12631 |
2023-06-02 09:30
|
uiuiuiuiuiuiuiuiuiuiuiu%23%23%... 64d39883417401cc3d8ea3f76d4a9a50 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
11
|
11
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE FormBook CnC Checkin (GET)
|
|
6.4 |
M |
31 |
ZeroCERT
12632 |
2023-06-02 09:27
|
Client2.jpg 3b505e72fe4fa5017eda28c54dac0c09 PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
3.8 |
M |
54 |
ZeroCERT
12633 |
2023-06-02 09:27
|
iiiiiiiiiiiiiii%23%23%23%23%23... 63c35801f8976124d6d45b9290bb627e Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
2
http://194.180.48.58/web/five/fre.php - rule_id: 33853
http://107.175.113.199/311/hkcmd.exe
|
3
194.180.48.58 - malicious
107.175.113.199 - malware
77.88.21.158
|
14
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Checkin
ET INFO Packed Executable Download
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://194.180.48.58/web/five/fre.php
|
5.4 |
M |
36 |
ZeroCERT
12634 |
2023-06-02 09:25
|
M.exe cd7722e668bab8732008fc21cd5c54c8 RAT Confuser .NET SMTP PWS[m] KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware Telegram PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs IP Check Tofsee DNS DDNS keylogger |
1
http://checkip.dyndns.org/
|
4
checkip.dyndns.org(158.101.44.242)
api.telegram.org(149.154.167.220)
132.226.247.73
149.154.167.220
|
7
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET HUNTING Telegram API Domain in DNS Lookup
|
|
9.0 |
M |
30 |
ZeroCERT
12635 |
2023-06-02 09:25
|
agodzx.doc f444eefc2067791f77e8dea8336ede2e MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
2
http://194.180.48.59/agodzx.exe
https://api.ipify.org/
|
5
api.ipify.org(173.231.16.76)
smtp.yandex.com(77.88.21.158)
194.180.48.59 - malware
77.88.21.158
104.237.62.211
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
30 |
ZeroCERT
12636 |
2023-06-02 09:23
|
Nano.exe cc23b614fd8b8174dabacc2c124742ca RAT Confuser .NET DNS AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself human activity check Windows DNS DDNS |
|
3
ezemnia3.ddns.net(197.210.227.232)
91.193.75.178
197.210.227.232
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
13.0 |
M |
25 |
ZeroCERT
12637 |
2023-06-02 09:23
|
ga.exe 384cc4b1c3c5d9bce6eb9b1c70e2c54a task schedule AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
|
|
9.4 |
M |
28 |
ZeroCERT
12638 |
2023-06-01 20:17
|
jokerzx.exe b944726a467c77d311c32460812cabbc Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://171.22.30.164/joker/five/fre.php
|
2
171.22.30.164 - malicious
45.128.234.54
|
5
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
|
|
14.0 |
|
32 |
ZeroCERT
12639 |
2023-06-01 20:15
|
NEV.exe e73ae25fc0adaafd0b7e6adbdc06683f AgentTesla browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate privileges KeyLogger ScreenShot AntiDebug AntiVM PE64 PE File Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Browser Email ComputerName DNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
178.237.33.50
45.128.234.54
185.65.134.166
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
15.0 |
|
19 |
ZeroCERT
12640 |
2023-06-01 20:15
|
seema.exe badf16b5411ab2ec95f1dd8cdbb02d8e Loki_b Loki_m Raccoon Stealer Gen1 Gen2 Generic Malware UPX Malicious Library Malicious Packer Socket DNS HTTP PWS[m] Http API Internet API KeyLogger ScreenShot AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Ransomware Windows Browser Email ComputerName Software crashed |
1
http://pcwizard.net/yz/mann/index.php
|
2
pcwizard.net(162.240.230.249)
162.240.230.249
|
2
ET MALWARE AZORult Variant.4 Checkin M2
ET MALWARE AZORult v3.2 Server Response M1
|
|
15.0 |
|
27 |
ZeroCERT
12641 |
2023-06-01 19:56
|
1.html 9b78bbb925f4d5e4fb3b19b1962674b9 Generic Malware Antivirus Hide_URL AntiDebug AntiVM Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://172.93.181.249/control/com.php?U=TEST22-PC-test22
|
1
172.93.181.249 - malicious
|
|
|
9.8 |
M |
|
ZeroCERT
12642 |
2023-06-01 19:46
|
1.html 9b78bbb925f4d5e4fb3b19b1962674b9 Generic Malware Antivirus Browser Info Stealer MachineGuid Code Injection Checks debugger exploit crash unpack itself installed browsers check Exploit Browser crashed |
|
|
|
|
3.6 |
M |
|
ZeroCERT
12643 |
2023-06-01 19:39
|
zpeu.exe 9dca43cb15d97693d2de73683804c5c7 NSIS Suspicious_Script_Bin UPX Malicious Library PE File PE32 DLL .NET DLL VirusTotal Malware AppData folder |
|
|
|
|
1.0 |
|
6 |
ZeroCERT
12644 |
2023-06-01 19:39
|
zp.exe 849acb6881494898ff4a18a4a0fbdb43 NSIS Suspicious_Script_Bin UPX Malicious Library PE File PE32 DLL PNG Format VirusTotal Malware AppData folder |
|
|
|
|
1.2 |
|
10 |
ZeroCERT
12645 |
2023-06-01 19:32
|
b66ssc.dotm 9a1cac28f716d2e660f2bd6297cd560b VBA_macro Generic Malware Antivirus UPX Malicious Library ZIP Format Word 2007 file format(docx) OS Processor Check PE File PE32 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself powershell.exe wrote suspicious process Windows Exploit ComputerName DNS Cryptographic key crashed |
2
http://91.107.210.207/tinytask.exe - rule_id: 33911
http://91.107.210.207/tinytask.exe
|
1
|
7
ET POLICY curl User-Agent Outbound
ET INFO Executable Download from dotted-quad Host
ET HUNTING curl User-Agent to Dotted Quad
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://91.107.210.207/tinytask.exe
|
9.2 |
|
14 |
ZeroCERT