| 2971 |
2024-06-16 10:04
|
 newbild.exe f9fc06f0cc64b6a700eda6fd6d816df3
PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
2.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2972 |
2024-06-16 10:02
|
 random.exe 8f7aaf6053a152035540f30992647b10
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger exploit crash installed browsers check Exploit Browser crashed |
|
|
|
|
4.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2973 |
2024-06-16 10:02
|
 appst.exe f05da219bf720502ed4a9d17c7bbcb65
Generic Malware Malicious Library UPX PE64 PE File VirusTotal Malware Check memory unpack itself |
|
|
|
|
1.0 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2974 |
2024-06-16 10:00
|
 x86_0923_1.exe 95996d628e7f15ed7290902c879aa81b
Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege sandbox evasion WriteConsoleW Windows Advertising Remote Code Execution Firmware DNS crashed |
|
1
|
|
|
7.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2975 |
2024-06-16 09:59
|
 %E5%A4%A7JJ.exe d436dc7faa63db35b10524ac82ab7631
Generic Malware Malicious Library Downloader ASPack UPX Malicious Packer Anti_VM DllRegisterServer dll PE File PE32 OS Processor Check VirusTotal Malware Creates executable files ICMP traffic unpack itself Windows utilities AppData folder WriteConsoleW installed browsers check Windows Browser Remote Code Execution |
|
4
ddos.dnsnb8.net(44.221.84.105) - mailcious
smtp.163.com(103.129.252.45)
103.129.252.45
44.221.84.105
|
1
SURICATA Applayer Detect protocol only one direction
|
|
6.8 |
M |
68 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2976 |
2024-06-16 09:58
|
 sc.exe 1c7ce77089b1bc88099485ff0c30a928
Malicious Packer Malicious Library UPX PE64 PE File |
|
|
|
|
0.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2977 |
2024-06-16 09:56
|
 8989.exe 7d8056785948284e8f6b89004886c936
Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS |
|
1
|
|
|
7.8 |
M |
66 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2978 |
2024-06-16 09:55
|
 999999.exe 2b6bdd0a18e76a5df3a867a49f951125
Backdoor Farfli Hide_EXE Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check VirusTotal Malware AutoRuns Check memory Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows DNS |
|
1
|
|
|
7.2 |
M |
69 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2979 |
2024-06-15 08:30
|
 amadka.exe 5a12fd39ea2482c5ef29e1ca1fe5c083
Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Themida Packer Malicious Library UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Http API PWS Code injection Anti_VM AntiDebug AntiVM PE File PE32 P Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Cryptocurrency Miner Malware powershell Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW VMware anti-virtualization IP Check human activity check installed browsers check Tofsee Stealer Windows Exploit Browser RisePro ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner |
12
http://185.172.128.19/b2c2c1.exe
http://185.172.128.19/NewKindR.exe
http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300
http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037
http://147.45.47.155/ku4Nor9/index.php
http://185.172.128.19/FirstZ.exe - rule_id: 39930
http://apps.identrust.com/roots/dstrootcax3.p7c
http://77.91.77.81/lend/setup222.exe
http://x1.i.lencr.org/
http://77.91.77.81/lend/servoces64.exe
https://d1i94yju6i4l9g.cloudfront.net/setup.exe
https://db-ip.com/demo/home.php?s=175.208.134.152
|
24
xmr-eu1.nanopool.org(146.59.154.106) - mailcious
db-ip.com(104.26.4.15)
kmsandallapp.ru(31.31.198.35) - mailcious
d1i94yju6i4l9g.cloudfront.net(18.244.65.58)
ipinfo.io(34.117.186.192)
x1.i.lencr.org(23.52.33.11)
pastebin.com(104.20.3.235) - mailcious
boredombusters.online(104.21.44.95)
zeph-eu2.nanopool.org(163.172.171.111) - mailcious
182.162.106.33 - malware
51.15.89.13
147.45.47.126 - mailcious
163.172.154.142 - mailcious
18.244.65.161
185.172.128.19 - mailcious
23.41.113.9
172.67.198.131
34.117.186.192
147.45.47.155 - malware
77.91.77.81 - mailcious
31.31.198.35 - mailcious
104.26.5.15
172.67.19.24 - mailcious
185.215.113.67 - mailcious
|
22
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
3
http://185.172.128.19/ghsdh39s/index.php
http://77.91.77.81/Kiru9gu/index.php
http://185.172.128.19/FirstZ.exe
|
28.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2980 |
2024-06-15 08:26
|
 installer2.exe 5aece647826a6f39a8bb8b17cd4186d6
PE64 PE File DNS |
|
4
172.67.198.131
147.45.47.126 - mailcious
163.172.154.142 - mailcious
185.172.128.19 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2981 |
2024-06-15 08:22
|
 help.scr 5315d928cff19507f66d59b174280e8a
Emotet Generic Malware Malicious Packer Malicious Library UPX Antivirus PE File PE32 OS Processor Check DLL PE64 ftp Cryptocurrency Miner Malware Cryptocurrency Traffic Potential Scan AutoRuns suspicious privilege Malicious Traffic Check memory buffers extracted WMI Creates executable files unpack itself Windows utilities Auto service suspicious process WriteConsoleW Windows Exploit ComputerName Remote Code Execution |
2
http://192.168.56.1/ipc$
http://192.168.56.1/
|
3
are.nishabig.pro()
auto.c3pool.org(18.163.115.97) - mailcious
47.76.164.119 - mailcious
|
4
ET POLICY Cryptocurrency Miner Checkin
ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
|
|
8.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2982 |
2024-06-15 08:21
|
 %E5%8C%97%E7%AC%99%E5%87%BA%E8... 596e9b32324853cc471332f6289689bd
Generic Malware Malicious Packer Malicious Library ASPack VMProtect UPX DllRegisterServer dll PE File PE32 OS Processor Check DLL Check memory Creates executable files unpack itself AppData folder Remote Code Execution DNS |
|
1
47.76.164.119 - mailcious
|
|
|
3.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2983 |
2024-06-15 08:21
|
 4.exe 24981658666a4f40f07f37bfb48d1372
Malicious Library UPX PE File PE32 OS Processor Check AutoRuns Windows DNS |
|
2
164.155.205.99
94.177.131.249
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2984 |
2024-06-15 08:19
|
 test.exe 71687e0babe1e0575c7471b0e696e9d3
UPX PE64 PE File Traffic Potential Scan suspicious privilege Windows utilities WriteConsoleW Windows Exploit DNS |
|
1
|
3
ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
|
|
4.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2985 |
2024-06-15 08:13
|
Dispatch of the APC HMLTV tech... 73a0170ea882989f6ffc3b4726a3ee56
Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting Check virtual network interfaces suspicious process Tofsee Interception |
3
http://x1.i.lencr.org/
https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0 - rule_id: 40280
https://mailnepalarmymil.mods.email/dispachofapc-46703841?yui=0
|
4
mailnepalarmymil.mods.email(91.223.208.175)
x1.i.lencr.org(23.52.33.11)
91.223.208.175
23.41.113.9
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://mailnepalarmymil.mods.email/dispachofapc-46703841
|
4.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|