| 3496 |
2024-06-03 14:00
|
 Job Description (LM HR Divisio... 73d2899aade924476e58addf26254c2e
Generic Malware Malicious Library Malicious Packer UPX PDF PE64 PE File OS Processor Check DLL DllRegisterServer dll VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Auto service suspicious process sandbox evasion WriteConsoleW installed browsers check Windows Browser ComputerName DNS DDNS |
1
http://imagedownload.ignorelist.com/index.php
|
1
imagedownload.ignorelist.com()
|
1
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
|
|
11.0 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3497 |
2024-06-03 13:27
|
김명희_20240515.xlsx.lnk 0993cf18121be84f5b1511318df80f44
Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
6.2 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3498 |
2024-06-03 12:04
|
0329bb5b3a450b0a8f148a57e045bf... 3c81dc763a4f003ba6e33cd5b63068cd
Generic Malware Antivirus AntiDebug AntiVM MSOffice File Lnk Format HWP GIF Format VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
2
https://phasechangesolutions.com/wp-admin/css/colors/coffee/hurryup/?rv=super&za=mongo0
https://phasechangesolutions.com/wp-admin/css/colors/coffee/hurryup/?rv=super&za=mongo1
|
|
|
|
6.6 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3499 |
2024-06-03 11:14
|
0329bb5b3a450b0a8f148a57e045bf... 3c81dc763a4f003ba6e33cd5b63068cd
Generic Malware Antivirus AntiDebug AntiVM MSOffice File Lnk Format HWP GIF Format VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
7.2 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3500 |
2024-06-03 11:07
|
 kano.exe e9ac7172d4fe46c82cce7948a264f615
Malicious Packer Anti_VM PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
147.45.47.126 - mailcious
104.26.4.15
34.117.186.192
|
8
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE RisePro CnC Activity (Inbound)
|
|
13.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3501 |
2024-06-03 11:07
|
 google 25f75c4de10c970fd05472f8e6c3f337
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3502 |
2024-06-03 10:48
|
 123p.exe d43ac79abe604caffefe6313617079a3
Generic Malware PE64 PE File VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
2
pool.hashvault.pro(125.253.92.50) - mailcious
131.153.76.130 - mailcious
|
1
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
|
2.4 |
M |
58 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3503 |
2024-06-03 10:46
|
 123p.exe d43ac79abe604caffefe6313617079a3
Generic Malware PE64 PE File VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
2
pool.hashvault.pro(131.153.76.130) - mailcious
131.153.76.130 - mailcious
|
1
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
|
1.8 |
M |
58 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3504 |
2024-06-03 09:41
|
 123p.exe d43ac79abe604caffefe6313617079a3
PE64 PE File VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
2
pool.hashvault.pro(131.153.76.130) - mailcious
131.153.76.130 - mailcious
|
1
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
|
1.8 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3505 |
2024-06-03 09:40
|
 AppGate2103v01.exe 9905d4c0f3aaf44c8f7a0f6c4b4d3543
Emotet North Korea Generic Malware UPX Malicious Library .NET framework(MSIL) Malicious Packer Downloader Admin Tool (Sysinternals etc ...) Socket ScreenShot Steal credential DNS Code injection Anti_VM AntiDebug AntiVM PE64 PE File PE32 OS Process Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Check virtual network interfaces malicious URLs Firewall state off IP Check Tofsee Windows Browser ComputerName Remote Code Execution DNS crashed |
15
http://5.42.66.10/download/th/retail.php - rule_id: 39943
http://176.111.174.109/google
http://185.172.128.69/download.php?pub=inte - rule_id: 39937
http://185.172.128.69/download.php?pub=inte
http://5.42.66.10/download/th/space.php - rule_id: 39944
http://5.42.99.177/api/crazyfish.php
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.232.45.38/eee01/eee01.exe - rule_id: 39938
http://147.45.47.149:54674/rade/kano.exe
http://185.172.128.159/dl.php - rule_id: 39941
http://5.42.66.10/download/th/getimage12.php - rule_id: 39942
http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe - rule_id: 39939
http://5.42.99.177/api/twofish.php
http://5.42.66.10/download/123p.exe - rule_id: 39935
https://db-ip.com/demo/home.php?s=
|
26
f.123654987.xyz() - malware
db-ip.com(172.67.75.166)
monoblocked.com(45.130.41.108) - malware
api64.ipify.org(104.237.62.213)
api.myip.com(104.26.9.59)
lop.foxesjoy.com(104.21.66.124) - malware
ipinfo.io(34.117.186.192)
vk.com(87.240.132.72) - mailcious
176.111.174.109
61.111.58.34 - malware
5.42.99.177
104.26.9.59
104.26.4.15
172.67.159.232
34.117.186.192
45.130.41.108 - malware
147.45.47.149
94.232.45.38 - malware
104.237.62.213
185.172.128.69 - malware
87.240.132.67 - mailcious
5.42.66.10 - malware
185.172.128.159 - malware
91.202.233.232 - mailcious
5.42.65.116
149.88.76.85 - malware
|
18
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET DROP Dshield Block Listed Source group 1
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
8
http://5.42.66.10/download/th/retail.php
http://185.172.128.69/download.php?pub=inte
http://5.42.66.10/download/th/space.php
http://94.232.45.38/eee01/eee01.exe
http://185.172.128.159/dl.php
http://5.42.66.10/download/th/getimage12.php
http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
http://5.42.66.10/download/123p.exe
|
18.4 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3506 |
2024-06-03 09:38
|
 download.php ba1078a938632c3219edc00cc855625a
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3507 |
2024-06-03 09:36
|
 2.exe fd75736f30d58471359129fe5bb6d452
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3508 |
2024-06-03 08:51
|
 S1.exe db4468bcb2b2a4831714f107451eebfd
Emotet Malicious Library UPX PE File PE32 OS Processor Check PNG Format VirusTotal Malware Check memory Checks debugger RWX flags setting unpack itself sandbox evasion Tofsee Browser Remote Code Execution DNS |
|
3
www.baidu.com(119.63.197.139)
149.88.76.85 - malware
119.63.197.151
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3509 |
2024-06-03 08:51
|
 mdll.exe d65acc2321b1580bc524b991fad0f78a
Emotet Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory RWX flags setting sandbox evasion Browser Remote Code Execution DNS |
|
1
|
|
|
5.0 |
M |
67 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3510 |
2024-06-03 07:35
|
 GTA_V.exe adf5adfae118dabb87818f625502d0d8
Emotet Gen1 Generic Malware Malicious Library UPX ASPack Admin Tool (Sysinternals etc ...) Malicious Packer PE File PE32 MZP Format OS Processor Check DLL PNG Format MSOffice File PE64 .NET DLL DllRegisterServer dll ftp VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
4.6 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|