12601 | 2023-06-02 18:43
File: File_pass1234.7z
MD5: 63e2ad5f5f1466a924b0c77048dcc60a
Tags: Redline PWS[m] Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows DNS
URLs (17):
  http://77.91.68.62/DSC01491/fotocr06.exe - rule_id: 33774
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://85.208.136.10/api/firegate.php - rule_id: 32663
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
  http://77.91.68.62/DSC01491/foto148.exe - rule_id: 33773
  http://www.maxmind.com/geoip/v2.1/city/me
  http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
  http://85.208.136.10/api/tracemap.php - rule_id: 32662
  https://vk.com/doc800513317_661831941?hash=kC1U4OLCAYMUhVtMfoutYSzDrY3EsJWFVrzp6QPGPus&dl=7914u1IpemjZrAZ1e75d2G0XzBQ90WsmERXsgDjYTgL&api=1&no_preview=1
  https://vk.com/doc791620691_664833875?hash=u7gA1WPz7GZN7R6AsWfNRszp1EhXac8b6J8qQmORXow&dl=ZMktHzYCzZ9XDvxi97D73YkXsVJJPzzGWy3sWU7JhpD&api=1&no_preview=1
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-21.userapi.com/c240331/u800513317/docs/d20/68fdb46e6c52/PMp123a.bmp?extra=NpfI2Dmo18FSvnw9T36Up24KS6_b4xAj555TPlBXx7f1gghfzgQxuitnRimxvAErJEpvGtGIoG-YQq9vQBMSizlupZ5BBN9Y1OQO1yi9XJumXNbdQfkbjdQgwb0ahuj6CKQIfHe1nBetrUbQww
  https://vk.com/doc791620691_664710492?hash=j27Vxz0stfSxJXNlzmz602vSgZ0IXBoi9ZZq9syJVkT&dl=Sw3eQffdQH4eEi2robhrPmVXjMf9ExmZT9V02woFQ2k&api=1&no_preview=1#WW1
  https://sun6-23.userapi.com/c235031/u791620691/docs/d33/5cee3fee83b0/WWW1.bmp?extra=9MQFCK9sy0BlFTB0sDmDo892U3wcsqjQnbA_GeW4BLqu0c4KbVa9EBsGMmrM-FhmMiMKZ9rfwHYcXuZqLdVeGZ569kTZQFDf0i9x8EWY85Oc_HUbGDkUIAnfe6_Mfqlaw7ngI48-yWqJWkEN2Q
  https://sun6-21.userapi.com/c237331/u791620691/docs/d45/31ee3e720154/cloudcosmic.bmp?extra=7z5X_rDygaQP6H7Cl38-7ZanPu_gKgnhQsLZRY0P7SEoIOS9yMw8BKCKqA4tAV0SehxJBNY1gbAR9slw-KYeFhQRbmfIN0uHZPcqXd4VaKR2ssoYGNtLN1_pk3ei4N5cLYakfcK3tEPYrXTNqA
Hosts (32):
  db-ip.com(104.26.4.15)
  iplis.ru(148.251.234.93) - malicious
  hugersi.com(91.215.85.147) - malware
  ji.jahhaega2qq.com(172.67.182.87) - malware
  sun6-21.userapi.com(95.142.206.1) - malicious
  sun6-23.userapi.com(95.142.206.3)
  ipinfo.io(34.117.59.81)
  www.maxmind.com(104.17.214.67)
  api.db-ip.com(104.26.4.15)
  iplogger.org(148.251.234.83) - malicious
  vk.com(87.240.132.72) - malicious
  148.251.234.93 - malicious
  77.91.68.62 - malware
  83.97.73.128 - malware
  91.215.85.147 - malware
  87.240.129.133 - malicious
  104.26.5.15
  83.97.73.127 - malicious
  172.67.75.166
  157.254.164.98 - malicious
  34.117.59.81
  172.67.182.87 - malware
  148.251.234.83
  45.12.253.74 - malware
  95.214.25.234 - malware
  104.17.214.67
  45.15.156.229 - malicious
  95.142.206.3
  163.123.143.4 - malicious
  95.142.206.1 - malicious
  85.208.136.10 - malicious
  176.113.115.239 - malware
IDS alerts (18):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Packed Executable Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO TLS Handshake Failure
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
Rule-matched URLs (8):
  http://77.91.68.62/DSC01491/fotocr06.exe
  http://hugersi.com/dl/6523.exe
  http://45.15.156.229/api/tracemap.php
  http://85.208.136.10/api/firegate.php
  http://77.91.68.62/wings/game/index.php
  http://77.91.68.62/DSC01491/foto148.exe
  http://ji.jahhaega2qq.com/m/p0aw25.exe
  http://85.208.136.10/api/tracemap.php
Score: 7.6 | M | | ZeroCERT
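The host, URL and alert columns above are flattened into single strings with a "name(ip) - verdict" convention, which makes them awkward to feed into a blocklist. The following script is an added example (not the sandbox's own tooling) that parses that flattening, separates operator infrastructure from the geo-IP/IP-check services the loader merely queries, and emits Suricata block rules. The sample strings are a subset of record 12601 copied as flattened; the allowlist of IP-check services, the sandbox's "mailcious" spelling being normalised to "malicious", and the rule SID range are assumptions of this example.

```python
"""Turn one flattened sandbox record (hosts, URLs, IDS alerts) into
structured IOCs and Suricata block rules.

Added example, not the sandbox's own tooling. Sample strings are a
subset of record 12601 copied as flattened; the allowlist of IP-check
services is an assumption of this example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the host / URL / alert columns of record 12601.
HOSTS_RAW = ("db-ip.com(104.26.4.15) iplis.ru(148.251.234.93) - mailcious "
             "hugersi.com(91.215.85.147) - malware ji.jahhaega2qq.com(172.67.182.87) - malware "
             "ipinfo.io(34.117.59.81) 77.91.68.62 - malware 104.26.5.15 45.15.156.229 - mailcious")
URLS_RAW = ("http://77.91.68.62/DSC01491/fotocr06.exe - rule_id: 33774 "
            "http://www.maxmind.com/geoip/v2.1/city/me "
            "http://45.15.156.229/api/tracemap.php - rule_id: 33783")
ALERTS_RAW = ("ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) "
              "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
              "ET MALWARE RedLine Stealer TCP CnC net.tcp Init")

BAD_VERDICTS = {"malicious", "malware", "phishing"}
# Assumption: geo-IP / IP-check services are used by the malware but not owned by
# the operator, so they are reported for hunting rather than blocked.
IP_CHECK_SERVICES = {"ipinfo.io", "www.maxmind.com", "db-ip.com", "api.db-ip.com",
                     "api.ipify.org", "iplogger.org"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_TOKEN = re.compile(r"^(?:(?P<name>[A-Za-z0-9.-]+)\((?P<ip>[\d.]*)\)|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))$")
URL_ENTRY = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s+(\d+))?")
ALERT_SPLIT = re.compile(r"\s+(?=(?:ET [A-Z_]+ |SSLBL: |SURICATA ))")


@dataclass
class Host:
    name: str          # domain, or the IP itself for bare-IP entries
    ip: str            # resolved address; '' when the sandbox saw no answer
    verdict: str = ""  # sandbox label ('' when unlabelled); 'mailcious' normalised


def parse_hosts(raw: str) -> list[Host]:
    tokens, hosts, i = raw.split(), [], 0
    while i < len(tokens):
        m = HOST_TOKEN.match(tokens[i])
        if not m:
            raise ValueError(f"unexpected host token {tokens[i]!r}")
        host = Host(m.group("bare") or m.group("name"), m.group("bare") or m.group("ip"))
        i += 1
        if i + 1 < len(tokens) and tokens[i] == "-":   # "- <verdict>" follows the host
            host.verdict = "malicious" if tokens[i + 1] == "mailcious" else tokens[i + 1]
            i += 2
        hosts.append(host)
    return hosts


def parse_urls(raw: str) -> list[tuple[str, int | None]]:
    return [(url, int(rid) if rid else None) for url, rid in URL_ENTRY.findall(raw)]


def parse_alerts(raw: str) -> list[str]:
    return [a for a in (s.strip() for s in ALERT_SPLIT.split(raw)) if a]


def url_host(url: str) -> str:
    return url.split("/")[2].rsplit(":", 1)[0]


def classify(hosts: list[Host], urls: list[tuple[str, int | None]]) -> tuple[set, set]:
    """Split observed infrastructure into (block, ip_check_services)."""
    block, ip_check = set(), set()
    for h in hosts:
        if h.name in IP_CHECK_SERVICES:
            ip_check.add(h.name)
        elif h.verdict in BAD_VERDICTS:
            block.update({h.name, h.ip} - {""})
    for url, rule_id in urls:
        host = url_host(url)
        if host in IP_CHECK_SERVICES:
            ip_check.add(host)
        elif rule_id is not None:           # URL matched a sandbox malicious-URL rule
            block.add(host)
    return block, ip_check


def defang(indicator: str) -> str:
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def suricata_rules(block: set, sid_base: int = 1000000, source: str = "sandbox 12601") -> list[str]:
    """One local rule per indicator: IP rules on the destination, DNS rules on the query."""
    rules = []
    for n, ioc in enumerate(sorted(block)):
        sid = sid_base + n
        if IPV4.match(ioc):
            rules.append(f'alert ip $HOME_NET any -> {ioc} any '
                         f'(msg:"{source} flagged IP {ioc}"; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns $HOME_NET any -> any any '
                         f'(msg:"{source} flagged domain {ioc}"; dns.query; '
                         f'content:"{ioc}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    block, ip_check = classify(parse_hosts(HOSTS_RAW), parse_urls(URLS_RAW))
    print("alerts:", *parse_alerts(ALERTS_RAW), sep="\n  ")
    print("ip-check services (hunt, do not block):", ", ".join(sorted(ip_check)))
    print("block (defanged):", ", ".join(defang(i) for i in sorted(block)))
    print(*suricata_rules(block), sep="\n")
```

Unlabelled hosts such as 104.26.5.15 are deliberately left out of the block set: a sandbox resolving a CDN address is not evidence of attacker control, and the verdict column is what carries that judgement here.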
12602 | 2023-06-02 18:40
File: BandicamScreenRecorder_pass123...
MD5: 0dd10d786758af063a14efaff9ebf78e
Tags: PWS[m] Escalate privileges KeyLogger AntiDebug AntiVM Malware download Malware RecordBreaker suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Tofsee Stealer Windows DNS
URLs (34):
  http://91.202.5.224/rh2605.exe
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
  http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
  http://94.130.226.235/2033a784d8c945410d4233592ea99f71
  http://94.130.226.235/
  https://www.bandicam.co.kr/favicon.ico
  https://www.bandicam.co.kr/downloads/
  https://www.bandicam.co.kr/style.min.css?20221205
  https://wcs.naver.com/m?u=https%3A%2F%2Fwww.bandicam.co.kr%2Fdownloads%2F&e=&wa=s_502950d95e2b&bt=-1&os=Win32&ln=ko&sr=1365x1024&bw=1211&bh=841&c=24&j=Y&jv=1.8&k=Y&ct=lan&cs=utf-8&tl=%25EB%25B0%2598%25EB%2594%2594%25EC%25BA%25A0%2520%25EB%25AC%25B4%25EB%25A3%258C%2520%25EB%258B%25A4%25EC%259A%25B4%25EB%25A1%259C%25EB%2593%259C%253A%2520%25EC%25BB%25B4%25ED%2593%25A8%25ED%2584%25B0%2520%25ED%2599%2594%25EB%25A9%25B4%2520%25EB%25B0%258F%2520%25EB%258F%2599%25EC%2598%2581%25EC%2583%2581%2520%25EB%2585%25B9%25ED%2599%2594%2520%25ED%2594%2584%25EB%25A1%259C%25EA%25B7%25B8%25EB%259E%25A8&vs=0.8.7&nt=1685698468990&EOU
  https://www.bandicam.co.kr/img/logo_bandicam.png
  https://www.bandicam.co.kr/img/menu_bg.gif
  https://www.bandicam.co.kr/img/topmenuicon_bandicam.png
  https://www.bandicam.co.kr/js/jquery-3.5.1.custom.min.js
  https://www.bandicam.co.kr/img/icon-windows.png
  https://www.bandicam.co.kr/downloads/bandicam_kor_3.gif
  https://www.bandicam.co.kr/img/topmenuicon_bandicut.png
  https://wcs.naver.net/wcslog.js
  https://www.bandicam.co.kr/img/img_gs.gif
  https://www.bandicam.co.kr/img/img_sns_btns.png
  https://www.bandicam.co.kr/js/jquery-ui.custom.min.js
  https://www.bandicam.co.kr/js/bootstrap-3.4.1.min.js
  https://www.bandicam.co.kr/js/jquery.magnific-popup.min.js
  https://www.bandicam.co.kr/magnific-popup.min.css
  https://www.bandicam.co.kr/js/acecounter_cts.js
  https://www.bandicam.co.kr/img/img_flags_2516_43.gif
  https://www.bandicam.co.kr/img/srch-icon.png
  https://www.bandicam.co.kr/js/lazysizes.min.js
  https://www.bandicam.co.kr/js/bootstrap-3.3.2.min.css?20210521
  https://www.googletagmanager.com/gtag/js?id=G-55QDT2Q4HQ
Hosts (12):
  www.googletagmanager.com(142.250.206.200)
  static.bandicam.com(151.101.194.132)
  www.bandicam.co.kr(52.79.86.85)
  wcs.naver.com(110.93.147.30)
  wcs.naver.net(104.76.97.144)
  91.202.5.224
  110.93.147.30
  52.79.86.85
  172.217.31.8
  146.75.50.132
  104.75.40.20
  94.130.226.235
IDS alerts (15):
  ET INFO Executable Download from dotted-quad Host
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO TLS Handshake Failure
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible Generic Stealer Sending System Information
  ET HUNTING Possible Generic Stealer Sending a Screenshot
Rule-matched URLs: none
Score: 3.8 | | | ZeroCERT
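The RecordBreaker record above shows the pattern the ET HUNTING rules key on: one client fetches the browser-credential helper DLLs (nss3, sqlite3, freebl3, softokn3, mozglue, msvcp140, vcruntime140) from a bare-IP host and talks back to the same host. The script below is an added example (not part of the sandbox or of any vendor rule set) that applies that logic to proxy logs, so that the pattern is caught even when each individual DLL request looks innocuous. The log line format and every log line are constructed for the example, modelled on the record-12602 URL list; the request methods, the 10-minute window and the threshold of three distinct DLLs are assumptions.

```python
"""Detect the infostealer support-DLL fetch pattern seen in record 12602:
one client pulls several browser-credential helper DLLs from a bare-IP
host and POSTs back to it. Added example, not part of the sandbox or of
any vendor rule set; the log format and all log lines are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

STEALER_DLLS = {"nss3.dll", "sqlite3.dll", "freebl3.dll", "softokn3.dll",
                "mozglue.dll", "msvcp140.dll", "vcruntime140.dll"}
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed proxy log shape: "<date> <time> <client-ip> <METHOD> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+)$")

# Constructed sample modelled on the record-12602 URL list; 10.0.0.9 and 10.0.0.12 are benign noise.
SAMPLE_LOG = """\
2023-06-02 18:40:01 10.0.0.7 GET http://91.202.5.224/rh2605.exe
2023-06-02 18:40:05 10.0.0.7 POST http://94.130.226.235/
2023-06-02 18:40:06 10.0.0.7 GET http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
2023-06-02 18:40:06 10.0.0.7 GET http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
2023-06-02 18:40:07 10.0.0.7 GET http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
2023-06-02 18:40:07 10.0.0.7 GET http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
2023-06-02 18:40:09 10.0.0.7 POST http://94.130.226.235/2033a784d8c945410d4233592ea99f71
2023-06-02 18:40:10 10.0.0.9 GET https://www.bandicam.co.kr/downloads/
2023-06-02 18:41:00 10.0.0.9 GET https://cdn.example.test/libs/sqlite3.dll
2023-06-02 19:10:00 10.0.0.12 GET http://203.0.113.5/mozglue.dll
"""


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip blank or malformed lines
        url = m.group("url")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "src": m.group("src"), "method": m.group("method"),
            "host": url.split("/")[2].rsplit(":", 1)[0],
            "file": url.rsplit("/", 1)[-1].lower(),
        })
    return events


def detect(text: str, window: timedelta = timedelta(minutes=10), min_dlls: int = 3) -> list[dict]:
    """One finding per (client, bare-IP host) that served >= min_dlls distinct stealer
    DLLs inside `window`; 'posted' marks a check-in/exfil POST to the same host."""
    groups = defaultdict(list)
    for e in parse_log(text):
        if DOTTED_QUAD.match(e["host"]):  # vendor CDNs serve the same DLLs by name
            groups[(e["src"], e["host"])].append(e)
    findings = []
    for (src, host), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        dll_evs = [e for e in evs if e["file"] in STEALER_DLLS]
        start = 0
        for end in range(len(dll_evs)):   # sliding window over DLL fetches
            while dll_evs[end]["ts"] - dll_evs[start]["ts"] > window:
                start += 1
            if len({e["file"] for e in dll_evs[start:end + 1]}) >= min_dlls:
                burst = [e for e in dll_evs[start:] if e["ts"] - dll_evs[start]["ts"] <= window]
                findings.append({
                    "src": src, "host": host,
                    "dlls": sorted({e["file"] for e in burst}),
                    "posted": any(e["method"] == "POST" for e in evs),
                    "first": burst[0]["ts"], "last": burst[-1]["ts"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        level = "high" if f["posted"] else "medium"
        print(f"[{level}] {f['src']} -> {f['host']} fetched {', '.join(f['dlls'])} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Restricting the match to dotted-quad hosts is what keeps the rule quiet: legitimate installers fetch the same DLL names from vendor CDNs by hostname, while the stealer stages them on a raw IP with no DNS name at all.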
12603 | 2023-06-02 18:34
File: ddd.json.ps1
MD5: 558632789032f0e8cb4f4be1c784ed08
Tags: Hide_EXE Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
URLs / Hosts / IDS alerts: none recorded
Score: 1.6 | M | 16 | ZeroCERT
12604 | 2023-06-02 18:33
File: Atm_Fradulent_Transaction_Note...
MD5: 0f721b8721fcf53a2f584d1e14576222
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows ComputerName Dropper
URLs: none recorded
Hosts (2):
  phhvvvvzeraphulo.gotdns.ch(185.227.82.21)
  185.227.82.21
IDS alerts (1):
  ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain
Rule-matched URLs: none
Score: 10.0 | | 3 | ZeroCERT
12605 | 2023-06-02 18:29
File: 647935b3df1dc.zip
MD5: 2e1d77880b713f913c52773045cae78d
Tags: ZIP Format Malware Malicious Traffic NetSupport
URLs (3):
  http://geo.netsupportsoftware.com/location/loca.asp
  http://91.215.85.180:5222/
  http://91.215.85.180/fakeurl.htm
Hosts (4):
  geo.netsupportsoftware.com(62.172.138.67)
  balibumba1.com(91.215.85.180) - malicious
  51.142.119.24
  91.215.85.180 - malicious
IDS alerts (3):
  ET POLICY NetSupport GeoLocation Lookup Request
  ET INFO NetSupport Remote Admin Checkin
  ET INFO NetSupport Remote Admin Response
Rule-matched URLs: none
Score: 0.8 | | | ZeroCERT
12606 | 2023-06-02 17:50
File: hkcmd.exe
MD5: 47e139c4d15656a318c89ceab3fd3779
Tags: Loki Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://185.246.220.85/line/five/fre.php - rule_id: 33747
Hosts (1):
  185.246.220.85 - malicious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://185.246.220.85/line/five/fre.php
Score: 14.2 | M | 40 | ZeroCERT
12607 | 2023-06-02 17:48
File: hkcmd.exe
MD5: a9ef402dafd9bf3e6ecad54f7a5c5cce
Tags: Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
Hosts (1):
  185.246.220.85 - malicious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://185.246.220.85/fresh/five/fre.php
Score: 13.8 | M | 23 | ZeroCERT
12608 | 2023-06-02 17:46
File: ioioioioioioioioioioio%23%23%2...
MD5: b7317b332d56b95754a97d72aab04605
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash suspicious TLD Windows Exploit DNS crashed
URLs (5):
  http://www.7xwithlove.com/hs95/?DFQh=FEsyfnPPa2w+7CwdFgilHyOzcmfi/nutV7R4VzlheLbxlq0f1Q/R2T+xobBm3SO35hOaA5PO&v4XxH=hDK0LDbh
  http://ww1.neasamparishcouncil.co.uk/
  http://www.hjcyh.top/hs95/?DFQh=veHdkKG+cnEW8XBO+RdGzKP6IcE1bFb25+rl9urMqczOpB7y3gu3kSbNkUR65Uo7B3JmwNzU&v4XxH=hDK0LDbh
  http://www.neasamparishcouncil.co.uk/hs95/?DFQh=yYc+EqOdCqTl0g9C3mb2l/5tONbYjkLloFYHR7Kcv9AZpB3ZrS2JcC/VodST10LvJHaEdC22&v4XxH=hDK0LDbh
  http://45.66.230.127/254/INTERNET.exe
Hosts (11):
  www.7xwithlove.com(23.227.38.74)
  www.dajichi.asia()
  www.neasamparishcouncil.co.uk(63.141.242.46)
  ww1.neasamparishcouncil.co.uk(199.59.243.223)
  www.hjcyh.top(103.216.153.107)
  192.187.111.222 - phishing
  63.141.242.45 - malicious
  199.59.243.223
  103.216.153.107
  23.227.38.74 - malicious
  45.66.230.127 - malware
IDS alerts (11):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET DNS Query to a *.top domain - Likely Hostile
  ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .TOP Domain with Minimal Headers
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none
Score: 6.4 | M | 30 | ZeroCERT
12609 | 2023-06-02 17:46
File: grace.exe
MD5: b74a27f1d2f59773c8fc41c831600fe3
Tags: Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed
URLs / Hosts / IDS alerts: none recorded
Score: 2.2 | M | 30 | ZeroCERT
12610 | 2023-06-02 17:42
File: cc.exe
MD5: db1d5ad95e2020413ca89f274657f3b1
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
URLs / Hosts / IDS alerts: none recorded
Score: 1.8 | M | 27 | ZeroCERT
12611 | 2023-06-02 17:40
File: hkcmd.exe
MD5: 79796093d175c7811e14b67d670efdfc
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
URLs / Hosts / IDS alerts: none recorded
Score: 2.2 | M | 33 | ZeroCERT
12612 | 2023-06-02 17:38
File: 2.exe
MD5: 5c3837c38ccbcdd101a0f23550e68443
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
URLs / Hosts / IDS alerts: none recorded
Score: 2.0 | M | 33 | ZeroCERT
12613 | 2023-06-02 17:36
File: teambzx.exe
MD5: b83d29d7b66726edbdbb823873e27a18
Tags: PWS .NET framework Formbook SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs (2):
  http://x1.i.lencr.org/
  https://api.ipify.org/
Hosts (6):
  x1.i.lencr.org(104.76.70.102)
  mail.grad-vodice.hr(108.179.208.47)
  api.ipify.org(64.185.227.155)
  108.179.208.47
  104.76.70.102
  104.237.62.211
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
Rule-matched URLs: none
Score: 13.4 | | 32 | ZeroCERT
12614 | 2023-06-02 17:36
File: hkcmd.exe
MD5: 3ad351e8a6eff6d9405b4cab75a7a2ec
Tags: Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
  http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
Hosts (1):
  185.246.220.85 - malicious
IDS alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://185.246.220.85/fresh/five/fre.php
Score: 13.6 | M | 17 | ZeroCERT
12615 | 2023-06-02 17:35
File: sp.exe
MD5: 45d50af2dab49aa0de4894a1bbff7d62
Tags: Themida Packer Generic Malware Malicious Library PE64 PE File VirusTotal Malware unpack itself Windows crashed
URLs / Hosts / IDS alerts: none recorded
Score: 2.8 | | 38 | ZeroCERT