1861 | 2024-07-29 13:29
ef.exe 94b423329b05b002507c36396870bb25 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware DNS
2
142.250.196.238
142.250.71.129
2.2 | M | 64 | ZeroCERT

1862 | 2024-07-29 13:23
cp.exe aed4c0c1a8eddddad6e556442795f474 | Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware Telegram AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger
2
api.telegram.org(149.154.167.220) - mailcious
149.154.167.220 - mailcious
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | 51 | ZeroCERT

1863 | 2024-07-29 13:22
winiti.exe e8b4997fd647c6236e8d6a5460724cee | Formbook North Korea Generic Malware Malicious Library .NET framework(MSIL) Antivirus UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder suspicious TLD WriteConsoleW Windows Browser ComputerName DNS Cryptographic key
13
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
http://www.noghteyab.com/f97t/?UX8=hkoMjg324npAs1ZBeZ8TzD/yod4wthTGeTvgOqr4Vk4zrcx6pPdRyFEwEDn18B/c37XIJfunev42iw6n9kOhHfgC7TNK8DtkFlqbOeckPp33fVEaTkv/0VMweSZvG65qVo/UWng=&_e=jxcPGi4BG
http://www.zocalo-fuk.com/iczo/
http://www.zocalo-fuk.com/iczo/?UX8=JY7jtaSJ5x5vzidnjWySlw1C0GfgB4v3ywH460gVL7Ewt7sZ57bbwI6mxyJFGNyl5vwWXeVDvThdvQiyRvynE/Zjj7HkpiyOTqmD4v0kKDcwzqr276eGi6TkYHYmx5vmFqXXwms=&_e=jxcPGi4BG
http://www.loangoatworld.com/8y3s/?UX8=m+e1HwtEOOeM4G5NTLK68Gp6Kwp+MY7uBR7SzEsfX5sQt5Y/60pxYxuDgYg2mwpPnMRTzCuNJ1kKNM0TTa/Wnuj7pyZLvslRvIdrySy2NFkwbRUK0Niqet6rEb5EadRpffeEIOc=&_e=jxcPGi4BG
http://www.miquwawa.com/tqql/ - rule_id: 41186
http://www.loangoatworld.com/8y3s/
http://www.exporationgenius.sbs/x06k/?UX8=T/qtMR3LKa4LTbjxJENTE1gbHfbcMoDNkQwOkzuXYGM8AEnHwE1BoCD8ihzw/kVeeFO4GyYqoWqmFjylDbVKWJ6wgOd2jmN6i9pg74XS81AjK7oOmIcxjkpvsNU18Pzzy/zqp1g=&_e=jxcPGi4BG - rule_id: 41185
http://www.exporationgenius.sbs/x06k/ - rule_id: 41185
http://www.tcfreal.top/sg27/
http://www.tcfreal.top/sg27/?UX8=cpYt0YSQq6qumPKkPw6QLfXM1KObFctjUwEln5zritMpGV/+kM1tCQF1oqocoz5p4KbVgOmLQvtuRCfM7FFF+QE7cX+gmvJNP2ErFAfMZUG54lXQ6wu+5V3NDlvvWDRsBB/6vdY=&_e=jxcPGi4BG
http://www.miquwawa.com/tqql/?UX8=u0XZF227Y/r9f3hnjIOG+jjSMjDg7zLaE5MpTM9c21roNqnsj5Giqo9JdiKVg3NN2RVqT0KrdJuiKB8prP8iYWfx9j8cghYBBFjwmC7Tnk8aYBcBXjkKDK2u4+7cSJR9pJqJ93M=&_e=jxcPGi4BG - rule_id: 41186
http://www.noghteyab.com/f97t/
13
www.noghteyab.com(46.105.190.248)
www.miquwawa.com(95.169.27.235) - mailcious
www.loangoatworld.com(3.33.130.190)
www.exporationgenius.sbs(104.21.57.28) - mailcious
www.zocalo-fuk.com(157.7.107.37)
www.tcfreal.top(203.161.50.128)
104.21.57.28 - mailcious
95.169.27.235 - mailcious
3.33.130.190 - phishing
203.161.50.128
157.7.107.37
45.33.6.223
51.89.93.193
2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
4
http://www.miquwawa.com/tqql/
http://www.exporationgenius.sbs/x06k/
http://www.exporationgenius.sbs/x06k/
http://www.miquwawa.com/tqql/
13.4 | M | 55 | ZeroCERT

1864 | 2024-07-28 14:48
Bin_HookShark64_2011-12-31_19.... 4f19a7e5f8225992821041d0109ffc8c | AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
3.8 | 1 | guest

1865 | 2024-07-28 14:18
Bin_HookShark64_2011-12-31_19.... 4f19a7e5f8225992821041d0109ffc8c | AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
4.2 | 1 | guest

1866 | 2024-07-28 10:53
random.exe 8c0430ee2841a6554d709869a81a375b | RedLine stealer RedlineStealer SystemBC Gen1 Themida Packer Generic Malware Downloader UPX Malicious Library .NET framework(MSIL) Malicious Packer Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audi Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder VMware anti-virtualization installed browsers check Tofsee Ransomware Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
8
http://185.215.113.16/Jo89Ku7d/index.php
http://185.215.113.16/inc/build.exe
http://185.215.113.16/inc/crypted.exe
http://185.215.113.16/inc/5447jsX.exe
http://185.215.113.16/inc/crypteda.exe
http://185.215.113.16/inc/25072023.exe
http://185.215.113.16/inc/pered.exe
http://185.215.113.16/inc/2020.exe
9
coe.com.vn(103.28.36.182) - malware
mktrex155.xyz() - malware
atlpvt.com(58.65.168.132)
185.215.113.16 - mailcious
185.215.113.9
58.65.168.132 - malware
45.33.6.223
103.28.36.182 - malware
185.215.113.67 - mailcious
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET HUNTING Download Request Containing Suspicious Filename - Crypted
ET MALWARE Amadey Bot Activity (POST)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
17.8 | M | 47 | ZeroCERT

1867 | 2024-07-28 10:42
winiti.exe 1f5c95d40c06c01300f0a6592945a72d | Generic Malware Malicious Library UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
12
http://www.accelbusiness.net/sg0d/?LDcoL=ZFII8SVAvGzgMmVXToVI4LwsaVgSRAPMY6hEAWMgzd/rbIPLPNZ+lpDrj56GxiOWRiizuXBqoJ7dds0AusnvIdaVAlrc/osgyVUIbfwB8yhx2m5WAGulmI8my104pwb/sqeANsY=&tzW0=VCPfEuN
http://www.hourglasspoise.net/5gvb/?LDcoL=/cc9D7vqfViixqGthiuMbdR5vErImywOC8ezpB4FmcTpRtjTbyPN8oLjmjUaYTUAZZsBqqPA4LzpXUrs3zKz1+bcJTGwBkjtMfI/kGKzlFznEvk/PsID24fmvZA2hoz8baldBw0=&tzW0=VCPfEuN
http://www.lontos.top/ukrf/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
http://www.bosonserver.net/x10g/?LDcoL=AtIpZIbrclbIO3wVV4nf5MkbKr3zgThFYZcx/yn27KMXet/sCHbTSg7iXdN1LprNnU90TGJjlk60YPXU/gV8xNKsA5d5wJ0kF02lQrh6bPl2Ka0ee+60c3gL6UuubkfRvx1R8AU=&tzW0=VCPfEuN
http://www.asymtos.tech/34b9/
http://www.lontos.top/ukrf/?LDcoL=F/tpX3aJNzQcZIorwbtn4XzXZf0a/CrYoWsqF027uxYn9zYWtTXD5RI4AWcWVnLyOuVjbatHjcymGXUCp/2iE/8I1+t1d0MzMQiJ/YLZDKzAaLFDJakAPmxPg9uDu26TEYHLTo4=&tzW0=VCPfEuN
http://www.bosonserver.net/x10g/
http://www.accelbusiness.net/sg0d/
http://www.asymtos.tech/34b9/?LDcoL=W6RiSnxSk7sWUyAWvsuBUQf3TLDMvpVwUriP78iMWJLg9pjq2qbXoN6eJJBee+3TNvEAo0P2a/B9rNSGOSr+g5jIYLHfTFZsXGTqlaF0jUedL/CiwqWjEQX6GQUFudPhspdJ5Ls=&tzW0=VCPfEuN
http://www.theiconsummit.life/6fdz/
http://www.hourglasspoise.net/5gvb/
12
www.hourglasspoise.net(3.33.130.190)
www.theiconsummit.life(3.33.130.190)
www.lontos.top(203.161.42.162)
www.accelbusiness.net(3.33.130.190)
www.asymtos.tech(217.160.164.240)
www.bosonserver.net(195.200.3.58)
195.200.3.58
3.33.130.190 - phishing
217.160.164.240
15.197.148.33 - mailcious
203.161.42.162
45.33.6.223
4
ET INFO HTTP Request to a *.top domain
ET INFO HTTP Request to Suspicious *.life Domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed DNS Query to .life TLD
10.0 | M | 53 | ZeroCERT

1868 | 2024-07-28 10:40
random.exe 7e43d787c0813212855c05d5cc4b1752 | Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
2.0 | M | 38 | ZeroCERT

1869 | 2024-07-28 10:40
recreatednewthingswithentriene... 0a9c028203a8416be8db7371550d0fb5 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself suspicious TLD Windows Exploit DNS crashed
14
http://104.219.239.104/80/winiti.exe
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.hourglasspoise.net/5gvb/
http://www.asymtos.tech/34b9/?_aRhhan=W6RiSnxSk7sWUyAWvsuBUQf3TLDMvpVwUriP78iMWJLg9pjq2qbXoN6eJJBee+3TNvEAo0P2a/B9rNSGOSr+g5jIYLHfTFZsXGTqlaF0jUedL/CiwqWjEQX6GQUFudPhspdJ5Ls=&my_=BkIk6xdg
http://www.accelbusiness.net/sg0d/?_aRhhan=ZFII8SVAvGzgMmVXToVI4LwsaVgSRAPMY6hEAWMgzd/rbIPLPNZ+lpDrj56GxiOWRiizuXBqoJ7dds0AusnvIdaVAlrc/osgyVUIbfwB8yhx2m5WAGulmI8my104pwb/sqeANsY=&my_=BkIk6xdg
http://www.lontos.top/ukrf/?_aRhhan=F/tpX3aJNzQcZIorwbtn4XzXZf0a/CrYoWsqF027uxYn9zYWtTXD5RI4AWcWVnLyOuVjbatHjcymGXUCp/2iE/8I1+t1d0MzMQiJ/YLZDKzAaLFDJakAPmxPg9uDu26TEYHLTo4=&my_=BkIk6xdg
http://www.asymtos.tech/34b9/
http://www.bosonserver.net/x10g/?_aRhhan=AtIpZIbrclbIO3wVV4nf5MkbKr3zgThFYZcx/yn27KMXet/sCHbTSg7iXdN1LprNnU90TGJjlk60YPXU/gV8xNKsA5d5wJ0kF02lQrh6bPl2Ka0ee+60c3gL6UuubkfRvx1R8AU=&my_=BkIk6xdg
http://www.theiconsummit.life/6fdz/?_aRhhan=Oie1FXKEyOqxuNWWyjoIb9DaNOxncG0Z1Eay2KtVdEC34I4dz//PFxK656i6sULSR99flzaSlbWC6MMpR37rak2rbcKEmCHEFn0mJCNpP5WZ+he/mmH/AJ6z3o1TiNYnnRR6Wlk=&my_=BkIk6xdg
http://www.bosonserver.net/x10g/
http://www.hourglasspoise.net/5gvb/?_aRhhan=/cc9D7vqfViixqGthiuMbdR5vErImywOC8ezpB4FmcTpRtjTbyPN8oLjmjUaYTUAZZsBqqPA4LzpXUrs3zKz1+bcJTGwBkjtMfI/kGKzlFznEvk/PsID24fmvZA2hoz8baldBw0=&my_=BkIk6xdg
http://www.accelbusiness.net/sg0d/
http://www.lontos.top/ukrf/
http://www.theiconsummit.life/6fdz/
13
www.hourglasspoise.net(15.197.148.33)
www.theiconsummit.life(15.197.148.33)
www.lontos.top(203.161.42.162)
www.accelbusiness.net(3.33.130.190)
www.asymtos.tech(217.160.164.240)
www.bosonserver.net(195.200.3.58)
15.197.148.33 - mailcious
3.33.130.190 - phishing
104.219.239.104 - mailcious
217.160.164.240
195.200.3.58
203.161.42.162
45.33.6.223
9
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET DNS Query to a *.top domain - Likely Hostile
5.4 | M | 39 | ZeroCERT

1870 | 2024-07-28 10:36
Display1.exe 88696cf17417a2339b63f9452404c839 | Generic Malware task schedule Malicious Library WinRAR UPX AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder WriteConsoleW ComputerName Remote Code Execution crashed
8.6 | M | 28 | ZeroCERT

1871 | 2024-07-28 10:36
build_2024-07-25_20-56.exe bea49eab907af8ad2cbea9bfb807aae2 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
1.8 | M | 53 | ZeroCERT

1872 | 2024-07-28 10:34
dccrypt.exe 55398a65a9d1abb512e943a0d8901cb0 | Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB Code Injection Check memory Checks debugger Creates executable files unpack itself WriteConsoleW Remote Code Execution crashed
6.4 | M | 57 | ZeroCERT

1873 | 2024-07-28 10:34
DecryptJohn.exe c1853d1c36dc461668c9af843d07cc58 | Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder crashed
3.4 | M | 50 | ZeroCERT

1874 | 2024-07-27 20:30
YesTraderRun.exe 0c95469e9ee3bc62c0678d7ae0bed71c | Themida Packer Generic Malware Anti_VM PE File PE32 VirusTotal Malware
1.4 | 2 | guest

1875 | 2024-07-27 15:07
LMTS.txt.exe 3ad8cb387874a15488508bf269fd2520 | Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX Antivirus ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Malware download Remcos VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS keylogger
1
http://geoplugin.net/json.gp
8
geoplugin.net(178.237.33.50)
asociatiatraditiimaria.ro(93.113.54.56) - mailcious
iwarsut775laudrye2.duckdns.org(192.253.251.227)
new.quranushaiqer.org.sa(34.166.62.190) - mailcious
192.253.251.227
178.237.33.50
93.113.54.56 - mailcious
34.166.62.190
7
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Remcos 3.x Unencrypted Checkin
ET MALWARE Remcos 3.x Unencrypted Server Response
18.4 | 59 | ZeroCERT
