13156 |
2023-05-18 09:28
Pzbrjg.js d52732ffa135c7c2cc206f066a095102 Generic Malware Admin Tool (Sysinternals etc ...) Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://162.252.172.54/9GQ5A8/KDsYoZsM
6.4 |
ZeroCERT
13157 |
2023-05-18 09:28
Fyhri.js 106d2d43f2f14aedca98a851814b6619 Generic Malware Admin Tool (Sysinternals etc ...) Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://158.255.213.181/miR/cjiLPpIT
6.4 |
ZeroCERT
13158 |
2023-05-18 09:09
secret_conversations.json 478b6a33ffb676add90e557000508d0a AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.8 |
guest
13159 |
2023-05-17 18:45
download.dotx 7dc2e663d849526f6aca2e62f8eb0cc8 ZIP Format Word 2007 file format(docx) |
0.4 |
ZeroCERT
13160 |
2023-05-17 18:21
TYV6YAYWOPEKI61Y.docx 7dc2e663d849526f6aca2e62f8eb0cc8 ZIP Format Word 2007 file format(docx) |
0.8 |
ZeroCERT
13161 |
2023-05-17 17:37
File_pass1234.7z 9148c9857f5d04b32829a649dda2f9bb PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee DNS |
6
http://5.181.80.133/api/tracemap.php - rule_id: 32661 http://85.208.136.10/api/tracemap.php - rule_id: 32662 http://208.67.104.60/api/tracemap.php - rule_id: 28876 http://www.maxmind.com/geoip/v2.1/city/me https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/
12
api.db-ip.com(104.26.4.15) db-ip.com(104.26.5.15) ipinfo.io(34.117.59.81) www.maxmind.com(104.17.215.67) 104.26.4.15 5.181.80.133 - mailcious 85.208.136.10 - mailcious 94.131.106.196 - mailcious 34.117.59.81 104.26.5.15 208.67.104.60 - mailcious 104.17.214.67
2
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3
http://5.181.80.133/api/tracemap.php http://85.208.136.10/api/tracemap.php http://208.67.104.60/api/tracemap.php
5.8 |
M |
ZeroCERT
13162 |
2023-05-17 17:34
itzdarth_crypted%281%29.exe 37c966c35a3a7e31650e555624b25455 PE File PE32 VirusTotal Malware suspicious privilege Checks debugger WMI unpack itself Windows utilities suspicious process Windows ComputerName Software crashed |
6.2 |
M |
23 |
ZeroCERT
13163 |
2023-05-17 17:33
123.exe de27e688202b4fc37b916962b4060c67 Loki_b Loki_m Gen1 UPX Malicious Library Malicious Packer Code injection AntiDebug AntiVM .NET EXE PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Tofsee Browser Email ComputerName DNS Software |
5
http://116.203.166.139/da3b70a6d41764717ff479f0edd50071
http://116.203.166.139/ - rule_id: 32755
http://116.203.166.139/config.zip
https://steamcommunity.com/profiles/76561199263069598 - rule_id: 32753
https://t.me/cybehost
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(184.30.190.183) - mailcious 116.203.166.139 - mailcious
149.154.167.99 - mailcious
23.34.107.26
4
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host ZIP Request
2
http://116.203.166.139/ https://steamcommunity.com/profiles/76561199263069598
16.2 |
M |
31 |
ZeroCERT
13164 |
2023-05-17 17:32
Uni.bat 6dc2a6dc1065e6407d580c08594267b8 Downloader Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot Anti_VM AntiDebug AntiVM suspicious privilege Check memory Checks debugger heapspray Creates shortcut unpack itself Windows utilities WriteConsoleW Windows ComputerName Cryptographic key |
3.6 |
ZeroCERT
13165 |
2023-05-17 09:52
w.vbs 9e6396c0f6372ad9dabf49ac46c37b19 Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper |
1
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
2
chongmei33.publicvm.com(103.47.144.68) - mailcious 103.47.144.68
4
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com) ET MALWARE WSHRAT CnC Checkin ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
1
http://chongmei33.publicvm.com:7045/is-ready
10.0 |
M |
26 |
ZeroCERT
13166 |
2023-05-17 09:50
w.vbs 9e6396c0f6372ad9dabf49ac46c37b19 Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper |
1
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
2
chongmei33.publicvm.com(103.47.144.68) - mailcious 103.47.144.68
4
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com) ET MALWARE WSHRAT CnC Checkin ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
1
http://chongmei33.publicvm.com:7045/is-ready
10.0 |
M |
26 |
ZeroCERT
13167 |
2023-05-17 09:34
csrsv.exe 13c6b003e4cd8319299a50a51e14a222 Ave Maria WARZONE RAT UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 JPEG Format DLL PE64 Malware download Amadey VirusTotal Malware AutoRuns PDB Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Windows Browser ComputerName DNS crashed |
2
http://95.214.26.53/J84hHFuefh2/index.php?scr=1 http://95.214.26.53/J84hHFuefh2/index.php
1
4
ET MALWARE Amadey CnC Check-In ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
9.8 |
M |
41 |
ZeroCERT
13168 |
2023-05-17 09:34
AtomLdr.dll 513eecac1e602be2a404f1d70719dffb DLL PE64 PE File VirusTotal Malware Checks debugger |
1.2 |
M |
17 |
ZeroCERT
13169 |
2023-05-17 09:28
MSPlayer.ps1 1df2d060ffe4c74396b26c9295769ffd Generic Malware Antivirus Check memory unpack itself |
0.6 |
ZeroCERT
13170 |
2023-05-17 09:23
doc.pdf 9a95e059d574d4c3bdd26627308e22b6 PDF ZIP Format Windows utilities Windows |
5
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip
1.4 |
ZeroCERT