1 | 2024-02-15 09:46 | wind.exe b90269607f4fb112d0bcfb146576fe38
Tags: Client SW User Data Stealer browser info stealer EnigmaProtector Generic Malware Google Chrome User Data Downloader Malicious Library UPX Malicious Packer Http API PWS Code injection Create Service Socket DGA ScreenShot Escalate priviledges Steal cre Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
14 URLs
12 hosts
13 alerts:
ET MALWARE RisePro TCP Heartbeat Packet
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
5 URLs matched by a rule
26.2 | M | 36 | ZeroCERT

2 | 2024-02-12 19:56 | ladas.exe 739edbbab87a6cad0eb66d08be2696af
Tags: Client SW User Data Stealer browser info stealer Generic Malware EnigmaProtector Google Chrome User Data Downloader UPX Malicious Library Malicious Packer Http API PWS Code injection Create Service Socket DGA ScreenShot Escalate priviledges Steal credenti Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
12 URLs
12 hosts
14 alerts:
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
28.6 | M | 46 | ZeroCERT

3 | 2024-02-07 18:40 | rega.exe bb615fb229575e6df006c102ff561991
Tags: UPX PE32 PE File Malware download VirusTotal Malware AutoRuns MachineGuid Checks debugger unpack itself Windows utilities Checks Bios Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
1 URL
5 hosts
4 alerts:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
10.0 | M | 38 | ZeroCERT

4 | 2024-02-07 09:46 | ladas.exe 3abeb1a3fd51f3ab844411ae46be1f6a
Tags: UPX PE32 PE File Malware download Malware AutoRuns MachineGuid Checks debugger unpack itself Windows utilities Checks Bios Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
2 URLs
7 hosts
4 alerts:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
9.6 | | | ZeroCERT

5 | 2024-02-07 08:04 | dota.exe 55d576e8935a7702827a39bc68efe1f2
Tags: UPX Malicious Library Malicious Packer Code injection Anti_VM AntiDebug AntiVM PE32 PE File OS Processor Check .NET EXE ZIP Format MSOffice File Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
14 URLs
12 hosts
13 alerts:
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
26.4 | | | ZeroCERT

6 | 2024-02-05 07:47 | dota.exe efc03ba934fc40778b5ad928025b9ba3
Tags: Themida Packer Malicious Library UPX Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File MSOffice File OS Processor Check ZIP Format .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
13 URLs
14 hosts
13 alerts:
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Packed Executable Download
2 URLs matched by a rule
23.2 | M | | ZeroCERT

7 | 2024-02-04 17:18 | ladas.exe 131e1852763515da84f38dc27d08d2e2
Tags: RedLine Infostealer RedlineStealer RedLine stealer Amadey UltraVNC NSIS Themida Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX .NET framework(MSIL) Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File ZIP Format OS Processor Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName Trojan DNS Cryptographic key Software crashed Downloader CoinMiner
23 URLs
27 hosts
27 alerts:
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RisePro CnC Activity (Inbound)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET INFO Packed Executable Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET POLICY Cryptocurrency Miner Checkin
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET MALWARE Single char EXE direct download likely trojan (multiple families)
12 URLs matched by a rule
28.4 | M | 46 | ZeroCERT

8 | 2024-01-31 15:52 | 1234pixxxx.exe e2695d45520fe4058a6df4dff94b51e9
Tags: Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory buffers extracted Collect installed applications AntiVM_Disk anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Browser RisePro Email ComputerName DNS Software crashed
1 URL
5 hosts
6 alerts:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
8.8 | M | 52 | ZeroCERT

9 | 2024-01-29 08:09 | lada.exe 68536fff9f64f007745e2fc88467856e
Tags: Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid Checks debugger unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
2 URLs
7 hosts
4 alerts:
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
9.8 | M | | ZeroCERT

10 | 2024-01-26 09:13 | rost.exe 03135ee6d7c5c029982e63d36d368267
Tags: Themida Packer Malicious Packer UPX PE32 PE File Malware download VirusTotal Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
2 URLs
7 hosts
4 alerts:
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 38 | ZeroCERT

11 | 2024-01-26 09:11 | rost.exe 2f9214f932a930a4cdff2b48a3a8eded
Tags: RedLine stealer Amadey RedLine Infostealer RedlineStealer UltraVNC Generic Malware NSIS Hide_EXE Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) .NET framework(MSIL) ScreenShot PWS Anti_VM AntiDebug AntiVM PE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner
28 URLs
22 hosts
25 alerts:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET HUNTING Download Request Containing Suspicious Filename - Crypted
12 URLs matched by a rule
32.2 | M | 38 | ZeroCERT

12 | 2024-01-25 09:20 | stan.exe 04301ab0e3daa0be320a90c29059f088
Tags: Client SW User Data Stealer RedLine stealer RedLine Infostealer RedlineStealer Amadey browser info stealer Themida Packer UltraVNC Generic Malware NSIS Hide_EXE Google Chrome User Data Downloader Malicious Packer Malicious Library UPX .NET frame Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader
20 URLs
22 hosts
22
ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Packed Executable Download ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET HUNTING Download Request Containing Suspicious Filename - Crypted
2024-01-24 08:00
StealerClient_Cpp_1_4.exe 43cfdf73b4175c4eb9611116f46ecaf5 Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check VirusTotal Malware |
2024-01-23 08:04
face.exe b367a4da8177d0be7638599aad1caa9b Amadey Generic Malware NSIS Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Processor Check DLL .NET EXE ZIP Format MZP Format JPEG Format BMP Format CHM Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
ET MALWARE [ANY.RUN] RisePro TCP (Token) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Packed Executable Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Amadey Bot Activity (POST) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2024-01-22 12:45
RisePro_1.4_oCtFry7ogY0hng063r... 1c8918482b9cd613ba75ab7a16463e18 Generic Malware Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity)