14686 | 2023-03-17 18:04
File: 2.exe | MD5: 53e1934061876c52e6fa0c9243d32d9d
Tags: Generic Malware, Antivirus, .NET EXE, PE32, PE File, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, Tofsee, Windows, Discord, ComputerName, DNS, Cryptographic key, Downloader
URLs (1): https://cdn.discordapp.com/attachments/1084910197719449733/1084910369199362149/ASDASD.exe
Hosts (2): cdn.discordapp.com (162.159.134.233) - malware; 162.159.135.233 - malware
Signatures (3): ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Score: 10.0 | M | 45 | ZeroCERT

14687 | 2023-03-17 18:02
File: 3.exe | MD5: 9549168790bc8b01d0c889fccb01bd73
Tags: Generic Malware, Antivirus, .NET EXE, PE32, PE File, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, Tofsee, Windows, Discord, ComputerName, DNS, Cryptographic key, Downloader
URLs (1): https://cdn.discordapp.com/attachments/1084910197719449733/1084910413923242034/SecurityHelath_protected.exe
Hosts (2): cdn.discordapp.com (162.159.130.233) - malware; 162.159.133.233 - malware
Signatures (3): ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Score: 10.0 | M | 30 | ZeroCERT

14688 | 2023-03-17 18:02
File: 68..................68........... | MD5: 86fc671549dae9122a212b2d0866518d
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (1): http://34.238.244.174/68/vbc.exe
Hosts (2): 411h9gmjsf7azu3f6wf2wyv9c.lerrj0u3u7vbft4(); 34.238.244.174 - malicious
Signatures (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE MSIL/GenKryptik.FQRH Download Request; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.4 | M | 25 | ZeroCERT

14689 | 2023-03-17 18:00
File: EBSMEDIA_protected.exe | MD5: 97bf48e51ff002f6d9f5e778e52d8319
Tags: RAT, Generic Malware, task schedule, Malicious Packer, Antivirus, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, ICMP traffic, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key
Hosts: 1 (none listed)
Score: 14.8 | M | 51 | ZeroCERT

14690 | 2023-03-17 18:00
File: 1.exe | MD5: e04c47828b28e33be2b5ebc75172901b
Tags: Generic Malware, Antivirus, .NET EXE, PE32, PE File, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, Tofsee, Windows, Discord, ComputerName, DNS, Cryptographic key, Downloader
URLs (1): https://cdn.discordapp.com/attachments/1084910197719449733/1084910296319139840/RynMd_protected.exe
Hosts (2): cdn.discordapp.com (162.159.135.233) - malware; 162.159.129.233 - malware
Signatures (3): ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Score: 10.0 | M | 27 | ZeroCERT

14691 | 2023-03-17 17:58
File: 6.exe | MD5: 210e93b80b868f6aebf712e0da9edf5b
Tags: Generic Malware, Antivirus, .NET EXE, PE32, PE File, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, Tofsee, Windows, Discord, ComputerName, DNS, Cryptographic key, Downloader
URLs (1): https://cdn.discordapp.com/attachments/1084910197719449733/1084910457481089054/lastdc.exe
Hosts (2): cdn.discordapp.com (162.159.135.233) - malware; 162.159.129.233 - malware
Signatures (3): ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Score: 10.0 | M | 31 | ZeroCERT

14692 | 2023-03-17 17:58
File: HDU3.exe | MD5: 04694e5e78d0a3dcab0bfea22aa90cfe
Tags: Malicious Packer, PE64, PE File, VirusTotal, Malware, Tofsee, crashed, DoTNet
Hosts (2): textbin.net (148.72.177.212) - malicious; 148.72.177.212 - malicious
Signatures (3): ET INFO TLS Handshake Failure; ET INFO Pastebin-style Service (textbin .net in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.0 | M | 31 | ZeroCERT

14693 | 2023-03-17 17:57
File: vbc.exe | MD5: f35d8958edaab270d6c621bb96e395fc
Tags: Malicious Library, AntiDebug, AntiVM, PE64, PE File, FormBook, Malware download, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs (18):
  http://www.thedivinerudraksha.com/u2kb/?zKkmw=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&toZ=xM6qAGrIAGRvmv - rule_id: 28009
  http://www.gritslab.com/u2kb/ - rule_id: 28002
  http://www.thewildphotographer.co.uk/u2kb/?zKkmw=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&toZ=xM6qAGrIAGRvmv - rule_id: 28007
  http://www.shapshit.xyz/u2kb/ - rule_id: 28008
  http://www.gritslab.com/u2kb/?zKkmw=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&toZ=xM6qAGrIAGRvmv - rule_id: 28002
  http://www.energyservicestation.com/u2kb/ - rule_id: 28005
  http://www.thewildphotographer.co.uk/u2kb/ - rule_id: 28007
  http://www.younrock.com/u2kb/?zKkmw=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&toZ=xM6qAGrIAGRvmv - rule_id: 28006
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
  http://www.222ambking.org/u2kb/?zKkmw=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&toZ=xM6qAGrIAGRvmv - rule_id: 28004
  http://www.thedivinerudraksha.com/u2kb/ - rule_id: 28009
  http://www.bitservicesltd.com/u2kb/ - rule_id: 28003
  http://www.white-hat.uk/u2kb/?zKkmw=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&toZ=xM6qAGrIAGRvmv - rule_id: 28001
  http://www.bitservicesltd.com/u2kb/?zKkmw=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&toZ=xM6qAGrIAGRvmv - rule_id: 28003
  http://www.energyservicestation.com/u2kb/?zKkmw=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&toZ=xM6qAGrIAGRvmv - rule_id: 28005
  http://www.shapshit.xyz/u2kb/?zKkmw=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&toZ=xM6qAGrIAGRvmv - rule_id: 28008
  http://www.222ambking.org/u2kb/ - rule_id: 28004
  http://www.younrock.com/u2kb/ - rule_id: 28006
Hosts (19): www.thewildphotographer.co.uk (45.33.18.44) - malicious; www.gritslab.com (78.141.192.145) - malicious; www.shapshit.xyz (199.192.30.147) - malicious; www.energyservicestation.com (213.145.228.111) - malicious; www.222ambking.org (91.195.240.94) - malicious; www.bitservicesltd.com (161.97.163.8) - malicious; www.thedivinerudraksha.com (85.187.128.34) - malicious; www.white-hat.uk (94.176.104.86) - malicious; www.younrock.com (63.141.242.45) - malicious; 91.195.240.94 - phishing; 85.187.128.34 - malicious; 78.141.192.145 - malicious; 199.192.30.147 - malicious; 45.79.19.196 - malicious; 213.145.228.111 - malicious; 94.176.104.86 - malicious; 161.97.163.8 - malicious; 45.33.6.223; 81.17.18.195 - malicious
Signatures (2): ET MALWARE FormBook CnC Checkin (GET); ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (17): http://www.thedivinerudraksha.com/u2kb/; http://www.gritslab.com/u2kb/; http://www.thewildphotographer.co.uk/u2kb/; http://www.shapshit.xyz/u2kb/; http://www.gritslab.com/u2kb/; http://www.energyservicestation.com/u2kb/; http://www.thewildphotographer.co.uk/u2kb/; http://www.younrock.com/u2kb/; http://www.222ambking.org/u2kb/; http://www.thedivinerudraksha.com/u2kb/; http://www.bitservicesltd.com/u2kb/; http://www.white-hat.uk/u2kb/; http://www.bitservicesltd.com/u2kb/; http://www.energyservicestation.com/u2kb/; http://www.shapshit.xyz/u2kb/; http://www.222ambking.org/u2kb/; http://www.younrock.com/u2kb/
Score: 8.2 | M | 25 | ZeroCERT

14694 | 2023-03-17 17:56
File: 8.exe | MD5: 43fb0bb43cd8878e170066a86c57b8ca
Tags: Generic Malware, Antivirus, .NET EXE, PE32, PE File, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, Tofsee, Windows, Discord, ComputerName, DNS, Cryptographic key, Downloader
URLs (1): https://cdn.discordapp.com/attachments/1084910197719449733/1084910489320046642/enes.exe
Hosts (2): cdn.discordapp.com (162.159.129.233) - malware; 162.159.133.233 - malware
Signatures (3): ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Score: 10.0 | M | 33 | ZeroCERT

14695 | 2023-03-17 17:56
File: DefenderSecurity.exe | MD5: 0fbf332153113f4b0dfd105244cba305
Tags: RAT, .NET EXE, PE32, PE File, VirusTotal, Malware, DNS
Hosts: 1 (none listed)
Score: 2.8 | M | 47 | ZeroCERT

14696 | 2023-03-17 17:55
File: reycrytp.exe | MD5: e5b2d160f8ba238317a89cd4ed6660b5
Tags: RAT, task schedule, UPX, Malicious Library, Malicious Packer, AntiDebug, AntiVM, OS Processor Check, .NET EXE, PE32, PE File, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, ComputerName, DNS, crashed
Hosts: 1 (none listed)
Score: 10.8 | M | 29 | ZeroCERT

14697 | 2023-03-17 17:54
File: 7.exe | MD5: de5666a98bc07594a7e963d1b41964e7
Tags: Generic Malware, Antivirus, .NET EXE, PE32, PE File, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, Tofsee, Windows, Discord, ComputerName, DNS, Cryptographic key, Downloader
URLs (1): https://cdn.discordapp.com/attachments/1084910197719449733/1084910471943041124/DefenderSecurity.exe
Hosts (2): cdn.discordapp.com (162.159.135.233) - malware; 162.159.129.233 - malware
Signatures (3): ET INFO Observed Discord Domain (discordapp .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Score: 10.0 | M | 34 | ZeroCERT

14698 | 2023-03-17 17:52
File: vbc.exe | MD5: 0d6f619554c6de06992c444d8b3c9a74
Tags: UPX, Malicious Library, OS Processor Check, PE32, PE File, VirusTotal, Malware, PDB
Hosts (1): 411h9gmjsf7azu3f6wf2wyv9c.lerrj0u3u7vbft4()
Score: 1.4 | M | 20 | ZeroCERT

14699 | 2023-03-17 17:51
File: ASDASD.exe | MD5: 38b7f433a65cdc9b846b3bff842c3bb1
Tags: RedLine stealer[m], Malicious Packer, PWS[m], BitCoin, AntiDebug, AntiVM, .NET EXE, PE32, PE File, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (2): http://52.232.8.179:37764/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb (172.67.75.172); 104.26.12.31; 52.232.8.179
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
Score: 13.2 | M | 49 | ZeroCERT

14700 | 2023-03-17 17:50
File: SecurityHelath_protected.exe | MD5: 1cf38074d1eec7ff196912f6b2d8c0c1
Tags: RAT, Generic Malware, task schedule, Malicious Packer, Antivirus, AntiDebug, AntiVM, .NET EXE, PE32, PE File, VirusTotal, Malware, powershell, AutoRuns, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, Cryptographic key
Score: 12.4 | M | 45 | ZeroCERT
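The entries above carry three pivots an analyst would want to pull out programmatically: the cdn.discordapp.com URLs embed a channel ID and an attachment ID, which are Discord snowflakes that encode their creation time, and several downloaders here fetch from the same channel; the hosts fields share one "host(ip) - label" grammar; and the FormBook sample beacons to one URI path (/u2kb/) across many domains, with a legitimate www.sqlite.org download mixed in. The Python script below is an example added here, not code from the sandbox service that produced this listing. RECORDS is constructed from entries on this page (sample names, URLs and hosts fields as listed, with the long query-string beacons reduced to their bare paths); the field grammar, function names and the snowflake decoding are the example's own assumptions.

```python
"""Pivots over a sandbox IOC listing like the one above.

Added example for this page, not code from the sandbox service that produced
the listing. RECORDS is constructed from entries on this page (sample names,
URLs and hosts fields as listed); the field grammar, function names and
Discord snowflake decoding are this example's own assumptions.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Discord snowflake IDs store milliseconds since 2015-01-01T00:00:00Z in their
# upper 42 bits, so channel and attachment IDs date the upload.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Constructed from this page: sample name -> (URL list, hosts field).
RECORDS = {
    "2.exe": (
        ["https://cdn.discordapp.com/attachments/1084910197719449733/1084910369199362149/ASDASD.exe"],
        "cdn.discordapp.com(162.159.134.233) - malware 162.159.135.233 - malware",
    ),
    "3.exe": (
        ["https://cdn.discordapp.com/attachments/1084910197719449733/1084910413923242034/SecurityHelath_protected.exe"],
        "cdn.discordapp.com(162.159.130.233) - malware 162.159.133.233 - malware",
    ),
    "HDU3.exe": ([], "textbin.net(148.72.177.212) - malicious 148.72.177.212 - malicious"),
    "vbc.exe": (
        [
            "http://www.thedivinerudraksha.com/u2kb/",
            "http://www.gritslab.com/u2kb/",
            "http://www.shapshit.xyz/u2kb/",
            "http://www.white-hat.uk/u2kb/",
            "http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip",
        ],
        "www.gritslab.com(78.141.192.145) - malicious 91.195.240.94 - phishing 45.33.6.223",
    ),
}

# Hosts field grammar: "host(ip) - label", "ip - label" or a bare "ip".
HOST_RE = re.compile(
    r"(?:(?P<host>[A-Za-z0-9.-]+)\s*\()?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?:\s*-\s*(?P<label>[a-z]+))?"
)
DISCORD_RE = re.compile(r"^https://cdn\.discordapp\.com/attachments/(\d+)/(\d+)/([^/?#]+)")


def parse_hosts(field):
    """Split a hosts field into (hostname or None, ip, label or None) tuples."""
    return [(m.group("host"), m.group("ip"), m.group("label"))
            for m in HOST_RE.finditer(field)]


def discord_attachment(url):
    """(channel_id, attachment_id, filename) for a Discord CDN attachment URL, else None."""
    m = DISCORD_RE.match(url)
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None


def snowflake_to_unix_ms(snowflake):
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_iso(snowflake):
    ts = snowflake_to_unix_ms(snowflake) / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def discord_channels(records):
    """Map each Discord channel ID to the samples that pulled a payload from it."""
    out = {}
    for name, (urls, _hosts) in records.items():
        for url in urls:
            att = discord_attachment(url)
            if att:
                out.setdefault(att[0], []).append(name)
    return out


def urls_by_path(urls):
    """Group URLs by URI path; FormBook reuses one path across decoy and real C2 domains."""
    out = {}
    for url in urls:
        parts = urlsplit(url)
        out.setdefault(parts.path, set()).add(parts.netloc)
    return {path: sorted(hosts) for path, hosts in out.items()}


def labelled_ips(records):
    """Every IP across all records with its label; a bare IP keeps None."""
    out = {}
    for _urls, hosts in records.values():
        for _host, ip, label in parse_hosts(hosts):
            if label or ip not in out:
                out[ip] = label
    return out


if __name__ == "__main__":
    for channel, names in discord_channels(RECORDS).items():
        print(channel, snowflake_to_iso(channel), names)
    print(urls_by_path(RECORDS["vbc.exe"][0]))
    print(labelled_ips(RECORDS))
```

Running it shows that the ASDASD.exe attachment was uploaded on 2023-03-13, four days before these sandbox runs, and that the channel it sits in was created less than a minute before the upload, which marks it as a throwaway staging channel rather than a compromised community. Grouping the FormBook URLs by path separates the /u2kb/ beacon set from the sqlite.org download on its own path, and the IP table keeps the page's own labels (91.195.240.94 is the one host marked phishing) while preserving unlabelled IPs such as 45.33.6.223.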