8941 |
2023-10-23 12:18
|
adyfriday.vbs 288d724f6234e9a79e54451391e158fe Generic Malware Antivirus PWS KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key crashed |
2
http://94.156.253.236/fridayyyyyy.txt
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
3
imageupload.io(172.67.222.26) - malware 172.67.222.26 - malware
94.156.253.236 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
|
|
16.0 |
M |
3 |
ZeroCERT
8942 |
2023-10-23 13:14
|
kwen.vbs 6919d3ccefbb9391a2f2a4deb3e52e70 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://193.42.33.51/kngeeog.txt
|
2
wallpapercave.com(172.67.29.26) - malware 104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
16 |
ZeroCERT
8943 |
2023-10-23 13:15
|
nigazxbb.vbs 4f67a35c1cef3eea2e6734e08beed57f Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://193.42.33.51/nigaxb.txt
|
2
wallpapercave.com(104.22.52.71) - malware 104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
16 |
ZeroCERT
8944 |
2023-10-23 13:15
|
nicko.vbs 9693079116e9abb7ac2160191c8164af LokiBot Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
http://193.42.33.51/nix.txt
|
7
imageupload.io(172.67.222.26) - malware
api.ipify.org(104.237.62.212)
mail.industrialgh.com(68.70.164.13) 68.70.164.13 - mailcious
104.21.83.102
64.185.227.156
193.42.33.51 - malware
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
19.4 |
M |
15 |
ZeroCERT
8945 |
2023-10-23 13:24
|
nix.txt.exe c01e90db99bcc939f829a181aef2c348 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mail.industrialgh.com(68.70.164.13) api.ipify.org(104.237.62.212) 68.70.164.13 - mailcious 173.231.16.77
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
7.4 |
|
56 |
ZeroCERT
8946 |
2023-10-23 15:35
|
setup.7z bf2d71ede12b007cdabbf513b081fcb7 PrivateLoader Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
41
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://jackantonio.top/timeSync.exe - rule_id: 37357 http://colisumy.com/dl/build2.exe - rule_id: 31026 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://apps.identrust.com/roots/dstrootcax3.p7c http://wyattsebastian.top/e9c345fc99a4e67e.php http://45.15.156.229/api/firegate.php - rule_id: 36052 http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://176.113.115.84:8080/4.php - rule_id: 34795 http://193.233.255.73/loghub/master http://193.42.32.118/api/firecom.php - rule_id: 36700 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 http://www.google.com/ https://sun6-23.userapi.com/c235031/u52355237/docs/d21/7cb744cd40e6/crypted.bmp?extra=ijasbvJahzXSeNdqXSXLMGpGHvjz4jGBIbrjMTotAwPSDg7ZJWoTCMEgnrXhoT-UPrEIyIsw-zYLJvngWwPvMPOtEmMltl6PXIlTO5aNN0Qq0AxSs2IHuMhtvwLx9L6tHIS68UidODUbnFg9 https://db-ip.com/demo/home.php?s=175.208.134.152 https://sun6-20.userapi.com/c909518/u52355237/docs/d7/9d03fcd9d5bd/test2222.bmp?extra=Wry9QF8NRzHXFhuAyX10K2cUiDS0DTKoIRmO3Gdqy2Pqlg5wpKdUMJGOb4-PdzAqr5weQJRr6xl0yQWHUlmTdrUW1y_n1wiM2ewm5-R5m1ExpU4IOBI5iaaLryf706xSsUxP-5VzIAtPBVSa https://sun6-20.userapi.com/c237131/u52355237/docs/d23/7cd7043f8e90/New_crypt_test.bmp?extra=vYj8TsuI4Mh2GARpTfNUmOIhtAIFlk_aV6rN4fuV8RoazN2oSjvkW3gF0yYbSbvEdEIhlBKvLFNzrDhjXjuLtzBxm3t7UAjcRP6wVkJIC2mfq9v9-KN2np5vLrprxlhF01Lp6ir3imRMRJdu https://experiment.pw/setup294.exe - rule_id: 37436 
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/d447d9047e01/2.bmp?extra=G5NjMO4sTn6SbCFGk7CD_SOlopWCbJMwNATWfk18b8h6W5KpzIWtQpereK3vm9yQmMyGT0c1IH0TTJppN4VFVi2l828xcy6v8sK2jl4z9PQdlNlCAdF3ABRJJbdaK_NhK3WUEg1Xih3dkvYN https://api.myip.com/ https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362 https://vk.com/doc52355237_667233820?hash=ksqvnpPOTVnZUBQvgNWMHz7b34SlhrJYzyLwhjI3p2w&dl=9z5K5NGG8CQyYYjYV1UsyBwEjOrCNpWsf0ZuYRFDUpz&api=1&no_preview=1#1 https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU54uu8GW5XHCV-7gyutSx4UrNDbW1iV20 https://dzen.ru/?yredirect=true https://vk.com/doc52355237_667205062?hash=Svqj7zCdrED1hyD81lRt9NeObuiSXNy8bJzdPsMUx1w&dl=zCXthZXeky7MxZ1PAEfvkLNfEWm2gZlF4zhzbI8exz4&api=1&no_preview=1 https://vk.com/doc52355237_667276452?hash=wkBRUPYuo43rYtxIzQc6pAfTM1sBDD9zNWcmfsnUyZk&dl=pSqUmbLaVdyliolYK30HXXznJ7HpQH0ZxzieEabZe7k&api=1&no_preview=1#zxc https://sso.passport.yandex.ru/push?uuid=33a6194a-fa11-4731-a21f-ec40a5c9dbcf&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://api.2ip.ua/geo.json https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9-5UHTgq9slIJgndIgK_zQLX_bwz3QVfA https://vk.com/doc52355237_667260318?hash=5fIVbEMD7QFCeMOR3scNeKxSNfqeBg9KoduBU4Y3tID&dl=koAos1zT2zeVbUu3VEeFdVGaQOOEBZEWHNqrz2p7C1k&api=1&no_preview=1#rise https://neuralshit.net/c31ff1e4370f1f902d97430832cc5f56/7725eaa6592c80f8124e769b4e8a07f7.exe https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://sun6-23.userapi.com/c909618/u52355237/docs/d9/334aaa965d98/tmvwr.bmp?extra=8vKP1hUU8FXC9Qe8mMCGvUfa8Cp8pOwsD2JU4mCuyllGkHmKNdLdm5pJBH5n8fLgBYOEugKzlYD-S8BALhWt6cB4_4dQu6dsu8wxVcZgawhp4z7JOXKqL-PS8fMBHOwRaKXgnQ3G9H9UZ2cQ 
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
|
84
neuralshit.net(172.67.134.35) - malware db-ip.com(104.26.4.15) jackantonio.top(37.139.129.88) - malware vanaheim.cn(45.11.27.150) - mailcious t.me(149.154.167.99) - mailcious ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) - mailcious dzen.ru(62.217.160.2) api.2ip.ua(172.67.139.220) steamcommunity.com(104.76.78.101) - mailcious iplogger.org(148.251.234.83) - mailcious twitter.com(104.244.42.129) telegram.org(149.154.167.99) sun6-20.userapi.com(95.142.206.0) - mailcious api.db-ip.com(104.26.5.15) lrefjviufewmcd.org(91.215.85.209) - malware lakuiksong.known.co.ke(146.59.70.14) - malware experiment.pw(104.21.34.37) - malware iplogger.com(148.251.234.93) - mailcious colisumy.com(181.170.86.159) - malware zexeq.com(186.13.17.220) - malware wyattsebastian.top(37.139.129.88) octocrabs.com(104.21.21.189) - mailcious yandex.ru(77.88.55.88) www.google.com(142.250.76.132) iplis.ru(148.251.234.93) - mailcious i.instagram.com(31.13.82.52) pastebin.com(104.20.67.143) - mailcious www.maxmind.com(104.18.145.235) vk.com(87.240.132.67) - mailcious sso.passport.yandex.ru(213.180.204.24) api.myip.com(104.26.9.59) 148.251.234.93 - mailcious 194.169.175.128 - mailcious 37.139.129.88 104.18.145.235 182.162.106.33 - malware 93.186.225.194 - mailcious 172.67.167.220 - malware 62.217.160.2 62.122.184.92 - mailcious 193.233.255.73 104.26.5.15 149.154.167.99 - mailcious 193.42.32.118 - mailcious 91.215.85.209 - mailcious 157.240.215.63 80.66.75.77 - mailcious 104.244.42.193 - suspicious 45.11.27.150 171.22.28.226 - malware 87.240.132.67 - mailcious 171.22.28.221 - malware 34.117.59.81 172.67.200.10 - mailcious 176.113.115.84 - mailcious 172.67.34.170 - mailcious 148.251.234.83 104.26.8.59 104.21.6.10 - malware 83.97.73.44 213.180.204.24 176.113.115.135 - mailcious 104.75.41.21 - mailcious 176.113.115.136 - mailcious 185.172.128.69 - malware 45.143.201.238 - mailcious 193.42.33.68 - malware 181.170.86.159 190.12.87.61 45.15.156.229 - mailcious 104.26.9.59 104.26.4.15 95.142.206.3 - 
mailcious 172.67.139.220 95.142.206.0 - mailcious 80.66.75.4 - mailcious 146.59.70.14 - malware 171.22.28.239 - mailcious 172.217.24.228 77.88.55.60 109.107.182.2 - malware 171.22.28.236 - mailcious 171.22.28.213 - malware
|
46
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.pw domain - Likely Hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer Activity (Response) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP 
v.0.x (Get_settings) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Packed Executable Download ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
|
18
http://171.22.28.226/download/WWW14_64.exe http://zexeq.com/test2/get.php http://jackantonio.top/timeSync.exe http://colisumy.com/dl/build2.exe http://45.15.156.229/api/tracemap.php http://45.15.156.229/api/firegate.php http://zexeq.com/files/1/build3.exe http://171.22.28.221/files/Ads.exe http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://176.113.115.84:8080/4.php http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://experiment.pw/setup294.exe https://steamcommunity.com/profiles/76561199563297648 https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.0 |
M |
|
ZeroCERT
8947 |
2023-10-23 16:08
|
setup.7z a4e3febc2031d844ad89ed5f3ed2c206 Stealc PrivateLoader Amadey Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c powershell Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
57
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://gobo03fc.top/build.exe http://wyattsebastian.top/e9c345fc99a4e67e.php - rule_id: 37497 http://109.107.182.2/race/bus50.exe - rule_id: 37496 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://77.91.68.249/fuza/sus.exe http://45.15.156.229/api/firegate.php - rule_id: 36052 http://colisumy.com/dl/build2.exe - rule_id: 31026 http://85.217.144.143/files/My2.exe - rule_id: 34643 http://apps.identrust.com/roots/dstrootcax3.p7c http://77.91.68.249/fuza/foto2552.exe http://185.172.128.69/newumma.exe - rule_id: 37499 http://jackantonio.top/timeSync.exe - rule_id: 37357 http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://77.91.68.249/zoom/angi.exe http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://94.142.138.131/api/firegate.php - rule_id: 32650 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://77.91.68.249/fuza/2.ps1 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.68.249/fuza/nalo.exe http://77.91.124.1/theme/index.php - rule_id: 37040 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://176.113.115.84:8080/4.php - rule_id: 34795 http://193.233.255.73/loghub/master - rule_id: 37500 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 http://www.google.com/ https://db-ip.com/demo/home.php?s=175.208.134.152 https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://diplodoka.net/16d7385732355adc773732b0327e9c0c/7a54bdb20779c4359694feaa1398dd25.exe https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397 https://experiment.pw/setup294.exe - rule_id: 37436 
https://potatogoose.com/16d7385732355adc773732b0327e9c0c/baf14778c246e15550645e30ba78ce1c.exe https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU44eu8GW5XHCV-7gyuNDh4krMD77l0Vqy https://api.myip.com/ https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362 https://sun6-20.userapi.com/c909518/u52355237/docs/d7/9d03fcd9d5bd/test2222.bmp?extra=Wry9QF8NRzHXFhuAyX10K2cUiDS0DTKoIRmO3Gdqy2Pqlg5wpKdUMJGOb4-PdzAqr5weQJRr6xl0yQWHUlmTdrUW1y_n1wiM2ewm5-R5m1ExpU4IOhw5iaaLryf706xSvx5M-MQjL18eDFOc https://sun6-23.userapi.com/c909618/u52355237/docs/d9/334aaa965d98/tmvwr.bmp?extra=8vKP1hUU8FXC9Qe8mMCGvUfa8Cp8pOwsD2JU4mCuyllGkHmKNdLdm5pJBH5n8fLgBYOEugKzlYD-S8BALhWt6cB4_4dQu6dsu8wxVcZgawhp4z7JO3yqL-PS8fMBHOwRaKfmmF-W_XhYYWdH https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9-ZsHTgq9slIJgndIgavwE7f4PVOoEQjB https://dzen.ru/?yredirect=true https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://api.2ip.ua/geo.json https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU5YWu8GW5XHCV-7gyvoe17RzAXLzj21i0 https://neuralshit.net/bd7fce869cc9dad0938390c13f85c712/7725eaa6592c80f8124e769b4e8a07f7.exe https://sun6-23.userapi.com/c235031/u52355237/docs/d21/7cb744cd40e6/crypted.bmp?extra=ijasbvJahzXSeNdqXSXLMGpGHvjz4jGBIbrjMTotAwPSDg7ZJWoTCMEgnrXhoT-UPrEIyIsw-zYLJvngWwPvMPOtEmMltl6PXIlTO5aNN0Qq0AxSsWwHuMhtvwLx9L6tGIXloB7OODUZzlM9 
https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9_5kHTgq9slIJgndI1KD0Q-CqPlv7RQef https://sun6-20.userapi.com/c237131/u52355237/docs/d23/7cd7043f8e90/New_crypt_test.bmp?extra=vYj8TsuI4Mh2GARpTfNUmOIhtAIFlk_aV6rN4fuV8RoazN2oSjvkW3gF0yYbSbvEdEIhlBKvLFNzrDhjXjuLtzBxm3t7UAjcRP6wVkJIC2mfq9v9-q12np5vLrprxlhFhALs6yun22McEsNj https://sso.passport.yandex.ru/push?uuid=9d27acac-cdcd-4aed-b07a-81869e366ae7&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://sun6-23.userapi.com/c235131/u52355237/docs/d29/d447d9047e01/2.bmp?extra=G5NjMO4sTn6SbCFGk7CD_SOlopWCbJMwNATWfk18b8h6W5KpzIWtQpereK3vm9yQmMyGT0c1IH0TTJppN4VFVi2l828xcy6v8sK2jl4z9PQdlNlCBd13ABRJJbdaK_NhKXaUEg0AhxvYwqFU https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
|
110
neuralshit.net(172.67.134.35) - malware db-ip.com(172.67.75.166) jackantonio.top(37.139.129.88) - malware dzen.ru(62.217.160.2) vanaheim.cn(45.11.27.150) - mailcious t.me(149.154.167.99) - mailcious lrefjviufewmcd.org(91.215.85.209) - malware ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) - mailcious iplogger.org(148.251.234.83) - mailcious potatogoose.com(172.67.180.173) - malware diplodoka.net(172.67.217.52) - malware api.2ip.ua(172.67.139.220) steamcommunity.com(104.76.78.101) - mailcious grabyourpizza.com(104.21.90.82) - malware laubenstein.space(45.130.41.101) - mailcious twitter.com(104.244.42.193) telegram.org(149.154.167.99) yip.su(104.21.79.77) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious octocrabs.com(172.67.200.10) - mailcious www.instagram.com(157.240.11.174) sso.passport.yandex.ru(213.180.204.24) lakuiksong.known.co.ke(146.59.70.14) - malware experiment.pw(104.21.34.37) - malware yandex.ru(5.255.255.77) net.geo.opera.com(107.167.110.211) gobo03fc.top(85.143.220.63) iplogger.com(148.251.234.93) - mailcious zexeq.com(123.213.233.131) - malware wyattsebastian.top(37.139.129.88) - mailcious api.db-ip.com(104.26.4.15) colisumy.com(187.18.108.158) - malware www.google.com(142.250.76.132) iplis.ru(148.251.234.93) - mailcious i.instagram.com(31.13.82.52) pastebin.com(104.20.68.143) - mailcious flyawayaero.net(104.21.93.225) - malware www.maxmind.com(104.18.145.235) vk.com(93.186.225.194) - mailcious api.myip.com(104.26.9.59) lycheepanel.info(172.67.187.122) - malware 148.251.234.93 - mailcious 194.169.175.128 - mailcious 37.139.129.88 - mailcious 104.18.146.235 142.250.66.132 171.22.28.213 - malware 172.67.167.220 - malware 157.240.31.63 77.91.124.1 - malware 62.122.184.92 - mailcious 193.233.255.73 - mailcious 104.26.5.15 85.217.144.143 - malware 85.143.220.63 - malware 149.154.167.99 - mailcious 104.21.65.24 61.111.58.34 - malware 104.21.34.37 - phishing 62.217.160.2 172.67.75.163 83.97.73.44 172.67.75.166 121.254.136.18 171.22.28.239 
- mailcious 45.11.27.150 172.67.187.122 - malware 104.21.79.77 - phishing 171.22.28.226 - malware 87.240.132.78 - mailcious 171.22.28.221 - malware 34.117.59.81 77.91.68.249 - malware 172.67.200.10 - mailcious 176.113.115.84 - mailcious 172.67.34.170 - mailcious 148.251.234.83 104.26.8.59 104.21.6.10 - malware 45.130.41.101 - mailcious 193.42.32.118 - mailcious 176.113.115.135 - mailcious 176.113.115.136 - mailcious 185.172.128.69 - malware 109.107.182.133 77.88.55.88 80.66.75.4 - mailcious 172.67.197.174 91.215.85.209 - mailcious 169.148.95.39 45.15.156.229 - mailcious 157.240.31.174 107.167.110.216 95.142.206.3 - mailcious 195.158.3.162 45.143.201.238 - mailcious 172.67.217.52 - malware 104.21.93.225 - phishing 146.59.70.14 - malware 104.244.42.193 - suspicious 193.42.33.68 - malware 213.180.204.24 172.67.180.173 - malware 95.142.206.0 - mailcious 80.66.75.77 - mailcious 109.107.182.2 - malware 171.22.28.236 - mailcious 104.76.78.101 - mailcious 94.142.138.131 - mailcious
|
53
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET DNS Query to a *.pw domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET HUNTING Suspicious services.exe in URI ET DNS Query to a *.top domain - Likely Hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Possible EXE Download From Suspicious TLD ET INFO EXE - Served Attached HTTP ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO TLS Handshake Failure ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Packed Executable Download ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET 
MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO PS1 Powershell File Request ET MALWARE Redline Stealer Activity (Response) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET HUNTING Request to .TOP Domain with Minimal Headers ET DNS Query for .su TLD (Soviet Union) Often Malware Related
|
28
http://171.22.28.226/download/WWW14_64.exe http://wyattsebastian.top/e9c345fc99a4e67e.php http://109.107.182.2/race/bus50.exe http://zexeq.com/test2/get.php http://45.15.156.229/api/firegate.php http://colisumy.com/dl/build2.exe http://85.217.144.143/files/My2.exe http://185.172.128.69/newumma.exe http://jackantonio.top/timeSync.exe http://zexeq.com/files/1/build3.exe http://171.22.28.221/files/Ads.exe http://94.142.138.131/api/firegate.php http://171.22.28.226/download/Services.exe http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://77.91.124.1/theme/index.php http://45.15.156.229/api/tracemap.php http://176.113.115.84:8080/4.php http://193.233.255.73/loghub/master http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe https://experiment.pw/setup294.exe https://steamcommunity.com/profiles/76561199563297648 https://pastebin.com/raw/xYhKBupz https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.2 |
M |
|
ZeroCERT
8948 |
2023-10-23 16:58
|
foto2552.exe 4cdb3ee7e130e01a02d7b8a7d8dae6ec Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500 http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/index.php - rule_id: 37040 https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://www.google.com/favicon.ico https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywD2xgLxszRIN_7MaKSoUaoYTMvRFg50b2S5b8UluthbcUsGRE-8e1g-xdevGcqP20z4uow https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://accounts.google.com/ https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?S178ZQ https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywTlS8RSTMSloorftkjj1lY_2tWmEzy5429BwqOoerpQlAzoTk3QhoMS2hENHZmnLEtBloUjQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023002296%3A1698047601366063 https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff 
https://fonts.googleapis.com/css?family=Roboto:400,500
|
17
ssl.gstatic.com(142.250.206.227) www.facebook.com(157.240.215.35) www.google.com(142.250.76.132) www.youtube.com(142.250.207.14) - mailcious fonts.googleapis.com(142.250.206.234) accounts.google.com(142.250.206.205) fonts.gstatic.com(142.250.207.99) 142.250.207.67 157.240.31.35 142.250.204.109 142.250.66.132 193.233.255.73 - mailcious 109.107.182.133 172.217.31.3 77.91.124.1 - malware 172.217.24.110 142.250.66.106
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.124.1/theme/index.php
|
20.4 |
M |
46 |
ZeroCERT
8949 |
2023-10-24 07:48
|
newmar.exe 6020dace849357f1667a1943c8db7291 Emotet Gen1 Malicious Library UPX Confuser .NET AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check icon PE64 DllRegisterServer dll MZP Format DLL VirusTotal Cryptocurrency Miner Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed CoinMiner |
|
7
xmr-eu1.nanopool.org(135.125.238.108) - mailcious pastebin.com(104.20.67.143) - mailcious iplogger.com(148.251.234.93) - mailcious 148.251.234.93 - mailcious 51.68.143.81 51.15.193.130 172.67.34.170 - mailcious
|
6
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO TLS Handshake Failure ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
11.4 |
M |
56 |
ZeroCERT
8950 |
2023-10-24 07:48
|
snow.exe bd136d61e094dd46fae5f3fda5d18d48 LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mymobileorder.com(162.0.232.65) - mailcious api.ipify.org(64.185.227.156) 162.0.232.65 - phishing 64.185.227.156
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
14.4 |
M |
43 |
ZeroCERT
8951 |
2023-10-24 07:50
|
foto2552.exe 5e967436bbe28a1b2b6d4016ae7b5024 Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500 http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/index.php - rule_id: 37040 https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyz5YVxzRBWdpyuUtppgdvRy2Tw194Av0LWqrv008iX9c7bZnoHLo250QAw7Iz6oyudGemXR1A https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?6-E0fA https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://accounts.google.com/ https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxQBLRrENNzDGU7Qlkoss48yKJ12ueLob1lnUSvITk9Wdk0c8W1-KA6F38Oypk5hTx5sGjsKg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S470064247%3A1698101077522125 https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.google.com/favicon.ico https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff 
https://fonts.googleapis.com/css?family=Roboto:400,500
|
18
ssl.gstatic.com(142.250.206.227) www.facebook.com(157.240.31.35) www.google.com(142.250.76.132) www.youtube.com(142.251.222.14) - mailcious fonts.googleapis.com(172.217.161.234) accounts.google.com(142.250.206.205) fonts.gstatic.com(142.250.207.99) 142.251.220.78 142.251.220.45 77.91.124.86 172.217.27.36 51.68.143.81 193.233.255.73 - mailcious 77.91.124.1 - malware 172.217.24.227 172.217.31.10 157.240.215.35 142.250.66.67
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.124.1/theme/index.php
|
20.2 |
M |
|
ZeroCERT
8952 |
2023-10-24 07:50
|
texaszx.exe 2aaebe44a0a2a7f2512f13a45a979406 PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
6
api.ipify.org(64.185.227.156) 142.251.220.78 162.0.232.65 - phishing 64.185.227.156 172.217.31.10 142.250.66.67
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
29 |
ZeroCERT
8953 |
2023-10-24 09:41
|
luoves.vbs 0ce3fdcbefda30517ac10b2fdf96f426 AgentTesla Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key crashed |
2
http://95.214.27.121/mashilao.txt https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
|
3
imageupload.io(104.21.83.102) - malware 172.67.222.26 - malware 95.214.27.121 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
15.2 |
M |
15 |
ZeroCERT
8954 |
2023-10-24 10:03
|
setup.7z 4c65dedbb73fbb8d9daae8179d67082b Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Lumma Stealer DNS |
8
http://94.142.138.131/api/firegate.php - rule_id: 32650 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://dannyleagy.fun/api http://volkels.fun/api https://volkels.fun/api https://psv4.userapi.com/c909328/u52355237/docs/d47/c541f110e091/Installation.bmp?extra=UgwBGkMcfjcRXxJpAN_ASDuA0Ulq2C1OYolHMcvZH2Z240wWgFPur2bYY2ipG1c__XCmg7VaCVjAHzDdCrA1S8XNsrR_lsV0QDzjRvhM0brwyhjZhKAOz1A4_7Q9pVPYoNMU8ICt2QCICYFC https://vk.com/doc52355237_667317398?hash=Nzo9Lpy2lnkLk0e9i3sM5Q7Rmhu0skEqTijVFqSmRV4&dl=zTGHW6YEQC0elKjKTCqYaLRzYnULI1fc07ZVd4bICGH&api=1&no_preview=1 https://api.myip.com/
|
13
psv4.userapi.com(87.240.190.89) api.myip.com(172.67.75.163) ipinfo.io(34.117.59.81) dannyleagy.fun(104.21.92.100) volkels.fun(104.21.42.158) vk.com(87.240.132.67) - mailcious 104.21.92.100 - mailcious 172.67.163.133 - malware 172.67.75.163 87.240.190.89 87.240.129.133 - mailcious 94.142.138.131 - mailcious 34.117.59.81
|
6
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://94.142.138.131/api/firegate.php http://94.142.138.131/api/tracemap.php
|
4.2 |
M |
|
ZeroCERT
8955 |
2023-10-25 09:50
|
HTMLCachesClear.dOC ae797eafb49080484af9350259e7920a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226) 45.33.42.226
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA Applayer Wrong direction first Data
|
|
2.6 |
M |
29 |
ZeroCERT