3001 | 2024-06-14 17:49
tes.ps1 bfb1332339eda5252ef18e4a877bccba Generic Malware Antivirus unpack itself Windows Cryptographic key
0.6 | | | ZeroCERT
3002 | 2024-06-14 15:16
HA.COM e5e5779fa73ba24b03346cc766a50f20
| | | guest
3003 | 2024-06-14 13:46
bin2.scr 0b2395819398823d092534e26209e799 Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Browser DNS
29
http://www.carolinappttery.com/q380/ - rule_id: 40238 http://www.carolinappttery.com/q380/ http://www.carolinappttery.com/q380/?PJd=ehUrFCKl0QR4T29AJZh5dRT/ZDPm9qTvUW59H2BhLEsiO0kIW28uNcfa56DEKhzH0iD+lYFdD8RRxblUIft60LyxhWLZTQGF9CEZTcwXHMEEzcDS8bPwZbiqnYj5NbIEEA54k2w=&roo=krO0qmwhIp_LJR2y - rule_id: 40238 http://www.carolinappttery.com/q380/?PJd=ehUrFCKl0QR4T29AJZh5dRT/ZDPm9qTvUW59H2BhLEsiO0kIW28uNcfa56DEKhzH0iD+lYFdD8RRxblUIft60LyxhWLZTQGF9CEZTcwXHMEEzcDS8bPwZbiqnYj5NbIEEA54k2w=&roo=krO0qmwhIp_LJR2y http://www.gospelstudygroup.org/qmdw/ http://www.aritum.top/f2qc/ - rule_id: 40240 http://www.aritum.top/f2qc/ http://www.winnscce.com/xk70/?PJd=E9dNAQXSau8gxD7ycO4dLfQfH5YRjq6/aXbIhWqdNKhuK+zum8oLAEgkUh6j+ec/Dsz5NNoJPY83q7uKVhR+kQSzALNmdhL2cm95N3pKuY1dSsInVS8QGD1t6OErSJExWBCOe4E=&roo=krO0qmwhIp_LJR2y - rule_id: 40235 http://www.ay62m.top/orwn/ - rule_id: 40237 http://www.ay62m.top/orwn/ http://www.gospelstudygroup.org/qmdw/?PJd=kZQE5+J7NyHk1VKpZsdFopgUcfLAHlvR1AW0jxdBnvp4EB411rckL9DsM1GhyImy3YF39ksngIoiWe7h2+CLHpk3uYhNkgQe0XYv/yb90vBP9OLAjjQiCyGhN1bVP2EzpaLZrOo=&roo=krO0qmwhIp_LJR2y http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip http://www.tqfabxah.com/f5wa/?PJd=gvfimVYyVoaIA6LSQiLyJJ4rCFA+SDI9PWBc8jEgnhWVxILhAYweklxvvqcAelfwJ0IvmpbMteemAhVl67fWtrB9/BgWrmQnFTV5QmYGhYRFat8wsaPDvDNh/p04Lm04k2miCbo=&roo=krO0qmwhIp_LJR2y http://www.sjzsls.com/9ypd/ - rule_id: 40234 http://www.ybw73.top/zfmd/ - rule_id: 40239 http://www.ybw73.top/zfmd/ http://www.ay62m.top/orwn/?PJd=3cBNLJTm2SpTWV5+FkCnTYkROdg55TQjKQDEk1HDa97easJD35wZE2GMsxRselnzvm7j4PFdEanRmF1YrarFthUoWpYtpzXpGMx8vyWuQ49fEDOcUJzL6xCqo7J2o8DZINEYFF8=&roo=krO0qmwhIp_LJR2y - rule_id: 40237 http://www.ay62m.top/orwn/?PJd=3cBNLJTm2SpTWV5+FkCnTYkROdg55TQjKQDEk1HDa97easJD35wZE2GMsxRselnzvm7j4PFdEanRmF1YrarFthUoWpYtpzXpGMx8vyWuQ49fEDOcUJzL6xCqo7J2o8DZINEYFF8=&roo=krO0qmwhIp_LJR2y 
http://www.ybw73.top/zfmd/?PJd=Wy9Xy0arXTA/u2vvBYrKIOUBpzUpOEWJyNtxnnOaFAzOmZ+G/QUaP7IPedalQRfZTnOTlfhQhpBKLAk/X9K39OImH5VRArdmcUQpro/j/mKcwsNXkqPqNRMPQWcketlQaFqDwMQ=&roo=krO0qmwhIp_LJR2y - rule_id: 40239 http://www.ybw73.top/zfmd/?PJd=Wy9Xy0arXTA/u2vvBYrKIOUBpzUpOEWJyNtxnnOaFAzOmZ+G/QUaP7IPedalQRfZTnOTlfhQhpBKLAk/X9K39OImH5VRArdmcUQpro/j/mKcwsNXkqPqNRMPQWcketlQaFqDwMQ=&roo=krO0qmwhIp_LJR2y http://www.w90dm.top/8ms4/ - rule_id: 40236 http://www.w90dm.top/8ms4/ http://www.tqfabxah.com/f5wa/ http://www.sjzsls.com/9ypd/?PJd=Fp4YMLPzXpbUfY9ET0WH3a72p3fXf7YhU2uVF/1Su8SRdO97GHvogqvz+96x72oMEQq3eHyW0zw8RVfXjuFBE/DSpz5ZNszOE2hxgYcLkAt/YsxuqXlLrzOhs3BZhOu+6KXTzoA=&roo=krO0qmwhIp_LJR2y - rule_id: 40234 http://www.aritum.top/f2qc/?PJd=+PlbwI8tNruUpga2nartzvIoOczIwOvbU1ANxXfMuvMQEzSRrWQM3cmspk1IFvcCMV40t1yig50Ax37YShWjrdIjOvIEgJJROzqkte3OBXYcjah0B7lnBY2SKVXOZr2cpq5/qwU=&roo=krO0qmwhIp_LJR2y - rule_id: 40240 http://www.aritum.top/f2qc/?PJd=+PlbwI8tNruUpga2nartzvIoOczIwOvbU1ANxXfMuvMQEzSRrWQM3cmspk1IFvcCMV40t1yig50Ax37YShWjrdIjOvIEgJJROzqkte3OBXYcjah0B7lnBY2SKVXOZr2cpq5/qwU=&roo=krO0qmwhIp_LJR2y http://www.w90dm.top/8ms4/?PJd=udGRhKSFzWywOShfg4LrArlkOSU57jdgfHHoAEODJUB2/fB/f7uvWahs0ChcgR3p3uHY1bC8mP+rUPbsneCLatPp1qyYsRzD0wOOKHTt4GdecEtntAcROmt09OnVjaXmhkctiwE=&roo=krO0qmwhIp_LJR2y - rule_id: 40236 http://www.w90dm.top/8ms4/?PJd=udGRhKSFzWywOShfg4LrArlkOSU57jdgfHHoAEODJUB2/fB/f7uvWahs0ChcgR3p3uHY1bC8mP+rUPbsneCLatPp1qyYsRzD0wOOKHTt4GdecEtntAcROmt09OnVjaXmhkctiwE=&roo=krO0qmwhIp_LJR2y http://www.winnscce.com/xk70/ - rule_id: 40235
19
www.aritum.top(203.161.55.102) www.gospelstudygroup.org(185.245.180.25) www.tqfabxah.com(35.241.42.217) www.carolinappttery.com(123.58.214.101) www.yedurrum.xyz() www.winnscce.com(123.58.214.101) - mailcious www.sjzsls.com(154.212.44.122) - mailcious www.ay62m.top(38.47.207.132) www.ybw73.top(38.47.232.233) www.w90dm.top(38.47.232.178) 38.47.232.178 203.161.55.102 38.47.232.233 154.212.44.122 - mailcious 38.47.207.132 185.245.180.25 45.33.6.223 123.58.214.101 - mailcious 35.241.42.217
2
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain
14
http://www.carolinappttery.com/q380/ http://www.carolinappttery.com/q380/ http://www.aritum.top/f2qc/ http://www.winnscce.com/xk70/ http://www.ay62m.top/orwn/ http://www.sjzsls.com/9ypd/ http://www.ybw73.top/zfmd/ http://www.ay62m.top/orwn/ http://www.ybw73.top/zfmd/ http://www.w90dm.top/8ms4/ http://www.sjzsls.com/9ypd/ http://www.aritum.top/f2qc/ http://www.w90dm.top/8ms4/ http://www.winnscce.com/xk70/
12.0 | M | 32 | ZeroCERT
3004 | 2024-06-14 13:29
lummac2.exe 6e3d83935c7a0810f75dfa9badc3f199 Lumma Stealer PE File PE32 VirusTotal Malware
1.6 | M | 60 | r0d
3005 | 2024-06-14 10:55
RFQ#ORDER-SP-24-0217891-003.do... 527d1b34d5c5759d38b6496008e379b1 NSIS Malicious Library UPX PE32 PE File DLL JPEG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder DNS
1
3.2 | | 34 | ZeroCERT
3006 | 2024-06-14 10:46
file.rar c6479683dc4b3a056b853c2f66e20998 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro DNS CoinMiner
10
http://5.42.66.10/download/th/space.php - rule_id: 39944 http://77.91.77.80/rome/kenzo.exe - rule_id: 40187 http://5.42.99.177/api/crazyfish.php - rule_id: 40006 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.42.99.177/api/twofish.php - rule_id: 40008 http://88.218.93.76/d/385135 - rule_id: 40184 http://5.42.66.10/download/123p.exe - rule_id: 39935 https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188 https://steamcommunity.com/profiles/76561199699680841 https://db-ip.com/demo/home.php?s=
36
db-ip.com(172.67.75.166) pool.hashvault.pro(131.153.76.130) - mailcious cdn-download.avgbrowser.com(104.100.168.115) api64.ipify.org(173.231.16.77) api.myip.com(104.26.9.59) steamcommunity.com(23.66.133.162) - mailcious lop.foxesjoy.com(104.21.66.124) - malware t.me(149.154.167.99) - mailcious iplogger.org(104.21.4.208) - mailcious ipinfo.io(34.117.186.192) bitbucket.org(104.192.141.1) - malware cdn.discordapp.com(162.159.133.233) - malware vk.com(93.186.225.194) - mailcious raw.githubusercontent.com(185.199.111.133) - malware 185.199.109.133 - mailcious 87.240.129.133 - mailcious 104.26.5.15 104.21.4.208 147.45.47.126 - mailcious 23.1.179.144 - mailcious 34.117.186.192 121.254.136.18 23.43.165.105 149.154.167.99 - mailcious 104.21.66.124 - malware 65.109.240.138 104.237.62.213 5.42.99.177 - mailcious 5.42.66.10 - malware 104.192.141.1 - mailcious 23.52.128.153 125.253.92.50 162.159.134.233 - malware 104.26.9.59 77.91.77.80 - malware 88.218.93.76 - mailcious
25
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SURICATA Applayer Mismatch protocol both directions ET INFO TLS Handshake Failure ET INFO Executable Download from dotted-quad Host ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Packed Executable Download ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Redirect to Discord Attachment Download ET INFO EXE - Served Attached HTTP ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) SURICATA Applayer Wrong direction first Data
7
http://5.42.66.10/download/th/space.php http://77.91.77.80/rome/kenzo.exe http://5.42.99.177/api/crazyfish.php http://5.42.99.177/api/twofish.php http://88.218.93.76/d/385135 http://5.42.66.10/download/123p.exe https://lop.foxesjoy.com/ssl/crt.exe
4.2 | M | | ZeroCERT
3007 | 2024-06-14 10:18
zardsystemschange.exe 414d550d9c7fed5b71913ed7e4dd967b Generic Malware Malicious Library Malicious Packer UPX PE64 DllRegisterServer dll PE File OS Processor Check VirusTotal Malware crashed
1.4 | | 44 | ZeroCERT
3008 | 2024-06-14 10:16
theporndude.exe 97b47da3b16adb27c0ad00f1d5f7e112 Generic Malware Malicious Library Malicious Packer UPX PE64 DllRegisterServer dll MSOffice File PE File OS Processor Check VirusTotal Malware crashed
1.4 | | 47 | ZeroCERT
3009 | 2024-06-14 09:45
setup%E4%B8%8B%E8%BD%BD%E5%90%... 0a31329b6172776635649ab5005c4671 Generic Malware Malicious Library Antivirus UPX PE64 PE File OS Processor Check Emotet Malware download NetWireRC VirusTotal Malware Code Injection unpack itself sandbox evasion Anonymous RAT DNS
1
1
ET MALWARE Anonymous RAT CnC Domain in DNS Lookup (anonymousrat8 .com)
6.0 | M | 43 | ZeroCERT
3010 | 2024-06-14 09:43
setup%E4%B8%8B%E8%BD%BD%E5%90%... 7ff7c6f0c4233bc3c77cdb833764af21 Generic Malware UPX PE64 PE File VirusTotal Malware Check memory DNS crashed
1
4.0 | M | 50 | ZeroCERT
3011 | 2024-06-14 09:43
setup%E4%B8%8B%E8%BD%BD%E5%90%... e52c00bdc49c2e842a573532762c5f0b Generic Malware Malicious Library PE64 PE File Malware download VirusTotal Malware Malicious Traffic unpack itself DNS crashed Downloader
1
http://8.134.180.138/123.conf
1
1
ET MALWARE Suspicious User Agent Detected (RookIE) - Common with Downloaders
3.6 | M | 50 | ZeroCERT
3012 | 2024-06-14 09:42
setup%E4%B8%8B%E8%BD%BD%E5%90%... 50c43ce25a63eb9f2c4b74e215be8135 Generic Malware Malicious Library PE64 PE File Malware download VirusTotal Malware Malicious Traffic Downloader
11
http://cwgedu.cn/diangong/diangong/diangong/diangong/diangong/diangong/diangong/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/diangong/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/diangong/diangong/diangong/diangong/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/diangong/diangong/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/123.conf http://cwgedu.cn/diangong/diangong/diangong/diangong/diangong/diangong/diangong/123.conf http://cwgedu.cn/diangong/diangong/123.conf http://8.134.239.3/123.conf http://cwgedu.cn/diangong/diangong/diangong/diangong/diangong/diangong/diangong/diangong/diangong/123.conf
2
cwgedu.cn(8.134.239.3) 8.134.239.3
1
ET MALWARE Suspicious User Agent Detected (RookIE) - Common with Downloaders
2.0 | | 53 | ZeroCERT
3013 | 2024-06-14 09:41
setup%E4%B8%8B%E8%BD%BD%E5%90%... 8ece12bccc4c83c2ec683a7d5a7dc348 Malicious Library PE64 PE File VirusTotal Malware DNS
1
http://8.134.147.84/123.conf
1
3.2 | | 46 | ZeroCERT
3014 | 2024-06-14 09:28
setup%E4%B8%8B%E8%BD%BD%E5%90%... 2b2690881f0030510504113baf20831b Malicious Library PE64 PE File VirusTotal Malware DNS
1
3.2 | M | 47 | ZeroCERT
3015 | 2024-06-14 09:28
steal.exe 1db2c9b7cd800917493a1439dcfa8eb6 Emotet Gen1 Generic Malware ASPack Malicious Library UPX Admin Tool (Sysinternals etc ...) Anti_VM PE64 ftp PE File OS Processor Check DLL DllRegisterServer dll ZIP Format VirusTotal Malware Check memory Creates executable files unpack itself crashed
2.4 | | 23 | ZeroCERT