13351 | 2023-05-11 09:08 | Lscwklt.js 72794cef000741d517cab446ccb3b4e6 | Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
1 | http://158.255.213.110/rQ8wEAP/fQpJet
6.2 | ZeroCERT
13352 | 2023-05-11 09:08 | Aqrwa.js 92fae833978ae39133e33b9c17d782ec | Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
6.2 | ZeroCERT
13353 | 2023-05-10 18:57 | vbc.exe 24429aa11d39dddc2e9daec4bcba9ed0 | Formbook KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser ComputerName DNS crashed keylogger
2 | api.telegram.org(149.154.167.220) 149.154.167.220
4 | ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.6 | M | ZeroCERT
13354 | 2023-05-10 18:56 | vbc.exe 953db0fa8e971527b18ae9abc387f7a2 | Formbook KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName crashed keylogger
9.6 | M | 25 | ZeroCERT
13355 | 2023-05-10 18:40 | QQQQQ%23%23%23%23%23%23%23%23%... 74f63aa2d67f8c772a62b45904c46caf | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed Downloader
1 | http://154.12.230.59/234/vbc.exe
3 | api.telegram.org(149.154.167.220) 154.12.230.59 - mailcious 149.154.167.220
11 | ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO TLS Handshake Failure ET HUNTING Telegram API Domain in DNS Lookup ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.8 | M | 29 | ZeroCERT
13356 | 2023-05-10 18:21 | PO.exe c884d60fea6f63974e134023a934894a | AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
10 | http://www.fala23.shop/mmf8/ http://www.xn--939ay02cwla267bba.com/mmf8/?RqS=Vv9LNpysBLG0WLBlBRJSZMWv3IcnWlWsrWSh4V4E6GINOyD1S/RY95+sdrFXJ3xMlkG1iTslBT/aUDe48iTIc8+IJ2CX5Q0kFCgQUO4=&KE1kM2=SwiR7U5fmzyW http://www.brjyabrsma.net/mmf8/?RqS=GsFH8V9sjXEVIdNtUVr0D0L8RWPWcEYfbnM3HA1jrPkYwEZ+yk363L0UzM/fvjJ0wF0QYJkZH65h1F6NgxFu4z3MORdNRRhXcS9WhiA=&KE1kM2=SwiR7U5fmzyW http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip http://www.fala23.shop/mmf8/?RqS=mRfznawNYRsS/krrEFPr6wThTJUuK5cw5fy5hCPbah8CdmbVpFZ+KzW4nolkgPSC94ftTqgZYMY0uY3zB6JLBoQC+3vTs/P9CqKA8hc=&KE1kM2=SwiR7U5fmzyW http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip http://www.klerktehny.xyz/mmf8/?RqS=2z21UciuCXq/2Iz5BdcWi+HoAo4Xr2boH6Xy6UvmT022bBm3ObPc3AiK2OeVOGLGS6dOQdF9ws9FJPv7jihCEkfuWHrWD9ezkYy29z0=&KE1kM2=SwiR7U5fmzyW http://www.klerktehny.xyz/mmf8/ http://www.xn--939ay02cwla267bba.com/mmf8/ http://www.brjyabrsma.net/mmf8/
12 | www.xn--939ay02cwla267bba.com(121.254.178.253) www.winplayewinyu.space() www.vnloto.tech() www.klerktehny.xyz(109.123.121.243) www.brjyabrsma.net(62.149.128.40) www.14-pro-max-sales.online() www.fala23.shop(43.154.196.178) 43.154.196.178 109.123.121.243 - mailcious 62.149.128.40 - mailcious 121.254.178.253 - mailcious 45.33.6.223
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
8.6 | M | 12 | ZeroCERT
13357 | 2023-05-10 18:18 | build.exe c9baa6f493c047ea988df511eae16cc8 | PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key
1 |
5.2 | M | 64 | ZeroCERT
13358 | 2023-05-10 18:16 | path 7fc09e90a6b01b4e45dfb74a398ab841 | PWS .NET framework RAT UPX Malicious Library VMProtect OS Processor Check PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution DNS
1 | 31.186.11.254 - mailcious
6.0 | M | 36 | ZeroCERT
13359 | 2023-05-10 18:16 | vbc.exe 992a0de4e5038847edbe7f400f3ccfd2 | Formbook NSIS UPX Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder DNS
21 | http://www.gritslab.com/u2kb/ - rule_id: 28002 http://www.un-object.com/u2kb/?z2EP7T7=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&9eJie=wZr6sXam-U6NCSL - rule_id: 28137 http://www.shapshit.xyz/u2kb/ - rule_id: 28008 http://www.shapshit.xyz/u2kb/?z2EP7T7=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&9eJie=wZr6sXam-U6NCSL - rule_id: 28008 http://www.un-object.com/u2kb/ - rule_id: 28137 http://www.energyservicestation.com/u2kb/ - rule_id: 28005 http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007 http://www.222ambking.org/u2kb/?z2EP7T7=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&9eJie=wZr6sXam-U6NCSL - rule_id: 28004 http://www.energyservicestation.com/u2kb/?z2EP7T7=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&9eJie=wZr6sXam-U6NCSL - rule_id: 28005 http://www.younrock.com/u2kb/?z2EP7T7=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&9eJie=wZr6sXam-U6NCSL - rule_id: 28006 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip http://www.bitservicesltd.com/u2kb/?z2EP7T7=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&9eJie=wZr6sXam-U6NCSL - rule_id: 28003 http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009 http://www.gritslab.com/u2kb/?z2EP7T7=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&9eJie=wZr6sXam-U6NCSL - rule_id: 28002 http://www.bitservicesltd.com/u2kb/ - rule_id: 28003 http://www.white-hat.uk/u2kb/?z2EP7T7=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&9eJie=wZr6sXam-U6NCSL - rule_id: 28001 http://www.thewildphotographer.co.uk/u2kb/?z2EP7T7=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&9eJie=wZr6sXam-U6NCSL - rule_id: 28007 http://www.thedivinerudraksha.com/u2kb/?z2EP7T7=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&9eJie=wZr6sXam-U6NCSL - rule_id: 28009 http://www.222ambking.org/u2kb/ - rule_id: 28004 http://www.avisrezervee.com/u2kb/ - rule_id: 32569 http://www.younrock.com/u2kb/ - rule_id: 28006
25 | www.thewildphotographer.co.uk(45.33.2.79) - mailcious www.gritslab.com(78.141.192.145) - mailcious www.fclaimrewardccpointq.shop() - mailcious www.avisrezervee.com(31.186.11.254) - mailcious www.shapshit.xyz(199.192.30.147) - mailcious www.energyservicestation.com(213.145.228.111) - mailcious www.un-object.com(192.185.17.12) - mailcious www.222ambking.org(91.195.240.94) - mailcious www.bitservicesltd.com(161.97.163.8) - mailcious www.thedivinerudraksha.com(85.187.128.34) - mailcious www.white-hat.uk(94.176.104.86) - mailcious www.younrock.com(63.141.242.43) - mailcious 45.56.79.23 - mailcious 91.195.240.94 - phishing 85.187.128.34 - mailcious 78.141.192.145 - mailcious 192.185.17.12 - mailcious 31.186.11.254 - mailcious 213.145.228.111 - mailcious 185.174.174.220 - phishing 192.187.111.219 - mailcious 94.176.104.86 - mailcious 161.97.163.8 - mailcious 45.33.6.223 199.192.30.147 - mailcious
2 | ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
20 | http://www.gritslab.com/u2kb/ http://www.un-object.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.un-object.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.222ambking.org/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.younrock.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.white-hat.uk/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.avisrezervee.com/u2kb/ http://www.younrock.com/u2kb/
6.2 | M | 36 | ZeroCERT
13360 | 2023-05-10 18:12 | loki.exe 49f6547db1a057139da206876f7cac86 | Generic Malware UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.2 | M | 32 | ZeroCERT
13361 | 2023-05-10 18:11 | MON_pdf.exe b1779162ee18fdff9a550e23bec9b2c4 | NSIS UPX Malicious Library PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed
2 | myogessentials.com(185.174.174.220) 185.174.174.220 - phishing
2 | ET HUNTING ZIP file exfiltration over raw TCP SURICATA Applayer Detect protocol only one direction
7.4 | M | 48 | ZeroCERT
13362 | 2023-05-10 18:09 | Wed.exe f92115170bf02c0ac2f6b1e7270dcfb6 | Formbook .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger buffers extracted unpack itself
2.4 | M | 17 | ZeroCERT
13363 | 2023-05-10 18:09 | vbc.exe 6ade942d85d1738a7d52360ca1d34080 | Generic Malware UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution DNS
3.8 | M | 32 | ZeroCERT
13364 | 2023-05-10 18:07 | %23%23%23%23%23%23%23%23%23%23... 41e6396e3fb7c2ee5676acd85978f671 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed Downloader
2 | https://api.ipify.org/ http://192.3.202.72/R1454/vbc.exe
3 | api.ipify.org(173.231.16.77) 192.3.202.72 - malware 104.237.62.211
7 | ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.4 | M | 30 | ZeroCERT
13365 | 2023-05-10 18:07 | aaaa.exe 852e911a70f5f4ebdf572adc36cb97f6 | AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
6 | camo.githubusercontent.com(185.199.111.133) fonts.googleapis.com(142.250.207.106) 64.185.227.155 172.217.27.42 185.199.110.133 - malware 142.250.66.42
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
6.0 | M | ZeroCERT