| 14281 |
2023-03-24 09:46
|
 vx9.txt.ps1 bbd04ea795c2f48efea24040f42730e6
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.4 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14282 |
2023-03-24 09:45
|
 WinLoad.exe 12a45205a6da702e56b6a07cbe162445
Gen2 Gen1 Generic Malware UPX Malicious Library Anti_VM OS Processor Check PE64 PE File VirusTotal Malware Creates executable files DNS crashed |
|
3
37.230.138.66 - mailcious
142.250.66.36
37.230.138.123 - mailcious
|
|
|
2.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14283 |
2023-03-24 09:45
|
writer.bat 1e30daa4770b00c2e624e8a615e80282
Downloader Create Service DGA Socket ScreenShot DNS Internet API Code injection PWS[m] Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM powershell Windows utilities suspicious process WriteConsoleW Windows Trojan DNS DDNS DoTNet |
6
http://g57hitr9atw9jkky5p2.ddns.net/ncat/libssl-3.dll
http://g57hitr9atw9jkky5p2.ddns.net/ncat/libssh2.dll
http://g57hitr9atw9jkky5p2.ddns.net/ncat/getprivshell.ps1
http://g57hitr9atw9jkky5p2.ddns.net/ncat/vcruntime140.dll
http://g57hitr9atw9jkky5p2.ddns.net/ncat/svchost.exe
http://g57hitr9atw9jkky5p2.ddns.net/ncat/libcrypto-3.dll
|
2
g57hitr9atw9jkky5p2.ddns.net(66.228.37.7) - malware
66.228.37.7 - mailcious
|
6
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
ET INFO PS1 Powershell File Request
ET HUNTING Generic Powershell Launching Hidden Window
ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14284 |
2023-03-24 09:44
|
 1.exe 7429ee8b83fcbb48fe5b383a6235ac1d
UPX Malicious Library MZP Format PE32 PE File VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces Tofsee Windows |
8
http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://s3.eu-central-1.wasabisys.com/delice/delice-purify/hand-emHqRHrKsna22Rea.exe
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052
https://www.google.com/
https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=6 - rule_id: 7620
https://s3.eu-central-1.wasabisys.com/delice/delice-purify/up-do-dat-emHqRHrKsna22Rea.exe
|
12
n8w5.c12.e2-1.dev() - malware
wewewe.s3.eu-central-1.amazonaws.com(52.219.170.150) - mailcious
www.google.com(172.217.25.164)
360devtracking.com(37.230.138.66) - mailcious
s3.eu-central-1.wasabisys.com(130.117.252.29) - malware
connectini.net(37.230.138.123) - mailcious
130.117.252.29 - malware
52.219.140.125
130.117.252.31
142.250.66.36
37.230.138.123 - mailcious
37.230.138.66 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
|
4
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies
https://connectini.net/Series/SuperNitouDisc.php
https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe
https://connectini.net/S2S/Disc/Disc.php
|
6.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14285 |
2023-03-24 09:39
|
 LitPay.exe 3951f8ad7e0e7682fc0d9d13c9a503c5
Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Remote Code Execution Cryptographic key crashed |
|
|
|
|
4.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14286 |
2023-03-24 09:39
|
 vvd.exe ddae367e828d169834f7261f3cba74d2
PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS |
|
1
|
|
|
2.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14287 |
2023-03-24 09:37
|
 vbc.exe 7ff571e8d43bdefd4fb9ca3177dfbc7e
PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
12.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14288 |
2023-03-24 09:37
|
 vbc.exe 953f34884877d4946480bb967d355f69
PWS .NET framework RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
10
http://www.kkqqzb.xyz/a2fh/
http://www.fruitecology.com/a2fh/
http://www.thezweb.com/a2fh/
http://www.fruitecology.com/a2fh/?4L5CL=HirmV0K3W8X16cPIA6CgpFp2oQQLbxP0EUyoOXJjH6Oo2gLH1gE5EmJJO1tE0kgmFicI29ZS7SJZl+PB0hquqiKbSKMHjlIfypwbQTc=&VNz=9fBchlPzp
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.atamahaberleri.com/a2fh/?4L5CL=qcchKJfYoXX+SNysomeaXt2UPWY/FcJKOe6J/rkRQI82UqjdWxoSyFumgkLce2bhgQ1UYjQfjBP88N6FTJ0nkeTpGzUxt+uzFPein5I=&VNz=9fBchlPzp
http://www.dg-computing.com/a2fh/?4L5CL=pV97ZqUGpE+UodE0UyDCOo7MEcmaoOdfg9usDzs3w3JwZR7SMHyMKVK/lZy2YBfdLhtcCUV0G4ICDRW/J2REkgHIgwBLa2wBoIgzf5w=&VNz=9fBchlPzp
http://www.kkqqzb.xyz/a2fh/?4L5CL=26Y37L3jXNG2JHI3wpaK6zCVLkrwfYXeV/30niWVu7rxeLE01wiRvGELFFHOaIrCm60YwShU1siy0NCFU9cAiPm31W1i39pBO7M5w+I=&VNz=9fBchlPzp
http://www.dg-computing.com/a2fh/
http://www.thezweb.com/a2fh/?4L5CL=ohPlRN1rGtRlq2ENH0YEDA1UceaE5ScRC2dJJXLlUzkXjZP8hqfc1Pamn8K9eI0nDacK8c7ZeK5GYMYRI15J27P9D9jBSgJvDxW15X4=&VNz=9fBchlPzp
|
11
www.thezweb.com(63.141.242.43)
www.dg-computing.com(38.238.131.233)
www.fruitecology.com(46.30.213.155)
www.atamahaberleri.com(185.126.216.74)
www.kkqqzb.xyz(172.67.174.28)
172.67.174.28
38.238.131.233
63.141.242.43 - mailcious
45.33.6.223
46.30.213.155 - mailcious
185.126.216.74
|
3
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
8.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14289 |
2023-03-24 09:37
|
85............................... c3e8b482ed3986690fcdc9cbab9a0b7f
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
|
1
172.245.123.109 - malware
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14290 |
2023-03-24 09:34
|
 vbc.exe 8301d3d1a602b5aa7e72a57fb20d1a57
PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14291 |
2023-03-24 09:34
|
 b.pif 424811420bb77c6b2aeee8fd5fd651e0
PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger PDF AntiDebug AntiVM .NET EXE PE32 PE File ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
7
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip
http://37.139.128.83/golden.pdf - rule_id: 27987
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
http://checkip.dyndns.org/
|
3
checkip.dyndns.org(193.122.6.168)
193.122.6.168
37.139.128.83 - mailcious
|
6
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
ET INFO Dotted Quad Host PDF Request
|
1
http://37.139.128.83/golden.pdf
|
20.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14292 |
2023-03-24 09:34
|
 1.vbs 670a6c9ab0f89a768738fe10a8b06982
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.8 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14293 |
2023-03-24 08:41
|
presetbodyqualitydebris.hbaked... 3627dcbbcd0be2ce4f53d3e05c77d9eb
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14294 |
2023-03-23 18:47
|
 INV.exe d826f8c8edb9b4eea8ee18fa75572490
UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD DNS |
24
http://www.gitmart.top/hubr/?QCFrH7=8LIoJqXtzQoTeM3tSIRjdvK/wvVoI+eZdkhCTWtrmHUI4YaQHcTCw+vN7fasUs/Q0cHIvjOlVkHozVI89gTByPzeHUA52gVSRwAL/jY=&RbcWz=XTYFdv
http://www.kahinghk.com/hubr/?QCFrH7=KA2zyijBF8x3Kgke2P+iKCtl6t6cGVl80Cc65JTye6QbcFhOuDw4y56CfsJy2MXD5dQvnaW1nqx7b9Z6wt4S6QZG6sghwLw0rVDMOz0=&RbcWz=XTYFdv
http://www.guochaochao.com/hubr/?QCFrH7=vfnS7kNQ7lGkZwLtMQL9ZqfKyBscb+bEwFm+1uJubApJ6Q5hDNwLUi92Ea3pDCl5aGqTGhnnOe/pMNEIN7harbO0q3jSNOA5A+i+70k=&RbcWz=XTYFdv
http://www.kahinghk.com/hubr/
http://www.celestinshipping.org/hubr/
http://www.hbslwhcb.com/hubr/?QCFrH7=5E10n45PC8vNB5pZtNj2sXLK8uWSY44i7aDcSA40kUAwhBPRaI2LrW2xciaMt4VcY7NLJleQuynhqBK73YwksAZi1WQgViquW1DW70o=&RbcWz=XTYFdv
http://www.guochaochao.com/hubr/
http://www.mtgu.net/hubr/?QCFrH7=BYsUt3owDFJM7GVfuQIWnXwMgDGHBsC/I/b9ZUSfYrqeSV4owQnpPIjIy5UP/vTtTt2F54HHRXV+MLyWN1XqqGr/sjv3aXZqNOI2ujY=&RbcWz=XTYFdv
http://www.bankmobile.online/hubr/?QCFrH7=AqcQf51FHOgh7P9E+wpuxnHpBgBzwI/msQRQ0Dyz8q0S90nTnG8ByyoMHYn461jaf1OBwwUC6quuS4TuPkl+q34PRRmwUjUeIaKK3gY=&RbcWz=XTYFdv
http://www.bankmobile.online/hubr/
http://www.auto-sparepart.com/hubr/?QCFrH7=shp9tHQK/I+jiDz9HZEHJbj1KzHSlPA6IKLbVtcuxb+Os6cPDAiYF95XnY/LnjHwM9ayWNJXkgFRKo9FtI2zAKU8dQudTiqe32jNO5U=&RbcWz=XTYFdv
http://www.airductshopdk.com/hubr/?QCFrH7=IY6ZMgtXttJgF5cV0sWllCOUaHDATDBCnZNtq8QNvWCyBBYDnskeOxikfpX38PnG5T3Zxr6jgxyRUZdALpyeaupJP3sUL1Dl98sUeiQ=&RbcWz=XTYFdv
http://www.hbslwhcb.com/hubr/
http://www.celestinshipping.org/hubr/?QCFrH7=Vfw1tXj75Mnbbr9waYgxlQ7QagSBA5wKBGGly+Su2Nf6tIgktwqqKgDHr8woq6O0Z5sp1IK/HWsht85Es+CPzw2fwmYXFsAsraj4FMw=&RbcWz=XTYFdv
http://www.asonsrestaurantbar.co.uk/hubr/
http://www.callceylon-infinity.com/hubr/?QCFrH7=QGWktfIAtu18+t6NQORxBTtvzjo+nFqh7PlIya0sAjXty+UNsna0QAVZJMoUGZhtBucAVwHYc/82s4klU8XEeQDHowb765v/cfPxxLM=&RbcWz=XTYFdv
http://www.betting.style/hubr/
http://www.betting.style/hubr/?QCFrH7=Igos4DvGYSTYudzWMt6YfvTMrgMRYd/c9vPdAr65R47dBdgzYQRIJWYhFBMjFdvBBv9IJDMtFMntT2Xn4QfH4WErd6ncw9Si7XBW0k4=&RbcWz=XTYFdv
http://www.airductshopdk.com/hubr/
http://www.mtgu.net/hubr/
http://www.gitmart.top/hubr/
http://www.auto-sparepart.com/hubr/
http://www.asonsrestaurantbar.co.uk/hubr/?QCFrH7=LhIi+kEWCIVSy/fPx6ZU7zxwa0K9qbQ4Avh4ugI75RiAcqy+P9f/TzxibnAgVXMDuzt86sgVXJJMNA/faZ0hFKKpQbAodEvnYLncODA=&RbcWz=XTYFdv
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
|
25
www.mtgu.net(165.140.71.65)
www.celestinshipping.org(74.220.199.6)
www.guochaochao.com(23.27.78.200)
www.asonsrestaurantbar.co.uk(63.141.242.43)
www.auto-sparepart.com(13.248.243.5)
www.kahinghk.com(148.66.54.130)
www.hbslwhcb.com(103.146.179.136)
www.betting.style(64.190.63.111)
www.airductshopdk.com(23.228.123.194)
www.bankmobile.online(185.104.28.238)
www.callceylon-infinity.com(217.160.0.91)
www.gitmart.top(199.192.28.110)
23.27.78.200
185.104.28.238 - mailcious
103.146.179.136
76.223.105.230 - mailcious
64.190.63.111 - mailcious
74.220.199.6 - mailcious
192.187.111.219 - mailcious
148.66.54.130
217.160.0.91
45.33.6.223
23.228.123.194
199.192.28.110
165.140.71.65
|
4
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
|
|
4.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14295 |
2023-03-23 18:45
|
 ss47.exe 44d59cf2b7e4700b703e95eaa7fdbdc7
UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File Browser Info Stealer VirusTotal Malware PDB MachineGuid Malicious Traffic buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Remote Code Execution |
5
http://bz.bbbeioaag.com/sts/bimage.jpg
http://count.iiagjaggg.com/check/safe
http://www.facebook.com/check/?sid=1251809&key=0dcaeaf81593814fe2ahttps://www.facebook.com/d06851037
https://www.facebook.com/ads/manager/account_settings/account_billing
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
|
6
bz.bbbeioaag.com(45.136.113.107)
www.facebook.com(157.240.31.35)
count.iiagjaggg.com(45.66.159.179)
45.136.113.107
31.13.82.36
45.66.159.179
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Double User-Agent (User-Agent User-Agent)
|
|
5.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|