14311 | 2023-03-23 13:25
Firefox1.exe 77d8ff584c4a6be6e927107aa7aa813b Malicious Library PE32 PE File VirusTotal Malware PDB Check memory unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS
1
1 | SURICATA Applayer Protocol detection skipped
3.8 | M | 47 | ZeroCERT
14312 | 2023-03-23 13:24
vbc.exe 92be4d14e97f691d1a23454035deca30 UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
2 | ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
4.4 | M | 34 | ZeroCERT
14313 | 2023-03-23 13:23
vbc.exe 047f4584d2662d20bbb4c7b48cb1523a PWS .NET framework RAT Hide_EXE SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
1
2 | api.ipify.org(104.237.62.211) 64.185.227.155
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.0 | M | 32 | ZeroCERT
14314 | 2023-03-23 13:20
unknown.exe ab2185234d407de7d8d03041e7c3a488 RAT UPX Malicious Library Antivirus OS Processor Check .NET EXE PE32 PE File suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName keylogger
3.2 | M | | ZeroCERT
14315 | 2023-03-23 13:19
vbc.exe d4908996778bfe1127a10b8db2741e88 PWS .NET framework RAT Generic Malware UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS
1 | 31.186.11.254 - mailcious
3.8 | M | 26 | ZeroCERT
14316 | 2023-03-23 13:19
vbc.exe ca62a1b8f19765c9dab034741c463aed UPX Malicious Library PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Check memory Creates executable files unpack itself AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
1 | 208.67.105.148 - mailcious
8.8 | M | 41 | ZeroCERT
14317 | 2023-03-23 13:16
Downloader.exe 75d45ac139ac9630ef44d1952e574633 PE32 PE File Malware download VirusTotal Malware AutoRuns Malicious Traffic Creates executable files RWX flags setting AppData folder Windows Remote Code Execution DNS Downloader
2 | http://193.42.33.216/clip.exe http://193.42.33.216/myp.exe
1
7 | ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Packed Executable Download
5.0 | M | 59 | ZeroCERT
14318 | 2023-03-23 13:15
529f38_9aa2021e548e4d6ea92f285... cd265d216aa729b1051f8631185f3520 ZIP Format Word 2007 file format(docx) VirusTotal Malware unpack itself Tofsee
2 | https://urlcallinghta6.blogspot.com/atom.xml - rule_id: 28108 https://urlcallinghta6.blogspot.com/
4 | files.catbox.moe(107.160.74.134) - malware urlcallinghta6.blogspot.com(142.250.76.129) - mailcious 107.160.74.134 - malware 142.250.207.65
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
1 | https://urlcallinghta6.blogspot.com/atom.xml
2.2 | M | 16 | ZeroCERT
14319 | 2023-03-23 13:14
svchost.exe a8a106555b9e1f92569d623c66ee8c12 UPX Malicious Library Malicious Packer OS Processor Check PE32 PE File VirusTotal Malware DNS
1 | 212.87.204.93 - mailcious
3.6 | M | 51 | ZeroCERT
14320 | 2023-03-23 13:13
rocheleb4.1.exe 78a95a8cb18e37d6565520be5e8013c4 UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
1 | ET MALWARE FormBook CnC Checkin (GET)
4.8 | M | 25 | ZeroCERT
14321 | 2023-03-23 13:12
vil.exe bc8579d75cae5223ed53f34e037b2eaa PWS .NET framework RAT Hide_EXE SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed
10.4 | M | 37 | ZeroCERT
14322 | 2023-03-23 13:10
buil.exe 495ce8bc963f4b0d156e4b7e5ed97ed4 PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
2.2 | M | 48 | ZeroCERT
14323 | 2023-03-23 13:10
clip.exe 8d3942d2bfaf962a1177aee8d08ca079 PE32 PE File VirusTotal Malware Telegram AutoRuns MachineGuid buffers extracted Check virtual network interfaces Windows DNS
2 | api.telegram.org(149.154.167.220) 149.154.167.220
2 | ET HUNTING Telegram API Domain in DNS Lookup; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4.6 | M | 26 | ZeroCERT
14324 | 2023-03-23 13:08
world.exe f8e0e6946af017037e8bb4d5455d4e99 PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
1
6.2 | M | 47 | ZeroCERT
14325 | 2023-03-23 13:07
LowesDistillery.exe f0a2d9e0876b2de2d5f5b7936a299e9f Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | M | 57 | ZeroCERT