13336 | 2023-05-11 18:48 | ZeroCERT
File: SecHorST.exe (MD5 bec821cc9ca7762dd50f48d0cf4344cd)
Tags: Generic Malware UPX Malicious Library OS Processor Check MZP Format PE File PE32 PE64 VirusTotal Malware Checks debugger unpack itself AppData folder AntiVM_Disk VM Disk Size Check
Score: 3.0 | M | 34

13337 | 2023-05-11 18:46 | ZeroCERT
File: HalogenSySCheck.exe (MD5 1987b8ce233909021e877ea3408ccb70)
Tags: RAT .NET EXE PE File PE32 VirusTotal Malware Telegram Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS crashed
Hosts (2):
api.telegram.org(149.154.167.220)
149.154.167.220
Alerts (4):
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.8 | M | 29

13338 | 2023-05-11 18:44 | ZeroCERT
File: frank.jpg (MD5 b087d2cba334e315c16c893e0709b14c)
Tags: PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key crashed
Hosts (1):
89.23.107.125 - mailcious
Score: 7.0 | M | 53

13339 | 2023-05-11 18:42 | ZeroCERT
File: Build1.exe (MD5 bfaa027a645e567824a10a26fb8dbefd)
Tags: RAT Emotet PWS .NET framework Loki_b UPX .NET EXE PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows ComputerName DNS Cryptographic key
URLs (15):
http://94.142.138.111/concerts/2.php
http://94.142.138.111/concerts/13.php
http://94.142.138.111/concerts/10.php
http://ip-api.com/json/
http://94.142.138.111/concerts/9.php
http://94.142.138.111/concerts/11.php
http://94.142.138.111/concerts/8.php
http://94.142.138.111/concerts/6.php
http://94.142.138.111/concerts/4.php
http://94.142.138.111/concerts/1.php
http://94.142.138.111/concerts/12.php
http://94.142.138.111/concerts/7.php
http://94.142.138.111/concerts/5.php
http://ipwhois.app/xml/
http://94.142.138.111/concerts/3.php
Hosts (5):
ipwhois.app(103.126.138.87)
ip-api.com(208.95.112.1)
103.126.138.87
94.142.138.111 - malware
208.95.112.1
Alerts (5):
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY External IP Lookup ip-api.com
Score: 6.6 | M | 35

13340 | 2023-05-11 18:42 | ZeroCERT
File: Build-1S.exe (MD5 e695b8888af3b57f1a56961bd289463c)
Tags: Emotet PWS .NET framework Loki_b RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Windows ComputerName DNS Cryptographic key
URLs (15):
http://94.142.138.111/concerts/2.php
http://94.142.138.111/concerts/13.php
http://94.142.138.111/concerts/10.php
http://ip-api.com/json/
http://94.142.138.111/concerts/9.php
http://94.142.138.111/concerts/11.php
http://94.142.138.111/concerts/8.php
http://94.142.138.111/concerts/6.php
http://94.142.138.111/concerts/4.php
http://94.142.138.111/concerts/1.php
http://94.142.138.111/concerts/12.php
http://94.142.138.111/concerts/7.php
http://94.142.138.111/concerts/5.php
http://ipwhois.app/xml/
http://94.142.138.111/concerts/3.php
Hosts (5):
ipwhois.app(103.126.138.87)
ip-api.com(208.95.112.1)
103.126.138.87
94.142.138.111 - malware
208.95.112.1
Alerts (1):
ET POLICY External IP Lookup ip-api.com
Score: 5.6 | M | 54

13341 | 2023-05-11 18:42 | ZeroCERT
File: QQQQ%23%23%23%23%23%23%23%23%2... (MD5 f908218ac1828a12fb1972d54fddf1ec)
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed Downloader
URLs (1):
http://23.94.206.76/140/vbc.exe
Hosts (2):
162.19.139.184 - mailcious
23.94.206.76 - malware
Alerts (3):
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Score: 4.6 | M | 30

13342 | 2023-05-11 18:42 | ZeroCERT
File: Build2.exe (MD5 2746fd51855e750aa6b52dd72bca0cb0)
Tags: RAT .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1): none listed
Score: 2.0 | M | 18

13343 | 2023-05-11 18:41 | ZeroCERT
File: AnyDesk.exe (MD5 1c6e08b5f03c0c7d1455f082b1b02c64)
Tags: Gen1 Generic Malware UPX Malicious Library Antivirus Malicious Packer OS Processor Check PE File PE32 DLL Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Windows Browser RAT Email ComputerName DNS Cryptographic key
Hosts (3):
microsoft.com(20.81.111.85)
20.112.52.29
190.2.142.239
Alerts (2):
ET MALWARE Warzone RAT Response (Inbound)
SURICATA Applayer Detect protocol only one direction
Score: 12.4 | M | 52

13344 | 2023-05-11 18:40 | ZeroCERT
File: tst2.exe (MD5 092d064fa7c8b7c292462d00eb149265)
Tags: Malicious Library PE64 PE File Cryptocurrency Miner Cryptocurrency DNS
Hosts (2):
xmr.2miners.com(162.19.139.184) - mailcious
162.19.139.184 - mailcious
Alerts (2):
ET POLICY Cryptocurrency Miner Checkin
ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
Score: 0.4 | M

13345 | 2023-05-11 09:21 | ZeroCERT
File: NDA_D753_May_10.wsf (MD5 8624646d76bcbcc599c9321fb06cddd1)
Tags: Malware VBScript Malicious Traffic WMI heapspray wscript.exe payload download ComputerName DNS Dropper
URLs (6):
http://45.155.37.101/a3hdJG9pj.dat
http://5.42.221.144/a3hdJG9pj.dat
http://91.193.16.139/a3hdJG9pj.dat
http://144.208.127.242/a3hdJG9pj.dat
http://207.148.14.105/a3hdJG9pj.dat
http://149.102.225.18/a3hdJG9pj.dat
Hosts (6):
45.155.37.101 - mailcious
144.208.127.242 - mailcious
149.102.225.18 - mailcious
91.193.16.139 - mailcious
5.42.221.144 - mailcious
207.148.14.105 - mailcious
Score: 10.0

13346 | 2023-05-11 09:21 | ZeroCERT
File: NDA_D673_May_10.wsf (MD5 883bbc5030fbf590ef98edc18c49565b)
Tags: Malware VBScript Malicious Traffic WMI heapspray wscript.exe payload download ComputerName DNS Dropper
URLs (6):
http://45.155.37.101/ac3Trg8kqFxJaVW.dat
http://5.42.221.144/ac3Trg8kqFxJaVW.dat
http://91.193.16.139/ac3Trg8kqFxJaVW.dat
http://144.208.127.242/ac3Trg8kqFxJaVW.dat
http://207.148.14.105/ac3Trg8kqFxJaVW.dat
http://149.102.225.18/ac3Trg8kqFxJaVW.dat
Hosts (6):
45.155.37.101 - mailcious
144.208.127.242 - mailcious
149.102.225.18 - mailcious
91.193.16.139 - mailcious
5.42.221.144 - mailcious
207.148.14.105 - mailcious
Score: 10.0

13347 | 2023-05-11 09:16 | ZeroCERT
File: koIWDRc.exe (MD5 c0578edb37d43cc63a01b287436f4e67)
Tags: Generic Malware Suspicious_Script_Bin UPX Malicious Library Antivirus Anti_VM MZP Format PE File PE32 BMP Format OS Processor Check VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key
Hosts (1): none listed
Score: 6.4 | - | 16

13348 | 2023-05-11 09:15 | ZeroCERT
File: photo_570.exe (MD5 9521fd6fc4a58dd4ae3c47d95eb91557)
Tags: Gen1 Emotet PWS .NET framework RAT UltraVNC UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Confuser .NET CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6):
http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
http://77.91.124.20/store/games/index.php - rule_id: 32547
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
http://77.91.124.20/DSC01491/foto0174.exe
http://77.91.124.20/DSC01491/fotocr23.exe
Hosts (2):
185.161.248.75
77.91.124.20 - malware
Alerts (6):
ET MALWARE Amadey CnC Check-In
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
Matched rules (3):
http://77.91.124.20/store/games/Plugins/cred64.dll
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/Plugins/clip64.dll
Score: 16.0 | M

13349 | 2023-05-11 09:11 | ZeroCERT
File: i.exe (MD5 5093a300dc7623ead1d35860a6312011)
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
Score: 2.4 | M | 55

13350 | 2023-05-11 09:08 | ZeroCERT
File: Yezmtqs.js (MD5 353e7a94b3f5723043d83640fe5d85fd)
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
URLs (1):
http://162.252.175.224/1NoDX/jBbVYzHtqgn
Score: 6.2