14401 |
2023-03-30 09:21
|
1.exe 88131cfd2cca21aba749fd591b04b45f Generic Malware UPX Malicious Library Downloader Malicious Packer OS Processor Check PE32 PE File Remcos VirusTotal Malware Malicious Traffic Check memory Windows DNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) 132.226.8.169 178.237.33.50 185.246.220.130 - malware
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
4.0 |
|
50 |
ZeroCERT
14402 |
2023-03-30 09:21
|
2.exe d606a39261a0599154ba54ec565fd602 Generic Malware UPX Malicious Library Downloader Malicious Packer OS Processor Check PE32 PE File Remcos VirusTotal Malware Malicious Traffic Check memory Windows DNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) 178.237.33.50 158.101.44.242 185.246.220.130 - malware
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
4.0 |
|
52 |
ZeroCERT
14403 |
2023-03-30 09:17
|
vbc.exe a98f0fd7f830e6c6514d4b8cc9934743 UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself |
18
|
19
|
3
ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
17
|
5.2 |
M |
37 |
ZeroCERT
14404 |
2023-03-30 09:16
|
try.hta 7a8dd40f53d76872300fdba6b6429822 PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM PowerShell .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://198.46.174.164/118/putty.exe http://checkip.dyndns.org/
|
3
checkip.dyndns.org(193.122.130.0) 132.226.8.169 198.46.174.164 - mailcious
|
10
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET INFO Executable Download from dotted-quad Host ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
21.0 |
|
20 |
ZeroCERT
14405 |
2023-03-30 09:14
|
putty.exe f0cbe408045d492ae41ee92ad7c39bea PWS .NET framework RAT SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(193.122.130.0) 158.101.44.242
|
5
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
|
|
13.2 |
|
14 |
ZeroCERT
14406 |
2023-03-29 23:31
|
DvDUsSet.exe 65de52a852356f9e0aea8b43e67105f7 Confuser .NET .NET EXE PE32 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Ransomware DNS |
|
3
videoconvert-download38.xyz() - mailcious iplogger.org(148.251.234.83) - mailcious 148.251.234.83
|
3
ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
M |
62 |
guest
14407 |
2023-03-29 18:09
|
ppp.exe a82baff8213bd78f398420e6ed3d58aa UPX .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself |
|
|
|
|
3.6 |
M |
50 |
r0d
14408 |
2023-03-29 17:50
|
1000+FacebookSPDogs-15pc.exe 00b84d9dee2056758a6fbb07faef57d4 PWS .NET framework RAT .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.0 |
M |
35 |
ZeroCERT
14409 |
2023-03-29 17:48
|
cubalibre2 54a5f1bf56bb033fabafce49f03f6794 Malicious Library DLL PE32 PE File VirusTotal Malware Checks debugger RWX flags setting unpack itself ComputerName DNS |
|
1
|
1
SURICATA Applayer Wrong direction first Data
|
|
3.4 |
M |
52 |
ZeroCERT
14410 |
2023-03-29 17:47
|
ppp.exe a82baff8213bd78f398420e6ed3d58aa .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself DNS |
16
|
19
|
2
ET INFO Observed DNS Query to .biz TLD ET MALWARE FormBook CnC Checkin (GET)
|
|
5.8 |
M |
50 |
ZeroCERT
14411 |
2023-03-29 17:46
|
Spfteysaad.exe 8f3e8fa1ba9c4c10680a9135a2ab6724 PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.8 |
M |
20 |
ZeroCERT
14412 |
2023-03-29 17:44
|
1.exe 05d614ae9941dc597f918230c0938d11 UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware |
|
|
|
|
1.4 |
M |
9 |
ZeroCERT
14413 |
2023-03-29 17:42
|
buildjack.exe 10f57aeea7d69c1fd26302daea446d8d PWS .NET framework RAT .NET EXE PE32 PE File Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Telegram Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser ComputerName DNS |
1
http://ip-api.com/line?fields=query
|
4
ip-api.com(208.95.112.1) api.telegram.org(149.154.167.220) 208.95.112.1 149.154.167.220
|
5
ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Telegram API Domain in DNS Lookup ET POLICY External IP Lookup ip-api.com
|
|
5.2 |
M |
45 |
ZeroCERT
14414 |
2023-03-29 17:41
|
vbc.exe 4da41093eb4cce80c18d1e6a2391ba80 UPX Malicious Library PE32 PE File JPEG Format Browser Info Stealer Remcos VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser DNS keylogger |
|
3
top.not2beabused01.xyz(38.117.65.122) - mailcious 38.117.65.122 - mailcious 45.33.6.223
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
5.6 |
M |
31 |
ZeroCERT
14415 |
2023-03-29 17:40
|
w.exe c200ea136a598e37eb83c8c6031b3f29 PE32 PE File VirusTotal Malware AutoRuns Creates executable files RWX flags setting unpack itself AppData folder Tofsee Windows Remote Code Execution |
2
https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe
|
6
downloads.exodus.com(104.18.19.218) bitcoin.org(172.67.40.154) download.electrum.org(104.21.89.144) 104.22.68.176 104.21.89.144 104.18.19.218
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.0 |
M |
56 |
ZeroCERT