#1  2024-11-11 09:50
File: ChromeSetup.exe
MD5: de04168171981a90f56a126ec055ba19
Tags: Malicious Library PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Score: 5.2 | 51 | ZeroCERT

#2  2024-11-11 09:49
File: ChromeSetup.exe
MD5: de04168171981a90f56a126ec055ba19
Tags: Malicious Library PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Score: 5.2 | 51 | ZeroCERT

#3  2024-09-20 10:47
File: 66ec3528901bb_winupdate11.exe#...
MD5: 4fe072b888cd64ff01d73d8b80bfcf3e
Tags: Malicious Library .NET framework(MSIL) PE File .NET EXE MSOffice File PE32 VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Score: 3.6 | M | 28 | ZeroCERT

#4  2024-09-19 10:33
File: 66eaadab755d2_installs.exe#ijs...
MD5: 00b2660d589fe136f015a148d7f4dee0
Tags: Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself
Score: 3.4 | M | 44 | ZeroCERT

#5  2024-08-23 20:12
File: lum_agent_online.exe
MD5: d09a787b5982cf6eccd6e4bbe6290850
Tags: Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Auto service Check virtual network interfaces Tofsee Ransomware Windows ComputerName Remote Code Execution
URLs (4):
  http://client-updates.lumu.io/service/update2?cup2key=1:aiyktIlMWjC_YDIJkn6k3-6XqffwkP2DaBfamURTQIA&cup2hreq=a4125a8074c9af063159ba78027272f9671c42488dea9878a9c5f20b4b7c8dc7
  http://x1.i.lencr.org/
  http://client-updates.lumu.io/service/update2
  https://lumu-updates.s3.amazonaws.com/build/Agent/win/2203318943744/desktop_single_agent-d47545d41d.exe
Hosts (7):
  client-updates.lumu.io(3.229.137.113)
  x1.i.lencr.org(23.207.177.83)
  lumu-updates.s3.amazonaws.com(54.231.203.249)
  3.229.137.113
  23.52.33.11
  23.41.113.9
  54.231.194.33
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.4 | guest

#6  2024-05-24 07:50
File: ChromeSetup.exe
MD5: fe2f9e211bfaf529c92bc28cb847da46
Tags: Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS
URLs (4):
  http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
  http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
  https://update.googleapis.com/service/update2
  https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd
Hosts (28):
  edgedl.me.gvt1.com(34.104.35.123)
  dns.google(8.8.4.4)
  www.google.com(172.217.25.164)
  www.gstatic.com(172.217.25.163)
  play.google.com(142.250.207.110)
  r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
  clients2.googleusercontent.com(172.217.161.225)
  accounts.google.com(64.233.188.84)
  _googlecast._tcp.local()
  apis.google.com(172.217.161.238)
  clientservices.googleapis.com(142.250.206.195)
  108.177.125.84
  172.217.25.170 - malware
  211.114.64.12
  172.217.27.36
  142.250.206.234 - malware
  142.250.204.110
  142.250.76.131
  172.217.161.225 - mailcious
  45.33.6.223
  216.58.200.228
  34.104.35.123
  142.250.76.142 - mailcious
  142.251.222.195
  172.217.24.78
  172.217.24.97
  172.217.27.46
  172.217.25.174 - mailcious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
Score: 7.6 | M | ZeroCERT

#7  2024-04-08 18:28
File: c32setup.exe
MD5: 67fbec9b6576f967be0c088b209232e7
Tags: UPX PE64 PE File OS Processor Check VirusTotal Malware
Score: 1.0 | M | 38 | ZeroCERT

#8  2024-04-08 18:28
File: Rokzl.exe
MD5: d43f2191937f519e0ab6f9c60649c37c
Tags: .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware
Score: 1.0 | M | 37 | ZeroCERT

#9  2024-04-08 18:28
File: tfr.exe
MD5: ad429013c23fece896d44024860b06b8
Tags: UPX PE64 PE File OS Processor Check VirusTotal Malware
Score: 1.2 | M | 44 | ZeroCERT

#10  2024-02-08 08:02
File: RUN.exe
MD5: 1b8ceba270bcec714babe5a0862ef028
Tags: Generic Malware Admin Tool (Sysinternals etc ...) UPX Antivirus PE32 PE File PowerShell Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1):
  http://193.233.132.186/a/a.png
Hosts (1):
  193.233.132.186 - malware
IDS alerts (1):
  ET HUNTING EXE Base64 Encoded potential malware
Score: 8.2 | M | ZeroCERT

#11  2023-11-03 15:54
File: 1.exe
MD5: 1819332f150048eed72a2d891390dad1
Tags: Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS
URLs (4):
  http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
  http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
  https://update.googleapis.com/service/update2?cup2key=12:fiH-rpFmRD_9K6RrmjLJh__4TUMN6H9j0EsLvPpPbKw&cup2hreq=d0876e1be58e78f6be4d5e4f2cb7dd29f25148548a5a47d58e905d10712788fc
  https://update.googleapis.com/service/update2
Hosts (27):
  edgedl.me.gvt1.com(34.104.35.123)
  dns.google(8.8.4.4)
  www.google.com(142.250.76.132)
  www.gstatic.com(142.250.206.227)
  r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
  clients2.googleusercontent.com(142.250.206.225)
  accounts.google.com(142.250.206.205)
  _googlecast._tcp.local()
  apis.google.com(142.250.206.238)
  clientservices.googleapis.com(142.251.42.195)
  142.250.207.65
  216.58.203.78
  211.114.64.12
  172.217.175.227
  142.250.204.131
  142.250.206.225 - mailcious
  142.250.204.110
  142.250.199.68
  142.250.66.99
  34.104.35.123
  216.58.200.227
  142.250.76.138 - phishing
  142.250.76.142 - mailcious
  172.217.161.202 - malware
  142.250.199.77
  142.250.199.67
  172.217.25.174 - mailcious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
Score: 8.4 | ZeroCERT

#12  2023-10-19 10:21
File: EngineChromium.exe
MD5: 2f943946efaa3e446ee3cbd43a540f5b
Tags: Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces
Score: 3.0 | 31 | ZeroCERT

#13  2023-10-19 09:58
File: EngineChromium.exe
MD5: 2f943946efaa3e446ee3cbd43a540f5b
Tags: Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB crashed
Score: 1.6 | 30 | ZeroCERT

#14  2023-10-17 16:40
File: Ermnnolfu.exe
MD5: 7ba214f8174004943d83942dda0f9731
Tags: Downloader UPX PWS KeyLogger Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential Sniff Audio HTTP DNS Code injection Internet API FTP P2P AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
Hosts (4):
  www.pubgh4cks.com(190.123.45.218)
  x1.i.lencr.org(104.76.70.102)
  190.123.45.218
  104.76.70.102
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 14.4 | 48 | ZeroCERT

#15  2023-05-06 12:18
File: file.exe
MD5: 0e4e3cdacfbe29fdc3e189e52ee8228e
Tags: Emotet RAT Themida Packer EnigmaProtector Generic Malware Malicious Packer Antivirus Anti_VM .NET EXE PE32 PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check Tofsee Ransomware Windows ComputerName Remote Code Execution DNS Cryptographic key crashed CoinMiner
URLs (6):
  http://62.204.41.23/o.png
  http://62.204.41.23/file.png
  http://62.204.41.23/r.png
  http://62.204.41.23/OneDrive.png
  http://62.204.41.23/dllhost.png
  http://62.204.41.23/lsass.png
Hosts (5):
  maper.info(148.251.234.93)
  pool.hashvault.pro(142.202.242.45) - mailcious
  148.251.234.93 - mailcious
  62.204.41.23 - malware
  125.253.92.50
IDS alerts (11):
  ET DROP Dshield Block Listed Source group 1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING [TW] Likely Hex Executable String
  ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
  ET POLICY Cryptocurrency Miner Checkin
  ET POLICY IP Logger Redirect Domain in SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 20.4 | M | 29 | ZeroCERT