11851 | 2023-06-30 17:52 | TJeAjWEEeH.exe d65f5542509366672c1224cc31adfbf0 | Generic Malware Malicious Packer Antivirus PE64 PE File VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key | 5.6 | M | 46 | ZeroCERT
11852 | 2023-06-30 17:50 | 1500381323.exe 9ddd093cef3f15d6fd8d5d0ec9e0e014 | PE File PE32 Browser Info Stealer VirusTotal Malware Check memory Creates executable files suspicious process WriteConsoleW Browser DNS | 4.2 | M | 46 | ZeroCERT
  URLs (1): http://65.21.213.208:3000/ - rule_id: 26337
  Hosts (1): 65.21.213.208 - mailcious
  Flagged URLs (1): http://65.21.213.208:3000/
11853 | 2023-06-30 17:50 | build.exe 2bc310d6ebdae84ce4f495336e996ca7 | Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself | 2.2 | M | 51 | ZeroCERT
11854 | 2023-06-30 17:48 | f429fjd4uf84u.exe aaead1169523638d40ca4d884e3d787a | UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware | 2.0 | M | 54 | ZeroCERT
11855 | 2023-06-30 17:48 | fortnite3.exe ed0a563d3d57d03356187c1a2fbcce3f | UPX Malicious Library ASPack OS Processor Check PE File PE32 Malware download VirusTotal Malware PDB DNS | 1.4 | M | 55 | ZeroCERT
  Hosts (1): dba692117be7b6d3480fe5220fdd58b38bf.xyz() - mailcious
  Alerts (1): ET MALWARE AllcomeClipper CnC Domain (dba692117be7b6d3480fe5220fdd58b38bf .xyz) in DNS Lookup
11856 | 2023-06-30 17:46 | knm.exe b0011be8c7cd1c9865e1f1ed406197d4 | PE64 PE File VirusTotal Malware PDB MachineGuid Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key crashed | 3.8 | M | 30 | ZeroCERT
  URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
  Hosts (3): kyliansuperm92139124.sbs(104.21.17.88); 23.67.53.19; 104.21.17.88
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11857 | 2023-06-30 17:45 | fortnite2.exe 1eb611dcb30106eec15555718e953cff | Malicious Library Antivirus MZP Format PE File PE32 VirusTotal Malware unpack itself | 2.2 | M | 41 | ZeroCERT
11858 | 2023-06-30 17:43 | Server.exe 56f10385f411be078b84b42560ddea61 | njRAT backdoor Generic Malware .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW DNS DDNS | 4.6 | | 62 | ZeroCERT
  Hosts (2): windwosupdata.ddns.net(178.80.111.72); 178.80.111.72
  Alerts (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
11859 | 2023-06-30 17:43 | LylaSetUp0628.exe 87440297f51a44bae4caffaaa42c866d | .NET EXE PE File PE32 VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself Remote Code Execution | 3.6 | M | 29 | ZeroCERT
11860 | 2023-06-30 17:41 | iccu.exe 7c52031c4ed1a6922317bf2c668a3308 | NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed | 8.8 | M | 33 | ZeroCERT
  URLs (1): (not listed)
  Hosts (2): api.ipify.org(104.237.62.211); 173.231.16.76
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11861 | 2023-06-30 17:41 | services.exe b19945ffc8f7a693e79c1677aa827750 | Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger unpack itself Windows | 3.0 | M | 22 | ZeroCERT
11862 | 2023-06-30 14:09 | dollzx.doc 5452ebd4ac62c603d22998055e7534ac | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash IP Check Tofsee Windows Gmail Exploit DNS crashed | 5.0 | M | 37 | ZeroCERT
  URLs (2): http://79.110.49.21/dollzx.exe - rule_id: 34720; https://api.ipify.org/
  Hosts (5): api.ipify.org(104.237.62.211); smtp.gmail.com(142.250.157.108); 79.110.49.21 - malware; 64.185.227.155; 142.250.157.109
  Alerts (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Detect protocol only one direction; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Flagged URLs (1): http://79.110.49.21/dollzx.exe
11863 | 2023-06-30 13:35 | 1.bat a6d60304c3c87b7ca21aa38c1ed9fb83 | LokiBot Gen1 Generic Malware Downloader task schedule UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Create Service Socket DGA Steal credential Escalate priviledges Code injection HTTP PWS Sniff Audio DNS ScreenShot Htt Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS NetSupport | 9.6 | | | ZeroCERT
  URLs (6): http://geo.netsupportsoftware.com/location/loca.asp; http://94.158.244.118:1203/; http://94.158.244.118/fakeurl.htm; https://kororo.com/tu5466s/tempy.7z; https://kororo.com/tu5466s/7zz.exe; https://kororo.com/tu5466s/2.bat
  Hosts (5): geo.netsupportsoftware.com(62.172.138.67); kororo.com(188.127.225.231) - mailcious; 188.127.225.231 - mailcious; 62.172.138.67; 94.158.244.118
  Alerts (3): ET POLICY NetSupport GeoLocation Lookup Request; ET INFO NetSupport Remote Admin Checkin; ET INFO NetSupport Remote Admin Response
11864 | 2023-06-30 11:36 | Chrome_update.js 93635d186fe35af3395de954feb2f258 | VBScript wscript.exe payload download Tofsee crashed Dropper | 10.0 | | | ZeroCERT
  URLs (1): https://kororo.com/tu5466s/1.bat?587789
  Hosts (2): kororo.com(188.127.225.231); 188.127.225.231
  Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
11865 | 2023-06-30 09:46 | 2111.exe 175ac1e037521a1d29bffe5abe0d9d92 | Raccoon Stealer Gen1 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker MachineGuid Malicious Traffic Check memory Creates executable files Collect installed applications AppData folder installed browsers check Stealer Windows Browser DNS | 6.0 | M | 39 | ZeroCERT
  URLs (9): http://89.208.107.176/1eaae3b81d638c46a80f7e2ea4ea952c; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll; http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll; http://89.208.107.176/
  Hosts (1): (not listed)
  Alerts (11): ET MALWARE Win32/RecordBreaker CnC Checkin M1; ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET HUNTING Possible Generic Stealer Sending System Information