14611 | 2023-03-21 17:26 | Blotlg1NOUSE.vbs | 78a900693c638974a061a547f55ea676 | score 8.4 | M | VT 1 | ZeroCERT
Tags: Generic Malware, Antivirus, Remcos, VirusTotal, Malware, powershell, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, unpack itself, suspicious process, suspicious TLD, anti-virtualization, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (3):
  http://geoplugin.net/json.gp
  http://109.206.240.67/xlog/Embus.sea
  http://109.206.240.67/xlog/imZdjzBNviOCSMAcujoQo182.emz
Hosts (5):
  geoplugin.net()
  xlongactive.su(78.142.18.37)
  178.237.33.50
  109.206.240.67 - malicious
  78.142.18.37
Suricata alerts (2):
  ET JA3 Hash - Remcos 3.x TLS Connection
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Rule-matched URLs: none

14612 | 2023-03-21 17:25 | Jubilets1.vbs | d79593a6fb6c636a50334085b9d6018b | score 7.8 | VT 20 | ZeroCERT
Tags: Generic Malware, Antivirus, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, Windows utilities, suspicious process, Windows, ComputerName, Cryptographic key, crashed
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14613 | 2023-03-21 13:41 | Lst.exe | 163d4e2d75f8ce6c838bab888bf9629c | score 2.2 | VT 8 | ZeroCERT
Tags: Gen1, UPX, Malicious Library, Malicious Packer, Anti_VM, OS Processor Check, PE64, PE File, DLL, ZIP Format, VirusTotal, Malware, Check memory, Creates executable files, unpack itself, crashed
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14614 | 2023-03-21 10:21 | j6418a06081c941.29196432.js | 75293cec307cbd04d23b935d9b931194 | score 0.2 | VT n/a | ZeroCERT
Tags: crashed
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14615 | 2023-03-21 10:21 | j6418a0613a7d18.89805382.js | 2e37b17c6a51dc28a37449055a305efa | score 0.6 | VT n/a | ZeroCERT
Tags: unpack itself, crashed
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14616 | 2023-03-21 10:19 | photo_004.exe | 46748c64f38cbf845c1802db5b367ed2 | score 1.2 | M | VT n/a | ZeroCERT
Tags: Generic Malware, UPX, Malicious Library, OS Processor Check, PE32, PE File, unpack itself, Remote Code Execution
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14617 | 2023-03-21 10:18 | rw001ext.exe | 0ad8d4cffac5f713a2ef3b2c72a84e29 | score 1.2 | M | VT 8 | ZeroCERT
Tags: Gen2, Generic Malware, UPX, Malicious Library, OS Processor Check, PE32, PE File, VirusTotal, Malware, unpack itself
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14618 | 2023-03-21 10:15 | vbc.exe | ca19b29e80779c0f9d74604b3d17940e | score 3.4 | M | VT n/a | ZeroCERT
Tags: UPX, Malicious Library, PE32, PE File, FormBook, Malware download, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself
URLs (18):
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.222ambking.org/u2kb/?M_CK7q=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28004
  http://www.shapshit.xyz/u2kb/ - rule_id: 28008
  http://www.thedivinerudraksha.com/u2kb/?M_CK7q=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28009
  http://www.bitservicesltd.com/u2kb/?M_CK7q=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28003
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
  http://www.shapshit.xyz/u2kb/?M_CK7q=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28008
  http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
  http://www.thewildphotographer.co.uk/u2kb/?M_CK7q=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28007
  http://www.gritslab.com/u2kb/?M_CK7q=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28002
  http://www.white-hat.uk/u2kb/?M_CK7q=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28001
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.younrock.com/u2kb/?M_CK7q=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28006
  http://www.energyservicestation.com/u2kb/?M_CK7q=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&FF0d0r=D1sVN3y9bV_x-fV8 - rule_id: 28005
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
  http://www.222ambking.org/u2kb/ - rule_id: 28004
  http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (19):
  www.thewildphotographer.co.uk(198.58.118.167) - malicious
  www.gritslab.com(78.141.192.145) - malicious
  www.shapshit.xyz(199.192.30.147) - malicious
  www.energyservicestation.com(213.145.228.111) - malicious
  www.222ambking.org(91.195.240.94) - malicious
  www.bitservicesltd.com(161.97.163.8) - malicious
  www.thedivinerudraksha.com(85.187.128.34) - malicious
  www.white-hat.uk(94.176.104.86) - malicious
  www.younrock.com(192.187.111.222) - malicious
  91.195.240.94 - phishing
  85.187.128.34 - malicious
  78.141.192.145 - malicious
  199.192.30.147 - malicious
  213.145.228.111 - malicious
  94.176.104.86 - malicious
  81.17.29.148 - malicious
  161.97.163.8 - malicious
  45.33.6.223
  173.255.194.134
Suricata alerts (3):
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (17):
  http://www.gritslab.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.shapshit.xyz/u2kb/
  http://www.thedivinerudraksha.com/u2kb/
  http://www.thewildphotographer.co.uk/u2kb/
  http://www.gritslab.com/u2kb/
  http://www.white-hat.uk/u2kb/
  http://www.bitservicesltd.com/u2kb/
  http://www.younrock.com/u2kb/
  http://www.energyservicestation.com/u2kb/
  http://www.222ambking.org/u2kb/
  http://www.younrock.com/u2kb/

14619 | 2023-03-21 10:15 | vbc.exe | 506b8329e83dc58c82c251756ca342b7 | score 13.6 | M | VT 34 | ZeroCERT
Tags: Loki, Loki_b, Loki_m, PWS, .NET framework, Hide_EXE, Socket, DNS, PWS[m], AntiDebug, AntiVM, .NET EXE, PE32, PE File, Browser Info Stealer, LokiBot, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, c&c, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, installed browsers check, Browser, Email, ComputerName, DNS, Software
URLs (1):
  http://185.246.220.60/chang/five/fre.php - rule_id: 27988
Hosts (1):
  185.246.220.60 - malicious
Suricata alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
  http://185.246.220.60/chang/five/fre.php

14620 | 2023-03-21 10:13 | photo_004.exe | 8c641e565b13fc56efdcd7658956accf | score 1.2 | M | VT n/a | ZeroCERT
Tags: Generic Malware, UPX, Malicious Library, OS Processor Check, PE32, PE File, unpack itself, Remote Code Execution
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14621 | 2023-03-21 10:11 | man.exe | 87be1ac6122ed0c75b3af80696b9e686 | score 11.6 | M | VT 31 | ZeroCERT
Tags: PWS, .NET framework, Hide_EXE, KeyLogger, AntiDebug, AntiVM, .NET EXE, PE32, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
URLs (1): (none listed)
Hosts (2):
  api.ipify.org(173.231.16.76)
  64.185.227.155
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none

14622 | 2023-03-21 10:11 | RegSvcs.exe | 5aecc5c3cb23cdf6cd97d3f8de866d2b | score n/a | VT n/a | ZeroCERT
Tags: RAT, .NET DLL, DLL, PE32, PE File
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14623 | 2023-03-21 10:09 | vbc.exe | 5ccc064218d48040cb306d30cbd83079 | score 11.4 | M | VT 21 | ZeroCERT
Tags: RAT, Generic Malware, Antivirus, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, Windows, ComputerName, Cryptographic key
URLs (1):
  http://amandamuggleton.com.au/.wp-cli/cache/Hqiogfzdx.bmp
Hosts (2):
  amandamuggleton.com.au(116.0.23.217)
  116.0.23.217 - suspicious
Suricata alerts (1):
  ET HUNTING Suspicious Terse Request for .bmp
Rule-matched URLs: none

14624 | 2023-03-21 10:09 | information3.txt.ps1 | d05f9f87c9f7f3f31fa5993f77d0b76a | score 1.0 | VT n/a | ZeroCERT
Tags: Generic Malware, Antivirus, Check memory, unpack itself, WriteConsoleW, Windows, Cryptographic key
URLs: none
Hosts: none
Suricata alerts: none
Rule-matched URLs: none

14625 | 2023-03-21 10:09 | vbc.exe | d94d4ff9589037731d7dfb4d9e582b0b | score 3.0 | M | VT 40 | ZeroCERT
Tags: PWS, .NET framework, RAT, .NET EXE, PE32, PE File, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, DNS
URLs: none
Hosts (1): (none listed)
Suricata alerts: none
Rule-matched URLs: none