12721 |
2023-05-31 09:24
|
smss.exe 2245ba729d9b9cb1ee2be35a736ddc41 AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD Windows DNS Cryptographic key |
17
http://www.gnhxxiazai03.com/ogeb/ http://www.nicejunq.com/ogeb/ http://www.ketocanadmqy.cloud/ogeb/?bxi74=JCW7LwLHnn7ptjGjE5oXohZmdFlQQ26ARwAmaoNxO6ijvQN7ubUT60jiWusc3p3YeBdlnORuW+NtBTBOf6MBl7CRUR/NRW0MRl+FZL4=&o8bM8Y=mC6Fz9X http://www.nicejunq.com/ogeb/?bxi74=61GncP3LZGSS1NuGOhw0w9YAjVqrgaXoImnMpoqiHfpClz+VkHF1OaSSbCiQjyR+WlMAeIDV0LjpJ/XsdXKhboCqPvNVkna3o/MBoBk=&o8bM8Y=mC6Fz9X http://www.drstephaniebest.com/ogeb/ http://www.leshka-toshka.online/ogeb/?bxi74=4xJFBi83yuCWQTg1R7enaC8sAI3TwmAnunqTW0cjUxnI3KAIzjWKdfadqKDZVGZvYS6fPo1uY6Pd56JHimllWTXrUXfW4LGJi0zBJhk=&o8bM8Y=mC6Fz9X http://www.r1146.xyz/ogeb/?bxi74=hQC9FzST15eBXJ4J4T0DlrZN3V4nndOGJI8rCOq0KQaVihaPabvY2aUaE4N/PK/Cku54qUwIUhcWHwQfhhinhH5BJGjDnxoo3iDp4OU=&o8bM8Y=mC6Fz9X http://www.ketocanadmqy.cloud/ogeb/ http://www.drstephaniebest.com/ogeb/?bxi74=+v0OuBHGG6cw5ZwrQCjmtsYbU4xaGL5HoMfXaXw9oSi2F/e6KL+7wkfrHW9mkq7nBIGbSiwCyL8lMMQd9mW+kFWaqBx5WK5Isw5ml80=&o8bM8Y=mC6Fz9X http://www.poshkits.info/ogeb/ http://www.gnhxxiazai03.com/ogeb/?bxi74=wBih4ktWfPNsySsqn3uI1HmQOkxE78XnlLTDvxJFz8Ksfyo9cnxjh72KIWiVUUXAXHwdyJ5YpLQGYf4Z+A02Vjn9hAcAu81BvwPbwlI=&o8bM8Y=mC6Fz9X http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip http://www.poshkits.info/ogeb/?bxi74=AqRXXMRheGbbuzNJ7gUd3ELHirevyxJNjMj6aH1i+QGnsBV8j36ZsXkdOVofclXLXJuwnJ0etyY1DKNGveWcGaTGb3YRrubSnMygGeg=&o8bM8Y=mC6Fz9X http://www.r1146.xyz/ogeb/ http://www.leshka-toshka.online/ogeb/ http://www.fb99vn.com/ogeb/?bxi74=OXN+k+OlhXjl96bKh2NTgPCFs15ire34/TTevHac9SK8WXddN+80UbpDpODSd5z2qlIY7v82+nyluTO39li1mIxMKX8Jb/R8tbta/VI=&o8bM8Y=mC6Fz9X http://www.fb99vn.com/ogeb/
|
18
www.r1146.xyz(104.21.44.192) www.gnhxxiazai03.com(20.255.200.185) www.ketocanadmqy.cloud(195.161.62.100) www.nicejunq.com(91.195.240.123) www.drstephaniebest.com(198.185.159.145) www.leshka-toshka.online(194.58.112.174) www.fb99vn.com(104.21.12.203) www.poshkits.info(162.0.231.6) www.pymhn.top() 20.255.200.185 91.195.240.123 162.0.231.6 194.58.112.174 - mailcious 172.67.153.64 45.33.6.223 198.185.159.144 - mailcious 195.161.62.100 104.21.44.192
|
3
ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
8.4 |
M |
40 |
ZeroCERT
12722 |
2023-05-31 09:24
|
jijijijijjijijijijiijiji%23%23... e4ca6a35d8419838d19df794b67b0548 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://141.98.6.22/ti/mFxjD104.bin
http://45.66.230.128/214/INTERNET.exe
|
2
141.98.6.22 - malware
45.66.230.128 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Generic .bin download from Dotted Quad
|
|
4.6 |
M |
35 |
ZeroCERT
12723 |
2023-05-31 09:23
|
netTime.exe 01ec31a1ad9fed1136bd9e7f3c164ffc Gen2 Gen1 PWS .NET framework RAT Generic Malware UPX Malicious Packer Antivirus OS Processor Check PE64 PE File VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
5.8 |
M |
23 |
ZeroCERT
12724 |
2023-05-31 09:21
|
INTERNET.exe a83e6f2744a3e36adcbfe8065fb1629d UPX Malicious Library PE File PE32 PNG Format DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
3.6 |
M |
28 |
ZeroCERT
12725 |
2023-05-31 09:20
|
ogumbgejapxd.exe debdaacd07fee04f25870cbcaf1b09e0 Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware crashed |
|
|
|
|
1.2 |
M |
32 |
ZeroCERT
12726 |
2023-05-31 09:20
|
95.214.25.234:3002 fbe308a5e648c419b03b10f911af7a4d UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
28 |
ZeroCERT
12727 |
2023-05-31 09:19
|
jtjtjtjjtjtjtjjtjtjtjjtjtjjtj%... d5f1fcbea622e3a99638f18a06493af3 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
10
http://www.primertex.info/58iu/ http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip http://www.mybizcampus.com/58iu/?vPBkB=n4I2gyt72ynynF6LKm+0L2L9XheF+lIDfnI0wl55O5CEHIjFwqQexYWPpCMljcFYlSBPAYnuykZe0ixggT2PNwh0vNReLujfO2/G1M0=&bN=N-XMUPS_gNJK15NB http://www.coeyhomes.com/58iu/?vPBkB=g8AGk9052DI15ZhqRxsDKoYkNS+Lmvu67VCWOAavJHZXtgq7pnrSalZIKTWYJ+xQ4fWQe3AtxgwoAg+Ti0mG6AVL9kgueCR5f3l5kG4=&bN=N-XMUPS_gNJK15NB http://www.mybizcampus.com/58iu/ http://www.hellohair-shop.com/58iu/ http://www.coeyhomes.com/58iu/ http://www.primertex.info/58iu/?vPBkB=h2e7CRWdoRklCyaTqB+MDb2aHZccbH/4IwvBjoUvgW8ixCfQL+JJs2gmgMgdeJEgMQU67scWasevx+7SHHcDR89wlcAkDpgCZdQJjhs=&bN=N-XMUPS_gNJK15NB http://43.230.202.16/320/INTERNET.exe http://www.hellohair-shop.com/58iu/?vPBkB=hR5kBTe30httiVLTb0ybHIvQwz9Kr92HtscTuFtNEeI504g0garaAdIS9g9ByQ9XC1ZMTeL7yQYb+qdQvwhCS0RkAcp6bteZ/1B4GaI=&bN=N-XMUPS_gNJK15NB
|
10
www.mybizcampus.com(74.208.236.102) www.hellohair-shop.com(81.169.145.88) www.coeyhomes.com(208.91.197.39) www.primertex.info(198.177.123.198) 208.91.197.39 - mailcious 198.177.123.198 74.208.236.102 45.33.6.223 81.169.145.88 - mailcious 43.230.202.16 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET)
|
|
5.0 |
M |
34 |
ZeroCERT
12728 |
2023-05-31 09:18
|
tg.exe da5b8144aed2113cdd7df3f3c164fb0b UPX Malicious Library ScreenShot AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted RWX flags setting unpack itself crashed |
|
|
|
|
7.4 |
M |
39 |
ZeroCERT
12729 |
2023-05-31 09:15
|
IE_NET.exe 67db8431a355d41b2fbc33bb22065990 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
1.8 |
M |
29 |
ZeroCERT
12730 |
2023-05-31 09:15
|
tititititiitititititi%23%23%23... 52a40a96fd119c25e2e6c945c2dd64b2 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
1
http://43.230.202.16/310/INTERNET.exe
|
3
api.telegram.org(149.154.167.220) 43.230.202.16 - mailcious 149.154.167.220
|
9
ET HUNTING Telegram API Domain in DNS Lookup ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
35 |
ZeroCERT
12731 |
2023-05-31 09:13
|
smss.exe c044a0d5c30ed978cc2fdde590e037ec NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
4.2 |
|
42 |
ZeroCERT
12732 |
2023-05-31 09:13
|
INTERNET.exe 6a0226121465d952589d6e5d2d2ecc4a RAT UPX .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.6 |
|
16 |
ZeroCERT
12733 |
2023-05-31 07:40
|
tomPayload.vbs ed9d50c49eec449622373db6959f9186 Formbook Generic Malware Antivirus PowerShell VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.2 |
|
7 |
ZeroCERT
12734 |
2023-05-31 07:38
|
translate.res 92d994be99ea43c121ac4f4ddfacbf75 UPX Malicious Library RTF File doc OS Processor Check DLL PE File PE32 VirusTotal Malware buffers extracted RWX flags setting exploit crash AppData folder Exploit crashed |
|
|
|
|
3.2 |
M |
34 |
ZeroCERT
12735 |
2023-05-31 07:20
|
plugmanzx.doc bf084f461abb357afd8a709cbced50da MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed |
1
http://194.180.48.59/plugmanzx.exe
|
3
jasonbourneblack.ddns.net(141.98.6.167) 194.180.48.59 - malware
141.98.6.167
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY DNS Query to DynDNS Domain *.ddns .net ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.8 |
M |
29 |
ZeroCERT