3916 |
2024-05-20 10:32
|
setup.exe 5cc472dcd66120aed74de36341bfd75a Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios powershell.exe wrote suspicious process WriteConsoleW anti-virtualization Windows ComputerName Cryptographic key |
|
|
|
|
12.2 |
M |
56 |
ZeroCERT
3917 |
2024-05-20 10:30
|
AppGate2103v01.exe 5ede7f188f5353878c0e62808ce3e770 Generic Malware UPX MPRESS PE64 PE File OS Processor Check VirusTotal Malware heapspray unpack itself Windows Remote Code Execution crashed |
|
|
|
|
4.8 |
M |
21 |
ZeroCERT
3918 |
2024-05-20 10:28
|
GroceryExtensive.exe fb88fe2ec46424fce9747de57525a486 Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
6.8 |
M |
25 |
ZeroCERT
3919 |
2024-05-20 10:27
|
online_security_mkl.exe b80362872ea704846e892f16aab924c3 Generic Malware Malicious Library UPX PE File PE32 MZP Format OS Processor Check PE64 VirusTotal Malware Checks debugger unpack itself Check virtual network interfaces AppData folder Tofsee crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
adblock2024.shop(172.67.176.247) - mailcious 61.111.58.35 - malware 104.21.43.83 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
M |
4 |
ZeroCERT
3920 |
2024-05-20 10:27
|
start-pub.exe 52bcb73bddd7e3b613ec7fb1367c91c1 NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 P VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed |
6
http://apps.identrust.com/roots/dstrootcax3.p7c http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt - rule_id: 39695 https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2841&c=2841 - rule_id: 39690 https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=2841 - rule_id: 39689 https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=2841 - rule_id: 39689 https://d1vt2h4o64rfsv.cloudfront.net/load/load.php?c=2841&a=2841 - rule_id: 39691
|
11
d22hce23hy1ej9.cloudfront.net(13.225.110.70) - mailcious cdn-edge-node.com(104.21.11.117) - mailcious 240429000936002.mjt.kqri92.top(94.156.35.76) - mailcious d1vt2h4o64rfsv.cloudfront.net(18.244.65.223) - mailcious adblock2024.shop(172.67.176.247) - mailcious 172.67.165.254 - mailcious 18.244.65.10 - mailcious 104.21.43.83 - mailcious 13.225.110.102 182.162.106.144 179.43.158.2
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile
|
5
http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt https://d22hce23hy1ej9.cloudfront.net/load/th.php https://d22hce23hy1ej9.cloudfront.net/load/dl.php https://d22hce23hy1ej9.cloudfront.net/load/dl.php https://d1vt2h4o64rfsv.cloudfront.net/load/load.php
|
11.2 |
M |
17 |
ZeroCERT
3921 |
2024-05-20 10:25
|
lumma1234.exe c4ffab152141150528716daa608d5b92 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself WriteConsoleW crashed |
|
|
|
|
2.2 |
M |
39 |
ZeroCERT
3922 |
2024-05-20 09:36
|
206.238.220.102.dll dc22b7f350d6cd3e08f155d26e431e3a Malicious Library UPX PE File DLL DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware Checks debugger unpack itself Remote Code Execution DNS |
|
1
|
|
|
3.6 |
M |
53 |
ZeroCERT
3923 |
2024-05-20 08:59
|
csrss.exe 591deb3212cb1720fa03640f6257b5dc Browser Login Data Stealer Gen1 EnigmaProtector Generic Malware UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://142.93.40.72/msvcp140.dll
http://142.93.40.72/freebl3.dll
http://142.93.40.72/softokn3.dll
http://142.93.40.72/
http://142.93.40.72/vcruntime140.dll
http://142.93.40.72/nss3.dll
http://142.93.40.72/sql.dll
http://142.93.40.72/mozglue.dll
https://t.me/obeliszxgeaea_1337
|
3
t.me(149.154.167.99) - mailcious 142.93.40.72
149.154.167.99 - mailcious
|
13
ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
12.8 |
M |
49 |
ZeroCERT
3924 |
2024-05-20 08:55
|
gena.exe e520f65d2af59a1c69a96809fd025d9b EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 172.67.75.166 147.45.47.126 - mailcious 34.117.186.192
|
7
ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE RisePro CnC Activity (Inbound)
|
|
13.4 |
M |
46 |
ZeroCERT
3925 |
2024-05-20 08:55
|
sdf34ert3etgrthrthfghfghjfgh.e... 7fce620eed38da6eb6552e1713e4fa84 Malicious Library Downloader Malicious Packer UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
2.2 |
M |
31 |
ZeroCERT
3926 |
2024-05-20 07:45
|
random.exe d0d9b758764ced5f38eddd0f9c765b79 Amadey Gen1 RedLine stealer RedlineStealer XMRig Miner Generic Malware NSIS Downloader Malicious Library UPX .NET framework(MSIL) Malicious Packer MPRESS Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal cr Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Cryptocurrency powershell Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed CoinMiner |
35
http://5.42.96.7/lend/lumma1234.exe http://coatdetail.fun/load/download.php?c=1004 http://5.42.96.7/lend/lumma1.exe - rule_id: 39647 http://5.42.96.170/server/12/AppGate2103v01.exe http://file-file-host6.com/downloads/toolspub1.exe - rule_id: 39651 http://5.42.96.7/lend/gold.exe - rule_id: 39643 http://77.221.151.47/install.exe - rule_id: 39645 http://5.42.96.78/files/Silent.exe http://5.42.96.78/files/start-pub.exe http://x1.i.lencr.org/ http://riskarbs.com/wegergbsertter4/upd2.php?key=35c9606d64e49b301a865b7c11183bde http://5.42.96.78/files/setup.exe http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300 http://riskarbs.com/wegergbsertter4/upd2.php http://185.172.128.19/Newoff.exe http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt http://5.42.96.7/lend/redline1.exe - rule_id: 39644 http://5.42.96.7/lend/alex.exe - rule_id: 39642 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.42.96.7/zamo7h/index.php - rule_id: 39641 http://5.42.96.78/files/file300un.exe - rule_id: 39648 https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002 https://bitbucket.org/qwizzi/tt522222/downloads/GroceryExtensive.exe https://pastebin.com/raw/E0rY26ni - rule_id: 37702 https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002 https://d2csnxzxwctx26.cloudfront.net/load/load.php?c=1002 https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=2841 
https://bbuseruploads.s3.amazonaws.com/c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/8fa016f0-6b2d-4c55-8cd6-ae05fdfeb815/GroceryExtensive.exe?response-content-disposition=attachment%3B%20filename%3D%22GroceryExtensive.exe%22&AWSAccessKeyId=ASIA6KOSE3BNINPUTCTS&Signature=IVvaIU%2Bk4bXFTwvhHaqgth67tjM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIDHOADIhZOmbUC8wQ1L%2BkX9WHF%2FdFSks8rjm6Sn5NzrsAiB1CFSPGGFvrlKSS7LX7TJiMKBEs7aMEgNB41XNlRH4WyqnAgggEAAaDDk4NDUyNTEwMTE0NiIMtVvNiFxS3Qgrm54GKoQCmAs1%2BQPoHPpvDIFsbUjuIbSxWRYd6AvopjLc8FSc%2BU%2BOxJrbBvhRTHsIyyLHqb95Exs%2BirIbDYzqn7ZvmeNQm9VDbAE%2Bx4bA%2B4g4hc9GcY7zI6oOqEqIwGFUFRPxS7HPdlhe7HSVGxS2MFSNFGA%2FwgUEDbAlwWK1jY%2BJg9r2A9cozo6cLgQSDridHAVyt1A%2FVhp%2FbknQnZKStXWGPjMBvtUnIrDf%2BpVLUCZIAWF4bnjchi87vx55yIxJKOkXDfdWiZdqIidvZje9T9bsL30%2Fxf8YZ2%2BRy0us2lDP1b8c2vxUo2K5yHB9eXLcKTFLoQQX3u8ZltHOBIAb7Nwzn83wqTE18rsw8%2FmpsgY6ngFciXNYdFP9p1NaXoKomjNE7%2BHOdUeLPNl8PICjgQv%2BKBzqw91%2BAhrkwqMpiyaTGFTVP7JgmC4xxibwE1uTSoRdLEc6v%2BgmOIghtc4SdM41V0JgpV8WnNlGdGNnH8bZOg9NgZLoIVttU5%2Br6pA7b%2Fb7fqWsetNxECnXkxMpXiwC2S4KTUPvxRPefGUrNW8etLsOkMylbLtmzo1amRwzlQ%3D%3D&Expires=1716159483 https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2841&c=2841 https://d1vt2h4o64rfsv.cloudfront.net/load/load.php?c=2841&a=2841 https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002 https://yip.su/RNWPd.exe - rule_id: 37623 https://cdn-edge-node.com/online_security_mkl.exe https://iplogger.com/1lyxz
|
45
iplogger.com(172.67.188.178) - mailcious free.360totalsecurity.com(54.192.175.27) bbuseruploads.s3.amazonaws.com(3.5.20.106) - malware download.winzip.com(23.201.35.121) xmr.2miners.com(162.19.139.184) - mailcious file-file-host6.com(45.131.41.39) - malware d22hce23hy1ej9.cloudfront.net(13.225.110.102) coatdetail.fun(194.54.164.123) cdn-edge-node.com(104.21.11.117) 240429000936002.mjt.kqri92.top(94.156.35.76) riskarbs.com(109.98.58.98) d1vt2h4o64rfsv.cloudfront.net(18.244.65.223) x1.i.lencr.org(23.52.33.11) pastebin.com(172.67.19.24) - mailcious bitbucket.org(104.192.141.1) - malware d2csnxzxwctx26.cloudfront.net(18.64.13.116) adblock2024.shop(104.21.43.83) yip.su(104.21.79.77) - mailcious 94.207.16.210 18.244.65.34 121.254.136.130 54.192.175.27 13.225.110.24 104.21.43.83 172.67.188.178 - mailcious 179.43.158.2 5.42.96.170 172.67.169.89 185.215.113.67 - mailcious 61.111.58.35 - malware 104.21.11.117 77.221.151.47 - malware 185.172.128.19 - mailcious 45.131.41.39 52.217.138.209 13.225.110.102 104.20.3.235 - malware 194.54.164.123 5.42.96.7 - malware 104.192.141.1 - mailcious 109.98.58.98 5.42.96.78 - mailcious 23.41.113.9 18.64.13.116 162.19.139.184 - mailcious
|
22
ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 32 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Possible Kelihos.F EXE Download Common Structure ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) ET POLICY Cryptocurrency Miner Checkin SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Packed Executable Download ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
|
|
32.2 |
M |
42 |
ZeroCERT
3927 |
2024-05-20 07:42
|
1234.exe d3a80c7a3a80478b08cc17522a55bb44 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself DNS crashed |
|
3
45.33.6.223 104.20.3.235 - malware 172.67.169.89
|
|
|
4.4 |
M |
48 |
ZeroCERT
3928 |
2024-05-20 07:40
|
Document0984757478.exe c36f798f2646092c180c6fc904c418f7 Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PE File Device_File_Check PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
12
http://www.hidrapelenobrasil.shop/tnob/ http://www.vgyuren.icu/tnob/?M768=NZLAttDy15cbxmTAaaJAAhcdtbbzbdC6cQASBxA5nayYu/GOfC/5A+IahllAzFRUiFmSt5kq6F0oVQiv/GR/+8xUZyS/zwm/ST73YGuTYQJxL0QGvxJmA8+4HRiCsYQg+9RGN1M=&8VV=cbpI8Z http://www.vgyuren.icu/tnob/ http://www.infiniteiris.xyz/tnob/ http://www.agiluxer.com/tnob/ http://www.hidrapelenobrasil.shop/tnob/?M768=TPrZ4a0urPHyVFZKcsh5aEnGH6x10c+LVWP6ua7p29CzcHV40vt+Ed5yRYmyzTCpigI2rSAw2/G/eFm8oGlzQ7+/7cLR6wXoQapfC3ZuTGxBv6b1IEkJAtht8fY8zqhXw31ZFKk=&8VV=cbpI8Z http://www.arlobear.com/tnob/ http://www.arlobear.com/tnob/?M768=mRJtfJxmotkXpphcq/QE5FfNUlyuhqJ4xTDuf4BcDBVqwLPDVx7TaFjEYZ/wXCuyUE/EPLaluHW5tfzg79EX9lgH2c6h3RXVi7dgiQ81i4DOx3Z88Lcisl2d1B4Lf8dw8FhpRx8=&8VV=cbpI8Z http://www.astrologervijay.co.in/tnob/ http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip http://www.agiluxer.com/tnob/?M768=xucYkVA0pSGnJLauQED+MX/AFeENqsoRBgDyCFwoPTJzowq3+SiQ/gcTvZgaze9ZduNu+YKWql+189tIlRko0A5LPpTiApeLXRVMRPzwdFYfTFxYQJVx/YqpG4REi2vAdvDqirs=&8VV=cbpI8Z http://www.infiniteiris.xyz/tnob/?M768=dKcAFocpbczRW7Ograh51MDLU8SGd9cCF4nhV6jObVdk20h2WG8oxGerRI8ZVjKSHAzMSzznD5M+/O7693UL+HQ2E52xXWoR98sgwtG4w7xMcOP0BgswZlze6fxvf5u2IXPt7lE=&8VV=cbpI8Z
|
22
www.likbez22.store() www.hidrapelenobrasil.shop(162.241.2.244) www.ablazeaiagents.com() www.astrologervijay.co.in(43.231.124.79) www.justgoodsin.com() www.sdshopping.org() www.agiluxer.com(74.208.236.41) www.infiniteiris.xyz(162.0.237.22) www.arlobear.com(46.30.215.3) www.artismeapparel.com() www.vgyuren.icu(192.207.62.21) 104.21.11.117 162.0.237.22 194.54.164.123 162.19.139.184 - mailcious 162.241.2.244 - mailcious 43.231.124.79 74.208.236.41 - mailcious 13.225.110.102 192.207.62.21 45.33.6.223 46.30.215.3
|
3
ET MALWARE FormBook CnC Checkin (GET) M5 ET INFO DNS Query for Suspicious .icu Domain ET INFO HTTP POST Request to Suspicious *.icu domain
|
|
7.2 |
M |
47 |
ZeroCERT
3929 |
2024-05-20 07:40
|
build13.exe b99a7c6c9e6a2eb2945d894b2ce2c63b Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself DNS crashed |
|
3
54.192.175.27 18.244.65.34 13.225.110.102
|
|
|
4.4 |
M |
48 |
ZeroCERT
3930 |
2024-05-20 07:35
|
conhost.exe be320b59ef29060678bcb78d6c8fa059 Malicious Library UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed |
|
|
|
|
2.0 |
|
20 |
ZeroCERT