ID | Date | File | MD5 | Score | M | VT | Submitter
(Tags, URLs, Hosts and IDS alerts follow their row on indented lines; M is the listing's verdict flag, VT the count shown only on rows tagged VirusTotal; "-" is an empty cell.)

13501 | 2023-05-05 07:09 | not allow.sample | 85aa3491628f459ae49f1e2dd6f93d5d | - | - | - | guest

13502 | 2023-05-05 07:09 | not allow.sample | 85aa3491628f459ae49f1e2dd6f93d5d | - | - | - | guest
    Note: same file name and hash as 13501, resubmitted in the same minute.

13503 | 2023-05-05 06:59 | {54235D70-18D0-41D4-B34B-D968F... | d41d8cd98f00b204e9800998ecf8427e | 3.4 | - | - | guest
    Tags: AntiDebug; AntiVM; Email Client Info Stealer; suspicious privilege; Checks debugger; Creates shortcut; unpack itself; installed browsers check; Browser; Email; ComputerName
    Note: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes, so the submission was an empty file. The behavioural tags cannot describe that content; treat them as sandbox noise, not as evidence about a sample.

13504 | 2023-05-05 06:53 | WindowsUpdate.log | 2cc83d93dd1dde691158cf5e9882420b | 1.0 | - | - | guest
    Tags: ScreenShot; AntiDebug; AntiVM; Check memory; unpack itself

13505 | 2023-05-05 06:46 | chatverlauf jasmin.txt | ca29b214d1a9a341e9d3c82b3f5f490b | 1.0 | - | - | guest
    Tags: ScreenShot; AntiDebug; AntiVM; Check memory; unpack itself

13506 | 2023-05-04 18:44 | vbc.exe | 66d9a44a51599155c7a39a9a5a9dafa9 | 1.8 | - | 44 | ZeroCERT
    Tags: UPX; Malicious Library; OS Processor Check; PE32; PE File; VirusTotal; Malware; PDB
    Hosts (1): fshovit8qcg8uvovvtixzg2.shmxodofaguezj() (no resolution recorded)
    Note: the same unresolved hostname appears in 13508, whose RTF fetches a vbc.exe from 109.105.198.239; this row is most likely that second stage analysed on its own.

13507 | 2023-05-04 18:03 | vbc.exe | 9fe535a2512484cbf82fdb18f50fd740 | 3.8 | M | 40 | ZeroCERT
    Tags: RAT; .NET EXE; PE32; PE File; VirusTotal; Malware; Check memory; Checks debugger; unpack itself; Check virtual network interfaces; Tofsee; Windows; ComputerName
    Hosts (2): toraxgold.com(198.46.173.139); 198.46.173.139
    IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    Note: the Tofsee tag comes only from the JA3 alert. A JA3 hash fingerprints the TLS client stack, not a malware family, so on its own it is weak attribution; the .NET RAT tags and the toraxgold.com contact are the stronger signals here.

13508 | 2023-05-04 18:01 | %23%23%23%23%23%23%23%23%23%23... | f51ba77ad7935cf732fc2fc5df33d75b | 4.4 | M | 29 | ZeroCERT
    Tags: MS_RTF_Obfuscation_Objects; RTF File; doc; Malware download; VirusTotal; Malware; Malicious Traffic; exploit crash; unpack itself; Windows; Exploit; DNS; crashed; Downloader
    URLs (1): http://109.105.198.239/80/vbc.exe
    Hosts (3): fshovit8qcg8uvovvtixzg2.shmxodofaguezj(); 109.105.198.239; 185.16.38.253
    IDS alerts (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    Note: %23 is the URL-encoding of "#", so the file name is a run of "#" characters, truncated in the listing. The RTF carries obfuscated OLE objects, crashes the viewer (exploit) and then pulls vbc.exe over plain HTTP from a bare IP; 185.16.38.253 is the address report1.duckdns.org resolves to in 13509, which ties this document to that Remcos sample's infrastructure.

13509 | 2023-05-04 18:01 | Halkbank.exe | 43da6da02ab057b4b4b100c727b3fc69 | 12.6 | M | 46 | ZeroCERT
    Tags: AgentTesla; Emotet; browser info stealer; Generic Malware; Google Chrome User Data; Downloader; UPX; Malicious Library; Create Service; Socket; DNS; PWS[m]; Sniff Audio; Internet API; Escalate privileges; KeyLogger; AntiDebug; AntiVM; OS Processor Check; PE32; PE File; Remcos; VirusTotal; Malware; Buffer PE; AutoRuns; PDB; Code Injection; Malicious Traffic; Check memory; Checks debugger; buffers extracted; Creates executable files; unpack itself; Windows; Remote Code Execution; DNS; DDNS; keylogger
    URLs (1): http://geoplugin.net/json.gp
    Hosts (4): geoplugin.net(178.237.33.50); report1.duckdns.org(185.16.38.253); 178.237.33.50; 185.16.38.253
    IDS alerts (3): ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET JA3 Hash - Remcos 3.x TLS Connection
    Note: the family tags conflict (AgentTesla, Emotet and Remcos all fire). The network evidence is consistent only with Remcos: a geoplugin.net geolocation lookup, a dynamic-DNS C2 at report1.duckdns.org and the Remcos 3.x JA3 alert. Block or watch the duckdns.org name rather than the IP alone, since DDNS C2 is expected to move.

13510 | 2023-05-04 17:59 | %23%23%23%23%23%23%23%23%23%23... | 7f8045b2c78195d846d5622d65574cf5 | 4.8 | M | 29 | ZeroCERT
    Tags: MS_RTF_Obfuscation_Objects; RTF File; doc; Malware download; VirusTotal; Malware; Malicious Traffic; buffers extracted; RWX flags setting; exploit crash; Exploit; DNS; crashed; Downloader
    URLs (1): http://198.46.178.145/50/vbc.exe
    Hosts (1): 198.46.178.145 - malicious
    IDS alerts (3): ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    Note: same RTF lure and downloader pattern as 13508 and 13512, different hash and a different staging host; the three documents share the "/<number>/vbc.exe" path layout.

13511 | 2023-05-04 17:59 | distributive095.exe | 5a2548ee26c5b3613a8096befe770a0f | 3.8 | - | 21 | ZeroCERT
    Tags: CoinMiner; Generic Malware; UPX; Malicious Library; Antivirus; OS Processor Check; PE32; PE File; VirusTotal; Malware; suspicious privilege; Check memory; Checks debugger; Creates shortcut; unpack itself; AppData folder; Windows; ComputerName; Cryptographic key
    URLs (5): http://iqowocguasswcmca.xyz:1775/api/client_hello; http://iqowocguasswcmca.xyz:1775/tasks/get_worker; http://iqowocguasswcmca.xyz:1775/api/client/new; http://iqowocguasswcmca.xyz:1775/tasks/collect; http://iqowocguasswcmca.xyz:1775/avast_update
    Hosts (2): iqowocguasswcmca.xyz(167.88.12.99); 167.88.12.99
    IDS alerts (1): ET HUNTING EXE Base64 Encoded potential malware
    Note: the paths (client_hello, client/new, get_worker, collect) read as a register, fetch-task, report loop over plain HTTP on port 1775; "avast_update" is a naming disguise, not an Avast endpoint. The only IDS hit is a hunting rule, so network detection for this sample depends on the domain and port, not on signatures.

13512 | 2023-05-04 17:56 | %23%23%23%23%23%23%23%23%23%23... | 5ee93a1d15d2d02268cf4755b7b5d7db | 5.0 | M | 27 | ZeroCERT
    Tags: MS_RTF_Obfuscation_Objects; RTF File; doc; Malware download; VirusTotal; Malware; Malicious Traffic; exploit crash; unpack itself; Windows; Exploit; DNS; crashed; Downloader
    URLs (2): http://198.46.178.145/40/vbc.exe - rule_id: 31781; http://198.46.178.145/40/vbc.exe
    Hosts (1): 198.46.178.145 - malicious
    IDS alerts (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    Matched URL (1): http://198.46.178.145/40/vbc.exe
    Note: third copy of the RTF downloader (see 13508 and 13510), using the same staging host as 13510 with a different path.

13513 | 2023-05-04 17:36 | rmq2.sqlite | 8bd6d529d731d52f498bac4f35ebe61b | 3.8 | - | - | BRY
    Tags: AntiDebug; AntiVM; Email Client Info Stealer; suspicious privilege; Checks debugger; Creates shortcut; unpack itself; installed browsers check; Browser; Email; ComputerName

13514 | 2023-05-04 10:07 | notice_may.3_23377.lnk | af543d8033c932f504f309c0d9760cbc | 3.6 | - | 19 | ZeroCERT
    Tags: RAT; Generic Malware; AntiDebug; AntiVM; OS Processor Check; GIF Format; VirusTotal; Malware; Code Injection; Check memory; Creates shortcut; RWX flags setting; suspicious process; Tofsee; Interception
    URLs (1): https://corporacionhardsoft.com/x/file.html
    Hosts (2): corporacionhardsoft.com(192.3.201.85); 192.3.201.85
    IDS alerts (3): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    Note: a .lnk shortcut that fetches a second stage over HTTPS. As in 13507, the Tofsee tag rests on a JA3 fingerprint alone and should not be read as family attribution; the two SURICATA TLS decode errors show the session was not well-formed TLS from the sensor's point of view.

13515 | 2023-05-04 10:05 | Zlfrtg.js | ea9ec000cbfecab623bfe5856a13b673 | 5.6 | - | - | ZeroCERT
    Tags: Generic Malware; Antivirus; AntiDebug; AntiVM; PowerShell; powershell; suspicious privilege; Code Injection; Check memory; Checks debugger; Creates shortcut; unpack itself; suspicious process; Windows; ComputerName; Cryptographic key
    URLs (3): http://172.86.121.196/1dLH/N732hRuGb6; http://209.97.158.104/GdLTZQ/dImZW2B8Bb; http://45.55.38.156/gUKoVsK/xb21muLALKo
    Note: a script dropper that hands off to PowerShell and tries three bare-IP download URLs with random-looking paths in turn; no host resolutions or IDS alerts were recorded for it, so the URLs are the only network indicators on this row.

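The rows above are mainly useful as indicators, and the flattened listing text is awkward to work by hand. The Python below is an added example (mine, not code from ZeroCERT or the sandbox) that pulls MD5s, URLs, public IPv4 addresses and name(ip) host pairs out of row text, drops the empty-file hash seen in 13503, defangs indicators for sharing, and pivots on addresses that recur across rows. SAMPLE_RECORDS is a constructed excerpt of rows 13503, 13508, 13509 and 13510 above; the function names and the regexes are my own.

```python
import ipaddress
import re
from collections import defaultdict

# MD5 of zero bytes. A sandbox row carrying this hash analysed an empty
# submission, so its behavioural tags say nothing about a sample.
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The listing writes resolved hosts as name(ip); capture both halves.
HOST_RE = re.compile(
    r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\((\d{1,3}(?:\.\d{1,3}){3})\)", re.IGNORECASE)

# Constructed excerpt: the URL, host and hash fields of four rows from the
# listing (13503, 13508, 13509, 13510), pasted as text. Not a live feed.
SAMPLE_RECORDS = {
    13503: "{54235D70-18D0-41D4-B34B-D968F... d41d8cd98f00b204e9800998ecf8427e AntiDebug AntiVM",
    13508: "http://109.105.198.239/80/vbc.exe fshovit8qcg8uvovvtixzg2.shmxodofaguezj() "
           "109.105.198.239 185.16.38.253 f51ba77ad7935cf732fc2fc5df33d75b",
    13509: "http://geoplugin.net/json.gp geoplugin.net(178.237.33.50) "
           "report1.duckdns.org(185.16.38.253) 178.237.33.50 185.16.38.253 "
           "43da6da02ab057b4b4b100c727b3fc69",
    13510: "http://198.46.178.145/50/vbc.exe 198.46.178.145 - malicious "
           "7f8045b2c78195d846d5622d65574cf5",
}


def public_ips(text):
    """Return the globally routable IPv4 addresses mentioned in text.

    The regex alone accepts junk such as 999.1.1.1 and would also keep the
    sandbox's own RFC 1918 or loopback addresses; ipaddress filters both.
    """
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip.is_global:
            found.add(str(ip))
    return found


def extract_iocs(text):
    """Pull hashes, URLs, public IPs and name->ip pairs out of one row's text."""
    md5s = {h.lower() for h in MD5_RE.findall(text)}
    return {
        "md5": md5s - {EMPTY_FILE_MD5},
        "empty_file": EMPTY_FILE_MD5 in md5s,
        "urls": set(URL_RE.findall(text)),
        "ips": public_ips(text),
        "domains": {name.lower(): ip for name, ip in HOST_RE.findall(text)},
    }


def defang(indicator):
    """Make a URL or hostname safe to paste into tickets and chat."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


def shared_infrastructure(records):
    """Map each public IP seen in more than one row to the sorted row IDs."""
    rows_by_ip = defaultdict(set)
    for row_id, text in records.items():
        for ip in extract_iocs(text)["ips"]:
            rows_by_ip[ip].add(row_id)
    return {ip: sorted(ids) for ip, ids in rows_by_ip.items() if len(ids) > 1}


if __name__ == "__main__":
    for row_id, text in sorted(SAMPLE_RECORDS.items()):
        iocs = extract_iocs(text)
        label = "EMPTY FILE, ignore tags" if iocs["empty_file"] else ""
        print(row_id, label, sorted(defang(u) for u in iocs["urls"]), sorted(iocs["ips"]))
    print("addresses shared between rows:", shared_infrastructure(SAMPLE_RECORDS))
```

Run as a script it prints the defanged URLs and public addresses per row and then the pivot; on the excerpt the pivot reports 185.16.38.253 in both 13508 and 13509, the RTF downloader and the Remcos sample sharing one address, which is the link worth chasing before either hash is treated in isolation.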