2086 | 2024-07-20 20:11 | 34v3vz.exe | 61547b701d759958b78b75aeca77279c | Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 OS Processor Check PE64 Malware download VirusTotal Email Client Info Stealer Malware AutoRuns Malicious Traffic WMI Creates executable files Windows utilities Checks Bios suspicious process WriteConsoleW anti-virtualization Windows Email ComputerName DNS
URLs (3):
  http://185.196.10.57/ev643v4/api.php?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1898C939111C
  http://185.196.10.57/ev643v4/api.php?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1898C939111C&tsk=5D9A
  http://185.216.214.218/Population.exe
Hosts (2):
  185.196.10.57 - malware
  185.216.214.218 - malicious
Alerts (4):
  ET MALWARE ZharkBot User-Agent Observed
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
8.6 | M | 61 | ZeroCERT

2087 | 2024-07-20 20:10 | g245x.exe | 72cd0c2edee91a3d8e2b8a0b149ded12 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself WriteConsoleW crashed
2.4 | M | 49 | ZeroCERT

2088 | 2024-07-20 20:08 | ZHHR.txt.exe | fa702e456caa471e2b07df76d37de539 | Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Malware download Remcos VirusTotal Malware Malicious Traffic Check memory Windows keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  www.vandashproject.site(103.161.133.243)
  178.237.33.50
  103.161.133.243
Alerts (2):
  ET MALWARE Remcos 3.x Unencrypted Checkin
  ET MALWARE Remcos 3.x Unencrypted Server Response
3.4 | | 58 | ZeroCERT

2089 | 2024-07-20 20:08 | winiti.exe | 9a5faf2d13c1fb4ac9aa52154c3a6dc5 | AgentTesla Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
URLs (2):
  http://ip-api.com/line/?fields=hosting
  https://api.ipify.org/
Hosts (4):
  api.ipify.org(172.67.74.152)
  ip-api.com(208.95.112.1)
  104.26.13.205
  208.95.112.1
Alerts (5):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
14.4 | M | 55 | ZeroCERT

2090 | 2024-07-20 20:08 | hc.hc.hc.hc.hchchchch.doc | e677d8183d89a410a3ce59db5a2722d3 | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
  http://103.161.133.121/95095/butterburnverysweetgirleated.gIF
Hosts (5):
  pastecode.dev(172.66.40.229) - malicious
  ia803405.us.archive.org(207.241.232.195) - malicious
  103.161.133.121 - malware
  172.66.40.229 - malicious
  207.241.232.195 - malicious
Alerts (3):
  ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
Rule-matched URLs (1):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt
4.8 | M | 41 | ZeroCERT

2091 | 2024-07-20 20:06 | butterburnverysweetgirleated.g... | 612b79418bc9dee5e9bf503df55a245c | Generic Malware Antivirus PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper
URLs (2):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
  https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg
Hosts (4):
  pastecode.dev(172.66.40.229) - malicious
  ia803405.us.archive.org(207.241.232.195) - malicious
  172.66.40.229 - malicious
  207.241.232.195 - malicious
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
  ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
Rule-matched URLs (1):
  https://pastecode.dev/raw/6l7qjjrz/paste1.txt
10.0 | M | 5 | ZeroCERT

2092 | 2024-07-20 20:06 | we.we.we.we.wewewewe.doc | 6f2f933c81549f01eb55e42a0d85535e | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
URLs (2):
  https://api.ipify.org/
  http://107.172.4.179/516/winiti.exe
Hosts (3):
  api.ipify.org(172.67.74.152)
  104.26.13.205
  107.172.4.179 - malware
Alerts (8):
  ET INFO Executable Download from dotted-quad Host
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 40 | ZeroCERT

2093 | 2024-07-20 20:05 | Files.exe | 90b3832d4da1a85d18c9c515cb01780e | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.2 | | 58 | ZeroCERT

2094 | 2024-07-20 20:04 | newwork.exe | 3764897fd08b8427b978fb099c091f71 | Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic ICMP traffic unpack itself AppData folder Tofsee Windows DNS
URLs (1):
  http://79.137.192.15/n9djvSc3x/index.php
Hosts (5):
  coe.com.vn(103.28.36.182) - malware
  easy2buy.ae(185.199.220.53)
  79.137.192.15 - malware
  103.28.36.182 - malware
  185.199.220.53
Alerts (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  ET INFO TLS Handshake Failure
  ET DROP Spamhaus DROP Listed Traffic Inbound group 8
  ET MALWARE Amadey Bot Activity (POST)
7.0 | | 63 | ZeroCERT

2095 | 2024-07-20 20:04 | 669a08aa861a2_filemanager.exe#... | 71be3c01c7064efaa019e6259ccb0602 | Vidar Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (2):
  https://steamcommunity.com/profiles/76561199743486170 - rule_id: 41270
  https://t.me/s41l0
Hosts (5):
  t.me(149.154.167.99) - malicious
  steamcommunity.com(23.66.133.162) - malicious
  149.154.167.99 - malicious
  96.7.99.225
  78.46.255.249 - malicious
Alerts (3):
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1):
  https://steamcommunity.com/profiles/76561199743486170
16.2 | M | 43 | ZeroCERT

2096 | 2024-07-20 20:01 | mimilib.dll | 46e598798bdde4c72e796edcf2317b52 | Malicious Packer PE File DLL PE32 VirusTotal Malware Checks debugger unpack itself crashed
2.0 | M | 63 | ZeroCERT

2097 | 2024-07-20 20:01 | mimispool.dll | dab7a18b02399053ba3ff1e568789fce | PE File DLL PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed
2.2 | M | 58 | ZeroCERT

2098 | 2024-07-20 19:59 | mimidrv.sys | 0818699d065afcb1f397d578d3708dc2 | Antivirus PE File PE32 VirusTotal Malware PDB
1.6 | M | 61 | ZeroCERT

2099 | 2024-07-20 19:59 | IEnetcache.hta | f56f02858f071b420ca3e54922f00ccf | Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (1):
  http://107.172.4.179/515/winiti.exe
Hosts (1):
Alerts (5):
  ET INFO TLS Handshake Failure
  ET INFO Executable Download from dotted-quad Host
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
12.2 | M | 26 | ZeroCERT

2100 | 2024-07-20 19:58 | psi.ps1 | ff9703bcf189e4144bb277789540e1fa | Generic Malware Antivirus VirusTotal Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  http://www.onlinesupportforroad.com/Employee.exe
Hosts (2):
  www.onlinesupportforroad.com(193.31.116.186) - malicious
  193.31.116.186 - malicious
Alerts (2):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4.6 | | 5 | ZeroCERT