166 |
2023-07-27 10:30
|
photo340.exe f0c28816a58f907591e5e014e049024a Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL .NET EXE PE64 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
5
http://77.91.124.47/anon/an.exe http://77.91.124.47/new/fotod250.exe http://77.91.68.61/rock/index.php - rule_id: 35495 http://77.91.68.248/fuzz/raman.exe http://77.91.124.47/new/foto5566.exe
|
7
files.catbox.moe(108.181.20.35) - malware 77.91.68.61 - malware 108.181.20.35 - mailcious 77.91.124.84 - mailcious 77.91.124.47 - malware 77.91.68.248 - malware 141.94.192.217
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Possible Kelihos.F EXE Download Common Structure ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
17.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
167 |
2023-07-27 10:32
|
fotod250.exe afed523b82c39015e5e8eb6f55906537 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.84 - mailcious
|
12
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
168 |
2023-07-27 10:34
|
foto5566.exe 1608f0e5d9b277a7ba7fb25f736b8c74 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.84 - mailcious
|
11
ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
169 |
2023-07-27 10:36
|
foto5566.exe 310049edb1a276ebf198060d9cd3bc5d Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.84 - mailcious
|
11
ET INFO Dotted Quad Host DLL Request ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
170 |
2023-07-27 10:40
|
an.exe 691a54b032d616e5f9303557ffd49add Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution Cryptographic key |
|
2
files.catbox.moe(108.181.20.35) - malware 108.181.20.35 - mailcious
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
171 |
2023-07-30 09:05
|
new.EXE c36f10074bd560df1341aeb405b23641 Gen1 Emotet UPX Malicious Library Malicious Packer CAB PE64 PE File OS Processor Check VirusTotal Malware AutoRuns PDB Creates executable files WriteConsoleW Windows Remote Code Execution |
|
|
|
|
3.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
172 |
2023-07-31 07:42
|
Tumeg.exe e5655066c86f74f6b444f66f3222ce07 Gen1 Emotet UPX Malicious Library Antivirus CAB PE File PE32 VirusTotal Malware AutoRuns PDB Check memory Creates executable files unpack itself Windows utilities AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution |
|
|
|
|
4.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
173 |
2023-08-01 08:09
|
photo443.exe e248dada31a4ae88394b5c8363218701 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
3
http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515 http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516 http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.156 - mailcious
|
12
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Dotted Quad Host DLL Request ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer Activity (Response) ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
3
http://77.91.68.61/rock/Plugins/cred64.dll http://77.91.68.61/rock/Plugins/clip64.dll http://77.91.68.61/rock/index.php
|
16.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
174 |
2023-08-04 09:09
|
lega.exe 253dcfc72aa745e063bc035a1e93daab Gen1 Emotet UPX Malicious Library CAB PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
|
2
45.33.6.223 77.91.124.156 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
|
|
11.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
175 |
2023-08-07 08:36
|
fotod250.exe 08141df58f30575861b2c703dc47c3a9 Gen1 Emotet Amadey SmokeLoader RedLine Infostealer RedLine stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer .NET framework(MSIL) Confuser .NET AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
7
http://77.91.68.1/smo/du.exe http://77.91.68.61/rock/index.php - rule_id: 35495 http://77.91.68.1/new/foto5566.exe http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516 http://77.91.68.1/new/fotod250.exe http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515 http://77.91.68.3/fuzz/faman.exe
|
4
77.91.68.61 - malware 77.91.68.3 - malware 77.91.68.1 - malware 77.91.124.156 - mailcious
|
15
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Executable Download from dotted-quad Host ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer Activity (Response) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
3
http://77.91.68.61/rock/index.php http://77.91.68.61/rock/Plugins/clip64.dll http://77.91.68.61/rock/Plugins/cred64.dll
|
18.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
176 |
2023-08-07 08:36
|
foto5566.exe c5f81f9b7d05d70a0a105b06fc16ce31 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
3
http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515 http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516 http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.156 - mailcious
|
11
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Dotted Quad Host DLL Request ET MALWARE Redline Stealer Activity (Response) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2
|
3
http://77.91.68.61/rock/Plugins/cred64.dll http://77.91.68.61/rock/Plugins/clip64.dll http://77.91.68.61/rock/index.php
|
16.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
177 |
2023-08-08 09:16
|
foto4060.exe 154cfd11c188d2d5b6b2aef4c5b36f13 Gen1 Emotet Amadey RedLine Infostealer RedLine stealer Browser Login Data Stealer SmokeLoader UPX Malicious Library Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Confuser .NET Malicious Packer CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
8
http://193.233.254.61/loghub/master http://77.91.68.1/smo/du.exe - rule_id: 35705 http://77.91.68.61/rock/index.php - rule_id: 35495 http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516 http://77.91.68.1/new/fotod360.exe http://77.91.68.1/new/foto4060.exe http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515 http://77.91.68.3/fuzz/faman.exe - rule_id: 35706
|
5
77.91.68.61 - malware 77.91.68.3 - malware 193.233.254.61 77.91.124.156 - mailcious 77.91.68.1 - malware
|
16
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
5
http://77.91.68.1/smo/du.exe http://77.91.68.61/rock/index.php http://77.91.68.61/rock/Plugins/clip64.dll http://77.91.68.61/rock/Plugins/cred64.dll http://77.91.68.3/fuzz/faman.exe
|
17.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
178 |
2023-08-08 09:19
|
fotod360.exe de76c534160e914236dd0a7a0e9cb68f Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
4
http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515 http://193.233.254.61/loghub/master http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516 http://77.91.68.61/rock/index.php - rule_id: 35495
|
3
77.91.68.61 - malware 77.91.124.156 - mailcious 193.233.254.61
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2
|
3
http://77.91.68.61/rock/Plugins/cred64.dll http://77.91.68.61/rock/Plugins/clip64.dll http://77.91.68.61/rock/index.php
|
16.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
179 |
2023-08-12 18:57
|
photo551.exe 16ca62cfbd303242d39ccc6084c1e6f7 Gen1 Emotet UPX Malicious Library CAB PE File PE32 AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Update Remote Code Execution |
|
|
|
|
7.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
180 |
2023-08-18 07:41
|
foto4055.exe 3e829ce0029df6886e3e865dc44860b0 Gen1 Emotet Malicious Library UPX PE File CAB PE32 AutoRuns PDB Check memory Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution |
|
|
|
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|