226 |
2023-11-09 07:56
|
need.exe 91d5dbd8e4804912cb38e62186467068 Gen1 Emotet Malicious Library UPX PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check Browser Info Stealer Malware download Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Stealc Windows Update Browser Email ComputerName Remote Code Execution DNS crashed |
1
http://193.233.255.73/loghub/master - rule_id: 37500
|
1
193.233.255.73 - mailcious
|
2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.255.73/loghub/master
|
16.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
227 |
2023-11-10 09:29
|
from.exe 2c1702ec1ce5fce93e682e82afe6fd91 RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://193.233.255.73/loghub/master - rule_id: 37500
|
2
193.233.255.73 - mailcious 5.42.92.51
|
6
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.255.73/loghub/master
|
17.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
228 |
2023-11-10 09:35
|
smo.exe 3fe5e1bbb296648428c4436703bd6302 RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://193.233.255.73/loghub/master - rule_id: 37500
|
2
193.233.255.73 - mailcious 5.42.92.51
|
6
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.255.73/loghub/master
|
18.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
229 |
2023-11-16 19:03
|
need.exe e622baf0198d6821fb4e1a8a23618a17 RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS Socket Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81) db-ip.com(172.67.75.166) 194.49.94.152 104.26.4.15 34.117.59.81
|
11
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
|
|
18.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
230 |
2023-11-21 08:00
|
smo.exe d117bdd49deff0dc9c560ed4a03d3a5f Emotet Gen1 Malicious Library UPX PE32 PE File CAB Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81) db-ip.com(104.26.5.15) 194.49.94.152 - mailcious 104.26.4.15 34.117.59.81
|
7
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
|
|
18.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
231 |
2023-12-07 16:40
|
line.exe fcfc4a3e70883dc993ee49241e40c393 Emotet Gen1 SmokeLoader Generic Malware Malicious Library UPX Malicious Packer PE32 PE File CAB OS Processor Check Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81) db-ip.com(104.26.5.15) 193.233.132.51 - mailcious 104.26.4.15 34.117.59.81
|
6
ET MALWARE [ANY.RUN] RisePro TCP (Token) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
|
|
15.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
232 |
2023-12-27 07:49
|
foxi.exe 25be69edbd38d09faf01adfe59e39da2 Emotet Gen1 SmokeLoader EnigmaProtector Malicious Library UPX PE32 PE File CAB ZIP Format Lnk Format GIF Format DLL OS Processor Check .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk IP Check VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://ipinfo.io/widget/demo/175.208.134.152
|
4
ipinfo.io(34.117.186.192) 23.32.56.72 34.117.186.192 193.233.132.62
|
7
ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
|
|
15.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
233 |
2024-01-05 07:58
|
bongo.exe 98e589da2cf91986d1e703189919dec1 RedLine stealer Emotet Gen1 Amadey RedlineStealer NSIS Generic Malware Malicious Library UPX .NET framework(MSIL) Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus ScreenShot PWS Anti_VM AntiDebug AntiVM PE32 PE File CAB .NET EXE OS Processor Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check installed browsers check Kelihos Tofsee Ransomware Stealer Windows Exploit Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
29
http://77.91.68.21/lend/YT.exe http://77.91.68.21/lend/MRK.exe http://77.91.68.21/lend/golden.exe http://77.91.68.21/lend/macheri.exe http://77.91.68.21/lend/flesh.exe http://77.91.68.21/lend/bakhtiar.exe http://185.215.113.68/theme/Plugins/cred64.dll http://77.91.68.21/mine/nocry.exe http://api.ipify.org/?format=ewf http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=seven&s=ab - rule_id: 38706 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.42.66.0/newrock.exe http://185.215.113.68/theme/Plugins/clip64.dll http://77.91.68.21/lend/pixelguy.exe http://185.215.113.68/theme/index.php https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff https://www.youtube.com/favicon.ico https://ipinfo.io/widget/demo/175.208.134.152 https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://www.youtube.com/ https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.googleapis.com/css?family=Roboto:400,500
|
23
www.youtube.com(172.217.175.14) - mailcious fonts.googleapis.com(172.217.25.170) api.ipify.org(173.231.16.77) ipinfo.io(34.117.186.192) iplogger.com(104.21.76.57) - mailcious fonts.gstatic.com(172.217.25.163) 20.79.30.95 173.231.16.77 195.20.16.103 185.215.113.68 193.233.132.62 104.21.76.57 5.42.66.0 - malware 216.58.220.138 - mailcious 5.42.65.31 216.58.203.78 77.91.68.21 - malware 23.32.56.80 185.172.128.53 - malware 91.92.254.7 - mailcious 172.217.24.227 121.254.136.9 34.117.186.192
|
27
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET INFO Microsoft net.tcp Connection Initialization Activity ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request ET MALWARE Redline Stealer Family Activity (Response) ET MALWARE Possible Kelihos.F EXE Download Common Structure ET INFO Packed Executable Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup (ipify .org) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
|
1
http://91.92.254.7/scripts/plus.php
|
26.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
234 |
2024-01-12 07:59
|
love.exe d3420ffb07677d83ab1fd50b1c45c96d Emotet Gen1 EnigmaProtector Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File CAB OS Processor Check PNG Format MSOffice File JPEG Format VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee Windows Update Exploit ComputerName Remote Code Execution DNS crashed |
2
https://instagram.com/accounts/login/ https://instagram.com/accounts/login
|
3
instagram.com(157.240.215.174) www.instagram.com(157.240.215.174) 157.240.215.174
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
12.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
235 |
2024-01-12 15:58
|
love.exe d84ddf7e3d38eb30d74875aef7bdf829 Emotet Gen1 EnigmaProtector Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File CAB PNG Format MSOffice File JPEG Format OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee Windows Update Exploit ComputerName Remote Code Execution DNS crashed |
2
https://instagram.com/accounts/login/ https://instagram.com/accounts/login
|
3
instagram.com(157.240.215.174) www.instagram.com(157.240.215.174) 157.240.215.174
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
12.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
236 |
2024-01-16 08:15
|
done.exe 750730cacee06f5b29188ef5050ff7ab Client SW User Data Stealer Emotet Gen1 browser info stealer EnigmaProtector Generic Malware Google Chrome User Data Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Http API PWS Code injection Create Service Socket DGA ScreenShot Es Browser Info Stealer VirusTotal Malware AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser Remote Code Execution DNS crashed |
15
https://fbsbx.com/security/hsts-pixel.gif?c=5 https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz https://www.facebook.com/favicon.ico https://connect.facebook.net/security/hsts-pixel.gif https://www.facebook.com/login https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yJ/l/0,cross/JtVgZ46o85N.css?_nc_x=Ij3Wp8lg5Kz https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
8
www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 157.240.215.35 157.240.215.14
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
237 |
2024-02-04 16:41
|
npp86Installerx64.exe d8b897481e51cfab29862e8f9d5a039d Emotet Gen1 Malicious Library UPX PE32 PE File CAB VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Remote Code Execution |
|
|
|
|
4.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
238 |
2024-02-04 16:43
|
ClamAV-0.103.4.exe 27caec389aed111fc91c3531b9a6dbe1 Emotet Gen1 Hide_EXE Malicious Library UPX .NET framework(MSIL) PE File PE64 CAB PE32 .NET EXE OS Processor Check AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Remote Code Execution Cryptographic key |
|
|
|
|
4.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
239 |
2024-02-04 16:47
|
npp86Installerx64.exe d8b897481e51cfab29862e8f9d5a039d Emotet Gen1 Malicious Library UPX PE32 PE File CAB AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Remote Code Execution |
|
|
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
240 |
2024-02-12 17:38
|
RuntimeBroker.EXE 7e0ec75c05e1ed3fca184fbb286c011c Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE File PE64 CAB VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities WriteConsoleW Windows ComputerName Remote Code Execution Cryptographic key |
|
|
|
|
5.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|