14131 | 2023-03-30 16:38 | white.exe | MD5 89a133e7158e8bb6e2614a7c9bd7ff5d
Tags: NPKI Gen1 UPX Malicious Packer Malicious Library PE32 PE File OS Processor Check DLL Browser Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Windows Browser Email ComputerName DNS crashed
URLs (8):
  http://79.137.206.15/a472d2f653c1a1f6/vcruntime140.dll
  http://79.137.206.15/a472d2f653c1a1f6/sqlite3.dll
  http://79.137.206.15/385785d59336a866.php
  http://79.137.206.15/a472d2f653c1a1f6/nss3.dll
  http://79.137.206.15/a472d2f653c1a1f6/freebl3.dll
  http://79.137.206.15/a472d2f653c1a1f6/mozglue.dll
  http://79.137.206.15/a472d2f653c1a1f6/softokn3.dll
  http://79.137.206.15/a472d2f653c1a1f6/msvcp140.dll
Hosts (1): (not shown)
Network signatures (3):
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
URL rule hits: -
Score 7.2 | - | 7 | ZeroCERT

14132 | 2023-03-30 16:34 | xme.exe | MD5 48efad145d5274859e353e1cf8018e45
Tags: Emotet RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
URLs (10):
  http://www.88vqq.com/lf80/?1nk=MSiiOWab7QGE4OsGqNUf0CjYIOhimWiHfwxthaTSJ8ZN7v6H0tr9Kvwqa+LjvVHLJHijakkDSyn+6AhO4AX19nbBqGYAyzw2LVFYqB4=&2R8Y=VADnZM1Y
  http://www.fluttering.info/lf80/
  http://www.88vqq.com/lf80/
  http://www.fluttering.info/lf80/?1nk=vdUvd4KMcs02oJHOqazuyWeULNYj9ziXLbdaBklN4QZLswKe18yc7gBmli0SaeLYRqNWchuZuJZKel0zJd0sN+qba2pORzREmC/Malw=&2R8Y=VADnZM1Y
  http://www.toplegalserves.com/lf80/?1nk=iIHSWm9EKbE4LjX243veP2lmBJalZgZwOGqRYCYa0bxTcNU/qsqdO599/0gGzMbmPKZM4KeyGlGsFSkFvsSSZkNMG60YCeVz3NJjEjs=&2R8Y=VADnZM1Y
  http://www.carcosainvest.com/lf80/?1nk=U1AfX2eZFZv2hBCTqgPkcuANZ20kgeq2vS8gtcHKe8ZJSs3Oy12xCliJ0zonbRqHTLXay59VdXyZMRRK+Tu2D9w7yrgJnaEu4iBoGU0=&2R8Y=VADnZM1Y
  http://www.fantasticserver.yachts/lf80/
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
  http://www.toplegalserves.com/lf80/
  http://www.fantasticserver.yachts/lf80/?1nk=C+NRImNoToCD7C+RudibhX2FyNhV6QDK3DTVu5TP5j9xeLMXsFNWcyV4ZKkL/2WNJNyMWiJ/EMH3DJK+HE42s4WyueexzCKRcbRLZww=&2R8Y=VADnZM1Y
Hosts (12):
  www.fantasticserver.yachts(165.22.36.197)
  www.fluttering.info(198.177.124.57)
  www.toplegalserves.com(208.91.197.27)
  www.felco.online()
  www.88vqq.com(154.94.81.137)
  www.carcosainvest.com(206.54.190.30)
  165.22.36.197
  208.91.197.27 - malicious
  154.94.81.137
  206.54.190.30
  198.177.124.57 - malicious
  45.33.6.223
Network signatures (2):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
URL rule hits: -
Score 9.4 | M | 44 | ZeroCERT

14133 | 2023-03-30 16:33 | vbc.exe | MD5 921fba8af6c955c0fc7c8206e833bbe4
Tags: PWS .NET framework RAT Generic Malware Antivirus AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  http://www.scotwork.us/g2fg/?Jfy=gMiLTpy0oYEUy47EDaZJ0YPIhSGoXFYVIqBfB3cGNY39N1b0aizH0s/A9IIAdCbpZx7zYbtr&ojq4dR=RVlPiv - rule_id: 23120
Hosts (4):
  www.programagubernamental.store()
  www.scotwork.us(104.21.75.84) - malicious
  www.majenta.info()
  172.67.217.149
Network signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
URL rule hits (1):
  http://www.scotwork.us/g2fg/
Score 10.4 | M | 21 | ZeroCERT

14134 | 2023-03-30 16:32 | tmpBEB8.tmp.exe | MD5 5aa405d35131a36ce1647c6937d3e529
Tags: PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs: -
Hosts: -
Network signatures: -
URL rule hits: -
Score 1.8 | M | 28 | ZeroCERT

14135 | 2023-03-30 16:29 | 25.....25.............doc | MD5 2c5cf406f3e4cfa448b167751eaea73b
Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (2):
  http://171.22.30.164/china/five/fre.php - rule_id: 28197
  http://107.174.45.106/25/vbc.exe
Hosts (2):
  171.22.30.164 - malicious
  107.174.45.106 - malicious
Network signatures (16):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE MSIL/GenKryptik.FQRH Download Request
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
URL rule hits (1):
  http://171.22.30.164/china/five/fre.php
Score 5.0 | M | 31 | ZeroCERT

14136 | 2023-03-30 16:17 | Stork.vbs | MD5 8d4e3f96fb554ff1db02b999210126d6
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities suspicious process Windows ComputerName DNS Cryptographic key crashed
URLs (1):
  http://194.180.48.211/ryan/Anlae.xsn
Hosts (1):
  194.180.48.211 - malicious
Network signatures: -
URL rule hits: -
Score 9.0 | M | 4 | guest

14137 | 2023-03-30 16:03 | Kionectomy1.vbs | MD5 305ec8dca6e74b54c808d4796374676c
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process Windows ComputerName Cryptographic key crashed
URLs: -
Hosts: -
Network signatures: -
URL rule hits: -
Score 7.0 | - | 12 | guest

14138 | 2023-03-30 09:23 | info.pdf | MD5 a05bb251aa7a4b93f443023a6b8c8b67
Tags: PDF ZIP Format Windows utilities Windows DNS
URLs (5):
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
  http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
Hosts (1):
  185.246.220.130 - malware
Network signatures: -
URL rule hits: -
Score 2.0 | M | - | ZeroCERT

14139 | 2023-03-30 09:22 | run.vbs | MD5 530c052db1411cc1d2a9e37da4def497
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  https://dl.dropbox.com/s/9r6dz0xby0ha2o0/2_INSTALL.ps1?dl=0
Hosts: -
Network signatures: -
URL rule hits: -
Score 6.0 | - | 15 | ZeroCERT

14140 | 2023-03-30 09:21 | 1.exe | MD5 88131cfd2cca21aba749fd591b04b45f
Tags: Generic Malware UPX Malicious Library Downloader Malicious Packer OS Processor Check PE32 PE File Remcos VirusTotal Malware Malicious Traffic Check memory Windows DNS keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  132.226.8.169
  178.237.33.50
  185.246.220.130 - malware
Network signatures (1):
  ET JA3 Hash - Remcos 3.x TLS Connection
URL rule hits: -
Score 4.0 | - | 50 | ZeroCERT

14141 | 2023-03-30 09:21 | 2.exe | MD5 d606a39261a0599154ba54ec565fd602
Tags: Generic Malware UPX Malicious Library Downloader Malicious Packer OS Processor Check PE32 PE File Remcos VirusTotal Malware Malicious Traffic Check memory Windows DNS keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  178.237.33.50
  158.101.44.242
  185.246.220.130 - malware
Network signatures (1):
  ET JA3 Hash - Remcos 3.x TLS Connection
URL rule hits: -
Score 4.0 | - | 52 | ZeroCERT

14142 | 2023-03-30 09:17 | vbc.exe | MD5 a98f0fd7f830e6c6514d4b8cc9934743
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself
URLs (18):
  http://www.energyservicestation.com/u2kb/?_1=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&A6Gb=ePIu - rule_id: 28005
  http://www.younrock.com/u2kb/?_1=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&A6Gb=ePIu - rule_id: 28006
  http://www.shapshit.xyz/u2kb/ - rule_id: 28008
  http://www.thewildphotographer.co.uk/u2kb/?_1=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&A6Gb=ePIu - rule_id: 28007
  http://www.shapshit.xyz/u2kb/?_1=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&A6Gb=ePIu - rule_id: 28008
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.222ambking.org/u2kb/?_1=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&A6Gb=ePIu - rule_id: 28004
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
  http://www.white-hat.uk/u2kb/?_1=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&A6Gb=ePIu - rule_id: 28001
  http://www.bitservicesltd.com/u2kb/?_1=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&A6Gb=ePIu - rule_id: 28003
  http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.thedivinerudraksha.com/u2kb/?_1=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&A6Gb=ePIu - rule_id: 28009
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
  http://www.222ambking.org/u2kb/ - rule_id: 28004
  http://www.gritslab.com/u2kb/?_1=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&A6Gb=ePIu - rule_id: 28002
  http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (19):
  www.gritslab.com(78.141.192.145) - malicious
  www.thewildphotographer.co.uk(45.56.79.23) - malicious
  www.shapshit.xyz(199.192.30.147) - malicious
  www.energyservicestation.com(213.145.228.111) - malicious
  www.222ambking.org(91.195.240.94) - malicious
  www.bitservicesltd.com(161.97.163.8) - malicious
  www.thedivinerudraksha.com(85.187.128.34) - malicious
  www.white-hat.uk(94.176.104.86) - malicious
  www.younrock.com(81.17.29.149) - malicious
  91.195.240.94 - phishing
  85.187.128.34 - malicious
  78.141.192.145 - malicious
  199.192.30.147 - malicious
  213.145.228.111 - malicious
  192.187.111.219 - malicious
  94.176.104.86 - malicious
  161.97.163.8 - malicious
  45.33.6.223
  45.56.79.23 - malicious
Network signatures (3):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
URL rule hits (17):
  http://www.energyservicestation.com/u2kb/
  http://www.younrock.com/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.white-hat.uk/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.younrock.com/u2kb/
Score 5.2 | M | 37 | ZeroCERT

14143 | 2023-03-30 09:16 | try.hta | MD5 7a8dd40f53d76872300fdba6b6429822
Tags: PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM PowerShell .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://198.46.174.164/118/putty.exe
  http://checkip.dyndns.org/
Hosts (3):
  checkip.dyndns.org(193.122.130.0)
  132.226.8.169
  198.46.174.164 - malicious
Network signatures (10):
  ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
  ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
URL rule hits: -
Score 21.0 | - | 20 | ZeroCERT

14144 | 2023-03-30 09:14 | putty.exe | MD5 f0cbe408045d492ae41ee92ad7c39bea
Tags: PWS .NET framework RAT SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1):
  http://checkip.dyndns.org/
Hosts (2):
  checkip.dyndns.org(193.122.130.0)
  158.101.44.242
Network signatures (5):
  ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
URL rule hits: -
Score 13.2 | - | 14 | ZeroCERT

14145 | 2023-03-29 23:31 | DvDUsSet.exe | MD5 65de52a852356f9e0aea8b43e67105f7
Tags: Confuser .NET .NET EXE PE32 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Ransomware DNS
URLs: -
Hosts (3):
  videoconvert-download38.xyz() - malicious
  iplogger.org(148.251.234.83) - malicious
  148.251.234.83
Network signatures (3):
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL rule hits: -
Score 3.8 | M | 62 | guest
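The rows above carry the sandbox's network fields in a flat form: a URL list in which a URL that matched one of the sandbox's URL rules is followed by ` - rule_id: N`, a host list of `domain(resolved-ip)` entries (an empty pair means the lookup returned no answer) and bare IPs, each optionally followed by a reputation tag, and a list of Emerging Threats signature names. The lists also mix attacker infrastructure with legitimate services the samples touch along the way (www.sqlite.org for the sqlite DLL the FormBook rows download, checkip.dyndns.org and geoplugin.net for external-IP lookups, acroipm2.adobe.com, dl.dropbox.com), so the fields need normalising before any of it becomes a blocklist entry. The Python below is an added, editor-written example of that normalisation; it is not the sandbox's own code. The field grammar it parses is inferred from this page and is an assumption, and its sample inputs are constructed by copying fragments of entries 14133 and 14142.

```python
"""Normalise the listing's flattened IOC fields into structured records.

Editor-added example, not the sandbox's own code.  The grammar assumed here
is inferred from the rows on this page: URLs optionally followed by
' - rule_id: N'; hosts as 'domain(ip)', 'domain()' (no DNS answer) or a bare
IP, each optionally followed by ' - <tag>'.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

HOST_TOKEN = re.compile(r"^([A-Za-z0-9.\-]+)(?:\(([^)]*)\))?$")


@dataclass
class Host:
    name: str                   # domain, or the address itself for bare-IP rows
    ip: Optional[str]           # resolved address; None for 'domain()' and bare IPs
    tag: Optional[str] = None   # reputation tag from the listing, if any


@dataclass
class Url:
    url: str
    rule_id: Optional[int] = None   # set when the URL matched a sandbox URL rule


def parse_hosts(text: str) -> list[Host]:
    out: list[Host] = []
    toks, i = text.split(), 0
    while i < len(toks):
        if toks[i] == "-" and out and i + 1 < len(toks):
            out[-1].tag = toks[i + 1]          # ' - tag' qualifies the preceding host
            i += 2
            continue
        m = HOST_TOKEN.match(toks[i])
        if not m:
            raise ValueError(f"unexpected host token {toks[i]!r}")
        out.append(Host(m.group(1), m.group(2) or None))   # 'domain()' -> ip None
        i += 1
    return out


def parse_urls(text: str) -> list[Url]:
    out: list[Url] = []
    toks, i = text.split(), 0
    while i < len(toks):
        if toks[i] == "-" and out and toks[i + 1:i + 2] == ["rule_id:"]:
            out[-1].rule_id = int(toks[i + 2])
            i += 3
            continue
        if not toks[i].startswith(("http://", "https://")):
            raise ValueError(f"unexpected url token {toks[i]!r}")
        out.append(Url(toks[i]))
        i += 1
    return out


def c2_base(url: str) -> str:
    """scheme://host/<first path segment>/ with the per-victim query dropped.

    The FormBook rows list each C2 twice, as a bare path (/u2kb/) and as a
    check-in carrying an encrypted '?_1=...' query; both collapse to one base.
    """
    p = urlsplit(url)
    first = p.path.strip("/").split("/")[0]
    return f"{p.scheme}://{p.netloc}/{first}/" if first else f"{p.scheme}://{p.netloc}/"


def unique_c2(urls: list[Url]) -> list[str]:
    """Deduplicated bases of the rule-hit URLs; URLs without a rule hit are skipped
    (e.g. the www.sqlite.org DLL download in the FormBook rows is not a C2)."""
    bases: list[str] = []
    for u in urls:
        if u.rule_id is not None and c2_base(u.url) not in bases:
            bases.append(c2_base(u.url))
    return bases


def defang(s: str) -> str:
    """hxxp:// and [.] so a shared indicator is neither clickable nor auto-linked."""
    return s.replace("http", "hxxp").replace(".", "[.]")


# Constructed samples, copied from entries 14133 and 14142 of the listing.
HOSTS_14133 = ("www.programagubernamental.store() www.scotwork.us(104.21.75.84) - malicious "
               "www.majenta.info() 172.67.217.149")
URLS_14133 = ("http://www.scotwork.us/g2fg/?Jfy=gMiLTpy0oYEUy47EDaZJ0YPIhSGoXFYVIqBfB3cGNY39N1b0aizH0s/"
              "A9IIAdCbpZx7zYbtr&ojq4dR=RVlPiv - rule_id: 23120")
URLS_14142 = ("http://www.shapshit.xyz/u2kb/ - rule_id: 28008 "
              "http://www.shapshit.xyz/u2kb/?_1=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sih"
              "S3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&A6Gb=ePIu - rule_id: 28008 "
              "http://www.gritslab.com/u2kb/ - rule_id: 28002 "
              "http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip")

if __name__ == "__main__":
    for h in parse_hosts(HOSTS_14133):
        print(h)
    print(unique_c2(parse_urls(URLS_14142)))
    print(defang(c2_base(parse_urls(URLS_14133)[0].url)))
```

Run over the full URL field of entry 14142, `unique_c2` yields the nine `/u2kb/` bases that the listing's own "URL rule hits" group repeats seventeen times (eighteen URLs minus the sqlite.org download, which carries no rule_id), which is the set worth feeding to a blocklist; the bare IPs and unresolved `domain()` entries in the host field should be reviewed separately rather than blocked on the strength of the listing alone.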