14521 | 2023-03-24 18:17 | 20............................... 3d64a167c2f313bac10c89b3d591be13 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting | 2.6 | M | 30 | ZeroCERT

14522 | 2023-03-24 18:15 | 1.vbs 0302835269c55903e8af7326a27ca898 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key | 5.8 | M | 2 | ZeroCERT

14523 | 2023-03-24 18:15 | vbc.exe 1207e0b55db1b38405c49fc57209fc38 PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS crashed | 3.2 | M | 33 | ZeroCERT
  hosts (1)

14524 | 2023-03-24 18:13 | vbc.exe 1651e40eaf343b2e9ceaea5f1aef2fae NPKI RAT UPX PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself | 1.6 | M | 29 | ZeroCERT

14525 | 2023-03-24 18:12 | huilang.exe f1ec2cf6256a7c8543586065a07da47a UPX PE32 PE File Malware download VirusTotal Open Directory Malware AutoRuns Malicious Traffic Check memory Creates executable files RWX flags setting AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Windows Exploit Browser DNS | 9.4 | M | 56 | ZeroCERT
  hosts (1)
  alerts (8): ET INFO Executable Download from dotted-quad Host; ET MALWARE Possible Malicious Macro DL EXE Feb 2016; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK); ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP

14526 | 2023-03-24 18:12 | creal.exe 2120b49043ad53c0a73cbf60bc110f8e Gen1 Emotet Generic Malware UPX Malicious Library Anti_VM Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE64 PE File DLL ZIP Format VirusTotal Malware Check memory Creates executable files | 2.2 | M | 34 | ZeroCERT

14527 | 2023-03-24 18:11 | vbc.exe 52960f977b511bb88664a0177320a26a PWS .NET framework RAT Generic Malware Antivirus .NET EXE PE32 PE File VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key | 7.4 | M | 28 | ZeroCERT

14528 | 2023-03-24 18:10 | 1.vbs 8207f9bb21566a55e65885d18172fe00 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key | 5.8 | | 2 | ZeroCERT

14529 | 2023-03-24 18:09 | 98.exe 719082dcc3c017e5b675c8b9ec74b6a1 RedLine stealer[m] UPX Malicious Library AntiDebug AntiVM OS Processor Check PE32 PE File Browser Info Stealer FTP Client Info Stealer Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Collect installed applications AntiVM_Disk IP Check VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed | 12.6 | M | | ZeroCERT
  hosts (3): pastebin.com(104.20.67.143) - mailcious; ip-api.com(208.95.112.1); 51.210.161.21

14530 | 2023-03-24 17:51 | ndt5tk.exe 9ce5895cf7087cd578519a76e9eadb7c UPX Malicious Library PWS[m] AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself ComputerName crashed | 7.6 | | 32 | ZeroCERT

14531 | 2023-03-24 11:31 | svchost.exe 8ec922c7a58a8701ab481b7be9644536 Gen2 Gen1 UPX Malicious Packer PE64 PE File PDB Remote Code Execution | 0.6 | | | guest

14532 | 2023-03-24 09:47 | vbc.exe b9e1bfbf09491bfb164214ce2618acb7 UPX Malicious Library PE32 PE File VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 4.4 | M | 34 | ZeroCERT
  alerts (1): ET HUNTING Request to .XYZ Domain with Minimal Headers

14533 | 2023-03-24 09:46 | vx9.txt.ps1 bbd04ea795c2f48efea24040f42730e6 Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key | 1.4 | M | 5 | ZeroCERT

14534 | 2023-03-24 09:45 | WinLoad.exe 12a45205a6da702e56b6a07cbe162445 Gen2 Gen1 Generic Malware UPX Malicious Library Anti_VM OS Processor Check PE64 PE File VirusTotal Malware Creates executable files DNS crashed | 2.0 | M | 23 | ZeroCERT
  hosts (3): 37.230.138.66 - mailcious; 142.250.66.36; 37.230.138.123 - mailcious

14535 | 2023-03-24 09:45 | writer.bat 1e30daa4770b00c2e624e8a615e80282 Downloader Create Service DGA Socket ScreenShot DNS Internet API Code injection PWS[m] Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM powershell Windows utilities suspicious process WriteConsoleW Windows Trojan DNS DDNS DoTNet | 5.8 | | | ZeroCERT
  urls (6): http://g57hitr9atw9jkky5p2.ddns.net/ncat/libssl-3.dll; http://g57hitr9atw9jkky5p2.ddns.net/ncat/libssh2.dll; http://g57hitr9atw9jkky5p2.ddns.net/ncat/getprivshell.ps1; http://g57hitr9atw9jkky5p2.ddns.net/ncat/vcruntime140.dll; http://g57hitr9atw9jkky5p2.ddns.net/ncat/svchost.exe; http://g57hitr9atw9jkky5p2.ddns.net/ncat/libcrypto-3.dll
  hosts (2): g57hitr9atw9jkky5p2.ddns.net(66.228.37.7) - malware; 66.228.37.7 - mailcious
  alerts (6): ET POLICY DNS Query to DynDNS Domain *.ddns .net; ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain; ET INFO PS1 Powershell File Request; ET HUNTING Generic Powershell Launching Hidden Window; ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download; ET POLICY PE EXE or DLL Windows file download HTTP