13126 | 2023-05-19 15:15 |
2.exe 294fab1523dc3b50cbcc120e67946a5b UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware DNS |
1
139.196.224.137 - malware |
3.4 | M | 56 | guest
13127 | 2023-05-19 12:29 |
http://5.34.178.166/pixel.gif d89746888da2d9510b64a9f031eaecd5 Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate privileges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
http://5.34.178.166/favicon.ico http://5.34.178.166/pixel.gif |
1 |
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
5.2 | BRY
13128 | 2023-05-19 10:44 |
96d2a306fe192ca9__e5azbew.dll dd68d626a562cf34f8051a53d16fcb89 .NET DLL DLL PE File PE32 PDB |
0.2 | ZeroCERT
13129 | 2023-05-19 10:33 |
1300.exe f3b80e952acfb2c3df34987be8b79b7a RedLine stealer[m] PWS .NET framework Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
1 |
10.6 | M | 33 | ZeroCERT
13130 | 2023-05-19 10:31 |
phcs05_r.bin 2da5816578795be004ad5d4190276a7f RAT AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
4.0 | 12 | ZeroCERT
13131 | 2023-05-19 10:31 |
runlastrun.ps1 81424820bdf139b1fe3de3faa4e98ae6 Generic Malware Antivirus .NET DLL DLL PE File PE32 VirusTotal Malware Check memory buffers extracted Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW Windows Cryptographic key crashed |
1
https://drive.google.com/uc?export=download&id=1GUfzCH1FsSSQZ_Xf8HwOLgqhsygBTnK9&confirm=t |
4.4 | 8 | ZeroCERT
13132 | 2023-05-19 10:31 |
runrunlastrun.vbs 9e2d09f47cc48dd3e84205376a8f9ecb Antivirus VirusTotal Malware AutoRuns MachineGuid WMI Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName |
1
https://drive.google.com/uc?export=download&id=1wKzc_xz_qdqDWnIrCl3KmMpXFFKaEsG8&confirm=t |
6.4 | 18 | ZeroCERT
13133 | 2023-05-19 01:22 |
verticalScroll.xml af484e7ba504dca73f2b485c0b6ce336 AntiDebug AntiVM MSOffice File Code Injection buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed |
4.6 | BRY
13134 | 2023-05-18 17:49 |
FFF%23%23%23%23%23%23%23%23%23... 9ca19a2bb25f1dcc1e663820ef9903e1 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed Downloader |
1
http://192.227.228.120/55/vbc.exe |
1
192.227.228.120 - malware |
3
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
5.0 | M | 33 | ZeroCERT
13135 | 2023-05-18 17:36 |
GGG%23%23%23%23%23%23%23%23%23... 01c2fe220d602996255a3760b10a1219 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed Downloader |
1
http://192.227.228.120/60/vbc.exe |
1
192.227.228.120 - malware |
3
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
5.0 | M | 33 | ZeroCERT
13136 | 2023-05-18 15:41 |
cryptoistic.bin d41d8cd98f00b204e9800998ecf8427e AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.4 | guest
13137 | 2023-05-18 10:48 |
vbc.exe 59f9df6fb26fb1a5c6343a443075649b Formbook Malicious Library PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic unpack itself DNS |
34
|
19
4
ET INFO Observed DNS Query to .life TLD ET INFO HTTP Request to Suspicious *.life Domain ET INFO HTTP Request to a *.buzz domain ET MALWARE FormBook CnC Checkin (GET) |
18
2.4 | M | ZeroCERT
13138 | 2023-05-18 09:58 |
buggzx.exe d29862a821bc742d24c346287c79ca1a Loki_b Loki_m PWS .NET framework Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/bugg/five/fre.php |
2
137.220.225.73 185.246.220.60 - malicious |
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response |
15.0 | M | 31 | ZeroCERT
13139 | 2023-05-18 09:58 |
jjjj%23%23%23%23%23%23%23%23%2... f2af555f26393f34180a3845e92ba1cb Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
22
|
20
13
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO HTTP Request to Suspicious *.life Domain ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET INFO Packed Executable Download ET MALWARE FormBook CnC Checkin (POST) M2 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Observed DNS Query to .life TLD ET INFO HTTP Request to a *.buzz domain ET MALWARE FormBook CnC Checkin (GET) |
2
http://www.towfire.life/f619/ http://www.towfire.life/f619/ |
4.0 | M | ZeroCERT
13140 | 2023-05-18 09:54 |
papilazx.exe 589fc2b85730cb3a14c1ba64b8a4693d PWS .NET framework Anti_VM .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS |
1 |
3.2 | M | 40 | ZeroCERT