#14416  2023-03-29 17:40
Sample: uy74.exe  MD5 9b5a6f627c74f828bc4e85e2e2843e0c
Tags: PWS .NET framework RAT UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
Score 2.0 | M | 30 | ZeroCERT

#14417  2023-03-29 17:40
Sample: dy.exe  MD5 5d2a5e49ca03081b82c5aff2eed04770
Tags: .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself DNS
URLs (15):
  http://www.coba.dev/u62a/?uyJ6NZy=o8SCP/YnJ49qk75I5z3GzELHmg2Up2LUiNCn13SbmA4goaf+g+1fYa13Odsfun9rvkIDAdpJippA+Y6N0xwu8NBanTjMGd5U2PfRiS4=&GqUv=WJjJdRiak0 - rule_id: 28209
  http://www.starauctioneerspro.com/u62a/?uyJ6NZy=xxICz6/4R5ldvKit9pQiZZ+jTsTJ1UXO3+kkY3b4PoRSc/9CGhnte6tVjQSTVfHBpnO/T6bLIQt5I4s4artxGH6TeZHS/DCwG7N4VUA=&GqUv=WJjJdRiak0 - rule_id: 28212
  http://www.coba.dev/u62a/ - rule_id: 28209
  http://www.meandclementina.com/u62a/ - rule_id: 28210
  http://www.starauctioneerspro.com/u62a/ - rule_id: 28212
  http://www.marex.promo/u62a/?uyJ6NZy=HTOKBE+ideXsbClCFIZFlPYDAjUuWFn3t4knnx885+0EkjdUagvAPmmh9nOXJS6XsZrvZ1YpL3hurMR7Bu4FKovUyILBMkHn6uQL+64=&GqUv=WJjJdRiak0 - rule_id: 28211
  http://www.marex.promo/u62a/ - rule_id: 28211
  http://www.meandclementina.com/u62a/?uyJ6NZy=sEdvL1ZGkULv2A8bNXBRaRmdYx+eWL4gYtShFj4pbN8o5eHSa3QtYRl1ZjlPIya8jQvOFXB8wZUlu2C2FpqSzuYXIQNHQFur3PZxkFI=&GqUv=WJjJdRiak0 - rule_id: 28210
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
  http://www.kunimi.org/u62a/ - rule_id: 28214
  http://www.lowcome.life/u62a/ - rule_id: 28213
  http://www.lowcome.life/u62a/?uyJ6NZy=SpYuczb0I67O/JB79loYgv0QPNy9tmAedxSPiGXP/gajLTktWHzWDdz7w0u65687mA4BdpaJEcNqadlvkC0xWpASIIM+xKCPpUlgMWA=&GqUv=WJjJdRiak0 - rule_id: 28213
  http://www.kunimi.org/u62a/?uyJ6NZy=Do2YNZmdCCnGDS2WdMJQZ6ZCKAd/GRXgo7DNSK9yFY09r/FIwMWpAWGLeKjsO9QXj5EgxT/2XN8JUIdJtTBe0orCvwywWdiUJLw1V4E=&GqUv=WJjJdRiak0 - rule_id: 28214
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
  http://www.organiclifestyle.biz/u62a/?uyJ6NZy=VvqZGz3PHJbSx1QTtGtZ27JbTMCS5Ic5/4p6o7fkYDsqsQXV00C4Mjy3HEa1fsrCkNg75FGvKvR0eCFVX6t17fJz0m/poFYbzV0qA3k=&GqUv=WJjJdRiak0 - rule_id: 28208
Hosts (15):
  www.coba.dev (46.17.173.192) - malicious
  www.lowcome.life (198.177.124.57) - malicious
  www.kunimi.org (219.94.129.181) - malicious
  www.starauctioneerspro.com (94.23.162.163) - malicious
  www.marex.promo (91.189.114.25) - malicious
  www.meandclementina.com (195.110.124.133) - malicious
  www.organiclifestyle.biz (34.117.168.233) - malicious
  46.17.173.192 - malicious
  34.117.168.233 - malicious
  91.189.114.25 - malware
  219.94.129.181 - malicious
  195.110.124.133 - malicious
  198.177.124.57 - malicious
  45.33.6.223
  94.23.162.163
Alerts (4):
  ET INFO Observed DNS Query to .biz TLD
  ET INFO HTTP Request to Suspicious *.life Domain
  ET INFO Observed DNS Query to .life TLD
  ET MALWARE FormBook CnC Checkin (GET)
Flagged URLs (13):
  http://www.coba.dev/u62a/
  http://www.starauctioneerspro.com/u62a/
  http://www.coba.dev/u62a/
  http://www.meandclementina.com/u62a/
  http://www.starauctioneerspro.com/u62a/
  http://www.marex.promo/u62a/
  http://www.marex.promo/u62a/
  http://www.meandclementina.com/u62a/
  http://www.kunimi.org/u62a/
  http://www.lowcome.life/u62a/
  http://www.lowcome.life/u62a/
  http://www.kunimi.org/u62a/
  http://www.organiclifestyle.biz/u62a/
Score 5.2 | M | 53 | ZeroCERT

#14418  2023-03-29 17:37
Sample: new_9_2022.exe  MD5 b626d6f8c491833f785c546389dcdbea
Tags: Generic Malware UPX Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware PDB
Score 1.0 | M | 27 | ZeroCERT

#14419  2023-03-29 17:35
Sample: ss.exe  MD5 efd45307df4754e7facbb561fb091721
Tags: UPX Malicious Library MZP Format PE32 PE File Check memory unpack itself Remote Code Execution DNS
Hosts (1): not listed
Score 3.0 | - | - | ZeroCERT

#14420  2023-03-29 17:35
Sample: 101.exe  MD5 3aaff573f4866483b434e7a4d24f83eb
Tags: NPKI Generic Malware Themida Packer UPX Malicious Library Anti_VM OS Processor Check PE32 PE File .NET EXE icon Browser Info Stealer FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Windows Exploit Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
Hosts (1): not listed
Score 14.2 | M | 38 | ZeroCERT

#14421  2023-03-29 14:23
Sample: 2.1.0ff.exe  MD5 bc338e23e5411697561306eabb29bd9c
Tags: Raccoon Stealer PE32 PE File VirusTotal Malware Windows crashed
Score 2.0 | M | 45 | ZeroCERT

#14422  2023-03-29 14:11
Sample: 2.1.0ff.exe  MD5 bc338e23e5411697561306eabb29bd9c  (same MD5 as #14421, submitted separately)
Tags: Raccoon Stealer PE32 PE File VirusTotal Malware Windows crashed
Score 2.0 | M | 45 | r0d

#14423  2023-03-29 13:41
Sample: XWorm.exe  MD5 e5dacf4cce4083b88d8f229162800535
Tags: RAT UPX OS Processor Check .NET EXE PE32 PE File MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS Cryptographic key DDNS
Hosts (2):
  koky.ddns.net (20.150.219.159)
  20.150.219.159
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
Score 2.8 | - | - | ZeroCERT

#14424  2023-03-29 13:39
Sample: index.html  MD5 3eebb4f2eb87d262969874e1d4685717
Tags: AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
  https://transfer.sh/get/1mJbdi/Taxpayer.pdf
Hosts (2):
  transfer.sh (144.76.136.153) - malware
  144.76.136.153 - malicious
Alerts (5):
  ET INFO TLS Handshake Failure
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
Score 3.8 | - | - | ZeroCERT

#14425  2023-03-29 13:37
Sample: Taxpayer.pdf  MD5 af333833c285ea114b841c4e8cde282f
Tags: PDF VirusTotal Malware
URLs (1):
  https://transfer.sh/get/1MeR2u/XWorm.exe
Note: the PDF links to an XWorm.exe download on transfer.sh; compare #14424 (index.html fetching Taxpayer.pdf from transfer.sh) and #14423 (an XWorm.exe sample submitted four minutes later).
Score 1.0 | - | 13 | ZeroCERT

#14426  2023-03-29 13:33
Sample: Bna-invoice#149.pdf.hta  MD5 052a2a82953e9e96c0c84caffb694e67
Tags: Generic Malware Antivirus AntiDebug AntiVM MSOffice File powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (1):
  https://529f38d0-3744-4286-b484-be860d475d25.usrfiles.com/ugd/529f38_27182d05f0a34cf98f51abce87b89dcb.txt
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score 8.4 | - | - | ZeroCERT

#14427  2023-03-29 13:13
Sample: da1942e2f5f58ee90618db1cfdbd75... (filename truncated in source)  MD5 30bfba59058499f28d7f7de51d41a745
Tags: Gen1 UPX Malicious Packer PE32 PE File VirusTotal Malware Remote Code Execution
Score 0.6 | - | 1 | BRY

#14428  2023-03-29 12:04
Sample: dbStr-2.map.data  MD5 9ffc9e085f430a13aed79ee745ff3084
Tags: AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
Score 3.4 | - | - | BRY

#14429  2023-03-29 11:09
Sample: vbc.exe  MD5 542ef4a811e2fa45e96efe1602acd737
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself Windows utilities AppData folder Windows
URLs (3):
  http://www.rahilprakash.com/sa79/?T8kD=FQxM/LfEtsdNPd9lcQ3fHhWjGCP7SrZqu0I9GJfO6cOgbFH11N56o5A937py/xwkq6yJtR1f&Vnw0Z=-Z2hTbdPQ2dhN4y
  http://www.oliviahodges04.uk/sa79/?T8kD=3HmUkRFWstZ/xsvvXCVgYJLRrrcnJmgiwegIDeQwZYyLk7GSagwRMPBNdLuE3jtARa50r64A&Vnw0Z=-Z2hTbdPQ2dhN4y
  http://www.cloud-spartan.co.uk/sa79/?T8kD=jkxHAd9GAbQei4M5qdOAezShFl0g6rfkBT3I54TzQtwvhmYtcfZekS4RyxImys3XUoylJySQ&Vnw0Z=-Z2hTbdPQ2dhN4y
Hosts (7):
  www.rahilprakash.com (13.248.243.5)
  www.oliviahodges04.uk (192.0.78.24)
  www.ndyc.africa (unresolved)
  www.cloud-spartan.co.uk (35.227.197.36)
  192.0.78.24 - malicious
  35.227.197.36
  76.223.105.230 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Score 5.6 | M | 39 | ZeroCERT

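Both FormBook entries in this listing (#14417 dy.exe and #14429 vbc.exe) show the same check-in shape: a short campaign path (/u62a/, /sa79/) followed by one long base64-like query value and one short token, which is what the "ET MALWARE FormBook CnC Checkin (GET)" alert fires on. The sqlite.org downloads in #14417, by contrast, are a legitimate library fetch (FormBook pulls the SQLite DLL to read browser credential databases), so pulling every URL and IP from such a report into a blocklist would be wrong. The script below is an added example by the editor, not part of the sandbox report: it parses URL and host lines in the format used on this page into structured IOCs, separates FormBook-shaped URLs from everything else with a heuristic written from the URLs shown (an assumption of this example, not the body of the ET rule), keeps only IPs the sandbox itself labelled, and defangs the output. SAMPLE is a constructed excerpt of those two entries.

```python
"""IOC triage for sandbox URL/host lines in the listing format used above.
Added example by the editor, not part of the sandbox report. SAMPLE is a
constructed excerpt of #14417 (dy.exe) and #14429 (vbc.exe); the check-in
heuristic is the editor's own and not the ET "FormBook CnC Checkin (GET)" rule.
"""
import re
from urllib.parse import urlsplit

SAMPLE = """\
http://www.coba.dev/u62a/?uyJ6NZy=o8SCP/YnJ49qk75I5z3GzELHmg2Up2LUiNCn13SbmA4goaf+g+1fYa13Odsfun9rvkIDAdpJippA+Y6N0xwu8NBanTjMGd5U2PfRiS4=&GqUv=WJjJdRiak0 - rule_id: 28209
http://www.coba.dev/u62a/ - rule_id: 28209
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.rahilprakash.com/sa79/?T8kD=FQxM/LfEtsdNPd9lcQ3fHhWjGCP7SrZqu0I9GJfO6cOgbFH11N56o5A937py/xwkq6yJtR1f&Vnw0Z=-Z2hTbdPQ2dhN4y
www.coba.dev(46.17.173.192) - malicious
www.ndyc.africa()
46.17.173.192 - malicious
45.33.6.223
"""

RULE_ID = re.compile(r"\s+-\s+rule_id:\s*(\d+)$")
LABEL = re.compile(r"\s+-\s+([A-Za-z]+)$")                      # "- malicious", "- malware"
HOST = re.compile(r"([^\s()]+)\((\d{1,3}(?:\.\d{1,3}){3})?\)")   # name(ip), or name() if unresolved
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# FormBook check-in shape seen on this page (editor's heuristic): a short campaign
# path such as /u62a/ or /sa79/, then exactly two query values: a long base64-like
# blob and a short token.
CAMPAIGN_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")
BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
TOKEN = re.compile(r"^-?[A-Za-z0-9]{6,16}$")


def parse_line(line):
    """One listing line -> record dict (type url/host/ip/unknown); None if blank."""
    line = line.strip()
    if not line:
        return None
    rec = {"type": "unknown", "value": line, "ip": None, "label": None, "rule_id": None}
    m = RULE_ID.search(line)
    if m:
        rec["rule_id"], line = int(m.group(1)), line[: m.start()]
    m = LABEL.search(line)
    if m:
        rec["label"], line = m.group(1).lower(), line[: m.start()]
    host = HOST.fullmatch(line)
    if line.startswith(("http://", "https://")):
        rec["type"] = "url"
    elif host:
        rec["type"], rec["ip"], line = "host", host.group(2), host.group(1)
    elif IPV4.fullmatch(line):
        rec["type"] = "ip"
    rec["value"] = line
    return rec


def classify_url(url):
    """'formbook-checkin', 'formbook-path' (bare campaign path) or 'other'."""
    parts = urlsplit(url)
    if not CAMPAIGN_PATH.match(parts.path):
        return "other"
    if not parts.query:
        return "formbook-path"
    # Split by hand: parse_qsl would turn '+' into ' ' and break the blob test.
    params = [p.split("=", 1) for p in parts.query.split("&")]
    if len(params) == 2 and all(len(kv) == 2 for kv in params):
        (_, blob), (_, token) = params
        if BLOB.match(blob) and TOKEN.match(token):
            return "formbook-checkin"
    return "other"


def defang(indicator):
    """hxxp://www[.]example[.]com/...; bare domains and IPs just get [.]."""
    parts = urlsplit(indicator)
    if parts.scheme in ("http", "https"):
        url = f"{parts.scheme.replace('tt', 'xx')}://{parts.netloc.replace('.', '[.]')}{parts.path}"
        return url + (f"?{parts.query}" if parts.query else "")
    return indicator.replace(".", "[.]")


def triage(text):
    """Collect FormBook-shaped URLs, their domains, sandbox-flagged IPs, resolutions and rule IDs."""
    rep = {"checkins": [], "other_urls": [], "c2_domains": set(),
           "flagged_ips": set(), "resolutions": {}, "rule_ids": set()}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "url":
            kind = classify_url(rec["value"])
            if kind == "other":
                rep["other_urls"].append(rec["value"])
            else:
                rep["checkins"].append((kind, rec["value"]))
                rep["c2_domains"].add(urlsplit(rec["value"]).hostname)
            if rec["rule_id"] is not None:
                rep["rule_ids"].add(rec["rule_id"])
        elif rec["type"] == "host":
            rep["resolutions"][rec["value"]] = rec["ip"]
            if rec["label"] and rec["ip"]:
                rep["flagged_ips"].add(rec["ip"])
        elif rec["type"] == "ip" and rec["label"]:   # unlabelled IPs (the sqlite.org host) stay out
            rep["flagged_ips"].add(rec["value"])
    return rep


if __name__ == "__main__":
    rep = triage(SAMPLE)
    for kind, url in rep["checkins"]:
        print(f"{kind:17} {defang(url)}")
    print("C2 domains :", sorted(defang(d) for d in rep["c2_domains"]))
    print("Flagged IPs:", sorted(defang(i) for i in rep["flagged_ips"]))
    print("Unresolved :", sorted(d for d, ip in rep["resolutions"].items() if ip is None))
    print("Rule IDs   :", sorted(rep["rule_ids"]))
    print("Non-C2 URLs:", [defang(u) for u in rep["other_urls"]])
```

Run against a full record, the bare /u62a/ paths come out as "formbook-path" and the query variants as "formbook-checkin", sqlite.org lands in the non-C2 list, and 45.33.6.223 is not treated as an IOC because the sandbox attached no label to it. The unresolved www.ndyc.africa in #14429 is reported separately rather than silently dropped, since a domain that did not resolve during the run may still be worth a DNS block.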
#14430  2023-03-29 11:09
Sample: utd.exe  MD5 7c4e7dc9b73afae121b7f83004013971
Tags: PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS
Hosts (1): not listed
Score 2.4 | M | 29 | ZeroCERT