| 8971 |
2023-10-25 18:27
|
File.7z 86f0e6986a754d96179b2c20d8db49b6
PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Cryptocurrency Miner Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser Trojan DNS Downloader CoinMiner |
80
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://109.107.182.2/race/bus50.exe - rule_id: 37496
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://85.217.144.143/files/townpublishing.exe
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://49.12.116.189/upload.zip
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.69/newumma.exe - rule_id: 37499
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://171.22.28.221/files/Ads.exe - rule_id: 37468
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://77.91.124.1/theme/index.php - rule_id: 37040
http://gons3fc.top/build.exe
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://193.233.255.73/loghub/master - rule_id: 37500
http://gobo04fc.top/build.exe
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://171.22.28.221/files/Random.exe - rule_id: 37434
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://171.22.28.213/3.exe - rule_id: 37068
http://www.google.com/
https://sun6-22.userapi.com/c909328/u52355237/docs/d36/94e70066ac80/PL_Client.bmp?extra=GYu9pTC-Wl1Sg_fchSUawzC7SOJQ5mf6X2A3Lm8ZE1bmn4F7iqzq_0_-pgTnEnf4Z8ETAumkli_vcaYV1Z_ULFP_mNBGwhECBvqkXysXuH9Sz8e5J6_7zGC5Vyj2-tcbfXz3qBeXxZZmpG6k
https://vk.com/doc52355237_667343838?hash=zdFRocOdJtT0IyxFdnygjsrvYEitfza6BvyL25bGpZD&dl=sHDqrRzc8uNalY3nwHHztHxEdFCN6CpN55OVgGQqijL&api=1&no_preview=1#1
https://steamcommunity.com/profiles/76561199564671869
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397
https://accounts.google.com/generate_204?CDdS5w
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://potatogoose.com/976b26ee384bf2dcf27abfc3b8d028eb/baf14778c246e15550645e30ba78ce1c.exe
https://www.google.com/favicon.ico
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://api.ip.sb/ip
https://experiment.pw/setup294.exe - rule_id: 37436
https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=hjMZy0D95eSFxb%2FYE%2Fdrj5C6tndz19A2RfpDONXthx4%3D&spr=https&se=2023-10-26T09%3A35%3A45Z&rscl=x-e2eid-cd83c9d1-11ee493e-8ec461f2-562aef4b-session-3b3dacd9-31504d5f-bf9a4f83-796fb600
https://vk.com/doc52355237_667339795?hash=Vr6hZn5xlDzZsz30TpnTzHAO4DHKke3DmD4kGhoeqoH&dl=6fzaZ8xtsOzOd75auvzL1Z7h0auXHva7GD7UyQqxDDo&api=1&no_preview=1
https://sun6-22.userapi.com/c909618/u52355237/docs/d51/b8b9a3f0dc19/RisePro_0_9.bmp?extra=S_Pw_XtG5PO3pErgyMk8rmhNNVpFLN7JZFRZb7P0DQbCvb25kgrWOiITEqnQ1DrUrLRqlEiLjGGyyXplnWiQQv40Gxo9KL6bmVJWDYrct0qqfiD8S9zjDR328l71NfIg7q089wragM-LuguC
https://vk.com/doc52355237_667363057?hash=EFGn7JDa1yL3d80vbqsB9WZH2w3XpT5V6LPR4VEBzc4&dl=QJPdu5Tzl9CEda3jy8BmjsTGIU8RaodEGQVRlC2jmdD&api=1&no_preview=1#all
https://sun6-22.userapi.com/c909328/u52355237/docs/d39/fea02e6516ef/all.bmp?extra=1jLtQoDZlkXee5oo1ICc_9GEajaJa4WgEW2aW76jh1X4r0G8nBKsO1fC-UITCjUotA9USMbQHx2E534DFNgrHG_ven327gh2BTuXaBkk_4hLBUxns9Tv5eHEyBEemy9O9cRIt33iy9__px79
https://api.myip.com/
https://sun6-22.userapi.com/c909618/u52355237/docs/d26/cc55b2954aea/crypted.bmp?extra=xLNs08HOc2FVnDJsDb3fD8GFoFKmCU7QJz_fRbm4cuX-Ud8sbS3ZYM4raB86hLMg30wxZWxsHLUDDk07eXkgw1zAbBCXdaTfzZ9SmqURbHH51SmXU4eNGjrBU_f7Jo6Q2J1vJSYawZTYv0pt
https://msdl.microsoft.com/download/symbols/index2.txt
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://yip.su/RNWPd.exe
https://diplodoka.net/976b26ee384bf2dcf27abfc3b8d028eb/7a54bdb20779c4359694feaa1398dd25.exe
https://sun6-22.userapi.com/c909518/u52355237/docs/d5/1aa2c5f38718/test23.bmp?extra=9FhCUwRY0gis9rghwSNws5CZNzCYS1cFvSzMovIC4R9pgAu6f-6BHFvxk7A3VnUhzurcljGxSjA3h1u1s_urlUUF8X-lH3axsr1NmjA9bVbhXg_8fAna1HNi9FXqmBMzfYbdJ8NBaWlajfQ7
https://vk.com/doc52355237_667363160?hash=90eo1ggSa79KsVZPaYy6x9lScec24zb12wdY8O5unQk&dl=m7LLs87D1wJQyUxzU3MK1qZzpMIcxisi2LpUtD1jlOs&api=1&no_preview=1#test22
https://dzen.ru/?yredirect=true
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/9072feeb59e1/2.bmp?extra=anTEO8FrVGu00Q5VjCfBzfV6wA1wHhJ4v3kJhx0qWWZQbBF7ZjM9pGJCaiS-ZPprUSRJiLz6BgcrTKyf9D1xg2NvZAKTna40r0l84UKOHs6o-eobD5J99sFFPZGpyzmim2vkG5mjF5IJtf23
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyykJNODYDpIHqhOifsHXhwJQmK8zndb5lyvjBtQuk9jZeMf94g9TWw4WX1eVNV9XYlWLO5icg
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://sun6-22.userapi.com/c909218/u52355237/docs/d42/60d05adee2f0/WWW11_32.bmp?extra=C65rMG9a2ZLgS4-qRwSgkiSxHJ3RAaH3KFKeI6EmSeeje_84SPUwWXjC_3sPq8LlWHKSPAXwi3EVIIkD0RFllrJ7VuliWNF78K0_YqEAepb9uoFHLsXGRl9gQ5Yenv5OHgw81aIn24dCy__n
https://vk.com/doc828628200_671409039?hash=0yEYLUUztkFa1eCd0vT01xEQlMXCn20q2EbUpZXcuIP&dl=Mz4XiECwpxCz6uTiBkS3szJG5kfAHZDNnQub6U5y8Do&api=1&no_preview=1
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://sun6-23.userapi.com/c909518/u52355237/docs/d59/b2220ffab81c/d432j89adg.bmp?extra=fPb2B9ko9Mhx2DzFJ1UkjS4bmg5SfYI4NNWBqcF0aiYSAU5AZdPLvdhQqhn8ujfkWsa5z86DgnzoIkQaGeBFjxxg_BisIc9O5Kwa1JhnN-RSdiZG-vmmpRjn_ZaVPz_ccs1EJjKOIIEUE1Ns
https://sun6-20.userapi.com/c237231/u52355237/docs/d30/24459ebe9485/crypted.bmp?extra=G9O9Z5VhCwn1IjHZMEeC96bT7TZPJN8bQD-u_isK9maVUv8bgsaMkkehRuoCWJvCMzxY1RJKKn6oA1e40Wf5bbv_o9I-NxdvV3Mk7krC79T7DX_qSTi5qr4ZLmbvRGkLp-Bll9JOEJ1Kahsn
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywL3WvaP67WC1xBgQHpszVeSkZSzqgvgWBUNZ5eG5Ei8Y5pss0d4jN2xMG0ZtU8qv0vxabvug&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1291519739%3A1698225333762439
https://vk.com/doc52355237_667352314?hash=zEDslzmi2iqzNrxct8lDgzwviJyAQH0HNgf3d1Rmh6P&dl=fusKtwAsyn4UnIwHaxljeG8aYAZah7k5j7DwacWhYAc&api=1&no_preview=1#cryp
https://sso.passport.yandex.ru/push?uuid=b4b5387a-4dc9-40ae-a50c-088ac025b446&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://vk.com/doc52355237_667345691?hash=b2GSJerzQ21MGzq3fbxSH4ZU7wFsRgdMXupM5JVGGe8&dl=CHVE21CiJhK5KnfhOr6bKYBVGnvTZozjOitXlACAFDc&api=1&no_preview=1#rise
https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-21.userapi.com/c909218/u828628200/docs/d43/026941298ed6/a.bmp?extra=9KmCzHW6FEZN4c_hjWXF-FgWhxDqAhwzrh1sL_mdkgUFjkoB_oENhSPtaYj_XCrlpK5zdeuq4i-I9q8tGp5lrf4wvZp6ESTPthD-L5d66fICr_NCQ0Jh4CWCK83G052Fl_ju4E8t7KE5wq0g8Q
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=JmV9CYXdjSQ9qTNp1k5Pntqf0mOYcgNbYjV92kz0qm4%3D&spr=https&se=2023-10-26T09%3A12%3A04Z&rscl=x-e2eid-dfe33115-46c74920-9c682d65-9c3d827d-session-005fb60a-442d420e-a210e886-3c4ce8d3
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://vk.com/doc52355237_667299917?hash=ZBXZXgvR0VGrrHhRL8ouG0pmaOgq5CMqSVSg07KQ3kD&dl=VP4eeCrZnI7ZSJlYk7MTGWNlWtWgIwQmPzfjoXznkSD&api=1&no_preview=1#ww11
https://api.2ip.ua/geo.json
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
|
153
neuralshit.net(104.21.6.10) - malware
db-ip.com(104.26.4.15)
telegram.org(149.154.167.99)
lakuiksong.known.co.ke(146.59.70.14) - malware
vanaheim.cn(84.201.152.220) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
gobo04fc.top(85.143.220.63)
accounts.google.com(142.250.206.205)
sun6-23.userapi.com(95.142.206.3) - mailcious
galandskiyher5.com(95.214.26.34) - malware
potatogoose.com(104.21.35.235) - malware
www.snipes.com(104.16.223.69)
dzen.ru(62.217.160.2)
insuport.com(69.90.162.0)
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
laubenstein.space() - mailcious
jamesjordan.top() - malware
twitter.com(104.244.42.129)
msdl.microsoft.com(204.79.197.219)
yip.su(172.67.169.89) - mailcious
cdn.discordapp.com(162.159.135.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(172.67.75.166)
server13.thestatsfiles.ru(185.82.216.96)
sun6-21.userapi.com(95.142.206.1) - mailcious
a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru(185.82.216.96)
lrefjviufewmcd.org(91.215.85.209) - malware
pool.hashvault.pro(131.153.76.130) - mailcious
walkinglate.com(104.21.23.184) - malware
stun2.l.google.com(74.125.197.127)
diplodoka.net(172.67.217.52) - malware
experiment.pw(104.21.34.37) - malware
www.nakedcph.com(104.16.129.120)
ssl.gstatic.com(142.250.206.227)
api.ip.sb(172.67.75.172)
www.sivasdescalzo.com(104.18.233.222)
iplogger.com(148.251.234.93) - mailcious
gons3fc.top(85.143.220.63)
colisumy.com(181.170.86.159) - malware
zexeq.com(123.213.233.131) - malware
octocrabs.com(104.21.21.189) - mailcious
vsblobprodscussu5shard58.blob.core.windows.net(20.150.70.36)
vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36)
yandex.ru(5.255.255.70)
net.geo.opera.com(107.167.110.216)
iplis.ru(148.251.234.93) - mailcious
www.google.com(142.250.76.132)
www.maxmind.com(104.18.145.235)
sun6-22.userapi.com(95.142.206.2) - mailcious
pastebin.com(104.20.67.143) - mailcious
flyawayaero.net(172.67.216.81) - malware
grabyourpizza.com(172.67.197.174) - malware
vk.com(87.240.132.67) - mailcious
sso.passport.yandex.ru(213.180.204.24)
api.myip.com(104.26.8.59)
lycheepanel.info(104.21.32.208) - malware
148.251.234.93 - mailcious
85.217.144.143 - malware
62.122.184.92 - mailcious
62.217.160.2
85.143.220.63 - malware
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.163
172.67.187.122 - malware
83.97.73.44
142.250.76.132
185.82.216.96
176.113.115.84 - mailcious
104.21.35.235
104.16.222.69
104.75.41.21 - mailcious
121.254.136.9
74.125.197.127
49.12.116.189
45.143.201.238 - mailcious
87.240.132.78 - mailcious
109.107.182.2 - malware
171.22.28.236 - mailcious
194.169.175.128 - mailcious
162.159.135.233 - malware
84.201.152.220
87.240.129.133 - mailcious
193.233.255.73 - mailcious
104.244.42.129 - suspicious
104.21.65.24
104.21.34.37 - phishing
171.22.28.226 - malware
87.240.132.67 - mailcious
171.22.28.221 - malware
104.26.8.59
104.21.6.10 - malware
104.18.233.222
194.169.175.233 - malware
181.170.86.159
95.142.206.3 - mailcious
95.142.206.2 - mailcious
95.142.206.1 - mailcious
95.142.206.0 - mailcious
172.67.217.52 - malware
104.21.93.225 - phishing
104.21.90.82 - malware
80.66.75.77 - mailcious
69.90.162.0
142.250.204.35
104.18.145.235
95.214.26.34
77.91.124.1 - malware
104.20.68.143 - mailcious
20.150.70.36
94.142.138.113 - mailcious
104.26.5.15
208.67.104.60 - mailcious
131.153.76.130 - mailcious
80.66.75.4 - mailcious
104.26.12.31
104.21.79.77 - phishing
77.91.124.86
176.113.115.135 - mailcious
176.113.115.136 - mailcious
185.172.128.69 - malware
45.15.156.229 - mailcious
172.67.216.81 - malware
91.215.85.209 - mailcious
107.167.110.211
172.67.139.220
146.59.70.14 - malware
104.21.23.184 - malware
104.16.128.120
123.213.233.131
172.67.167.220 - malware
5.42.65.101 - mailcious
5.255.255.70
104.20.67.143 - mailcious
213.180.204.24
142.251.130.13
20.150.79.68
34.117.59.81
104.21.21.189
148.251.234.83
185.225.75.171 - mailcious
204.79.197.219
77.232.38.234 - mailcious
23.200.75.26
104.21.32.208 - malware
172.67.197.174
23.200.75.28
104.21.78.56 - malware
91.103.252.189 - malware
171.22.28.213 - malware
|
51
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET INFO Dotted Quad Host ZIP Request
|
29
http://171.22.28.226/download/WWW14_64.exe
http://109.107.182.2/race/bus50.exe
http://zexeq.com/test2/get.php
http://colisumy.com/dl/build2.exe
http://85.217.144.143/files/My2.exe
http://185.172.128.69/newumma.exe
http://45.15.156.229/api/firegate.php
http://zexeq.com/files/1/build3.exe
http://171.22.28.221/files/Ads.exe
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://galandskiyher5.com/downloads/toolspub1.exe
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://77.91.124.1/theme/index.php
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://193.233.255.73/loghub/master
http://94.142.138.113/api/firegate.php
http://171.22.28.221/files/Random.exe
http://193.42.32.118/api/firecom.php
http://171.22.28.213/3.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
https://experiment.pw/setup294.exe
https://pastebin.com/raw/HPj0MzD6
https://pastebin.com/raw/xYhKBupz
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8972 |
2023-10-26 10:40
|
 foto1661.exe 7613290b26555e6b7b16131d17331960
Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check .NET E Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
25
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master - rule_id: 37500
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/foto1661.exe
http://77.91.68.249/fuza/tus.exe
http://77.91.68.249/fuza/nalo.exe - rule_id: 37525
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php - rule_id: 37040
http://77.91.124.1/theme/index.php
https://accounts.google.com/generate_204?KIpSmg
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?x9IqeA
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn
https://www.google.com/favicon.ico
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
14
www.youtube.com(172.217.25.174) - mailcious
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.215.35)
accounts.google.com(142.250.206.205)
www.google.com(142.250.76.132)
142.250.204.36
142.251.220.14
216.58.200.237
77.91.124.86
216.58.203.67
193.233.255.73 - mailcious
77.91.124.1 - malware
157.240.215.35
77.91.68.249 - malware
|
18
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
6
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php
|
24.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8973 |
2023-10-26 10:41
|
 HTMLIECachesBrowser.dOC a08ca8e6fd0e7002499434aa2547d160
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.156.253.236/jajajjajapapapappanananan.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
94.156.253.236 - mailcious
104.21.45.138 - malware
23.32.56.72
|
2
ET INFO Dotted Quad Host VBS Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8974 |
2023-10-26 10:43
|
HTMLEVENbrowser.dOC 8ff3248ebdfa3b7dd737f7bee9b9dae6
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.254.37.174/eveningFile.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
185.254.37.174 - mailcious
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8975 |
2023-10-26 13:23
|
eveningFile.vbs 088dd62ff5ed6d7e15caab5a0bb62f10
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8976 |
2023-10-26 13:23
|
jajajjajapapapappanananan.vbs 7e9d44a6c4367491ad178bf62548f136
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://94.156.253.236/yeyesyesyeys.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8977 |
2023-10-26 17:12
|
HTMLcacheIEsession.dOC 55588a5b96ec028485a99a5bcd648d0e
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226) - mailcious
45.33.42.226 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
|
|
2.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8978 |
2023-10-26 17:14
|
 updates_installer.exe 898cb4fca84ad5e7009d15b2ec04f3a6
UPX Malicious Library Http API ScreenShot Internet API AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Ransomware Lumma Stealer Windows Browser ComputerName Firmware Cryptographic key |
1
|
4
newsproks.fun(172.67.203.23)
whitecatcorn.com(8.29.155.210)
172.67.203.23
8.29.155.210
|
4
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
|
15.8 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8979 |
2023-10-26 17:16
|
pvtHTMLbroswer.dOC 541a8be00b26a27ed851731d47a0ae31
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://185.254.37.174/privateexploiteveningFile.vbs
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
185.254.37.174 - mailcious
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8980 |
2023-10-26 17:20
|
privateexploiteveningFile.vbs 5dc2c5a74a18f3b1e8d24101e8bac3cc
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8981 |
2023-10-26 17:21
|
HTMLcachesIE.vbs b70068430fab03962b3fe2d15588c894
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://192.3.64.154/windows/HTR.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.67.53.17
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8982 |
2023-10-26 17:22
|
VIBINVES.vbs 0b92e010b599dc8280e4ab32c1ed02ed
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://193.42.33.121/investorbase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.67.53.27
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8983 |
2023-10-27 10:13
|
obuxu.vbs 136abae59cb3eb697de1c5e20778ecd6
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://193.42.33.51/obm.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.32.56.80
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8984 |
2023-10-27 10:13
|
ereeeeeeeeeeeefereFile.vbs 73d2fd40cb82f20bb3d340720da666d0
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.32.56.72
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8985 |
2023-10-27 10:54
|
bdolsx.vbs 44c457dd13efcd6622b1b6dbab5c1965VirusTotal Malware buffers extracted wscript.exe payload download Tofsee |
1
|
2
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|