22351 | 2022-12-13 11:53 |
has_o.txt.lnk b860a22f327bce97aa198a5e859ae20a PWS[m] Generic Malware Downloader Create Service DGA Socket ScreenShot DNS Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Check memory Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Interception DNS |
3 | http://apps.identrust.com/roots/dstrootcax3.p7c https://one.microshare.cloud/5DM76xr65Glf+q+5ks1p4MNKAviAf6Kwg4s2r3W77Pc= - rule_id: 25264 https://one.microshare.cloud/5DM76xr65Glf+q+5ks1p4MNKAviAf6Kwg4s2r3W77Pc= |
4 | apps.identrust.com(23.43.165.105) one.microshare.cloud(155.138.159.45) 155.138.159.45 - mailcious 182.162.106.33 - malware |
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed DNS Query to .cloud TLD |
1 | https://one.microshare.cloud/5DM76xr65Glf+q+5ks1p4MNKAviAf6Kwg4s2r3W77Pc= |
6.2 | | 29 | guest

22352 | 2022-12-13 10:24 |
daemon.exe 6ef7c0cfe6202bc5f9e519d535fdc4a9 Gen1 Gen2 Malicious Library UPX Malicious Packer PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker MachineGuid Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser DNS crashed |
9 | http://179.43.142.85/ http://179.43.142.85/e88811ff2fc3931db68430b46dc315bf http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://179.43.142.85/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll |
1 |
5 | ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Possible Generic Stealer Sending System Information |
7.0 | M | 29 | ZeroCERT

22353 | 2022-12-13 10:20 |
241.docx 587b90f5cf6b0776db453f4404022a98 MS_RTF_Obfuscation_Objects Word 2007 file format(docx) RTF File doc Malware download VirusTotal Malware Microsoft MachineGuid Malicious Traffic Check memory buffers extracted RWX flags setting exploit crash unpack itself AntiVM_Disk VM Disk Size Check GameoverP2P Zeus Exploit ComputerName Trojan Banking DNS crashed Downloader |
1 | http://104.168.32.136/241/vbc.exe |
1 | 104.168.32.136 - mailcious |
7 | ET INFO Dotted Quad Host DOC Request ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers ET MALWARE MSIL/GenKryptik.FQRH Download Request ET HUNTING Microsoft Office User-Agent Requesting A Doc File ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Possible RTF File With Obfuscated Version Header |
7.8 | M | 31 | ZeroCERT

22354 | 2022-12-13 10:20 |
Trabacoli.zip f820d5e6a14718b5d77f74a664cb71db |
ZeroCERT

22355 | 2022-12-13 10:19 |
Lega.exe 94403f8fdc2f6aab27c4b847c3f7ec36 SmokeLoader PWS Loki[b] Loki.m Generic Malware Malicious Library Malicious Packer UPX Antivirus PE32 OS Processor Check PE File PowerShell DLL JPEG Format Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows Email ComputerName RCE DNS Cryptographic key Software Downloader |
4 | http://transfer.sh/get/W4XHT0/Gay.exe http://62.204.41.13/gjend7w/index.php http://62.204.41.13/gjend7w/index.php?scr=1 http://e-hemsire.net/data/avatars/file.exe |
6 | e-hemsire.net(46.105.79.7) - malware transfer.sh(144.76.136.153) - malware 62.204.41.13 - malware 37.139.129.107 - malware 46.105.79.7 - malware 144.76.136.153 - mailcious |
14 | ET DROP Dshield Block Listed Source group 1 ET MALWARE Amadey CnC Check-In ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Dotted Quad Host DLL Request ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
10.0 | M | 38 | ZeroCERT

22356 | 2022-12-13 10:16 |
ureterogram.js 05f30e6eb50a0253a559910a0327acca |
ZeroCERT

22357 | 2022-12-13 10:15 |
mp3studios_95.exe cfe181cb0be52169a6412c28c50c1c64 AgentTesla PWS[m] browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Packer Create Service DGA Socket ScreenShot DNS BitCoin Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges p Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName RCE DNS crashed |
1 | https://www.icodeps.com/ - rule_id: 14280 |
4 | www.icodeps.com(149.28.253.196) - mailcious iplogger.org(148.251.234.83) - mailcious 149.28.253.196 - mailcious 148.251.234.83 |
4 | ET POLICY IP Check Domain (iplogger .org in DNS Lookup) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in TLS SNI) |
1 |
10.6 | M | 53 | ZeroCERT

22358 | 2022-12-13 10:15 |
1rYkftS0a.exe 42ebee5400c47788993ec41139b85452 PWS .NET framework PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger unpack itself |
5.0 | M | 29 | ZeroCERT

22359 | 2022-12-13 10:14 |
No.002678.exe 3eea49f995524c00bedce79918ebabbd PWS[m] PWS .NET framework Generic Malware Antivirus KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1 |
2 | api.ipify.org(64.185.227.156) 173.231.16.76 |
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
15.0 | M | 32 | ZeroCERT

22360 | 2022-12-13 10:14 |
mp3studios_92.exe 6aa856e8e3543c832d0a6c13e64a76fa Gen2 Trojan_PWS_Stealer Credential User Data Generic Malware Malicious Library SQLite Cookie Malicious Packer UPX Anti_VM PE32 OS Processor Check PE File PNG Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Checks debugger WMI Creates executable files exploit crash Windows utilities suspicious process WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName RCE DNS crashed |
1 | https://www.icodeps.com/ - rule_id: 14280 |
4 | www.icodeps.com(149.28.253.196) - mailcious iplogger.org(148.251.234.83) - mailcious 149.28.253.196 - mailcious 148.251.234.83 |
4 | ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in DNS Lookup) |
1 |
9.4 | M | 55 | ZeroCERT

22361 | 2022-12-13 10:11 |
file.exe 495898e8c6fd72defa11061f617f24b4 Gen2 Generic Malware Malicious Library Malicious Packer UPX Antivirus PE32 OS Processor Check PE File PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName RCE Cryptographic key |
1 | https://alternativohortolandia.com.br/wp-content/config_20.ps1 |
2 | alternativohortolandia.com.br(128.201.72.206) - malware 128.201.72.206 - malware |
3 | SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) |
10.0 | M | 48 | ZeroCERT

22362 | 2022-12-13 10:11 |
cred64.dll 66dc0761882ecbb1d06dea6f101f28a8 PWS Loki[b] Loki.m Malicious Library PE32 DLL PE File FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Malicious Traffic Check memory Checks debugger unpack itself Email RCE DNS Software crashed |
1 | http://62.204.41.13/gjend7w/index.php |
2 | 45.159.189.115 - mailcious 62.204.41.13 - malware |
1 | ET DROP Dshield Block Listed Source group 1 |
6.0 | M | 50 | ZeroCERT

22363 | 2022-12-13 10:07 |
weriiuiuetirefdguiertiudfgiiu.... 3ec71f52fa8513019b6711672666639e MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed Downloader |
1 | http://104.168.32.136/241/vbc.exe |
1 | 104.168.32.136 - mailcious |
3 | ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
4.6 | M | 32 | ZeroCERT

22364 | 2022-12-13 10:06 |
CLEP.exe 2b3bff5880cb5d9ab44c302bd1047313 NPKI Malicious Library Malicious Packer UPX PE32 PE File VirusTotal Malware AutoRuns Creates executable files Windows utilities suspicious process AppData folder Windows ComputerName |
2 | http://clipper.guru/bot/online?guid=test22-PC\test22&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e - rule_id: 23131 http://clipper.guru/bot/regex?key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e - rule_id: 23132 |
2 | clipper.guru(45.159.189.115) - mailcious 45.159.189.115 - mailcious |
1 | ET USER_AGENTS Go HTTP Client User-Agent |
2 | http://clipper.guru/bot/online http://clipper.guru/bot/regex |
6.4 | M | 57 | ZeroCERT

22365 | 2022-12-13 10:06 |
mp3studios_95.exe cfe181cb0be52169a6412c28c50c1c64 AgentTesla PWS[m] browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Packer Create Service DGA Socket ScreenShot DNS BitCoin Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges p Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName RCE DNS crashed |
1 | https://www.icodeps.com/ - rule_id: 14280 |
4 | www.icodeps.com(149.28.253.196) - mailcious iplogger.org(148.251.234.83) - mailcious 149.28.253.196 - mailcious 148.251.234.83 |
4 | ET POLICY IP Check Domain (iplogger .org in DNS Lookup) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in TLS SNI) |
1 |
10.6 | M | 53 | ZeroCERT
