17356 | 2023-06-05 18:02
File: c64.exe
MD5: b1e73ee6b76cdb99e5fcde09936de056
Tags: Gen2 Gen1 Emotet Generic Malware Downloader UPX Malicious Library Malicious Packer Antivirus Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot Anti VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Creates executable files unpack itself Windows utilities Auto service suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName RCE
DNS/IP (4):
  p.f2pool.info(124.172.232.35)
  boy.f2pool.info(112.175.114.17)
  124.172.232.35
  112.175.114.17
14.6 | | 52 | ZeroCERT

17357 | 2023-06-05 17:56
File: iexplore.exe
MD5: a3d8b7059f0a4108d38144586fd63ee0
Tags: Generic Malware UPX Antivirus Malicious Library Malicious Packer PE File PE32 PE64 OS Processor Check VirusTotal Cryptocurrency Miner Malware Cryptocurrency powershell AutoRuns suspicious privilege Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW anti-virtualization Windows ComputerName RCE crashed
DNS/IP (2):
  x.f2pool.info(183.111.205.12)
  183.111.205.12 - malware
IDS alerts (1): ET POLICY Cryptocurrency Miner Checkin
13.0 | M | 56 | ZeroCERT

17358 | 2023-06-05 17:55
File: 86.exe
MD5: ff8a7fe058166ccb1d7822fa873cdca5
Tags: UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows RCE
DNS/IP (2):
  p.f2pool.info(124.172.232.35)
  124.172.232.35
7.6 | M | 51 | ZeroCERT

17359 | 2023-06-05 16:51
File: w-9.exe
MD5: 2dbc44aae677e2661475da5b2a3aac2e
Tags: UPX PE File PE32 VirusTotal Malware WriteConsoleW
3.0 | M | 42 | ZeroCERT

17360 | 2023-06-05 16:49
File: Setup.exe
MD5: c28cc92a7c78b96bec58fa3e5398074a
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself
2.2 | M | 43 | ZeroCERT

17361 | 2023-06-05 16:46
File: G_768916.zip
MD5: 53c9f14237d2ec66158868a25c2c6502
Tags: ZIP Format
ZeroCERT

17362 | 2023-06-05 16:43
File: DVolPro.dll
MD5: 30e1d0c1941167612a1da0bb79a03be8
Tags: UPX Malicious Library DLL PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed
2.8 | | 36 | ZeroCERT

17363 | 2023-06-05 15:36
File: 51216324738.pdf
MD5: e44cdb9b41b9e644d0a7366029ae9ec0
Tags: PDF Suspicious Link PDF AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection RWX flags setting unpack itself Windows utilities suspicious TLD Tofsee Windows DNS
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://synerhu.ru/uplcv?utm_term=bad+boys+for+life+2020+torrent - rule_id: 33995
DNS/IP (21):
  www.google.com(142.250.76.132)
  www.gstatic.com(142.250.207.99)
  fonts.googleapis.com(142.250.206.202)
  a.nel.cloudflare.com(35.190.80.1)
  accounts.google.com(172.217.25.173)
  _googlecast._tcp.local()
  apis.google.com(142.250.76.142)
  fonts.gstatic.com(142.250.206.227)
  synerhu.ru(172.67.198.220) - phishing
  clientservices.googleapis.com(142.250.206.195)
  142.251.222.202
  35.190.80.1
  142.251.220.4
  142.250.66.131
  142.250.66.142
  121.254.136.27
  142.250.207.77
  172.67.198.220
  142.251.222.195
  142.250.66.67
  142.250.204.99
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Traffic URLs (1):
5.2 | M | 30 | ZeroCERT

17364 | 2023-06-05 13:45
File: ririririiririririririririiriri...
MD5: a411c5f01d2a3c00973839711c3ab747
Tags: Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (2):
  http://185.246.220.85/line/five/fre.php - rule_id: 33747
  http://192.3.189.133/344/hkcmd.exe
DNS/IP (2):
  192.3.189.133 - malware
  185.246.220.85 - mailcious
IDS alerts (12):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
Traffic URLs (1): http://185.246.220.85/line/five/fre.php
5.0 | M | 31 | ZeroCERT

17365 | 2023-06-05 08:04
File: setup.EXE
MD5: 426937c153dd506951c7f40a94094c48
Tags: Gen1 Emotet PWS .NET framework RAT njRAT backdoor UPX Malicious Library CAB PE64 PE File PNG Format OS Processor Check .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder WriteConsoleW installed browsers check Tofsee Windows Browser Email ComputerName RCE DNS Cryptographic key DDNS Software crashed
URLs (1): https://freegeoip.app/xml/
DNS/IP (6):
  xiiiolympus.zapto.org(105.110.10.96)
  freegeoip.app(172.67.160.84)
  ipbase.com(99.83.231.61)
  75.2.60.5 - mailcious
  104.21.73.97
  105.110.10.96
IDS alerts (4):
  ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
  ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY DNS Query to DynDNS Domain *.zapto .org
10.6 | M | | ZeroCERT

17366 | 2023-06-04 17:47
File: Sceatt.exe
MD5: a1ed05e1152357a287ad4c4b4ddc300e
Tags: PWS .NET framework RAT RedLine Stealer Confuser .NET .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself DNS
DNS/IP (1):
2.6 | M | 52 | ZeroCERT

17367 | 2023-06-04 17:45
File: 7e8e3c8b54a3dd86e1b6afb3300169...
MD5: c4b9d83a65b7a0b05d7d24d4abcb29ae
Tags: Suspicious_Script_Bin Generic Malware UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Windows Browser ComputerName RCE DNS Cryptographic key DDNS crashed
DNS/IP (2):
  explore.ddns.net(37.46.117.90)
  37.46.117.90
IDS alerts (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
18.2 | M | 38 | ZeroCERT

17368 | 2023-06-04 17:45
File: foto124.exe
MD5: 5179b8f5f0a4a2c88c1c9ab074f50e60
Tags: Redline Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Browser ComputerName RCE DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.62/wings/game/Plugins/clip64.dll - rule_id: 33725
  http://77.91.68.62/wings/game/Plugins/cred64.dll - rule_id: 33724
  http://77.91.68.62/wings/game/index.php - rule_id: 33726
DNS/IP (2):
  77.91.68.62 - malware
  83.97.73.126 - malware
IDS alerts (9):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Traffic URLs (3):
  http://77.91.68.62/wings/game/Plugins/clip64.dll
  http://77.91.68.62/wings/game/Plugins/cred64.dll
  http://77.91.68.62/wings/game/index.php
14.8 | M | 39 | ZeroCERT

17369 | 2023-06-04 17:40
File: a2592d.exe
MD5: 3be6be65f8685715130d5be7ba9d2f50
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows RCE Cryptographic key
7.2 | M | 38 | ZeroCERT

17370 | 2023-06-04 17:38
File: eee23xe.exe
MD5: 19cb6550343998faee16c4f604a25f56
Tags: Loki NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1): http://161.35.102.56/~nikol/?p=2132 - rule_id: 33642
DNS/IP (2):
  77.91.68.62 - malware
  161.35.102.56 - mailcious
IDS alerts (5):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Traffic URLs (1): http://161.35.102.56/~nikol/
10.0 | M | 53 | ZeroCERT