14476 | 2023-03-27 10:55
File: vpn-go.exe
MD5: e38edcf41b7b13dc8837e030774cf083
Tags: PWS .NET framework RAT UPX Malicious Library Anti_VM Malicious Packer OS Processor Check .NET EXE PE32 PE File VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself
URLs: none
Hosts: none
IDS alerts: none
Flagged URLs: none
5.8 | M | 41 | ZeroCERT

14477 | 2023-03-27 10:51
File: Lamb.pif.exe
MD5: 581176025eb809b5120fd584cb9dc237
Tags: Generic Malware UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware Checks debugger unpack itself DNS
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://www.gstatic.com/generate_204
  http://clients2.google.com/time/1/current?cup2key=4:3305170296&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Hosts (22):
  www.google.com(172.217.25.164)
  www.gstatic.com(172.217.25.163)
  cdn.stubdownloader.services.mozilla.com(34.120.48.173)
  fonts.googleapis.com(142.250.76.138)
  clients2.googleusercontent.com(172.217.25.161)
  accounts.google.com(142.250.207.109)
  _googlecast._tcp.local()
  apis.google.com(172.217.25.174)
  fonts.gstatic.com(172.217.25.163)
  clientservices.googleapis.com(142.250.207.99)
  142.250.207.67
  142.250.207.78
  34.120.48.173
  121.254.136.27
  172.217.24.74
  142.250.199.78
  142.250.66.36
  172.217.24.227
  142.251.220.1
  172.217.31.13
  142.250.66.67
  142.250.204.67
IDS alerts: none
Flagged URLs: none
3.2 | M | 36 | ZeroCERT

14478 | 2023-03-27 10:51
File: Date2023.exe
MD5: f7fd4791be2e2624b7fbb1d91ab2f539
Tags: Gen1 UPX Malicious Packer Malicious Library AntiDebug AntiVM OS Processor Check PE32 PE File DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Software
URLs (4):
  http://78.47.226.24/ - rule_id: 28063
  http://78.47.226.24/edit.zip - rule_id: 28062
  https://steamcommunity.com/profiles/76561199486572327 - rule_id: 28064
  https://t.me/zaskullz
Hosts (5):
  t.me(149.154.167.99) - malicious
  steamcommunity.com(104.76.78.101) - malicious
  149.154.167.99 - malicious
  184.26.243.205
  78.47.226.24 - malicious
IDS alerts (4):
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET INFO Dotted Quad Host ZIP Request
Flagged URLs (3):
  http://78.47.226.24/
  http://78.47.226.24/edit.zip
  https://steamcommunity.com/profiles/76561199486572327
15.6 | M | 29 | ZeroCERT

14479 | 2023-03-27 10:50
File: emefamstartup.ps1
MD5: b9611fdaa214df556ad6c8fc582a45f6
Tags: Formbook PWS .NET framework Hide_EXE Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1):
  http://checkip.dyndns.org/
Hosts (2):
  checkip.dyndns.org(193.122.6.168)
  158.101.44.242
IDS alerts (5):
  ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
Flagged URLs: none
16.4 | M | 22 | ZeroCERT

14480 | 2023-03-27 10:47
File: usa.exe
MD5: f00f6596f6bf65d01cb390aebc5326f5
Tags: PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
URLs: none
Hosts (1): (entry not shown in the listing)
IDS alerts: none
Flagged URLs: none
4.8 | M | 52 | ZeroCERT

14481 | 2023-03-27 10:45
File: 97.exe
MD5: 571ce7de07a8e7ad2bb8abae3c625f11
Tags: UPX Malicious Library OS Processor Check PE32 PE File .NET DLL DLL VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows Cryptographic key
URLs: none
Hosts (2):
  windowsupdate.microsoft.com(20.72.235.82)
  20.72.235.82
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: none
5.4 | M | 45 | ZeroCERT

14482 | 2023-03-27 10:42
File: cc.exe
MD5: 41eb3aa33bccbe6a18acfedaf7f93ad5
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
URLs: none
Hosts: none
IDS alerts: none
Flagged URLs: none
1.8 | M | 26 | ZeroCERT

14483 | 2023-03-27 10:42
File: vbc.exe
MD5: 03c74286887866a799f7cafdc096efda
Tags: PWS .NET framework RAT UPX PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows Cryptographic key
URLs (10):
  http://www.kkqqzb.xyz/a2fh/
  http://www.fruitecology.com/a2fh/?LggCa3B4=HirmV0K3W8X16cPIA6CgpFp2oQQLbxP0EUyoOXJjH6Oo2gLH1gE5EmJJO1tE0kgmFicI29ZS7SJZl+PB0hquqiKbSKMHjlIfypwbQTc=&9xB=qObO_nFVUV3Q9s_
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
  http://www.thezweb.com/a2fh/?LggCa3B4=ohPlRN1rGtRlq2ENH0YEDA1UceaE5ScRC2dJJXLlUzkXjZP8hqfc1Pamn8K9eI0nDacK8c7ZeK5GYMYRI15J27P9D9jBSgJvDxW15X4=&9xB=qObO_nFVUV3Q9s_
  http://www.fruitecology.com/a2fh/
  http://www.atamahaberleri.com/a2fh/?LggCa3B4=qcchKJfYoXX+SNysomeaXt2UPWY/FcJKOe6J/rkRQI82UqjdWxoSyFumgkLce2bhgQ1UYjQfjBP88N6FTJ0nkeTpGzUxt+uzFPein5I=&9xB=qObO_nFVUV3Q9s_
  http://www.thezweb.com/a2fh/
  http://www.kkqqzb.xyz/a2fh/?LggCa3B4=26Y37L3jXNG2JHI3wpaK6zCVLkrwfYXeV/30niWVu7rxeLE01wiRvGELFFHOaIrCm60YwShU1siy0NCFU9cAiPm31W1i39pBO7M5w+I=&9xB=qObO_nFVUV3Q9s_
  http://www.dg-computing.com/a2fh/
  http://www.dg-computing.com/a2fh/?LggCa3B4=pV97ZqUGpE+UodE0UyDCOo7MEcmaoOdfg9usDzs3w3JwZR7SMHyMKVK/lZy2YBfdLhtcCUV0G4ICDRW/J2REkgHIgwBLa2wBoIgzf5w=&9xB=qObO_nFVUV3Q9s_
Hosts (11):
  www.thezweb.com(81.17.29.146)
  www.dg-computing.com(45.196.84.173)
  www.fruitecology.com(46.30.213.155)
  www.atamahaberleri.com(185.126.216.74)
  www.kkqqzb.xyz(8.209.78.136)
  81.17.29.146 - malicious
  45.33.6.223
  45.196.84.173
  8.209.78.136
  46.30.213.155 - malicious
  185.126.216.74
IDS alerts (3):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Flagged URLs: none
9.6 | M | 40 | ZeroCERT

14484 | 2023-03-27 10:41
File: FRI.exe
MD5: c1b465d96c0541a5dc8e95a7bfd96e15
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself suspicious TLD DNS
URLs (10):
  http://www.asu4tqr.icu/poub/?URihc=hHEijVrY0zBLr3JvSJmcy3GyPiWWfZaI2s16j7nKHpxVgJKtjZbonCFGp4fNRYCDH6FUX0AO&UfrDQp=0nMpq42x5z-hI250
  http://www.drzjup.space/poub/?URihc=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&UfrDQp=0nMpq42x5z-hI250 - rule_id: 23154
  http://www.bekansas.com/poub/?URihc=ik78GElzcTPK51jxwI7ODOjVUTh6arreOcAO6JZZFiJW++RN8P/8RIGVM8jA8ec1Ygwfy9iv&UfrDQp=0nMpq42x5z-hI250 - rule_id: 23150
  http://www.crusadia.net/poub/?URihc=BYWI1ybJrJc11tuYbuPv66f3H3Cr5zuGlkVqrCbrO2SRjMGFR+aqTisH+sImtYdY9S5ZKg1z&UfrDQp=0nMpq42x5z-hI250 - rule_id: 26529
  http://www.577hcc.com/poub/?URihc=+hZRLA5mezg8QGtKPd8YzpNrIKXVB9ucHjeJAdH+TFhtM6TJX5/L40TNomU2z2juM0GLcBEZ&UfrDQp=0nMpq42x5z-hI250
  http://www.peiphitan.com/poub/?URihc=ATAcuLZUC31KidgcYb19mFWjhNBYfyBOUVVLHyPrp+l/4SglTnRQ0k7NA0aYiC9nx29Ko6aV&UfrDQp=0nMpq42x5z-hI250 - rule_id: 22766
  http://www.edfitzgerald.org/poub/?URihc=QVBI8lnr7lJPqe8zZjldHkvXw89c/iSzMuEXgZLKqCpuoCkUYVUB7rTOcZCo9GOBqMOIvt9n&UfrDQp=0nMpq42x5z-hI250
  http://www.kcgjz.top/poub/?URihc=FfiSjh2CtBpF3CrFZO/zKMlUrmL7FaiyKpfrvTrGvt9QCH6w6Rg7EpGJxpSWT1DMVUaM39xc&UfrDQp=0nMpq42x5z-hI250
  http://www.ppparadise.xyz/poub/?URihc=i6ZHXvJJgvAHiqvTYC5qSpD7hgu0rSUqSG8Zc0xosq5TTXlRT+6NyQltuj8FIZG0zF3lAY7M&UfrDQp=0nMpq42x5z-hI250
  http://www.kurodamisato.com/poub/?URihc=pzUirgwcC8ZpUBJr+A0RncrQCBC5BD7ORQWA7LzWHhCGPilCbFeR5IDOxd+JD96H8p3TlQQD&UfrDQp=0nMpq42x5z-hI250 - rule_id: 23148
Hosts (24):
  www.peiphitan.com(82.180.130.211) - malicious
  www.bekansas.com(154.64.92.27) - malicious
  www.ppparadise.xyz(133.167.73.73)
  www.kcgjz.top(172.67.189.130)
  www.naver-io.com()
  www.crusadia.net(212.192.29.71) - malicious
  www.edfitzgerald.org(193.32.208.67)
  www.577hcc.com(34.117.26.57)
  www.asu4tqr.icu(38.85.254.111)
  www.drzjup.space(172.255.33.179) - malicious
  www.kurodamisato.com(199.59.243.222) - malicious
  www.pmtj013.xyz()
  www.tokendownload.space(67.21.71.208)
  104.21.33.97
  38.85.254.111
  154.64.92.27
  172.255.33.179 - malicious
  34.117.26.57 - malicious
  67.21.71.208
  199.59.243.222 - malicious
  212.192.29.71 - malicious
  133.167.73.73
  82.180.130.211
  193.32.208.67
IDS alerts (6):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to a *.top domain
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET INFO DNS Query for Suspicious .icu Domain
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Flagged URLs (5):
  http://www.drzjup.space/poub/
  http://www.bekansas.com/poub/
  http://www.crusadia.net/poub/
  http://www.peiphitan.com/poub/
  http://www.kurodamisato.com/poub/
6.2 | M | 38 | ZeroCERT

14485 | 2023-03-27 10:41
File: Windowsfig.exe
MD5: 40528a8ce542af784cb9958552f7798d
Tags: Confuser .NET .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs: none
Hosts: none
IDS alerts: none
Flagged URLs: none
2.4 | M | 35 | ZeroCERT

14486 | 2023-03-27 10:39
File: ox.exe
MD5: cfc3dc40432c7d8d8f838bc20c12bf27
Tags: UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself crashed
URLs: none
Hosts: none
IDS alerts: none
Flagged URLs: none
2.2 | M | 46 | ZeroCERT

14487 | 2023-03-27 10:37
File: Nasalized.exe
MD5: 4c42520a02966a874eb4fbdc0a74e208
Tags: RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: none
Hosts (1): (entry not shown in the listing)
IDS alerts: none
Flagged URLs: none
9.4 | M | 43 | ZeroCERT

14488 | 2023-03-27 10:34
File: a.exe
MD5: 1dc49de091d11dd75ff77444e1b2e286
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware crashed
URLs: none
Hosts: none
IDS alerts: none
Flagged URLs: none
2.0 | M | 41 | ZeroCERT

14489 | 2023-03-27 10:33
File: vbc.exe
MD5: ea36e1f335ddc3b518fb817b92b2f7e9
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (20):
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.shapshit.xyz/u2kb/?bFjT5HCD=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&ekW=7maB5z - rule_id: 28008
  http://www.shapshit.xyz/u2kb/ - rule_id: 28008
  http://www.white-hat.uk/u2kb/?bFjT5HCD=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&ekW=7maB5z - rule_id: 28001
  http://www.un-object.com/u2kb/ - rule_id: 28137
  http://www.younrock.com/u2kb/ - rule_id: 28006
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zip
  http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
  http://www.222ambking.org/u2kb/?bFjT5HCD=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&ekW=7maB5z - rule_id: 28004
  http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
  http://www.bitservicesltd.com/u2kb/?bFjT5HCD=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&ekW=7maB5z - rule_id: 28003
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.thewildphotographer.co.uk/u2kb/?bFjT5HCD=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&ekW=7maB5z - rule_id: 28007
  http://www.gritslab.com/u2kb/?bFjT5HCD=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&ekW=7maB5z - rule_id: 28002
  http://www.thedivinerudraksha.com/u2kb/?bFjT5HCD=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&ekW=7maB5z - rule_id: 28009
  http://www.energyservicestation.com/u2kb/?bFjT5HCD=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&ekW=7maB5z - rule_id: 28005
  http://www.younrock.com/u2kb/?bFjT5HCD=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&ekW=7maB5z - rule_id: 28006
  http://www.222ambking.org/u2kb/ - rule_id: 28004
  http://www.un-object.com/u2kb/?bFjT5HCD=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&ekW=7maB5z - rule_id: 28137
Hosts (22):
  www.thewildphotographer.co.uk(45.33.23.183) - malicious
  www.gritslab.com(78.141.192.145) - malicious
  www.fclaimrewardccpointq.shop() - malicious
  www.shapshit.xyz(199.192.30.147) - malicious
  www.energyservicestation.com(213.145.228.111) - malicious
  www.un-object.com(192.185.17.12) - malicious
  www.222ambking.org(91.195.240.94) - malicious
  www.bitservicesltd.com(161.97.163.8) - malicious
  www.thedivinerudraksha.com(85.187.128.34) - malicious
  www.white-hat.uk(94.176.104.86) - malicious
  www.younrock.com(63.141.242.45) - malicious
  192.187.111.220 - malicious
  91.195.240.94 - phishing
  85.187.128.34 - malicious
  78.141.192.145 - malicious
  192.185.17.12 - malicious
  213.145.228.111 - malicious
  94.176.104.86 - malicious
  72.14.178.174
  161.97.163.8 - malicious
  45.33.6.223
  199.192.30.147 - malicious
IDS alerts (2):
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Flagged URLs (19):
  http://www.energyservicestation.com/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.white-hat.uk/u2kb/
  http://www.un-object.com/u2kb/
  http://www.younrock.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.younrock.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.un-object.com/u2kb/
4.6 | M | 47 | ZeroCERT

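The three FormBook entries above (14483, 14484 and 14489) share one traffic shape: every candidate C2 domain in the build is contacted on the same short path (/a2fh/, /poub/, /u2kb/) with an encoded query, the build also fetches a SQLite DLL from sqlite.org that is not a check-in, and the host column lists domains that were resolved but never requested (www.naver-io.com() and www.pmtj013.xyz() resolved to nothing). The script below is an added example, not code from the sandbox site, that turns the flattened URL and host columns of such an entry into a per-build C2 summary: it picks the path shared by most URLs as the build's C2 path, attaches resolved IPs, rule ids and the listing's labels to each C2 domain, and reports DNS-only domains separately. The fixture is a subset of the URL and host columns of entries 14483 and 14484 copied from this page; the sample names, the label spelling fix and the defanged output format are the example's own choices.

```python
"""FormBook C2 summary from a flattened sandbox listing entry (added example).

Fixture strings are a subset of the URL/host columns of entries 14483 and
14484 on this page, kept in the listing's own form:
    URL [- rule_id: N]    name(ip) [- label]    ip [- label]
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed fixture: sample name -> (url column, host column).
SAMPLES = {
    "vbc.exe 03c74286887866a799f7cafdc096efda": (
        "http://www.kkqqzb.xyz/a2fh/ "
        "http://www.fruitecology.com/a2fh/?LggCa3B4=HirmV0K3W8X16cPIA6CgpFp2oQQLbxP0EUyoOXJjH6Oo2gLH1gE5EmJJO1tE0kgmFicI29ZS7SJZl+PB0hquqiKbSKMHjlIfypwbQTc=&9xB=qObO_nFVUV3Q9s_ "
        "http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip "
        "http://www.thezweb.com/a2fh/ "
        "http://www.dg-computing.com/a2fh/?LggCa3B4=pV97ZqUGpE+UodE0UyDCOo7MEcmaoOdfg9usDzs3w3JwZR7SMHyMKVK/lZy2YBfdLhtcCUV0G4ICDRW/J2REkgHIgwBLa2wBoIgzf5w=&9xB=qObO_nFVUV3Q9s_",
        "www.thezweb.com(81.17.29.146) www.dg-computing.com(45.196.84.173) "
        "www.fruitecology.com(46.30.213.155) www.kkqqzb.xyz(8.209.78.136) "
        "81.17.29.146 - mailcious 45.196.84.173 8.209.78.136 46.30.213.155 - mailcious",
    ),
    "FRI.exe c1b465d96c0541a5dc8e95a7bfd96e15": (
        "http://www.asu4tqr.icu/poub/?URihc=hHEijVrY0zBLr3JvSJmcy3GyPiWWfZaI2s16j7nKHpxVgJKtjZbonCFGp4fNRYCDH6FUX0AO&UfrDQp=0nMpq42x5z-hI250 "
        "http://www.drzjup.space/poub/?URihc=40Bx8EyWv8P+i1Jftv0PhY/pDmItvHshlkY6DW3zkQKyS/2JCbpjIli9ng3IcYNCUXNlH95B&UfrDQp=0nMpq42x5z-hI250 - rule_id: 23154 "
        "http://www.bekansas.com/poub/?URihc=ik78GElzcTPK51jxwI7ODOjVUTh6arreOcAO6JZZFiJW++RN8P/8RIGVM8jA8ec1Ygwfy9iv&UfrDQp=0nMpq42x5z-hI250 - rule_id: 23150 "
        "http://www.kurodamisato.com/poub/?URihc=pzUirgwcC8ZpUBJr+A0RncrQCBC5BD7ORQWA7LzWHhCGPilCbFeR5IDOxd+JD96H8p3TlQQD&UfrDQp=0nMpq42x5z-hI250 - rule_id: 23148",
        "www.bekansas.com(154.64.92.27) - mailcious www.naver-io.com() "
        "www.asu4tqr.icu(38.85.254.111) www.drzjup.space(172.255.33.179) - mailcious "
        "www.kurodamisato.com(199.59.243.222) - mailcious www.pmtj013.xyz() "
        "38.85.254.111 154.64.92.27 172.255.33.179 - mailcious 199.59.243.222 - mailcious",
    ),
}

URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
HOST_RE = re.compile(
    r"([A-Za-z0-9._-]+)\(([^)]*)\)(?:\s+-\s+([A-Za-z]+))?"  # name(ip) [- label]
    r"|(\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+([A-Za-z]+))?"     # bare ip [- label]
)
LABEL_FIX = {"mailcious": "malicious"}  # the listing's own spelling of its label


def parse_urls(column):
    """[(url, rule_id or None), ...] from the flattened URL column."""
    return [(u, int(r) if r else None) for u, r in URL_RE.findall(column)]


def parse_hosts(column):
    """Domains {name: (ip or None, label or None)} and bare IPs {ip: label or None}."""
    domains, ips = {}, {}
    for name, ip, lab1, bare, lab2 in HOST_RE.findall(column):
        if name:
            domains[name] = (ip or None, LABEL_FIX.get(lab1, lab1) or None)
        else:
            ips[bare] = LABEL_FIX.get(lab2, lab2) or None
    return domains, ips


def c2_path(urls):
    """A FormBook build hits every domain in its list on one fixed path, so the
    path shared by the most URLs is taken as that build's C2 path."""
    return Counter(urlsplit(u).path for u, _ in urls).most_common(1)[0][0]


def summarize(sample, url_col, host_col):
    urls = parse_urls(url_col)
    domains, ips = parse_hosts(host_col)
    path = c2_path(urls)
    c2 = {}
    for url, rule in urls:
        parts = urlsplit(url)
        if parts.path != path:
            continue  # e.g. the sqlite.org DLL fetch: a helper download, not a check-in
        entry = c2.setdefault(parts.hostname, {"rule_ids": set(), "ip": None, "label": None})
        if rule is not None:
            entry["rule_ids"].add(rule)
    for host, entry in c2.items():
        ip, label = domains.get(host, (None, None))
        entry["ip"] = ip
        entry["label"] = label or (ips.get(ip) if ip else None)  # fall back to the IP's label
    dns_only = sorted(h for h in domains if h not in c2)  # looked up, never requested
    return {"sample": sample, "path": path, "c2": c2, "dns_only": dns_only}


def defang(indicator):
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def render(summary):
    lines = [f"{summary['sample']}  FormBook C2 path {summary['path']}"]
    for host, entry in sorted(summary["c2"].items()):
        rules = ",".join(map(str, sorted(entry["rule_ids"]))) or "-"
        lines.append(f"  {defang(host):28} {defang(entry['ip'] or '?'):18} "
                     f"{entry['label'] or '-':10} rule_id={rules}")
    for host in summary["dns_only"]:
        lines.append(f"  {defang(host):28} (DNS only, no HTTP request)")
    return lines


if __name__ == "__main__":
    for name, (url_col, host_col) in SAMPLES.items():
        print("\n".join(render(summarize(name, url_col, host_col))))
```

Run it as a script to get a defanged table per sample. The majority-path heuristic is what keeps www.sqlite.org out of the C2 list without a hard-coded allow list; on entry 14489 the same rule would keep all eleven /u2kb/ domains and drop only the sqlite download. The DNS-only section is worth keeping in a report: a FormBook build walks its whole domain list, so a domain that did not resolve during the run is still part of the build's infrastructure and may resolve later.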
14490 | 2023-03-27 10:32
File: Blaubok.exe
MD5: 3c62500496bfc4f35d38ddbe71be78c2
Tags: RedLine stealer[m] PWS .NET framework RAT RedLine Stealer Confuser .NET SMTP PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: none
Hosts (1):
  199.115.193.171 - malicious
IDS alerts: none
Flagged URLs: none
10.4 | M | 48 | ZeroCERT