106 | 2023-04-28 09:09 | Source: ZeroCERT
Sample: photo_410.exe | MD5: 522ae0a94eb64b2124168a956e661bc3
Tags: Gen1 Emotet PWS .NET framework RAT UPX Malicious Library Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check .NET EXE DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (5):
  http://193.3.19.154/store/games/index.php
  http://193.3.19.154/DSC01402/foto0174.exe
  http://193.3.19.154/DSC01402/foto34.exe
  http://193.3.19.154/store/games/Plugins/cred64.dll
  http://193.3.19.154/store/games/Plugins/clip64.dll
IPs (2):
  193.3.19.154 - malware
  185.161.248.72
ET alerts (7):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: none
Score: 15.8 | Verdict: M | VT detections: -

107 | 2023-05-04 09:51 | Source: ZeroCERT
Sample: fotocr54.exe | MD5: 6311878ae700ef484c76e9f6be5d78e4
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer CAB PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (1):
  http://77.91.124.20/store/games/Plugins/cred64.dll
IPs (2):
  77.91.124.20 - malware
  217.196.96.56
ET alerts: none
Rule-matched URLs: none
Score: 15.4 | Verdict: M | VT detections: -

108 | 2023-05-08 09:32 | Source: ZeroCERT
Sample: photo_727.exe | MD5: b2e88b522292ea5d250be091a726aa95
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/DSC01491/foto0183.exe
  http://77.91.124.20/store/games/index.php
IPs (2):
  77.91.124.20 - malware
  217.196.96.101
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (1):
  http://77.91.124.20/store/games/Plugins/cred64.dll
Score: 16.0 | Verdict: M | VT detections: -

109 | 2023-05-08 11:08 | Source: ZeroCERT
Sample: foto0183.exe | MD5: 459b9ff381bf53ae74aae7bbdc5cc6b3
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6):
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  http://77.91.124.20/store/games/Plugins/clip64.dll
IPs (2):
  77.91.124.20
  217.196.96.101
ET alerts (5):
  ET MALWARE Amadey CnC Check-In
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/Plugins/clip64.dll
Score: 16.0 | Verdict: - | VT detections: -

110 | 2023-05-09 09:11 | Source: ZeroCERT
Sample: foto0174.exe | MD5: 1b1b1239c10dcd01f551df6cee30d4e2
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (4):
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
IPs (2):
  77.91.124.20 - malware
  217.196.96.101 - malicious
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (3):
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/clip64.dll
Score: 16.0 | Verdict: M | VT detections: -

111 | 2023-05-09 09:11 | Source: ZeroCERT
Sample: fotocr23.exe | MD5: 9a5f630ba99d3ee7e838d5c9abac233e
Tags: Gen1 Emotet PWS .NET framework RAT UltraVNC UPX Malicious Library Malicious Packer Confuser .NET CAB PE32 PE File OS Processor Check .NET EXE AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Disables Windows Security AppData folder AntiVM_Disk VM Disk Size Check Windows Update Remote Code Execution DNS Cryptographic key crashed
URLs: none
IPs (2):
  94.142.138.32
  77.91.124.20 - malware
ET alerts: none
Rule-matched URLs: none
Score: 7.0 | Verdict: M | VT detections: -

112 | 2023-05-11 09:15 | Source: ZeroCERT
Sample: photo_570.exe | MD5: 9521fd6fc4a58dd4ae3c47d95eb91557
Tags: Gen1 Emotet PWS .NET framework RAT UltraVNC UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Confuser .NET CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6):
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  http://77.91.124.20/DSC01491/foto0174.exe
  http://77.91.124.20/DSC01491/fotocr23.exe
IPs (2):
  185.161.248.75
  77.91.124.20 - malware
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (3):
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/clip64.dll
Score: 16.0 | Verdict: M | VT detections: -

113 | 2023-05-12 18:04 | Source: ZeroCERT
Sample: photo190.exe | MD5: d874573195e89d1fdd72f31050cfcdc2
Tags: RedLine stealer[m] Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer SMTP PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (4):
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
IPs (2):
  185.161.248.75
  77.91.124.20 - malware
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.124.20/store/games/index.php
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/Plugins/clip64.dll
Score: 20.4 | Verdict: M | VT detections: 40

114 | 2023-05-14 17:08 | Source: ZeroCERT
Sample: lega.exe | MD5: 72361b9ac961ae2ec3e94022f1ccb0a6
Tags: RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Confuser .NET SMTP PWS[m] AntiDebug AntiVM CAB PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs: none
IPs (1):
  185.161.248.75 - malicious
ET alerts: none
Rule-matched URLs: none
Score: 14.0 | Verdict: M | VT detections: -

115 | 2023-05-16 09:16 | Source: ZeroCERT
Sample: photo230.exe | MD5: bd745f43c090fd7fc5aeae0ec6b48d5a
Tags: RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Confuser .NET SMTP Code injection HTTP PWS[m] Http API Internet API AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6):
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  http://77.91.124.20/DSC01491/foto0174.exe - rule_id: 32623
  http://77.91.124.20/DSC01491/fotocr23.exe - rule_id: 32624
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
IPs (2):
  77.91.124.20 - malware
  185.161.248.25 - malware
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (5):
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/Plugins/clip64.dll
  http://77.91.124.20/DSC01491/foto0174.exe
  http://77.91.124.20/DSC01491/fotocr23.exe
  http://77.91.124.20/store/games/index.php
Score: 21.6 | Verdict: M | VT detections: 33

116 | 2023-05-19 18:00 | Source: ZeroCERT
Sample: photo230.exe | MD5: 6af5107aa062ad8f3aa8cd91491de9c1
Tags: Gen1 Emotet UPX Malicious Library CAB PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs: none
IPs (1): none listed
ET alerts: none
Rule-matched URLs: none
Score: 11.0 | Verdict: M | VT detections: 37

117 | 2023-05-20 16:20 | Source: ZeroCERT
Sample: foto0195.exe | MD5: 283d3a45769695434e47bbb2c98ff469
Tags: Gen1 Emotet PWS .NET framework RAT RedLine Stealer UltraVNC UPX Malicious Library Confuser .NET CAB PE File PE32 OS Processor Check .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs: none
IPs (1): none listed
ET alerts: none
Rule-matched URLs: none
Score: 11.4 | Verdict: M | VT detections: 36

118 | 2023-05-24 10:46 | Source: ZeroCERT
Sample: photo660.exe | MD5: 18091cc747be815a7b757e5c439df36e
Tags: Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Confuser .NET SMTP Code injection HTTP PWS[m] Http API Internet API AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (5):
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/DSC01491/fotocr45.exe
  http://77.91.124.20/store/games/index.php - rule_id: 32547
  http://77.91.124.20/store/games/index.php
IPs (2):
  83.97.73.122
  77.91.124.20 - malware
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (3):
  http://77.91.124.20/store/games/Plugins/clip64.dll
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/index.php
Score: 21.8 | Verdict: M | VT detections: 40

119 | 2023-05-24 15:16 | Source: ZeroCERT
Sample: fotocr45.exe | MD5: 45ef32456aac94be8e1bac27ed574868
Tags: Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Confuser .NET SMTP Code injection HTTP PWS[m] Http API Internet API AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
  http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
  http://77.91.124.20/store/games/index.php - rule_id: 32547
IPs (2):
  83.97.73.122 - malicious
  77.91.124.20 - malware
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.124.20/store/games/Plugins/clip64.dll
  http://77.91.124.20/store/games/Plugins/cred64.dll
  http://77.91.124.20/store/games/index.php
Score: 19.4 | Verdict: M | VT detections: -

120 | 2023-05-26 09:30 | Source: ZeroCERT
Sample: foto495.exe | MD5: e09051927ec47af8b01ec79d5548c7be
Tags: Gen1 Emotet PWS .NET framework RAT UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Confuser .NET CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (2):
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
IPs (3):
  83.97.73.122 - malicious
  77.91.68.62 - malware
  185.225.74.112
ET alerts (6):
  ET MALWARE Amadey CnC Check-In
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs: none
Score: 14.8 | Verdict: M | VT detections: 36
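The records above share one pattern: a dotted-quad host, a check-in to `/store/games/index.php` (later `/wings/game/index.php`), plugin fetches of `cred64.dll` and `clip64.dll` from `/Plugins/`, and `.exe` next stages under `/DSC0xxxx/`. The following is an added example, not tooling from ZeroCERT or the sandbox: a Python extractor that pulls MD5s, URLs, public IPv4s and ET signature names out of the flattened record text as the listing renders it, labels each dotted-quad URL with one of the three roles seen in these records, and matches proxy log lines against the resulting IOC set. The excerpt text, the proxy log lines, the log format and all function names are constructed for the example; the hashes, hosts and paths in them are taken from records 106 and 109.

```python
"""IOC extraction from flattened sandbox records (added example).

The regexes work on the run-together text exactly as the listing renders
it; nothing here depends on the table columns having survived.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed excerpt: lines lifted from records 106 and 109 on this page.
SANDBOX_TEXT = """
photo_410.exe 522ae0a94eb64b2124168a956e661bc3 Gen1 Emotet PWS Amadey
http://193.3.19.154/store/games/index.php
http://193.3.19.154/store/games/Plugins/cred64.dll
193.3.19.154 - malware
185.161.248.72
ET MALWARE Amadey CnC Check-In ET INFO Dotted Quad Host DLL Request
foto0183.exe 459b9ff381bf53ae74aae7bbdc5cc6b3 Gen1 Emotet Amadey
http://77.91.124.20/store/games/index.php - rule_id: 32547 http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
77.91.124.20 - malware 217.196.96.101 - malicious
ET MALWARE Amadey CnC Check-In ET POLICY PE EXE or DLL Windows file download HTTP
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://[^\s|]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# An ET signature name runs from "ET <CATEGORY> " to the next one or end of line.
ALERT_RE = re.compile(r"ET [A-Z]+ .+?(?= ET [A-Z]+ |$)", re.MULTILINE)


def extract_iocs(text):
    """De-duplicated hashes, URLs, public IPv4s and ET alert names in text."""
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:
            continue  # "999.1.1.1" passes the regex but is not an address
        if ip.is_global:  # keep sandbox LAN / loopback noise out of a blocklist
            ips.add(str(ip))
    return {
        "md5": sorted(set(MD5_RE.findall(text))),
        "urls": sorted(set(URL_RE.findall(text))),
        "ipv4": sorted(ips),
        "alerts": sorted(a.strip() for a in set(ALERT_RE.findall(text))),
    }


def classify_url(url):
    """Label a URL by the roles visible in these records, but only when the
    host is a bare IPv4 address (the "dotted-quad host" the ET rules key on)."""
    parts = urlparse(url)
    try:
        ipaddress.IPv4Address(parts.hostname)
    except ValueError:
        return None  # hostname is a DNS name (or missing)
    path = parts.path.lower()
    if path.endswith("/index.php"):
        return "c2-checkin"          # Amadey check-in endpoint seen above
    if "/plugins/" in path and path.endswith(".dll"):
        return "plugin-download"     # cred64.dll / clip64.dll fetches
    if path.endswith(".exe"):
        return "payload-download"    # foto*.exe / photo*.exe next stages
    return None


def match_proxy_log(lines, iocs):
    """Return (line_no, host, reason) for constructed proxy lines of the form
    '<timestamp> <client> <method> <url> <status>' that touch a known IOC."""
    urls, ips = set(iocs["urls"]), set(iocs["ipv4"])
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        host = urlparse(url).hostname
        if url in urls:
            hits.append((n, host, "known-url:" + (classify_url(url) or "other")))
        elif host in ips:
            hits.append((n, host, "known-ip"))
    return hits


# Constructed proxy log; destinations come from the records, clients are private.
PROXY_LOG = [
    "2023-05-08T09:32:11 10.0.0.15 POST http://77.91.124.20/store/games/index.php 200",
    "2023-05-08T09:32:14 10.0.0.15 GET http://77.91.124.20/store/games/Plugins/clip64.dll 200",
    "2023-05-08T09:33:02 10.0.0.22 GET http://217.196.96.101/ 404",
    "2023-05-08T09:35:40 10.0.0.30 GET http://example.com/index.php 200",
]

IOCS = extract_iocs(SANDBOX_TEXT)
HITS = match_proxy_log(PROXY_LOG, IOCS)

if __name__ == "__main__":
    for key, values in IOCS.items():
        print(f"{key}: {len(values)}")
    for hit in HITS:
        print(hit)
```

Two design points. IPs embedded in URLs and IPs listed in the IP column collapse into one set, so 77.91.124.20 appears once however many records name it, and only globally routable addresses are kept so a sandbox's own 10.0.0.0/8 traffic never ends up on a blocklist. `classify_url` refuses to label anything with a DNS hostname: the roles it assigns are only meaningful for the bare-IP hosting these records show, which is also what every "Dotted Quad Host" ET signature in the alert lists keys on.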