ID | Submitted | File | MD5 | Tags | URLs | Hosts | Network alerts | Score | M | Count | Submitter
14446 | 2023-03-17 17:56 | 8.exe | 43fb0bb43cd8878e170066a86c57b8ca | Generic Malware Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader | (1) https://cdn.discordapp.com/attachments/1084910197719449733/1084910489320046642/enes.exe | (2) cdn.discordapp.com(162.159.129.233) - malware; 162.159.133.233 - malware | (3) ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) | 10.0 | M | 33 | ZeroCERT
14447 | 2023-03-17 17:56 | DefenderSecurity.exe | 0fbf332153113f4b0dfd105244cba305 | RAT .NET EXE PE32 PE File VirusTotal Malware DNS | | (1) | | 2.8 | M | 47 | ZeroCERT
14448 | 2023-03-17 17:55 | reycrytp.exe | e5b2d160f8ba238317a89cd4ed6660b5 | RAT task schedule UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check .NET EXE PE32 PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself ComputerName DNS crashed | | (1) | | 10.8 | M | 29 | ZeroCERT
14449 | 2023-03-17 17:54 | 7.exe | de5666a98bc07594a7e963d1b41964e7 | Generic Malware Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader | (1) https://cdn.discordapp.com/attachments/1084910197719449733/1084910471943041124/DefenderSecurity.exe | (2) cdn.discordapp.com(162.159.135.233) - malware; 162.159.129.233 - malware | (3) ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) | 10.0 | M | 34 | ZeroCERT
14450 | 2023-03-17 17:52 | vbc.exe | 0d6f619554c6de06992c444d8b3c9a74 | UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB | | (1) 411h9gmjsf7azu3f6wf2wyv9c.lerrj0u3u7vbft4() | | 1.4 | M | 20 | ZeroCERT
14451 | 2023-03-17 17:51 | ASDASD.exe | 38b7f433a65cdc9b846b3bff842c3bb1 | RedLine stealer[m] Malicious Packer PWS[m] BitCoin AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed | (2) http://52.232.8.179:37764/; https://api.ip.sb/geoip | (3) api.ip.sb(172.67.75.172); 104.26.12.31; 52.232.8.179 | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request | 13.2 | M | 49 | ZeroCERT
14452 | 2023-03-17 17:50 | SecurityHelath_protected.exe | 1cf38074d1eec7ff196912f6b2d8c0c1 | RAT Generic Malware task schedule Malicious Packer Antivirus AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key | | | | 12.4 | M | 45 | ZeroCERT
14453 | 2023-03-17 17:50 | 9.exe | 865f56a97781bcde44902cfe823d2f92 | Generic Malware Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader | (1) https://cdn.discordapp.com/attachments/1084910197719449733/1084910568147791993/ascrypt.exe | (2) cdn.discordapp.com(162.159.134.233) - malware; 162.159.134.233 - malware | (3) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 10.0 | M | 33 | ZeroCERT
14454 | 2023-03-17 17:39 | enes.exe | 843bab6d9df36499a5880621c9fd1cd8 | RAT North Korea Generic Malware task schedule UPX Antivirus ScreenShot PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File GIF Format VirusTotal Malware Buffer PE AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows ComputerName DNS | | (1) | | 12.2 | M | 32 | ZeroCERT
14455 | 2023-03-17 17:37 | 10.exe | ae120eba5b9a92de898ed5533151d400 | Generic Malware Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader | (1) https://cdn.discordapp.com/attachments/1084910197719449733/1084911030079074446/liliandorker.exe | (2) cdn.discordapp.com(162.159.135.233) - malware; 162.159.129.233 - malware | (3) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 10.0 | M | 33 | ZeroCERT
14456 | 2023-03-17 17:36 | vbc.exe | 52566f0ff46e8a99d07c8d4cb46b3ee8 | PWS .NET framework RAT Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed | (1) | (2) api.ipify.org(64.185.227.155); 64.185.227.155 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 14.8 | M | 25 | ZeroCERT
14457 | 2023-03-17 17:34 | RynMd_protected.exe | d953ad5e538ade271c362c18b153a210 | RAT Generic Malware Downloader task schedule Malicious Packer Antivirus Create Service DGA Socket ScreenShot DNS Internet API Code injection PWS[m] Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM .NET EXE VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key | | | | 13.4 | M | 48 | ZeroCERT
14458 | 2023-03-17 17:34 | Bpznb.msi | c39fec313f716b37b80ccf946ef5cc83 | RAT Malicious Library OS Processor Check CAB MSOffice File VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS | (8) http://193.233.20.145/d27b1d581e3729a6.php; http://193.233.20.145/5710029e9331c3e2/nss3.dll; http://193.233.20.145/5710029e9331c3e2/freebl3.dll; http://193.233.20.145/5710029e9331c3e2/msvcp140.dll; http://193.233.20.145/5710029e9331c3e2/softokn3.dll; http://193.233.20.145/5710029e9331c3e2/sqlite3.dll; http://193.233.20.145/5710029e9331c3e2/vcruntime140.dll; http://193.233.20.145/5710029e9331c3e2/mozglue.dll | (1) | (3) ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 4.0 | M | 4 | ZeroCERT
14459 | 2023-03-17 17:32 | 5.exe | 3051107beffacf17a9b28d8328477485 | Generic Malware Antivirus .NET EXE PE32 PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader | (1) https://cdn.discordapp.com/attachments/1084910197719449733/1084910444952703026/reycrytp.exe | (2) cdn.discordapp.com(162.159.133.233) - malware; 162.159.134.233 - malware | (3) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 10.0 | M | 28 | ZeroCERT
14460 | 2023-03-17 16:31 | vbc.exe | 52566f0ff46e8a99d07c8d4cb46b3ee8 | PWS .NET framework RAT Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed | (1) | (2) api.ipify.org(64.185.227.155); 104.237.62.211 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 15.8 | | 25 | guest