1426 | 2024-08-08 14:23
sahost.exe | e3b7b813fdaeba4ef1d1b17bc827df20
Tags: Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS
URLs (13):
  http://www.hourglasspoise.net/5gvb/?gkJb=/cc9D7vqfViixqGthiuMbdR5vErImywOC8ezpB4FmcTpRtjTbyPN8oLjmjUaYTUAZZsBqqPA4LzpXUrs3zKz1+bcJTGwBkjtMfI/kGKzlFznEvk/PsID24fmvZA2hoz8baldBw0=&EjQU=FuDkP7Tse-i7U - rule_id: 41514
  http://www.theiconsummit.life/6fdz/ - rule_id: 41517
  http://www.lontos.top/ukrf/ - rule_id: 41516
  http://www.hourglasspoise.net/5gvb/ - rule_id: 41514
  http://www.accelbusiness.net/sg0d/?gkJb=ZFII8SVAvGzgMmVXToVI4LwsaVgSRAPMY6hEAWMgzd/rbIPLPNZ+lpDrj56GxiOWRiizuXBqoJ7dds0AusnvIdaVAlrc/osgyVUIbfwB8yhx2m5WAGulmI8my104pwb/sqeANsY=&EjQU=FuDkP7Tse-i7U - rule_id: 41512
  http://www.lontos.top/ukrf/?gkJb=F/tpX3aJNzQcZIorwbtn4XzXZf0a/CrYoWsqF027uxYn9zYWtTXD5RI4AWcWVnLyOuVjbatHjcymGXUCp/2iE/8I1+t1d0MzMQiJ/YLZDKzAaLFDJakAPmxPg9uDu26TEYHLTo4=&EjQU=FuDkP7Tse-i7U - rule_id: 41516
  http://www.bosonserver.net/x10g/?gkJb=AtIpZIbrclbIO3wVV4nf5MkbKr3zgThFYZcx/yn27KMXet/sCHbTSg7iXdN1LprNnU90TGJjlk60YPXU/gV8xNKsA5d5wJ0kF02lQrh6bPl2Ka0ee+60c3gL6UuubkfRvx1R8AU=&EjQU=FuDkP7Tse-i7U - rule_id: 41513
  http://www.asymtos.tech/34b9/?gkJb=W6RiSnxSk7sWUyAWvsuBUQf3TLDMvpVwUriP78iMWJLg9pjq2qbXoN6eJJBee+3TNvEAo0P2a/B9rNSGOSr+g5jIYLHfTFZsXGTqlaF0jUedL/CiwqWjEQX6GQUFudPhspdJ5Ls=&EjQU=FuDkP7Tse-i7U - rule_id: 41515
  http://www.asymtos.tech/34b9/ - rule_id: 41515
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
  http://www.bosonserver.net/x10g/ - rule_id: 41513
  http://www.accelbusiness.net/sg0d/ - rule_id: 41512
  http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
Hosts (12):
  www.hourglasspoise.net(15.197.148.33) - malicious
  www.theiconsummit.life(15.197.148.33) - malicious
  www.lontos.top(203.161.42.162) - malicious
  www.accelbusiness.net(15.197.148.33) - malicious
  www.asymtos.tech(217.160.164.240) - malicious
  www.bosonserver.net(195.200.3.58) - malicious
  195.200.3.58 - malicious
  3.33.130.190 - phishing
  217.160.164.240 - malicious
  15.197.148.33 - malicious
  203.161.42.162 - malicious
  45.33.6.223
Suricata alerts (4):
  ET INFO HTTP Request to a *.top domain
  ET INFO Observed DNS Query to .life TLD
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to Suspicious *.life Domain
Rule-matched URLs (11):
  http://www.hourglasspoise.net/5gvb/
  http://www.theiconsummit.life/6fdz/
  http://www.lontos.top/ukrf/
  http://www.hourglasspoise.net/5gvb/
  http://www.accelbusiness.net/sg0d/
  http://www.lontos.top/ukrf/
  http://www.bosonserver.net/x10g/
  http://www.asymtos.tech/34b9/
  http://www.asymtos.tech/34b9/
  http://www.bosonserver.net/x10g/
  http://www.accelbusiness.net/sg0d/
10.4 | M | 46 | ZeroCERT

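The six C2 hosts in report 1426 share one beacon shape: a single four-character path segment and, on the requests that actually carried data, a query with the same two parameter names (gkJb, EjQU) and the same trailing value on every host, while the two sqlite.org downloads do not fit that shape at all. The Python below is a worked example added by the editor, not output of the sandbox or code from the Formbook family: it parses the report's URL column, keeps only beacon-shaped URLs, derives the cross-host fingerprint and emits one Suricata rule per host. SAMPLE_URLS is constructed from report 1426 with the long query values truncated; the beacon-shape regex, the rule template and the sid range are this example's assumptions.

```python
"""Normalise a sandbox report's URL column into per-host C2 indicators.

Added example, not part of the sandbox output. SAMPLE_URLS is constructed
from the URL column of report 1426 (query values truncated); the " - rule_id: N"
suffix is the report's own notation. Keying on the beacon shape (a single
four-character path segment, optionally a two-parameter query) is this
example's assumption, as are the Suricata rule template and sid range.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URLS = [  # constructed sample; long query values cut to "..."
    "http://www.hourglasspoise.net/5gvb/?gkJb=/cc9D7vqfViixqGthiuMbdR5vEr...&EjQU=FuDkP7Tse-i7U - rule_id: 41514",
    "http://www.theiconsummit.life/6fdz/ - rule_id: 41517",
    "http://www.lontos.top/ukrf/ - rule_id: 41516",
    "http://www.hourglasspoise.net/5gvb/ - rule_id: 41514",
    "http://www.accelbusiness.net/sg0d/?gkJb=ZFII8SVAvGzgMmVXToVI4Lws...&EjQU=FuDkP7Tse-i7U - rule_id: 41512",
    "http://www.lontos.top/ukrf/?gkJb=F/tpX3aJNzQcZIorwbtn4XzX...&EjQU=FuDkP7Tse-i7U - rule_id: 41516",
    "http://www.bosonserver.net/x10g/?gkJb=AtIpZIbrclbIO3wVV4nf5Mkb...&EjQU=FuDkP7Tse-i7U - rule_id: 41513",
    "http://www.asymtos.tech/34b9/?gkJb=W6RiSnxSk7sWUyAWvsuBUQf3...&EjQU=FuDkP7Tse-i7U - rule_id: 41515",
    "http://www.asymtos.tech/34b9/ - rule_id: 41515",
    "http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip",
    "http://www.bosonserver.net/x10g/ - rule_id: 41513",
    "http://www.accelbusiness.net/sg0d/ - rule_id: 41512",
    "http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip",
]

RULE_SUFFIX = re.compile(r"\s+-\s+rule_id:\s*(\d+)\s*$")
BEACON_PATH = re.compile(r"^/[a-z0-9]{4}/$")  # e.g. /5gvb/ ; assumption, see docstring


def parse_report_url(line):
    """Split one URL-column entry into host, path, query and the report's rule_id."""
    rule_id = None
    m = RULE_SUFFIX.search(line)
    if m:
        rule_id = int(m.group(1))
        line = line[: m.start()]
    parts = urlsplit(line.strip())
    query = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname or "",
        "path": parts.path,
        "params": tuple(k for k, _ in query),
        "values": dict(query),
        "rule_id": rule_id,
    }


def c2_indicators(lines):
    """Group beacon-shaped URLs by host; plain downloads (the sqlite.org zips) are dropped."""
    by_host = {}
    for line in lines:
        u = parse_report_url(line)
        if not BEACON_PATH.match(u["path"]):
            continue
        ind = by_host.setdefault(
            u["host"], {"path": u["path"], "rule_ids": set(), "params": None, "beacons": 0})
        if u["rule_id"] is not None:
            ind["rule_ids"].add(u["rule_id"])
        if u["params"]:  # a request that carried data, not the bare-path probe
            ind["beacons"] += 1
            ind["params"] = u["params"]
            ind["trailer"] = u["values"][u["params"][-1]]  # value of the last parameter
    return by_host


def cross_host_fingerprint(indicators):
    """Parameter names and trailing value if identical on every host that beaconed, else None."""
    seen = {(i["params"], i["trailer"]) for i in indicators.values() if i["params"]}
    return seen.pop() if len(seen) == 1 else None


def suricata_rules(indicators, sid_base=9000000):
    """One host+path rule per C2 in Suricata 5+ sticky-buffer syntax (template is an assumption)."""
    rules = []
    for n, (host, ind) in enumerate(sorted(indicators.items())):
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Formbook-style beacon to {host}{ind["path"]}"; flow:established,to_server; '
            f'http.host; content:"{host}"; http.uri; content:"{ind["path"]}"; startswith; '
            f'classtype:trojan-activity; sid:{sid_base + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    inds = c2_indicators(SAMPLE_URLS)
    for host, ind in sorted(inds.items()):
        print(host, ind["path"], sorted(ind["rule_ids"]), "beacons:", ind["beacons"])
    print("shared fingerprint:", cross_host_fingerprint(inds))
    print("\n".join(suricata_rules(inds)))
```

The fingerprint is the useful output: the same parameter pair and trailing value link all six domains to one build even where a host (www.theiconsummit.life here) was only probed with the bare path, so a new host seen with that pair can be tied to this campaign before any rule_id exists for it.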
1427 | 2024-08-08 14:11
www.exe | 7cab3f98a04b09bc2673f84bbccd6a63
Tags: UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself sandbox evasion Tofsee ComputerName DNS
Suricata alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | M | 43 | ZeroCERT

1428 | 2024-08-08 14:09
latest.exe | 664cebe18c30cc4c32a4dbf0715bf864
Tags: Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check JPEG Format DllRegisterServer dll DLL VirusTotal Malware Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check
4.2 | M | 26 | ZeroCERT

1429 | 2024-08-08 14:09
rat.exe | 1db146fcedaecd4bc84186d1ad75e7ba
Tags: Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself
URLs (1):
  http://asd123123.zapto.org/
2.0 | M | 63 | ZeroCERT

1430 | 2024-08-08 14:07
Dropper.exe | 5341c5bb13ae2b2753b2fdadcf93aa51
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB crashed
1.6 | M | 32 | ZeroCERT

1431 | 2024-08-08 14:07
logon.exe | ceccc726e628b9592af475cc27d0a7ae
Tags: Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW
1.0 | M | 20 | ZeroCERT

1432 | 2024-08-08 14:04
javaw.exe | f8fbe90216db05230b6a9cbf2c6cc218
Tags: Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check
0.2 | M | | ZeroCERT

1433 | 2024-08-08 11:25
regasm.exe | f74f2df998219d602185c46107329e82
Tags: Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (5):
  reallyfreegeoip.org(104.21.67.152)
  checkip.dyndns.org(158.101.44.242)
  132.226.8.169
  208.91.199.224 - malicious
  172.67.177.134
Suricata alerts (6):
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
16.2 | M | 49 | ZeroCERT

1434 | 2024-08-08 11:22
regasm.exe | 62b9f8d4c98febbcd68e635c14d8d882
Tags: Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (8):
  api.telegram.org(149.154.167.220) - malicious
  smtp.coxenregy.com(208.91.198.143)
  reallyfreegeoip.org(172.67.177.134)
  checkip.dyndns.org(193.122.130.0)
  193.122.6.168
  208.91.199.224 - malicious
  104.21.67.152
  149.154.167.220 - malicious
Suricata alerts (10):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET INFO TLS Handshake Failure
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  SURICATA Applayer Detect protocol only one direction
14.8 | M | 31 | ZeroCERT

1435 | 2024-08-08 11:20
sahost.exe | c79d8b7c07b992c6aa435e4101770f99
Tags: Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser SnakeKeylogger Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (7):
  us2.smtp.mailhostbox.com(208.91.198.143)
  reallyfreegeoip.org(172.67.177.134)
  checkip.dyndns.org(132.226.247.73)
  208.91.199.225 - malicious
  208.91.199.224 - malicious
  158.101.44.242
  104.21.67.152
Suricata alerts (8):
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  SURICATA Applayer Detect protocol only one direction
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  ET MALWARE Snake Keylogger Exfil via SMTP
16.2 | | 49 | ZeroCERT

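Reports 1433 through 1439 show the same network sequence: an external-IP lookup (checkip.dyndns.org, then reallyfreegeoip.org) followed by an exfiltration channel, either an smtp.* host or api.telegram.org, with only report 1435 producing a family-specific alert (ET MALWARE Snake Keylogger Exfil via SMTP). The SSLBL JA3 "Tofsee" alert fires on every one of those reports and on the unrelated www.exe sample in report 1427, which argues for treating it as a weak signal rather than an attribution. The Python below, a worked example added by the editor rather than anything produced by the sandbox, scores a report's host and alert columns for that sequence and marks the family attribution as weak when it rests on the JA3 hit alone. The three report dictionaries are constructed from the host and alert columns of reports 1435, 1434 and 1427; the marker strings, verdict labels and the smtp.* heuristic are this example's assumptions.

```python
"""Score a sandbox report's host and alert columns for the keylogger
IP-check-then-exfil sequence. Added example, not part of the sandbox output.
Report dictionaries are constructed from this page; marker strings, verdict
labels and the smtp.* host heuristic are this example's assumptions."""
import re

# Constructed from the host and alert columns of reports 1435, 1434 and 1427.
REPORT_1435 = {
    "hosts": [
        "us2.smtp.mailhostbox.com(208.91.198.143)",
        "reallyfreegeoip.org(172.67.177.134)",
        "checkip.dyndns.org(132.226.247.73)",
        "208.91.199.225 - malicious",
        "208.91.199.224 - malicious",
        "158.101.44.242",
        "104.21.67.152",
    ],
    "alerts": [
        "ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)",
        "ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI",
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
        "ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)",
        "SURICATA Applayer Detect protocol only one direction",
        "ET POLICY External IP Lookup - checkip.dyndns.org",
        "ET INFO 404/Snake/Matiex Keylogger Style External IP Check",
        "ET MALWARE Snake Keylogger Exfil via SMTP",
    ],
}
REPORT_1434 = {
    "hosts": [
        "api.telegram.org(149.154.167.220) - malicious",
        "smtp.coxenregy.com(208.91.198.143)",
        "reallyfreegeoip.org(172.67.177.134)",
        "checkip.dyndns.org(193.122.130.0)",
        "193.122.6.168",
        "208.91.199.224 - malicious",
        "104.21.67.152",
        "149.154.167.220 - malicious",
    ],
    "alerts": [
        "ET HUNTING Telegram API Domain in DNS Lookup",
        "ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)",
        "ET INFO TLS Handshake Failure",
        "ET POLICY External IP Lookup - checkip.dyndns.org",
        "ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)",
        "ET INFO 404/Snake/Matiex Keylogger Style External IP Check",
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
        "ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI",
        "ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)",
        "SURICATA Applayer Detect protocol only one direction",
    ],
}
REPORT_1427 = {  # www.exe: only the JA3 hit and a failed handshake, no hosts
    "hosts": [],
    "alerts": [
        "ET INFO TLS Handshake Failure",
        "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    ],
}

# Host column shapes: "name(ip) - label", "name(ip)", "ip - label", "ip"
HOST_RE = re.compile(
    r"^(?:(?P<name>[^\s(]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>\w+))?$")

IP_CHECK_MARKERS = ("External IP Lookup", "External IP Address Lookup", "Keylogger Style External IP Check")
SMTP_ALERT_MARKERS = ("Exfil via SMTP",)
TELEGRAM_MARKERS = ("Telegram API",)
EXFIL_HOST_RE = re.compile(r"(^|\.)smtp\.")  # heuristic: any smtp.* name is an exfil mail host


def parse_host(entry):
    """Parse one host-column entry into name, ip and the feed's label (malicious/phishing/None)."""
    m = HOST_RE.match(entry.strip())
    if m is None:
        raise ValueError(f"unrecognised host entry: {entry!r}")
    return {"name": m.group("name"), "ip": m.group("ip") or m.group("bare"), "label": m.group("label")}


def classify(report):
    """Return the stages seen, the exfil channels, flagged IPs and an attribution-quality flag."""
    alerts = report["alerts"]
    hosts = [parse_host(h) for h in report["hosts"]]
    names = {h["name"] for h in hosts if h["name"]}

    def has(markers):
        return any(mk in a for a in alerts for mk in markers)

    ip_check = has(IP_CHECK_MARKERS)
    channels = set()
    if has(SMTP_ALERT_MARKERS) or any(EXFIL_HOST_RE.search(n) for n in names):
        channels.add("smtp")
    if has(TELEGRAM_MARKERS) or "api.telegram.org" in names:
        channels.add("telegram")

    # A family name resting only on an SSLBL JA3 hit is weak: that alert fires on
    # every .NET stealer report on this page and on the unrelated www.exe sample.
    ja3_hit = any(a.startswith("SSLBL:") for a in alerts)
    named_family = any(a.startswith("ET MALWARE") for a in alerts)

    if ip_check and channels:
        verdict = "keylogger-exfil"
    elif ip_check:
        verdict = "ip-check-only"
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "ip_check": ip_check,
        "channels": channels,
        "weak_attribution": ja3_hit and not named_family,
        "flagged_ips": sorted({h["ip"] for h in hosts if h["label"]}),
        "exfil_hosts": sorted(n for n in names if EXFIL_HOST_RE.search(n) or n == "api.telegram.org"),
    }


if __name__ == "__main__":
    for rid, rep in (("1435", REPORT_1435), ("1434", REPORT_1434), ("1427", REPORT_1427)):
        print(rid, classify(rep))
```

Run over the three constructed reports, 1435 and 1434 both come out as keylogger-exfil with their mail and Telegram hosts listed for blocking, while 1427 yields no stage at all and a weak-attribution flag, which is the right reading of a report whose only family evidence is the shared JA3 alert.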
1436 | 2024-08-08 11:20
logon.exe | ceccc726e628b9592af475cc27d0a7ae
Tags: Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW
1.0 | | 20 | ZeroCERT

1437 | 2024-08-08 11:18
latest.exe | 5d42fb68071f9f02ae6928865478e003
Tags: Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check DllRegisterServer dll JPEG Format DLL Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check
3.4 | | | ZeroCERT

1438 | 2024-08-08 11:18
sahost.exe | 99a5ba6045c45bd20f081ca3fb06a58a
Tags: Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (4):
  reallyfreegeoip.org(104.21.67.152)
  checkip.dyndns.org(193.122.6.168)
  193.122.6.168
  104.21.67.152
Suricata alerts (6):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.2 | | 46 | ZeroCERT

1439 | 2024-08-08 11:16
wahost.exe | 14b98daca4a9912ad416eb7c0231cc21
Tags: Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (8):
  api.telegram.org(149.154.167.220) - malicious
  smtp.coxenregy.com(208.91.199.224)
  reallyfreegeoip.org(104.21.67.152)
  checkip.dyndns.org(193.122.6.168)
  132.226.8.169
  208.91.199.225 - malicious
  104.21.67.152
  149.154.167.220 - malicious
Suricata alerts (10):
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  ET HUNTING Telegram API Domain in DNS Lookup
14.8 | M | 50 | ZeroCERT

1440 | 2024-08-08 11:16
sahost.exe | 3cd277b692b93cea6874d7879f1134d0
Tags: NSIS Suspicious_Script_Bin Generic Malware Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.4 | M | 26 | ZeroCERT