12646 | 2023-06-01 19:30 |
tinytask.exe a27b6bfb8e6aef454395cbab2bdf7cd1 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution |
2.0 | | 30 | ZeroCERT
12647 | 2023-06-01 19:27 |
1.html 9b78bbb925f4d5e4fb3b19b1962674b9 Antivirus AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities Windows Exploit DNS crashed |
3.4 | M | | ZeroCERT
12648 | 2023-06-01 19:03 |
debug2.ps1 46cf994717e626f92b1f5ff690993115 Generic Malware Antivirus Malware powershell Malicious Traffic Check memory unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
1 | http://195.123.210.154/index.php?id=&subid=NGpiUQ8D
1 |
4.6 | | | ZeroCERT
12649 | 2023-06-01 18:54 |
dbupdater.exe e492ef9e7d6d861edf1504b28e27d2a1 RAT Antivirus PWS[m] AntiDebug AntiVM PE64 PE File Browser Info Stealer Malware download VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications suspicious process installed browsers check SectopRAT Windows Browser Backdoor ComputerName DNS Cryptographic key crashed |
2 | 198.37.105.166; 162.55.188.246 - malicious
1 | ET MALWARE Arechclient2 Backdoor CnC Init
12.2 | M | 45 | ZeroCERT
12650 | 2023-06-01 18:53 |
hkcmd.exe 9873e852255d7cf574e63a26db070fe9 Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1 | http://171.22.30.164/fred1/five/fre.php - rule_id: 33826
1 | 171.22.30.164 - malicious
7 | ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
1 | http://171.22.30.164/fred1/five/fre.php
14.0 | M | 19 | ZeroCERT
12651 | 2023-06-01 18:51 |
wasx.exe 5d278b330412fc5f0b05a6168e4663f7 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Malware download AveMaria NetWireRC VirusTotal Malware AutoRuns MachineGuid Check memory Creates executable files unpack itself AppData folder Windows RAT ComputerName DNS DDNS |
2 | osairus.duckdns.org(198.37.105.166) - malicious; 198.37.105.166
4 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound); ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
4.8 | M | 43 | ZeroCERT
12652 | 2023-06-01 18:51 |
ventascry.exe 8a1e832674033cb7fdd73a8cf55971fd NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
2 | mail.jewelryprototyping.it(85.234.151.49); 85.234.151.49
2 | SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 45 | ZeroCERT
12653 | 2023-06-01 18:49 |
U2th5k1keGkDeMw.exe c31cedc1de555c98a1651123b8ed5262 PWS .NET framework AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key crashed |
9.6 | M | 44 | ZeroCERT
12654 | 2023-06-01 18:49 |
postmon.exe 3661cbaa14b2974e5f1c228da71b3375 Generic Malware UPX Malicious Library Malicious Packer Antivirus OS Processor Check PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS Cryptographic key |
9 |
https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1
https://transparenciacanaa.com.br/cidadejunina/js/vendor/dd_64.exe
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc2.exe
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc3.exe
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc4.exe
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc5.exe
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc1.php
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc2.php
https://transparenciacanaa.com.br/cidadejunina/js/vendor/cc3.php
3 | transparenciacanaa.com.br(162.214.154.198) - malware; 162.214.154.198 - malware; 91.228.10.173
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
10.0 | M | 55 | ZeroCERT
12655 | 2023-06-01 18:47 |
dd.exe 6ea6237fd00b52f59dbb5ad00f11bd9d NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns MachineGuid Check memory buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Interception Windows Browser RAT Email ComputerName DNS DDNS keylogger |
5 | killabean.duckdns.org(91.228.10.173); www.google.com(142.250.207.100); 142.250.66.132; 91.228.10.173; 5.206.225.104 - malware
4 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound); ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
10.2 | M | 45 | ZeroCERT
12656 | 2023-06-01 18:47 |
hkcmd.exe 3886543756ea33919998f174524fcd94 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution |
2.0 | M | 35 | ZeroCERT
12657 | 2023-06-01 18:45 |
hkcmd.exe 667ee35c50d1fa03505b45d7937f97b1 Formbook Generic Malware Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
8.8 | M | 39 | ZeroCERT
12658 | 2023-06-01 18:45 |
red.exe 0ef0b387d96b77ca009418bc15815470 PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer RedLine FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
3 |
http://141.98.6.177:1334/
https://api.ip.sb/geoip
https://filebin.net/xngdjk0mz4ucyvub/Jhfykdpo.exe
5 | filebin.net(185.47.40.36) - malware; api.ip.sb(104.26.12.31); 141.98.6.177; 104.26.13.31; 185.47.40.36 - malware
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response; ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound; ET INFO TLS Handshake Failure; SURICATA HTTP unable to match response to request
8.0 | M | 56 | ZeroCERT
12659 | 2023-06-01 18:43 |
iotiotiotiotiot%23%23%23%23%23... e3101de05d22e582999e4038323fc672 Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
2 | http://103.133.104.112/98/hkcmd.exe; http://171.22.30.164/fred1/five/fre.php - rule_id: 33826
2 | 171.22.30.164 - malicious; 103.133.104.112 - malicious
12 | ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
1 | http://171.22.30.164/fred1/five/fre.php
5.4 | M | 33 | ZeroCERT
12660 | 2023-06-01 18:42 |
Fecurity.exe 5bad484faa7a3f0756ace3a182b3f258 RedLine stealer[m] UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications WriteConsoleW installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1 |
1 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init
10.2 | M | 49 | ZeroCERT