14221 | 2023-03-27 10:42 | cc.exe | 41eb3aa33bccbe6a18acfedaf7f93ad5
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
1.8 | M | 26 | ZeroCERT
14222 | 2023-03-27 10:42 | vbc.exe | 03c74286887866a799f7cafdc096efda
Tags: PWS .NET framework RAT UPX PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
URLs: 10
Hosts: 11
Signatures (3): ET MALWARE FormBook CnC Checkin (POST) M2; ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
9.6 | M | 40 | ZeroCERT
14223 | 2023-03-27 10:41 | FRI.exe | c1b465d96c0541a5dc8e95a7bfd96e15
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself suspicious TLD DNS
URLs: 10
Hosts: 24
Signatures (6): ET DNS Query to a *.top domain - Likely Hostile; ET MALWARE FormBook CnC Checkin (GET); ET INFO HTTP Request to a *.top domain; ET HUNTING Request to .TOP Domain with Minimal Headers; ET INFO DNS Query for Suspicious .icu Domain; ET HUNTING Request to .XYZ Domain with Minimal Headers
Flagged URLs: 5
6.2 | M | 38 | ZeroCERT
14224 | 2023-03-27 10:41 | Windowsfig.exe | 40528a8ce542af784cb9958552f7798d
Tags: Confuser .NET .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.4 | M | 35 | ZeroCERT
14225 | 2023-03-27 10:39 | ox.exe | cfc3dc40432c7d8d8f838bc20c12bf27
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself crashed
2.2 | M | 46 | ZeroCERT
14226 | 2023-03-27 10:37 | Nasalized.exe | 4c42520a02966a874eb4fbdc0a74e208
Tags: RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts: 1
9.4 | M | 43 | ZeroCERT
14227 | 2023-03-27 10:34 | a.exe | 1dc49de091d11dd75ff77444e1b2e286
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware crashed
2.0 | M | 41 | ZeroCERT
14228 | 2023-03-27 10:33 | vbc.exe | ea36e1f335ddc3b518fb817b92b2f7e9
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs: 20
Hosts: 22
Signatures (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
Flagged URLs: 19
4.6 | M | 47 | ZeroCERT
14229 | 2023-03-27 10:32 | Blaubok.exe | 3c62500496bfc4f35d38ddbe71be78c2
Tags: RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): 199.115.193.171 - mailcious
10.4 | M | 48 | ZeroCERT
14230 | 2023-03-27 10:32 | payload.exe | 67e524e151efc62a8f5d3bbf8531e70a
Tags: PE64 PE File VirusTotal Malware DNS crashed
Hosts: 1
3.2 | M | 54 | ZeroCERT
14231 | 2023-03-27 10:30 | Sprawl.exe | 7f9cc3889e95b39a93593207cc823dd2
Tags: RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts: 1
10.4 | M | 48 | ZeroCERT
14232 | 2023-03-27 10:30 | update.exe | 93b9f5bf918b7e5de262a85214aa8fea
Tags: Generic Malware UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware Malicious Traffic unpack itself ComputerName DNS
URLs (1): http://91.107.196.27/75e7ead3c17835de.php
Hosts (2): 91.107.196.27 - mailcious 121.254.136.27
4.0 | M | 41 | ZeroCERT
14233 | 2023-03-27 10:28 | ooo.bat | 3db5b638d5142dca0d922543ce1099c0
Tags: Generic Malware Downloader Antivirus Create Service DGA Socket ScreenShot DNS Internet API Code injection PWS[m] Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (2): http://54.177.246.246/t.msi http://54.177.246.246/a.exe
4.0 | | 1 | ZeroCERT
14234 | 2023-03-27 10:28 | update-pyt.exe | ba6a75f0c69a7f22b526ad940c3451b4
Tags: Gen2 Generic Malware UPX Malicious Library Antivirus OS Processor Check PE32 PE File JPEG Format Malware download Amadey Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
URLs: 7
Hosts: 23
Signatures (6): ET MALWARE Amadey CnC Check-In; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Flagged URLs (2): http://78.46.242.112/so57Nst/index.php http://78.46.242.112/so57Nst/index.php
8.2 | M | | ZeroCERT
14235 | 2023-03-27 10:28 | 33293939193898579265.bin | b3c8c890a8a14c823da4fcebb050a8d5
Tags: Gen1 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Windows utilities WriteConsoleW Windows ComputerName crashed
3.6 | M | 43 | ZeroCERT