious dbnet.at(188.94.254.88) - mailcious s5w.com(192.99.226.184) - mailcious www.ftchat.com() - mailcious fundeo.com(104.24.161.27) - mailcious tabbles.net(80.211.41.39) - mailcious touchfam.ca(15.197.142.173) - mailcious cnti.krsn.ru(217.74.161.133) zugseil.com(92.42.191.40) - mailcious orlyhotel.com(104.21.48.207) - mailcious sgk.home.pl(89.161.136.188) - mailcious anteph.org() www.naoi-a.com(202.254.236.40) - mailcious ifesnet.com(172.67.137.15) - mailcious nt-hat.com() btsi.com.ph(69.46.30.77) - mailcious kewlmail.com() - mailcious yoruksut.com(93.187.206.66) - mailcious www.pupi.cz(103.224.182.241) - mailcious oh28ya.com(13.113.237.140) - mailcious tcpoa.com(159.89.244.183) - mailcious ncn.de(46.30.60.158) - mailcious x96.com(104.21.73.229) - mailcious akr.co.id(104.20.122.68) - mailcious invictus.pl() webband.com() bosado.com(5.39.75.157) - mailcious www.quadlock.com(70.39.251.249) - mailcious www.cel-cpa.com(104.196.26.65) www.pwd.org(208.109.214.162) - mailcious www.wifi4all.nl(172.67.198.26) - mailcious hamaker.net(34.102.136.180) - mailcious semuk.com(86.105.245.69) - mailcious bidroll.com(13.56.33.8) - mailcious www.findbc.com(13.248.169.48) - mailcious impexnc.com(204.11.56.48) - mailcious enguita.net(195.5.116.23) - mailcious www.dayvo.com(104.21.68.7) - mailcious ccssinc.com(172.67.185.152) - mailcious www.lrsuk.com(13.225.131.114) - mailcious karmy.com.pl(185.253.212.22) - mailcious popbook.com(47.91.167.60) - mailcious atis-sk.ca() www.myropcb.com(74.208.236.101) - mailcious www.koz1.net() - mailcious atb-lit.com(208.100.26.245) adeesa.net(104.21.77.146) - mailcious www.2print.com(107.180.98.101) rappich.de(89.31.143.1) - mailcious iranytu.net() - mailcious sigtoa.com(104.21.49.75) - mailcious e-asset.net() madjek.com() kustnara.com(75.2.70.75) www.com-sit.com(104.26.10.81) ramkome.com(62.75.216.107) - mailcious www.ottospm.com(104.21.63.28) - mailcious www.speelhal.net(217.19.237.54) rast.se(93.188.2.51) - mailcious 
www.vitaindu.com(122.128.109.107) yasuma.com(61.200.81.21) - mailcious www.evcpa.com(192.124.249.10) - mailcious noblesse.be(5.134.4.115) - mailcious hbfuels.com(85.233.160.146) - mailcious www.fnw.us(137.118.26.67) www.jacomfg.com(96.127.180.42) - mailcious arowines.com(75.2.18.233) - mailcious mondopp.net() - mailcious tozzhin.com(202.94.166.30) - mailcious www.vazir.se() - mailcious www.maktraxx.com(72.44.93.236) - mailcious www.pr-park.com(118.27.125.181) flamingorecordings.com(35.214.171.193) - mailcious www.snugpak.com(23.227.38.74) - mailcious vivastay.com(3.18.7.81) - mailcious www.ka-mo-me.com(211.1.226.67) grlawcc.com() org() www.tvtools.fi(172.67.152.159) - mailcious www.udesign.biz() www.edimart.hu(81.2.194.241) - mailcious www.medisa.info() x1.i.lencr.org(104.76.70.102) thiessen.net(62.75.251.116) siongann.com(104.21.8.75) - mailcious jsaps.com(49.212.235.59) - mailcious awfraser.com() aba.org.eg(192.169.149.78) - mailcious www.c9dd.com(188.166.152.188) ruzee.com(207.180.198.201) - mailcious www.stnic.co.uk(77.68.50.105) geecl.com(194.76.27.77) - mailcious mail7.digitalwaves.co.nz() www.tc17.com(104.21.79.244) - mailcious xinhui.net(43.255.29.192) www.gpthink.com(39.99.233.155) - mailcious www.otena.com(3.64.163.50) scintel.com(23.239.201.14) ciicsc.com() www.owsports.ca() - mailcious rtcasey.com(69.195.90.46) - mailcious uhsa.edu.ag(192.124.249.13) - mailcious ftmobile.com(199.34.228.78) - mailcious www.valdal.com(104.26.6.221) diamir.de(94.130.146.206) - mailcious orbitgas.com(107.180.58.31) - mailcious www.abdg.com(192.252.154.18) www.aevga.com(108.167.164.216) 13.248.155.104 - suspicious 79.124.76.247 192.64.150.164 - mailcious 204.15.134.44 192.241.158.94 5.181.161.11 198.41.0.4 172.67.206.199 - mailcious 3.64.163.50 - mailcious 188.166.152.188 104.21.26.154 - mailcious 86.105.245.69 - mailcious 159.89.244.183 198.100.146.220 107.180.98.101 172.67.134.134 135.181.73.98 193.70.68.254 - mailcious 45.142.176.225 - mailcious 104.24.160.27 - mailcious 
13.56.33.8 - mailcious 49.212.235.59 - mailcious 74.208.236.101 153.120.34.73 194.76.27.77 192.169.149.78 - mailcious 151.101.130.132 104.21.234.121 - mailcious 178.249.70.75 - mailcious 217.74.161.133 74.125.23.27 142.250.152.27 142.250.66.147 208.100.26.245 - phishing 31.177.76.70 - suspicious 172.67.184.30 - mailcious 192.124.249.3 - mailcious 205.149.134.32 - mailcious 185.15.129.58 137.118.26.67 60.43.154.138 83.223.113.46 - mailcious 153.122.24.177 - mailcious 34.149.87.45 - phishing 104.21.66.46 - mailcious 80.74.154.6 - mailcious 35.214.171.193 121.254.136.27 104.21.23.9 202.172.28.187 - mailcious 185.129.138.60 - mailcious 99.86.207.38 213.186.33.40 - mailcious 205.178.189.131 - phishing 104.21.48.207 54.217.118.81 - mailcious 103.168.172.221 47.91.167.60 - mailcious 122.128.109.107 172.67.193.133 133.242.15.119 - mailcious 154.213.117.166 - mailcious 77.68.50.105 18.197.121.220 - mailcious 192.36.148.17 128.8.10.90 210.140.73.39 - mailcious 185.53.177.50 - mailcious 31.15.12.103 - mailcious 5.39.75.157 - mailcious 107.180.58.31 - mailcious 154.210.36.66 208.97.178.138 - mailcious 172.67.185.152 170.82.174.30 217.19.237.54 - mailcious 217.160.0.179 - mailcious 128.204.134.138 - mailcious 192.99.226.184 - mailcious 211.1.226.67 5.134.4.115 - mailcious 202.94.166.30 - mailcious 104.26.7.17 5.196.166.214 34.117.168.233 - mailcious 172.67.198.26 - phishing 192.5.5.241 213.186.33.17 - mailcious 89.31.143.1 - mailcious 104.26.10.81 49.212.180.178 - mailcious 108.167.164.216 80.211.41.39 173.231.184.124 - mailcious 106.10.139.31 54.161.222.85 - mailcious 75.2.18.233 - mailcious 94.100.180.31 185.178.208.141 - mailcious 66.94.119.160 104.21.77.146 118.27.125.181 202.254.236.40 - mailcious 69.163.218.51 - mailcious 51.89.6.56 - mailcious 172.67.156.237 - mailcious 43.255.29.192 69.195.90.46 - mailcious 198.1.81.28 52.0.29.214 185.237.66.112 195.78.66.50 - mailcious 192.33.4.12 61.200.81.21 192.252.154.18 - mailcious 91.229.22.126 - mailcious 104.21.66.220 - 
mailcious 92.204.129.113 - mailcious 34.102.136.180 - mailcious 154.203.14.100 72.251.233.245 104.21.30.14 216.69.141.67 62.75.216.107 - mailcious 219.94.129.97 - mailcious 62.122.190.121 82.208.6.9 - mailcious 172.67.160.168 102.134.49.77 165.227.252.190 - suspicious 104.21.63.28 - mailcious 82.201.61.230 - mailcious 172.67.152.88 157.7.107.49 - malware 81.2.194.241 - mailcious 66.163.170.48 172.67.163.101 202.172.28.89 - mailcious 185.42.105.162 - mailcious 192.124.249.20 - mailcious 207.180.198.201 - mailcious 188.165.133.163 23.227.38.74 - mailcious 104.21.1.51 174.129.25.170 - mailcious 104.21.52.126 - mailcious 35.230.155.43 - mailcious 74.208.215.145 - mailcious 211.13.196.162 202.53.77.146 - mailcious 3.212.23.181 34.205.242.146 - mailcious 172.67.70.22 172.67.189.227 - mailcious 5.189.171.125 - mailcious 46.242.238.60 - mailcious 89.161.163.246 - mailcious 185.80.51.179 - mailcious 80.93.82.33 - mailcious 89.161.136.188 - mailcious 204.11.56.48 - phishing 92.42.191.40 72.44.93.236 - mailcious 93.187.206.66 - mailcious 81.169.145.175 - mailcious 193.166.255.171 - mailcious 104.76.70.102 64.125.133.18 162.43.120.128 65.52.128.33 - malware 198.49.23.144 - mailcious 3.33.152.147 - mailcious 172.67.158.251 - phishing 3.130.204.160 59.106.19.204 - mailcious 13.225.131.92 185.76.64.25 77.72.4.226 - mailcious 103.224.212.221 - mailcious 103.224.182.241 - mailcious 94.130.146.206 165.160.13.20 - mailcious 54.39.198.18 - mailcious 3.140.13.188 - mailcious 172.67.71.55 - mailcious 85.233.160.146 76.74.184.61 - mailcious 188.94.254.88 - mailcious 39.99.233.155 - mailcious 70.39.251.249 - mailcious 69.163.239.62 46.19.218.80 - mailcious 185.230.63.107 - phishing 54.194.190.151 104.21.79.244 - mailcious 49.212.232.113 - mailcious 96.127.180.42 - mailcious 104.196.26.65 - mailcious 87.230.93.218 185.253.212.22 - mailcious 104.21.55.224 - mailcious 212.44.102.57 - mailcious 172.67.196.25 208.80.123.104 85.128.196.22 - mailcious 104.26.7.221 13.113.237.140 49.12.155.123 
195.5.116.23 - mailcious 208.109.214.162 51.79.51.72 - mailcious 23.239.201.14 103.112.69.92 217.160.0.131 - mailcious 69.46.30.77 - mailcious 3.65.101.129 - mailcious 62.75.216.137 104.21.76.140 3.19.116.195 - mailcious 46.30.60.158 - mailcious 217.79.248.38 - mailcious 172.67.72.98 49.212.235.175 - mailcious 75.2.95.235 199.34.228.78 - mailcious 59.106.13.169 - mailcious 62.122.170.171 172.67.33.252 93.188.2.51 - malware 172.67.167.96 172.67.152.159 - mailcious 96.91.204.114 - mailcious 62.75.251.116 135.125.108.170 - mailcious 172.67.189.68 - mailcious 76.223.54.146 192.124.249.13 - mailcious 91.201.52.102 192.124.249.10 - mailcious 185.174.174.220 - phishing 206.191.152.37 157.7.107.38 - mailcious 59.106.13.181 - mailcious 3.94.41.167 - mailcious 147.154.0.23 - mailcious 46.8.8.200 52.200.51.73 - mailcious 34.98.99.30 - phishing
|
7
ET MALWARE Backdoor.Win32.Pushdo.s Checkin ET INFO Observed DNS Query to .biz TLD ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst ET INFO HTTP Request to a *.tw domain
|
|
16.2 |
M |
30 |
ZeroCERT
11734 | 2023-07-05 17:42 |
tonyspecialzx.doc 524a7c0b9bd2e45a5d6c0c400067eaf3 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
1
http://87.121.221.212/tonyspecialzx.exe
|
2
208.67.107.123 - 87.121.221.212 -
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 40
|
|
4.4 |
|
29 |
ZeroCERT
11735 | 2023-07-05 17:42 |
Qjhihl.exe f5a0c42c6c223c05be08f3552ecf723e Hide_EXE UPX .NET framework(MSIL) Anti_VM AntiDebug AntiVM OS Processor Check PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows DNS Cryptographic key |
|
53
kewlmail.com(63.251.106.25) - webband.com() - 165.160.13.20 - 104.218.10.254 - 76.74.184.61 - 192.241.158.94 - 5.181.161.11 - 3.64.163.50 - 154.213.117.166 - 185.230.63.107 - 86.105.245.69 - 159.89.244.183 - 77.68.50.105 - 102.134.49.77 - 104.196.26.65 - 76.223.54.146 - 13.56.33.8 - 154.210.36.66 - 49.12.155.123 - 153.120.34.73 - 49.212.232.113 - 207.180.198.201 - 85.128.196.22 - 217.160.0.179 - 23.239.201.14 - 192.99.226.184 - 211.1.226.67 - 178.249.70.75 - 74.208.215.145 - 217.160.0.131 - 46.30.60.158 - 208.100.26.245 - 3.212.23.181 - 199.34.228.78 - 62.75.216.137 - 46.242.238.60 - 192.124.249.3 - 217.79.248.38 - 205.149.134.32 - 75.2.18.233 - 93.188.2.51 - 93.187.206.66 - 153.122.24.177 - 135.125.108.170 - 65.52.128.33 - 198.49.23.144 - 3.33.152.147 - 192.124.249.13 - 35.214.171.193 - 91.201.52.102 - 212.44.102.57 - 62.75.216.107 - 147.154.0.23 -
|
|
|
11.0 |
|
43 |
ZeroCERT
11736 | 2023-07-05 17:40 |
mazx.doc eda69f7aa485bc2603035654f6483a50 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://87.121.221.212/mazx.exe http://www.redetextbox.com/mf6w/?tZU4=pjWpl36LZOtia767yTTCK0333COCQNS6rlD33l8BLXiiM/aMzDv/apiATWG2HVwrC0KxOq7r&Ulq8E=GTgP1na8nVYXkF
|
5
www.redetextbox.com(167.172.228.26) - www.padokhep.com() - 167.172.228.26 - 91.235.136.155 - 87.121.221.212 -
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE FormBook CnC Checkin (GET) ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
|
26 |
ZeroCERT
11737 | 2023-07-05 17:36 |
RFQ098654578.exe 246ba2f9ceb20a58fe5c16540ba7ad2b NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Malware download Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows DNS keylogger |
1
http://geoplugin.net/json.gp
|
3
geoplugin.net(178.237.33.50) - 178.237.33.50 - 208.67.107.123 -
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 40 ET MALWARE Remcos 3.x Unencrypted Checkin ET MALWARE Remcos 3.x Unencrypted Server Response
|
|
6.4 |
|
49 |
ZeroCERT
11738 | 2023-07-05 17:34 |
trapline-drivers.exe 2fe56b5f4728f2fd8839ac9d937c097d Generic Malware Antivirus PE File PE64 PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process Windows ComputerName Cryptographic key |
1
https://upload.nugeta.net/uploads/386vt2rj873tzuiw.bat
|
2
upload.nugeta.net(172.67.183.35) - 172.67.183.35 -
|
|
|
6.2 |
|
47 |
ZeroCERT
11739 | 2023-07-05 17:34 |
setop.exe 7104f635a41839bac7835703f06f744e Downloader Malicious Library Create Service Socket DGA Steal credential Escalate priviledges Code injection HTTP PWS Sniff Audio DNS ScreenShot Http API Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Lobshot AutoRuns MachineGuid Code Injection Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows Browser ComputerName DNS |
|
1
|
1
ET MALWARE Suspected Win32/HMR RAT/LOBSHOT Initial Handshake
|
|
7.2 |
|
33 |
ZeroCERT
11740 | 2023-07-05 17:34 |
OYH.exe 5e20a6acf6cfec604e8f1fa9421385bc PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
4
mail.udpl.top(185.174.174.220) - api.ipify.org(173.231.16.76) - 185.174.174.220 - 104.237.62.211 -
|
5
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile SURICATA Applayer Detect protocol only one direction ET MALWARE AgentTesla Exfil Via SMTP
|
|
13.6 |
|
27 |
ZeroCERT
11741 | 2023-07-05 17:34 |
owenzx.exe 2fea32b618ef47c56804ca6cff00f01d Formbook PWS AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
http://www.xrtrump.com/ge83/?lhr0k=RsNUPwAO2TiU0GJGzJ/y8Ps7GcAlTmqePcUTt21A+tZOBeFu31OAHszpaf+FVOusF523Z9IY&1bm=3fedQNGPaRzlHp http://www.olliex.com/ge83/?lhr0k=bJEK5Jm7WtjeGb58dlxSpip3Qi8DTbeKN4BEwykpD1a0K75BQ+Ulqj9ctO7dFfZ/D7qGoN33&1bm=3fedQNGPaRzlHp
|
5
www.olliex.com(45.14.226.43) - www.anchordp.com() - www.xrtrump.com(3.64.163.50) - 3.64.163.50 - 45.14.226.43 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
|
32 |
ZeroCERT
11742 | 2023-07-05 17:31 |
dukaszx.exe 07a900b9ecc4bd5bd4137137961769a2 LokiBot Generic Malware .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
1
|
|
|
16.4 |
|
45 |
ZeroCERT
11743 | 2023-07-05 17:30 |
tonyspecialzx.exe b4df3d7f0826501829e1a03991e1fe81 Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
13.2 |
|
29 |
ZeroCERT
11744 | 2023-07-05 17:28 |
mazx.exe 1a37304d7ec2fd94deae95562ce9cc77 Formbook PWS AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.tearsofthekingdomrecipes.com/mf6w/?GzuX=ZkIy8VjsTo0Wu5r/ollZ0eiz022tJID8+To2ewbgCHNJqJffAtI048vNn11iTczpE1mriWij&AnB=O0DXNTu0N0 - rule_id: 34881 http://www.tearsofthekingdomrecipes.com/mf6w/?GzuX=ZkIy8VjsTo0Wu5r/ollZ0eiz022tJID8+To2ewbgCHNJqJffAtI048vNn11iTczpE1mriWij&AnB=O0DXNTu0N0 http://www.bearshelpingbabies.com/mf6w/?GzuX=tw67StR8tvpAYJUj/oeVxgype9TFaR8/lqGnIRk4OfgxhtEvf7ewI0wrCh/Wdq/IEqyUVKel&AnB=O0DXNTu0N0
|
5
www.tearsofthekingdomrecipes.com(217.70.184.50) - www.bearshelpingbabies.com(172.67.167.21) - www.padokhep.com() - 217.70.184.50 - 172.67.167.21 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.tearsofthekingdomrecipes.com/mf6w/
|
8.4 |
|
31 |
ZeroCERT
11745 | 2023-07-05 17:27 |
haitianzx.exe b7933e126bd2fadfae8d36319c9e9e26 UltraVNC UPX Malicious Library SMTP KeyLogger AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
mail.bretoffice.com(185.174.174.220) - 121.254.136.27 - 185.174.174.220 -
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
|
|
ZeroCERT