14491 |
2023-03-17 07:36
|
91.exe e309c8e66cb963033a3e8cc4b480f81d NPKI UPX Malicious Library OS Processor Check PE64 PE File Browser Info Stealer VirusTotal Malware MachineGuid Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process Ransomware Windows Browser ComputerName DNS crashed |
|
1
|
|
|
6.4 |
M |
37 |
ZeroCERT
14492 |
2023-03-16 16:49
|
c339d4dd247e4069ef221cfaf63cba... 99efa19440acb8132312136bfa7d0981 UPX Malicious Library OS Processor Check DLL PE32 PE File VirusTotal Malware |
|
|
|
|
1.6 |
|
39 |
guest
14493 |
2023-03-16 14:30
|
file.zip 1701259e39636d400dd1f48f633c98be ZIP Format VirusTotal Malware |
|
|
|
|
0.8 |
M |
28 |
ZeroCERT
14494 |
2023-03-16 13:21
|
File_pass1234.zip 4db4161883df15ab90bd7ffba1df4910 ZIP Format Malware Malicious Traffic IP Check Tofsee DNS |
4
http://www.maxmind.com/geoip/v2.1/city/me http://149.154.158.34/api/tracemap.php https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/
|
9
api.db-ip.com(104.26.4.15) db-ip.com(172.67.75.166) ipinfo.io(34.117.59.81) www.maxmind.com(104.17.215.67) 172.67.75.166 149.154.158.34 104.17.215.67 34.117.59.81 104.26.5.15
|
2
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.2 |
|
|
ZeroCERT
14495 |
2023-03-16 12:06
|
1603.one 3267ae8154776913b0032a6806fdb9c3 VirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
|
8 |
ZeroCERT
14496 |
2023-03-16 11:36
|
uwp.dat 63b2b3193b0311cf4bfae3fed891adb8 AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
14497 |
2023-03-16 10:58
|
Sammenstyrtningens242.vbs a75c770acab8755ebc617f8925eff3b4 Generic Malware Antivirus Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities suspicious process suspicious TLD anti-virtualization Windows ComputerName DNS Cryptographic key crashed |
2
http://5.8.8.100/signal/TpRIfutRxWlhn224.dwp http://5.8.8.100/signal/Traverser.dwp
|
3
vossworld.ru(5.8.11.93) 5.8.8.100 5.8.11.93
|
|
|
10.6 |
|
|
ZeroCERT
14498 |
2023-03-16 10:56
|
Contactus.html 73aa630ae71d55aef8d9f2101ef3bb1a AntiDebug AntiVM PNG Format MSOffice File JPEG Format VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
secure.sharefile.com(76.223.1.166) 13.248.193.251
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External File Sharing Service in DNS Lookup (sharefile .com) ET INFO TLS Handshake Failure
|
|
4.2 |
|
5 |
ZeroCERT
14499 |
2023-03-16 10:54
|
1.html 8f1f9a93892188a5fa472ff664bbf19e AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
14500 |
2023-03-16 10:54
|
vbc.exe 5fd4d5c90658e442b969384b80036b7b UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
18
http://www.gritslab.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.222ambking.org/u2kb/?zpWWbk=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&BUj3o3=57XzuV-XXTr http://www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip http://www.bitservicesltd.com/u2kb/?zpWWbk=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&BUj3o3=57XzuV-XXTr http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.thedivinerudraksha.com/u2kb/?zpWWbk=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&BUj3o3=57XzuV-XXTr http://www.younrock.com/u2kb/?zpWWbk=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&BUj3o3=57XzuV-XXTr http://www.gritslab.com/u2kb/?zpWWbk=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&BUj3o3=57XzuV-XXTr http://www.thedivinerudraksha.com/u2kb/ http://www.white-hat.uk/u2kb/?zpWWbk=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&BUj3o3=57XzuV-XXTr http://www.bitservicesltd.com/u2kb/ http://www.energyservicestation.com/u2kb/?zpWWbk=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&BUj3o3=57XzuV-XXTr http://www.thewildphotographer.co.uk/u2kb/?zpWWbk=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&BUj3o3=57XzuV-XXTr http://www.shapshit.xyz/u2kb/?zpWWbk=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&BUj3o3=57XzuV-XXTr http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/
|
20
www.thewildphotographer.co.uk(45.33.18.44) www.gritslab.com(78.141.192.145) www.fclaimrewardccpointq.shop() www.shapshit.xyz(199.192.30.147) www.energyservicestation.com(213.145.228.111) www.222ambking.org(91.195.240.94) www.bitservicesltd.com(161.97.163.8) www.thedivinerudraksha.com(85.187.128.34) www.white-hat.uk(94.176.104.86) www.younrock.com(81.17.18.194) 45.33.2.79 - mailcious 85.187.128.34 - mailcious 78.141.192.145 199.192.30.147 213.145.228.111 94.176.104.86 81.17.29.146 - mailcious 161.97.163.8 45.33.6.223 91.195.240.94 - phishing
|
3
ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
4.4 |
M |
38 |
ZeroCERT
14501 |
2023-03-16 10:51
|
1603.one 3267ae8154776913b0032a6806fdb9c3 VirusTotal Malware crashed |
|
|
|
|
0.6 |
|
8 |
ZeroCERT
14502 |
2023-03-16 10:49
|
boy1start.ps1 c0aa6a02799611928896463d8c6a324d NPKI Formbook RAT Hide_EXE Generic Malware Antivirus SMTP PWS[m] KeyLogger PDF AntiDebug AntiVM .NET EXE PE32 PE File ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
7
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://37.139.128.83/golden.pdf http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip http://checkip.dyndns.org/
|
3
checkip.dyndns.org(132.226.8.169) 193.122.130.0 37.139.128.83
|
6
ET INFO Dotted Quad Host PDF Request ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
21.0 |
M |
9 |
ZeroCERT
14503 |
2023-03-16 10:44
|
persis.exe 44141a0e32ba57ab5c42a7d18a3745ce PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
47 |
ZeroCERT
14504 |
2023-03-16 10:44
|
st-start.ps1 1ee009f6414309c4c1c8db3fbd83861d NPKI Formbook RAT Hide_EXE Generic Malware Antivirus KeyLogger PDF AntiDebug AntiVM ZIP Format .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
6
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://37.139.128.83/golden.pdf http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
|
1
|
1
ET INFO Dotted Quad Host PDF Request
|
|
19.0 |
M |
7 |
ZeroCERT
14505 |
2023-03-16 10:41
|
vbc.exe 493798b24ab2433b6d96c2d82ade8ab8 Loki_b Loki_m RAT UPX Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/chang/five/fre.php
|
1
185.246.220.60 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
13.8 |
M |
35 |
ZeroCERT