11761 |
2023-07-05 07:46
|
nellyzx.exe ba9d8785d107282c333d8dd8a80de1fa Formbook AgentTesla PWS AntiDebug AntiVM PE File .NET EXE PE32 FormBook Malware download Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
4
http://www.fanatics-international.com/btrd/?wh=Qks0PjRxOVp3YjLqM6UzXaXWzvTwLkvk8ayReQSORSiEbEol+Sszu0U7+SUPM2K7jvwZrDVw&Tj=CpFH - rule_id: 34172 http://www.fanatics-international.com/btrd/?wh=Qks0PjRxOVp3YjLqM6UzXaXWzvTwLkvk8ayReQSORSiEbEol+Sszu0U7+SUPM2K7jvwZrDVw&Tj=CpFH http://www.hardscapesofflorida.com/btrd/?wh=AmgPWBLkQfYgu+cImsHRMNogX0JnRzmL7Zrvmwd/vtKHrkREKDd630Yx4/ca2rifgVa1gRw7&Tj=CpFH - rule_id: 34171 http://www.hardscapesofflorida.com/btrd/?wh=AmgPWBLkQfYgu+cImsHRMNogX0JnRzmL7Zrvmwd/vtKHrkREKDd630Yx4/ca2rifgVa1gRw7&Tj=CpFH
|
5
www.hardscapesofflorida.com(34.102.136.180) - www.fanatics-international.com(3.64.163.50) - www.202402.xyz() - 3.64.163.50 - 34.102.136.180 -
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.fanatics-international.com/btrd/ http://www.hardscapesofflorida.com/btrd/
|
7.4 |
11762 |
2023-07-05 07:45
|
bbgbbbgbbbgbgbbgbgbgbbggb%23%2... c915d2fefa022d2192b9a31d7d60e392 MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://23.95.122.102/221/RegEdit.exe
|
3
api.ipify.org(173.231.16.76) - 173.231.16.76 - 23.95.122.102 -
|
7
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
4.0 |
|
ZeroCERT
11763 |
2023-07-05 07:43
|
wealthzx.doc 62b760433ef4ba2fc244274cb5e45d46 MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
1
http://87.121.221.212/wealthzx.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
3.6 |
|
ZeroCERT
11764 |
2023-07-05 07:39
|
inteldrv.exe 5ade6e0edac7caf4c1913d717009f954 Gen1 UPX Malicious Library OS Processor Check PE File PE64 DLL ZIP Format Check memory Creates executable files |
|
0.8 |
|
ZeroCERT
11765 |
2023-07-05 07:37
|
wealthzx.exe 844a7515a88d095b9cbaea9345ca55b0 Formbook AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
10.0 |
|
ZeroCERT
11766 |
2023-07-05 07:37
|
gvailantzx.exe 00550de2665e6d7cb87ebea46b8b6cbf Formbook AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(64.185.227.156) - shark.ipchina163.com(111.90.144.60) - 111.90.144.60 - 104.237.62.211 -
|
3
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
|
11.4 |
|
ZeroCERT
11767 |
2023-07-05 07:36
|
FACTURA XML y PDF.29941.pdf 364810b2f1137e03bb976a512902e954 unpack itself Windows utilities Windows |
|
1.4 |
|
guest
11768 |
2023-07-05 07:36
|
zillow.exe 7f3c39a1bc7cb595a6e65ab7485cb01e UPX .NET framework(MSIL) PE File .NET EXE PE32 Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key crashed |
1
http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Mxfvmrvjoki.vdf
|
1
|
3
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII ET MALWARE PE EXE or DLL Windows file download Text M2 ET HUNTING [TW] Likely Hex Executable String
|
6.0 |
|
ZeroCERT
11769 |
2023-07-05 07:36
|
millianozx.doc 564bde462391879098bfb71072ae2398 MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://87.121.221.212/millianozx.exe
|
3
smtp.quartziax.com(208.91.199.224) - 208.91.199.224 - 87.121.221.212 -
|
6
SURICATA Applayer Detect protocol only one direction ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
4.2 |
|
ZeroCERT
11770 |
2023-07-05 07:35
|
obizx.exe c1095a10913a5b0bf7952a253fc80d59 Formbook AgentTesla Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
3
api.ipify.org(104.237.62.211) - 111.90.144.60 - 64.185.227.156 -
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
12.8 |
|
ZeroCERT
11771 |
2023-07-05 07:35
|
2.exe b4201f7cb7c1c06c4f728c8d92987285 RedLine stealer UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172) - 149.100.138.146 - 172.67.75.172 -
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response
|
11.8 |
|
ZeroCERT
11772 |
2023-07-05 07:33
|
RegEdit.exe 5bd88ba0dc7f4c9f08af071f1d8a8214 AgentTesla Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76) - 104.237.62.211 -
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
13.2 |
|
ZeroCERT
11773 |
2023-07-05 07:33
|
millianozx.exe a5daa62256c1b3d7ddbc6c45ac5b52e1 Formbook AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
smtp.quartziax.com(208.91.199.223) - 208.91.199.224 -
|
1
SURICATA Applayer Detect protocol only one direction
|
10.4 |
|
ZeroCERT
11774 |
2023-07-05 04:49
|
3225ce04d0b89652ac6b1f59180eef... eb26c95e87039bab5984d6cd03cc3ff1 UPX Malicious Library OS Processor Check PE File PE32 PDB unpack itself |
|
0.6 |
|
guest
11775 |
2023-07-04 19:22
|
visalostpassp.doc d0807bfc6b65ec81e4c2cb6bc91d026c VBA_macro MSOffice File VirusTotal Malware unpack itself |
|
2
config.messenger.msn.com(64.4.26.155) 64.4.26.155
|
4.2 |
|
41 |
ZeroCERT