13081 |
2023-05-22 16:19
|
Satan_AIO.exe c8c82a0f0ee038fddb54cbf156f2e300 Malicious Library Malicious Packer VMProtect PE64 PE File VirusTotal Malware Checks debugger DNS crashed |
|
1
|
|
|
3.0 |
|
30 |
ZeroCERT
13082 |
2023-05-22 16:19
|
WindowsApp6.exe 5681f190a1d7c696efa487fa0100e96b Formbook .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
5.0 |
M |
59 |
ZeroCERT
13083 |
2023-05-22 16:18
|
jawazx.exe 0cf0d018debfce1695e34759289e31db AgentTesla PWS .NET framework browser info stealer Google Chrome User Data Downloader Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS keylogger |
1
http://geoplugin.net/json.gp
|
3
geoplugin.net(178.237.33.50) 45.81.243.246 178.237.33.50
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
10.4 |
|
41 |
ZeroCERT
13084 |
2023-05-22 16:17
|
xmrig32.exe cc20a54b21aac972382d5ad53f67e91b Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
1.4 |
|
59 |
ZeroCERT
13085 |
2023-05-22 09:09
|
goat.dll 78b53767df514a3d25aed7b2befbf562 UPX Malicious Library OS Processor Check DLL PE64 PE File Checks debugger unpack itself ComputerName DNS crashed |
|
5
214.43.249.250 2.228.251.38 57.182.80.190 92.119.178.40 - mailcious 62.4.213.138
|
|
|
3.8 |
|
|
ZeroCERT
13086 |
2023-05-22 09:04
|
Updates%20Windows.exe 05ea0aa586cd127894ff0bd65566254c Loki_b Loki_m PWS .NET framework RAT UPX Code injection PWS[m] AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Telegram AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
3
https://steamcommunity.com/profiles/76561199501059503
https://t.me/mastersbots
http://185.254.37.108/Luibkj.dll
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.200.235.107) - mailcious 149.154.167.99 - mailcious
23.37.146.163
185.254.37.108 - mailcious
|
4
ET INFO Dotted Quad Host DLL Request ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
50 |
ZeroCERT
13087 |
2023-05-22 09:03
|
ilillil%23%23%23%23%23%23%23%2... f83050a49383b5c615b9a84543254f4e MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash Exploit DNS crashed Downloader |
1
http://104.234.10.91/441/vbc.exe
|
1
|
3
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
4.4 |
M |
28 |
ZeroCERT
13088 |
2023-05-22 09:02
|
whiteezx.exe 2608ea96bd6424120c20e6594827f844 Formbook PWS .NET framework Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
2
http://www.kd-quilts.com/pr29/?v4=wXyY+y/V+y1/AnxM16dRfRBuxbe/Yr8e2DlPMb8DPd7MrVB1Ku0tny0zWEj61KI8d3SuNV54&nt=V48HiDzp http://www.datings69.com/pr29/?v4=iWIxv15JsrJJkCjZ8Z2o3kuz+1NpAQWXASqKJKsuslEEMxeXMyCRxey2t2zedcxZSr3jS5XB&nt=V48HiDzp
|
4
www.datings69.com(172.67.150.74) www.kd-quilts.com(199.115.116.43) 104.21.88.25 70.32.1.32 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.6 |
M |
52 |
ZeroCERT
13089 |
2023-05-22 08:59
|
ne983n8sn3lks3.exe a96ac42f9ccc7d11663f2741d5dfe930 BlackMatter Ransomware PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
57 |
ZeroCERT
13090 |
2023-05-22 08:57
|
dollzx.exe c38d1fa73b3535dda6bae5e604f88143 SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
1
|
2
api.ipify.org(64.185.227.155) 104.237.62.211
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
49 |
ZeroCERT
13091 |
2023-05-22 08:55
|
vbc.exe d0e186f273092a0c6a005cd1c46555bc Loki Loki_b Loki_m Formbook DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.85/fresh/five/fre.php - rule_id: 28273
|
1
185.246.220.85 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
1
http://185.246.220.85/fresh/five/fre.php
|
13.8 |
M |
52 |
ZeroCERT
13092 |
2023-05-22 08:53
|
philipzx.exe d7ea3fda5afa8b48c063216fdbc0c1a3 RedLine stealer[m] PWS .NET framework PWS[m] Anti_VM BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://45.12.253.208:3030/ https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172) 104.26.12.31 45.12.253.208
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
13.0 |
M |
48 |
ZeroCERT
13093 |
2023-05-22 08:53
|
vbc.exe 67600a2cf6e129d8883d76799561df02 PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
2
api.telegram.org(149.154.167.220) 149.154.167.220
|
4
ET INFO TLS Handshake Failure ET HUNTING Telegram API Domain in DNS Lookup ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
43 |
ZeroCERT
13094 |
2023-05-22 08:53
|
Inv(05-19)Copy#18-54-15.js 89cde9b78c827ce1e542fddcdafce3a9 VirusTotal Malware VBScript wscript.exe payload download unpack itself Tofsee crashed Dropper |
1
https://qaswrahc.com/wp-content/out/mn.php
|
2
qaswrahc.com(68.66.248.36) - malware 68.66.248.36 - malware
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
2 |
ZeroCERT
13095 |
2023-05-22 08:51
|
obizx.exe ac23a0048ca9e25149a3651cf9688e31 PWS .NET framework Formbook PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
1
|
2
api.ipify.org(173.231.16.76) 104.237.62.211
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
M |
48 |
ZeroCERT