13996 | 2023-04-20 23:21 | 5F3E84AE-45EF-4856-A65F-8595C0... | 915fdbd6c8acde570bc3f845be59df0c
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName
Score 3.4 | BRY

13997 | 2023-04-20 21:37 | microsoft.office.smartlookup.s... | 6b641f0499f31fa07001adf331bb415d
Tags: Anti_VM, crashed
Score 0.2 | BRY

13998 | 2023-04-20 21:29 | microsoft.office.smartlookup.s... | 6b641f0499f31fa07001adf331bb415d
Tags: Anti_VM, crashed
Score 0.2 | BRY

13999 | 2023-04-20 18:49 | blessed.exe | 901454073fbc77ac0854e0d7b9d37214
Tags: PWS, .NET framework, Admin Tool (Sysinternals etc ...), SMTP, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, PDB, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
URLs (1): not shown on the page
Hosts (2):
api.ipify.org(173.231.16.77)
173.231.16.77
Signatures (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 11.4 | M | VT 43 | ZeroCERT

14000 | 2023-04-20 18:47 | haddd.exe | 295d168271a2ac16dd17c7b5113876e9
Tags: Loki_b, Loki_m, RAT, Generic Malware, Malicious Library, Code injection, AntiDebug, AntiVM, PE64, PE File, DLL, VirusTotal, Malware, Buffer PE, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Windows, Advertising, Cryptographic key, crashed
Score 10.2 | VT 20 | ZeroCERT

14001 | 2023-04-20 17:42 | vbc.exe | f742053cbdcec12c128fa08914285311
Tags: RAT, Malicious Library, AntiDebug, AntiVM, PE64, PE File, VirusTotal, Malware, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, Windows, Cryptographic key
URLs (18):
http://www.gritslab.com/u2kb/ - rule_id: 28002
http://www.shapshit.xyz/u2kb/ - rule_id: 28008
http://www.bitservicesltd.com/u2kb/?zT=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&DcmN_=UH29gni5kTv7LF - rule_id: 28003
http://www.222ambking.org/u2kb/?zT=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&DcmN_=UH29gni5kTv7LF - rule_id: 28004
http://www.younrock.com/u2kb/?zT=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&DcmN_=UH29gni5kTv7LF - rule_id: 28006
http://www.gritslab.com/u2kb/?zT=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&DcmN_=UH29gni5kTv7LF - rule_id: 28002
http://www.energyservicestation.com/u2kb/ - rule_id: 28005
http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
http://www.shapshit.xyz/u2kb/?zT=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&DcmN_=UH29gni5kTv7LF - rule_id: 28008
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
http://www.thewildphotographer.co.uk/u2kb/?zT=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&DcmN_=UH29gni5kTv7LF - rule_id: 28007
http://www.energyservicestation.com/u2kb/?zT=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&DcmN_=UH29gni5kTv7LF - rule_id: 28005
http://www.thedivinerudraksha.com/u2kb/?zT=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&DcmN_=UH29gni5kTv7LF - rule_id: 28009
http://www.white-hat.uk/u2kb/?zT=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&DcmN_=UH29gni5kTv7LF - rule_id: 28001
http://www.222ambking.org/u2kb/ - rule_id: 28004
http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (19):
www.thewildphotographer.co.uk(96.126.123.244) - malicious
www.gritslab.com(78.141.192.145) - malicious
www.shapshit.xyz(199.192.30.147) - malicious
www.energyservicestation.com(213.145.228.111) - malicious
www.222ambking.org(91.195.240.94) - malicious
www.bitservicesltd.com(161.97.163.8) - malicious
www.thedivinerudraksha.com(85.187.128.34) - malicious
www.white-hat.uk(94.176.104.86) - malicious
www.younrock.com(81.17.18.196) - malicious
192.187.111.222 - phishing
91.195.240.94 - phishing
85.187.128.34 - malicious
78.141.192.145 - malicious
199.192.30.147 - malicious
213.145.228.111 - malicious
94.176.104.86 - malicious
72.14.178.174
161.97.163.8 - malicious
45.33.6.223
Signatures (1):
ET HUNTING Request to .XYZ Domain with Minimal Headers
Malicious URLs (17): http://www.gritslab.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.white-hat.uk/u2kb/ http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/
Score 9.4 | M | VT 47 | ZeroCERT

14002 | 2023-04-20 17:40 | vbc.exe | 6242a5f710c22a75e71aa48b4e195e6d
Tags: UPX, Malicious Library, PE32, PE File, Formbook, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, ICMP traffic, unpack itself
URLs (18):
http://www.thedivinerudraksha.com/u2kb/?Ul=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&Zort=BWokrMw18vT - rule_id: 28009
http://www.gritslab.com/u2kb/ - rule_id: 28002
http://www.energyservicestation.com/u2kb/?Ul=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&Zort=BWokrMw18vT - rule_id: 28005
http://www.bitservicesltd.com/u2kb/?Ul=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&Zort=BWokrMw18vT - rule_id: 28003
http://www.222ambking.org/u2kb/?Ul=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&Zort=BWokrMw18vT - rule_id: 28004
http://www.energyservicestation.com/u2kb/ - rule_id: 28005
http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.gritslab.com/u2kb/?Ul=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&Zort=BWokrMw18vT - rule_id: 28002
http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
http://www.shapshit.xyz/u2kb/ - rule_id: 28008
http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
http://www.thewildphotographer.co.uk/u2kb/?Ul=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&Zort=BWokrMw18vT - rule_id: 28007
http://www.shapshit.xyz/u2kb/?Ul=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&Zort=BWokrMw18vT - rule_id: 28008
http://www.white-hat.uk/u2kb/?Ul=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&Zort=BWokrMw18vT - rule_id: 28001
http://www.222ambking.org/u2kb/ - rule_id: 28004
http://www.younrock.com/u2kb/?Ul=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&Zort=BWokrMw18vT - rule_id: 28006
http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (19):
www.thewildphotographer.co.uk(45.79.19.196) - malicious
www.gritslab.com(78.141.192.145) - malicious
www.shapshit.xyz(199.192.30.147) - malicious
www.energyservicestation.com(213.145.228.111) - malicious
www.222ambking.org(91.195.240.94) - malicious
www.bitservicesltd.com(161.97.163.8) - malicious
www.thedivinerudraksha.com(85.187.128.34) - malicious
www.white-hat.uk(94.176.104.86) - malicious
www.younrock.com(81.17.18.196) - malicious
192.187.111.222 - phishing
91.195.240.94 - phishing
85.187.128.34 - malicious
78.141.192.145 - malicious
199.192.30.147 - malicious
213.145.228.111 - malicious
94.176.104.86 - malicious
161.97.163.8 - malicious
45.33.6.223
45.56.79.23 - malicious
Signatures (3):
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Malicious URLs (17): http://www.thedivinerudraksha.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.gritslab.com/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.white-hat.uk/u2kb/ http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/ http://www.younrock.com/u2kb/
Score 5.4 | M | VT 52 | ZeroCERT

14003 | 2023-04-20 17:38 | vbc.exe | 0cb1700a54841134f8b9cbd702897e82
Tags: PWS, .NET framework, RAT, Hide_EXE, AntiDebug, AntiVM, .NET EXE, PE32, PE File, FormBook, Malware download, Malware, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself
URLs (11):
http://www.jawstraping.com/t6t4/
http://www.antifa-west.org/t6t4/?EUd=ssGDlaKvrM1Gs2+sD8JdC0DLeKE3dUnUQ6mTAZG8EY8ootQconb5U719Xwf9arvCoKYUBxAQQ/mbWT7dDEoxYepTxrisSFFRvpnacVE=&DIL=J2BnYp2ZA
http://www.tanforks.xyz/t6t4/?EUd=fX3XyOzAJM6oM04o/7g23Zy7c/HdQQcghoeFNAWsBFGOx4rN1X7qcFb4Fe0DTcTs0H0+AvSr72QhSydJENna4UFVgzP/3/gTg0f6ty0=&DIL=J2BnYp2ZA
http://www.infomysaturn.com/t6t4/
http://www.infomysaturn.com/t6t4/?EUd=J+lWmOWzRFYb6ZGDJg/c/uE65ROAxLP5sGlhcaPxy1usod+H/MjcFynVlrmwAULXY1vEuzPNHPQSWuniw4+JBk2ZSmFmkZPZ/PPuHLo=&DIL=J2BnYp2ZA
http://www.atwtjasasbdh.com/t6t4/?EUd=6X+nuai3+Gul66mjmQ28c0ZlmwwgXmcEpPDIIfk72o6E0RnRG4ylaYKqyh5Ae9yw6Vvu+qYeGcoVzp60AAD0y2SwNXIc8Uem2VD5Cms=&DIL=J2BnYp2ZA
http://www.atwtjasasbdh.com/t6t4/
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.jawstraping.com/t6t4/?EUd=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&DIL=J2BnYp2ZA
http://www.tanforks.xyz/t6t4/
http://www.topsecretboutiqueec.com/t6t4/
Hosts (13):
www.topsecretboutiqueec.com(92.38.150.138)
www.antifa-west.org(142.250.76.147)
www.infomysaturn.com(204.27.56.195)
www.jawstraping.com(162.240.74.72)
www.tanforks.xyz(162.0.228.125)
www.atwtjasasbdh.com(38.47.108.116)
162.0.228.125 - malicious
38.47.108.116
45.33.6.223
162.240.74.72
172.217.25.19
92.38.150.138
204.27.56.195
Signatures (3):
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE FormBook CnC Checkin (POST) M2
ET HUNTING Request to .XYZ Domain with Minimal Headers
Score 7.8 | ZeroCERT

14004 | 2023-04-20 17:37 | vbc.exe | 0455be9da54c7231fea1f2fae056f36d
Tags: UPX, Malicious Library, OS Processor Check, PE32, PE File, VirusTotal, Malware, unpack itself, Remote Code Execution, DNS
Hosts (1): not shown on the page
Score 2.8 | M | VT 51 | ZeroCERT

14005 | 2023-04-20 17:36 | vbc.exe | c1ddc7e96d1bdfc49881c4efb2876d8d
Tags: RAT, Malicious Library, AntiDebug, AntiVM, PE64, PE File, FormBook, Malware download, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (9):
http://www.gritslab.com/u2kb/ - rule_id: 28002
http://www.gritslab.com/u2kb/?rQD=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&V4DcA-=d7DTsKri - rule_id: 28002
http://www.energyservicestation.com/u2kb/ - rule_id: 28005
http://www.222ambking.org/u2kb/?rQD=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&V4DcA-=d7DTsKri - rule_id: 28004
http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
http://www.white-hat.uk/u2kb/?rQD=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&V4DcA-=d7DTsKri - rule_id: 28001
http://www.bitservicesltd.com/u2kb/?rQD=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&V4DcA-=d7DTsKri - rule_id: 28003
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
http://www.222ambking.org/u2kb/ - rule_id: 28004
Hosts (11):
www.gritslab.com(78.141.192.145) - malicious
www.energyservicestation.com(213.145.228.111) - malicious
www.222ambking.org(91.195.240.94) - malicious
www.bitservicesltd.com(161.97.163.8) - malicious
www.white-hat.uk(94.176.104.86) - malicious
91.195.240.94 - phishing
78.141.192.145 - malicious
213.145.228.111 - malicious
94.176.104.86 - malicious
161.97.163.8 - malicious
45.33.6.223
Signatures (1):
ET MALWARE FormBook CnC Checkin (GET)
Malicious URLs (8): http://www.gritslab.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.white-hat.uk/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.222ambking.org/u2kb/
Score 6.6 | M | VT 12 | ZeroCERT

14006 | 2023-04-20 17:35 | tram.exe | 20974e780438e87cf0fab2e4c10aa72a
Tags: UPX, MPRESS, PE64, PE File, VirusTotal, Malware, crashed
Score 1.6 | M | VT 25 | ZeroCERT

14007 | 2023-04-20 17:23 | 20230418_1735061.html | 3ef259cbd9758da0bb705ab29e7ad69b
Tags: Generic Malware, Browser Info Stealer, MachineGuid, Code Injection, Checks debugger, exploit crash, unpack itself, installed browsers check, Exploit, Browser, crashed
Score 3.6 | M | ZeroCERT

14008 | 2023-04-20 17:08 | ##############################... | 533f738ac129a1b829a11c860fa4908e
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, IP Check, Tofsee, Windows, Gmail, Exploit, DNS, crashed, Downloader
URLs (2):
https://api.ipify.org/
http://107.175.202.201/50/vbc.exe
Hosts (5):
api.ipify.org(64.185.227.155)
smtp.gmail.com(74.125.204.108)
107.175.202.201 - malware
173.231.16.77
74.125.204.108
Signatures (9):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA Applayer Detect protocol only one direction
Score 5.8 | M | VT 29 | ZeroCERT

14009 | 2023-04-20 16:39 | ##############################... | e35378796dfe5bd6db6e12178247de53
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, FormBook, Malware download, Malware, Malicious Traffic, exploit crash, Windows, Exploit, DNS, crashed, Downloader
URLs (11):
http://www.jawstraping.com/t6t4/
http://www.infomysaturn.com/t6t4/
http://www.jawstraping.com/t6t4/?tgsBCfY=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&XpfTw=NmpJ
http://www.atwtjasasbdh.com/t6t4/
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.antifa-west.org/t6t4/?tgsBCfY=ssGDlaKvrM1Gs2+sD8JdC0DLeKE3dUnUQ6mTAZG8EY8ootQconb5U719Xwf9arvCoKYUBxAQQ/mbWT7dDEoxYepTxrisSFFRvpnacVE=&XpfTw=NmpJ
http://www.infomysaturn.com/t6t4/?tgsBCfY=J+lWmOWzRFYb6ZGDJg/c/uE65ROAxLP5sGlhcaPxy1usod+H/MjcFynVlrmwAULXY1vEuzPNHPQSWuniw4+JBk2ZSmFmkZPZ/PPuHLo=&XpfTw=NmpJ
http://www.tanforks.xyz/t6t4/
http://www.atwtjasasbdh.com/t6t4/?tgsBCfY=6X+nuai3+Gul66mjmQ28c0ZlmwwgXmcEpPDIIfk72o6E0RnRG4ylaYKqyh5Ae9yw6Vvu+qYeGcoVzp60AAD0y2SwNXIc8Uem2VD5Cms=&XpfTw=NmpJ
http://154.91.202.45/90/vbc.exe
http://www.tanforks.xyz/t6t4/?tgsBCfY=fX3XyOzAJM6oM04o/7g23Zy7c/HdQQcghoeFNAWsBFGOx4rN1X7qcFb4Fe0DTcTs0H0+AvSr72QhSydJENna4UFVgzP/3/gTg0f6ty0=&XpfTw=NmpJ
Hosts (12):
www.atwtjasasbdh.com(103.214.22.44)
www.infomysaturn.com(204.27.56.195)
www.antifa-west.org(142.250.76.147)
www.jawstraping.com(162.240.74.72)
www.tanforks.xyz(162.0.228.125)
20.239.166.104
154.91.202.45 - malicious
142.250.204.51
162.0.228.125 - malicious
162.240.74.72
45.33.6.223
204.27.56.195
Signatures (10):
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE FormBook CnC Checkin (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
Score 3.6 | ZeroCERT

14010 | 2023-04-20 13:25 | ##############################... | 0817ef065eab1d86f70a24c0100a62e2
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, IP Check, Tofsee, Windows, Gmail, Exploit, DNS, crashed, Downloader
URLs (2):
http://107.175.202.201/60/vbc.exe
https://api.ipify.org/
Hosts (5):
api.ipify.org(104.237.62.211)
smtp.gmail.com(64.233.188.108)
107.175.202.201 - malware
173.231.16.77
64.233.188.109
Signatures (9):
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score 5.8 | VT 29 | ZeroCERT

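Pulling IOCs out of these records. The URL, host and signature fields in the FormBook entries above are space-joined runs: a URL may carry a " - rule_id: NNNNN" suffix (the numeric rule the sandbox attached to a matched URL; the sqlite.org download that FormBook fetches carries none), a host is either "name(ip) - tag" or a bare "ip - tag", and the sandbox spells its tag "mailcious". The parser below is an added example, not ZeroCERT's code or part of the original listing; the sample fields are copied from record 14005 with the long query strings dropped, and the function names and the IOC bucket names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: three fields of record 14005 as they appear on the page,
# query strings omitted.  Field boundaries were lost in extraction, so each
# field is handled as one run of text.
URL_FIELD = (
    "http://www.gritslab.com/u2kb/ - rule_id: 28002 "
    "http://www.energyservicestation.com/u2kb/ - rule_id: 28005 "
    "http://www.bitservicesltd.com/u2kb/ - rule_id: 28003 "
    "http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip "
    "http://www.222ambking.org/u2kb/ - rule_id: 28004"
)
HOST_FIELD = (
    "www.gritslab.com(78.141.192.145) - mailcious "
    "www.energyservicestation.com(213.145.228.111) - mailcious "
    "91.195.240.94 - phishing 45.33.6.223"
)
SIG_FIELD = (
    "ET MALWARE FormBook CnC Checkin (POST) M2 "
    "ET MALWARE FormBook CnC Checkin (GET) "
    "ET HUNTING Request to .XYZ Domain with Minimal Headers"
)

# The sandbox emits "mailcious"; normalise so downstream filters on "malicious" match.
TAG_FIX = {"mailcious": "malicious"}

URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
HOST_RE = re.compile(
    r"(?P<name>[\w.-]+)(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?(?:\s+-\s+(?P<tag>[a-z]+))?"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Signature names start with a rule-set prefix; split on the whitespace before one.
SIG_SPLIT_RE = re.compile(r"\s+(?=(?:ET|SSLBL|SURICATA)\b)")


def parse_urls(field):
    """Return [(url, rule_id or None)] in the order the sandbox listed them."""
    return [(url, int(rid) if rid else None) for url, rid in URL_RE.findall(field)]


def parse_hosts(field):
    """Return [{'domain', 'ip', 'tag'}]; bare dotted quads get domain=None."""
    hosts = []
    for m in HOST_RE.finditer(field):
        name, ip, tag = m.group("name"), m.group("ip"), m.group("tag")
        if ip is None and IPV4_RE.match(name):
            name, ip = None, name
        hosts.append({"domain": name, "ip": ip, "tag": TAG_FIX.get(tag, tag)})
    return hosts


def parse_signatures(field):
    """Split the space-joined signature run into individual signature names."""
    return SIG_SPLIT_RE.split(field.strip())


def extract_iocs(url_field, host_field, sig_field):
    """Aggregate one record's fields into de-duplicated, sorted IOC buckets."""
    urls = parse_urls(url_field)
    hosts = parse_hosts(host_field)
    flagged = [u for u, rid in urls if rid is not None]
    return {
        "c2_domains": sorted({urlsplit(u).hostname for u in flagged}),
        "c2_paths": sorted({urlsplit(u).path for u in flagged}),
        "unflagged_urls": sorted(u for u, rid in urls if rid is None),
        "rule_ids": sorted({rid for _, rid in urls if rid is not None}),
        "tagged_ips": sorted(h["ip"] for h in hosts if h["tag"]),
        "untagged_ips": sorted(h["ip"] for h in hosts if not h["tag"]),
        "signatures": parse_signatures(sig_field),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(URL_FIELD, HOST_FIELD, SIG_FIELD), indent=2))
```

The split into flagged and unflagged URLs matters for blocking: the /u2kb/ check-in path and its domains are the FormBook C2 set, while the sqlite.org archive is a legitimate site the stealer downloads from and should not go on a blocklist. Untagged IPs (45.33.6.223 here) are likewise kept apart from tagged ones so they can be reviewed before use.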