| 9046 |
2023-11-03 18:16
|
 latestrock.exe 0bddfbdc76418c7fc877a5a11013dfee
Generic Malware NSIS Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE File PE32 .NET EXE PNG Format OS Processor Check ZIP Format JPEG Format BMP Format CHM Format DLL icon PE64 CAB MZP Format Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Ransomware DNS |
|
2
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
|
|
11.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9047 |
2023-11-03 18:16
|
 IGCC.exe 3e00f6658bc36989fe775244acce3cd0
LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(104.237.62.212)
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9048 |
2023-11-03 18:29
|
 Amadey.exe 5d0310efbb0ea7ead8624b0335b21b7b
Amadey RedLine stealer Browser Login Data Stealer RedlineStealer RedLine Infostealer Gen1 Emotet Generic Malware Hide_EXE Malicious Library UPX Malicious Packer .NET framework(MSIL) ScreenShot PWS Anti_VM Javascript_B Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check human activity check installed browsers check Kelihos Tofsee Stealc Stealer Windows Update Browser ComputerName Trojan DNS Cryptographic key Software crashed Downloader |
65
http://185.196.8.176/7jshasdS/index.php?scr=1 - rule_id: 37683
http://5.182.86.30/TEST32.exe
http://185.196.8.176/7jshasdS/index.php - rule_id: 37683
http://193.233.255.73/loghub/master - rule_id: 37500
http://185.196.8.176/7jshasdS/Plugins/clip64.dll - rule_id: 37685
http://167.235.20.126/bjdm32DP/index.php - rule_id: 37786
http://167.235.20.126/bjdm32DP/index.php?scr=1 - rule_id: 37786
http://171.22.28.213/build2.exe
http://185.196.8.176/7jshasdS/Plugins/cred64.dll - rule_id: 37684
http://171.22.28.213/TEST32.exe
http://109.107.182.2/race/lom30.exe
http://77.91.124.1/theme/index.php - rule_id: 37040
https://www.google.com/favicon.ico
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Regular.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/css/login.css?v=0H1th98etnSV&l=english&_cdn=cloudflare
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&load=effects,controls,slider,dragdrop
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&_cdn=cloudflare
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
https://fonts.googleapis.com/css?family=Roboto:400,500
https://fonts.gstatic.com/s/youtubesans/v22/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Bold.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Fd2aj_zaBVQV&l=english&_cdn=cloudflare
https://static-assets-prod.unrealengine.com/account-portal/static/static/js/main.10a25667.chunk.js
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=RL7hpFRFPE4A&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
https://www.youtube.com/
https://accounts.google.com/generate_204?dap48w
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Thin.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&_cdn=cloudflare
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://www.epicgames.com/id/login
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Medium.ttf?v=4.015
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=uR_4hRD_HUln&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://static-assets-prod.unrealengine.com/account-portal/static/static/js/3.520a7eda.chunk.js
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://accounts.google.com/_/bscframe
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=E78TCC6Eu4d1&l=english&_cdn=cloudflare
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywXMRymWtXksqblJvlUYJFlJpIBYOvVGbAuX2Ek1p_KKsKWal2mSwVOyZ7Kxhsq7qREHNHDmw
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
https://steamcommunity.com/openid/loginform/
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-RegularItalic.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=F9Ougyu-CyG3&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Light.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=eYJYuhv32ILn&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/css/skin_1/home.css?v=-6qQi3rZclGf&l=english&_cdn=cloudflare
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzuEIb-UEcUXM-N1dV2w2UTTKTYT6Y4L2bfCbNf3HMq8VmgW-zlcvm_lgIXTMSD6nIc8SElCQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-771307111%3A1699002903738664
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=3Pb1f2YLp788&l=english&_cdn=cloudflare
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://static-assets-prod.unrealengine.com/account-portal/static/epic-favicon-96x96.png
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/javascript/login.js?v=gYtbaAKt6bwQ&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare
|
41
www.paypal.com(151.101.193.21)
ssl.gstatic.com(142.250.207.99)
www.google.com(142.250.76.132)
store.steampowered.com(23.40.44.77)
steamcommunity.com(104.76.78.101) - mailcious
www.youtube.com(172.217.175.238) - mailcious
fonts.googleapis.com(142.251.222.42)
api.ipify.org(173.231.16.77)
static-assets-prod.unrealengine.com(18.64.8.108)
twitter.com(104.244.42.65)
accounts.google.com(142.250.206.205)
community.cloudflare.steamstatic.com(172.64.145.151)
fonts.gstatic.com(142.250.207.99)
www.epicgames.com(34.198.71.3)
149.40.62.171
142.250.207.99
23.40.44.77
167.235.20.126 - malware
18.64.8.109
77.91.124.1 - malware
64.185.227.156
193.233.255.73 - mailcious
104.244.42.129 - suspicious
142.250.76.132
142.251.222.42
85.209.176.171
172.64.145.151
77.91.124.86
194.169.175.118 - mailcious
194.169.175.235
185.196.9.171 - mailcious
192.229.232.89
142.250.206.205 - suspicious
142.250.207.46
171.22.28.239 - mailcious
104.76.78.101 - mailcious
5.182.86.30
185.196.8.176 - malware
54.175.89.124
109.107.182.2 - malware
171.22.28.213 - malware
|
26
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey Bot Activity (POST) M1
ET INFO Dotted Quad Host DLL Request
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey Bot Activity (POST)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO TLS Handshake Failure
|
8
http://185.196.8.176/7jshasdS/index.php
http://185.196.8.176/7jshasdS/index.php
http://193.233.255.73/loghub/master
http://185.196.8.176/7jshasdS/Plugins/clip64.dll
http://167.235.20.126/bjdm32DP/index.php
http://167.235.20.126/bjdm32DP/index.php
http://185.196.8.176/7jshasdS/Plugins/cred64.dll
http://77.91.124.1/theme/index.php
|
25.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9049 |
2023-11-04 10:53
|
 TEST32.exe 993c85b5b1c94bfa3b7f45117f567d09
Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Check memory buffers extracted IP Check installed browsers check Tofsee Ransomware Browser Email ComputerName Trojan Banking DNS |
|
3
api.ipify.org(64.185.227.156)
149.40.62.171
64.185.227.156
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
|
|
12.0 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9050 |
2023-11-05 12:38
|
HTMLieBrowserHistoryIE.dOC a8bbff822a016aa570f55c4986ed8946
MS_RTF_Obfuscation_Objects RTF File doc buffers extracted exploit crash unpack itself Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226) - mailcious
45.33.42.226 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
|
|
2.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9051 |
2023-11-06 09:40
|
 whesilozx.exe a117d7af8f85cacb310671b834482605
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed keylogger |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9052 |
2023-11-06 09:41
|
 s5.exe e4c5c50d9c573109411348e4c7f79dd8
Malicious Library UPX Http API HTTP Internet API AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS |
8
http://85.209.11.204/api/files/client/s54
http://85.209.11.204/api/files/client/s51
http://85.209.11.204/ip.php
http://85.209.11.204/api/files/client/s53
http://85.209.11.204/api/files/client/s52
http://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000¶m=empty
https://script.google.com/macros/s/AKfycbzq1CWyl36rt9O8a0Zlm5Z6LRB2igbns3CkTay10UBerGZv4zl389I1MOMTE8g-CKY/exec?xfgnxfgn&stream=5&ip=175.208.134.152&slots=0000¶m=empty
https://script.googleusercontent.com/macros/echo?user_content_key=rq3I6Pvq31ESr42SRVFCcH8cBMrOvGfc9LjrAFAjXKqooXQVZnHoVSKZ49ywNUr7mn_h-t_4xp16ZbQUh0u7vYizKKleUSwSOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa0CRDStSlAiWe9EsIf9E4ZPsnymwtpgwALY3ZEKNbUPKTwCm-q5YBdK9ax9ulRNROyEZlBVHKdgUzc9XRB8G-pFIaTITfR7fJ9yLw_QwlOLh3sVTfjuTogDzV_l7Cl_ErHbadLHwSTw0RLfCUlcjW3aqDyDBdoyuR54_mWWztr2JN0ZmedBznvo&lib=MGiFI8QOoThWusP0Kv6sJRfccXc-Ar0ZC
|
5
script.google.com(142.250.206.238)
script.googleusercontent.com(142.250.206.225)
85.209.11.204
172.217.24.78
142.251.220.33
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.4 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9053 |
2023-11-06 09:43
|
 MMkNn.exe 576ea37ddee70b9062761e4bcc0c6a64
RedLine Infostealer UltraVNC Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows DNS Cryptographic key crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
transfer.sh(144.76.136.153) - malware
121.254.136.9
144.76.136.153 - mailcious
|
5
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
|
|
4.0 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9054 |
2023-11-06 09:45
|
 governorzx.exe 45ab39f2cc353535047f5a5d4e8bcbd1
LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed |
|
4
webmail.euroschool-bg.com(185.119.88.77)
api.ipify.org(173.231.16.77)
185.119.88.77 - mailcious
104.237.62.212
|
6
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil Via SMTP
|
|
12.4 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9055 |
2023-11-06 09:51
|
 defounderzx.exe 2ed10c1ecb18c82e28180b08eb96fbc2
LokiBot .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Discord Browser Email ComputerName DNS crashed keylogger |
1
https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR
|
2
discordapp.com(162.159.130.233) - mailcious
162.159.129.233 - malware
|
3
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9056 |
2023-11-06 14:10
|
 defounderzx.exe 2ed10c1ecb18c82e28180b08eb96fbc2
AgentTesla .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Discord Browser Email ComputerName DNS crashed keylogger |
2
https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR - rule_id: 37996
https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR
|
3
discordapp.com(162.159.135.233) - mailcious
185.174.174.220 - phishing
162.159.134.233 - malware
|
3
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR
|
11.4 |
|
|
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9057 |
2023-11-06 14:17
|
 whesilozx.exe a117d7af8f85cacb310671b834482605
AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
3
cp5ua.hyperhost.ua(91.235.128.141)
162.159.134.233 - malware
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
|
|
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9058 |
2023-11-07 07:46
|
 Services.exe d9ce98a0b0029d26876ac86409bac27e
UPX VMProtect PE File PE32 Malware download Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces IP Check PrivateLoader Tofsee DNS crashed |
9
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://94.142.138.131/api/firecom.php - rule_id: 36179
https://sso.passport.yandex.ru/push?uuid=17ee63be-a01d-4351-b836-3f7809d3449d&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://dzen.ru/?yredirect=true
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
|
24
db-ip.com(172.67.75.166)
www.maxmind.com(104.18.146.235)
ipinfo.io(34.117.59.81)
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
yandex.ru(5.255.255.70)
api.db-ip.com(104.26.4.15)
dzen.ru(62.217.160.2)
ironhost.io(104.21.57.237)
sso.passport.yandex.ru(213.180.204.24)
149.154.167.99 - mailcious
213.180.204.24
172.67.75.166
172.67.193.129
104.18.146.235
94.142.138.131 - mailcious
121.254.136.18
62.217.160.2
91.92.243.151 - mailcious
34.117.59.81
104.244.42.1 - suspicious
104.26.5.15
5.255.255.70
125.253.92.50
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
|
3
http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://94.142.138.131/api/firecom.php
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9059 |
2023-11-07 07:47
|
 arinzezx.exe 0fbfa908ef2e4abb29788d67bcc9c736
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9060 |
2023-11-07 07:53
|
 damianozx.exe 7cfd00516e3d24c4b1227d6754f0aafa
PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156)
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|