1 | 2024-07-04 07:36
File: injector.exe
MD5: 509c110ee54d73c3398140a5eb78c45a
Tags: NSIS Malicious Library UPX Confuser .NET PE File PE32 .NET EXE VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder ComputerName DNS crashed
Hosts: 1 (none listed)
Alerts (2):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 15
  ET INFO Microsoft net.tcp Connection Initialization Activity
Score: 5.2 | VirusTotal: 57 | Submitter: ZeroCERT

2 | 2024-06-20 16:48
File: DamnedSetup.exe
MD5: c431df16a0810e27345aa37df100a114
Tags: Gen1 NSIS Generic Malware Malicious Library UPX Antivirus Malicious Packer Obsidium protector Admin Tool (Sysinternals etc ...) Javascript_Blob Anti_VM PE File PE32 DLL OS Processor Check ftp PE64 VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder Ransom Message Ransomware
Score: 4.8 | VirusTotal: 1 | Submitter: ZeroCERT

3 | 2024-06-10 10:10
File: loader-1001.exe
MD5: 58ca6d5068fa4fed981cf5ef8a04e4d5
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 Pow VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder Tofsee Windows ComputerName Cryptographic key crashed
URLs (5):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://cdn-edge-node.com/online_security_mkl.exe - rule_id: 39716
  https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 - rule_id: 39690
  https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001 - rule_id: 39689
Hosts (9):
  d2lvl7wmj7b91p.cloudfront.net(54.230.169.96)
  d22hce23hy1ej9.cloudfront.net(13.225.110.70) - malicious
  adblock2024.shop(104.21.43.83) - malicious
  cdn-edge-node.com(104.21.11.117) - malicious
  54.230.169.11
  172.67.165.254 - malicious
  121.254.136.18
  13.225.110.102
  172.67.176.247
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (3):
  https://cdn-edge-node.com/online_security_mkl.exe
  https://d22hce23hy1ej9.cloudfront.net/load/th.php
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php
Score: 10.2 | M | VirusTotal: 31 | Submitter: ZeroCERT

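Added example, not part of the listing: a parser for the URL and host fields of an entry like the one above, turning them into an IOC set. The listing marks hosts with "- malicious" (spelled "mailcious" in the raw export) or "- malware", and marks URLs that hit its own URL rules with "- rule_id: N"; both forms are handled. The sample fields are copied verbatim from entry 3 (loader-1001.exe). The split between IPs worth blocking and IPs on shared infrastructure is this example's own assumption: CloudFront distribution names and the Cloudflare address ranges 104.16.0.0/12 and 172.64.0.0/13 are treated as shared, so those hosts become hostname or URL indicators rather than IP blocks.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Host field copied from entry 3 above, in the raw export's spelling.
HOSTS_FIELD = (
    "d2lvl7wmj7b91p.cloudfront.net(54.230.169.96) "
    "d22hce23hy1ej9.cloudfront.net(13.225.110.70) - mailcious "
    "adblock2024.shop(104.21.43.83) - mailcious "
    "cdn-edge-node.com(104.21.11.117) - mailcious "
    "54.230.169.11 172.67.165.254 - mailcious 121.254.136.18 "
    "13.225.110.102 172.67.176.247"
)

# URL field copied from the same entry.
URLS_FIELD = (
    "http://apps.identrust.com/roots/dstrootcax3.p7c "
    "https://cdn-edge-node.com/online_security_mkl.exe - rule_id: 39716 "
    "https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 - rule_id: 39690 "
    "https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001 "
    "https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001 - rule_id: 39689"
)

# A host token is either "domain(ip)" or a bare IPv4 address.
HOST_RE = re.compile(
    r"^(?:(?P<domain>[A-Za-z0-9.-]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))$"
)
URL_RE = re.compile(r"^https?://\S+$")
FLAG_WORDS = {"mailcious", "malicious", "malware"}

# Assumption: these are shared hosting and would hit unrelated tenants if
# blocked by IP. Cloudflare ranges are a subset of its published list.
SHARED_SUFFIXES = (".cloudfront.net",)
CDN_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/12", "172.64.0.0/13")]


def parse_hosts(field):
    """Return [{'domain', 'ip', 'flagged'}] for a listing host field."""
    hosts, tokens, i = [], field.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        # "- <flag>" applies to the host token immediately before it.
        if tok == "-" and i + 1 < len(tokens) and tokens[i + 1].lower() in FLAG_WORDS:
            if hosts:
                hosts[-1]["flagged"] = True
            i += 2
            continue
        m = HOST_RE.match(tok)
        if not m:
            raise ValueError(f"unrecognised host token: {tok!r}")
        hosts.append({"domain": m.group("domain"),
                      "ip": m.group("ip") or m.group("bare"),
                      "flagged": False})
        i += 1
    return hosts


def parse_urls(field):
    """Return [{'url', 'rule_id'}]; rule_id is None when no rule matched."""
    urls, tokens, i = [], field.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        # "- rule_id: N" is three whitespace-separated tokens.
        if tok == "-" and i + 2 < len(tokens) and tokens[i + 1] == "rule_id:":
            if urls:
                urls[-1]["rule_id"] = int(tokens[i + 2])
            i += 3
            continue
        if not URL_RE.match(tok):
            raise ValueError(f"unrecognised URL token: {tok!r}")
        urls.append({"url": tok, "rule_id": None})
        i += 1
    return urls


def on_shared_infra(domain, ip):
    if domain and domain.endswith(SHARED_SUFFIXES):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_NETS)


def build_iocs(hosts, urls):
    """Split flagged hosts into domain, blockable-IP and shared-IP sets;
    keep rule-matched URLs and their paths for proxy hunting."""
    iocs = {"domains": set(), "block_ips": set(), "shared_ips": set(),
            "urls": set(), "paths": set()}
    for h in hosts:
        if not h["flagged"]:
            continue
        if h["domain"]:
            iocs["domains"].add(h["domain"])
        bucket = "shared_ips" if on_shared_infra(h["domain"], h["ip"]) else "block_ips"
        iocs[bucket].add(h["ip"])
    for u in urls:
        if u["rule_id"] is not None:
            iocs["urls"].add(u["url"])
            iocs["paths"].add(urlparse(u["url"]).path)
    return iocs


if __name__ == "__main__":
    for k, v in build_iocs(parse_hosts(HOSTS_FIELD), parse_urls(URLS_FIELD)).items():
        print(f"{k}: {sorted(v)}")
```

For this entry every flagged IP lands in the shared set, so the usable indicators are the three domains and the rule-matched URL paths, not the addresses. The identrust URL is left out deliberately: it is a certificate-chain fetch that appears in most of the loader entries and would be a noisy indicator.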
4 | 2024-05-20 10:27
File: start-pub.exe
MD5: 52bcb73bddd7e3b613ec7fb1367c91c1
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 P VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (6):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt - rule_id: 39695
  https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2841&c=2841 - rule_id: 39690
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=2841 - rule_id: 39689
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=2841 - rule_id: 39689
  https://d1vt2h4o64rfsv.cloudfront.net/load/load.php?c=2841&a=2841 - rule_id: 39691
Hosts (11):
  d22hce23hy1ej9.cloudfront.net(13.225.110.70) - malicious
  cdn-edge-node.com(104.21.11.117) - malicious
  240429000936002.mjt.kqri92.top(94.156.35.76) - malicious
  d1vt2h4o64rfsv.cloudfront.net(18.244.65.223) - malicious
  adblock2024.shop(172.67.176.247) - malicious
  172.67.165.254 - malicious
  18.244.65.10 - malicious
  104.21.43.83 - malicious
  13.225.110.102
  182.162.106.144
  179.43.158.2
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
Rule-matched URLs (5):
  http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
  https://d22hce23hy1ej9.cloudfront.net/load/th.php
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php
  https://d1vt2h4o64rfsv.cloudfront.net/load/load.php
Score: 11.2 | M | VirusTotal: 17 | Submitter: ZeroCERT

5 | 2024-05-19 10:36
File: vpn-1002.exe
MD5: ccb630a81a660920182d1c74b8db7519
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (7):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
  https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
  https://cdn-edge-node.com/online_security_mkl.exe
  https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
  https://d2csnxzxwctx26.cloudfront.net/load/load.php?c=1002
Hosts (11):
  d22hce23hy1ej9.cloudfront.net(13.225.110.70)
  cdn-edge-node.com(172.67.165.254)
  240429000936002.mjt.kqri92.top(94.156.35.76)
  d2csnxzxwctx26.cloudfront.net(18.64.13.65)
  adblock2024.shop(172.67.176.247)
  104.21.11.117
  104.21.43.83
  18.64.13.155
  94.156.35.76 - malware
  13.225.110.102
  121.254.136.9
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
Score: 10.2 | VirusTotal: 24 | Submitter: ZeroCERT

6 | 2024-05-17 09:30
File: vpn-1002.exe
MD5: 7282845f442c81d8f609bcc1a2853308
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (7):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
  https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1002
  https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1002
  https://cdn-edge-node.com/online_security_mkl.exe
  https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=458&c=1002
  https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1002
Hosts (12):
  cdn-edge-node.com(172.67.165.254)
  240429000936002.mjt.kqri92.top(94.156.35.76)
  d2iv78ooxaijb6.cloudfront.net(54.192.60.53)
  adblock2024.shop(172.67.176.247)
  d295fdouc92v9n.cloudfront.net(13.225.129.184)
  172.67.165.254
  54.192.60.39
  104.21.43.83
  13.225.129.128
  101.42.35.39 - malicious
  179.43.158.2
  121.254.136.9
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
Score: 12.4 | M | VirusTotal: 43 | Submitter: ZeroCERT

7 | 2024-05-03 15:39
File: loader-1000.exe
MD5: d58a180c5d85448472b4e1007fae4b2a
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (6):
  http://185.172.128.59/ISetup1.exe
  http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
  https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000
  https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000
  https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1000
  https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000
Hosts (7):
  d2iv78ooxaijb6.cloudfront.net(54.192.60.34)
  d295fdouc92v9n.cloudfront.net(13.225.129.43)
  240429000936002.mjt.kqri92.top(94.156.35.76)
  179.43.158.2
  13.225.129.43
  54.192.60.34
  185.172.128.59 - malware
Alerts (9):
  ET DNS Query to a *.top domain - Likely Hostile
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 32
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO HTTP Request to a *.top domain
Score: 11.6 | M | VirusTotal: 22 | Submitter: ZeroCERT

8 | 2024-04-27 11:58
File: loader-1000.exe
MD5: 705685a8deace858e7fc849471c045f3
Tags: NSIS Generic Malware Malicious Library UPX Antivirus PE File PE32 PowerShell DLL OS Processor Check VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (8):
  http://185.172.128.59/ISetup1.exe
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://240216234727901.mjj.xne26.cfd/f/fvgbm0216901.txt
  https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456
  https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000
  https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444
  https://d68kcn56pzfb4.cloudfront.net/load/load.php?c=1000
  https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000
Hosts (8):
  240216234727901.mjj.xne26.cfd(94.156.35.76)
  d68kcn56pzfb4.cloudfront.net(99.86.146.198)
  monoblocked.com(45.130.41.108) - malware
  61.111.58.34 - malware
  45.130.41.108 - malware
  179.43.158.2
  185.172.128.59 - malware
  99.86.146.198
Alerts (7):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 32
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 12.0 | M | VirusTotal: 24 | Submitter: ZeroCERT

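Added example, not part of the listing: detection logic for the three request shapes that recur across entries 3 to 8 (loader-1000/1001, vpn-1002, start-pub), run over constructed proxy-log lines. The CloudFront distribution names change from run to run (d22hce23hy1ej9, d2iv78ooxaijb6, d68kcn56pzfb4, d295fdouc92v9n, d1vt2h4o64rfsv, d2csnxzxwctx26, d2lvl7wmj7b91p), so the stable handle is the `/load/{dl,th,load}.php` path and the `c=` campaign parameter, not the hostname. The hostname regex for the `.top`/`.cfd` text-file hosts generalises from the two hostnames on the page and is an assumption; the log format, the client addresses and the benign d111111abcdef8.cloudfront.net host are made up. The dotted-quad `.exe` check mirrors the ET INFO "Executable Download from dotted-quad Host" alert that fired in entries 7 and 8.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed proxy log (timestamp client method url status). Malicious URLs
# are copied from entries 3 to 8; the identrust and app.js lines are benign.
SAMPLE_LOG = """\
2024-06-10T10:10:02Z 10.0.0.5 GET https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 200
2024-06-10T10:10:03Z 10.0.0.5 GET http://apps.identrust.com/roots/dstrootcax3.p7c 200
2024-06-10T10:10:04Z 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/assets/app.js 200
2024-05-19T10:36:11Z 10.0.0.7 GET http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt 200
2024-05-19T10:36:12Z 10.0.0.7 GET https://d2csnxzxwctx26.cloudfront.net/load/load.php?c=1002 200
2024-05-03T15:39:40Z 10.0.0.9 GET http://185.172.128.59/ISetup1.exe 200
"""

# Path shape seen on every CloudFront host in entries 3 to 8.
LOAD_PHP_PATH = re.compile(r"^/load/(?:dl|th|load)\.php$")
# Assumption: generalised from 240429000936002.mjt.kqri92.top and
# 240216234727901.mjj.xne26.cfd (15 digits, 3 letters, label, .top/.cfd).
NUMERIC_PREFIX_HOST = re.compile(r"^\d{15}\.[a-z]{3}\.[a-z0-9]+\.(?:top|cfd)$")
# Assumption: generalised from /f/fvgbm0428902.txt and /f/fvgbm0216901.txt.
TXT_DROP_PATH = re.compile(r"^/f/[a-z]+\d+\.txt$")


def is_ipv4_literal(host):
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False


def classify_request(url):
    """Return the names of the loader patterns a single request URL matches."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    hits = []
    if host.endswith(".cloudfront.net") and LOAD_PHP_PATH.match(p.path):
        hits.append("cloudfront_load_php")
    if NUMERIC_PREFIX_HOST.match(host) and TXT_DROP_PATH.match(p.path):
        hits.append("numeric_prefix_txt_host")
    if is_ipv4_literal(host) and p.path.lower().endswith(".exe"):
        hits.append("exe_from_dotted_quad")
    return hits


def scan_log(text):
    """Return (timestamp, client, url, hits) for every line that matches."""
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        hits = classify_request(url)
        if hits:
            found.append((ts, client, url, hits))
    return found


def campaign_ids(text):
    """Collect the c= value from matched /load/*.php requests; it identifies
    the build (1000, 1001, 1002, 2841 on this page) across host changes."""
    ids = set()
    for _ts, _client, url, hits in scan_log(text):
        if "cloudfront_load_php" in hits:
            ids.update(parse_qs(urlparse(url).query).get("c", []))
    return ids


if __name__ == "__main__":
    for ts, client, url, hits in scan_log(SAMPLE_LOG):
        print(ts, client, url, ",".join(hits))
    print("campaign ids:", sorted(campaign_ids(SAMPLE_LOG)))
```

The CloudFront rule matches on path alone, so any tenant serving `/load/dl.php` would trip it; treat it as a hunting query and pivot on the `c=` value and the JA3/SSLBL alert the sandbox also raised rather than blocking on it outright. The `.top`/`.cfd` rule is tighter but will silently miss the next naming scheme.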
9 | 2024-03-17 09:53
File: vbc.exe
MD5: d7e7cdf137c9d5dfa8d07a6e99d40e98
Tags: Malicious Library UPX Admin Tool (Sysinternals etc ...) PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Creates executable files unpack itself AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
Hosts (2):
  sempersim.su(104.237.252.28) - malicious
  104.237.252.28
Alerts (1):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Score: 10.8 | M | VirusTotal: 51 | Submitter: guest

10 | 2024-02-29 07:49
File: DigitalCloud.exe
MD5: f09529be487a02ca6637cdafae71bbcd
Tags: Emotet NSIS Generic Malware Malicious Library UPX Malicious Packer Antivirus PE File PE32 PE64 OS Processor Check DLL .NET DLL MZP Format Lnk Format GIF Format VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName crashed
URLs (1):
  http://www.google-analytics.com/collect
Hosts (2):
  www.google-analytics.com(172.217.161.238)
  142.250.66.142
Score: 8.8 | M | VirusTotal: 43 | Submitter: ZeroCERT

11 | 2024-01-06 10:51
File: kkm_fix_old.exe
MD5: f12d41a888b7e3fd03c3c5347c6ee778
Tags: Malicious Library UPX .NET framework(MSIL) PE32 PE File DLL .NET DLL OS Processor Check PNG Format ftp .NET EXE Lnk Format GIF Format VirusTotal Malware AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName
Score: 3.8 | M | VirusTotal: 34 | Submitter: ZeroCERT

12 | 2024-01-02 07:52
File: kkm_2337.exe
MD5: d176d5132b461760213c52d026b04e08
Tags: Malicious Library UPX .NET framework(MSIL) Anti_VM PE32 PE File DLL .NET DLL OS Processor Check PNG Format ftp .NET EXE Lnk Format GIF Format AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName
Score: 2.8 | M | Submitter: ZeroCERT

13 | 2024-01-02 07:50
File: kkm_new.exe
MD5: b19b78b10092d1ac185bc35faf8c6efd
Tags: Malicious Library UPX .NET framework(MSIL) Anti_VM PE32 PE File DLL .NET DLL OS Processor Check PNG Format ftp .NET EXE Lnk Format GIF Format AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS
Hosts: 1 (none listed)
Score: 3.8 | M | Submitter: ZeroCERT

14 | 2024-01-02 07:45
File: kkm_2245.exe
MD5: 8c1279098d87e19ccc488a4b04a77e45
Tags: Malicious Library UPX .NET framework(MSIL) PE32 PE File DLL .NET DLL OS Processor Check PNG Format ftp .NET EXE Lnk Format GIF Format VirusTotal Malware AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName
Score: 3.4 | M | VirusTotal: 17 | Submitter: ZeroCERT

15 | 2024-01-02 07:44
File: kkm.exe
MD5: 2bd2b08ca47144328cbc68041d8714be
Tags: Malicious Library UPX .NET framework(MSIL) Anti_VM PE32 PE File DLL .NET DLL OS Processor Check PNG Format Lnk Format GIF Format .NET EXE ftp VirusTotal Malware AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName
Score: 3.6 | M | VirusTotal: 28 | Submitter: ZeroCERT