2971 | 2024-06-16 10:04 | newbild.exe f9fc06f0cc64b6a700eda6fd6d816df3 PE File PE32 VirusTotal Malware Remote Code Execution | | | | | 2.4 | M | 42 | ZeroCERT
2972 | 2024-06-16 10:02 | random.exe 8f7aaf6053a152035540f30992647b10 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger exploit crash installed browsers check Exploit Browser crashed | | | | | 4.6 | | 29 | ZeroCERT
2973 | 2024-06-16 10:02 | appst.exe f05da219bf720502ed4a9d17c7bbcb65 Generic Malware Malicious Library UPX PE64 PE File VirusTotal Malware Check memory unpack itself | | | | | 1.0 | | 5 | ZeroCERT
2974 | 2024-06-16 10:00 | x86_0923_1.exe 95996d628e7f15ed7290902c879aa81b Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege sandbox evasion WriteConsoleW Windows Advertising Remote Code Execution Firmware DNS crashed | | 1 | | | 7.4 | M | 26 | ZeroCERT
2975 | 2024-06-16 09:59 | %E5%A4%A7JJ.exe d436dc7faa63db35b10524ac82ab7631 Generic Malware Malicious Library Downloader ASPack UPX Malicious Packer Anti_VM DllRegisterServer dll PE File PE32 OS Processor Check VirusTotal Malware Creates executable files ICMP traffic unpack itself Windows utilities AppData folder WriteConsoleW installed browsers check Windows Browser Remote Code Execution | | 4: ddos.dnsnb8.net(44.221.84.105) - mailcious smtp.163.com(103.129.252.45) 103.129.252.45 44.221.84.105 | 1: SURICATA Applayer Detect protocol only one direction | | 6.8 | M | 68 | ZeroCERT
2976 | 2024-06-16 09:58 | sc.exe 1c7ce77089b1bc88099485ff0c30a928 Malicious Packer Malicious Library UPX PE64 PE File | | | | | 0.6 | M | | ZeroCERT
2977 | 2024-06-16 09:56 | 8989.exe 7d8056785948284e8f6b89004886c936 Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS | | 1 | | | 7.8 | M | 66 | ZeroCERT
2978 | 2024-06-16 09:55 | 999999.exe 2b6bdd0a18e76a5df3a867a49f951125 Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS | | 1 | | | 7.2 | M | 69 | ZeroCERT
2979 | 2024-06-15 08:30 | amadka.exe 5a12fd39ea2482c5ef29e1ca1fe5c083 Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Themida Packer Malicious Library UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Http API PWS Code injection Anti_VM AntiDebug AntiVM PE File PE32 P Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Cryptocurrency Miner Malware powershell Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW VMware anti-virtualization IP Check human activity check installed browsers check Tofsee Stealer Windows Exploit Browser RisePro ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner | 12: http://185.172.128.19/b2c2c1.exe http://185.172.128.19/NewKindR.exe http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300 http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037 http://147.45.47.155/ku4Nor9/index.php http://185.172.128.19/FirstZ.exe - rule_id: 39930 http://apps.identrust.com/roots/dstrootcax3.p7c http://77.91.77.81/lend/setup222.exe http://x1.i.lencr.org/ http://77.91.77.81/lend/servoces64.exe https://d1i94yju6i4l9g.cloudfront.net/setup.exe https://db-ip.com/demo/home.php?s=175.208.134.152 | 24: xmr-eu1.nanopool.org(146.59.154.106) - mailcious db-ip.com(104.26.4.15) kmsandallapp.ru(31.31.198.35) - mailcious d1i94yju6i4l9g.cloudfront.net(18.244.65.58) ipinfo.io(34.117.186.192) x1.i.lencr.org(23.52.33.11) pastebin.com(104.20.3.235) - mailcious boredombusters.online(104.21.44.95) zeph-eu2.nanopool.org(163.172.171.111) - mailcious 182.162.106.33 - malware 51.15.89.13 147.45.47.126 - mailcious 163.172.154.142 - mailcious 18.244.65.161 185.172.128.19 - mailcious 23.41.113.9 172.67.198.131 34.117.186.192 147.45.47.155 - malware 77.91.77.81 - mailcious 31.31.198.35 - mailcious 104.26.5.15 172.67.19.24 - mailcious 185.215.113.67 - mailcious | 22: ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) | 3: http://185.172.128.19/ghsdh39s/index.php http://77.91.77.81/Kiru9gu/index.php http://185.172.128.19/FirstZ.exe | 28.4 | M | | ZeroCERT
2980 | 2024-06-15 08:26 | installer2.exe 5aece647826a6f39a8bb8b17cd4186d6 PE64 PE File DNS | | 4: 172.67.198.131 147.45.47.126 - mailcious 163.172.154.142 - mailcious 185.172.128.19 - mailcious | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 23 | | 2.2 | | | ZeroCERT
2981 | 2024-06-15 08:22 | help.scr 5315d928cff19507f66d59b174280e8a Emotet Generic Malware Malicious Packer Malicious Library UPX Antivirus PE File PE32 OS Processor Check DLL PE64 ftp Cryptocurrency Miner Malware Cryptocurrency Traffic Potential Scan AutoRuns suspicious privilege Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself Windows utilities Auto service suspicious process WriteConsoleW Windows Exploit ComputerName Remote Code Execution | 2: http://192.168.56.1/ipc$ http://192.168.56.1/ | 3: are.nishabig.pro() auto.c3pool.org(18.163.115.97) - mailcious 47.76.164.119 - mailcious | 4: ET POLICY Cryptocurrency Miner Checkin ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection | | 8.6 | M | | ZeroCERT
2982 | 2024-06-15 08:21 | %E5%8C%97%E7%AC%99%E5%87%BA%E8... 596e9b32324853cc471332f6289689bd Generic Malware Malicious Packer Malicious Library ASPack VMProtect UPX DllRegisterServer dll PE File PE32 OS Processor Check DLL Check memory Creates executable files unpack itself AppData folder Remote Code Execution DNS | | 1: 47.76.164.119 - mailcious | | | 3.2 | M | | ZeroCERT
2983 | 2024-06-15 08:21 | 4.exe 24981658666a4f40f07f37bfb48d1372 Malicious Library UPX PE File PE32 OS Processor Check AutoRuns Windows DNS | | 2: 164.155.205.99 94.177.131.249 | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 27 | | 3.4 | M | | ZeroCERT
2984 | 2024-06-15 08:19 | test.exe 71687e0babe1e0575c7471b0e696e9d3 UPX PE64 PE File Traffic Potential Scan suspicious privilege Windows utilities WriteConsoleW Windows Exploit DNS | | 1 | 3: ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection | | 4.6 | | | ZeroCERT
2985 | 2024-06-15 08:13 | Dispatch of the APC HMLTV tech... 73a0170ea882989f6ffc3b4726a3ee56 Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting Check virtual network interfaces suspicious process Tofsee Interception | 3: http://x1.i.lencr.org/ https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0 - rule_id: 40280 https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0 | 4: mailnepalarmymil.mods.email(91.223.208.175) x1.i.lencr.org(23.52.33.11) 91.223.208.175 23.41.113.9 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 1: https://mailnepalarmymil.mods.email/dispachofapc-46703841 | 4.8 | | | ZeroCERT