2956 | 2024-06-16 10:22 | 1019430.exe | d235285e6e98fcda120673a5bd248341
Tags: Generic Malware Malicious Library PE File PE32 DNS
Hosts: 1 (not listed)
1.8 | M | | ZeroCERT

2957 | 2024-06-16 10:20 | services64.exe | c8a50a6f1f73df72de866f6131346e69
Tags: PE64 PE File VirusTotal Malware DNS
Hosts (2): 121.254.136.9, 120.79.191.234 - malware
2.4 | M | 51 | ZeroCERT

2958 | 2024-06-16 10:19 | 163.exe | 8e4c0eeb469f011e6aea3dbd07106515
Tags: Generic Malware Malicious Library Downloader ASPack UPX Malicious Packer Anti_VM DllRegisterServer dll PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW installed browsers check Windows Browser Remote Code Execution
Hosts (4): ddos.dnsnb8.net(44.221.84.105) - malicious, smtp.163.com(103.129.252.45), 103.129.252.45, 44.221.84.105
Alerts (1): SURICATA Applayer Detect protocol only one direction
6.4 | M | 65 | ZeroCERT

2959 | 2024-06-16 10:18 | random.exe | 0f2c5d3966f262c04af7eb8cbe26c78a
Tags: Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner
URLs (10): http://185.172.128.116/Mb3GvQs8/index.php, http://185.172.128.116/NewLatest.exe, http://185.172.128.116/Mb3GvQs8/index.php?scr=1, http://185.172.128.116/b2c2c1.exe, http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037, http://77.91.77.81/lend/monster.exe, http://185.172.128.19/FirstZ.exe - rule_id: 39930, http://apps.identrust.com/roots/dstrootcax3.p7c, http://77.91.77.81/lend/setup222.exe, http://x1.i.lencr.org/
Hosts (17): xmr-eu1.nanopool.org(51.15.58.224) - malicious, kmsandallapp.ru(31.31.198.35) - malicious, x1.i.lencr.org(23.40.44.214), pastebin.com(104.20.4.235) - malicious, boredombusters.online(104.21.44.95), zeph-eu2.nanopool.org(51.68.137.186) - malicious, 104.20.3.235 - malware, 185.172.128.19 - malicious, 23.41.113.9, 172.67.198.131, 51.15.193.130, 77.91.77.81 - malicious, 185.172.128.116, 51.68.137.186 - malicious, 31.31.198.35 - malicious, 121.254.136.9, 185.215.113.67 - malicious
Alerts (17): ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Redline Stealer/MetaStealer Family Activity (Response); ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner); ET MALWARE Amadey Bot Activity (POST) M1
Rule-matched URLs (2): http://77.91.77.81/Kiru9gu/index.php, http://185.172.128.19/FirstZ.exe
20.0 | M | 41 | ZeroCERT

2960 | 2024-06-16 10:18 | 防劫持1.0... | 7f0bf23db6496335d9adf01fb50ec091
Tags: Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS
Hosts (3): 142.250.66.129, 216.58.203.78, 120.79.191.234 - malware
5.0 | M | | ZeroCERT

2961 | 2024-06-16 10:16 | DhlServer.exe | dcaab6548f0017f413d032fac6449fc1
Tags: Generic Malware Malicious Library PE File PE32 VirusTotal Malware AutoRuns Creates executable files unpack itself suspicious process Windows DNS
URLs (1): http://gwyk.sp168.tv:7744/8.77.dll
Hosts (3): gwyk.sp168.tv(156.241.4.189), 156.241.4.189, 38.147.172.248
Alerts (1): ET HUNTING Rejetto HTTP File Sever Response
5.8 | M | 64 | ZeroCERT

2962 | 2024-06-16 10:15 | mz64.exe | 297b896dbf8d619c61fd947086fce6e8
Tags: Generic Malware Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware Check memory WriteConsoleW
2.8 | M | 63 | ZeroCERT

2963 | 2024-06-16 10:13 | lvse.exe | bcb3fe24e81f8e6989bc8005838433a0
Tags: Generic Malware Malicious Library AntiDebug AntiVM PE File PE32 PE64 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process AppData folder Windows Advertising
Hosts (2): star.sp168.tv(156.241.4.189), 156.241.4.189
9.4 | M | 65 | ZeroCERT

2964 | 2024-06-16 10:11 | ewwe.exe | 58f8e96f834d5d882046bd503ee83b18
Tags: Malicious Packer Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware crashed
2.0 | M | 48 | ZeroCERT

2965 | 2024-06-16 10:09 | lenin.exe | 93896624af562420c457d547b73dd197
Tags: Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5): ipinfo.io(34.117.186.192), db-ip.com(172.67.75.166), 147.45.47.126 - malicious, 104.26.4.15, 34.117.186.192
Alerts (9): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE [ANY.RUN] RisePro TCP (External IP); ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration); ET MALWARE RisePro CnC Activity (Inbound)
13.8 | M | 41 | ZeroCERT

2966 | 2024-06-16 10:09 | x86_0922_4.exe | 5f53734c5153ec3dd61e2a732a2ff03f
Tags: Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege WriteConsoleW Windows Advertising Remote Code Execution Firmware DNS crashed
Hosts: 1 (not listed)
7.2 | M | 37 | ZeroCERT

2967 | 2024-06-16 10:07 | fud.exe | 041f9aff555780cf8970f612fb828b4d
Tags: XWorm WebCam Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check ComputerName
9.4 | | 54 | ZeroCERT

2968 | 2024-06-16 10:06 | 360setr.exe | 483fe860119307c2f9e2f7ed4caadc81
Tags: Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS
Hosts: 1 (not listed)
8.4 | M | 49 | ZeroCERT

2969 | 2024-06-16 10:04 | ticket_g.exe | 76a8b4d77a0aa32453fb51cab9bbf92e
Tags: Malicious Library PE File PE32 MZP Format VirusTotal Malware unpack itself Remote Code Execution DNS
Hosts (2): 142.251.130.1, 172.217.27.14
2.2 | M | 27 | ZeroCERT

2970 | 2024-06-16 10:04 | ey.exe | ceb1b42233ced601bf691ffa63a305a9
Tags: Generic Malware Malicious Packer Malicious Library UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger
URLs (3): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978, https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download, https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Hosts (9): drive.usercontent.google.com(142.250.206.193) - malicious, docs.google.com(172.217.161.238) - malicious, xred.mooo.com() - malicious, freedns.afraid.org(69.42.215.252), www.dropbox.com(162.125.84.18) - malicious, 69.42.215.252, 172.217.27.14, 142.251.130.1, 162.125.84.18 - malicious
Alerts (2): ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | M | 67 | ZeroCERT