13201 | 2023-05-16 10:35 | ZeroCERT
File: Guabsl.js
MD5: 370ad852dc41b1cdd740254c7b914f89
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (2):
http://109.172.45.8/fjNITpc/9MGzj
http://109.172.45.9/Leq/05qpZI6FMJD
Score: 6.2
13202 | 2023-05-16 10:22 | ZeroCERT
File: xboyxVersionxx.txt
MD5: 9e97c6197f0e42fae10fdb58559d0add
Tags: UPX Malicious Library Malicious Packer OS Processor Check DLL PE64 PE File VirusTotal Malware
Score: 1.0 | M | 28
13203 | 2023-05-16 09:28 | ZeroCERT
File: setup.exe
MD5: f24d0ab7527f3b1e184c410115e08b7b
Tags: RAT Generic Malware UPX Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 PNG Format MSOffice File OS Processor Check MZP Format DLL JPEG Format PE64 VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed
Hosts (6):
globalmanysoft.com(195.179.239.150) - malware makemymatch.site(162.0.229.248) iplogger.com(148.251.234.93) - mailcious 148.251.234.93 - mailcious 195.179.239.150 - malware 162.0.229.248 - mailcious
Alerts (4):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
Score: 9.2 | M | 48
13204 | 2023-05-16 09:25 | ZeroCERT
File: pmrs.exe
MD5: 680745c9ac98102b110edf80d89e08eb
Tags: PWS .NET framework RAT UPX OS Processor Check PE64 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces
Score: 2.2 | M | 39
13205 | 2023-05-16 09:22 | ZeroCERT
File: vbc.exe
MD5: eb5ee53f92ace8c899dd75b9af7a3ee8
Tags: PWS .NET framework RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
URLs: 1 (none listed)
Score: 3.0 | M | 36
13206 | 2023-05-16 09:20 | ZeroCERT
File: 321.exe
MD5: ac9b826b0329458eaad2ccb3fafcd7ff
Tags: Loki_b Loki_m Gen1 PWS .NET framework RAT Downloader UPX Malicious Library Malicious Packer Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger Scre VirusTotal Malware powershell Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AppData folder malicious URLs Tofsee ComputerName DNS
URLs (3):
http://116.203.166.139/c67d16317758867576bd28c19d9721ba
https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost
Hosts (6):
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.74.148.253) - mailcious 116.203.166.139
149.154.167.99 - mailcious
104.88.222.199
77.91.124.20 - malware
Alerts (3):
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
Score: 9.0 | M | 43
13207 | 2023-05-16 09:20 | ZeroCERT
File: YYYY%23%23%23%23%23%23%23%23%2...
MD5: 2b52e3645953f9c89870ecf02cf7c0c5
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (1):
http://geoplugin.net/json.gp
Hosts (5):
geoplugin.net(178.237.33.50) pops.mastercoa.co(184.75.223.195) 104.234.10.91 - malware 178.237.33.50 184.75.223.195
Alerts (7):
ET JA3 Hash - Remcos 3.x TLS Connection ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.0 | M | 30
13208 | 2023-05-16 09:18 | ZeroCERT
File: vbc.exe
MD5: 5be2f10437a6105706e880b53b89544a
Tags: AgentTesla browser info stealer Google Chrome User Data Downloader UPX Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Remcos Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed keylogger
URLs (1):
http://geoplugin.net/json.gp
Hosts (4):
geoplugin.net(178.237.33.50) pops.mastercoa.co(184.75.223.195) 178.237.33.50 184.75.223.195
Alerts (1):
ET JA3 Hash - Remcos 3.x TLS Connection
Score: 9.6 | M | -
13209 | 2023-05-16 09:17 | ZeroCERT
File: OAK%20FURNITURE%20UK%20APPLIAN...
MD5: e537a6993f1e0bad5e05ecdb7afae6bf
Tags: PDF
Score: - | M | -
13210 | 2023-05-16 09:16 | ZeroCERT
File: photo230.exe
MD5: bd745f43c090fd7fc5aeae0ec6b48d5a
Tags: RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Confuser .NET SMTP Code injection HTTP PWS[m] Http API Internet API AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6):
http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849 http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546 http://77.91.124.20/DSC01491/foto0174.exe - rule_id: 32623 http://77.91.124.20/DSC01491/fotocr23.exe - rule_id: 32624 http://77.91.124.20/store/games/index.php - rule_id: 32547 http://77.91.124.20/store/games/index.php
Hosts (2):
77.91.124.20 - malware 185.161.248.25 - malware
Alerts (6):
ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (5):
http://77.91.124.20/store/games/Plugins/cred64.dll http://77.91.124.20/store/games/Plugins/clip64.dll http://77.91.124.20/DSC01491/foto0174.exe http://77.91.124.20/DSC01491/fotocr23.exe http://77.91.124.20/store/games/index.php
Score: 21.6 | M | 33
13211 | 2023-05-16 09:15 | ZeroCERT
File: sesilezx.exe
MD5: dbeab62690e3177cd56f64428bf23c87
Tags: PWS .NET framework RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
Score: 2.4 | M | 34
13212 | 2023-05-16 09:13 | ZeroCERT
File: f3.ps1
MD5: 89e4c4555657c3cb10655bcfa51ab471
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
https://keiding.net/comnart.php
Score: 5.4 | M | 3
13213 | 2023-05-16 09:11 | ZeroCERT
File: f1.ps1
MD5: 7d6225d08a267f6ff0fcb4ca7245c7cd
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
http://193.233.233.92/index.php
Score: 5.4 | - | 2
13214 | 2023-05-16 09:10 | ZeroCERT
File: 1230.exe
MD5: 019cba45c206e0f3606dfb4382d054b1
Tags: RedlineRecordBreaker Gen1 Gen2 UPX Malicious Library VMProtect Malicious Packer PE File PE32 JPEG Format OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker MachineGuid Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser DNS
URLs (9):
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://185.181.10.208/ - rule_id: 28118 http://185.181.10.208/38d7d699697c9781f72fa487b05c8044 http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
Hosts: 1 (none listed)
Alerts (5):
ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Possible Generic Stealer Sending System Information
Rule-matched URLs: 1 (none listed)
Score: 7.4 | M | 30
13215 | 2023-05-16 09:09 | ZeroCERT
File: f2.ps1
MD5: 835bda23af56396c8ec4699742300bdf
Tags: Generic Malware Antivirus PowerShell powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
https://kenmillsengineering.com/rockuo.php
Score: 5.0 | - | -