14536 |
2023-03-24 09:44
|
1.exe 7429ee8b83fcbb48fe5b383a6235ac1d UPX Malicious Library MZP Format PE32 PE File VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces Tofsee Windows |
8
http://s3.eu-central-1.wasabisys.com/delice/delice-prov/poweroff.exe http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies - rule_id: 23046 https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://s3.eu-central-1.wasabisys.com/delice/delice-purify/hand-emHqRHrKsna22Rea.exe https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe - rule_id: 23052 https://www.google.com/ https://connectini.net/S2S/Disc/Disc.php?ezok=flabs2&tesla=6 - rule_id: 7620 https://s3.eu-central-1.wasabisys.com/delice/delice-purify/up-do-dat-emHqRHrKsna22Rea.exe
|
12
n8w5.c12.e2-1.dev() - malware wewewe.s3.eu-central-1.amazonaws.com(52.219.170.150) - mailcious www.google.com(172.217.25.164) 360devtracking.com(37.230.138.66) - mailcious s3.eu-central-1.wasabisys.com(130.117.252.29) - malware connectini.net(37.230.138.123) - mailcious 130.117.252.29 - malware 52.219.140.125 130.117.252.31 142.250.66.36 37.230.138.123 - mailcious 37.230.138.66 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
4
http://360devtracking.com/ezzcbmueaa4iwhvb/fmovies https://connectini.net/Series/SuperNitouDisc.php https://wewewe.s3.eu-central-1.amazonaws.com/WeUninstalled.exe https://connectini.net/S2S/Disc/Disc.php
|
6.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14537 |
2023-03-24 09:39
|
LitPay.exe 3951f8ad7e0e7682fc0d9d13c9a503c5 Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Remote Code Execution Cryptographic key crashed |
|
|
|
|
4.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14538 |
2023-03-24 09:39
|
vvd.exe ddae367e828d169834f7261f3cba74d2 PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS |
|
1
|
|
|
2.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14539 |
2023-03-24 09:37
|
vbc.exe 7ff571e8d43bdefd4fb9ca3177dfbc7e PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
12.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14540 |
2023-03-24 09:37
|
vbc.exe 953f34884877d4946480bb967d355f69 PWS .NET framework RAT AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
10
http://www.kkqqzb.xyz/a2fh/ http://www.fruitecology.com/a2fh/ http://www.thezweb.com/a2fh/ http://www.fruitecology.com/a2fh/?4L5CL=HirmV0K3W8X16cPIA6CgpFp2oQQLbxP0EUyoOXJjH6Oo2gLH1gE5EmJJO1tE0kgmFicI29ZS7SJZl+PB0hquqiKbSKMHjlIfypwbQTc=&VNz=9fBchlPzp http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip http://www.atamahaberleri.com/a2fh/?4L5CL=qcchKJfYoXX+SNysomeaXt2UPWY/FcJKOe6J/rkRQI82UqjdWxoSyFumgkLce2bhgQ1UYjQfjBP88N6FTJ0nkeTpGzUxt+uzFPein5I=&VNz=9fBchlPzp http://www.dg-computing.com/a2fh/?4L5CL=pV97ZqUGpE+UodE0UyDCOo7MEcmaoOdfg9usDzs3w3JwZR7SMHyMKVK/lZy2YBfdLhtcCUV0G4ICDRW/J2REkgHIgwBLa2wBoIgzf5w=&VNz=9fBchlPzp http://www.kkqqzb.xyz/a2fh/?4L5CL=26Y37L3jXNG2JHI3wpaK6zCVLkrwfYXeV/30niWVu7rxeLE01wiRvGELFFHOaIrCm60YwShU1siy0NCFU9cAiPm31W1i39pBO7M5w+I=&VNz=9fBchlPzp http://www.dg-computing.com/a2fh/ http://www.thezweb.com/a2fh/?4L5CL=ohPlRN1rGtRlq2ENH0YEDA1UceaE5ScRC2dJJXLlUzkXjZP8hqfc1Pamn8K9eI0nDacK8c7ZeK5GYMYRI15J27P9D9jBSgJvDxW15X4=&VNz=9fBchlPzp
|
11
www.thezweb.com(63.141.242.43) www.dg-computing.com(38.238.131.233) www.fruitecology.com(46.30.213.155) www.atamahaberleri.com(185.126.216.74) www.kkqqzb.xyz(172.67.174.28) 172.67.174.28 38.238.131.233 63.141.242.43 - mailcious 45.33.6.223 46.30.213.155 - mailcious 185.126.216.74
|
3
ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
8.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14541 |
2023-03-24 09:37
|
85............................... c3e8b482ed3986690fcdc9cbab9a0b7f MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
|
1
172.245.123.109 - malware
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14542 |
2023-03-24 09:34
|
vbc.exe 8301d3d1a602b5aa7e72a57fb20d1a57 PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14543 |
2023-03-24 09:34
|
b.pif 424811420bb77c6b2aeee8fd5fd651e0 PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger PDF AntiDebug AntiVM .NET EXE PE32 PE File ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
7
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://37.139.128.83/golden.pdf - rule_id: 27987 http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip http://checkip.dyndns.org/
|
3
checkip.dyndns.org(193.122.6.168) 193.122.6.168 37.139.128.83 - mailcious
|
6
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain ET INFO Dotted Quad Host PDF Request
|
1
http://37.139.128.83/golden.pdf
|
20.2 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14544 |
2023-03-24 09:34
|
1.vbs 670a6c9ab0f89a768738fe10a8b06982 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.8 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14545 |
2023-03-24 08:41
|
presetbodyqualitydebris.hbaked... 3627dcbbcd0be2ce4f53d3e05c77d9eb AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14546 |
2023-03-23 18:47
|
INV.exe d826f8c8edb9b4eea8ee18fa75572490 UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD DNS |
24
http://www.gitmart.top/hubr/?QCFrH7=8LIoJqXtzQoTeM3tSIRjdvK/wvVoI+eZdkhCTWtrmHUI4YaQHcTCw+vN7fasUs/Q0cHIvjOlVkHozVI89gTByPzeHUA52gVSRwAL/jY=&RbcWz=XTYFdv http://www.kahinghk.com/hubr/?QCFrH7=KA2zyijBF8x3Kgke2P+iKCtl6t6cGVl80Cc65JTye6QbcFhOuDw4y56CfsJy2MXD5dQvnaW1nqx7b9Z6wt4S6QZG6sghwLw0rVDMOz0=&RbcWz=XTYFdv http://www.guochaochao.com/hubr/?QCFrH7=vfnS7kNQ7lGkZwLtMQL9ZqfKyBscb+bEwFm+1uJubApJ6Q5hDNwLUi92Ea3pDCl5aGqTGhnnOe/pMNEIN7harbO0q3jSNOA5A+i+70k=&RbcWz=XTYFdv http://www.kahinghk.com/hubr/ http://www.celestinshipping.org/hubr/ http://www.hbslwhcb.com/hubr/?QCFrH7=5E10n45PC8vNB5pZtNj2sXLK8uWSY44i7aDcSA40kUAwhBPRaI2LrW2xciaMt4VcY7NLJleQuynhqBK73YwksAZi1WQgViquW1DW70o=&RbcWz=XTYFdv http://www.guochaochao.com/hubr/ http://www.mtgu.net/hubr/?QCFrH7=BYsUt3owDFJM7GVfuQIWnXwMgDGHBsC/I/b9ZUSfYrqeSV4owQnpPIjIy5UP/vTtTt2F54HHRXV+MLyWN1XqqGr/sjv3aXZqNOI2ujY=&RbcWz=XTYFdv http://www.bankmobile.online/hubr/?QCFrH7=AqcQf51FHOgh7P9E+wpuxnHpBgBzwI/msQRQ0Dyz8q0S90nTnG8ByyoMHYn461jaf1OBwwUC6quuS4TuPkl+q34PRRmwUjUeIaKK3gY=&RbcWz=XTYFdv http://www.bankmobile.online/hubr/ http://www.auto-sparepart.com/hubr/?QCFrH7=shp9tHQK/I+jiDz9HZEHJbj1KzHSlPA6IKLbVtcuxb+Os6cPDAiYF95XnY/LnjHwM9ayWNJXkgFRKo9FtI2zAKU8dQudTiqe32jNO5U=&RbcWz=XTYFdv http://www.airductshopdk.com/hubr/?QCFrH7=IY6ZMgtXttJgF5cV0sWllCOUaHDATDBCnZNtq8QNvWCyBBYDnskeOxikfpX38PnG5T3Zxr6jgxyRUZdALpyeaupJP3sUL1Dl98sUeiQ=&RbcWz=XTYFdv http://www.hbslwhcb.com/hubr/ http://www.celestinshipping.org/hubr/?QCFrH7=Vfw1tXj75Mnbbr9waYgxlQ7QagSBA5wKBGGly+Su2Nf6tIgktwqqKgDHr8woq6O0Z5sp1IK/HWsht85Es+CPzw2fwmYXFsAsraj4FMw=&RbcWz=XTYFdv http://www.asonsrestaurantbar.co.uk/hubr/ http://www.callceylon-infinity.com/hubr/?QCFrH7=QGWktfIAtu18+t6NQORxBTtvzjo+nFqh7PlIya0sAjXty+UNsna0QAVZJMoUGZhtBucAVwHYc/82s4klU8XEeQDHowb765v/cfPxxLM=&RbcWz=XTYFdv http://www.betting.style/hubr/ http://www.betting.style/hubr/?QCFrH7=Igos4DvGYSTYudzWMt6YfvTMrgMRYd/c9vPdAr65R47dBdgzYQRIJWYhFBMjFdvBBv9IJDMtFMntT2Xn4QfH4WErd6ncw9Si7XBW0k4=&RbcWz=XTYFdv http://www.airductshopdk.com/hubr/ http://www.mtgu.net/hubr/ http://www.gitmart.top/hubr/ http://www.auto-sparepart.com/hubr/ http://www.asonsrestaurantbar.co.uk/hubr/?QCFrH7=LhIi+kEWCIVSy/fPx6ZU7zxwa0K9qbQ4Avh4ugI75RiAcqy+P9f/TzxibnAgVXMDuzt86sgVXJJMNA/faZ0hFKKpQbAodEvnYLncODA=&RbcWz=XTYFdv http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
|
25
www.mtgu.net(165.140.71.65) www.celestinshipping.org(74.220.199.6) www.guochaochao.com(23.27.78.200) www.asonsrestaurantbar.co.uk(63.141.242.43) www.auto-sparepart.com(13.248.243.5) www.kahinghk.com(148.66.54.130) www.hbslwhcb.com(103.146.179.136) www.betting.style(64.190.63.111) www.airductshopdk.com(23.228.123.194) www.bankmobile.online(185.104.28.238) www.callceylon-infinity.com(217.160.0.91) www.gitmart.top(199.192.28.110) 23.27.78.200 185.104.28.238 - mailcious 103.146.179.136 76.223.105.230 - mailcious 64.190.63.111 - mailcious 74.220.199.6 - mailcious 192.187.111.219 - mailcious 148.66.54.130 217.160.0.91 45.33.6.223 23.228.123.194 199.192.28.110 165.140.71.65
|
4
ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers
|
|
4.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14547 |
2023-03-23 18:45
|
ss47.exe 44d59cf2b7e4700b703e95eaa7fdbdc7 UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File Browser Info Stealer VirusTotal Malware PDB MachineGuid Malicious Traffic buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Remote Code Execution |
5
http://bz.bbbeioaag.com/sts/bimage.jpg http://count.iiagjaggg.com/check/safe http://www.facebook.com/check/?sid=1251809&key=0dcaeaf81593814fe2ahttps://www.facebook.com/d06851037 https://www.facebook.com/ads/manager/account_settings/account_billing https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing
|
6
bz.bbbeioaag.com(45.136.113.107) www.facebook.com(157.240.31.35) count.iiagjaggg.com(45.66.159.179) 45.136.113.107 31.13.82.36 45.66.159.179
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Double User-Agent (User-Agent User-Agent)
|
|
5.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14548 |
2023-03-23 18:39
|
ComPlusMethone.exe cf52142e72a8cae6f9f667b19d098459 PWS .NET framework RAT Anti_VM Malicious Packer .NET EXE PE32 PE File VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
4.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14549 |
2023-03-23 18:39
|
NetSySCLI.exe 367030209dfe9a7f1631b8edad37cfa3 PE64 PE File VirusTotal Malware DNS |
|
1
|
|
|
3.0 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14550 |
2023-03-23 18:33
|
A1.exe f45a24c4f95ebc9c77e61344b65872f2 RAT UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself DNS |
|
1
172.67.34.170 - mailcious
|
|
|
2.6 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|