17326 |
2023-06-07 13:34
|
Install_pass1234.7z 21c1b0f8d03d57065b96c639b518886d PWS[m] Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download VirusTotal Malware c&c suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser DNS plugin |
23
http://5.42.199.15/7381b0eb2134edfd/msvcp140.dll
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://5.42.199.15/7381b0eb2134edfd/sqlite3.dll
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://85.208.136.10/api/firegate.php - rule_id: 32663
http://5.42.199.15/14387668e1174a87.php - rule_id: 34035
http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
http://5.42.199.15/7381b0eb2134edfd/softokn3.dll
http://5.42.199.15/7381b0eb2134edfd/nss3.dll
http://5.42.199.15/7381b0eb2134edfd/vcruntime140.dll
http://www.maxmind.com/geoip/v2.1/city/me
http://5.42.199.15/7381b0eb2134edfd/mozglue.dll
http://194.169.175.124:3002/ - rule_id: 34039
http://83.97.73.128/gallery/photo430.exe - rule_id: 34041
http://85.208.136.10/api/tracemap.php - rule_id: 32662
http://5.42.199.15/7381b0eb2134edfd/freebl3.dll
https://vk.com/doc228185173_661153352?hash=xdfz7khDaKTZuZfc6eD4kR51HKXjFRBzEoWcJb9wBhL&dl=Pr7rOMXa0zgLcM5qJA9Lq5jiCwQPKFqjLmym9agLrzz&api=1&no_preview=1
https://sun6-22.userapi.com/c235131/u228185173/docs/d18/dcefed7742fe/stcr.bmp?extra=4cMjfsrflUnXqTTqcGy751WstwtljmtnZqSkHC6RZDy1n2v9t-pL7VgO6HA-9WXpkbUJzdkxTDPBcX-hOAbII9gt79CQLL7ldZtFjYp6g0gjQIpYUrezqnYQwJROQ7WCK9Y4yNSKOrSY61YE8g
https://vk.com/doc228185173_661170695?hash=0L1uaqPVMU921w2pmJcrwQkDyu94h0wjzS3p0ld9R4D&dl=kstr1dyAL1ZXBFBl1qg66UJerdx2DZWJ9uOQs1kXZ0T&api=1&no_preview=1#str
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://sun6-23.userapi.com/c235031/u228185173/docs/d2/fa132fba0b7e/buddha.bmp?extra=gRm798kslBaPtRgOAU2D2epFH3ralLJDqzZ37rqKiRAkxV_ocXkFtXAJpSKj_NRdFtLsl280XXYcBIyXTXGXiParMUQ3ahHzvY62RCjMY4tY-vBPNA-1yTJAtku6p8bfbfR3TR-8eYavxErefA
https://sun6-21.userapi.com/c240331/u800513317/docs/d20/47ed28b3afbb/PMp123a.bmp?extra=1mMgqmSMjVjqw0R3iI2gcBuuz3j4HzJcVCwS6ZNN2RNLYRVBKnzkbEX3B3wTBN6X_tUum6G61hOC4Wim4Ef_V6rIdysx5OFZk3o_ZAxk7zo8YiNEOrmKxi_YMgNjUlPEjLd8VxkUWVxlSLN7Cw
|
35
db-ip.com(104.26.4.15)
iplis.ru(148.251.234.93) - malicious
hugersi.com(91.215.85.147) - malware
ji.jahhaega2qq.com(104.21.18.146) - malware
iplogger.org(148.251.234.83) - malicious
sun6-23.userapi.com(95.142.206.3)
sun6-21.userapi.com(95.142.206.1) - malicious
ipinfo.io(34.117.59.81)
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.17.215.67)
vk.com(87.240.132.78) - malicious
api.db-ip.com(172.67.75.166)
148.251.234.93 - malicious
104.17.215.67
83.97.73.128 - malware
91.215.85.147 - malware
87.240.129.133 - malicious
104.26.5.15
172.67.75.166
157.254.164.98 - malicious
34.117.59.81
172.67.182.87 - malware
148.251.234.83
45.12.253.74 - malware
5.42.199.15 - malicious
194.169.175.124 - malware
104.17.214.67
45.15.156.229 - malicious
104.26.4.15
147.135.231.58
163.123.143.4 - malicious
95.142.206.1 - malicious
95.142.206.3
85.208.136.10 - malicious
95.142.206.2
|
31
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
|
8
http://hugersi.com/dl/6523.exe
http://45.15.156.229/api/tracemap.php
http://85.208.136.10/api/firegate.php
http://5.42.199.15/14387668e1174a87.php
http://ji.jahhaega2qq.com/m/p0aw25.exe
http://194.169.175.124:3002/
http://83.97.73.128/gallery/photo430.exe
http://85.208.136.10/api/tracemap.php
|
6.2 |
M |
7 |
ZeroCERT
|
17327 |
2023-06-07 13:23
|
File_pass1234.7z 5dadedcd20637db80749292fb8d55eb8 PWS[m] Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser DNS plugin |
22
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://5.42.199.15/7381b0eb2134edfd/mozglue.dll
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://5.42.199.15/7381b0eb2134edfd/sqlite3.dll
http://83.97.73.128/gallery/photo430.exe
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://5.42.199.15/7381b0eb2134edfd/softokn3.dll
http://5.42.199.15/14387668e1174a87.php
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://5.42.199.15/7381b0eb2134edfd/msvcp140.dll
http://5.42.199.15/7381b0eb2134edfd/nss3.dll
http://5.42.199.15/7381b0eb2134edfd/vcruntime140.dll
http://www.maxmind.com/geoip/v2.1/city/me
http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
http://5.42.199.15/7381b0eb2134edfd/freebl3.dll
https://vk.com/doc228185173_661153352?hash=xdfz7khDaKTZuZfc6eD4kR51HKXjFRBzEoWcJb9wBhL&dl=Pr7rOMXa0zgLcM5qJA9Lq5jiCwQPKFqjLmym9agLrzz&api=1&no_preview=1
https://sun6-21.userapi.com/c240331/u800513317/docs/d20/47ed28b3afbb/PMp123a.bmp?extra=1mMgqmSMjVjqw0R3iI2gcBuuz3j4HzJcVCwS6ZNN2RNLYRVBKnzkbEX3B3wTBN6X_tUum6G61hOC4Wim4Ef_V6rIdysx5OFZk3o_ZAxk7zo8YiNEOruMxi_YMgNjUlPEjLJ4UUoWDFhjTbV6Dw
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://vk.com/doc228185173_661170695?hash=0L1uaqPVMU921w2pmJcrwQkDyu94h0wjzS3p0ld9R4D&dl=kstr1dyAL1ZXBFBl1qg66UJerdx2DZWJ9uOQs1kXZ0T&api=1&no_preview=1#str
https://sun6-22.userapi.com/c235131/u228185173/docs/d18/dcefed7742fe/stcr.bmp?extra=4cMjfsrflUnXqTTqcGy751WstwtljmtnZqSkHC6RZDy1n2v9t-pL7VgO6HA-9WXpkbUJzdkxTDPBcX-hOAbII9gt79CQLL7ldZtFjYp6g0gjQIpYUrW1qnYQwJROQ7WCK449ndiDPLfKulQEoA
https://sun6-23.userapi.com/c235031/u228185173/docs/d2/fa132fba0b7e/buddha.bmp?extra=gRm798kslBaPtRgOAU2D2epFH3ralLJDqzZ37rqKiRAkxV_ocXkFtXAJpSKj_NRdFtLsl280XXYcBIyXTXGXiParMUQ3ahHzvY62RCjMY4tY-vBPNA2zyTJAtku6p8bfbfF4HR24eICvwk-NIg
|
34
db-ip.com(104.26.5.15)
iplis.ru(148.251.234.93) - malicious
hugersi.com(91.215.85.147) - malware
ji.jahhaega2qq.com(172.67.182.87) - malware
iplogger.org(148.251.234.83) - malicious
sun6-23.userapi.com(95.142.206.3)
sun6-21.userapi.com(95.142.206.1) - malicious
ipinfo.io(34.117.59.81)
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.17.215.67)
vk.com(87.240.137.164) - malicious
api.db-ip.com(104.26.5.15)
148.251.234.93 - malicious
104.17.215.67
83.97.73.128 - malware
91.215.85.147 - malware
172.67.75.166
157.254.164.98 - malicious
34.117.59.81
148.251.234.83
45.12.253.74 - malware
5.42.199.15
194.169.175.124 - malware
104.17.214.67
45.15.156.229 - malicious
104.26.4.15
147.135.231.58
163.123.143.4 - malicious
95.142.206.1 - malicious
95.142.206.3
95.142.206.2
87.240.132.72
104.21.18.146
94.142.138.131 - malicious
|
31
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO EXE - Served Attached HTTP
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET INFO TLS Handshake Failure
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
|
5
http://94.142.138.131/api/firegate.php
http://hugersi.com/dl/6523.exe
http://45.15.156.229/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://ji.jahhaega2qq.com/m/p0aw25.exe
|
6.2 |
M |
|
ZeroCERT
|
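Added example, written for this page and not part of the ZeroCERT reports or the sandbox platform: a Python script that parses the host and URL columns of the two Install_pass1234.7z / File_pass1234.7z reports above and reproduces the hunt that the ET HUNTING "HTTP GET Request for <dll> - Possible Infostealer Activity" alerts describe. Stealc does not bundle the browser-credential helper libraries (sqlite3.dll, nss3.dll, freebl3.dll, mozglue.dll, softokn3.dll, vcruntime140.dll, msvcp140.dll); it pulls them from its C2 after check-in, and both reports show 5.42.199.15/7381b0eb2134edfd/ serving all seven. The field formats (name(ip) - tag host lines, url - rule_id: N URL lines) are inferred from the page, the min_dlls grouping threshold is my own choice, and the sample input is a constructed subset of the lists above.

```python
"""Parse sandbox host/URL columns and flag Stealc-style DLL staging.

Added example for the report page, not platform code. Field formats are
inferred from the page; the sample input below is a constructed subset."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: a subset of the report's own host and URL lists.
SAMPLE_HOSTS = """\
db-ip.com(104.26.4.15)
hugersi.com(91.215.85.147) - malware
ji.jahhaega2qq.com(104.21.18.146) - malware
iplogger.org(148.251.234.83) - malicious
5.42.199.15 - malicious
194.169.175.124 - malware
104.17.215.67
"""

SAMPLE_URLS = """\
http://5.42.199.15/7381b0eb2134edfd/msvcp140.dll
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://5.42.199.15/7381b0eb2134edfd/sqlite3.dll
http://5.42.199.15/14387668e1174a87.php - rule_id: 34035
http://5.42.199.15/7381b0eb2134edfd/softokn3.dll
http://5.42.199.15/7381b0eb2134edfd/nss3.dll
http://5.42.199.15/7381b0eb2134edfd/vcruntime140.dll
http://www.maxmind.com/geoip/v2.1/city/me
http://5.42.199.15/7381b0eb2134edfd/mozglue.dll
http://5.42.199.15/7381b0eb2134edfd/freebl3.dll
http://194.169.175.124:3002/ - rule_id: 34039
"""

# Browser-credential helper DLLs that Stealc (and Vidar-style stealers)
# fetch from their C2 instead of bundling; the ET HUNTING rules name each one.
STEALER_DLLS = {"sqlite3.dll", "nss3.dll", "freebl3.dll", "mozglue.dll",
                "softokn3.dll", "vcruntime140.dll", "msvcp140.dll"}

# "name(ip) - tag", "name(ip)", "ip - tag" or a bare ip, one per line.
HOST_RE = re.compile(
    r"^(?P<host>[^\s(]+)(?:\((?P<ip>[\d.]+)\))?(?:\s*-\s*(?P<tag>\w+))?$")


def parse_hosts(text):
    """Return [{'host', 'ip', 'tag'}] for each well-formed host line."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append(m.groupdict())
    return hosts


def parse_urls(text):
    """Return [{'url', 'rule_id'}]; rule_id is None when the URL had no hit."""
    urls = []
    for line in text.splitlines():
        url, _, rule = line.strip().partition(" - rule_id: ")
        if url:
            urls.append({"url": url, "rule_id": int(rule) if rule else None})
    return urls


def flagged_hosts(hosts):
    """Hosts and IPs the report tagged 'malware' or 'malicious', sorted."""
    return sorted(h["host"] for h in hosts
                  if (h["tag"] or "").lower() in ("malware", "malicious"))


def find_stealer_dll_fetches(urls, min_dlls=3):
    """Group DLL requests by (netloc, directory) and return the directories
    that served at least min_dlls of STEALER_DLLS. One host handing out
    several of these from one folder is the Stealc staging pattern; a lone
    vcruntime140.dll download from a CDN is not, hence the threshold."""
    by_dir = defaultdict(set)
    for rec in urls:
        p = urlparse(rec["url"])
        directory, _, name = p.path.rpartition("/")
        if name.lower() in STEALER_DLLS:
            by_dir[(p.netloc, directory + "/")].add(name.lower())
    return {key: sorted(dlls) for key, dlls in by_dir.items()
            if len(dlls) >= min_dlls}


if __name__ == "__main__":
    print("tagged hosts:", flagged_hosts(parse_hosts(SAMPLE_HOSTS)))
    hits = find_stealer_dll_fetches(parse_urls(SAMPLE_URLS))
    for (netloc, directory), dlls in hits.items():
        print(f"stealer DLL staging at http://{netloc}{directory}: "
              + ", ".join(dlls))
```

Run it against the full host and URL columns of either report and the only directory that clears the threshold is the 5.42.199.15 one; the VC runtime DLLs alone would never trip it, which is why the rule groups by directory rather than alerting per file.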
17328 |
2023-06-07 10:31
|
003737.exe d93dd4200d1997c9b734bc2b1de77dc8 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS |
4
http://www.dwcmy.icu/jaux/
http://www.dwcmy.icu/jaux/?RA2Ffnn=dXzChEviWThMepFS/xxtUmXNQtBwn4KvgZ5ardr6ndysj8KT1gjetGIPwrBptW+hnPwvo+gRGgTDVleeJCFvAYnj9Conz55LaaEoVKU=&gLB=QULU5
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip
http://www.brick2theatercompany.org/jaux/?RA2Ffnn=icakqaRty6vlYpraZuLZDt8iqw6TAXaANP93WqO2tXnG28cx2yzbZzs/HE+K7qwLPazhHRQPHP7+Ft+vCQAGl34EUMiC/bZO7D7RKMw=&gLB=QULU5
|
5
www.dwcmy.icu(107.148.132.109)
www.brick2theatercompany.org(184.154.216.162)
107.148.132.109
184.154.216.162
45.33.6.223
|
4
ET INFO DNS Query for Suspicious .icu Domain
ET INFO HTTP POST Request to Suspicious *.icu domain
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.0 |
|
44 |
ZeroCERT
|
17329 |
2023-06-07 10:27
|
batteryacid.dat 179d4849f8d096122d05de3c7bebb4bd UPX Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself crashed |
|
|
|
|
2.0 |
|
10 |
ZeroCERT
|
17330 |
2023-06-07 10:05
|
index.html e66507bcd2afe260f82a61cb981ec964 AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
https://f004.backblazeb2.com/file/QuIOMaOm/03n/June02AP.iso
|
2
f004.backblazeb2.com(149.137.128.16) - malicious
149.137.128.16 - malicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
|
ZeroCERT
|
17331 |
2023-06-07 10:04
|
ud8qQSCc7kEdZKzblmZWqRhCfNo79m... d5b9beaf52a8d268da46a94a6c1b1a4a UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
|
35 |
ZeroCERT
|
17332 |
2023-06-07 09:42
|
ShippingDetails.js e8150ba03200183abce718f6b028b2c3 VirusTotal Malware VBScript AutoRuns WMI heapspray wscript.exe payload download Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS Dropper |
1
http://jemyy.theworkpc.com:5401/Vre
|
3
jemyy.theworkpc.com(109.248.144.235) 109.248.144.235
139.177.146.165
|
|
|
10.0 |
|
9 |
ZeroCERT
|
17333 |
2023-06-07 09:40
|
d35u6pvfsr5oqz.cloudfront.net_... aeba5b78f9353aba278c46c9c820265c Generic Malware Antivirus VirusTotal Malware buffers extracted unpack itself Windows utilities WriteConsoleW Windows Cryptographic key |
|
|
|
|
3.8 |
|
1 |
ZeroCERT
|
17334 |
2023-06-07 09:36
|
update.lnk eb08d873d27b94833e738f0df1d6ed26 Generic Malware Antivirus AntiDebug AntiVM GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
https://d35u6pvfsr5oqz.cloudfront.net/fav.ico
|
|
|
|
6.0 |
|
21 |
ZeroCERT
|
17335 |
2023-06-07 09:26
|
INSYy.wsf 1571f34482e30885cf9ac9ef10df739b Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2
http://141.98.6.105:222/m.txt
http://141.98.6.105:222/r.png
|
1
|
3
ET HUNTING Terse Request for .txt - Likely Hostile
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
ET HUNTING [TW] Likely Hex Executable String
|
|
8.2 |
M |
|
ZeroCERT
|
17336 |
2023-06-07 09:18
|
r.png.ps1 e11a08cea05e73a3949fb5f54137bf06 Hide_EXE Generic Malware Antivirus Anti_VM VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.6 |
|
12 |
ZeroCERT
|
17337 |
2023-06-07 09:16
|
194.169.175.124:3002 5e46335e018a22409430e9b58f8f90a7 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware |
|
|
|
|
1.4 |
M |
35 |
ZeroCERT
|
17338 |
2023-06-07 09:16
|
electronics_and_connectors.pif 582bd6f5d1720c34d07ea51b37b0a15d RAT .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.0 |
M |
37 |
ZeroCERT
|
17339 |
2023-06-07 09:16
|
ebc52250faaaa0e22efe35539b006e... 85f723845b73f7791ecfc84bde974ef7 RAT .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.4 |
M |
35 |
ZeroCERT
|
17340 |
2023-06-07 09:01
|
index.html e66507bcd2afe260f82a61cb981ec964 Generic Malware Browser Info Stealer MachineGuid Code Injection Checks debugger exploit crash unpack itself installed browsers check Exploit Browser crashed |
|
|
|
|
3.6 |
|
|
ZeroCERT
|