| 1846 |
2024-07-29 13:52
|
 163.exe c5d0790f653d7922b4723bdd6737f3a7
Generic Malware Malicious Library ASPack UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself Windows utilities AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
7
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
|
11
www.dropbox.com(162.125.80.18) - mailcious
drive.usercontent.google.com(142.250.206.193) - mailcious
freedns.afraid.org(69.42.215.252)
docs.google.com(172.217.25.174) - mailcious
xred.mooo.com() - mailcious
smtp.163.com(103.129.252.45)
103.129.252.45
162.125.80.18 - mailcious
142.250.196.238
69.42.215.252
142.250.71.225
|
3
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
|
|
8.8 |
M |
69 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1847 |
2024-07-29 13:51
|
 svhostc.exe ae3dd2f4488753b690ca17d555147aba
Malicious Library UPX Http API HTTP Internet API AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Telegram AutoRuns Code Injection Checks debugger buffers extracted unpack itself Tofsee Windows ComputerName DNS |
|
2
api.telegram.org(149.154.167.220) - mailcious
149.154.167.220 - mailcious
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
8.2 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1848 |
2024-07-29 13:51
|
 Ref_BA0929399122_pdf.js 117bc3a7fa3309e3f443ea02c267f1d4VirusTotal Malware VBScript AutoRuns suspicious privilege buffers extracted wscript.exe payload download Creates shortcut Creates executable files unpack itself Windows utilities sandbox evasion installed browsers check Tofsee Windows Browser ComputerName Dropper |
2
https://ddfcbb9325637bcdeff.mxttbszhh1.free.hr/oauth/pdf/Monetary_Funding_Sheet_2024.pdf
https://ddfcbb9325637bcdeff.mxttbszhh1.free.hr/oauth/pdf/Monetary_Funding_Sheet_2024.js
|
2
ddfcbb9325637bcdeff.mxttbszhh1.free.hr(104.21.5.141) - mailcious
172.67.154.165 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1849 |
2024-07-29 13:49
|
 ngrok.exe f02b8dabd9612d56140b7b435f70424b
Malicious Library Malicious Packer UPX PE File ftp PE64 wget OS Processor Check VirusTotal Malware wscript.exe payload download unpack itself Check virtual network interfaces crashed |
1
http://secure.globalsign.com/cacert/codesigningrootr45.crt
|
2
secure.globalsign.com(104.18.21.226)
146.75.50.133
|
|
|
3.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1850 |
2024-07-29 13:47
|
 test1.exe 97de4bc04461280f11316077a41083e0
Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1851 |
2024-07-29 13:46
|
 CBS_applcation_details_0726020... 117bc3a7fa3309e3f443ea02c267f1d4VirusTotal Malware VBScript AutoRuns suspicious privilege buffers extracted wscript.exe payload download Creates shortcut Creates executable files unpack itself Windows utilities sandbox evasion installed browsers check Tofsee Windows Browser ComputerName Dropper |
2
https://ddfcbb9325637bcdeff.mxttbszhh1.free.hr/oauth/pdf/Monetary_Funding_Sheet_2024.pdf
https://ddfcbb9325637bcdeff.mxttbszhh1.free.hr/oauth/pdf/Monetary_Funding_Sheet_2024.js
|
2
ddfcbb9325637bcdeff.mxttbszhh1.free.hr(172.67.154.165) - mailcious
172.67.154.165 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1852 |
2024-07-29 13:45
|
 main.exe e3e1f7fa42dd68f410bb885f0aefe5e3
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
64 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1853 |
2024-07-29 13:42
|
 clip64.dll 7d257e3bb8441810561e09092162df73
Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://185.215.113.101/g99kdj4vsA/index.php
|
1
185.215.113.101 - malware
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
3.6 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1854 |
2024-07-29 13:42
|
 random.exe a45cd34dab56ce2f61232c79a750374d
RedLine stealer Generic Malware EnigmaProtector UPX Malicious Library Code injection Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Detects VMWare AppData folder malicious URLs VMware anti-virtualization human activity check installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName DNS crashed |
3
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.16/stealc/random.exe
http://185.215.113.16/well/random.exe
|
4
crash-reports.mozilla.com(34.49.45.138)
34.49.45.138
185.215.113.16 - mailcious
185.215.113.19 - malware
|
8
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Packed Executable Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
18.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1855 |
2024-07-29 13:39
|
 wd.exe d65f5982c1f1f2967fdd91b7f21a5696
Generic Malware Malicious Library Malicious Packer ASPack UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check DLL JPEG Format VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
9
drive.usercontent.google.com(142.250.206.193) - mailcious
docs.google.com(172.217.161.238) - mailcious
www.dropbox.com(162.125.80.18) - mailcious
freedns.afraid.org(69.42.215.252)
xred.mooo.com() - mailcious
69.42.215.252
142.250.197.65
162.125.80.18 - mailcious
142.250.76.14
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
|
|
8.2 |
M |
70 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1856 |
2024-07-29 13:38
|
 sa.exe b78d38577f3a1ba9178e7fab5e5bddf6
Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName DNS keylogger |
|
2
142.250.197.65
142.250.76.14
|
|
|
6.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1857 |
2024-07-29 13:38
|
 3-1.exe 3482f7d0b7c1a3eeca3874bc9a1397ce
Generic Malware Malicious Library ASPack UPX Malicious Packer Socket ScreenShot Escalate priviledges PWS SMTP SSL DNS Dynamic Dns Internet API persistence KeyLogger AntiDebug AntiVM DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG For VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities AppData folder malicious URLs sandbox evasion Tofsee Windows Browser Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
13
www.dropbox.com(162.125.80.18) - mailcious
drive.usercontent.google.com(142.250.206.193) - mailcious
freedns.afraid.org(69.42.215.252)
docs.google.com(172.217.25.174) - mailcious
xred.mooo.com() - mailcious
smtp.163.com(103.129.252.45)
103.129.252.45
162.125.80.18 - mailcious
142.250.71.129
142.250.196.238
38.147.172.248 - mailcious
45.33.6.223
69.42.215.252
|
3
SURICATA Applayer Detect protocol only one direction
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
M |
69 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1858 |
2024-07-29 13:36
|
 beyondtransfer.exe 99f875d6395b7697228e9cbc8533fdc7
.NET framework(MSIL) PE File .NET EXE PE32 Malware download VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS |
1
http://193.233.203.218/creative/Fpdvdr.mp4
|
1
193.233.203.218 - malware
|
4
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII
ET MALWARE PE EXE or DLL Windows file download Text M2
ET HUNTING [TW] Likely Hex Executable String
ET SHELLCODE Common 0a0a0a0a Heap Spray String
|
|
5.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1859 |
2024-07-29 13:34
|
 win10.exe 7fa42ffc17069589fd85c3ea2b46a57c
Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check DLL JPEG Format VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
10
drive.usercontent.google.com(142.250.206.193) - mailcious
docs.google.com(142.250.76.142) - mailcious
www.dropbox.com(162.125.80.18) - mailcious
freedns.afraid.org(69.42.215.252)
xred.mooo.com() - mailcious
162.125.80.18 - mailcious
38.147.172.248 - mailcious
69.42.215.252
172.217.31.14
142.251.222.193
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
68 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1860 |
2024-07-29 13:32
|
 cred.dll d696e4ee5dac5d3e4b5073359224fcdc
Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://185.215.113.101/g99kdj4vsA/index.php
|
3
185.215.113.101 - malware
172.217.31.14
142.251.222.193
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
10.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|