14551 | 2023-03-23 18:31
cipher.exe | a1a1af51bcab4d2f25637f6aa32ab493
Tags: RAT UPX OS Processor Check .NET EXE PE32 PE File VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI ICMP traffic unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord ComputerName DNS
URLs (2):
http://ip-api.com/csv/?fields=status,query https://discord.com/api/webhooks/1056590206893051904/2ybdaA7zXHVKpVJNM5j-1a4lW_FhpBXMYcNGIJpTvJx-GQGX3887N8vX1I_ea-w62qoK
Hosts (6):
localbeheaders.mcgo.io(108.16.60.193) discord.com(162.159.137.232) - mailcious ip-api.com(208.95.112.1) 162.159.137.232 - mailcious 208.95.112.1 108.16.60.193
Alerts (4):
ET INFO Observed Discord Domain in DNS Lookup (discord .com) ET INFO Observed Discord Domain (discord .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
8.6 | M | 44 | ZeroCERT

14552 | 2023-03-23 18:30
fotocr.exe | 86b64b82769fd641a3664ee102cd2f60
Tags: UPX Malicious Library OS Processor Check PE32 PE File PDB unpack itself Remote Code Execution
1.2 | M | | ZeroCERT

14553 | 2023-03-23 18:29
ConPtyShell.exe | ce43d05a16369e03f1ee9e997bce44f6
Tags: RAT UPX Malicious Packer Antivirus .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1):
2.4 | M | 36 | ZeroCERT

14554 | 2023-03-23 18:28
NRATNew.exe | ca6a4db4964f4475bed525178ad92f0c
Tags: RAT Malicious Packer .NET EXE PE32 PE File GIF Format VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName Cryptographic key keylogger
Hosts (2):
localbeheaders.mcgo.io(108.16.60.193) 108.16.60.193
7.6 | M | 52 | ZeroCERT

14555 | 2023-03-23 18:27
creal.exe | 2120b49043ad53c0a73cbf60bc110f8e
Tags: Gen1 Emotet Generic Malware UPX Malicious Library Anti_VM Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE64 PE File DLL ZIP Format VirusTotal Malware Check memory Creates executable files
2.0 | | 23 | ZeroCERT

14556 | 2023-03-23 18:27
nettaskcipher.exe | 64557121d459383777f4c4f5c611e59b
Tags: RAT Generic Malware UPX Antivirus OS Processor Check .NET EXE PE32 PE File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key
URLs (2):
http://ip-api.com/csv/?fields=status,query https://pastebin.com/raw/fB4ZyQEn
Hosts (6):
0.tcp.eu.ngrok.io(3.125.102.39) pastebin.com(104.20.67.143) - mailcious ip-api.com(208.95.112.1) 208.95.112.1 3.125.102.39 172.67.34.170 - mailcious
Alerts (3):
ET INFO DNS Query to a *.ngrok domain (ngrok.io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
10.6 | M | 53 | ZeroCERT

14557 | 2023-03-23 18:25
g02.exe | 9f488e91936c3e39d4c8d9923d067cf6
Tags: PWS .NET framework RAT UPX .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
1.4 | | 6 | ZeroCERT

14558 | 2023-03-23 18:24
rumf61h.exe | 0fba69e599437eb61d2abc86569621be
Tags: RedLine stealer[m] UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
10.0 | | 50 | ZeroCERT

14559 | 2023-03-23 15:26
Pass_1234_Setup.rar | 37262ca3a1d563877f4324ee75b6facb
Tags: PWS[m] KeyLogger Escalate priviledges AntiDebug AntiVM Malware download Malware RecordBreaker suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Stealer Windows DNS
URLs (10):
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://185.181.10.208/ http://185.181.10.208/26556a0c2e4bbf69b06c173ce1681609 http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://185.181.10.208/8e0966e25decf295f67dfe9904e292d5 http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
Hosts (1):
Alerts (5):
ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Possible Generic Stealer Sending System Information
3.8 | | | ZeroCERT

14560 | 2023-03-23 13:30
vbc.exe | d26e9a9ca834081f9decb5cdb0c10065
Tags: PWS .NET framework RAT Generic Malware Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1):
http://checkip.dyndns.org/
Hosts (2):
checkip.dyndns.org(193.122.6.168) 193.122.130.0
Alerts (5):
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
15.0 | M | 36 | ZeroCERT

14561 | 2023-03-23 13:27
19............................... | 8be240ea9814810a1c8a8754595b28b5
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Windows Exploit DNS DDNS crashed keylogger Downloader
URLs (2):
http://checkip.dyndns.org/
http://104.168.46.107/219/vbc.exe
Hosts (4):
checkip.dyndns.org(193.122.130.0) 1.12.242.71 - malware
158.101.44.242
104.168.46.107 - mailcious
Alerts (12):
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
5.4 | M | 31 | ZeroCERT

14562 | 2023-03-23 13:25
Firefox1.exe | 77d8ff584c4a6be6e927107aa7aa813b
Tags: Malicious Library PE32 PE File VirusTotal Malware PDB Check memory unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS
Hosts (1):
Alerts (1):
SURICATA Applayer Protocol detection skipped
3.8 | M | 47 | ZeroCERT

14563 | 2023-03-23 13:24
vbc.exe | 92be4d14e97f691d1a23454035deca30
Tags: UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (22):
http://www.un-object.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007 http://www.younrock.com/u2kb/?vYIDU5HY=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&uq=qG4LADbMk - rule_id: 28006 http://www.thewildphotographer.co.uk/u2kb/?vYIDU5HY=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&uq=qG4LADbMk - rule_id: 28007 http://www.222ambking.org/u2kb/ - rule_id: 28004 http://www.younrock.com/u2kb/ - rule_id: 28006 http://www.shapshit.xyz/u2kb/?vYIDU5HY=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&uq=qG4LADbMk - rule_id: 28008 http://www.gritslab.com/u2kb/ - rule_id: 28002 http://www.222ambking.org/u2kb/?vYIDU5HY=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&uq=qG4LADbMk - rule_id: 28004 http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009 http://www.bitservicesltd.com/u2kb/?vYIDU5HY=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&uq=qG4LADbMk - rule_id: 28003 http://www.energyservicestation.com/u2kb/?vYIDU5HY=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&uq=qG4LADbMk - rule_id: 28005 http://www.thedivinerudraksha.com/u2kb/?vYIDU5HY=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&uq=qG4LADbMk - rule_id: 28009 http://www.bitservicesltd.com/u2kb/ - rule_id: 28003 http://www.white-hat.uk/u2kb/?vYIDU5HY=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&uq=qG4LADbMk - rule_id: 28001 http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip http://www.avisrezervee.com/u2kb/ http://www.shapshit.xyz/u2kb/ - rule_id: 28008 
http://www.avisrezervee.com/u2kb/?vYIDU5HY=Nu51DycidcThoi6HkGUnEqF2p/VUHSNCO5CXk0BEdmcXpSXgg1RqTlXk86f8MRtZRxUedaYGJ7PZrk0hQ2YUaALzgSFDdx3OJyeNMnM=&uq=qG4LADbMk http://www.gritslab.com/u2kb/?vYIDU5HY=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&uq=qG4LADbMk - rule_id: 28002 http://www.energyservicestation.com/u2kb/ - rule_id: 28005 http://www.un-object.com/u2kb/?vYIDU5HY=pRDkJdNDOVoQCU+9NmsXxtV7Hl5B2fjCZpxzdvjpnmqfDHzh6n+FRjrKmvNay2X+ZHc+W0Q0dfC9yhNaGgRfmUucMWCv4S2l11PhWJ0=&uq=qG4LADbMk
Hosts (24):
www.thewildphotographer.co.uk(45.33.18.44) - mailcious www.gritslab.com(78.141.192.145) - mailcious www.fclaimrewardccpointq.shop() - mailcious www.avisrezervee.com(31.186.11.254) www.shapshit.xyz(199.192.30.147) - mailcious www.energyservicestation.com(213.145.228.111) - mailcious www.un-object.com(192.185.17.12) www.222ambking.org(91.195.240.94) - mailcious www.bitservicesltd.com(161.97.163.8) - mailcious www.thedivinerudraksha.com(85.187.128.34) - mailcious www.white-hat.uk(94.176.104.86) - mailcious www.younrock.com(81.17.29.147) - mailcious 91.195.240.94 - phishing 85.187.128.34 - mailcious 78.141.192.145 - mailcious 192.185.17.12 31.186.11.254 - mailcious 213.145.228.111 - mailcious 94.176.104.86 - mailcious 96.126.123.244 - mailcious 161.97.163.8 - mailcious 45.33.6.223 81.17.18.194 - mailcious 199.192.30.147 - mailcious
Alerts (2):
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (17):
http://www.thewildphotographer.co.uk/u2kb/ http://www.younrock.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.gritslab.com/u2kb/ http://www.222ambking.org/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.energyservicestation.com/u2kb/ http://www.thedivinerudraksha.com/u2kb/ http://www.bitservicesltd.com/u2kb/ http://www.white-hat.uk/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.gritslab.com/u2kb/ http://www.energyservicestation.com/u2kb/
4.4 | M | 34 | ZeroCERT

14564 | 2023-03-23 13:23
vbc.exe | 047f4584d2662d20bbb4c7b48cb1523a
Tags: PWS .NET framework RAT Hide_EXE SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
URLs (1):
Hosts (2):
api.ipify.org(104.237.62.211) 64.185.227.155
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.0 | M | 32 | ZeroCERT

14565 | 2023-03-23 13:20
unknown.exe | ab2185234d407de7d8d03041e7c3a488
Tags: RAT UPX Malicious Library Antivirus OS Processor Check .NET EXE PE32 PE File suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName keylogger
3.2 | M | | ZeroCERT