13411 |
2023-05-09 11:01
|
vbc.exe 34fbc7022384a5377bd9b728f7e35ee8 Generic Malware UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
49 |
r0d
13412 |
2023-05-09 09:21
|
vbc.exe 743a03da4bca80da5f49be2b77050225 Formbook NSIS UPX Malicious Library PE32 PE File DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
21
http://www.222ambking.org/u2kb/?w3khrt=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28004 http://www.thedivinerudraksha.com/u2kb/?w3khrt=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28009 http://www.gritslab.com/u2kb/?w3khrt=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28002 http://www.thewildphotographer.co.uk/u2kb/?w3khrt=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28007 http://www.un-object.com/u2kb/ - rule_id: 28137 http://www.energyservicestation.com/u2kb/?w3khrt=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28005 http://www.energyservicestation.com/u2kb/ - rule_id: 28005 http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007 http://www.younrock.com/u2kb/?w3khrt=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28006 http://www.shapshit.xyz/u2kb/?w3khrt=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28008 http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009 http://www.shapshit.xyz/u2kb/ - rule_id: 28008 http://www.bitservicesltd.com/u2kb/ - rule_id: 28003 http://www.white-hat.uk/u2kb/?w3khrt=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28001 http://www.bitservicesltd.com/u2kb/?w3khrt=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28003 http://www.un-object.com/u2kb/?w3khrt=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&aeHf2=Rv8POUV9PlxT0H_r - rule_id: 28137 http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip http://www.gritslab.com/u2kb/ - rule_id: 28002 http://www.222ambking.org/u2kb/ - rule_id: 28004 http://www.avisrezervee.com/u2kb/ http://www.younrock.com/u2kb/ - rule_id: 28006
|
24
www.thewildphotographer.co.uk(96.126.123.244) - mailcious www.gritslab.com(78.141.192.145) - mailcious www.fclaimrewardccpointq.shop() - mailcious www.avisrezervee.com(31.186.11.254) www.shapshit.xyz(199.192.30.147) - mailcious www.energyservicestation.com(213.145.228.111) - mailcious www.un-object.com(192.185.17.12) - mailcious www.222ambking.org(91.195.240.94) - mailcious www.bitservicesltd.com(161.97.163.8) - mailcious www.thedivinerudraksha.com(85.187.128.34) - mailcious www.white-hat.uk(94.176.104.86) - mailcious www.younrock.com(192.187.111.222) - mailcious 91.195.240.94 - phishing 85.187.128.34 - mailcious 78.141.192.145 - mailcious 192.185.17.12 - mailcious 31.186.11.254 - mailcious 213.145.228.111 - mailcious 63.141.242.46 94.176.104.86 - mailcious 72.14.178.174 161.97.163.8 - mailcious 45.33.6.223 199.192.30.147 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
19
http://www.222ambking.org/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.un-object.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.younrock.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.white-hat.uk/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.un-object.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/
|
5.0 |
M |
41 |
ZeroCERT
13413 |
2023-05-09 09:11
|
fotocr23.exe 9a5f630ba99d3ee7e838d5c9abac233e Gen1 Emotet PWS .NET framework RAT UltraVNC UPX Malicious Library Malicious Packer Confuser .NET CAB PE32 PE File OS Processor Check .NET EXE AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Disables Windows Security AppData folder AntiVM_Disk VM Disk Size Check Windows Update Remote Code Execution DNS Cryptographic key crashed |
|
2
94.142.138.32 77.91.124.20 - malware
|
|
|
7.0 |
M |
|
ZeroCERT
13414 |
2023-05-09 09:11
|
123.exe 2aeac863392c9a2a31058c6d5eeb4cc2 PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download VirusTotal Malware RecordBreaker PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications installed browsers check Stealer Windows Browser DNS |
9
http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://94.142.138.32/ http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://94.142.138.32/a51fd817c1762ffe7664b43743dd0958 http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://94.142.138.32/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
|
1
|
5
ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Possible Generic Stealer Sending System Information
|
|
11.4 |
M |
28 |
ZeroCERT
13415 |
2023-05-09 09:11
|
foto0174.exe 1b1b1239c10dcd01f551df6cee30d4e2 Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
4
http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849 http://77.91.124.20/store/games/index.php - rule_id: 32547 http://77.91.124.20/store/games/index.php http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
|
2
77.91.124.20 - malware 217.196.96.101 - mailcious
|
6
ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request
|
3
http://77.91.124.20/store/games/Plugins/cred64.dll http://77.91.124.20/store/games/index.php http://77.91.124.20/store/games/Plugins/clip64.dll
|
16.0 |
M |
|
ZeroCERT
13416 |
2023-05-09 09:09
|
vbc.exe 34fbc7022384a5377bd9b728f7e35ee8 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
47 |
ZeroCERT
13417 |
2023-05-09 09:09
|
vbc.exe e47e3bd985effc1d1352ac832a09da14 Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://185.246.220.60/fresh2/five/fre.php
|
1
185.246.220.60 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
14.4 |
M |
41 |
ZeroCERT
13418 |
2023-05-09 09:05
|
009.jpg baa51dc77e43c436c429a9131ce4b152 Malicious Library PE32 PE File VirusTotal Malware Check memory unpack itself suspicious TLD WriteConsoleW Interception Remote Code Execution |
|
1
|
|
|
3.4 |
|
59 |
ZeroCERT
13419 |
2023-05-09 09:04
|
zqqK.html 5144480c0b8e79a016fafcfc3d3c3aa7 unpack itself crashed |
|
|
|
|
0.6 |
M |
|
ZeroCERT
13420 |
2023-05-09 09:03
|
instal6699_cr.exe eafe753a6fd3d7e298974135a34d565c RedLine stealer[m] UPX Admin Tool (Sysinternals etc ...) PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
|
|
10.2 |
|
15 |
ZeroCERT
13421 |
2023-05-09 09:03
|
obi.exe f8001587bbb6e217b0f812e0e6e797d3 .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
|
46 |
ZeroCERT
13422 |
2023-05-09 07:27
|
http://www.google.com/profiles... 6395ac3078f4e5141fb41b72c27d5f3f Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.google.com/profiles/102128379777508964956 https://www.google.com/favicon.ico https://accounts.google.com/generate_204?CQdfzQ https://profiles.google.com/browser-not-supported/?ref=/102128379777508964956 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://currents.google.com/me?ref%3D/102128379777508964956&followup=https://currents.google.com/me?ref%3D/102128379777508964956 https://profiles.google.com/102128379777508964956 https://accounts.google.com/_/bscframe https://currents.google.com/me?ref=/102128379777508964956 https://accounts.google.com/v3/signin/identifier?dsh=S-351430295%3A1683584467026608&continue=https%3A%2F%2Fcurrents.google.com%2Fme%3Fref%3D%2F102128379777508964956&followup=https%3A%2F%2Fcurrents.google.com%2Fme%3Fref%3D%2F102128379777508964956&ifkv=Af_xneGAwdXlM71QtApQgJX60HESyPgacMTfgO3LaftBx_eM2GnLiR-jPZE9E3TQW_mqqTCDD44X&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin https://accounts.google.com/InteractiveLogin?continue=https://currents.google.com/me?ref%3D/102128379777508964956&followup=https://currents.google.com/me?ref%3D/102128379777508964956&osid=1&passive=1209600&ifkv=Af_xneGJoNKj2T9U05PVsA_KSaY3oBjOnkW36Vw43Lz6UJdMM4RZiCVZttO9JzHcfrsVto9JWZGA7w
|
10
profiles.google.com(142.250.76.142) ssl.gstatic.com(172.217.161.195) www.google.com(142.250.206.228) accounts.google.com(142.250.206.237) currents.google.com(172.217.25.174) 142.251.220.78 142.250.66.110 172.217.27.13 172.217.27.35 142.250.204.68
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
guest
13423 |
2023-05-09 07:27
|
http://www.google.com/profiles... 027de6380a27d9116764f11da1b25b61 AntiDebug AntiVM MSOffice File icon VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
11
http://www.google.com/profiles/102128379777508964956 https://accounts.google.com/InteractiveLogin?continue=https://currents.google.com/me?ref%3D/102128379777508964956&followup=https://currents.google.com/me?ref%3D/102128379777508964956&osid=1&passive=1209600&ifkv=Af_xneEIrOshotgoHQt0SnZntPIX7ToJV9I8a-hvTpKW7W3c9gQ5r_tUFoV23iiRyVJdr1Kn6S7t0g https://www.google.com/favicon.ico https://accounts.google.com/v3/signin/identifier?dsh=S1577148976%3A1683584498722183&continue=https%3A%2F%2Fcurrents.google.com%2Fme%3Fref%3D%2F102128379777508964956&followup=https%3A%2F%2Fcurrents.google.com%2Fme%3Fref%3D%2F102128379777508964956&ifkv=Af_xneGzLOf3QE0BAdY56p2k9njpE8Nwr7HKJTy0uZ0qk14EOAfOvf3KfIVz02i8EriRQvsD-dmlLA&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin https://profiles.google.com/browser-not-supported/?ref=/102128379777508964956 https://accounts.google.com/generate_204?f5g_lA https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://currents.google.com/me?ref%3D/102128379777508964956&followup=https://currents.google.com/me?ref%3D/102128379777508964956 https://profiles.google.com/102128379777508964956 https://accounts.google.com/_/bscframe https://currents.google.com/me?ref=/102128379777508964956 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
10
profiles.google.com(142.250.76.142) ssl.gstatic.com(172.217.161.195) www.google.com(172.217.25.164) accounts.google.com(142.250.206.237) currents.google.com(172.217.25.174) 142.251.220.14 142.251.220.45 142.250.204.100 142.250.204.46 142.250.204.99
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
13424 |
2023-05-09 06:50
|
http://www.google.com/profiles... faf06d1d50c4dcb652d72a25485883e8 Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.google.com/profiles/102128379777508964956 https://www.google.com/favicon.ico https://accounts.google.com/generate_204?32gd7A https://profiles.google.com/browser-not-supported/?ref=/102128379777508964956 https://accounts.google.com/v3/signin/identifier?dsh=S1560857253%3A1683582201539252&continue=https%3A%2F%2Fcurrents.google.com%2Fme%3Fref%3D%2F102128379777508964956&followup=https%3A%2F%2Fcurrents.google.com%2Fme%3Fref%3D%2F102128379777508964956&ifkv=Af_xneGT38AOWoAbiQxRbOgFVOaM4wGyqbs4y-uPcUtcGpmnCQimIrDB1P28LreIQtw91HIeUSc_YA&osid=1&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://currents.google.com/me?ref%3D/102128379777508964956&followup=https://currents.google.com/me?ref%3D/102128379777508964956 https://profiles.google.com/102128379777508964956 https://accounts.google.com/_/bscframe https://currents.google.com/me?ref=/102128379777508964956 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://accounts.google.com/InteractiveLogin?continue=https://currents.google.com/me?ref%3D/102128379777508964956&followup=https://currents.google.com/me?ref%3D/102128379777508964956&osid=1&passive=1209600&ifkv=Af_xneGNJ7kcu9Uhhue22zywgr1cPQrPrDCyiNvLzH9nF8gI7xGL7lOe-nKKFo9iQQnL4198JYKM2Q
|
10
profiles.google.com(142.250.76.142) ssl.gstatic.com(172.217.161.195) www.google.com(172.217.25.164) accounts.google.com(142.250.207.109) currents.google.com(172.217.25.174) 142.250.66.67 142.250.199.78 172.217.24.238 172.217.24.237 142.251.220.4
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.6 |
|
|
guest
13425 |
2023-05-09 04:33
|
chatverlauf jasmin.txt ca29b214d1a9a341e9d3c82b3f5f490b ScreenShot AntiDebug AntiVM Check memory unpack itself |
|
|
|
|
1.0 |
|
|
guest