14461 | 2023-03-28 08:35 | ZeroCERT
Sample: 111.exe 6512741ded1505a7b3dc528d8a337ee5
Tags: Malicious Library PE32 PE File VirusTotal Malware PDB Check memory unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS
URLs: (none)
Hosts (1):
Alerts (1): SURICATA Applayer Protocol detection skipped
Score: 3.8 | VT: 50
14462 | 2023-03-28 08:25 | ZeroCERT
Sample: unknown.exe 87366b4da9f888d5abf85274074d4156
Tags: RAT UPX Malicious Library OS Processor Check .NET EXE PE32 PE File suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName keylogger
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 3.2 | VT: (none)
14463 | 2023-03-28 08:22 | ZeroCERT
Sample: dk.exe 4ef3bfe67588ffebb595fce72889a5ad
Tags: RAT UPX AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs (14):
http://www.organiclifestyle.biz/u62a/?q--kx9Ef=VvqZGz3PHJbSx1QTtGtZ27JbTMCS5Ic5/4p6o7fkYDsqsQXV00C4Mjy3HEa1fsrCkNg75FGvKvR0eCFVX6t17fJz0m/poFYbzV0qA3k=&El=z7Vjn
http://www.coba.dev/u62a/
http://www.starauctioneerspro.com/u62a/
http://www.marex.promo/u62a/?q--kx9Ef=HTOKBE+ideXsbClCFIZFlPYDAjUuWFn3t4knnx885+0EkjdUagvAPmmh9nOXJS6XsZrvZ1YpL3hurMR7Bu4FKovUyILBMkHn6uQL+64=&El=z7Vjn
http://www.marex.promo/u62a/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.coba.dev/u62a/?q--kx9Ef=o8SCP/YnJ49qk75I5z3GzELHmg2Up2LUiNCn13SbmA4goaf+g+1fYa13Odsfun9rvkIDAdpJippA+Y6N0xwu8NBanTjMGd5U2PfRiS4=&El=z7Vjn
http://www.kunimi.org/u62a/
http://www.kunimi.org/u62a/?q--kx9Ef=Do2YNZmdCCnGDS2WdMJQZ6ZCKAd/GRXgo7DNSK9yFY09r/FIwMWpAWGLeKjsO9QXj5EgxT/2XN8JUIdJtTBe0orCvwywWdiUJLw1V4E=&El=z7Vjn
http://www.lowcome.life/u62a/
http://www.meandclementina.com/u62a/?q--kx9Ef=sEdvL1ZGkULv2A8bNXBRaRmdYx+eWL4gYtShFj4pbN8o5eHSa3QtYRl1ZjlPIya8jQvOFXB8wZUlu2C2FpqSzuYXIQNHQFur3PZxkFI=&El=z7Vjn
http://www.meandclementina.com/u62a/
http://www.starauctioneerspro.com/u62a/?q--kx9Ef=xxICz6/4R5ldvKit9pQiZZ+jTsTJ1UXO3+kkY3b4PoRSc/9CGhnte6tVjQSTVfHBpnO/T6bLIQt5I4s4artxGH6TeZHS/DCwG7N4VUA=&El=z7Vjn
http://www.lowcome.life/u62a/?q--kx9Ef=SpYuczb0I67O/JB79loYgv0QPNy9tmAedxSPiGXP/gajLTktWHzWDdz7w0u65687mA4BdpaJEcNqadlvkC0xWpASIIM+xKCPpUlgMWA=&El=z7Vjn
Hosts (15):
www.starauctioneerspro.com(94.23.162.163)
www.lowcome.life(198.177.124.57)
www.kunimi.org(219.94.129.181)
www.coba.dev(46.17.173.192)
www.marex.promo(91.189.114.25)
www.meandclementina.com(195.110.124.133)
www.organiclifestyle.biz(34.117.168.233)
46.17.173.192
34.117.168.233 - mailcious
91.189.114.25 - malware
219.94.129.181
195.110.124.133 - mailcious
54.38.220.85 - mailcious
198.177.124.57
45.33.6.223
Alerts (4):
ET INFO Observed DNS Query to .biz TLD
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET MALWARE FormBook CnC Checkin (GET)
Score: 8.8 | M | VT: 42
14464 | 2023-03-28 08:21 | ZeroCERT
Sample: wwa.exe 53622e61772d39cd6868b89aaabb8249
Tags: RAT Gen1 email stealer Downloader UPX Malicious Packer Malicious Library Socket ScreenShot DNS Code injection PWS[m] Sniff Audio KeyLogger Escalate priviledges persistence AntiDebug AntiVM .NET EXE PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser RAT Email ComputerName DNS
URLs: (none)
Hosts (3):
microsoft.com(20.112.52.29)
20.112.52.29
46.183.222.62
Alerts (2):
ET MALWARE Warzone RAT Response (Inbound)
SURICATA Applayer Detect protocol only one direction
Score: 13.0 | VT: 47
14465 | 2023-03-28 08:20 | ZeroCERT
Sample: script.ps1 ab5fc61f3bff95a184793280a69fb709
Tags: Generic Malware Antivirus powershell AutoRuns Check memory unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (2):
https://dl.dropbox.com/s/hcng2wn7gd3f1y3/codeexe.ps1?dl=0
https://dl.dropbox.com/s/1uxmv7mp56cq1kn/bypass.ps1?dl=0
Hosts (3):
dl.dropbox.com(162.125.84.15) - malware
162.125.84.15 - malware
45.33.6.223
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.6 | M | VT: (none)
14466 | 2023-03-28 08:19 | ZeroCERT
Sample: vbc.exe e90d3ec392d44522f55a0cf054c211a9
Tags: PWS .NET framework SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1):
http://checkip.dyndns.org/
Hosts (2):
checkip.dyndns.org(193.122.6.168)
193.122.130.0
Alerts (5):
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
Score: 13.4 | VT: 34
14467 | 2023-03-28 08:18 | ZeroCERT
Sample: STUB.VBS acd59921a2cc83f7afa97f7170edff34
Tags: Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
https://dl.dropbox.com/s/3xy7k8lvkgttve6/script.ps1?dl=0
Hosts (2):
dl.dropbox.com(162.125.84.15) - malware
162.125.84.15 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.0 | M | VT: (none)
14468 | 2023-03-28 08:16 | ZeroCERT
Sample: codeexe.ps1 63d3846c74a6583c03f0b2a1f2fbce77
Tags: Generic Malware Antivirus powershell Check memory heapspray unpack itself WriteConsoleW Windows Cryptographic key
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 1.6 | M | VT: (none)
14469 | 2023-03-28 08:06 | ZeroCERT
Sample: invoice#91273.js c6a07509b7612ce8000b929c058bc92a
Tags: Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 5.8 | VT: (none)
14470 | 2023-03-27 17:34 | ZeroCERT
Sample: notepadp.exe 4057acbd036de09b67259254135aa554
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 2.0 | M | VT: 39
14471 | 2023-03-27 17:18 | ZeroCERT
Sample: nerino.exe 4e9932a21816959b576ac87a41855cce
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 2.0 | VT: 22
14472 | 2023-03-27 17:18 | ZeroCERT
Sample: notepadp.exe 4057acbd036de09b67259254135aa554
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 2.0 | M | VT: 39
14473 | 2023-03-27 11:27 | ZeroCERT
Sample: Wyciek-NFZ-16-03-2023.xlsx 67126c10471b06d8a5b86d78bd6052f4
Tags: ZIP Format exploit crash unpack itself Exploit crashed
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 1.8 | M | VT: (none)
14474 | 2023-03-27 10:57 | ZeroCERT
Sample: t.msi a62037c1812df2774da6257f465d5b78
Tags: Gen2 Malicious Library ASPack UPX OS Processor Check CAB MSOffice File DLL PE32 PE File VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName DNS
URLs (4):
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAP7r%2BFw4Evn1FZeRLt68uo%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAewQY2lHhSMMxu83rcTgyM%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTDZGCsCkDHH%2BXwJVKt4ohdOTWBUQQUy1yTroib%2FkNvVlBSAm14%2FKzhsVoCEA1e%2BQMDwigDd9%2FgTXTiCGE%3D
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D
Hosts (8):
ocsp.digicert.com(152.195.38.76)
rt.teramind.co(132.226.193.252)
www.teramind.co(104.22.19.138)
172.67.26.154
152.195.38.76
104.22.18.138
141.144.250.131
132.226.193.252
Alerts: (none)
Score: 6.2 | VT: 7
14475 | 2023-03-27 10:57 | ZeroCERT
Sample: clip64.dll 104ac57c9dda07fb60fb09f4f2a638f4
Tags: UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE32 PE File VirusTotal Malware PDB Checks debugger unpack itself
URLs: (none)
Hosts: (none)
Alerts: (none)
Score: 2.0 | M | VT: 53