14146 | 2023-03-29 18:09
ppp.exe a82baff8213bd78f398420e6ed3d58aa UPX .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself
3.6 | M | 50 | r0d

14147 | 2023-03-29 17:50
1000+FacebookSPDogs-15pc.exe 00b84d9dee2056758a6fbb07faef57d4 PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.0 | M | 35 | ZeroCERT

14148 | 2023-03-29 17:48
cubalibre2 54a5f1bf56bb033fabafce49f03f6794 Malicious Library DLL PE32 PE File VirusTotal Malware Checks debugger RWX flags setting unpack itself ComputerName DNS
Hosts/IPs: 1
Suricata alerts (1): SURICATA Applayer Wrong direction first Data
3.4 | M | 52 | ZeroCERT

14149 | 2023-03-29 17:47
ppp.exe a82baff8213bd78f398420e6ed3d58aa .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself DNS
URLs: 16
Hosts/IPs: 19
Suricata alerts (2): ET INFO Observed DNS Query to .biz TLD; ET MALWARE FormBook CnC Checkin (GET)
5.8 | M | 50 | ZeroCERT

14150 | 2023-03-29 17:46
Spfteysaad.exe 8f3e8fa1ba9c4c10680a9135a2ab6724 PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
1.8 | M | 20 | ZeroCERT

14151 | 2023-03-29 17:44
1.exe 05d614ae9941dc597f918230c0938d11 UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware
1.4 | M | 9 | ZeroCERT

14152 | 2023-03-29 17:42
buildjack.exe 10f57aeea7d69c1fd26302daea446d8d PWS .NET framework RAT .NET EXE PE32 PE File Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Telegram Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser ComputerName DNS
URLs: 1
http://ip-api.com/line?fields=query
Hosts/IPs: 4
ip-api.com(208.95.112.1); api.telegram.org(149.154.167.220); 208.95.112.1; 149.154.167.220
Suricata alerts (5): ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Telegram API Domain in DNS Lookup; ET POLICY External IP Lookup ip-api.com
5.2 | M | 45 | ZeroCERT

14153 | 2023-03-29 17:41
vbc.exe 4da41093eb4cce80c18d1e6a2391ba80 UPX Malicious Library PE32 PE File JPEG Format Browser Info Stealer Remcos VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser DNS keylogger
Hosts/IPs: 3
top.not2beabused01.xyz(38.117.65.122) - mailcious; 38.117.65.122 - mailcious; 45.33.6.223
Suricata alerts (1): ET JA3 Hash - Remcos 3.x TLS Connection
5.6 | M | 31 | ZeroCERT

14154 | 2023-03-29 17:40
w.exe c200ea136a598e37eb83c8c6031b3f29 PE32 PE File VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Tofsee Windows Remote Code Execution
URLs: 2
https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe; https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe
Hosts/IPs: 6
downloads.exodus.com(104.18.19.218); bitcoin.org(172.67.40.154); download.electrum.org(104.21.89.144); 104.22.68.176; 104.21.89.144; 104.18.19.218
Suricata alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
4.0 | M | 56 | ZeroCERT

14155 | 2023-03-29 17:40
uy74.exe 9b5a6f627c74f828bc4e85e2e2843e0c PWS .NET framework RAT UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.0 | M | 30 | ZeroCERT

14156 | 2023-03-29 17:40
dy.exe 5d2a5e49ca03081b82c5aff2eed04770 .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself DNS
URLs: 15
Hosts/IPs: 15
Suricata alerts (4): ET INFO Observed DNS Query to .biz TLD; ET INFO HTTP Request to Suspicious *.life Domain; ET INFO Observed DNS Query to .life TLD; ET MALWARE FormBook CnC Checkin (GET)
Additional URLs: 13
5.2 | M | 53 | ZeroCERT

14157 | 2023-03-29 17:37
new_9_2022.exe b626d6f8c491833f785c546389dcdbea Generic Malware UPX Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware PDB
1.0 | M | 27 | ZeroCERT

14158 | 2023-03-29 17:35
ss.exe efd45307df4754e7facbb561fb091721 UPX Malicious Library MZP Format PE32 PE File Check memory unpack itself Remote Code Execution DNS
Hosts/IPs: 1
3.0 | | | ZeroCERT

14159 | 2023-03-29 17:35
101.exe 3aaff573f4866483b434e7a4d24f83eb NPKI Generic Malware Themida Packer UPX Malicious Library Anti_VM OS Processor Check PE32 PE File .NET EXE icon Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Exploit Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
Hosts/IPs: 1
14.2 | M | 38 | ZeroCERT

14160 | 2023-03-29 14:23
2.1.0ff.exe bc338e23e5411697561306eabb29bd9c Raccoon Stealer PE32 PE File VirusTotal Malware Windows crashed
2.0 | M | 45 | ZeroCERT