11911 |
2023-06-28 07:56
|
Nano.exe 01beaefb0f56383b0c2906619fc03f19 Confuser .NET DNS AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS |
|
3
ezemnia3.ddns.net(197.210.84.48) - mailcious 91.193.75.178 - mailcious 197.210.84.48
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
13.6 |
M |
52 |
ZeroCERT
11912 |
2023-06-28 07:54
|
R.exe 5ba4bab377c6656e50a48cd48bd84c59 Formbook Confuser .NET AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS |
10
http://www.g2g2sport.xyz/p9ao/?Uxk=XT67LxJVileSUZubvPnUPegaTgZ/6jQtKal3VjDKoEwa5II03LuvqSNChaRu2iUoBEt/Y1rs6QWzksNnW/YxdPu4ukuWTQMQOAWrwp4=&5Vxux=S3XwcJd1aE_ - rule_id: 33955 http://www.solarwachstum.com/p9ao/?Uxk=CRBGmlvLKSdWYJTLFdYUqNcl5XacT7p2l/bsj7rBz10wHnkWrMrpIEuQZVcc3zXzkIzXuCRWtiUMrr5dZy1sHRpRgJUYDyiz+Rr4X1g=&5Vxux=S3XwcJd1aE_ - rule_id: 33952 http://www.suzheng22.top/p9ao/ - rule_id: 33954 http://www.windmarkdijital.xyz/p9ao/ - rule_id: 33956 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip http://www.bluhenhalfte.xyz/p9ao/?Uxk=vRFPeW+a5eWj78d95ZChSzUnWBErJOu6BL+rqrQuXzoLgBIyf+8wG4E0yzEkSL259muf+heCu3SYFxv43Rue+P6JisHwLR8+s0aKyro=&5Vxux=S3XwcJd1aE_ - rule_id: 33953 http://www.solarwachstum.com/p9ao/ - rule_id: 33952 http://www.g2g2sport.xyz/p9ao/ - rule_id: 33955 http://www.suzheng22.top/p9ao/?Uxk=UF1gbyBA2KpG8m0Rm9ehbXR0zJmaFb1dyUpi9VFZIpYgOTVtiTl0F+cTQPY8C/xJkCHyK8gaxezu3hN4hseR4mpCn7WT9y60MQraZ8Q=&5Vxux=S3XwcJd1aE_ - rule_id: 33954 http://www.bluhenhalfte.xyz/p9ao/ - rule_id: 33953
|
11
www.bluhenhalfte.xyz(109.123.121.243) - mailcious www.suzheng22.top(172.67.162.131) - mailcious www.solarwachstum.com(89.31.143.1) - mailcious www.g2g2sport.xyz(198.54.117.210) - mailcious www.windmarkdijital.xyz(85.159.66.93) - mailcious 109.123.121.243 - mailcious 85.159.66.93 - mailcious 89.31.143.1 - mailcious 198.54.117.211 - phishing 172.67.162.131 - mailcious 45.33.6.223
|
6
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Request to .XYZ Domain with Minimal Headers
|
9
http://www.g2g2sport.xyz/p9ao/ http://www.solarwachstum.com/p9ao/ http://www.suzheng22.top/p9ao/ http://www.windmarkdijital.xyz/p9ao/ http://www.bluhenhalfte.xyz/p9ao/ http://www.solarwachstum.com/p9ao/ http://www.g2g2sport.xyz/p9ao/ http://www.suzheng22.top/p9ao/ http://www.bluhenhalfte.xyz/p9ao/
|
9.2 |
M |
52 |
ZeroCERT
11913 |
2023-06-28 07:51
|
grace.exe ef4980e4520551d402c1723432a424ea Generic Malware Confuser .NET DNS AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS |
|
3
yesican.ddns.net(103.212.81.152) 103.212.81.152 84.200.69.80 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
12.8 |
M |
53 |
ZeroCERT
11914 |
2023-06-28 07:49
|
mo.exe 8ef917494a0e51cc61e491173b16150d UltraVNC UPX Malicious Library DNS AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Windows ComputerName DNS Cryptographic key DDNS crashed |
|
4
futurist40.duckdns.org(103.212.81.152) 37.235.1.177 - mailcious 37.235.1.174 - mailcious 103.212.81.152
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
14.8 |
M |
54 |
ZeroCERT
11915 |
2023-06-28 07:48
|
btt.exe e052e7de9592d69a07411a1d2bb182b6 UltraVNC UPX Malicious Library DNS AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS Cryptographic key DDNS crashed |
|
4
atelilian99.ddns.net(197.210.55.66) 37.235.1.177 - mailcious 37.235.1.174 - mailcious 197.210.55.66
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
12.6 |
M |
55 |
ZeroCERT
11916 |
2023-06-28 07:47
|
SY.exe e7a2ab8911263403853a67fce20941e7 .NET EXE PE32 PE File VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
6.2 |
M |
54 |
ZeroCERT
11917 |
2023-06-28 07:45
|
next.exe 253e1a1c0adc27865a30a66de4b55b45 Generic Malware Confuser .NET DNS AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS |
|
4
jmtjmt.ddns.net(184.75.221.59) 37.235.1.177 - mailcious 37.235.1.174 - mailcious 184.75.221.59 - mailcious
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
12.2 |
M |
49 |
ZeroCERT
11918 |
2023-06-28 07:45
|
vik.exe 5f859ce795a09f858adc51815cc0faf8 Generic Malware task schedule Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM .NET EXE PE32 PE File Malware download AsyncRAT NetWireRC VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
|
2
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
13.2 |
M |
45 |
ZeroCERT
11919 |
2023-06-28 07:40
|
Dollar.exe 75c279006f649b36303f4167f5617c53 Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Downloader Google Chrome User Data Confuser .NET Create Service Socket Escalate priviledges PWS Sniff Audio DNS ScreenShot Internet API KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer Remcos VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser DNS keylogger |
|
1
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
9.2 |
M |
52 |
ZeroCERT
11920 |
2023-06-28 07:37
|
AR.exe 1ba7ea81ce6384aa8ce61f8295c5822a Confuser .NET PWS SMTP KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(193.122.6.168) 193.122.6.168
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
12.4 |
M |
53 |
ZeroCERT
11921 |
2023-06-28 07:36
|
Adobe.ClientSetup.exe d70cc583716119d01c718d49c5bd6af9 njRAT backdoor Generic Malware UPX Malicious Library Antivirus OS Name Check OS Processor Check CAB PE32 MSOffice File PE File DLL VirusTotal Malware PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName Remote Code Execution Cryptographic key crashed |
|
2
instance-nlf9kz-relay.screenconnect.com(147.28.146.16) 147.28.146.16
|
|
|
5.0 |
|
15 |
ZeroCERT
11922 |
2023-06-28 07:35
|
HH.exe 859f5ba01acb6e8183db471ce9dd1ba9 Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Downloader Google Chrome User Data Confuser .NET Create Service Socket Escalate priviledges PWS Sniff Audio DNS ScreenShot Internet API KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS DDNS |
|
2
pekonomiana.duckdns.org(134.19.179.211) - mailcious 134.19.179.211 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
9.0 |
M |
51 |
ZeroCERT
11923 |
2023-06-28 07:34
|
D.exe 62768c1c66df7acd5ce554069ea6a205 Formbook Confuser .NET AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS |
19
http://www.0096061.com/6huu/ - rule_id: 33949 http://www.0096061.com/6huu/?ft51=cmX/07TqI3ZVBqSk8R867+hdp8bVOoL06AzKIpvdRFeyAj6hvaaJUHhkQ/toAIcVWWdRQEgjpGpGrDxsMG4sQneWN+dP3qrEhepv/3Q=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33949 http://www.14zhibo.work/6huu/ - rule_id: 33945 http://www.lancele.com/6huu/?ft51=lkPChsOgbmG6IllhHTLtf7ULj1acQ37do+96zoOFU1wEZ7Q3pDLdySJi8tX/LksgKKJ2zleSV8oD4OY5SI7MA2q2BuCSDDIq7z8yKSo=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33947 http://www.kp69f.top/6huu/ - rule_id: 33944 http://www.lancele.com/6huu/ - rule_id: 33947 http://www.tarolstroy.store/6huu/ - rule_id: 33946 http://www.terrenoscampestres.com/6huu/?ft51=vPEZFS80w83TR1ISai5AEG4cZjK/Z0sPVYJxvP0qkrafDKWjEP7E989Tf/65iA6Wv6B2G+FeAz/F94bTMl2+G2T5U6uSTMLdr8gHGso=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33950 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip http://www.14zhibo.work/6huu/?ft51=DY82kxx300f8Ik70WvLdREOGU4sx5WmLPZ3/q1TGOtAA9/Gzsd9nceuxwkKKmb1RPsemirf5O/kWho3f6FGpO5KONInBcJ6F+ssJurA=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33945 http://www.solarwachstum.com/6huu/?ft51=w02mQAblJWbyIo6ozgnxrIUPRxqR4gn//aKR4b4C2qQSYqcw3Vi29oLFIvtOIeXnZF+XC4+RsLS3HuGm7zRt9dlAuIsc4gbzWXQ9ldM=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33943 http://www.ticimmo.com/6huu/ - rule_id: 33951 http://www.terrenoscampestres.com/6huu/ - rule_id: 33950 http://www.tarolstroy.store/6huu/?ft51=En7LCrBqRDvhnDHpczrHWaIedYbeAgZr6OxVyCrdWihd6XEAizhpO0j/kkT3E0Ail4lmu+00ROJTwCbrXgrUq/0FdQ7yD2DHgTmcEH4=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33946 http://www.ticimmo.com/6huu/?ft51=TigSyFlwP0RNpBbhC/rdMwC8b/Qg/Ivp2etxz330Y/wAN2mEJT4yMf4cHTRgrqo8FsDkyKZ/RDxnb9SkkKZ8CLMuGFsv81COs/EjZGo=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33951 http://www.kp69f.top/6huu/?ft51=c/0CEmjcp1qhbjrBdr7qFpTEdTMNmdGL+2G3nk26J8C5sXkvdYxGabdoDx2ERzE1q79WMkYCDIvd6DDSGqF5RzVKrD1kqEcaGqxbLU4=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33944 http://www.qfx88.com/6huu/ - rule_id: 33948 
http://www.qfx88.com/6huu/?ft51=ai4Hj7VNL/eal8v50vngd1esaVL80O28AVhmObBuZqCvkNevFGLtvLG4llGxYwRMqic01nY12J0ERo7jbuO1GzAlXIwPB2kWrkts/2A=&cha_c=Zc4Fjd7OCfzyoFR - rule_id: 33948 http://www.solarwachstum.com/6huu/ - rule_id: 33943
|
19
www.tarolstroy.store(91.106.207.17) - mailcious www.kp69f.top(34.149.198.43) - mailcious www.14zhibo.work(43.154.196.178) - mailcious www.solarwachstum.com(89.31.143.1) - mailcious www.ticimmo.com(217.26.48.101) - mailcious www.qfx88.com(120.48.139.92) - mailcious www.terrenoscampestres.com(109.106.251.102) - mailcious www.lancele.com(38.239.160.233) - mailcious www.0096061.com(154.55.172.139) - mailcious 43.154.196.178 - mailcious 38.239.160.233 - mailcious 154.55.172.139 - mailcious 109.106.251.102 - mailcious 120.48.139.92 - mailcious 34.149.198.43 - mailcious 89.31.143.1 - mailcious 217.26.48.101 - mailcious 45.33.6.223 91.106.207.17 - malware
|
6
ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (POST) M2 ET DNS Query to a *.top domain - Likely Hostile ET INFO Observed DNS Query to .work TLD ET INFO HTTP Request to Suspicious *.work Domain ET HUNTING Request to .TOP Domain with Minimal Headers
|
18
http://www.0096061.com/6huu/ http://www.0096061.com/6huu/ http://www.14zhibo.work/6huu/ http://www.lancele.com/6huu/ http://www.kp69f.top/6huu/ http://www.lancele.com/6huu/ http://www.tarolstroy.store/6huu/ http://www.terrenoscampestres.com/6huu/ http://www.14zhibo.work/6huu/ http://www.solarwachstum.com/6huu/ http://www.ticimmo.com/6huu/ http://www.terrenoscampestres.com/6huu/ http://www.tarolstroy.store/6huu/ http://www.ticimmo.com/6huu/ http://www.kp69f.top/6huu/ http://www.qfx88.com/6huu/ http://www.qfx88.com/6huu/ http://www.solarwachstum.com/6huu/
|
9.0 |
M |
49 |
ZeroCERT
11924 |
2023-06-28 07:33
|
ARR.exe 295830947cfc8aa0980ddb245c526843 Confuser .NET PWS SMTP KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(193.122.130.0) 132.226.8.169
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
12.4 |
M |
52 |
ZeroCERT
11925 |
2023-06-28 07:31
|
H2.exe 2b262120999e89d0fae7cacf763301a6 Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Downloader Google Chrome User Data Confuser .NET Create Service Socket Escalate priviledges PWS Sniff Audio DNS ScreenShot Internet API KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself WriteConsoleW Windows |
|
|
|
|
8.2 |
M |
48 |
ZeroCERT