12871 | 2023-05-26 10:22
Iwld.js | f1ff2b591247ec783db79f060c7df292
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (7):
http://214.143.82.176/ZcHk/hYiy
http://76.115.120.231/H/D2a
http://81.254.128.85/Ol/C0P
http://169.216.46.239/XE/Y
http://151.236.22.142/mQpWA8n/kxyj5
http://162.252.172.156/T3qnD/PXNuYAPR
http://158.255.213.72/W5O/TB9mkKe4Qzu
6.2 | - | 17 | ZeroCERT

12872 | 2023-05-26 10:22
Iksjyqny.js | ef0b4c4b31d3de1f1c786313f1f6e9bb
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (7):
http://214.143.82.176/ZcHk/hYiy
http://76.115.120.231/H/D2a
http://81.254.128.85/Ol/C0P
http://169.216.46.239/XE/Y
http://151.236.22.142/mQpWA8n/kxyj5
http://162.252.172.156/T3qnD/PXNuYAPR
http://158.255.213.72/W5O/TB9mkKe4Qzu
6.2 | - | 16 | ZeroCERT

12873 | 2023-05-26 10:22
Lufp.js | 4d48de20c83249d87d86996c607415fd
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (7):
http://214.143.82.176/ZcHk/hYiy
http://76.115.120.231/H/D2a
http://81.254.128.85/Ol/C0P
http://169.216.46.239/XE/Y
http://151.236.22.142/mQpWA8n/kxyj5
http://162.252.172.156/T3qnD/PXNuYAPR
http://158.255.213.72/W5O/TB9mkKe4Qzu
6.2 | - | 18 | ZeroCERT

12874 | 2023-05-26 09:39
fotocr05.exe | 73703dbc3a811109fe8f74fad8d9f0e9
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (2):
http://77.91.68.62/wings/game/Plugins/cred64.dll
http://77.91.68.62/wings/game/index.php
Hosts (2):
83.97.73.122 - malicious
77.91.68.62 - malware
Alerts (5):
ET MALWARE Amadey CnC Check-In
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
14.8 | M | 35 | ZeroCERT

12875 | 2023-05-26 09:36
clip64.dll | 547bae937be965d63f61d89e8eafb4a1
Tags: UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself
2.0 | M | 56 | ZeroCERT

12876 | 2023-05-26 09:34
BPP.exe | 4b62cded4bd964e8d53d3787e4c35e74
Tags: PWS .NET framework Admin Tool (Sysinternals etc ...) KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1):
Hosts (2):
api.ipify.org(173.231.16.76)
104.237.62.211
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 42 | ZeroCERT

12877 | 2023-05-26 09:32
fotocr05.exe | 180bd09c76ac2ffe9d1666a2e67014ef
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (2):
http://77.91.68.62/wings/game/Plugins/cred64.dll
http://77.91.68.62/wings/game/index.php
Hosts (2):
83.97.73.122 - malicious
77.91.68.62 - malware
Alerts (5):
ET MALWARE Amadey CnC Check-In
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
14.8 | M | 35 | ZeroCERT

12878 | 2023-05-26 09:32
72345877550736152487.bin | 34a210904bca96c8fa9e37255211463a
Tags: UPX Malicious Library OS Processor Check PE File PE32 DNS
Hosts (1):
2.2 | - | - | ZeroCERT

12879 | 2023-05-26 09:32
Medusa-2.exe | 4c213248be08249f75b68d85dcdf3365
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Check memory buffers extracted unpack itself IP Check Tofsee Ransomware Browser ComputerName DNS
Hosts (3):
api.ipify.org(104.237.62.211)
79.137.203.39
104.237.62.211
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Protocol detection skipped
5.8 | M | 22 | ZeroCERT

12880 | 2023-05-26 09:30
foto495.exe | e09051927ec47af8b01ec79d5548c7be
Tags: Gen1 Emotet PWS .NET framework RAT UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Confuser .NET CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (2):
http://77.91.68.62/wings/game/Plugins/cred64.dll
http://77.91.68.62/wings/game/index.php
Hosts (3):
83.97.73.122 - malicious
77.91.68.62 - malware
185.225.74.112
Alerts (6):
ET MALWARE Amadey CnC Check-In
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
14.8 | M | 36 | ZeroCERT

12881 | 2023-05-26 09:30
build9.exe | 2c5a75b7d24847bc5d206adb5c630a18
Tags: PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
http://163.123.142.235:61068/
https://api.ip.sb/geoip
Hosts (3):
api.ip.sb(104.26.13.31)
163.123.142.235
104.26.13.31
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
7.4 | M | 58 | ZeroCERT

12882 | 2023-05-26 09:29
IE_NET.exe | 038cfde5d531e51f39388d24c70e34e9
Tags: Loki .NET EXE PE File PE32 LokiBot Malware download VirusTotal Malware c&c PDB Malicious Traffic Check memory Checks debugger unpack itself DNS
URLs (1):
http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
Hosts (1):
185.246.220.85 - malicious
Alerts (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
Additional URLs (1):
http://185.246.220.85/fresh/five/fre.php
4.2 | M | 38 | ZeroCERT

12883 | 2023-05-26 09:18
TEMP_CACHE.exe | 9dae5ebee8904addaff745946ade5d9c
Tags: AgentTesla browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate privileges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic unpack itself suspicious process Windows ComputerName DNS Cryptographic key DDNS
URLs (1):
http://geoplugin.net/json.gp
Hosts (4):
geoplugin.net(178.237.33.50)
pekonomia.duckdns.org()
178.237.33.50
185.225.74.112
Alerts (3):
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
10.6 | M | 38 | ZeroCERT

12884 | 2023-05-26 09:16
update | 3e2fa17fe889c35fb284cd3dda93220c
Tags: OS Processor Check ZIP Format
- | - | - | ZeroCERT

12885 | 2023-05-26 09:14
petercodyzx.exe | e466877037de62f5262670bc43e57b83
Tags: Loki_b Loki_m Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://185.246.220.60/petercody/five/fre.php
Hosts (1):
185.246.220.60 - malicious
Alerts (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
13.6 | M | 31 | ZeroCERT