12106 | 2023-06-20 09:36
sn.exe 1a3c1fc575e887613a939ac922be008e Generic Malware UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed
2.2 | M | 49 | ZeroCERT

12107 | 2023-06-20 09:29
wp-admin.php 0ed12af50c4a344bc3f1466048f58c39 Check memory
0.2 | | | guest

12108 | 2023-06-20 09:19
Amadey_SC.bat 555b0d888a0bafb00f76527b6c264962 PWS Downloader Create Service DGA Socket DNS Steal credential Code injection HTTP Sniff Audio Http API Internet API ScreenShot Escalate priviledges P2P FTP KeyLogger AntiDebug AntiVM suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
4.0 | | | ZeroCERT

12109 | 2023-06-20 09:19
bqn1kx9furd80.exe f8f90dde30c804bc48218e20ccec81bc RedLine stealer UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1 |
1 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init
10.4 | | 24 | ZeroCERT

12110 | 2023-06-20 07:47
SOF.exe b559e2f8aa0df6e07429859121702a4c PWS .NET framework(MSIL) Admin Tool (Sysinternals etc ...) KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
1 |
2 | api.ipify.org(64.185.227.155) 173.231.16.76
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | M | 31 | ZeroCERT

12111 | 2023-06-20 07:44
setup.exe 9a97e9f36c856d7660f1dedd940a7527 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
2.4 | M | 40 | ZeroCERT

12112 | 2023-06-20 07:44
Bin (2).exe b17445243117804a2a0b91906c6e0094 PWS .NET framework(MSIL) Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
1 |
4 | api.ipify.org(104.237.62.211) mail.cutecycles.com(103.212.121.151) 103.212.121.151 64.185.227.155
2 | SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.0 | M | 31 | ZeroCERT

12113 | 2023-06-20 07:44
unsecapp.exe d295211b783d0ef3be258ab3c84eaf74 Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder suspicious TLD Windows DNS
16 |
http://www.gnhxxiazai03.com/ogeb/ - rule_id: 33861 http://www.nicejunq.com/ogeb/ - rule_id: 33864 http://www.poshkits.info/ogeb/?zS=AqRXXMRheGbbuzNJ7gUd3ELHirevyxJNjMj6aH1i+QGnsBV8j36ZsXkdOVofclXLXJuwnJ0etyY1DKNGveWcGaTGb3YRrubSnMygGeg=&lQHIIB=UDOd2iazjyW - rule_id: 33866 http://www.poshkits.info/ogeb/ - rule_id: 33866 http://www.drstephaniebest.com/ogeb/ - rule_id: 33863 http://www.ketocanadmqy.cloud/ogeb/?zS=JCW7LwLHnn7ptjGjE5oXohZmdFlQQ26ARwAmaoNxO6ijvQN7ubUT60jiWusc3p3YeBdlnORuW+NtBTBOf6MBl7CRUR/NRW0MRl+FZL4=&lQHIIB=UDOd2iazjyW - rule_id: 33860 http://www.ketocanadmqy.cloud/ogeb/ - rule_id: 33860 http://www.r1146.xyz/ogeb/?zS=hQC9FzST15eBXJ4J4T0DlrZN3V4nndOGJI8rCOq0KQaVihaPabvY2aUaE4N/PK/Cku54qUwIUhcWHwQfhhinhH5BJGjDnxoo3iDp4OU=&lQHIIB=UDOd2iazjyW - rule_id: 33862 http://www.fstrainingllc.com/ogeb/ http://www.drstephaniebest.com/ogeb/?zS=+v0OuBHGG6cw5ZwrQCjmtsYbU4xaGL5HoMfXaXw9oSi2F/e6KL+7wkfrHW9mkq7nBIGbSiwCyL8lMMQd9mW+kFWaqBx5WK5Isw5ml80=&lQHIIB=UDOd2iazjyW - rule_id: 33863 http://www.gnhxxiazai03.com/ogeb/?zS=wBih4ktWfPNsySsqn3uI1HmQOkxE78XnlLTDvxJFz8Ksfyo9cnxjh72KIWiVUUXAXHwdyJ5YpLQGYf4Z+A02Vjn9hAcAu81BvwPbwlI=&lQHIIB=UDOd2iazjyW - rule_id: 33861 http://www.r1146.xyz/ogeb/ - rule_id: 33862 http://www.nicejunq.com/ogeb/?zS=61GncP3LZGSS1NuGOhw0w9YAjVqrgaXoImnMpoqiHfpClz+VkHF1OaSSbCiQjyR+WlMAeIDV0LjpJ/XsdXKhboCqPvNVkna3o/MBoBk=&lQHIIB=UDOd2iazjyW - rule_id: 33864 http://www.fb99vn.com/ogeb/?zS=OXN+k+OlhXjl96bKh2NTgPCFs15ire34/TTevHac9SK8WXddN+80UbpDpODSd5z2qlIY7v82+nyluTO39li1mIxMKX8Jb/R8tbta/VI=&lQHIIB=UDOd2iazjyW - rule_id: 33865 http://www.fb99vn.com/ogeb/ - rule_id: 33865 http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
20 |
www.leshka-toshka.online() - mailcious www.gnhxxiazai03.com(20.255.200.185) - mailcious www.ketocanadmqy.cloud(195.161.62.100) - mailcious www.nicejunq.com(91.195.240.123) - mailcious www.drstephaniebest.com(198.185.159.145) - mailcious www.pymhn.top() - mailcious www.r1146.xyz(104.21.44.192) - mailcious www.fb99vn.com(172.67.153.64) - mailcious www.poshkits.info(162.0.231.6) - mailcious www.fstrainingllc.com(154.39.174.239) 84.54.50.66 - mailcious 20.255.200.185 - mailcious 198.49.23.145 - mailcious 91.195.240.123 - mailcious 162.0.231.6 - mailcious 172.67.153.64 154.39.174.239 45.33.6.223 195.161.62.100 - mailcious 104.21.44.192
4 | ET MALWARE FormBook CnC Checkin (POST) M2 ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
14 |
http://www.gnhxxiazai03.com/ogeb/ http://www.nicejunq.com/ogeb/ http://www.poshkits.info/ogeb/ http://www.poshkits.info/ogeb/ http://www.drstephaniebest.com/ogeb/ http://www.ketocanadmqy.cloud/ogeb/ http://www.ketocanadmqy.cloud/ogeb/ http://www.r1146.xyz/ogeb/ http://www.drstephaniebest.com/ogeb/ http://www.gnhxxiazai03.com/ogeb/ http://www.r1146.xyz/ogeb/ http://www.nicejunq.com/ogeb/ http://www.fb99vn.com/ogeb/ http://www.fb99vn.com/ogeb/
6.4 | M | 37 | ZeroCERT

12114 | 2023-06-20 07:43
loki.exe 78c56c6fd7ed0ff5c69ec132d61e27b3 NSIS UPX Malicious Library PE File PE32 DLL GIF Format VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder Windows crashed
4.8 | M | 17 | ZeroCERT

12115 | 2023-06-20 07:40
juneowar2.1.exe ec77a84dddf6fef090dde4d2ab3a1007 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS keylogger
2 | ifedinma.duckdns.org(84.54.50.66) 84.54.50.66 - mailcious
4 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
5.2 | M | 39 | ZeroCERT

12116 | 2023-06-20 07:40
chu.exe fae26093299f08bf5f0e21ae0a9b4d1e PWS .NET framework(MSIL) Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed
2.4 | | 42 | ZeroCERT

12117 | 2023-06-20 07:38
liboshed2.1.exe 4e13394b41e8d0cf8b1721aabdbfd719 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
1 | http://www.cqmksw.com/sy18/?w2J=Zy+5j3JkY/5oFGK5gEpmELBKxN+VFSamS+lHIjSON5I8UbvG5ESo2ZHDPO/F7FQpS9xXmmGk&tFQt=YP4D1tE0
4 | www.ltnmgt.com() www.cqmksw.com(38.63.218.163) www.speakerbluetooth.com() 38.63.218.163
1 | ET MALWARE FormBook CnC Checkin (GET)
4.4 | | 37 | ZeroCERT

12118 | 2023-06-20 07:38
checkdt.exe 67d6a918fc89a950738fdc5a9e56123b UPX Malicious Library PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed
2.0 | M | 20 | ZeroCERT

12119 | 2023-06-20 07:36
EYG.exe 3d4b36f562038a18fc835188470973c7 NSIS Generic Malware UPX Malicious Library Antivirus PE File PE32 PowerShell JPEG Format VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed
8.2 | | 43 | ZeroCERT

12120 | 2023-06-20 07:36
Connector.exe e3712d22893f309738fd59d00ced152f UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Malicious Traffic buffers extracted unpack itself Ransomware Browser Remote Code Execution crashed
1 | http://gservice-node.io/c2conf
2 | gservice-node.io(104.26.8.139) 104.26.8.139
4.8 | M | 4 | ZeroCERT