| 1426 |
2024-08-08 14:23
|
 sahost.exe e3b7b813fdaeba4ef1d1b17bc827df20
Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS |
13
http://www.hourglasspoise.net/5gvb/?gkJb=/cc9D7vqfViixqGthiuMbdR5vErImywOC8ezpB4FmcTpRtjTbyPN8oLjmjUaYTUAZZsBqqPA4LzpXUrs3zKz1+bcJTGwBkjtMfI/kGKzlFznEvk/PsID24fmvZA2hoz8baldBw0=&EjQU=FuDkP7Tse-i7U - rule_id: 41514
http://www.theiconsummit.life/6fdz/ - rule_id: 41517
http://www.lontos.top/ukrf/ - rule_id: 41516
http://www.hourglasspoise.net/5gvb/ - rule_id: 41514
http://www.accelbusiness.net/sg0d/?gkJb=ZFII8SVAvGzgMmVXToVI4LwsaVgSRAPMY6hEAWMgzd/rbIPLPNZ+lpDrj56GxiOWRiizuXBqoJ7dds0AusnvIdaVAlrc/osgyVUIbfwB8yhx2m5WAGulmI8my104pwb/sqeANsY=&EjQU=FuDkP7Tse-i7U - rule_id: 41512
http://www.lontos.top/ukrf/?gkJb=F/tpX3aJNzQcZIorwbtn4XzXZf0a/CrYoWsqF027uxYn9zYWtTXD5RI4AWcWVnLyOuVjbatHjcymGXUCp/2iE/8I1+t1d0MzMQiJ/YLZDKzAaLFDJakAPmxPg9uDu26TEYHLTo4=&EjQU=FuDkP7Tse-i7U - rule_id: 41516
http://www.bosonserver.net/x10g/?gkJb=AtIpZIbrclbIO3wVV4nf5MkbKr3zgThFYZcx/yn27KMXet/sCHbTSg7iXdN1LprNnU90TGJjlk60YPXU/gV8xNKsA5d5wJ0kF02lQrh6bPl2Ka0ee+60c3gL6UuubkfRvx1R8AU=&EjQU=FuDkP7Tse-i7U - rule_id: 41513
http://www.asymtos.tech/34b9/?gkJb=W6RiSnxSk7sWUyAWvsuBUQf3TLDMvpVwUriP78iMWJLg9pjq2qbXoN6eJJBee+3TNvEAo0P2a/B9rNSGOSr+g5jIYLHfTFZsXGTqlaF0jUedL/CiwqWjEQX6GQUFudPhspdJ5Ls=&EjQU=FuDkP7Tse-i7U - rule_id: 41515
http://www.asymtos.tech/34b9/ - rule_id: 41515
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
http://www.bosonserver.net/x10g/ - rule_id: 41513
http://www.accelbusiness.net/sg0d/ - rule_id: 41512
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
|
12
www.hourglasspoise.net(15.197.148.33) - mailcious
www.theiconsummit.life(15.197.148.33) - mailcious
www.lontos.top(203.161.42.162) - mailcious
www.accelbusiness.net(15.197.148.33) - mailcious
www.asymtos.tech(217.160.164.240) - mailcious
www.bosonserver.net(195.200.3.58) - mailcious
195.200.3.58 - mailcious
3.33.130.190 - phishing
217.160.164.240 - mailcious
15.197.148.33 - mailcious
203.161.42.162 - mailcious
45.33.6.223
|
4
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .life TLD
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to Suspicious *.life Domain
|
11
http://www.hourglasspoise.net/5gvb/
http://www.theiconsummit.life/6fdz/
http://www.lontos.top/ukrf/
http://www.hourglasspoise.net/5gvb/
http://www.accelbusiness.net/sg0d/
http://www.lontos.top/ukrf/
http://www.bosonserver.net/x10g/
http://www.asymtos.tech/34b9/
http://www.asymtos.tech/34b9/
http://www.bosonserver.net/x10g/
http://www.accelbusiness.net/sg0d/
|
10.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1427 |
2024-08-08 14:11
|
 www.exe 7cab3f98a04b09bc2673f84bbccd6a63
UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself sandbox evasion Tofsee ComputerName DNS |
|
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1428 |
2024-08-08 14:09
|
 latest.exe 664cebe18c30cc4c32a4dbf0715bf864
Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check JPEG Format DllRegisterServer dll DLL VirusTotal Malware Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check |
|
|
|
|
4.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1429 |
2024-08-08 14:09
|
 rat.exe 1db146fcedaecd4bc84186d1ad75e7ba
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
1
http://asd123123.zapto.org/
|
|
|
|
2.0 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1430 |
2024-08-08 14:07
|
 Dropper.exe 5341c5bb13ae2b2753b2fdadcf93aa51
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB crashed |
|
|
|
|
1.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1431 |
2024-08-08 14:07
|
 logon.exe ceccc726e628b9592af475cc27d0a7ae
Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
1.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1432 |
2024-08-08 14:04
|
 javaw.exe f8fbe90216db05230b6a9cbf2c6cc218
Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check |
|
|
|
|
0.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1433 |
2024-08-08 11:25
|
 regasm.exe f74f2df998219d602185c46107329e82
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
5
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(158.101.44.242)
132.226.8.169
208.91.199.224 - mailcious
172.67.177.134
|
6
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
|
|
16.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1434 |
2024-08-08 11:22
|
 regasm.exe 62b9f8d4c98febbcd68e635c14d8d882
Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
8
api.telegram.org(149.154.167.220) - mailcious
smtp.coxenregy.com(208.91.198.143)
reallyfreegeoip.org(172.67.177.134)
checkip.dyndns.org(193.122.130.0)
193.122.6.168
208.91.199.224 - mailcious
104.21.67.152
149.154.167.220 - mailcious
|
10
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO TLS Handshake Failure
ET POLICY External IP Lookup - checkip.dyndns.org
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
SURICATA Applayer Detect protocol only one direction
|
|
14.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1435 |
2024-08-08 11:20
|
 sahost.exe c79d8b7c07b992c6aa435e4101770f99
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser SnakeKeylogger Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
7
us2.smtp.mailhostbox.com(208.91.198.143)
reallyfreegeoip.org(172.67.177.134)
checkip.dyndns.org(132.226.247.73)
208.91.199.225 - mailcious
208.91.199.224 - mailcious
158.101.44.242
104.21.67.152
|
8
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
SURICATA Applayer Detect protocol only one direction
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET MALWARE Snake Keylogger Exfil via SMTP
|
|
16.2 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1436 |
2024-08-08 11:20
|
 logon.exe ceccc726e628b9592af475cc27d0a7ae
Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
1.0 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1437 |
2024-08-08 11:18
|
 latest.exe 5d42fb68071f9f02ae6928865478e003
Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check DllRegisterServer dll JPEG Format DLL Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check |
|
|
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1438 |
2024-08-08 11:18
|
 sahost.exe 99a5ba6045c45bd20f081ca3fb06a58a
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
4
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(193.122.6.168)
193.122.6.168
104.21.67.152
|
6
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1439 |
2024-08-08 11:16
|
 wahost.exe 14b98daca4a9912ad416eb7c0231cc21
Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
8
api.telegram.org(149.154.167.220) - mailcious
smtp.coxenregy.com(208.91.199.224)
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(193.122.6.168)
132.226.8.169
208.91.199.225 - mailcious
104.21.67.152
149.154.167.220 - mailcious
|
10
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET HUNTING Telegram API Domain in DNS Lookup
|
|
14.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1440 |
2024-08-08 11:16
|
 sahost.exe 3cd277b692b93cea6874d7879f1134d0
NSIS Suspicious_Script_Bin Generic Malware Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|