13621 |
2023-04-26 18:16
|
services.exe 169457576b3c270c112f87cdfefdb688 NPKI RAT PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
25 |
ZeroCERT
13622 |
2023-04-26 18:15
|
vbc.exe fe889bf209a5e139d07c128c6d0ba877 Formbook PWS .NET framework RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key crashed |
4
http://www.ahmedhussein.tech/my28/?kFQl2H=X1+ORJ0PqquAMwqRkudv2MXmW9g+6c2tmFrHnXo+N3P5UuIjhh51ghREFDJwWuIRTjSnOhJv&oX9=_0GXHXQPdFBhZ
http://www.ki-ror.se/my28/?kFQl2H=4lfbIkXHco+fuMDhz2Un+xLdCLWdE3L2wwFDQBldcMLfj96ewRmoLvxyaijxNRtmHQY8ZyKd&oX9=_0GXHXQPdFBhZ
http://www.davideal.com/my28/?kFQl2H=g8afGKt5BcK8YWBpPCZ4/pxfgmmwdPBJ2VKmtBKY2hxTlxLpEHHrWffhk8WAXZeJbBDqIDJo&oX9=_0GXHXQPdFBhZ
http://172.245.214.178/007/Dblvvr.dat
|
8
www.ahmedhussein.tech(84.32.84.32)
www.ki-ror.se(194.9.94.85)
www.immernochlustig.com()
www.davideal.com(18.119.154.66)
84.32.84.32
194.9.94.86 - mailcious
18.119.154.66 - mailcious
172.245.214.178 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
11.6 |
M |
44 |
ZeroCERT
13623 |
2023-04-26 18:14
|
Hpzplthjq.exe fffbb8afb4ca73ec2063d73427c847fe PWS .NET framework NPKI RAT Generic Malware Anti_VM Antivirus AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS Cryptographic key |
|
2
api.telegram.org(149.154.167.220)
149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
M |
27 |
ZeroCERT
13624 |
2023-04-26 18:13
|
vbc.exe e5a5bcc3b19a3ff03d5643d1691678d1 Formbook NSIS UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
18
http://www.gritslab.com/u2kb/?bN=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28002
http://www.222ambking.org/u2kb/?bN=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28004
http://www.gritslab.com/u2kb/ - rule_id: 28002
http://www.shapshit.xyz/u2kb/?bN=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28008
http://www.energyservicestation.com/u2kb/ - rule_id: 28005
http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
http://www.white-hat.uk/u2kb/?bN=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28001
http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
http://www.shapshit.xyz/u2kb/ - rule_id: 28008
http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
http://www.thedivinerudraksha.com/u2kb/?bN=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28009
http://www.bitservicesltd.com/u2kb/?bN=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28003
http://www.younrock.com/u2kb/?bN=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28006
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip
http://www.thewildphotographer.co.uk/u2kb/?bN=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28007
http://www.222ambking.org/u2kb/ - rule_id: 28004
http://www.energyservicestation.com/u2kb/?bN=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&vuYmv=HiDvhwDDT1tM7q - rule_id: 28005
http://www.younrock.com/u2kb/ - rule_id: 28006
|
19
www.thewildphotographer.co.uk(45.33.30.197) - mailcious
www.gritslab.com(78.141.192.145) - mailcious
www.shapshit.xyz(199.192.30.147) - mailcious
www.energyservicestation.com(213.145.228.111) - mailcious
www.222ambking.org(91.195.240.94) - mailcious
www.bitservicesltd.com(161.97.163.8) - mailcious
www.thedivinerudraksha.com(85.187.128.34) - mailcious
www.white-hat.uk(94.176.104.86) - mailcious
www.younrock.com(81.17.18.195) - mailcious
91.195.240.94 - phishing
85.187.128.34 - mailcious
78.141.192.145 - mailcious
199.192.30.147 - mailcious
213.145.228.111 - mailcious
94.176.104.86 - mailcious
96.126.123.244 - mailcious
63.141.242.43 - mailcious
161.97.163.8 - mailcious
45.33.6.223
|
3
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
17
http://www.gritslab.com/u2kb/
http://www.222ambking.org/u2kb/
http://www.gritslab.com/u2kb/
http://www.shapshit.xyz/u2kb/
http://www.energyservicestation.com/u2kb/
http://www.thewildphotographer.co.uk/u2kb/
http://www.white-hat.uk/u2kb/
http://www.thedivinerudraksha.com/u2kb/
http://www.shapshit.xyz/u2kb/
http://www.bitservicesltd.com/u2kb/
http://www.thedivinerudraksha.com/u2kb/
http://www.bitservicesltd.com/u2kb/
http://www.younrock.com/u2kb/
http://www.thewildphotographer.co.uk/u2kb/
http://www.222ambking.org/u2kb/
http://www.energyservicestation.com/u2kb/
http://www.younrock.com/u2kb/
|
4.4 |
M |
38 |
ZeroCERT
13625 |
2023-04-26 18:13
|
Nfjyejcuamv.exe acab984940bec865cd71484a347f19ef PWS .NET framework RAT Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware powershell Telegram AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
3
api.telegram.org(149.154.167.220)
5.75.134.144
149.154.167.220
|
4
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
|
|
13.4 |
M |
41 |
ZeroCERT
13626 |
2023-04-26 18:12
|
v123.exe 77437c98a8d412e5d30f155b4ebb01f1 RAT PE64 PE File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
41 |
ZeroCERT
13627 |
2023-04-26 18:10
|
4496UxfTzlWPSipCNwsExWDmnyON.e... a5e6069290231f257359111967312e62 UPX Malicious Packer Malicious Library OS Processor Check PE64 PE File VirusTotal Malware |
|
|
|
|
1.4 |
M |
42 |
ZeroCERT
13628 |
2023-04-26 18:08
|
%23%23%23%23%23%23%23%23%23%23... 8abfd578bb043d2795ee00c838fb9c68 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
2
http://172.245.214.178/007/Dblvvr.dat
http://172.245.214.178/24/vbc.exe
|
1
172.245.214.178 - phishing
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
33 |
ZeroCERT
13629 |
2023-04-26 18:08
|
nxmr.exe 41ab08c1955fce44bfd0c76a64d1945a PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency DNS |
|
1
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 20
ET POLICY Cryptocurrency Miner Checkin
|
|
2.2 |
M |
46 |
ZeroCERT
13630 |
2023-04-26 16:27
|
Fyeiilfzrf.dll 69b4e6d6e95ffa9081b6f85baba7bad9 Suspicious_Script_Bin |
|
|
|
|
|
|
|
guest
13631 |
2023-04-26 13:24
|
UpdateCheck.bat bc34fd92d1882dc20f5472c8ff1e4070 Generic Malware Downloader UPX Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM PE32 PE File VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities AppData folder WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.0 |
|
5 |
ZeroCERT
13632 |
2023-04-26 09:54
|
install.exe 4e5ee4f3a7bedafc362f50ab73608ad7 PWS .NET framework NPKI RAT PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed |
|
|
|
|
7.4 |
M |
25 |
ZeroCERT
13633 |
2023-04-26 09:51
|
services.exe 0d009ea0386e4668e4fe910f13092bf4 NPKI UPX OS Processor Check PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
40 |
ZeroCERT
13634 |
2023-04-26 09:48
|
tryme.ps1 641680e7fec9daae06d736941db655d1 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.8 |
M |
7 |
ZeroCERT
13635 |
2023-04-26 09:48
|
reverse.exe d32a31a376731f31251a2d17ea3828bf PE64 PE File VirusTotal Malware DNS crashed |
|
1
198.58.102.19 - mailcious
|
|
|
3.6 |
M |
47 |
ZeroCERT