22951 | 2022-12-13 10:06 | CLEP.exe | 2b3bff5880cb5d9ab44c302bd1047313 | NPKI Malicious Library Malicious Packer UPX PE32 PE File VirusTotal Malware AutoRuns Creates executable files Windows utilities suspicious process AppData folder Windows ComputerName
URLs (2): http://clipper.guru/bot/online?guid=test22-PC\test22&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e - rule_id: 23131; http://clipper.guru/bot/regex?key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e - rule_id: 23132
Hosts (2): clipper.guru(45.159.189.115) - mailcious; 45.159.189.115 - mailcious
IDS alerts (1): ET USER_AGENTS Go HTTP Client User-Agent
Rule-matched URLs (2): http://clipper.guru/bot/online; http://clipper.guru/bot/regex
6.4 | M | 57 | ZeroCERT
22952 | 2022-12-13 10:06 | mp3studios_95.exe | cfe181cb0be52169a6412c28c50c1c64 | AgentTesla PWS[m] browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Packer Create Service DGA Socket ScreenShot DNS BitCoin Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges p Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName RCE DNS crashed
URLs (1): https://www.icodeps.com/ - rule_id: 14280
Hosts (4): www.icodeps.com(149.28.253.196) - mailcious; iplogger.org(148.251.234.83) - mailcious; 149.28.253.196 - mailcious; 148.251.234.83
IDS alerts (4): ET POLICY IP Check Domain (iplogger .org in DNS Lookup); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET POLICY IP Check Domain (iplogger .org in TLS SNI)
Rule-matched URLs (1):
10.6 | M | 53 | ZeroCERT
22953 | 2022-12-13 10:05 | Tastevins.exe | e6e0579ee6e5aa130fcf50e5646da5f7 | PWS Loki[b] Loki.m Gen1 Confuser .NET UPX Malicious Library Malicious Packer AntiDebug AntiVM PE32 .NET EXE PE File OS Processor Check DLL Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Tofsee Mars Stealer Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (6): http://142.132.236.84/update.zip - rule_id: 25033; http://142.132.236.84/update.zip; http://142.132.236.84/1909; http://142.132.236.84/ - rule_id: 25029; https://steamcommunity.com/profiles/76561199441933804 - rule_id: 24879; https://t.me/dishasta
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.110.72.183) - mailcious; 142.132.236.84 - mailcious; 149.154.167.99 - mailcious; 23.42.123.237
IDS alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host ZIP Request; ET INFO TLS Handshake Failure; ET MALWARE Arkei/Vidar/Mars Stealer Variant
Rule-matched URLs (3): http://142.132.236.84/update.zip; http://142.132.236.84/; https://steamcommunity.com/profiles/76561199441933804
17.8 | M | 40 | ZeroCERT
22954 | 2022-12-13 10:04 | 이상민.docx | f64b643de2bc7c368b0a13d12c584a09 | Doc XML Downloader Word 2007 file format(docx) VirusTotal Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files exploit crash unpack itself powershell.exe wrote suspicious process AntiVM_Disk sandbox evasion Ransom Message VM Disk Size Check Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (3): http://195.201.101.146/o19wzg.dotm - rule_id: 25248; http://195.201.101.146/; http://195.201.101.146/12341rgergg435g4tr.exe - rule_id: 25249
Hosts (1): 195.201.101.146 - malware
IDS alerts (6): ET INFO Doc Requesting Remote Template (.dotm); ET INFO Executable Download from dotted-quad Host; ET POLICY curl User-Agent Outbound; ET HUNTING curl User-Agent to Dotted Quad; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (2): http://195.201.101.146/o19wzg.dotm; http://195.201.101.146/12341rgergg435g4tr.exe
12.4 | M | 19 | ZeroCERT
22955 | 2022-12-13 10:01 | DevSt.exe | 97824a1a018a194220866d5548eeff95 | Malicious Library Malicious Packer UPX OS Processor Check PE File PE64 Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process Ransomware Windows Browser Email ComputerName DNS crashed
Hosts (1):
IDS alerts (1): SURICATA Applayer Protocol detection skipped
9.4 | | 45 | ZeroCERT
22956 | 2022-12-13 09:59 | devalt.exe | fc9ea28a3c3659c4200e442d20198458 | Gen2 RAT Gen1 Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File .NET EXE VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName RCE
7.4 | M | 55 | ZeroCERT
22957 | 2022-12-13 09:58 | Dll%20Injector%20V1%20Full%E2%... | 556084cf64aec63e0babdf10a61afaa6 | Malicious Packer Socket AntiDebug AntiVM PE32 .NET EXE PE File PE64 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee crashed DoTNet
Hosts (2): textbin.net(148.72.177.212) - mailcious; 148.72.177.212 - mailcious
IDS alerts (3): ET INFO TLS Handshake Failure; ET INFO Pastebin-style Service (textbin .net in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.2 | M | 47 | ZeroCERT
22958 | 2022-12-13 09:57 | nulight2.1.exe | ab56062f34be6231548dc9e794f20784 | Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
Hosts (2): api.ipify.org(104.237.62.212); 64.185.227.156
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.8 | M | 21 | ZeroCERT
22959 | 2022-12-13 09:56 | DEVMin.exe | 279c66b28f19a510ad6c0f155871fac3 | Malicious Library PE File PE64 VirusTotal Malware
1.6 | M | 49 | ZeroCERT
22960 | 2022-12-13 09:55 | limalt.exe | 8468c0223b7665174d19866d33ae9731 | Gen2 RAT Gen1 Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File .NET EXE VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName RCE
7.4 | M | 42 | ZeroCERT
22961 | 2022-12-13 09:54 | 1055716893.exe | d2bad349906b711cf59df7178146abff | Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer VirusTotal Malware buffers extracted Creates executable files Browser DNS crashed
URLs (1): http://65.21.213.208:3000/check
Hosts (2): 65.21.213.208; 185.239.239.194
IDS alerts (1): ET HUNTING EXE Base64 Encoded potential malware
3.8 | M | 22 | ZeroCERT
22962 | 2022-12-13 09:52 | LIMSt.exe | b26439eb7f5e2a7f1e2dabcfa8e3a7b1 | Malicious Library Malicious Packer UPX OS Processor Check PE File PE64 Browser Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities suspicious process Ransomware Windows Browser Email ComputerName DNS crashed
Hosts (1):
IDS alerts (1): SURICATA Applayer Protocol detection skipped
7.8 | M | 49 | ZeroCERT
22963 | 2022-12-13 09:51 | LIMMin.exe | d0525e69e54066d5b3764acefd16a754 | Malicious Library PE File PE64 VirusTotal Malware
1.6 | M | 51 | ZeroCERT
22964 | 2022-12-13 08:04 | o19wzg.dotm | 03cea7c49abe78863ae2644ac77c8efb | VBA_macro Word 2007 file format(docx) VirusTotal Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AntiVM_Disk sandbox evasion Ransom Message VM Disk Size Check installed browsers check Windows Browser ComputerName DNS Cryptographic key
URLs (1): http://195.201.101.146/12341rgergg435g4tr.exe
Hosts (1): 195.201.101.146 - malware
IDS alerts (5): ET INFO Executable Download from dotted-quad Host; ET POLICY curl User-Agent Outbound; ET HUNTING curl User-Agent to Dotted Quad; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
12.8 | M | 33 | ZeroCERT
22965 | 2022-12-13 08:04 | 12341rgergg435g4tr.exe | df7a9a45a10c1942225eb9be257fb752 | Generic Malware Antivirus PE32 PE File VirusTotal Malware AutoRuns suspicious privilege Check memory Creates shortcut AntiVM_Disk sandbox evasion Ransom Message VM Disk Size Check installed browsers check Windows Browser
6.0 | M | 51 | ZeroCERT