13591 |
2023-04-28 09:07
Xjpclientser40.exe ffa8c73e6d2a1a51812008ec7f31105b PWS .NET framework NPKI RAT Generic Malware Downloader UPX Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM OS Processor Check .N VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
5.6 |
4 |
ZeroCERT
13592 |
2023-04-28 07:48
payload 994bde201ba16c5e33bba7d4e6cbe3f4 Loki_b Loki_m UPX Malicious Packer Malicious Library OS Processor Check PE32 PE File Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Malicious Traffic buffers extracted unpack itself Collect installed applications installed browsers check Ransomware Browser ComputerName Remote Code Execution Firmware DNS |
1
http://82.117.255.127/c2sock
1
1
SURICATA HTTP unable to match response to request
8.0 |
M |
41 |
ZeroCERT
13593 |
2023-04-28 07:23
d00390b7-c15a-4019-8240-7d3ab2... 116857ca1574a5a36da3bb0ddff32eac .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
2.0 |
M |
31 |
ZeroCERT
13594 |
2023-04-27 16:45
Thallium.exe 8edbcdafc2b2752bb2391b62e9093218 PhysicalDrive Malicious Packer PE32 PE File VirusTotal Malware unpack itself DNS crashed |
1
2.4 |
M |
52 |
ZeroCERT
13595 |
2023-04-27 16:45
ddata.jpg.ps1 24c94559b2c3b1a22b0b8a4b6447df2d Hide_EXE Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
7.0 |
M |
13 |
ZeroCERT
13596 |
2023-04-27 16:45
HY.exe a8ef418e2b5195e436df90c900c28f52 AgentTesla browser info stealer Google Chrome User Data Downloader ScreenShot Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM PE64 PE File Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser Email ComputerName DNS |
1
http://geoplugin.net/json.gp
3
geoplugin.net(178.237.33.50) 178.237.33.50 198.50.231.138
1
ET JA3 Hash - Remcos 3.x TLS Connection
13.0 |
M |
46 |
ZeroCERT
13597 |
2023-04-27 16:44
Mjmbjbvye.exe 042f6ee1428d19409c719956e83f00a8 PWS .NET framework NPKI RAT Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
api.telegram.org(149.154.167.220) 5.75.134.144 - mailcious 149.154.167.220
4
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 |
M |
37 |
ZeroCERT
13598 |
2023-04-27 15:21
host1.exe 4911f551695218389a6730f551720e5d RAT Generic Malware task schedule Anti_VM ScreenShot AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer NetWireRC VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Checks Bios Detects VMWare Check virtual network interfaces AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Tofsee DCRat Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
3
pastebin.com(172.67.34.170) - mailcious 94.131.112.154 - mailcious 104.20.68.143 - mailcious
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE DCRAT Activity (GET) ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
17.4 |
M |
17 |
ZeroCERT
13599 |
2023-04-27 15:18
system32.exe 925a33d545b81303f95076ca52264c0a RAT AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
8.6 |
M |
38 |
ZeroCERT
13600 |
2023-04-27 15:00
https://dl-mail.ymail.com/ws/d... AntiDebug AntiVM Code Injection unpack itself Windows utilities Tofsee Windows |
2
https://apis.mail.yahoo.com/ws/v3/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/refresh?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975 https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/raw?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&token=uDdRaaIpkxJyV0akyTfVtC7n1FhmsdJB7bDv_XH6K6bCQOXFxgkBkwEAZNsu-_QFvV_5i5_L4E4NWtq013TBfcZCGX32myhohFrRcQRPMX0YejtWOpAjLBddP6PWGYs9&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975
4
apis.mail.yahoo.com(119.161.5.247) dl-mail.ymail.com(119.161.5.247) 119.161.15.251 119.161.16.11 - suspicious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 |
BRY
13601 |
2023-04-27 13:55
https://doc-0o-6g-docs.googleu... Downloader Create Service DGA Socket DNS Hijack Network Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges persistence FTP KeyLogger ScreenShot AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
https://doc-0o-6g-docs.googleusercontent.com/docs/securesc/q8je6j8obm7t17jhjscstc0jat9rmj14/mhab4581jbue6lrr5gcnd7t3pu0nmt18/1682532900000/01277628057901708782/01277628057901708782/1d3IDmY4HEzBkUtGWuPqn0WQ62JC97vNX?e=download&ax=ALy03A6SFE1lixz82LXDbyTgmcL17quXBI77UnwEShSybqXHb9cFZ3EhD9vourG6U4RICdtzVk2OBY2YtkfutqwXn5oec7vhcezlhlVufinT26Il9QR1cddoZYjSYaQQ_f5kx_hSrZ5VJUCpqrtzOgIqvMx3NhtFMqtpZ0PflCJxYsL9FOf44S16yhZ6FuZ7qFRkPY4taXoD3t8eFBm9JF2h4YIoT9I_hFIyOujiOayH3NZ8JezqddLKzwtnAMsMzPHOBlMMzer1LwAf7thnXibqMpHe7jXwsy4IXQGVvPdBVsrhfki5UbIH5ZJbXrgz_IgxWOypv4nQNDly1J-XE9tYXqCu6MR9EM1Sf6QyGW37A6CdF3R9z3crn2Gdb8uDM6XUNidOWpyeAczy50p2w0Fed5Pj-K2vGGE5FeyumXUYo1q8T2sC5gz79Y8K5bQ5Yrd5YJsiTTOoQDzLgzkWjARhLRCiVHJDCmOia2HIur4bEQZwVd-i6MPwN7SxBSL0yciICqiAklisrKZDB02wzWjJNR0cAg8q9l9GTefoC57s_MHVq4KjEJEz5yeHoRWux37S3ech1vjdRQnQCqlJ9HHKpR_2Rct0zYWf5H0pHnZmpBtAOBct7hvubZuFubyhR3n1Y8Tb1xkUstOLODRO8OjI1qZRphYTbhjbBJ7LW_p2q69brfc-Ih7vvUkZzg0w2V-1ZRcxX-sSvrK19cJmQHmemEcaqCYMOApaBdj6N
2
doc-0o-6g-docs.googleusercontent.com(172.217.161.193) - mailcious 172.217.27.1
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 |
BRY
13602 |
2023-04-27 11:36
x64.dll 679795d1f387d9a6bedda306964f7aca UPX Downloader Malicious Library OS Processor Check DLL PE64 PE File VirusTotal Malware PDB |
1.6 |
44 |
guest
13603 |
2023-04-27 11:33
x86.dll cc55779eab28eb65877eec251b731d5b UPX Downloader Malicious Library OS Processor Check DLL PE32 PE File VirusTotal Malware PDB |
1.4 |
54 |
guest
13604 |
2023-04-27 10:23
doc.ps1 f5e06be9bc58695ff043f1d9465fb519 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
4.8 |
2 |
ZeroCERT
13605 |
2023-04-27 10:05
vbc.exe c61c14e016aa835ade115c4e8463b20c NSIS UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD DNS |
13
http://www.moneyflowplant.com/hjdr/ http://www.zservers.xyz/hjdr/ - rule_id: 28386 http://www.xn--pdotrychler-l8a.ch/hjdr/?gyP=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&BpMI=3wJMt60D - rule_id: 28389 http://www.xn--pdotrychler-l8a.ch/hjdr/ - rule_id: 28389 http://www.howtrue.info/hjdr/?gyP=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&BpMI=3wJMt60D - rule_id: 28387 http://www.flamencovive.com/hjdr/?gyP=Q2x1/2XRNaCoEddx6sOZXLnv+KSTv7bV7HgPZNHBedwlTMxlPFbGwRMmBJS9SGXxHbGdmLM+AbQONc8TzqislaZC5YkVHeeGUBH5s5w=&BpMI=3wJMt60D http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip http://www.flamencovive.com/hjdr/ http://www.zservers.xyz/hjdr/?gyP=a/jwoO6Li4WGoMKhZK2qV7tdnllQ6mdQYsYFdFr7RisYjJd1Hm0f46xorIJmHDnVHKTR/o/1BaU+86MBDvdqY5CeL0wg/BcTjfumQVU=&BpMI=3wJMt60D - rule_id: 28386 http://www.amateurshow.online/hjdr/?gyP=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&BpMI=3wJMt60D - rule_id: 28385 http://www.howtrue.info/hjdr/ - rule_id: 28387 http://www.tugrow.top/hjdr/ - rule_id: 28388 http://www.tugrow.top/hjdr/?gyP=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&BpMI=3wJMt60D - rule_id: 28388
15
www.flamencovive.com(156.254.152.147) www.amateurshow.online(198.37.115.75) - mailcious www.xn--pdotrychler-l8a.ch(95.130.17.35) - mailcious www.moneyflowplant.com(62.77.152.57) www.zservers.xyz(103.42.108.46) - mailcious www.tugrow.top(66.29.131.66) - mailcious www.howtrue.info(184.168.113.29) - mailcious 95.130.17.35 - mailcious 103.42.108.46 - mailcious 184.168.113.29 - mailcious 62.77.152.57 66.29.131.66 - mailcious 198.37.115.75 - mailcious 45.33.6.223 156.254.152.147
6
ET INFO HTTP Request to a *.top domain ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Request to .TOP Domain with Minimal Headers
9
http://www.zservers.xyz/hjdr/ http://www.xn--pdotrychler-l8a.ch/hjdr/ http://www.xn--pdotrychler-l8a.ch/hjdr/ http://www.howtrue.info/hjdr/ http://www.zservers.xyz/hjdr/ http://www.amateurshow.online/hjdr/ http://www.howtrue.info/hjdr/ http://www.tugrow.top/hjdr/ http://www.tugrow.top/hjdr/
4.8 |
M |
38 |
ZeroCERT