17866 | 2023-05-12 17:59 | vbc.exe 44bd0753b6efa39826e713e4c6bc9353 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself | | | | | 1.4 | M | 39 | ZeroCERT
17867 | 2023-05-12 10:15 | File_pass1234.7z 4ea64ab9cad02bd9b12703babb3aff3f PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself DNS | | 2 | | | 3.0 | M | 9 | ZeroCERT
17868 | 2023-05-12 10:09 | File_pass1234.7z ebffa14573bad49ce1597ebfdb1b4219 PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check Tofsee Windows Trojan DNS | 17 http://94.142.138.131/api/firegate.php http://209.250.254.249:3002/ http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://www.maxmind.com/geoip/v2.1/city/me http://208.67.104.60/api/tracemap.php - rule_id: 28876 https://vk.com/doc797927207_660207612?hash=FSzZrKgaoQ4kHJpBkwwrcecQ1khON4e6uLnZZ4noFRc&dl=G44TOOJSG4ZDANY:1683818285:xjgWZ6U0zK8yMG56wSqaiurXm91s5Hva9jN75V78dpc&api=1&no_preview=1#L1 https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test https://sun6-20.userapi.com/c237331/u797927207/docs/d32/3b1562a610ff/AppLaunch.bmp?extra=JaJH0yubp6SiGMgQe6iQVtfr1GI70sFVas0bPqPOE1JgQPjQJeqc1JgcP7Vq06u_i8BJolccNfQmB4JVHlrkyw76zX1E9nDnBtN_Yc3_Z9h2uiwH-vXq0GCPy9mOftnGamUCUIwSIM6GaloEPQ https://vk.com/doc797927207_659790319?hash=Yh4Zq10yI5sCv0Hozhs9Au2WzOHbviNeMCJ7fr1FFhg&dl=G44TOOJSG4ZDANY:1683130808:PeAzMOcy5CuRuNl362YRUH2t3JWVdZZHlGFYTsqzuwo&api=1&no_preview=1 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 https://vk.com/doc797927207_660158521?hash=CHoeq50dJohH7piMcIhWPTP8SZy13EEVPQr7nouPkeP&dl=G44TOOJSG4ZDANY:1683737741:EB7omsUVCkf03zctqWFhwJvAFNZLeHtx8gkUGk2PVDg&api=1&no_preview=1 https://sun6-21.userapi.com/c235131/u797927207/docs/d5/08764869d62d/asca1ex.bmp?extra=vqNkGdJUx9Ty6qIhbKHtHm-uvSM7pFAB70mGC-hwXtKeLLhMapHhAdWQp5Mhx3VaUG7ygp_A9SH2P8-3DGJUQZuEyrxPDUB1vgU0Ra1SDEQ6-E0IS8WQ7sWYLJoVk2tVh_Dy7Q72mppRd5Lw_A https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats https://sun6-20.userapi.com/c237231/u797927207/docs/d22/96329d1f2388/OriginalBuild.bmp?extra=wOQ0KkKvahESe2lcf4Z08mPMWxbrBrypeJGVgVKu4T7N-NXXMnRZCHlfbPtzIoPsAhYWS42eeMFfkSuWfqJygSWjaYYlF8BLVc6w7A0kxdFKuCDAlMbnzV6x3QG-8rMtL9KskuuoxyI1CIXz-A https://vk.com/doc797927207_660166827?hash=S9d1LRpKkBqqaTTkzFYojvcJ3L3a8zzgjeJXmhRuRB8&dl=G44TOOJSG4ZDANY:1683746472:NUGgowD5mgwGUbp3JvSIkoB9wFYDzijcgoJB26mzagH&api=1&no_preview=1#orig5 | 28 db-ip.com(104.26.5.15) iplis.ru(148.251.234.93) - mailcious hugersi.com(91.215.85.147) - malware sun6-21.userapi.com(95.142.206.1) ipinfo.io(34.117.59.81) ji.uiasehgjj.com(172.67.135.176) - malware www.maxmind.com(104.17.214.67) sun6-20.userapi.com(95.142.206.0) api.db-ip.com(104.26.5.15) vk.com(87.240.132.67) 109.206.243.208 - malware 45.12.253.74 - malware 104.26.4.15 172.67.135.176 - malware 163.123.143.4 - mailcious 95.142.206.1 95.142.206.0 148.251.234.93 - mailcious 104.17.215.67 34.117.59.81 87.240.132.67 94.142.138.131 - mailcious 176.113.115.239 - malware 91.215.85.147 - malware 104.26.5.15 208.67.104.60 - mailcious 104.17.214.67 209.250.254.249 | 10 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA Applayer Mismatch protocol both directions ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI) ET INFO URL Shortening Service Domain in DNS Lookup (vk .com) ET INFO Executable Download from dotted-quad Host ET MALWARE Single char EXE direct download likely trojan (multiple families) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP | 2 http://94.142.138.131/api/tracemap.php http://208.67.104.60/api/tracemap.php | 6.2 | M | | ZeroCERT
17869 | 2023-05-12 10:06 | se1.exe 29531f95f2ffc356c67975a60effa857 PWS .NET framework RAT UPX SMTP PWS[m] KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed | | | | | 10.6 | | 28 | ZeroCERT
17870 | 2023-05-12 10:02 | File_pass1234.7z f12cefd0ab30a148d0d24f8b2db51554 PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Trojan DNS | 17 http://85.208.136.10/api/firegate.php http://209.250.254.249:3002/ http://5.181.80.133/api/tracemap.php http://www.maxmind.com/geoip/v2.1/city/me http://85.208.136.10/api/tracemap.php https://vk.com/doc797927207_660207612?hash=FSzZrKgaoQ4kHJpBkwwrcecQ1khON4e6uLnZZ4noFRc&dl=G44TOOJSG4ZDANY:1683818285:xjgWZ6U0zK8yMG56wSqaiurXm91s5Hva9jN75V78dpc&api=1&no_preview=1#L1 https://sun6-20.userapi.com/c237331/u797927207/docs/d32/3b1562a610ff/AppLaunch.bmp?extra=JaJH0yubp6SiGMgQe6iQVtfr1GI70sFVas0bPqPOE1JgQPjQJeqc1JgcP7Vq06u_i8BJolccNfQmB4JVHlrkyw76zX1E9nDnBtN_Yc3_Z9h2uiwH-vfs0GCPy9mOftnGajBWUN9EdZ3VblhQOQ https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test https://vk.com/doc797927207_659790319?hash=Yh4Zq10yI5sCv0Hozhs9Au2WzOHbviNeMCJ7fr1FFhg&dl=G44TOOJSG4ZDANY:1683130808:PeAzMOcy5CuRuNl362YRUH2t3JWVdZZHlGFYTsqzuwo&api=1&no_preview=1 https://sun6-21.userapi.com/c235131/u797927207/docs/d5/08764869d62d/asca1ex.bmp?extra=vqNkGdJUx9Ty6qIhbKHtHm-uvSM7pFAB70mGC-hwXtKeLLhMapHhAdWQp5Mhx3VaUG7ygp_A9SH2P8-3DGJUQZuEyrxPDUB1vgU0Ra1SDEQ6-E0IS8eW7sWYLJoVk2tVh62ovw_1x8tWIpf3-Q https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 https://vk.com/doc797927207_660158521?hash=CHoeq50dJohH7piMcIhWPTP8SZy13EEVPQr7nouPkeP&dl=G44TOOJSG4ZDANY:1683737741:EB7omsUVCkf03zctqWFhwJvAFNZLeHtx8gkUGk2PVDg&api=1&no_preview=1 https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats https://sun6-20.userapi.com/c237231/u797927207/docs/d22/96329d1f2388/OriginalBuild.bmp?extra=wOQ0KkKvahESe2lcf4Z08mPMWxbrBrypeJGVgVKu4T7N-NXXMnRZCHlfbPtzIoPsAhYWS42eeMFfkSuWfqJygSWjaYYlF8BLVc6w7A0kxdFKuCDAlMThzV6x3QG-8rMtL4D6kL2rwHFhWIT1-Q https://vk.com/doc797927207_660166827?hash=S9d1LRpKkBqqaTTkzFYojvcJ3L3a8zzgjeJXmhRuRB8&dl=G44TOOJSG4ZDANY:1683746472:NUGgowD5mgwGUbp3JvSIkoB9wFYDzijcgoJB26mzagH&api=1&no_preview=1#orig5 | 27 db-ip.com(104.26.4.15) hugersi.com(91.215.85.147) - malware sun6-21.userapi.com(95.142.206.1) ipinfo.io(34.117.59.81) ji.uiasehgjj.com(104.21.7.34) - malware www.maxmind.com(104.17.214.67) sun6-20.userapi.com(95.142.206.0) api.db-ip.com(104.26.5.15) vk.com(87.240.129.133) 109.206.243.208 - malware 45.12.253.74 - malware 104.26.4.15 95.142.206.0 172.67.135.176 - malware 163.123.143.4 - mailcious 95.142.206.1 87.240.132.78 91.215.85.147 - malware 5.181.80.133 34.117.59.81 85.208.136.10 94.131.106.196 - mailcious 176.113.115.239 - malware 104.26.5.15 94.142.138.113 - mailcious 104.17.214.67 209.250.254.249 | 10 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO URL Shortening Service Domain in DNS Lookup (vk .com) SURICATA Applayer Mismatch protocol both directions ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI) ET INFO Executable Download from dotted-quad Host ET MALWARE Single char EXE direct download likely trojan (multiple families) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP | | 5.8 | M | | ZeroCERT
17871 | 2023-05-12 09:55 | 645d8620ab56f.zip f273ad23fb6109a3d45643dc29084a86 ZIP Format Malware Malicious Traffic NetSupport | 2 http://geo.netsupportsoftware.com/location/loca.asp http://89.22.237.94:5222/http://89.22.237.94/fakeurl.htm | 4 geo.netsupportsoftware.com(62.172.138.67) blahadfurtik.com(89.22.237.94) - mailcious 89.22.237.94 - mailcious 51.142.119.24 | 3 ET INFO NetSupport Remote Admin Checkin ET INFO NetSupport Remote Admin Response ET POLICY NetSupport GeoLocation Lookup Request | | 0.8 | | | ZeroCERT
17872 | 2023-05-12 09:43 | 645d85f10366f.zip e5e14d83b8c78f4ef66ec2fa554ddada ZIP Format Malware Malicious Traffic NetSupport | 2 http://geo.netsupportsoftware.com/location/loca.asp http://89.22.237.94:5222/http://89.22.237.94/fakeurl.htm | 4 geo.netsupportsoftware.com(62.172.138.67) blahadfurtik.com(89.22.237.94) - mailcious 89.22.237.94 - mailcious 62.172.138.67 | 3 ET INFO NetSupport Remote Admin Checkin ET POLICY NetSupport GeoLocation Lookup Request ET INFO NetSupport Remote Admin Response | | 0.8 | | | ZeroCERT
17873 | 2023-05-12 09:34 | 134.exe 7f7d127294ffc58543e0197866ba1371 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself RCE | | | | | 2.4 | M | 45 | ZeroCERT
17874 | 2023-05-12 09:32 | newbuild.exe 41d09d5600b1b30b656d33553ac71d0d UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself RCE | | | | | 2.4 | M | 40 | ZeroCERT
17875 | 2023-05-12 09:30 | Lrvoys.js ce6f4ba124b7e93b1133bb0ee0e7e4e1 Generic Malware Admin Tool (Sysinternals etc ...) Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key | 1 http://79.137.248.163/XnQd2bL/GRAI3wuk | | | | 6.2 | | | ZeroCERT
17876 | 2023-05-12 09:29 | Cnsx.js 10cb0a754ebcb9f526f7124105d1c1fc Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key | 1 http://91.193.43.98/AGvZh8C/WwzssPjfvzF | | | | 6.2 | | | ZeroCERT
17877 | 2023-05-12 09:28 | 71c95442-4415-4ad2-b550-28ba52... c21947b75b1bbec904d0d954d5571fce UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself WriteConsoleW ComputerName crashed | | | | | 7.8 | M | 43 | ZeroCERT
17878 | 2023-05-12 09:26 | pmZdtegi.exe 92188f68cfaf42d02c08fbf7c9b0ab94 PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 1.8 | | 31 | ZeroCERT
17879 | 2023-05-12 09:23 | s.exe 61d510bf7f8a1ab8175ea3e97fce511d UPX Malicious Library OS Processor Check PE File PE32 PDB unpack itself RCE | | | | | 1.2 | | | ZeroCERT
17880 | 2023-05-12 09:23 | setup.exe c9e2ee39f9899dcbb8b51de798971892 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself RCE | | | | | 2.4 | M | 41 | ZeroCERT