2911 | 2024-06-17 14:33
psyzh 0fece9d4a04aae570fa8673cc1fdb912
Tags: Malicious Library UPX PE File PE32 OS Processor Check unpack itself Remote Code Execution
1.4 | | | ZeroCERT

2912 | 2024-06-17 14:26
file.rar eb8589a8b967f7be1a94b8ae4cb0a15c
Tags: Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro Remote Code Execution DNS CoinMiner
URLs (11):
  http://176.111.174.109/psyzh
  http://5.42.66.10/download/th/space.php - rule_id: 39944
  http://5.42.99.177/api/crazyfish.php - rule_id: 40006
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.232.45.38/eee01/eee01.exe - rule_id: 39938
  http://5.42.99.177/api/twofish.php - rule_id: 40008
  http://80.78.242.100/d/385135
  http://5.42.66.10/download/123p.exe - rule_id: 39935
  https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188
  https://steamcommunity.com/profiles/76561199699680841 - rule_id: 40206
  https://db-ip.com/demo/home.php?s=
Hosts (34): db-ip.com(172.67.75.166); pool.hashvault.pro(142.202.242.45) - mailcious; cdn-download.avgbrowser.com(23.199.47.133); api64.ipify.org(104.237.62.213); api.myip.com(104.26.8.59); steamcommunity.com(23.66.133.162) - mailcious; lop.foxesjoy.com(104.21.66.124) - malware; t.me(149.154.167.99) - mailcious; ipinfo.io(34.117.186.192); cdn.discordapp.com(162.159.134.233) - malware; vk.com(87.240.132.67) - mailcious; iplogger.org(172.67.132.113) - mailcious; 94.232.45.38 - malware; 182.162.106.33 - malware; 182.162.106.144; 184.26.241.154 - mailcious; 149.154.167.99 - mailcious; 147.45.47.126 - mailcious; 34.117.186.192; 5.42.99.177 - mailcious; 125.253.92.50; 176.111.174.109 - malware; 104.26.8.59; 162.159.130.233 - malware; 65.109.240.138 - mailcious; 172.67.159.232; 77.91.77.80 - malware; 5.42.66.10 - malware; 23.52.128.153; 80.78.242.100; 173.231.16.77; 104.26.4.15; 87.240.132.78 - mailcious; 172.67.132.113
Signatures (28): ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; ET INFO TLS Handshake Failure; ET DROP Spamhaus DROP Listed Traffic Inbound group 30; ET DROP Dshield Block Listed Source group 1; ET DROP Spamhaus DROP Listed Traffic Inbound group 1; ET INFO Executable Download from dotted-quad Host; SURICATA Applayer Mismatch protocol both directions; ET INFO Observed Discord Domain (discordapp .com in TLS SNI); ET HUNTING Redirect to Discord Attachment Download; ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP; ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET POLICY IP Check Domain (iplogger .org in DNS Lookup); ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET POLICY IP Check Domain (iplogger .org in TLS SNI); ET INFO Observed Telegram Domain (t .me in TLS SNI); ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro); ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Activity); SURICATA Applayer Wrong direction first Data
Rule-matched URLs (7):
  http://5.42.66.10/download/th/space.php
  http://5.42.99.177/api/crazyfish.php
  http://94.232.45.38/eee01/eee01.exe
  http://5.42.99.177/api/twofish.php
  http://5.42.66.10/download/123p.exe
  https://lop.foxesjoy.com/ssl/crt.exe
  https://steamcommunity.com/profiles/76561199699680841
4.2 | M | | ZeroCERT

2913 | 2024-06-17 13:43
__x64___setup___x32__.zip 7e05adc41fe0d6484c3cc75893991a2f
Tags: ZIP Format Malware Malicious Traffic Tofsee
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://gay-domain.com/licenseUser.php
Hosts (3): gay-domain.com(172.67.154.227); 172.67.154.227; 182.162.106.144
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.2 | | | ZeroCERT

2914 | 2024-06-17 13:37
NewKindR.exe fdafb92fc1868e533daa18f318d8e322
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself DNS
Hosts (1): none listed
3.0 | M | 50 | ZeroCERT

2915 | 2024-06-17 13:35
setup.exe 59f7c6aba00ac82304ed8e658ff4768f
Tags: Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios suspicious process WriteConsoleW anti-virtualization Windows ComputerName DNS Cryptographic key
Hosts (1): none listed
12.2 | M | 53 | ZeroCERT

2916 | 2024-06-17 13:34
servoces64.exe 540c3c9ae1b97353b49de9a216532d72
Tags: Anti_VM PE64 PE File VirusTotal Malware
1.4 | M | 21 | ZeroCERT

2917 | 2024-06-17 13:33
NewLatest.exe 07101cac5b9477ba636cd8ca7b9932cb
Tags: Amadey Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Cryptocurrency Miner Malware AutoRuns Malicious Traffic Creates executable files unpack itself AppData folder Windows DNS CoinMiner
URLs (3):
  http://185.172.128.19/FirstZ.exe - rule_id: 39930
  http://185.172.128.116/Mb3GvQs8/index.php - rule_id: 40304
  http://185.172.128.116/b2c2c1.exe - rule_id: 40314
Hosts (8): xmr-eu1.nanopool.org(162.19.224.121) - mailcious; zeph-eu2.nanopool.org(51.15.61.114) - mailcious; pastebin.com(172.67.19.24) - mailcious; 51.15.58.224; 104.20.3.235 - malware; 163.172.171.111 - mailcious; 185.172.128.19 - mailcious; 185.172.128.116 - mailcious
Signatures (8): ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner); ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
Rule-matched URLs (3):
  http://185.172.128.19/FirstZ.exe
  http://185.172.128.116/Mb3GvQs8/index.php
  http://185.172.128.116/b2c2c1.exe
6.4 | M | 38 | ZeroCERT

2918 | 2024-06-17 13:31
monster.exe 3f4f5c57433724a32b7498b6a2c91bf0
Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus Anti_VM PE64 PE File DLL OS Processor Check wget ftp VirusTotal Malware Check memory Creates executable files unpack itself
2.8 | M | 20 | ZeroCERT

2919 | 2024-06-17 13:31
b2c2c1.exe f8ec725e4b969f157fd70166e73a56a3
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution DNS
Hosts (1): none listed
3.2 | M | 51 | ZeroCERT

2920 | 2024-06-17 13:29
setup222.exe 8677376c509f0c66d1f02c6b66d7ef90
Tags: Downloader PE64 PE File VirusTotal Malware MachineGuid Creates executable files Check virtual network interfaces Tofsee
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3): boredombusters.online(104.21.44.95) - mailcious; 172.67.198.131; 121.254.136.18
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 32 | ZeroCERT

2921 | 2024-06-17 13:27
dhl.exe fc58e29974c49a329c30188f5a468e08
Tags: Generic Malware Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files unpack itself suspicious process Windows
URLs (1):
  http://star.sp168.tv:7744/8.77.dll
Hosts (2): star.sp168.tv(156.241.4.189); 156.241.4.189 - mailcious
Signatures (1): ET HUNTING Rejetto HTTP File Sever Response
5.2 | M | 64 | ZeroCERT

2922 | 2024-06-17 13:26
chrome.exe d35043ced01af08d55ec8cb5d3f368c7
Tags: Generic Malware Malicious Library UPX DllRegisterServer dll PE File PE32 OS Processor Check VirusTotal Malware Remote Code Execution
2.0 | | 47 | ZeroCERT

2923 | 2024-06-17 11:20
adobe.exe 5fb6f9de46e67ad7d07418a02417aa92
Tags: UPX PE64 PE File VirusTotal Malware unpack itself
2.0 | | 26 | r0d

2924 | 2024-06-17 10:26
s.exe b7b18619464ce06f97278c1cf029a5cb
Tags: Browser Login Data Stealer Generic Malware Malicious Packer Malicious Library UPX PE File PE32 Browser Info Stealer VirusTotal Malware Browser DNS
Hosts (1): none listed
Signatures (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 15
2.0 | M | 8 | ZeroCERT

2925 | 2024-06-17 10:25
b.exe ccd45a73d555f6a89b06924e150680e5
Tags: Malicious Packer Malicious Library UPX PE File PE32 VirusTotal Malware Windows utilities suspicious process Windows
URLs (4):
  http://comprobacion-aerolineas.com:9090/status
  http://comprobacion-aerolineas.com:9090/output
  http://comprobacion-aerolineas.com:9090/getcmd
  http://comprobacion-aerolineas.com:9090/register
Hosts (2): comprobacion-aerolineas.com(94.156.67.86); 94.156.67.86 - malware
Signatures (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 15; ET USER_AGENTS Go HTTP Client User-Agent
2.6 | | 39 | ZeroCERT