12616 | 2023-06-02 17:34 | DIV.exe | MD5 3037a91071720c71bf5cc9456a6417d1
Tags: Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed
URLs: none | Hosts: none | Signatures: none
Score 2.0 | - | 29 | ZeroCERT

12617 | 2023-06-02 15:27 | hkcmd.exe | MD5 ddfffbdbb97818dc43696266e7a1335d
Tags: AgentTesla browser info stealer Google Chrome User Data Downloader Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate privileges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process Windows ComputerName DNS Cryptographic key DDNS
URLs (1): http://geoplugin.net/json.gp
Hosts (4): geoplugin.net (178.237.33.50); pekonomia.duckdns.org (185.225.74.112) - malicious; 178.237.33.50; 185.225.74.112 - malicious
Signatures (3): ET JA3 Hash - Remcos 3.x TLS Connection; ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score 9.8 | M | 44 | ZeroCERT

12618 | 2023-06-02 15:02 | 3D8207E1CE6762FF10DB118BEE3BD9... | MD5 3d8207e1ce6762ff10db118bee3bd99b
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself
URLs: none | Hosts: none | Signatures: none
Score 2.2 | - | 51 | ZeroCERT

12619 | 2023-06-02 11:15 | ar.exe | MD5 fb08d5b98542effd996cf4dd0e388666
Tags: Confuser .NET SMTP PWS[m] KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1): http://checkip.dyndns.org/
Hosts (4): checkip.dyndns.org (193.122.130.0); api.telegram.org (149.154.167.220); 132.226.247.73; 149.154.167.220
Signatures (7): ET HUNTING Telegram API Domain in DNS Lookup; ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check; ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Score 12.6 | M | 26 | ZeroCERT

12620 | 2023-06-02 11:13 | ARR.exe | MD5 87bf7cbcaad9c9d42226765a9a00123b
Tags: RAT Confuser .NET SMTP PWS[m] KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware Telegram PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Tofsee DNS DDNS keylogger
URLs (1): http://checkip.dyndns.org/
Hosts (5): checkip.dyndns.org (193.122.6.168); api.telegram.org (149.154.167.220); 77.88.21.158; 158.101.44.242; 149.154.167.220
Signatures (7): ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check; ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Telegram API Domain in DNS Lookup
Score 9.6 | M | 37 | ZeroCERT

12621 | 2023-06-02 11:13 | smss.exe | MD5 1b76b48ed5ab267ec90e78ad7aadacee
Tags: NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs (1): none listed
Hosts (4): api.ipify.org (173.231.16.76); smtp.yandex.com (77.88.21.158); 77.88.21.158; 104.237.62.211
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Detect protocol only one direction
Score 12.8 | M | 48 | ZeroCERT

12622 | 2023-06-02 11:12 | R.exe | MD5 75e536684503b069e3f8782abee90845
Tags: RAT Confuser .NET AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
URLs (11): http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip; http://www.bluhenhalfte.xyz/p9ao/?seGgFJ=vRFPeW+a5eWj78d95ZChSzUnWBErJOu6BL+rqrQuXzoLgBIyf+8wG4E0yzEkSL259muf+heCu3SYFxv43Rue+P6JisHwLR8+s0aKyro=&6v=LtYV7f8p2kiE; http://www.windmarkdijital.xyz/p9ao/?seGgFJ=+bmephAqYj2sPehVYG+6vylNZ9xTD57k0www/64WlyporzTS/DQK9Cj9E45l2PnpvASrzBKQ+MTFYh98/e7cSFktWy6uJymQpJPkUO8=&6v=LtYV7f8p2kiE; http://www.windmarkdijital.xyz/p9ao/; http://www.g2g2sport.xyz/p9ao/?seGgFJ=XT67LxJVileSUZubvPnUPegaTgZ/6jQtKal3VjDKoEwa5II03LuvqSNChaRu2iUoBEt/Y1rs6QWzksNnW/YxdPu4ukuWTQMQOAWrwp4=&6v=LtYV7f8p2kiE; http://www.g2g2sport.xyz/p9ao/; http://www.suzheng22.top/p9ao/; http://www.solarwachstum.com/p9ao/; http://www.bluhenhalfte.xyz/p9ao/; http://www.suzheng22.top/p9ao/?seGgFJ=UF1gbyBA2KpG8m0Rm9ehbXR0zJmaFb1dyUpi9VFZIpYgOTVtiTl0F+cTQPY8C/xJkCHyK8gaxezu3hN4hseR4mpCn7WT9y60MQraZ8Q=&6v=LtYV7f8p2kiE; http://www.solarwachstum.com/p9ao/?seGgFJ=CRBGmlvLKSdWYJTLFdYUqNcl5XacT7p2l/bsj7rBz10wHnkWrMrpIEuQZVcc3zXzkIzXuCRWtiUMrr5dZy1sHRpRgJUYDyiz+Rr4X1g=&6v=LtYV7f8p2kiE
Hosts (11): www.bluhenhalfte.xyz (109.123.121.243); www.suzheng22.top (172.67.162.131); www.solarwachstum.com (89.31.143.1); www.g2g2sport.xyz (198.54.117.211); www.windmarkdijital.xyz (85.159.66.93); 109.123.121.243 - malicious; 85.159.66.93 - malicious; 89.31.143.1 - malicious; 198.54.117.212 - malicious; 104.21.42.144; 45.33.6.223
Signatures (6): ET INFO HTTP Request to a *.top domain; ET DNS Query to a *.top domain - Likely Hostile; ET MALWARE FormBook CnC Checkin (POST) M2; ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .TOP Domain with Minimal Headers; ET HUNTING Request to .XYZ Domain with Minimal Headers
Score 8.6 | M | 20 | ZeroCERT

12623 | 2023-06-02 11:11 | agodzx.exe | MD5 c000b09471d65a78c865ef626a7f82e2
Tags: PWS .NET framework Formbook SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1): none listed
Hosts (4): api.ipify.org (173.231.16.76); smtp.yandex.com (77.88.21.158); 64.185.227.155; 77.88.21.158
Signatures (2): SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 11.2 | M | 19 | ZeroCERT

12624 | 2023-06-02 11:11 | D.exe | MD5 7233778f2b64f9e0cf54a3a15ff91bb2
Tags: RAT Confuser .NET AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
URLs (19): http://www.tarolstroy.store/6huu/?OqPR=En7LCrBqRDvhnDHpczrHWaIedYbeAgZr6OxVyCrdWihd6XEAizhpO0j/kkT3E0Ail4lmu+00ROJTwCbrXgrUq/0FdQ7yD2DHgTmcEH4=&Yln=M4DXTK1SNj; http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip; http://www.0096061.com/6huu/; http://www.14zhibo.work/6huu/; http://www.kp69f.top/6huu/; http://www.terrenoscampestres.com/6huu/?OqPR=vPEZFS80w83TR1ISai5AEG4cZjK/Z0sPVYJxvP0qkrafDKWjEP7E989Tf/65iA6Wv6B2G+FeAz/F94bTMl2+G2T5U6uSTMLdr8gHGso=&Yln=M4DXTK1SNj; http://www.lancele.com/6huu/; http://www.ticimmo.com/6huu/; http://www.lancele.com/6huu/?OqPR=lkPChsOgbmG6IllhHTLtf7ULj1acQ37do+96zoOFU1wEZ7Q3pDLdySJi8tX/LksgKKJ2zleSV8oD4OY5SI7MA2q2BuCSDDIq7z8yKSo=&Yln=M4DXTK1SNj; http://www.14zhibo.work/6huu/?OqPR=DY82kxx300f8Ik70WvLdREOGU4sx5WmLPZ3/q1TGOtAA9/Gzsd9nceuxwkKKmb1RPsemirf5O/kWho3f6FGpO5KONInBcJ6F+ssJurA=&Yln=M4DXTK1SNj; http://www.0096061.com/6huu/?OqPR=cmX/07TqI3ZVBqSk8R867+hdp8bVOoL06AzKIpvdRFeyAj6hvaaJUHhkQ/toAIcVWWdRQEgjpGpGrDxsMG4sQneWN+dP3qrEhepv/3Q=&Yln=M4DXTK1SNj; http://www.solarwachstum.com/6huu/?OqPR=w02mQAblJWbyIo6ozgnxrIUPRxqR4gn//aKR4b4C2qQSYqcw3Vi29oLFIvtOIeXnZF+XC4+RsLS3HuGm7zRt9dlAuIsc4gbzWXQ9ldM=&Yln=M4DXTK1SNj; http://www.tarolstroy.store/6huu/; http://www.terrenoscampestres.com/6huu/; http://www.kp69f.top/6huu/?OqPR=c/0CEmjcp1qhbjrBdr7qFpTEdTMNmdGL+2G3nk26J8C5sXkvdYxGabdoDx2ERzE1q79WMkYCDIvd6DDSGqF5RzVKrD1kqEcaGqxbLU4=&Yln=M4DXTK1SNj; http://www.ticimmo.com/6huu/?OqPR=TigSyFlwP0RNpBbhC/rdMwC8b/Qg/Ivp2etxz330Y/wAN2mEJT4yMf4cHTRgrqo8FsDkyKZ/RDxnb9SkkKZ8CLMuGFsv81COs/EjZGo=&Yln=M4DXTK1SNj; http://www.qfx88.com/6huu/; http://www.qfx88.com/6huu/?OqPR=ai4Hj7VNL/eal8v50vngd1esaVL80O28AVhmObBuZqCvkNevFGLtvLG4llGxYwRMqic01nY12J0ERo7jbuO1GzAlXIwPB2kWrkts/2A=&Yln=M4DXTK1SNj; http://www.solarwachstum.com/6huu/
Hosts (19): www.tarolstroy.store (91.106.207.17); www.14zhibo.work (43.154.196.178); www.kp69f.top (34.149.198.43); www.solarwachstum.com (89.31.143.1); www.ticimmo.com (217.26.48.101); www.qfx88.com (120.48.139.92); www.terrenoscampestres.com (109.106.251.102); www.lancele.com (38.239.160.233); www.0096061.com (154.55.172.139); 43.154.196.178 - malicious; 38.239.160.233; 154.55.172.139; 109.106.251.102; 120.48.139.92; 89.31.143.1 - malicious; 217.26.48.101 - malicious; 45.33.6.223; 34.120.55.112; 91.106.207.17 - malware
Signatures (6): ET DNS Query to a *.top domain - Likely Hostile; ET INFO HTTP Request to Suspicious *.work Domain; ET INFO HTTP Request to a *.top domain; ET INFO Observed DNS Query to .work TLD; ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .TOP Domain with Minimal Headers
Score 8.6 | M | 24 | ZeroCERT

12625 | 2023-06-02 11:09 | second.dll | MD5 82414dead2dfee972e3943c9e26738bc
Tags: DLL PE File PE32 VirusTotal Malware RWX flags setting unpack itself
URLs: none | Hosts: none | Signatures: none
Score 2.8 | M | 48 | ZeroCERT

12626 | 2023-06-02 11:07 | hkcmd.exe | MD5 7e8983aa9183cc264d567f19d5bfe022
Tags: Loki Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
Hosts (1): 185.246.220.85 - malicious
Signatures (7): ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Flagged URLs (1): http://185.246.220.85/fresh/five/fre.php
Score 13.8 | M | 29 | ZeroCERT

12627 | 2023-06-02 11:07 | HKL.vbs | MD5 d21fa8f92d5215bf0dcaa7b777d76ee9
Tags: Formbook Generic Malware Antivirus PowerShell VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs: none | Hosts: none | Signatures: none
Score 5.4 | M | 10 | ZeroCERT

12628 | 2023-06-02 11:04 | iiiiiiiiiiiiiiiiiiiiiiii%23%23... | MD5 8504482b2c616c2052d6ed9656344162
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed
URLs (2): http://geoplugin.net/json.gp; http://45.66.230.127/32/hkcmd.exe
Hosts (5): geoplugin.net (178.237.33.50); pekonomia.duckdns.org (185.225.74.112) - malicious; 178.237.33.50; 45.66.230.127 - malware; 185.225.74.112 - malicious
Signatures (8): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET JA3 Hash - Remcos 3.x TLS Connection
Score 5.0 | M | 31 | ZeroCERT

12629 | 2023-06-02 09:33 | ziziziziiziziziizizizizi%23%23... | MD5 f18154ad38c526af21cafa86c6188011
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (1): http://103.167.90.55/100/hkcmd.exe
Hosts (2): 45.33.6.223; 103.167.90.55 - malware
Signatures (5): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 5.2 | M | 31 | ZeroCERT

12630 | 2023-06-02 09:31 | hkcmd.exe | MD5 ed61febcba66f166082b96a553f2cb33
Tags: UPX Malicious Library PE File PE32 PNG Format DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
URLs: none | Hosts: none | Signatures: none
Score 3.0 | M | 39 | ZeroCERT

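The listing above is only useful to a defender once its host, IP and URL columns are turned into labelled, defanged indicators. The following is an added example for this page, not code from the page or from ZeroCERT: it parses one record (a constructed excerpt of entry 12622, R.exe, in the labelled record layout used above), joins each resolved hostname to the label of the IP it resolved to, groups the candidate URLs by their first path segment, and defangs everything for a report. The field names, the exact-IP join and the path-segment grouping heuristic are this example's own assumptions, not something the listing states.

```python
"""Parse one record of the sandbox listing above and turn it into labelled,
defanged network IOCs.

Added example for this page; it is not code from the page or from ZeroCERT.
SAMPLE_RECORD is a constructed excerpt of entry 12622 (R.exe) in the labelled
record layout used above; the field names and the path-token grouping
heuristic are this example's own assumptions, not something the listing states.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_RECORD = """\
12622 | 2023-06-02 11:12 | R.exe | MD5 75e536684503b069e3f8782abee90845
URLs (5): http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip; http://www.bluhenhalfte.xyz/p9ao/?seGgFJ=vRFPeW+a5eWj78d95ZChSzUnWBErJOu6BL+rqrQuXzoLgBIyf+8wG4E0yzEkSL259muf+heCu3SYFxv43Rue+P6JisHwLR8+s0aKyro=&6v=LtYV7f8p2kiE; http://www.windmarkdijital.xyz/p9ao/; http://www.g2g2sport.xyz/p9ao/; http://www.suzheng22.top/p9ao/
Hosts (8): www.bluhenhalfte.xyz (109.123.121.243); www.suzheng22.top (172.67.162.131); www.g2g2sport.xyz (198.54.117.211); www.windmarkdijital.xyz (85.159.66.93); 109.123.121.243 - malicious; 85.159.66.93 - malicious; 198.54.117.212 - malicious; 45.33.6.223
Signatures (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
"""

# One "Hosts" item: either "name (ip)" or a bare ip, optionally " - <label>".
HOST_ITEM = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+)"
    r"(?: \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
    r"(?: - (?P<label>[a-z]+))?$"
)


def _field(text, label):
    """Body of the 'Label (n): ...' line, or '' when the record has none."""
    m = re.search(rf"^{label} \(\d+\): ?(.*)$", text, re.M)
    return m.group(1).strip() if m else ""


def parse_record(text):
    """Split a record into urls, name->ip resolutions and ip->label marks."""
    urls = [u for u in _field(text, "URLs").split("; ") if u.startswith("http")]
    hosts, ip_labels = {}, {}
    for item in filter(None, _field(text, "Hosts").split("; ")):
        m = HOST_ITEM.match(item.strip())
        if not m:
            continue  # tolerate layout noise rather than abort the whole record
        if m["ip"]:
            hosts[m["name"]] = m["ip"]
            ip = m["ip"]
        else:
            ip = m["name"]
        # A later bare-IP item may carry the label the name item lacked.
        ip_labels[ip] = m["label"] or ip_labels.get(ip)
    sigs = [s for s in _field(text, "Signatures").split("; ") if s]
    return {"urls": urls, "hosts": hosts, "ip_labels": ip_labels, "signatures": sigs}


def flag_hosts(record):
    """Join each resolved name to the label of the IP it resolved to.

    The join is exact on purpose: in the listing www.g2g2sport.xyz resolves to
    198.54.117.211 while the labelled address is 198.54.117.212, so the host
    comes back unlabelled. Treat None as 'review by hand', not as 'clean'.
    """
    return {name: record["ip_labels"].get(ip) for name, ip in record["hosts"].items()}


def group_by_path_token(urls):
    """Group URL hosts by their first path segment.

    Assumption made for this example: the FormBook candidates in one record
    share a per-campaign segment (/p9ao/ here, /6huu/ in entry 12624), so the
    segment separates C2 candidates from unrelated downloads such as sqlite.org.
    """
    groups = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        token = parts.path.strip("/").split("/")[0]
        groups[token].add(parts.hostname)
    return {token: sorted(names) for token, names in groups.items()}


def defang(indicator):
    """Defang a URL, hostname or IP so it cannot be clicked or auto-linked."""
    if "://" in indicator:
        scheme, rest = indicator.split("://", 1)
        netloc, sep, tail = rest.partition("/")
        return f"{scheme.replace('http', 'hxxp')}://{netloc.replace('.', '[.]')}{sep}{tail}"
    return indicator.replace(".", "[.]")


def report(text):
    """Defanged summary lines for one record: flagged hosts and C2 groups."""
    rec = parse_record(text)
    lines = []
    for name, label in sorted(flag_hosts(rec).items()):
        lines.append(f"{defang(name)} -> {defang(rec['hosts'][name])} [{label or 'unlabelled'}]")
    for token, names in sorted(group_by_path_token(rec["urls"]).items()):
        lines.append(f"/{token}/ : {', '.join(defang(n) for n in names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RECORD)))
```

Run it as a script to print the defanged report for the embedded record. Two things the output makes visible that the raw listing hides: the sqlite.org download sits in its own path group and carries no label, so it should not be blocked alongside the /p9ao/ hosts, and www.g2g2sport.xyz ends up unlabelled only because of the .211/.212 mismatch in the listing, which is why an unlabelled host must be reviewed rather than assumed benign.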