14116 |
2023-03-31 09:50
|
vbc.exe d9f11abb5fbd7478a8fe993cfe8aac52 PWS .NET framework Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
1
http://www.hfe2wr8zdi1.cfd/ne28/?v4=5etSPIfnpGMmuxjfF4zX1DEwG/pfzOKbCBC3tJp/Txz1JPXPoilJQrSz9Nb3fnbqQV2pQYrE&nt=V48HiDzp
|
3
www.larrgestrreet.site() www.hfe2wr8zdi1.cfd(154.213.26.30) 154.213.26.30
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
27 |
ZeroCERT
14117 |
2023-03-31 09:48
|
vbc.exe 42ece834e9aa72f3ec352f6bd42ef4d1 PWS .NET framework SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(132.226.247.73) 193.122.6.168
|
5
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
|
|
12.8 |
M |
29 |
ZeroCERT
14118 |
2023-03-31 09:48
|
vbc.exe b7fe0283cdd93788a35df6f5b541dee5 PWS .NET framework .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself crashed |
|
|
|
|
2.6 |
M |
52 |
ZeroCERT
14119 |
2023-03-31 09:47
|
handdiy_3.exe 2644502236f017d4c97825b0d24fc434 Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware UPX Malicious Library SQLite Cookie Malicious Packer Anti_VM OS Processor Check PE32 PE File PNG Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Checks debugger WMI Creates executable files ICMP traffic exploit crash Windows utilities suspicious process suspicious TLD WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Remote Code Execution DNS crashed |
1
https://www.ippfinfo.top/
|
5
www.ippfinfo.top(178.18.252.110) iplogger.org(148.251.234.83) - mailcious 148.251.234.83 185.246.220.85 - mailcious 178.18.252.110
|
5
ET POLICY IP Check Domain (iplogger .org in DNS Lookup) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO TLS Handshake Failure ET DNS Query to a *.top domain - Likely Hostile
|
|
11.2 |
M |
51 |
ZeroCERT
14120 |
2023-03-31 09:47
|
vbc.exe 441aa97af8ab929af47af76962584b02 PWS .NET framework Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.dxyzcmag2020.com/ne28/?nt=7UlcrdHfjryVNLuav6biQlnb/gmvZFc382PxA7WDlNsESSGRXHNiF386U5itZs7WgqnA+czL&3f=IDKDM4yx http://www.thegolfteeshop.co.uk/ne28/?nt=K/QquFSLCT6SHQtXqS9KZNz2E1nT41LQyHDinzr5rCYDnh7lOTnJor+/6Ao5uyam5FAZgZdS&3f=IDKDM4yx http://www.cheerleader.social/ne28/?nt=QIBqzfyuwmd08S5Fr4cAIJuVYfBbaPfWiet8qJkSDORvSiAt06bTXOkMjqzUMWWfimWxqrUt&3f=IDKDM4yx
|
6
www.cheerleader.social(34.102.136.180) www.dxyzcmag2020.com(192.185.34.69) www.thegolfteeshop.co.uk(192.187.111.221) 192.185.34.69 - malware 34.102.136.180 - mailcious 63.141.242.45 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.4 |
M |
36 |
ZeroCERT
14121 |
2023-03-31 09:44
|
vgc.exe eebdd5b69b2fbe296a4e848b6ece83e7 RAT Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key crashed |
1
http://www.kellnovaglobalfood.info/ar73/?AdpL7rd=i6BPGBhGSecaeynnAP1UBBwzioJGNNDALkJtoSYlBAMyqZ2EcpVAY4EIefV2+Ju4HrYELbkz&0pn=WHu8Jjf0PJ
|
5
www.kellnovaglobalfood.info(34.102.136.180) www.quickhealcareltd.co.uk() www.4652.voto() 192.3.215.60 - mailcious 34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
12.4 |
M |
36 |
ZeroCERT
14122 |
2023-03-31 09:44
|
vbc.exe 339a80192eb65dd95541a88b690e54d5 Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://185.246.220.85/fresh/five/fre.php
|
1
185.246.220.85 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
|
14.4 |
M |
37 |
ZeroCERT
14123 |
2023-03-31 09:12
|
j64256db567bee7.61884750.js eab588bb7d0ebf0965e94bd4cb0dd539 crashed |
|
|
|
|
0.2 |
|
|
guest
14124 |
2023-03-31 09:11
|
j64256db56eb8b0.38998651.js cc0bc320186db25b23c297644f697bb6 unpack itself crashed |
|
|
|
|
0.6 |
|
|
guest
14125 |
2023-03-30 18:58
|
vbc.exe 291a20fef6482b753cc6e9cc3d6bc292 UPX Malicious Library PE32 PE File VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself |
|
|
|
|
3.4 |
M |
46 |
guest
14126 |
2023-03-30 16:51
|
vbc.exe 92a24824d555bc8f4a947992d85027b0 UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
26
http://www.gritslab.com/u2kb/ - rule_id: 28002 http://www.shapshit.xyz/u2kb/ - rule_id: 28008 http://www.avisrezervee.com/u2kb/ http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip http://www.un-object.com/u2kb/ - rule_id: 28137 http://www.un-object.com/u2kb/?VZnvbqyZ=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28137 http://www.energyservicestation.com/u2kb/ - rule_id: 28005 http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007 http://www.white-hat.uk/u2kb/?VZnvbqyZ=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28001 http://www.bitservicesltd.com/u2kb/?VZnvbqyZ=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28003 http://www.222ambking.org/u2kb/ - rule_id: 28004 http://www.222ambking.org/u2kb/ http://www.thedivinerudraksha.com/u2kb/?VZnvbqyZ=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28009 http://www.thedivinerudraksha.com/u2kb/?VZnvbqyZ=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&XM=Cm-BiUYxb1EmIVMU http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009 http://www.thedivinerudraksha.com/u2kb/ http://www.bitservicesltd.com/u2kb/ - rule_id: 28003 http://www.bitservicesltd.com/u2kb/ http://www.energyservicestation.com/u2kb/?VZnvbqyZ=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28005 http://www.energyservicestation.com/u2kb/?VZnvbqyZ=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&XM=Cm-BiUYxb1EmIVMU http://www.222ambking.org/u2kb/?VZnvbqyZ=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28004 http://www.shapshit.xyz/u2kb/?VZnvbqyZ=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28008 http://www.thewildphotographer.co.uk/u2kb/?VZnvbqyZ=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28007 http://www.younrock.com/u2kb/?VZnvbqyZ=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28006 http://www.gritslab.com/u2kb/?VZnvbqyZ=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&XM=Cm-BiUYxb1EmIVMU - rule_id: 28002 http://www.younrock.com/u2kb/ - rule_id: 28006
|
24
www.thewildphotographer.co.uk(45.33.2.79) - mailcious www.gritslab.com(78.141.192.145) - mailcious www.fclaimrewardccpointq.shop() - mailcious www.avisrezervee.com(31.186.11.254) www.shapshit.xyz(199.192.30.147) - mailcious www.energyservicestation.com(213.145.228.111) - mailcious www.un-object.com(192.185.17.12) - mailcious www.222ambking.org(91.195.240.94) - mailcious www.bitservicesltd.com(161.97.163.8) - mailcious www.thedivinerudraksha.com(85.187.128.34) - mailcious www.white-hat.uk(94.176.104.86) - mailcious www.younrock.com(192.187.111.219) - mailcious 45.33.2.79 - mailcious 85.187.128.34 - mailcious 78.141.192.145 - mailcious 192.185.17.12 - mailcious 31.186.11.254 - mailcious 213.145.228.111 - mailcious 63.141.242.46 94.176.104.86 - mailcious 161.97.163.8 - mailcious 45.33.6.223 199.192.30.147 - mailcious 91.195.240.94 - phishing
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
19
http://www.gritslab.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.un-object.com/u2kb/ http://www.un-object.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.white-hat.uk/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.younrock.com/u2kb/ http://www.gritslab.com/u2kb/ http://www.younrock.com/u2kb/
|
4.4 |
M |
35 |
ZeroCERT
14127 |
2023-03-30 16:51
|
vbc.exe 291a20fef6482b753cc6e9cc3d6bc292 UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself DNS |
21
http://www.white-hat.uk/u2kb/?4NVW=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&cpjP-=37DlWKi5SClC - rule_id: 28001 http://www.gritslab.com/u2kb/ - rule_id: 28002 http://www.shapshit.xyz/u2kb/ - rule_id: 28008 http://www.energyservicestation.com/u2kb/?4NVW=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&cpjP-=37DlWKi5SClC - rule_id: 28005 http://www.thedivinerudraksha.com/u2kb/?4NVW=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&cpjP-=37DlWKi5SClC - rule_id: 28009 http://www.energyservicestation.com/u2kb/ - rule_id: 28005 http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007 http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009 http://www.thewildphotographer.co.uk/u2kb/?4NVW=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&cpjP-=37DlWKi5SClC - rule_id: 28007 http://www.gritslab.com/u2kb/?4NVW=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&cpjP-=37DlWKi5SClC - rule_id: 28002 http://www.222ambking.org/u2kb/?4NVW=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&cpjP-=37DlWKi5SClC - rule_id: 28004 http://www.bitservicesltd.com/u2kb/?4NVW=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&cpjP-=37DlWKi5SClC - rule_id: 28003 http://www.bitservicesltd.com/u2kb/ - rule_id: 28003 http://www.younrock.com/u2kb/?4NVW=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&cpjP-=37DlWKi5SClC - rule_id: 28006 http://www.younrock.com/u2kb/?4NVW=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&cpjP-=37DlWKi5SClC http://www.younrock.com/u2kb/ - rule_id: 28006 http://www.shapshit.xyz/u2kb/?4NVW=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&cpjP-=37DlWKi5SClC - rule_id: 28008 http://www.shapshit.xyz/u2kb/?4NVW=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&cpjP-=37DlWKi5SClC http://www.222ambking.org/u2kb/ - rule_id: 28004 http://www.222ambking.org/u2kb/ http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
|
21
www.gritslab.com(78.141.192.145) - mailcious www.thewildphotographer.co.uk(198.58.118.167) - mailcious www.shapshit.xyz(199.192.30.147) - mailcious www.energyservicestation.com(213.145.228.111) - mailcious www.222ambking.org(91.195.240.94) - mailcious www.bitservicesltd.com(161.97.163.8) - mailcious www.thedivinerudraksha.com(85.187.128.34) - mailcious www.white-hat.uk(94.176.104.86) - mailcious www.younrock.com(192.187.111.219) - mailcious 193.233.20.36 - malware 91.195.240.94 - phishing 85.187.128.34 - mailcious 78.141.192.145 - mailcious 199.192.30.147 - mailcious 212.87.204.93 - mailcious 213.145.228.111 - mailcious 192.187.111.219 - mailcious 94.176.104.86 - mailcious 161.97.163.8 - mailcious 45.33.6.223 173.255.194.134
|
3
ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
17
http://www.white-hat.uk/u2kb/ http://www.gritslab.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.gritslab.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.younrock.com/u2kb/ http://www.younrock.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.222ambking.org/u2kb/
|
6.0 |
M |
46 |
ZeroCERT
14128 |
2023-03-30 16:43
|
lega.exe 1a5f749669d8b3a12463fdf8b7cc3f83 RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT NPKI RedLine Stealer Generic Malware UPX Malicious Library Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Confuser .NET SMTP PWS[m] AntiDebug AntiVM CAB PE32 PE File OS Processor Check .N Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser Email ComputerName Remote Code Execution Trojan DNS Cryptographic key Software crashed Downloader |
11
http://193.233.20.36/joomla/index.php
http://193.233.20.36/lend/123dsss.exe
http://193.233.20.36/lend/Tarlatan.exe
http://193.233.20.36/lend/Gmeyad.exe
http://185.246.221.126/bins/2023.exe.exe
http://185.246.221.126/bins/w.exe
http://193.233.20.36/lend/tmpBEB8.tmp.exe
http://193.233.20.36/joomla/Plugins/cred64.dll
http://193.233.20.36/joomla/Plugins/clip64.dll
https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe
https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe
|
13
downloads.exodus.com(104.18.18.218)
bitcoin.org(172.67.40.154)
download.electrum.org(104.21.89.144) 185.246.221.126 - mailcious
193.233.20.36 - malware
176.113.115.145
172.67.40.154
212.87.204.93 - mailcious
199.115.193.116
66.42.108.195 - mailcious
172.67.160.221
45.33.6.223
104.18.19.218
|
10
ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host DLL Request ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
24.6 |
M |
36 |
ZeroCERT
14129 |
2023-03-30 16:42
|
clip64.dll 6a4c2f2b6e1bbce94b4d00e91e690d0d UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE32 PE File VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
42 |
ZeroCERT
14130 |
2023-03-30 16:40
|
vbc.exe a3b0daf59ad3e6d2e465ea72ea83c4e0 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution DNS |
|
1
31.186.11.254 - mailcious
|
|
|
2.6 |
M |
36 |
ZeroCERT