8971 |
2023-10-25 18:27
|
File.7z 86f0e6986a754d96179b2c20d8db49b6 PrivateLoader Amadey Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Cryptocurrency Miner Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser Trojan DNS Downloader CoinMiner |
80
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://109.107.182.2/race/bus50.exe - rule_id: 37496 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://85.217.144.143/files/townpublishing.exe http://colisumy.com/dl/build2.exe - rule_id: 31026 http://49.12.116.189/upload.zip http://85.217.144.143/files/My2.exe - rule_id: 34643 http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.69/newumma.exe - rule_id: 37499 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.124.1/theme/index.php - rule_id: 37040 http://gons3fc.top/build.exe http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://176.113.115.84:8080/4.php - rule_id: 34795 http://193.233.255.73/loghub/master - rule_id: 37500 http://gobo04fc.top/build.exe http://94.142.138.113/api/firegate.php - rule_id: 36152 http://171.22.28.221/files/Random.exe - rule_id: 37434 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 http://www.google.com/ https://sun6-22.userapi.com/c909328/u52355237/docs/d36/94e70066ac80/PL_Client.bmp?extra=GYu9pTC-Wl1Sg_fchSUawzC7SOJQ5mf6X2A3Lm8ZE1bmn4F7iqzq_0_-pgTnEnf4Z8ETAumkli_vcaYV1Z_ULFP_mNBGwhECBvqkXysXuH9Sz8e5J6_7zGC5Vyj2-tcbfXz3qBeXxZZmpG6k 
https://vk.com/doc52355237_667343838?hash=zdFRocOdJtT0IyxFdnygjsrvYEitfza6BvyL25bGpZD&dl=sHDqrRzc8uNalY3nwHHztHxEdFCN6CpN55OVgGQqijL&api=1&no_preview=1#1 https://steamcommunity.com/profiles/76561199564671869 https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397 https://accounts.google.com/generate_204?CDdS5w https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://potatogoose.com/976b26ee384bf2dcf27abfc3b8d028eb/baf14778c246e15550645e30ba78ce1c.exe https://www.google.com/favicon.ico https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://api.ip.sb/ip https://experiment.pw/setup294.exe - rule_id: 37436 https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403 https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=hjMZy0D95eSFxb%2FYE%2Fdrj5C6tndz19A2RfpDONXthx4%3D&spr=https&se=2023-10-26T09%3A35%3A45Z&rscl=x-e2eid-cd83c9d1-11ee493e-8ec461f2-562aef4b-session-3b3dacd9-31504d5f-bf9a4f83-796fb600 https://vk.com/doc52355237_667339795?hash=Vr6hZn5xlDzZsz30TpnTzHAO4DHKke3DmD4kGhoeqoH&dl=6fzaZ8xtsOzOd75auvzL1Z7h0auXHva7GD7UyQqxDDo&api=1&no_preview=1 https://sun6-22.userapi.com/c909618/u52355237/docs/d51/b8b9a3f0dc19/RisePro_0_9.bmp?extra=S_Pw_XtG5PO3pErgyMk8rmhNNVpFLN7JZFRZb7P0DQbCvb25kgrWOiITEqnQ1DrUrLRqlEiLjGGyyXplnWiQQv40Gxo9KL6bmVJWDYrct0qqfiD8S9zjDR328l71NfIg7q089wragM-LuguC https://vk.com/doc52355237_667363057?hash=EFGn7JDa1yL3d80vbqsB9WZH2w3XpT5V6LPR4VEBzc4&dl=QJPdu5Tzl9CEda3jy8BmjsTGIU8RaodEGQVRlC2jmdD&api=1&no_preview=1#all 
https://sun6-22.userapi.com/c909328/u52355237/docs/d39/fea02e6516ef/all.bmp?extra=1jLtQoDZlkXee5oo1ICc_9GEajaJa4WgEW2aW76jh1X4r0G8nBKsO1fC-UITCjUotA9USMbQHx2E534DFNgrHG_ven327gh2BTuXaBkk_4hLBUxns9Tv5eHEyBEemy9O9cRIt33iy9__px79 https://api.myip.com/ https://sun6-22.userapi.com/c909618/u52355237/docs/d26/cc55b2954aea/crypted.bmp?extra=xLNs08HOc2FVnDJsDb3fD8GFoFKmCU7QJz_fRbm4cuX-Ud8sbS3ZYM4raB86hLMg30wxZWxsHLUDDk07eXkgw1zAbBCXdaTfzZ9SmqURbHH51SmXU4eNGjrBU_f7Jo6Q2J1vJSYawZTYv0pt https://msdl.microsoft.com/download/symbols/index2.txt https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb https://yip.su/RNWPd.exe https://diplodoka.net/976b26ee384bf2dcf27abfc3b8d028eb/7a54bdb20779c4359694feaa1398dd25.exe https://sun6-22.userapi.com/c909518/u52355237/docs/d5/1aa2c5f38718/test23.bmp?extra=9FhCUwRY0gis9rghwSNws5CZNzCYS1cFvSzMovIC4R9pgAu6f-6BHFvxk7A3VnUhzurcljGxSjA3h1u1s_urlUUF8X-lH3axsr1NmjA9bVbhXg_8fAna1HNi9FXqmBMzfYbdJ8NBaWlajfQ7 https://vk.com/doc52355237_667363160?hash=90eo1ggSa79KsVZPaYy6x9lScec24zb12wdY8O5unQk&dl=m7LLs87D1wJQyUxzU3MK1qZzpMIcxisi2LpUtD1jlOs&api=1&no_preview=1#test22 https://dzen.ru/?yredirect=true https://sun6-23.userapi.com/c235131/u52355237/docs/d29/9072feeb59e1/2.bmp?extra=anTEO8FrVGu00Q5VjCfBzfV6wA1wHhJ4v3kJhx0qWWZQbBF7ZjM9pGJCaiS-ZPprUSRJiLz6BgcrTKyf9D1xg2NvZAKTna40r0l84UKOHs6o-eobD5J99sFFPZGpyzmim2vkG5mjF5IJtf23 https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyykJNODYDpIHqhOifsHXhwJQmK8zndb5lyvjBtQuk9jZeMf94g9TWw4WX1eVNV9XYlWLO5icg https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 
https://sun6-22.userapi.com/c909218/u52355237/docs/d42/60d05adee2f0/WWW11_32.bmp?extra=C65rMG9a2ZLgS4-qRwSgkiSxHJ3RAaH3KFKeI6EmSeeje_84SPUwWXjC_3sPq8LlWHKSPAXwi3EVIIkD0RFllrJ7VuliWNF78K0_YqEAepb9uoFHLsXGRl9gQ5Yenv5OHgw81aIn24dCy__n https://vk.com/doc828628200_671409039?hash=0yEYLUUztkFa1eCd0vT01xEQlMXCn20q2EbUpZXcuIP&dl=Mz4XiECwpxCz6uTiBkS3szJG5kfAHZDNnQub6U5y8Do&api=1&no_preview=1 https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://sun6-23.userapi.com/c909518/u52355237/docs/d59/b2220ffab81c/d432j89adg.bmp?extra=fPb2B9ko9Mhx2DzFJ1UkjS4bmg5SfYI4NNWBqcF0aiYSAU5AZdPLvdhQqhn8ujfkWsa5z86DgnzoIkQaGeBFjxxg_BisIc9O5Kwa1JhnN-RSdiZG-vmmpRjn_ZaVPz_ccs1EJjKOIIEUE1Ns https://sun6-20.userapi.com/c237231/u52355237/docs/d30/24459ebe9485/crypted.bmp?extra=G9O9Z5VhCwn1IjHZMEeC96bT7TZPJN8bQD-u_isK9maVUv8bgsaMkkehRuoCWJvCMzxY1RJKKn6oA1e40Wf5bbv_o9I-NxdvV3Mk7krC79T7DX_qSTi5qr4ZLmbvRGkLp-Bll9JOEJ1Kahsn https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywL3WvaP67WC1xBgQHpszVeSkZSzqgvgWBUNZ5eG5Ei8Y5pss0d4jN2xMG0ZtU8qv0vxabvug&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1291519739%3A1698225333762439 https://vk.com/doc52355237_667352314?hash=zEDslzmi2iqzNrxct8lDgzwviJyAQH0HNgf3d1Rmh6P&dl=fusKtwAsyn4UnIwHaxljeG8aYAZah7k5j7DwacWhYAc&api=1&no_preview=1#cryp https://sso.passport.yandex.ru/push?uuid=b4b5387a-4dc9-40ae-a50c-088ac025b446&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://vk.com/doc52355237_667345691?hash=b2GSJerzQ21MGzq3fbxSH4ZU7wFsRgdMXupM5JVGGe8&dl=CHVE21CiJhK5KnfhOr6bKYBVGnvTZozjOitXlACAFDc&api=1&no_preview=1#rise https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self 
https://sun6-21.userapi.com/c909218/u828628200/docs/d43/026941298ed6/a.bmp?extra=9KmCzHW6FEZN4c_hjWXF-FgWhxDqAhwzrh1sL_mdkgUFjkoB_oENhSPtaYj_XCrlpK5zdeuq4i-I9q8tGp5lrf4wvZp6ESTPthD-L5d66fICr_NCQ0Jh4CWCK83G052Fl_ju4E8t7KE5wq0g8Q https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=JmV9CYXdjSQ9qTNp1k5Pntqf0mOYcgNbYjV92kz0qm4%3D&spr=https&se=2023-10-26T09%3A12%3A04Z&rscl=x-e2eid-dfe33115-46c74920-9c682d65-9c3d827d-session-005fb60a-442d420e-a210e886-3c4ce8d3 https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716 https://vk.com/doc52355237_667299917?hash=ZBXZXgvR0VGrrHhRL8ouG0pmaOgq5CMqSVSg07KQ3kD&dl=VP4eeCrZnI7ZSJlYk7MTGWNlWtWgIwQmPzfjoXznkSD&api=1&no_preview=1#ww11 https://api.2ip.ua/geo.json https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
|
153
neuralshit.net(104.21.6.10) - malware db-ip.com(104.26.4.15) telegram.org(149.154.167.99) lakuiksong.known.co.ke(146.59.70.14) - malware vanaheim.cn(84.201.152.220) - malicious t.me(149.154.167.99) - malicious ipinfo.io(34.117.59.81) gobo04fc.top(85.143.220.63) accounts.google.com(142.250.206.205) sun6-23.userapi.com(95.142.206.3) - malicious galandskiyher5.com(95.214.26.34) - malware potatogoose.com(104.21.35.235) - malware www.snipes.com(104.16.223.69) dzen.ru(62.217.160.2) insuport.com(69.90.162.0) api.2ip.ua(104.21.65.24) steamcommunity.com(104.75.41.21) - malicious iplogger.org(148.251.234.83) - malicious laubenstein.space() - malicious jamesjordan.top() - malware twitter.com(104.244.42.129) msdl.microsoft.com(204.79.197.219) yip.su(172.67.169.89) - malicious cdn.discordapp.com(162.159.135.233) - malware sun6-20.userapi.com(95.142.206.0) - malicious api.db-ip.com(172.67.75.166) server13.thestatsfiles.ru(185.82.216.96) sun6-21.userapi.com(95.142.206.1) - malicious a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru(185.82.216.96) lrefjviufewmcd.org(91.215.85.209) - malware pool.hashvault.pro(131.153.76.130) - malicious walkinglate.com(104.21.23.184) - malware stun2.l.google.com(74.125.197.127) diplodoka.net(172.67.217.52) - malware experiment.pw(104.21.34.37) - malware www.nakedcph.com(104.16.129.120) ssl.gstatic.com(142.250.206.227) api.ip.sb(172.67.75.172) www.sivasdescalzo.com(104.18.233.222) iplogger.com(148.251.234.93) - malicious gons3fc.top(85.143.220.63) colisumy.com(181.170.86.159) - malware zexeq.com(123.213.233.131) - malware octocrabs.com(104.21.21.189) - malicious vsblobprodscussu5shard58.blob.core.windows.net(20.150.70.36) vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36) yandex.ru(5.255.255.70) net.geo.opera.com(107.167.110.216) iplis.ru(148.251.234.93) - malicious www.google.com(142.250.76.132) www.maxmind.com(104.18.145.235) sun6-22.userapi.com(95.142.206.2) - malicious pastebin.com(104.20.67.143) - malicious 
flyawayaero.net(172.67.216.81) - malware grabyourpizza.com(172.67.197.174) - malware vk.com(87.240.132.67) - malicious sso.passport.yandex.ru(213.180.204.24) api.myip.com(104.26.8.59) lycheepanel.info(104.21.32.208) - malware 148.251.234.93 - malicious 85.217.144.143 - malware 62.122.184.92 - malicious 62.217.160.2 85.143.220.63 - malware 149.154.167.99 - malicious 193.42.32.118 - malicious 172.67.75.163 172.67.187.122 - malware 83.97.73.44 142.250.76.132 185.82.216.96 176.113.115.84 - malicious 104.21.35.235 104.16.222.69 104.75.41.21 - malicious 121.254.136.9 74.125.197.127 49.12.116.189 45.143.201.238 - malicious 87.240.132.78 - malicious 109.107.182.2 - malware 171.22.28.236 - malicious 194.169.175.128 - malicious 162.159.135.233 - malware 84.201.152.220 87.240.129.133 - malicious 193.233.255.73 - malicious 104.244.42.129 - suspicious 104.21.65.24 104.21.34.37 - phishing 171.22.28.226 - malware 87.240.132.67 - malicious 171.22.28.221 - malware 104.26.8.59 104.21.6.10 - malware 104.18.233.222 194.169.175.233 - malware 181.170.86.159 95.142.206.3 - malicious 95.142.206.2 - malicious 95.142.206.1 - malicious 95.142.206.0 - malicious 172.67.217.52 - malware 104.21.93.225 - phishing 104.21.90.82 - malware 80.66.75.77 - malicious 69.90.162.0 142.250.204.35 104.18.145.235 95.214.26.34 77.91.124.1 - malware 104.20.68.143 - malicious 20.150.70.36 94.142.138.113 - malicious 104.26.5.15 208.67.104.60 - malicious 131.153.76.130 - malicious 80.66.75.4 - malicious 104.26.12.31 104.21.79.77 - phishing 77.91.124.86 176.113.115.135 - malicious 176.113.115.136 - malicious 185.172.128.69 - malware 45.15.156.229 - malicious 172.67.216.81 - malware 91.215.85.209 - malicious 107.167.110.211 172.67.139.220 146.59.70.14 - malware 104.21.23.184 - malware 104.16.128.120 123.213.233.131 172.67.167.220 - malware 5.42.65.101 - malicious 5.255.255.70 104.20.67.143 - malicious 213.180.204.24 142.251.130.13 20.150.79.68 34.117.59.81 104.21.21.189 148.251.234.83 185.225.75.171 - malicious 
204.79.197.219 77.232.38.234 - malicious 23.200.75.26 104.21.32.208 - malware 172.67.197.174 23.200.75.28 104.21.78.56 - malware 91.103.252.189 - malware 171.22.28.213 - malware
|
51
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 19 SURICATA Applayer Mismatch protocol both directions ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Executable Download from dotted-quad Host ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious services.exe in URI ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.pw domain - Likely Hostile ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) 
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Possible EXE Download From Suspicious TLD ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET INFO Dotted Quad Host ZIP Request
|
29
http://171.22.28.226/download/WWW14_64.exe http://109.107.182.2/race/bus50.exe http://zexeq.com/test2/get.php http://colisumy.com/dl/build2.exe http://85.217.144.143/files/My2.exe http://185.172.128.69/newumma.exe http://45.15.156.229/api/firegate.php http://zexeq.com/files/1/build3.exe http://171.22.28.221/files/Ads.exe http://94.142.138.113/api/tracemap.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://galandskiyher5.com/downloads/toolspub1.exe http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://77.91.124.1/theme/index.php http://45.15.156.229/api/tracemap.php http://176.113.115.84:8080/4.php http://193.233.255.73/loghub/master http://94.142.138.113/api/firegate.php http://171.22.28.221/files/Random.exe http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe https://experiment.pw/setup294.exe https://pastebin.com/raw/HPj0MzD6 https://pastebin.com/raw/xYhKBupz https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT
8972 |
2023-10-26 10:40
|
foto1661.exe 7613290b26555e6b7b16131d17331960 Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check .NET E Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
25
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524 http://77.91.68.249/fuza/2.ps1 http://193.233.255.73/loghub/master - rule_id: 37500 http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.68.249/fuza/foto1661.exe http://77.91.68.249/fuza/tus.exe http://77.91.68.249/fuza/nalo.exe - rule_id: 37525 http://77.91.68.249/fuza/nalo.exe http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/index.php - rule_id: 37040 http://77.91.124.1/theme/index.php https://accounts.google.com/generate_204?KIpSmg https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/generate_204?x9IqeA https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn https://www.google.com/favicon.ico 
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
14
www.youtube.com(172.217.25.174) - malicious ssl.gstatic.com(142.250.206.227) www.facebook.com(157.240.215.35) accounts.google.com(142.250.206.205) www.google.com(142.250.76.132) 142.250.204.36 142.251.220.14 216.58.200.237 77.91.124.86 216.58.203.67 193.233.255.73 - malicious 77.91.124.1 - malware 157.240.215.35 77.91.68.249 - malware
|
18
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO PS1 Powershell File Request ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
6
http://77.91.68.249/fuza/2.ps1 http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.68.249/fuza/nalo.exe http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/index.php
|
24.8 |
|
40 |
ZeroCERT
8973 |
2023-10-26 10:41
|
HTMLIECachesBrowser.dOC a08ca8e6fd0e7002499434aa2547d160 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c http://94.156.253.236/jajajjajapapapappanananan.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware 94.156.253.236 - malicious 104.21.45.138 - malware 23.32.56.72
|
2
ET INFO Dotted Quad Host VBS Request SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
29 |
ZeroCERT
8974 |
2023-10-26 10:43
|
HTMLEVENbrowser.dOC 8ff3248ebdfa3b7dd737f7bee9b9dae6 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c http://185.254.37.174/eveningFile.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware 121.254.136.18 185.254.37.174 - malicious 104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
29 |
ZeroCERT
8975 |
2023-10-26 13:23
|
eveningFile.vbs 088dd62ff5ed6d7e15caab5a0bb62f10 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
8976 |
2023-10-26 13:23
|
jajajjajapapapappanananan.vbs 7e9d44a6c4367491ad178bf62548f136 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://94.156.253.236/yeyesyesyeys.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 121.254.136.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
3 |
ZeroCERT
8977 |
2023-10-26 17:12
|
HTMLcacheIEsession.dOC 55588a5b96ec028485a99a5bcd648d0e MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226) - malicious 45.33.42.226 - malicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA Applayer Wrong direction first Data
|
|
2.8 |
M |
30 |
ZeroCERT
8978 |
2023-10-26 17:14
|
updates_installer.exe 898cb4fca84ad5e7009d15b2ec04f3a6 UPX Malicious Library Http API ScreenShot Internet API AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Ransomware Lumma Stealer Windows Browser ComputerName Firmware Cryptographic key |
1
|
4
newsproks.fun(172.67.203.23) whitecatcorn.com(8.29.155.210) 172.67.203.23 8.29.155.210
|
4
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
|
15.8 |
|
34 |
ZeroCERT
8979 |
2023-10-26 17:16
|
pvtHTMLbroswer.dOC 541a8be00b26a27ed851731d47a0ae31 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://185.254.37.174/privateexploiteveningFile.vbs http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
uploaddeimagens.com.br(104.21.45.138) - malware 182.162.106.32 185.254.37.174 - malicious 104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.2 |
M |
30 |
ZeroCERT
8980 |
2023-10-26 17:20
|
privateexploiteveningFile.vbs 5dc2c5a74a18f3b1e8d24101e8bac3cc Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
8981 |
2023-10-26 17:21
|
HTMLcachesIE.vbs b70068430fab03962b3fe2d15588c894 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://192.3.64.154/windows/HTR.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 23.67.53.17
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
8982 |
2023-10-26 17:22
|
VIBINVES.vbs 0b92e010b599dc8280e4ab32c1ed02ed Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://193.42.33.121/investorbase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 23.67.53.27
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
2 |
ZeroCERT
8983 |
2023-10-27 10:13
|
obuxu.vbs 136abae59cb3eb697de1c5e20778ecd6 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://193.42.33.51/obm.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 23.32.56.80
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
2 |
ZeroCERT
8984 |
2023-10-27 10:13
|
ereeeeeeeeeeeefereFile.vbs 73d2fd40cb82f20bb3d340720da666d0 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 23.32.56.72
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
8985 |
2023-10-27 10:54
|
bdolsx.vbs 44c457dd13efcd6622b1b6dbab5c1965 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee |
1
|
2
paste.ee(172.67.187.200) - malicious 172.67.187.200 - malicious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
5 |
ZeroCERT
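Every record above (8971 through 8985) uses the same flattened layout: a filename, MD5 and tag list; a count followed by the URLs the sample contacted, some carrying the ET rule_id that fired on them; a count followed by the hosts it resolved, written as domain(ip) or as a bare IPv4 address and optionally followed by "- malware", "- malicious" (spelled "mailcious" in the site's output), "- suspicious" or "- phishing"; and the Suricata signature names. The Python below is an added example, not code from the listing or from the ZeroCERT sandbox, that parses the URL and host fields of such a record into structured indicators and derives a triage list. The field semantics are inferred from the layout and are an assumption; the sample input is a constructed subset of report 8971's host and URL fields.

```python
"""Parse the flattened sandbox-report URL/host fields on this page into IOCs.

Added example, not the site's own code. Assumed layout (inferred from the
rows): URLs separated by spaces, optionally followed by "- rule_id: N";
hosts as "domain(ip)" / "domain()" or bare IPv4, optionally followed by
"- <verdict>" with verdict in malware, malicious ("mailcious" on the site),
suspicious, phishing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

VERDICTS = {
    "malware": "malware",
    "malicious": "malicious",
    "mailcious": "malicious",   # the site's spelling, normalised here
    "suspicious": "suspicious",
    "phishing": "phishing",
}
# "suspicious" is deliberately not a blocking verdict: in report 8971 it is
# attached to 104.244.42.129, which the same row resolves as twitter.com.
BLOCK_VERDICTS = {"malware", "malicious", "phishing"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_RE = re.compile(r"^([A-Za-z0-9.-]+)\(([\d.]*)\)$")   # domain(ip) or domain()


@dataclass(frozen=True)
class Url:
    url: str
    rule_id: Optional[int]      # ET rule id the sandbox attached, if any


@dataclass(frozen=True)
class Host:
    name: str                   # domain, or the IP itself for bare-IP entries
    ip: Optional[str]           # resolved address; None for "domain()"
    verdict: Optional[str]      # normalised verdict; None when the row has none


def parse_url_field(text: str) -> list[Url]:
    """'http://a/x - rule_id: 1 http://b/y' -> [Url(a, 1), Url(b, None)]."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i].startswith(("http://", "https://")):
            out.append(Url(toks[i], None))
            i += 1
        elif toks[i] == "-" and i + 2 < len(toks) and toks[i + 1] == "rule_id:" and out:
            out[-1] = Url(out[-1].url, int(toks[i + 2]))   # attaches to the preceding URL
            i += 3
        else:
            raise ValueError(f"unexpected token in URL field: {toks[i]!r}")
    return out


def parse_host_field(text: str) -> list[Host]:
    """'d(ip) - malware 1.2.3.4 - mailcious e()' -> Host records with verdicts."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        m = HOST_RE.match(toks[i])
        if m:
            out.append(Host(m.group(1), m.group(2) or None, None))
            i += 1
        elif IPV4_RE.match(toks[i]):
            out.append(Host(toks[i], toks[i], None))
            i += 1
        elif toks[i] == "-" and i + 1 < len(toks) and out:
            label = toks[i + 1].lower()
            if label not in VERDICTS:
                raise ValueError(f"unknown verdict label {label!r}")
            out[-1] = Host(out[-1].name, out[-1].ip, VERDICTS[label])  # attaches to the preceding host
            i += 2
        else:
            raise ValueError(f"unexpected token in host field: {toks[i]!r}")
    return out


def defang(value: str) -> str:
    """Make a URL or host safe to paste into a ticket or chat."""
    return value.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


def triage(host_text: str, url_text: str) -> dict[str, list[str]]:
    """Block-worthy domains and bare IPs, plus the URLs an ET rule fired on.

    Domains are listed by name only; their resolved IPs are not added because
    most on this page are shared CDN edges (104.21.x / 172.67.x are Cloudflare)
    and blocking those would take down unrelated sites. Hosts with no verdict
    (accounts.google.com, msdl.microsoft.com, ...) are sandbox noise and dropped.
    """
    bad = [h for h in parse_host_field(host_text) if h.verdict in BLOCK_VERDICTS]
    return {
        "domains": sorted({h.name for h in bad if not IPV4_RE.match(h.name)}),
        "ips": sorted({h.name for h in bad if IPV4_RE.match(h.name)}),
        "flagged_urls": sorted(u.url for u in parse_url_field(url_text) if u.rule_id is not None),
    }


# Constructed sample: a subset of the host and URL fields of report 8971 above.
SAMPLE_HOSTS = ("neuralshit.net(104.21.6.10) - malware db-ip.com(104.26.4.15) "
                "laubenstein.space() - mailcious 104.21.34.37 - phishing "
                "104.244.42.129 - suspicious 142.250.76.132 accounts.google.com(142.250.206.205)")
SAMPLE_URLS = ("http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 "
               "http://49.12.116.189/upload.zip https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403")

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_HOSTS, SAMPLE_URLS).items():
        print(kind, [defang(x) for x in items])
```

The "- verdict" token always qualifies the host immediately before it, which is the one thing that is easy to misread in the space-separated rows; the parser encodes that rule and rejects anything else, so a row whose layout differs from the one assumed here fails loudly instead of silently producing a wrong blocklist. A flagged URL on a shared service (pastebin.com, vk.com, the userapi.com CDN in 8971) should be blocked as the full URL or path, not as the domain, which is why triage keeps flagged URLs separate from the domain list.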