| 2116 |
2024-07-19 13:30
|
 Adobe-PDF-Viewer.js 916b1bf69fdabd368c719a14726fda61
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
https://ainvestinternational.com/wp/Sleflistuiq.zip
|
2
ainvestinternational.com(172.67.133.121) - mailcious
172.67.133.121
|
|
|
7.0 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2117 |
2024-07-19 13:16
|
 #1. 프로젝트 정보 업데이트 요청사항.xlsx.lnk... 717c204b2e1443bf9a985ab39f16ac1f
Lnk Format GIF Format |
|
|
|
|
|
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2118 |
2024-07-19 13:10
|
 #2. 금융당국 요청에 따른 프로젝트 정보 확인 요청의... 05545d71b8afcc697faf751f81cf66fd
PDF |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2119 |
2024-07-19 13:09
|
 6698c0ab59e68_aerosoft.exe#men... 0891d36dd26059e8a74ada84fd9885e5
Vidar Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199743486170 - rule_id: 41270
https://t.me/s41l0
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
78.46.255.249 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199743486170
|
15.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2120 |
2024-07-19 13:06
|
 1.exe 4b0e023d1ddfc2a8166c652300375b1a
Malicious Library PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
2.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2121 |
2024-07-19 13:06
|
 do0ntworryx1.exe 177dba5455e57afe9da6cfa0dda3d61d
Anti_VM PE File PE64 VirusTotal Malware Checks debugger sandbox evasion Browser crashed |
|
|
|
|
2.2 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2122 |
2024-07-19 13:04
|
safe_shell.shc.exe 0b6072d47b53fa8d3f9b28b449192dcc
Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware Malicious Traffic unpack itself suspicious process DNS crashed |
1
http://47.128.226.30/code.bin
|
1
|
2
ET HUNTING Generic .bin download from Dotted Quad
ET HUNTING curl User-Agent to Dotted Quad
|
|
5.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2123 |
2024-07-19 13:04
|
 djsoftware.exe 7f81200d5a684a89dda672e85490ea30
Vidar Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199743486170 - rule_id: 41270
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(96.7.99.225) - mailcious
149.154.167.99 - mailcious
96.7.99.225
78.46.255.249 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199743486170
|
17.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2124 |
2024-07-19 13:04
|
 dew.txt.exe fa105fc59f412384d0209ea62e257305
Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Remcos VirusTotal Malware Malicious Traffic Check memory Windows keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
swre.remwavesw.com(141.98.10.11)
141.98.10.11 - malware
178.237.33.50
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
|
|
3.4 |
|
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2125 |
2024-07-19 13:02
|
 warsong.exe 2b40a46d4856cb9f79ecdd2d19ad74e7
Malicious Library .NET framework(MSIL) UPX ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
8.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2126 |
2024-07-19 13:01
|
 ebube.txt.exe 6945b84b9f31a66790fe9d25204e67cb
PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName |
1
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=02g1oaMK40Aq
|
2
whatismyipaddressnow.co(104.21.71.78)
172.67.143.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2127 |
2024-07-19 13:01
|
welovedatinGloVER.gif.vbs b2450a779394d5883f1259bf7eaab12b
Generic Malware Antivirus PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
https://ia803405.us.archive.org/16/items/new_image_202406/new_image.jpg
|
4
pastecode.dev(172.66.43.27) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
172.66.40.229 - mailcious
207.241.232.195 - mailcious
|
3
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
|
1
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2128 |
2024-07-19 13:00
|
 new_clip.exe 7cfdc2aee2ad1a7ef6f7715178aa8f93
Generic Malware Malicious Packer UPX Antivirus PE File PE32 VirusTotal Malware powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2129 |
2024-07-19 12:59
|
crosscheckworldwideharitreatme... 44d287360e5facd26cb038c5ce2f2eb7
Generic Malware Antivirus PowerShell Malware download VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
3
pastecode.dev(172.66.40.229) - mailcious
172.66.40.229 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Base64 Encoded MZ In Image
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2130 |
2024-07-19 12:59
|
clearpicneedflowersnadimagesfo... 0aa47a7b9d50ddc9c80c5ecbbc2f0f7b
Generic Malware Antivirus PowerShell Malware download VirusTotal Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
3
pastecode.dev(172.66.43.27) - mailcious
172.66.43.27 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|