8896 |
2023-10-16 18:35
|
Roblox_Level_4_Exploit.exe 01af0cd59dfa4e45fc8cb5d9ecbd6de3 Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee ComputerName |
1
http://kenesrakishev.net/wp-admin/admin-ajax.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.0 |
|
39 |
ZeroCERT
8897 |
2023-10-16 18:36
|
setup-lightshot.exe 416c97ae7efb1385cf83a5fd277e68ee Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-load.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
39 |
ZeroCERT
8898 |
2023-10-16 18:44
|
sihost.exe 0855867efc0b10ff80a9237b8ee9ba3d .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
|
24 |
ZeroCERT
8899 |
2023-10-17 07:44
|
pqAlGyUFhqdKYsx.exe 991a0243b129e2086d31127247f0c630 LokiBot Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.77) 173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
|
|
ZeroCERT
8900 |
2023-10-17 09:43
|
artwork.hta b3a69d39ea2f074e520077721b475d51 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
http://91.207.183.9:8000/main.bat
http://91.207.183.9:8000/main.exe
|
3
www2.lunapic.com(72.9.146.243) 91.207.183.9 - mailcious
72.9.146.243
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
|
|
10.6 |
|
26 |
ZeroCERT
8901 |
2023-10-17 10:07
|
555.bat 758138cf292edc7fc200b8853a34dce3 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
http://91.207.183.9:8000/main.bat - rule_id: 37338 http://91.207.183.9:8000/artwork.hta - rule_id: 37341
|
3
www2.lunapic.com(72.9.146.243) 91.207.183.9 - mailcious 72.9.146.243
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible HTA Application Download ET INFO Dotted Quad Host HTA Request ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
|
2
http://91.207.183.9:8000/main.bat http://91.207.183.9:8000/artwork.hta
|
11.6 |
M |
1 |
ZeroCERT
8902 |
2023-10-17 10:12
|
test.pdf.url ff6018379580a0f672c47e2051e514fa AntiDebug AntiVM Malware download VirusTotal Malware powershell Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee RedCurl Windows Exploit DNS crashed |
1
http://91.207.183.9:8000/main.bat - rule_id: 37338
|
1
|
4
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Suspected REDCURL CnC Activity M1 ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
|
1
http://91.207.183.9:8000/main.bat
|
4.6 |
M |
4 |
ZeroCERT
8903 |
2023-10-17 10:18
|
xxx.vbs 8565f26c1e4435a5645fee07d989e418 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.53.71) - malware 104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
8904 |
2023-10-17 10:19
|
HJGHJGHJJGFile.vbs 5ccfeb1c2b9afa98577b2d633b4b1166 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.53.71) - malware 104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
8905 |
2023-10-17 10:52
|
at.hta b3a69d39ea2f074e520077721b475d51 Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
http://91.207.183.9:8000/main.bat - rule_id: 37338
|
3
www2.lunapic.com(72.9.146.243) 91.207.183.9 - mailcious 72.9.146.243
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
|
1
http://91.207.183.9:8000/main.bat
|
12.4 |
M |
26 |
ZeroCERT
8906 |
2023-10-17 16:28
|
Archive.7z 14cf80a7fd8a77c3eaed98b8ec615eb4 Stealc PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Kelihos Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS plugin |
56
|
80
|
54
ET DNS Query to a *.top domain - Likely Hostile SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET INFO Microsoft net.tcp Connection Initialization Activity ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity 
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO Packed Executable Download ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET INFO Dotted Quad Host ZIP Request ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Possible Kelihos.F EXE Download Common Structure
|
21
|
6.4 |
M |
|
ZeroCERT
8907 |
2023-10-17 16:40
|
Ermnnolfu.exe 7ba214f8174004943d83942dda0f9731 Downloader UPX PWS KeyLogger Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential Sniff Audio HTTP DNS Code injection Internet API FTP P2P AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
|
4
www.pubgh4cks.com(190.123.45.218) x1.i.lencr.org(104.76.70.102) 190.123.45.218 104.76.70.102
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
|
48 |
ZeroCERT
8908 |
2023-10-17 16:42
|
bQGy.exe a60c2e8459387329e1dbe2d3625ee2c8 PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
pt.textbin.net(148.72.177.212) 148.72.177.212 - mailcious 182.162.106.33 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
55 |
ZeroCERT
8909 |
2023-10-17 17:01
|
Setup.7z 72cbddd810e52a32ffed4a5db1faeb1d Stealc PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro Trojan DNS |
47
|
75
|
40
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE Win32/Vodkagats Loader Requesting Payload ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Packed Executable Download ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO Dotted 
Quad Host ZIP Request ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2
|
19
|
6.0 |
M |
|
ZeroCERT
8910 |
2023-10-18 07:53
|
ezy.exe 68cf6b4b568cc8bcbfe7dc53607f0c90 LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(64.185.227.156) 173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.2 |
M |
|
ZeroCERT