| 14041 |
2023-04-04 17:28
|
 SystemUpdate.exe 09a29f3b529c5e9ab25a47973bb0900a
PWS .NET framework RAT Generic Malware Confuser .NET Antivirus UPX Malicious Library Malicious Packer .NET EXE PE32 PE File OS Processor Check PE64 VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Auto service powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Firmware DNS Cryptographic key |
6
https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe - rule_id: 27006
https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe
https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLA7LD4BL&Signature=g4wJ2r5h59KSahB1y4%2F8HZRLC04%3D&x-amz-security-token=FwoGZXIvYXdzECIaDBCNQm7tYWerDBrTpyK%2BAaQp%2BdNp0ydv0AG2E4AzCKx2u%2FycIejgNxF%2FuFdAIsQHNFVyhHJ4I53ZPUtoxrTWfBbx0FoMNIEAID8XfJeZjrLs%2F1M%2FT9JGTqmtNyHXC6fIXR09xBIIdB3cPxiT7EG6GW3JgLotvx%2BYGLX6CFJhPtpimlM%2F0phB45lz3WckErYh643krmXem4wwpWSzO%2FrkIzT6SJMTQojsT7g0uGUR3FAhsVewpsXzyUQsz%2BzXCv2%2F572gwwPwAnK6rE7AIgUov7evoQYyLYHe7Tu%2FESyH%2FhbUkoPA%2B7rrGq9zuCsGanjOllD7mJgQnDWKxqZ3OhiGO8W3zQ%3D%3D&Expires=1680597703
https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe - rule_id: 27005
https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe
https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNP45LSYXJ&Signature=bf%2BxxfvszXPMP7jtjGo74tezGNE%3D&x-amz-security-token=FwoGZXIvYXdzECIaDJgrOS6fkzSPFivs3CK%2BAcHuj52wVNnm4rSADUNCVc5KNhqiufxNy0GncP553pr2hq7mOa8QzZLZfX7%2FNjBaQFglHP7ckxSnsLkrvLRTHFl1dVlHEcN7smhQI0KxwMpNADfae%2FaN%2FXh8bG0DnFsMySkIKQY64NOruebcwBIi83SllxN5d%2Bg6Gbm8AuLRXYcLy4Anflnyt7EzTrcJuG0a5CVCYynwqm82oyPhzx%2B0EdIebw8NtM9EOGQJOS8sWpEz5hgOXWMX9%2BpnTNnbThsosLevoQYyLbYMIdEs21wl%2BhVx%2BL5t0%2B2dBfxZ6FsudMgM3WnALV9R44nUr4Ir348oXZuTrg%3D%3D&Expires=1680597688
|
7
xmr-eu2.nanopool.org(92.222.217.165) - mailcious
bbuseruploads.s3.amazonaws.com(3.5.3.112) - malware
bitbucket.org(104.192.141.1) - malware
52.216.140.148 - malware
52.217.50.36
152.228.216.245
104.192.141.1 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
|
2
https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe
https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe
|
12.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14042 |
2023-04-04 17:27
|
 blez.exe ba6e7557d1090cc6d6091cafb984e4b5
PWS .NET framework RAT Generic Malware UPX Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
2
http://www.lastpartyofyear.com/my28/?2d=p0ujyCWbv7tSv6pBF6BUI0s+ls/Q9V6Q3hOA/098StHlUApBIDy7sCdi2rtFVzlEPonprgU5&2d54=eT8xe2NpinJd0BI
http://192.227.183.170/mac/Yokff.png
|
4
www.9969.voto()
www.lastpartyofyear.com(34.102.136.180)
192.227.183.170 - mailcious
34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
11.2 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14043 |
2023-04-04 17:24
|
 buildcr.exe 33a45fcbca9c96cf4d9f456d27d87820
RAT Gen2 UPX Malicious Library Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE32 PE File OS Processor Check VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
9.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14044 |
2023-04-04 17:22
|
 vbc.exe 867334824fc516494ef38ac031998877
PWS .NET framework RAT Generic Malware UPX Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
2
http://192.227.183.170/mac/Khypvvnsqb.bmp
http://www.lastpartyofyear.com/my28/?2d=p0ujyCWbv7tSv6pBF6BUI0s+ls/Q9V6Q3hOA/098StHlUApBIDy7sCdi2rtFVzlEPonprgU5&2d54=eT8xe2NpinJd0BI
|
4
www.9969.voto()
www.lastpartyofyear.com(34.102.136.180)
192.227.183.170 - mailcious
34.102.136.180 - mailcious
|
2
ET HUNTING Suspicious Terse Request for .bmp
ET MALWARE FormBook CnC Checkin (GET)
|
|
12.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14045 |
2023-04-04 17:22
|
 ytsd6v.exe cc6caf2c7b27fe45d8a148e1e9af9aae
RedLine stealer[m] UPX Malicious Library AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key crashed |
|
1
|
|
|
9.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14046 |
2023-04-04 17:20
|
 vbc.exe 8b817b79a103307dcd00a353e6bc13ac
RAT UPX AntiDebug AntiVM PE64 PE File FormBook Malware download VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD Windows DNS Cryptographic key |
10
http://www.zservers.xyz/hjdr/
http://www.xn--pdotrychler-l8a.ch/hjdr/
http://www.zservers.xyz/hjdr/?4DfzboWa=a/jwoO6Li4WGoMKhZK2qV7tdnllQ6mdQYsYFdFr7RisYjJd1Hm0f46xorIJmHDnVHKTR/o/1BaU+86MBDvdqY5CeL0wg/BcTjfumQVU=&P-nwqe=rBAJq-X
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.howtrue.info/hjdr/?4DfzboWa=kJhn0XnRZRgnPBFsTC3RrkdNU3jL2gKJb5tjL3sD/5M7+ZJLcewBYYG+QRdPVJXXplIlf5qgAFj8zlCmH3brR5caIrNXSuF9PhWnmJU=&P-nwqe=rBAJq-X
http://www.tugrow.top/hjdr/?4DfzboWa=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6Q88r0UIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&P-nwqe=rBAJq-X
http://www.xn--pdotrychler-l8a.ch/hjdr/?4DfzboWa=viX6L1AgcIzkNKvffNzJJ+Yd0/U+wEe4YYZ25bQBQN6YyRvPjBEvK6hqMFdbfSlnHMzHqKUOr90SHQpYKy1ow0mwR1Rp7LB2XNGkbPc=&P-nwqe=rBAJq-X
http://www.amateurshow.online/hjdr/?4DfzboWa=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4WKSSlO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&P-nwqe=rBAJq-X
http://www.howtrue.info/hjdr/
http://www.tugrow.top/hjdr/
|
12
www.amateurshow.online(198.37.115.75)
www.xn--pdotrychler-l8a.ch(95.130.17.35)
www.zservers.xyz(103.42.108.46)
www.tugrow.top(66.29.131.66)
www.howtrue.info(184.168.113.29)
95.130.17.35 - suspicious
103.42.108.46 - mailcious
184.168.113.29
192.253.237.20 - mailcious
66.29.131.66
198.37.115.75
45.33.6.223
|
6
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (POST) M2
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
|
|
9.0 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14047 |
2023-04-04 17:20
|
 rocketscamjesus.exe 065b5810275d9f18cb2724096f96a160
PWS .NET framework RAT UPX OS Processor Check .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
116.203.35.84 - mailcious
|
|
|
7.6 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14048 |
2023-04-04 17:19
|
 ContinentGroufs.exe 7b789842cbf26efdbe8a0c4d33a1745d
UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14049 |
2023-04-04 17:18
|
 sBJ42BUkUv.exe af16c9b8a8ca0b632d9ca91a8411ec57
RedLine stealer[m] Generic Malware Downloader Malicious Library Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM PE64 P Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox suspicious process WriteConsoleW VMware anti-virtualization installed browsers check Windows Browser Advertising ComputerName DNS Cryptographic key Software crashed |
|
1
116.203.35.84 - mailcious
|
|
|
21.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14050 |
2023-04-04 17:17
|
 105.exe 7aeb5d13a8d2dacabac7a928c57cf57c
Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14051 |
2023-04-04 17:15
|
 1bz7KfahvU.exe e0d2634fe2b085685f0b71e66ac91ec9
UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware |
|
|
|
|
2.0 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14052 |
2023-04-04 17:13
|
 0002.exe 245ef358e384f40caf1c178b4825f029
Malicious Library AntiDebug AntiVM PE32 PE File VirusTotal Malware AutoRuns Code Injection Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder Windows DNS |
|
1
192.253.237.20 - mailcious
|
|
|
7.8 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14053 |
2023-04-04 17:13
|
 nmooul5hrjbg6.channal1.exe b8ff396f094c22492fa957fbcf2d6a94
UPX Malicious Library Malicious Packer OS Processor Check PE32 PE File VirusTotal Malware crashed |
|
|
|
|
2.0 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14054 |
2023-04-04 11:36
|
 tiny.php 5f202673a787a640923543a442e150ac
AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.8 |
|
3 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14055 |
2023-04-04 10:49
|
 tiny.php 5f202673a787a640923543a442e150ac
AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.8 |
|
3 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|