13381 | 2023-05-10 10:09
obi.exe | 07d31d6b30d2925b4664dc957f2235e9
Tags: Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1): (not listed)
Hosts (2): api.ipify.org(104.237.62.211) 173.231.16.77
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.0 | M | 36 | ZeroCERT

13382 | 2023-05-10 10:07
httpsNccapskuh.exe | fbb4b3a3458a459bb60e1c3e51f8a1f4
Tags: ScreenShot AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed
7.8 | M | 51 | ZeroCERT

13383 | 2023-05-10 10:05
vbc.exe | a4e7abd7fda183a69db7ac1bfc9e18b1
Tags: Formbook PWS .NET framework RAT UPX ASPack Malicious Library AntiDebug AntiVM .NET EXE PE32 PE File OS Processor Check FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces Windows ComputerName DNS Cryptographic key crashed
URLs (3):
http://www.awemagineers.com/mi28/?2dp=klYpi0ca4NuEV7yYIOXH6O6a9PowS18nOoPG7DinQY9yFh6V8XagDTni8XKiOtdGmoysPfs/&CXL05P=Yt3LsxMPvJC4Vzxp
http://www.ezee-shop.com/mi28/?2dp=hsI/N8qMjdFH40eIcwHZF3DvrStWf1HyzEGYszmgjassSyjb1pOdIGnkFtIUBukg6L8U+8O+&CXL05P=Yt3LsxMPvJC4Vzxp
http://107.172.206.120/000/Jyeguvzxa.png
Hosts (6): www.awemagineers.com(50.2.100.147) www.mastersmp.net() www.ezee-shop.com(104.21.87.192) 50.2.100.147 107.172.206.120 - mailcious 172.67.145.179
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
12.0 | M | 39 | ZeroCERT

13384 | 2023-05-10 10:02
olotiiss.exe | 3e22ae167ceabafcaa798453a48444fa
Tags: PWS .NET framework UPX SMTP KeyLogger AntiDebug AntiVM OS Processor Check .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1): (not listed)
Hosts (2): api.ipify.org(64.185.227.155) 173.231.16.77
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 | M | 45 | ZeroCERT

13385 | 2023-05-10 10:00
Had.exe | 71ae692fbca5a94d85b2a994b4426c4e
Tags: PE64 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.0 | M | 33 | ZeroCERT

13386 | 2023-05-10 10:00
originalbuild.exe | 946640d04e9bc3419f1ca9183e5da8f6
Tags: RAT Generic Malware Malicious Library Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
Hosts (1): 91.215.85.198 - mailcious
6.4 | M | 40 | ZeroCERT

13387 | 2023-05-10 09:17
워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.ln... | 445e7fd6bb684420d6b8523fe0c55228
Tags: Generic Malware Downloader Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot Hide_URL AntiDebug AntiVM HWP MSOffice File GIF Format .NET VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
https://firenzedt.com/27251
https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRmTWdoZExudm9zdUExcHc_ZT1scUoweWU/root/content
Hosts (4):
cacerts.digicert.com(152.195.38.76)
api.onedrive.com(13.107.43.12) - mailcious
13.107.42.12 - malware
152.195.38.76
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.8 | | 18 | ZeroCERT

13388 | 2023-05-09 19:28
std2.7z | 8c47460fa4cce4ce9c672c5390472e03
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger Creates executable files unpack itself
2.0 | M | | ZeroCERT

13389 | 2023-05-09 19:23
103.184.128.244_update.7z | 068a57341223a3d3d024b524cd67df5e
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM SMB Traffic Potential Scan suspicious privilege Check memory Checks debugger Creates executable files ICMP traffic unpack itself DNS
Hosts (133): 182.252.171.193 182.252.144.103 182.252.229.121 182.252.60.161 182.252.170.167 182.252.40.23 182.252.23.115 182.252.135.73 182.252.109.241 182.252.9.201 182.252.152.219 182.252.253.175 182.252.29.39 182.252.57.81 182.252.121.39 182.252.55.19 182.252.111.167 182.252.60.159 182.252.235.35 182.252.207.153 182.252.140.7 182.252.46.135 182.252.186.67 182.252.192.197 182.252.52.75 182.252.8.1 182.252.121.163 182.252.5.3 182.252.165.153 182.252.230.97 182.252.225.153 182.252.151.49 182.252.246.159 182.252.250.129 182.252.94.253 182.252.246.151 182.252.56.29 182.252.44.43 182.252.7.99 182.252.235.43 182.252.51.65 182.252.250.23 182.252.32.101 182.252.253.67 182.252.79.225 182.252.146.189 182.252.13.135 182.252.184.103 182.252.220.55 182.252.22.241 182.252.73.81 182.252.86.209 182.252.233.9 182.252.126.199 182.252.108.143 182.252.66.57 182.252.140.211 182.252.141.207 182.252.94.109 182.252.154.115 182.252.240.167 182.252.35.147 182.252.180.85 182.252.97.249 182.252.243.35 182.252.113.23 182.252.245.95 182.252.196.241 182.252.199.145 182.252.230.231 182.252.58.5 182.252.1.249 182.252.160.163 182.252.222.185 182.252.218.191 182.252.46.47 182.252.128.55 182.252.187.45 182.252.237.3 182.252.213.141 182.252.226.97 182.252.5.99 182.252.43.93 182.252.246.3 182.252.106.213 182.252.74.5 182.252.106.193 182.252.232.5 182.252.27.221 182.252.228.185 182.252.17.5 182.252.178.139 182.252.2.137 182.252.153.153 182.252.36.155 182.252.14.63 182.252.207.209 182.252.199.211 182.252.219.93 182.252.67.33 182.252.109.229 182.252.171.133 182.252.191.191 182.252.85.161 182.252.173.5 182.252.46.29 182.252.79.173 182.252.251.27 182.252.99.43 182.252.181.87 182.252.233.135 182.252.22.111 182.252.149.127 182.252.189.111 182.252.11.99 182.252.22.201 182.252.55.245 182.252.100.41 182.252.87.159 182.252.171.101 182.252.238.223 182.252.54.249 182.252.39.165 182.252.101.1 182.252.67.103 182.252.70.133 182.252.130.25 182.252.53.215 182.252.92.237 182.252.222.41 182.252.22.59 182.252.121.21 182.252.76.87
Alerts (1): ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
3.4 | | | ZeroCERT

13390 | 2023-05-09 19:14
103.40.123.34_update.7z | f91cf94c3ba6073a885f53e8c32bfa1b
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM SMB Traffic Potential Scan suspicious privilege Check memory Checks debugger Creates executable files unpack itself DNS
Hosts (276): 180.69.209.91 180.69.52.165 180.69.146.131 180.69.130.35 180.69.137.213 180.69.149.169 180.69.47.65 180.69.101.7 180.69.243.5 180.69.196.33 180.69.115.97 180.69.217.49 180.69.13.153 180.69.32.35 180.69.158.45 180.69.200.75 180.69.230.151 180.69.217.50 180.69.41.5 180.69.6.29 180.69.115.13 180.69.18.93 180.69.167.247 180.69.5.65 180.69.237.215 180.69.243.167 180.69.135.235 180.69.245.69 180.69.183.9 180.69.91.249 180.69.250.147 180.69.115.239 180.69.9.237 180.69.166.157 180.69.140.213 180.69.140.214 180.69.235.131 180.69.41.143 180.69.219.181 180.69.67.185 180.69.194.251 180.69.95.240 180.69.21.61 180.69.31.71 180.69.8.193 180.69.231.235 180.69.229.35 180.69.111.41 180.69.128.179 180.69.123.235 180.69.255.199 180.69.204.205 180.69.60.19 180.69.71.141 180.69.138.189 180.69.174.47 180.69.84.109 180.69.171.177 180.69.19.21 180.69.210.131 180.69.223.249 180.69.159.237 180.69.210.223 180.69.226.111 180.69.151.69 180.69.170.107 180.69.246.250 180.69.106.15 180.69.96.241 180.69.102.175 180.69.27.33 180.69.89.27 180.69.106.13 180.69.238.237 180.69.17.249 180.69.115.240 180.69.206.71 180.69.199.215 180.69.94.99 180.69.136.29 180.69.43.245 180.69.94.141 180.69.31.217 180.69.54.117 180.69.119.155 180.69.130.99 180.69.112.143 180.69.145.185 180.69.249.251 180.69.148.215 180.69.20.111 180.69.247.213 180.69.77.123 180.69.107.153 180.69.252.59 180.69.201.67 180.69.105.127 180.69.30.201 180.69.45.215 180.69.95.239 180.69.205.11 180.69.173.57 180.69.205.12 180.69.21.87 180.69.118.61 180.69.161.53 180.69.222.185 180.69.203.179 180.69.50.95 180.69.228.217 180.69.156.233 180.69.76.33 180.69.137.145 180.69.222.103 180.69.111.121 180.69.143.97 180.69.250.247 180.69.214.33 180.69.90.71 180.69.94.125 180.69.211.107 180.69.119.219 180.69.77.87 180.69.168.35 180.69.228.73 180.69.88.231 180.69.80.51 180.69.200.83 180.69.213.161 180.69.41.123 180.69.216.43 180.69.68.53 180.69.195.87 180.69.102.117 180.69.168.181 180.69.167.169 180.69.217.9 180.69.132.47 180.69.150.139 180.69.175.197 180.69.95.237 180.69.143.167 180.69.216.141 180.69.22.247 180.69.211.7 180.69.90.63 180.69.245.27 180.69.140.157 180.69.92.29 180.69.28.35 180.69.192.63 180.69.6.87 180.69.83.193 180.69.38.101 180.69.25.51 180.69.104.13 180.69.239.139 180.69.96.17 180.69.226.71 180.69.11.51 180.69.150.221 180.69.228.149 180.69.7.77 180.69.55.103 180.69.60.199 180.69.120.207 180.69.14.105 180.69.213.1 180.69.208.89 180.69.169.205 180.69.124.95 180.69.90.19 180.69.49.123 180.69.248.225 180.69.124.155 180.69.84.217 180.69.234.167 180.69.246.233 180.69.119.53 180.69.249.157 180.69.192.181 180.69.11.137 180.69.146.181 180.69.227.75 180.69.168.57 180.69.251.209 180.69.149.255 180.69.113.167 180.69.122.1 180.69.155.105 180.69.87.237 180.69.46.77 180.69.155.101 180.69.193.79 180.69.55.229 180.69.16.185 180.69.246.249 180.69.98.4 180.69.81.219 180.69.255.125 180.69.94.1 180.69.16.189 180.69.202.137 180.69.208.93 180.69.72.167 180.69.121.191 180.69.242.1 180.69.82.13 180.69.9.13 180.69.212.255 180.69.97.199 180.69.158.29 180.69.213.175 180.69.50.219 180.69.33.245 180.69.254.1 180.69.75.77 180.69.49.235 180.69.247.221 180.69.12.145 180.69.20.61 180.69.85.179 180.69.176.219 180.69.239.211 180.69.224.209 180.69.135.117 180.69.243.221 180.69.82.99 180.69.22.149 180.69.16.193 180.69.115.31 180.69.111.227 180.69.193.63 180.69.20.159 180.69.71.187 180.69.196.213 180.69.210.147 180.69.3.17 180.69.114.199 180.69.35.181 180.69.125.155 180.69.121.181 180.69.207.35 180.69.2.231 180.69.82.35 180.69.146.107 180.69.235.135 180.69.23.207 180.69.209.173 180.69.66.155 180.69.184.27 180.69.236.9 180.69.228.141 180.69.172.111 180.69.109.225 180.69.95.93 180.69.119.123 180.69.196.3 180.69.39.39 180.69.10.237 180.69.104.63 180.69.3.169 180.69.109.47 180.69.252.83 180.69.51.55 180.69.236.65 180.69.191.223 180.69.181.193 180.69.114.123 180.69.24.53 180.69.184.105 180.69.17.203 180.69.184.107 180.69.98.3 180.69.5.247 180.69.24.189
Alerts (1): ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
2.6 | | | ZeroCERT

13391 | 2023-05-09 18:59
update.7z | c9027a96969b77612260fd952c632a54
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM SMB Traffic Potential Scan suspicious privilege Check memory Checks debugger Creates executable files unpack itself DNS
Hosts (131): 110.253.207.67 110.253.40.71 110.253.85.137 110.253.103.107 110.253.117.57 110.253.254.231 110.253.226.149 110.253.45.105 110.253.69.147 110.253.118.125 110.253.222.39 110.253.239.27 110.253.54.69 110.253.126.15 110.253.0.205 110.253.136.179 110.253.162.25 110.253.32.3 110.253.117.43 110.253.32.187 110.253.199.83 110.253.32.185 110.253.180.27 110.253.174.139 110.253.235.143 110.253.12.41 110.253.92.191 110.253.244.3 110.253.116.33 110.253.251.149 110.253.7.201 110.253.24.49 110.253.90.123 110.253.216.133 110.253.208.175 110.253.206.135 110.253.36.205 110.253.103.7 110.253.129.141 110.253.6.237 110.253.255.129 110.253.147.249 110.253.95.93 110.253.84.33 110.253.52.175 110.253.177.175 110.253.211.83 110.253.120.121 110.253.76.99 110.253.215.51 110.253.152.135 110.253.198.69 110.253.176.79 110.253.161.179 110.253.54.29 110.253.136.7 110.253.194.171 110.253.107.75 110.253.178.179 110.253.151.163 110.253.84.177 110.253.83.67 110.253.129.205 110.253.236.153 110.253.105.111 110.253.229.47 110.253.217.167 110.253.180.233 110.253.204.103 110.253.67.85 110.253.215.131 110.253.171.143 110.253.58.27 110.253.177.187 110.253.180.79 110.253.185.11 110.253.5.177 110.253.131.35 110.253.210.213 110.253.253.141 110.253.2.13 110.253.208.225 110.253.70.11 110.253.93.159 110.253.93.141 110.253.236.125 110.253.42.77 110.253.2.35 110.253.48.191 110.253.235.107 110.253.217.241 110.253.0.69 110.253.133.229 110.253.244.123 110.253.158.247 110.253.35.85 110.253.135.209 110.253.241.217 110.253.14.129 110.253.83.81 110.253.127.39 110.253.174.13 110.253.32.163 110.253.0.141 110.253.189.119 110.253.187.133 110.253.122.179 110.253.125.237 110.253.32.153 110.253.0.79 110.253.96.67 110.253.115.25 110.253.44.15 110.253.175.175 110.253.94.143 110.253.167.217 110.253.184.67 110.253.164.121 110.253.235.13 110.253.163.255 110.253.162.45 110.253.151.119 110.253.4.171 110.253.19.39 110.253.220.17 110.253.174.111 110.253.234.243 110.253.119.51 110.253.233.27 110.253.155.171 110.253.170.157
Alerts (1): ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
2.6 | M | | ZeroCERT

13392 | 2023-05-09 18:51
update.7z | c9027a96969b77612260fd952c632a54
Tags: PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself
1.6 | M | | ZeroCERT

13393 | 2023-05-09 18:48
update.7z | c9027a96969b77612260fd952c632a54
| M | | ZeroCERT

13394 | 2023-05-09 18:45
098.hta | 246b0b1de71eeffbb03fa02ccf9c0621
Tags: Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
Hosts (2): crystaltea.in(192.185.110.133) - malware 192.185.110.133 - phishing
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | | | ZeroCERT

13395 | 2023-05-09 18:33
%23%23%23%23%23%23%23%23%23%23... | 18418b8b5e1ee58eba592c4b23abc28b
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed Downloader
URLs (1): http://84.54.50.156/41/vbc.exe
Hosts (1): (not listed)
Alerts (3):
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
4.6 | M | 33 | ZeroCERT