14746 |
2023-03-16 10:58
|
Sammenstyrtningens242.vbs a75c770acab8755ebc617f8925eff3b4 Generic Malware Antivirus Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities suspicious process suspicious TLD anti-virtualization Windows ComputerName DNS Cryptographic key crashed |
2
http://5.8.8.100/signal/TpRIfutRxWlhn224.dwp http://5.8.8.100/signal/Traverser.dwp
|
3
vossworld.ru(5.8.11.93) 5.8.8.100 5.8.11.93
|
|
|
10.6 |
|
|
ZeroCERT
14747 |
2023-03-16 10:56
|
Contactus.html 73aa630ae71d55aef8d9f2101ef3bb1a AntiDebug AntiVM PNG Format MSOffice File JPEG Format VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
secure.sharefile.com(76.223.1.166) 13.248.193.251
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External File Sharing Service in DNS Lookup (sharefile .com) ET INFO TLS Handshake Failure
|
|
4.2 |
|
5 |
ZeroCERT
14748 |
2023-03-16 10:54
|
1.html 8f1f9a93892188a5fa472ff664bbf19e AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
14749 |
2023-03-16 10:54
|
vbc.exe 5fd4d5c90658e442b969384b80036b7b UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
18
http://www.gritslab.com/u2kb/ http://www.shapshit.xyz/u2kb/ http://www.222ambking.org/u2kb/?zpWWbk=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&BUj3o3=57XzuV-XXTr http://www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip http://www.bitservicesltd.com/u2kb/?zpWWbk=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&BUj3o3=57XzuV-XXTr http://www.energyservicestation.com/u2kb/ http://www.thewildphotographer.co.uk/u2kb/ http://www.thedivinerudraksha.com/u2kb/?zpWWbk=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&BUj3o3=57XzuV-XXTr http://www.younrock.com/u2kb/?zpWWbk=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&BUj3o3=57XzuV-XXTr http://www.gritslab.com/u2kb/?zpWWbk=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&BUj3o3=57XzuV-XXTr http://www.thedivinerudraksha.com/u2kb/ http://www.white-hat.uk/u2kb/?zpWWbk=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&BUj3o3=57XzuV-XXTr http://www.bitservicesltd.com/u2kb/ http://www.energyservicestation.com/u2kb/?zpWWbk=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&BUj3o3=57XzuV-XXTr http://www.thewildphotographer.co.uk/u2kb/?zpWWbk=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&BUj3o3=57XzuV-XXTr http://www.shapshit.xyz/u2kb/?zpWWbk=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&BUj3o3=57XzuV-XXTr http://www.222ambking.org/u2kb/ http://www.younrock.com/u2kb/
|
20
www.thewildphotographer.co.uk(45.33.18.44) www.gritslab.com(78.141.192.145) www.fclaimrewardccpointq.shop() www.shapshit.xyz(199.192.30.147) www.energyservicestation.com(213.145.228.111) www.222ambking.org(91.195.240.94) www.bitservicesltd.com(161.97.163.8) www.thedivinerudraksha.com(85.187.128.34) www.white-hat.uk(94.176.104.86) www.younrock.com(81.17.18.194) 45.33.2.79 - mailcious 85.187.128.34 - mailcious 78.141.192.145 199.192.30.147 213.145.228.111 94.176.104.86 81.17.29.146 - mailcious 161.97.163.8 45.33.6.223 91.195.240.94 - phishing
|
3
ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
4.4 |
M |
38 |
ZeroCERT
14750 |
2023-03-16 10:51
|
1603.one 3267ae8154776913b0032a6806fdb9c3 VirusTotal Malware crashed |
|
|
|
|
0.6 |
|
8 |
ZeroCERT
14751 |
2023-03-16 10:49
|
boy1start.ps1 c0aa6a02799611928896463d8c6a324d NPKI Formbook RAT Hide_EXE Generic Malware Antivirus SMTP PWS[m] KeyLogger PDF AntiDebug AntiVM .NET EXE PE32 PE File ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
7
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://37.139.128.83/golden.pdf http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip http://checkip.dyndns.org/
|
3
checkip.dyndns.org(132.226.8.169) 193.122.130.0 37.139.128.83
|
6
ET INFO Dotted Quad Host PDF Request ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check ET POLICY External IP Lookup - checkip.dyndns.org ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
21.0 |
M |
9 |
ZeroCERT
14752 |
2023-03-16 10:44
|
persis.exe 44141a0e32ba57ab5c42a7d18a3745ce PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
47 |
ZeroCERT
14753 |
2023-03-16 10:44
|
st-start.ps1 1ee009f6414309c4c1c8db3fbd83861d NPKI Formbook RAT Hide_EXE Generic Malware Antivirus KeyLogger PDF AntiDebug AntiVM ZIP Format .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
6
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://37.139.128.83/golden.pdf http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
|
1
|
1
ET INFO Dotted Quad Host PDF Request
|
|
19.0 |
M |
7 |
ZeroCERT
14754 |
2023-03-16 10:41
|
vbc.exe 493798b24ab2433b6d96c2d82ade8ab8 Loki_b Loki_m RAT UPX Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/chang/five/fre.php
|
1
185.246.220.60 - mailcious
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
13.8 |
M |
35 |
ZeroCERT
14755 |
2023-03-16 10:38
|
pankotro3.1.exe 8c8ee58eacb110d5598f723ecd7e948c UPX Malicious Library Malicious Packer PE32 PE File VirusTotal Malware AutoRuns Check memory Creates executable files ICMP traffic unpack itself AppData folder Windows DNS DDNS |
|
2
omerlan.duckdns.org(193.56.29.112) 193.56.29.112
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
6.4 |
M |
36 |
ZeroCERT
14756 |
2023-03-16 10:36
|
.win32.exe c1360cce1de01199925aade09545577d UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
53 |
ZeroCERT
14757 |
2023-03-16 10:34
|
vbc.exe 0e8ee45f8cf246835f8db619516ad340 RAT Generic Malware UPX Antivirus SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
|
2
api.ipify.org(173.231.16.76) 104.237.62.211
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
M |
30 |
ZeroCERT
14758 |
2023-03-16 10:32
|
2-1_2023-03-14_23-04.exe 097d8371eea941a8f7191509d8dc1b69 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.0 |
M |
35 |
ZeroCERT
14759 |
2023-03-16 10:31
|
parmashdy3.1.exe bdfb2c5a346d6684824b78499b36b88d UPX Malicious Library PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD |
4
http://www.hatterascharters.com/s26y/?xVJtG4Th=cvNALa4IK27Ro6rtXOeXYUfpmrm3HoImnwXbSTSK6JETCyzPBx85LajqaSCh8zKc7b3z2v0K&1bw=L6Adp0nXjfjLdR2p - rule_id: 27524 http://www.thereallifeguild.app/s26y/?xVJtG4Th=ztcHOa7slkLvMVmIwFVD+MxqaM7ohUfwpwKohan9eDFMAOiKstevJtoFNxACBjZ48g0ugAFk&1bw=L6Adp0nXjfjLdR2p http://www.drain-pipe-cleaning-81784.com/s26y/?xVJtG4Th=xifof8+AcnXYXdMQ3P6+Gp6nTFK1K7BHbiRnlOZOb5nZkb3/gR0wuwfXLP1X2cmFaGUzIp/v&1bw=L6Adp0nXjfjLdR2p http://www.nikol-beauty.ru/s26y/?xVJtG4Th=zNa4SwDr0KBpy31l5KYIDaXbaS4SRxFhmO4CadMaCoCUEqg240jhfCVWHeE/FLPBCdnN9g63&1bw=L6Adp0nXjfjLdR2p
|
8
www.nikol-beauty.ru(31.184.217.9) www.hatterascharters.com(154.85.239.101) - mailcious www.drain-pipe-cleaning-81784.com(104.247.82.91) www.thereallifeguild.app(91.184.0.100) 91.184.0.100 - mailcious 31.184.217.9 154.85.239.101 - mailcious 104.247.82.91
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.hatterascharters.com/s26y/
|
4.4 |
M |
37 |
ZeroCERT
14760 |
2023-03-16 10:29
|
Hack Bold Italic Nerd Font Com... 715b054e75bfe030884f63623b3715e7 AntiDebug AntiVM Check memory unpack itself |
|
|
|
|
1.0 |
|
|
guest