| # | Time | Sample (name, MD5, tags) | URLs | Hosts | Alerts | Score | | | |
|---|---|---|---|---|---|---|---|---|---|
| 106 | 2025-04-02 10:09 | Albion.ps1 c498ec828bc8f082a5f43215db42a4b6 Generic Malware Antivirus VirusTotal Malware unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key | 2: http://213.209.150.191/documents/albion/file/ActivationKey-GLEO.FUN.txt ; http://213.209.150.191/documents/albion/file/Albion.zip | 1: 213.209.150.191 - mailcious | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 54 | 4.4 | M | 2 | ZeroCERT |
| 107 | 2025-04-02 10:08 | V8.ps1 35d5cb3cfaea0d5f5f062a1ef39ec519 Generic Malware Antivirus Check memory Creates executable files unpack itself WriteConsoleW Windows Cryptographic key crashed | | | | 3.2 | M | | ZeroCERT |
| 108 | 2025-04-02 10:07 | kozlina2.ps1 28c2058bb9e2e99158ef3d5ed0b6c1bd Generic Malware Antivirus ZIP Format VirusTotal Malware powershell Malicious Traffic buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key | 1: http://104.245.241.157/documents/files/zip/devops.pdf | 1: 104.245.241.157 - mailcious | 4: ET DROP Spamhaus DROP Listed Traffic Inbound group 17 ; ET INFO Dotted Quad Host ZIP Request ; ET HUNTING Terse Request for Zip File (GET) ; ET INFO Dotted Quad Host PDF Request | 6.6 | M | 2 | ZeroCERT |
| 109 | 2025-04-02 10:07 | newnew.url 53af7ebed1ba61fb8f303affcba618c7 Generic Malware Antivirus AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Tofsee Windows ComputerName Cloudflare DNS Cryptographic key | 4: http://hot-browser-luke-granted.trycloudflare.com/rename.lnk ; http://hot-browser-luke-granted.trycloudflare.com/desktop.ini ; http://hot-browser-luke-granted.trycloudflare.com/ ; https://hot-browser-luke-granted.trycloudflare.com/mine.exe | 2: hot-browser-luke-granted.trycloudflare.com(104.16.231.132) ; 104.16.230.132 - mailcious | 6: ET HUNTING TryCloudFlare Domain in TLS SNI ; ET INFO Observed trycloudflare .com Domain in TLS SNI ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) ; ET HUNTING Successful PROPFIND Response for Application Media Type ; ET INFO LNK File Downloaded via HTTP | 7.0 | M | 8 | ZeroCERT |
| 110 | 2025-04-02 10:05 | invoice.exe 57bcb61167abd03d9d98705ab39e79ab UPX PE File PE32 VirusTotal Malware Check memory unpack itself sandbox evasion DNS | | 1 (not listed) | | 3.0 | M | 26 | ZeroCERT |
| 111 | 2025-04-02 10:04 | r.msi 36458266f31dc9867c144bf20bd9ca05 CAB MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName | | | | 2.8 | M | 36 | ZeroCERT |
| 112 | 2025-04-02 10:02 | clip64.dll a3379448f4304fbc3d94ce7dd4f6b3d8 Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS | 1: http://185.81.68.156/jb87ejvjdsS/index.php | 1 (not listed) | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 30 | 3.6 | M | 54 | ZeroCERT |
| 113 | 2025-04-02 10:00 | raw_cbot.exe ac00294c21bca514a06403c4853fd4c9 PE File PE64 VirusTotal Malware DNS | | 2: cbot.galaxias.cc(176.65.142.252) ; 176.65.142.252 - malware | 1 (not listed) | 2.6 | M | 27 | ZeroCERT |
| 114 | 2025-04-02 10:00 | VC_redist.x64.exe 94d6494667a6ad5b91f26f46959086a6 Emotet Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows ComputerName DNS Cryptographic key | | 1 (not listed) | | 6.0 | | 41 | ZeroCERT |
| 115 | 2025-04-02 09:58 | raw_cbot_debug.exe db907401fe1676d0e67b655799c4dcd9 PE File PE64 VirusTotal Malware DNS | | 2: cbot.galaxias.cc(176.65.142.252) ; 176.65.142.252 - malware | 1 (not listed) | 2.6 | M | 29 | ZeroCERT |
| 116 | 2025-04-02 09:57 | cbot_debug.exe 55e5364c24cbe9979dbb77e2a6370a8d PE File PE64 VirusTotal Malware DNS | | 2: cbot.galaxias.cc(176.65.142.252) ; 176.65.142.252 - malware | 1 (not listed) | 2.4 | | 15 | ZeroCERT |
| 117 | 2025-04-02 09:55 | cbot.exe cbb0a9271f42274b0455094768ca416d PE File PE64 VirusTotal Malware suspicious TLD DNS | | 2: cbot.galaxias.cc(176.65.142.252) ; 176.65.142.252 - malware | 1 (not listed) | 3.0 | M | 26 | ZeroCERT |
| 118 | 2025-04-02 09:55 | terms-of-service.pdf.lnk 42f75d30a3b3bd136a542cb3b318a95d Generic Malware Antivirus Lnk Format GIF Format VirusTotal Malware Creates shortcut unpack itself WriteConsoleW | 1: http://104.245.241.157/documents/pwsh/kozlina2.ps1 | | | 1.8 | | 21 | ZeroCERT |
| 119 | 2025-04-02 09:48 | rename.lnk a2fe80a8537b1fd2c03d7fad654aae1d Generic Malware AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware Code Injection Creates shortcut Windows utilities suspicious process WriteConsoleW Windows | 1: https://shot-browser-luke-granted.trycloudflare.com/yes.bat | | | 3.0 | | 14 | ZeroCERT |
| 120 | 2025-04-02 09:48 | references.pdf.lnk 99e60187abde030675774de31cc6e8d6 Generic Malware Antivirus Lnk Format GIF Format VirusTotal Malware Creates shortcut unpack itself WriteConsoleW | 1: http://213.209.150.191/documents/pwsh/albion.ps1 | | | 1.6 | | 12 | ZeroCERT |