13531 | 2023-05-03 09:59
index.html.ps1 | d5ab587aaa4bf24d17ab42179b798b10
Tags: Generic Malware Antivirus PowerShell Malware download VirusTotal Malware powershell Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (2):
  http://mockbin.org/bin/e8bfd045-2b14-4afc-9372-b723f7d76918
  http://run.mocky.io/v3/acea62da-ca05-46d1-bb80-0b036af7467c
Hosts (4):
  mockbin.org (172.64.162.25)
  run.mocky.io (185.42.117.108) - mailcious
  185.42.117.108 - mailcious
  172.64.162.25
Signatures (3):
  ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
  ET HUNTING Suspicious Possible Process Dump in POST body
  ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
10.0 | M | 4 | ZeroCERT

13532 | 2023-05-03 09:55
C897.wsf | 0bcf775ec79da95d6651eae432150277
Tags: VBScript WMI heapspray wscript.exe payload download Tofsee ComputerName Dropper
URLs (4):
  https://tridayaonline.com/rf7H/1203
  https://abragest.com/yKmmLBY/170
  https://puntoproduction.com/87bacDu/1704
  https://demosites.live/zAjzkL/200
Hosts (8):
  abragest.com (192.185.79.168)
  demosites.live (108.167.180.121)
  puntoproduction.com (162.241.194.193)
  tridayaonline.com (103.41.206.174)
  108.167.180.121
  162.241.194.193
  192.185.79.168
  103.41.206.174
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | ZeroCERT

13533 | 2023-05-03 09:55
C713.wsf | ad4bcd97e9014f9f76b05d5db8b1e273
Tags: VBScript WMI heapspray wscript.exe payload download ICMP traffic Tofsee ComputerName Dropper
URLs (4):
  https://tridayaonline.com/rf7H/1203
  https://puntoproduction.com/87bacDu/1704
  https://abragest.com/yKmmLBY/170
  https://demosites.live/zAjzkL/200
Hosts (8):
  puntoproduction.com (162.241.194.193)
  abragest.com (192.185.79.168)
  tridayaonline.com (103.41.206.174)
  demosites.live (108.167.180.121)
  108.167.180.121
  162.241.194.193
  192.185.79.168
  103.41.206.174
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | ZeroCERT

13534 | 2023-05-03 09:44
vbc.exe | f9fbfee491440e919bf3ee8df7f415aa
Tags: .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
Hosts (1)
3.2 | M | 42 | ZeroCERT

13535 | 2023-05-03 09:42
sc64.dll | 4c09e8e3a1d837f125ea9f9c0c2c5380
Tags: SystemBC Malicious Packer Antivirus DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS
Hosts (2):
  65.21.119.52
  104.21.96.152 - malware
2.4 | M | 50 | ZeroCERT

13536 | 2023-05-03 09:40
v1.exe | 1c87be3086b35f72e87666036310df86
Tags: RAT Generic Malware UPX Malicious Library OS Processor Check PE64 PE File VirusTotal Malware unpack itself Windows crashed
3.8 | M | 35 | ZeroCERT

13537 | 2023-05-03 09:38
vbc.exe | 5bc95f5d8d3bf878098d8527bc679545
Tags: Formbook PWS .NET framework RAT UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs (1):
  http://www.fli.group/ks01/?nPnpM8=1EfQ0SVXos7sLdVncSxTg7GUfvRN4m+VNvNBYPmAJ9xpwJKYkIfU72FqX1K4zwn3vLUKf7fu&Lh0l=ZTdp62D0f
Hosts (3):
  www.hallmarkcontractors.africa ()
  www.fli.group (34.102.136.180)
  34.102.136.180 - mailcious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
8.8 | M | 45 | ZeroCERT

13538 |
2023-05-03 09:38
|
%23%23%23%23%23%23%23%23%23%23... 4666ed7dbe4480fa15249382b4d8a296 MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed Downloader |
1
http://75.127.7.184/46/vbc.exe
|
2
65.21.119.52 75.127.7.184 - malware
|
3
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
4.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
13539 | 2023-05-03 09:37
am.exe | c23d62c9166ae248fe9fe078328182f9
Tags: RAT SystemBC UPX Malicious Packer Malicious Library Antivirus OS Processor Check PE32 PE File .NET EXE DLL PE64 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns PDB Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS
URLs (6):
  http://tadogem.com/dF30Hn4m/index.php?scr=1
  http://tadogem.com/dF30Hn4m/index.php
  http://tadogem.com/dF30Hn4m/Plugins/cred64.dll
  http://tadogem.com/dF30Hn4m/Plugins/clip64.dll
  https://nftday.art/rundll32.exe
  https://nftday.art/sc64.dll
Hosts (5):
  nftday.art (172.67.151.248) - malware
  tadogem.com (172.67.183.249) - malware
  65.21.119.52
  104.21.32.126
  104.21.96.152 - malware
Signatures (2):
  ET MALWARE Amadey CnC Check-In
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | M | 53 | ZeroCERT

13540 | 2023-05-03 09:35
%23%23%23%23%23%23%23%23%23%23... | bdff5c8782a221578cb25c9a8c076ff3
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (1):
  http://198.46.178.145/40/vbc.exe
Hosts (1):
  198.46.178.145 - mailcious
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.2 | ZeroCERT

13541 | 2023-05-03 09:33
%23%23%23%23%23%23%23%23%23%23... | fc01e8909cd645434c82378c485c6aa7
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://www.eyelid.life/ks01/?2d=8rShw7wJxEptaFTQff8lMyjLWyKzmaTsdR/zpHphK8l0c9xMUYXECCyCH9CJ9wojd8KKPGKf&CXaDf=fTCLVPZpt04TEV7
  http://185.225.74.77/000000_____/vbc.exe
Hosts (4):
  www.thenergy.africa ()
  www.eyelid.life (118.27.125.222)
  118.27.125.222
  185.225.74.77 - malware
Signatures (9):
  ET INFO Observed DNS Query to .life TLD
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO HTTP Request to Suspicious *.life Domain
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
5.0 | M | 31 | ZeroCERT

13542 | 2023-05-03 09:33
Setup2.exe | c80864ec4f40c15a4589d19a1e6cd3ca
Tags: RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger RWX flags setting unpack itself crashed
3.2 | M | 43 | ZeroCERT

13543 | 2023-05-03 09:31
v1.exe | 2d1952dc0776774b3d9366412a44de4d
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware Buffer PE PDB Checks debugger buffers extracted unpack itself sandbox evasion ComputerName
Hosts (1):
  akncteplcvwufmhwurtde4eunbsher5.noqycpnanw01gd0x ()
4.0 | M | 49 | ZeroCERT

13544 | 2023-05-03 09:31
rundll32.exe | 1d81057710dc737ffee88f7f8b0ef90c
Tags: RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger RWX flags setting unpack itself DNS crashed
Hosts (1)
3.2 | M | 16 | ZeroCERT

13545 | 2023-05-03 09:29
vbc.exe | 407a4475933399d86b822c4ed5a6393b
Tags: PWS .NET framework Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
13.2 | M | 40 | ZeroCERT