Sample 13741 | 2023-04-20 17:38
File: vbc.exe
MD5: 0cb1700a54841134f8b9cbd702897e82
Tags: PWS, .NET framework, RAT, Hide_EXE, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself
URLs (11):
  http://www.jawstraping.com/t6t4/
  http://www.antifa-west.org/t6t4/?EUd=ssGDlaKvrM1Gs2+sD8JdC0DLeKE3dUnUQ6mTAZG8EY8ootQconb5U719Xwf9arvCoKYUBxAQQ/mbWT7dDEoxYepTxrisSFFRvpnacVE=&DIL=J2BnYp2ZA
  http://www.tanforks.xyz/t6t4/?EUd=fX3XyOzAJM6oM04o/7g23Zy7c/HdQQcghoeFNAWsBFGOx4rN1X7qcFb4Fe0DTcTs0H0+AvSr72QhSydJENna4UFVgzP/3/gTg0f6ty0=&DIL=J2BnYp2ZA
  http://www.infomysaturn.com/t6t4/
  http://www.infomysaturn.com/t6t4/?EUd=J+lWmOWzRFYb6ZGDJg/c/uE65ROAxLP5sGlhcaPxy1usod+H/MjcFynVlrmwAULXY1vEuzPNHPQSWuniw4+JBk2ZSmFmkZPZ/PPuHLo=&DIL=J2BnYp2ZA
  http://www.atwtjasasbdh.com/t6t4/?EUd=6X+nuai3+Gul66mjmQ28c0ZlmwwgXmcEpPDIIfk72o6E0RnRG4ylaYKqyh5Ae9yw6Vvu+qYeGcoVzp60AAD0y2SwNXIc8Uem2VD5Cms=&DIL=J2BnYp2ZA
  http://www.atwtjasasbdh.com/t6t4/
  http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
  http://www.jawstraping.com/t6t4/?EUd=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&DIL=J2BnYp2ZA
  http://www.tanforks.xyz/t6t4/
  http://www.topsecretboutiqueec.com/t6t4/
Hosts (13):
  www.topsecretboutiqueec.com (92.38.150.138)
  www.antifa-west.org (142.250.76.147)
  www.infomysaturn.com (204.27.56.195)
  www.jawstraping.com (162.240.74.72)
  www.tanforks.xyz (162.0.228.125)
  www.atwtjasasbdh.com (38.47.108.116)
  162.0.228.125 - malicious
  38.47.108.116
  45.33.6.223
  162.240.74.72
  172.217.25.19
  92.38.150.138
  204.27.56.195
IDS alerts (3):
  ET MALWARE FormBook CnC Checkin (GET)
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 7.8 | ZeroCERT

Sample 13742 | 2023-04-20 17:37
File: vbc.exe
MD5: 0455be9da54c7231fea1f2fae056f36d
Tags: UPX, Malicious Library, OS Processor Check, PE32, PE File, VirusTotal, Malware, unpack itself, Remote Code Execution, DNS
URLs: none listed
Hosts (1): entries not shown
IDS alerts: none listed
Score: 2.8 | M | 51 | ZeroCERT

Sample 13743 | 2023-04-20 17:36
File: vbc.exe
MD5: c1ddc7e96d1bdfc49881c4efb2876d8d
Tags: RAT, Malicious Library, AntiDebug, AntiVM, PE64, PE File, FormBook, Malware download, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (9):
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.gritslab.com/u2kb/?rQD=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&V4DcA-=d7DTsKri - rule_id: 28002
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.222ambking.org/u2kb/?rQD=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&V4DcA-=d7DTsKri - rule_id: 28004
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.white-hat.uk/u2kb/?rQD=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&V4DcA-=d7DTsKri - rule_id: 28001
  http://www.bitservicesltd.com/u2kb/?rQD=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&V4DcA-=d7DTsKri - rule_id: 28003
  http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
  http://www.222ambking.org/u2kb/ - rule_id: 28004
Hosts (11):
  www.gritslab.com (78.141.192.145) - malicious
  www.energyservicestation.com (213.145.228.111) - malicious
  www.222ambking.org (91.195.240.94) - malicious
  www.bitservicesltd.com (161.97.163.8) - malicious
  www.white-hat.uk (94.176.104.86) - malicious
  91.195.240.94 - phishing
  78.141.192.145 - malicious
  213.145.228.111 - malicious
  94.176.104.86 - malicious
  161.97.163.8 - malicious
  45.33.6.223
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (8):
  http://www.gritslab.com/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.white-hat.uk/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.222ambking.org/u2kb/
Score: 6.6 | M | 12 | ZeroCERT

Sample 13744 | 2023-04-20 17:35
File: tram.exe
MD5: 20974e780438e87cf0fab2e4c10aa72a
Tags: UPX, MPRESS, PE64, PE File, VirusTotal, Malware, crashed
URLs: none listed
Hosts: none listed
IDS alerts: none listed
Score: 1.6 | M | 25 | ZeroCERT

Sample 13745 | 2023-04-20 17:23
File: 20230418_1735061.html
MD5: 3ef259cbd9758da0bb705ab29e7ad69b
Tags: Generic Malware, Browser Info Stealer, MachineGuid, Code Injection, Checks debugger, exploit crash, unpack itself, installed browsers check, Exploit, Browser, crashed
URLs: none listed
Hosts: none listed
IDS alerts: none listed
Score: 3.6 | M | ZeroCERT

13746 |
2023-04-20 17:08
|
##############################... 533f738ac129a1b829a11c860fa4908e MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash IP Check Tofsee Windows Gmail Exploit DNS crashed Downloader |
2
https://api.ipify.org/
http://107.175.202.201/50/vbc.exe
|
5
api.ipify.org(64.185.227.155)
smtp.gmail.com(74.125.204.108) 107.175.202.201 - malware
173.231.16.77
74.125.204.108
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SURICATA Applayer Detect protocol only one direction
|
|
5.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sample 13747 | 2023-04-20 16:39
File: ##############################...
MD5: e35378796dfe5bd6db6e12178247de53
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, FormBook, Malware download, Malware, Malicious Traffic, exploit crash, Windows, Exploit, DNS, crashed, Downloader
URLs (11):
  http://www.jawstraping.com/t6t4/
  http://www.infomysaturn.com/t6t4/
  http://www.jawstraping.com/t6t4/?tgsBCfY=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&XpfTw=NmpJ
  http://www.atwtjasasbdh.com/t6t4/
  http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
  http://www.antifa-west.org/t6t4/?tgsBCfY=ssGDlaKvrM1Gs2+sD8JdC0DLeKE3dUnUQ6mTAZG8EY8ootQconb5U719Xwf9arvCoKYUBxAQQ/mbWT7dDEoxYepTxrisSFFRvpnacVE=&XpfTw=NmpJ
  http://www.infomysaturn.com/t6t4/?tgsBCfY=J+lWmOWzRFYb6ZGDJg/c/uE65ROAxLP5sGlhcaPxy1usod+H/MjcFynVlrmwAULXY1vEuzPNHPQSWuniw4+JBk2ZSmFmkZPZ/PPuHLo=&XpfTw=NmpJ
  http://www.tanforks.xyz/t6t4/
  http://www.atwtjasasbdh.com/t6t4/?tgsBCfY=6X+nuai3+Gul66mjmQ28c0ZlmwwgXmcEpPDIIfk72o6E0RnRG4ylaYKqyh5Ae9yw6Vvu+qYeGcoVzp60AAD0y2SwNXIc8Uem2VD5Cms=&XpfTw=NmpJ
  http://154.91.202.45/90/vbc.exe
  http://www.tanforks.xyz/t6t4/?tgsBCfY=fX3XyOzAJM6oM04o/7g23Zy7c/HdQQcghoeFNAWsBFGOx4rN1X7qcFb4Fe0DTcTs0H0+AvSr72QhSydJENna4UFVgzP/3/gTg0f6ty0=&XpfTw=NmpJ
Hosts (12):
  www.atwtjasasbdh.com (103.214.22.44)
  www.infomysaturn.com (204.27.56.195)
  www.antifa-west.org (142.250.76.147)
  www.jawstraping.com (162.240.74.72)
  www.tanforks.xyz (162.0.228.125)
  20.239.166.104
  154.91.202.45 - malicious
  142.250.204.51
  162.0.228.125 - malicious
  162.240.74.72
  45.33.6.223
  204.27.56.195
IDS alerts (10):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 3.6 | ZeroCERT

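The host and URL columns in the FormBook samples above (13741, 13743 and 13747) are the sandbox's free-text output; to push them into a blocklist or correlate samples you have to parse them. The Python below is an added example, not ZeroCERT's code. It splits the "name(ip) - label" host entries (normalising the sandbox's own "mailcious" spelling to "malicious") and, for each URL, pulls out the C2 host, the short directory path and the value of the first query parameter. Two assumptions are drawn only from the URLs on this page: that a FormBook check-in path is a single four-character alphanumeric directory (as with /t6t4/ and /u2kb/), and that the first query parameter's value is the part worth keying on, since 13741 and 13747 carry the same value for www.jawstraping.com under different parameter names (EUd versus tgsBCfY). The sample inputs are constructed by copying cells from the listing.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs copied from the listing above (sample 13743's host cell,
# and the jawstraping.com check-in URL as it appears in 13741 and in 13747).
HOSTS_13743 = (
    "www.gritslab.com(78.141.192.145) - mailcious "
    "www.energyservicestation.com(213.145.228.111) - mailcious "
    "91.195.240.94 - phishing 45.33.6.223"
)
URL_13741 = "http://www.jawstraping.com/t6t4/?EUd=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&DIL=J2BnYp2ZA"
URL_13747 = "http://www.jawstraping.com/t6t4/?tgsBCfY=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&XpfTw=NmpJ"
SQLITE_URL = "http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip"

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Either "name(ip)" or a bare ip, each optionally followed by " - label".
_HOST_RE = re.compile(
    rf"(?:(?P<name>[A-Za-z0-9.-]+)\((?P<ip>{_IP})\)|(?P<bare>{_IP}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"
)
# The sandbox spells its own tag "mailcious"; normalise it on the way out.
_LABEL_FIX = {"mailcious": "malicious"}


def parse_hosts(cell):
    """Split a host cell into dicts with name (None for bare IPs), ip and label."""
    entries = []
    for m in _HOST_RE.finditer(cell):
        label = m.group("label")
        entries.append({
            "name": m.group("name"),
            "ip": m.group("ip") or m.group("bare"),
            "label": _LABEL_FIX.get(label, label),
        })
    return entries


# Assumption (from this page only): a check-in path is one short
# alphanumeric directory such as /t6t4/ or /u2kb/.
_CHECKIN_PATH = re.compile(r"^/[a-z0-9]{4}/$")


def formbook_checkin(url):
    """Return (host, path, blob) for a check-in URL, or None for anything else.

    blob is the value of the first query parameter, or None for a bare GET to
    the directory. The parameter name changes between samples; the value is
    what you compare.
    """
    parts = urlsplit(url)
    if not _CHECKIN_PATH.match(parts.path):
        return None
    blob = None
    if parts.query:
        first = parts.query.split("&", 1)[0]
        blob = first.split("=", 1)[1] if "=" in first else first
    return parts.hostname, parts.path, blob


def same_campaign(url_a, url_b):
    """True when two check-in URLs hit the same host with the same blob."""
    a, b = formbook_checkin(url_a), formbook_checkin(url_b)
    if a is None or b is None or a[2] is None:
        return False
    return a[0] == b[0] and a[2] == b[2]


if __name__ == "__main__":
    for h in parse_hosts(HOSTS_13743):
        print(h)
    print(formbook_checkin(URL_13741))
    print("13741/13747 share a blob:", same_campaign(URL_13741, URL_13747))
    print("sqlite download treated as check-in:", formbook_checkin(SQLITE_URL) is not None)
```

The bare-IP lines the sandbox emits after the named hosts are resolved addresses repeated without a name, so a blocklist built from parse_hosts() should dedupe on the ip field. The sqlite.org download that appears in every FormBook run is rejected by the path test and kept out of the C2 set.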
Sample 13748 | 2023-04-20 13:25
File: ##############################...
MD5: 0817ef065eab1d86f70a24c0100a62e2
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, IP Check, Tofsee, Windows, Gmail, Exploit, DNS, crashed, Downloader
URLs (2):
  http://107.175.202.201/60/vbc.exe
  https://api.ipify.org/
Hosts (5):
  api.ipify.org (104.237.62.211)
  smtp.gmail.com (64.233.188.108)
  107.175.202.201 - malware
  173.231.16.77
  64.233.188.109
IDS alerts (9):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.8 | 29 | ZeroCERT

Sample 13749 | 2023-04-20 11:38
File: gGEVTqnUyq.vbs
MD5: 21bdef1fee01151e1cebefa3316a20b9
Tags: Generic Malware, Antivirus, PowerShell, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
URLs (1):
  http://167.114.77.24:222/t.png
Hosts (1): entries not shown
IDS alerts: none listed
Score: 4.8 | ZeroCERT

Sample 13750 | 2023-04-20 11:29
File: 20230418_1735061.html
MD5: 65c643adac6706ce4962cf3b4ad8c586
Tags: Generic Malware, Browser Info Stealer, MachineGuid, Code Injection, Checks debugger, exploit crash, unpack itself, installed browsers check, Exploit, Browser, crashed
URLs: none listed
Hosts: none listed
IDS alerts: none listed
Score: 3.6 | ZeroCERT

Sample 13751 | 2023-04-20 11:27
File: Bqkz.hta
MD5: 8c6959b88a7a4b5e90abc355cc0af014
Tags: Generic Malware, Antivirus, AntiDebug, AntiVM, PowerShell, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, RWX flags setting, unpack itself, powershell.exe wrote, suspicious process, Windows, ComputerName, Cryptographic key
URLs (8):
  https://hotellosmirtos.com/sjn/x9TKiyLLkT
  https://zainco.net/OdOU/D0YU3GE
  https://citytech-solutions.com/6Mh1k/JDoJb
  https://nayadofoundation.org/wXaKm/F5MnHFq
  https://carladvogadatributaria.com/tvnq9/eGbRBey8o7Mk
  https://mrcrizquna.com/L7ccN/kUAFglmgW
  https://gsscorporationltd.com/okSfj/QBoaDPRP5hF
  https://erg-eg.com/ocmb/V4PjenCL
Hosts: none listed
IDS alerts: none listed
Score: 4.8 | ZeroCERT

Sample 13752 | 2023-04-20 11:25
File: Njguoo.hta
MD5: 6d3e7575bc3016353e43b00a21c2d3eb
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), Antivirus, AntiDebug, AntiVM, PowerShell, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, RWX flags setting, unpack itself, powershell.exe wrote, suspicious process, Windows, ComputerName, Cryptographic key
URLs (8):
  https://citytech-solutions.com/6Mh1k/B7EHsbUXqkf
  https://erg-eg.com/ocmb/tvbjS
  https://carladvogadatributaria.com/tvnq9/THWkL
  https://mrcrizquna.com/L7ccN/PifjJ75h3
  https://hotellosmirtos.com/sjn/7yDzZW
  https://nayadofoundation.org/wXaKm/EDtmGrL
  https://gsscorporationltd.com/okSfj/gdOqVcscfx
  https://zainco.net/OdOU/9S6oZW8
Hosts: none listed
IDS alerts: none listed
Score: 4.8 | ZeroCERT

Sample 13753 | 2023-04-20 11:22
File: Complaint_Copy_798708.wsf
MD5: c91431eb09675290e644c2e8a07213cd
Tags: VBScript, wscript.exe payload download, DNS, Dropper
URLs (1):
  http://85.239.53.73/aO03psmvtKQU.dat
Hosts (1): entries not shown
IDS alerts: none listed
Score: 10.0 | ZeroCERT

Sample 13754 | 2023-04-20 11:22
File: invoice-1882938472_pdf.vbs
MD5: ec28a8ac995eba2a726d68817ccec30b
Tags: unpack itself, crashed
URLs: none listed
Hosts: none listed
IDS alerts: none listed
Score: 0.6 | ZeroCERT

Sample 13755 | 2023-04-20 11:21
File: clip64.dll
MD5: f577e9f9bb3716a1405af573fbf2afb4
Tags: UPX, Admin Tool (Sysinternals etc ...), Malicious Library, OS Processor Check, DLL, PE32, PE File, VirusTotal, Malware, PDB, Checks debugger, unpack itself
URLs: none listed
Hosts: none listed
IDS alerts: none listed
Score: 2.0 | M | 52 | ZeroCERT