| 2956 |
2024-06-16 10:22
|
 1019430.exe d235285e6e98fcda120673a5bd248341
Generic Malware Malicious Library PE File PE32 DNS |
|
1
|
|
|
1.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2957 |
2024-06-16 10:20
|
 services64.exe c8a50a6f1f73df72de866f6131346e69
PE64 PE File VirusTotal Malware DNS |
|
2
121.254.136.9
120.79.191.234 - malware
|
|
|
2.4 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2958 |
2024-06-16 10:19
|
 163.exe 8e4c0eeb469f011e6aea3dbd07106515
Generic Malware Malicious Library Downloader ASPack UPX Malicious Packer Anti_VM DllRegisterServer dll PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW installed browsers check Windows Browser Remote Code Execution |
|
4
ddos.dnsnb8.net(44.221.84.105) - mailcious
smtp.163.com(103.129.252.45)
103.129.252.45
44.221.84.105
|
1
SURICATA Applayer Detect protocol only one direction
|
|
6.4 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2959 |
2024-06-16 10:18
|
 random.exe 0f2c5d3966f262c04af7eb8cbe26c78a
Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Chec Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner |
10
http://185.172.128.116/Mb3GvQs8/index.php
http://185.172.128.116/NewLatest.exe
http://185.172.128.116/Mb3GvQs8/index.php?scr=1
http://185.172.128.116/b2c2c1.exe
http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037
http://77.91.77.81/lend/monster.exe
http://185.172.128.19/FirstZ.exe - rule_id: 39930
http://apps.identrust.com/roots/dstrootcax3.p7c
http://77.91.77.81/lend/setup222.exe
http://x1.i.lencr.org/
|
17
xmr-eu1.nanopool.org(51.15.58.224) - mailcious
kmsandallapp.ru(31.31.198.35) - mailcious
x1.i.lencr.org(23.40.44.214)
pastebin.com(104.20.4.235) - mailcious
boredombusters.online(104.21.44.95)
zeph-eu2.nanopool.org(51.68.137.186) - mailcious
104.20.3.235 - malware
185.172.128.19 - mailcious
23.41.113.9
172.67.198.131
51.15.193.130
77.91.77.81 - mailcious
185.172.128.116
51.68.137.186 - mailcious
31.31.198.35 - mailcious
121.254.136.9
185.215.113.67 - mailcious
|
17
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET MALWARE Amadey Bot Activity (POST) M1
|
2
http://77.91.77.81/Kiru9gu/index.php
http://185.172.128.19/FirstZ.exe
|
20.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2960 |
2024-06-16 10:18
|
 %E9%98%B2%E5%8A%AB%E6%8C%811.0... 7f0bf23db6496335d9adf01fb50ec091
Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS |
|
3
142.250.66.129
216.58.203.78
120.79.191.234 - malware
|
|
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2961 |
2024-06-16 10:16
|
 DhlServer.exe dcaab6548f0017f413d032fac6449fc1
Generic Malware Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files unpack itself suspicious process Windows DNS |
1
http://gwyk.sp168.tv:7744/8.77.dll
|
3
gwyk.sp168.tv(156.241.4.189)
156.241.4.189
38.147.172.248
|
1
ET HUNTING Rejetto HTTP File Sever Response
|
|
5.8 |
M |
64 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2962 |
2024-06-16 10:15
|
 mz64.exe 297b896dbf8d619c61fd947086fce6e8
Generic Malware Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware Check memory WriteConsoleW |
|
|
|
|
2.8 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2963 |
2024-06-16 10:13
|
 lvse.exe bcb3fe24e81f8e6989bc8005838433a0
Generic Malware Malicious Library AntiDebug AntiVM PE File PE32 PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process AppData folder Windows Advertising |
|
2
star.sp168.tv(156.241.4.189)
156.241.4.189
|
|
|
9.4 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2964 |
2024-06-16 10:11
|
 ewwe.exe 58f8e96f834d5d882046bd503ee83b18
Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware crashed |
|
|
|
|
2.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2965 |
2024-06-16 10:09
|
 lenin.exe 93896624af562420c457d547b73dd197
Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
147.45.47.126 - mailcious
104.26.4.15
34.117.186.192
|
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
|
|
13.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2966 |
2024-06-16 10:09
|
 x86_0922_4.exe 5f53734c5153ec3dd61e2a732a2ff03f
Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege WriteConsoleW Windows Advertising Remote Code Execution Firmware DNS crashed |
|
1
|
|
|
7.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2967 |
2024-06-16 10:07
|
 fud.exe 041f9aff555780cf8970f612fb828b4d
XWorm WebCam Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
|
|
|
9.4 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2968 |
2024-06-16 10:06
|
 360setr.exe 483fe860119307c2f9e2f7ed4caadc81
Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS |
|
1
|
|
|
8.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2969 |
2024-06-16 10:04
|
 ticket_g.exe 76a8b4d77a0aa32453fb51cab9bbf92e
Malicious Library PE File PE32 MZP Format VirusTotal Malware unpack itself Remote Code Execution DNS |
|
2
142.251.130.1
172.217.27.14
|
|
|
2.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2970 |
2024-06-16 10:04
|
 ey.exe ceb1b42233ced601bf691ffa63a305a9
Generic Malware Malicious Packer Malicious Library UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
9
drive.usercontent.google.com(142.250.206.193) - mailcious
docs.google.com(172.217.161.238) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - mailcious
69.42.215.252
172.217.27.14
142.251.130.1
162.125.84.18 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
M |
67 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|