| 4156 |
2024-05-09 11:02
|
 .hta 18dbd534f0a9f76cfb874a7a7e688c90
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2
http://193.222.96.143:7287/Excel.xlsx
http://193.222.96.143:7287/xx.bat
|
1
193.222.96.143 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Dotted Quad Host XLSX Request
|
|
12.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4157 |
2024-05-09 07:42
|
 mimi.exe 201cd297b3a0fe2bbe24c8dd42747c08
Malicious Packer UPX PE64 PE File OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4158 |
2024-05-09 07:39
|
 AlterableStockstill.exe e4680b5d58eb24f57fa55432f03bead9
Generic Malware Malicious Library PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
2.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4159 |
2024-05-09 07:38
|
 update.exe bd4fecd7009225a2618b2a47d9bcf6e5
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware |
|
|
|
|
1.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4160 |
2024-05-09 07:37
|
 lomik.exe 9fd353d70e6814ecb7ab0c866feb6b7e
EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
104.26.5.15
34.117.186.192
147.45.47.126
|
8
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
|
|
12.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4161 |
2024-05-09 07:36
|
 eee01.exe 0576835e3964b2d0bd3a87c3c80115b2
Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format VirusTotal Malware unpack itself AntiVM_Disk VM Disk Size Check |
|
|
|
|
3.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4162 |
2024-05-08 08:07
|
 ngrok.exe f886615860dbbcd3fe966cf1c79203f9
Malicious Library Malicious Packer UPX PE64 PE File wget OS Processor Check sandbox evasion WriteConsoleW |
|
|
|
|
1.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4163 |
2024-05-08 08:04
|
 candy.exe 9eefd6a7ded126926524719593d0ac07
EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
172.67.75.166
147.45.47.126
34.117.186.192
|
6
ET MALWARE RisePro TCP Heartbeat Packet
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE RisePro CnC Activity (Inbound)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
|
|
12.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4164 |
2024-05-08 08:02
|
 artifact.exe 3a87727e80537e3d27798bc4af55a54b
Malicious Library PE64 PE File Malware download Cobalt Strike Cobalt Malware c&c buffers extracted RWX flags setting unpack itself ComputerName DNS |
2
http://192.144.220.86:5667/jquery-3.3.2.slim.min.js
http://192.144.220.86:5667/jquery-3.3.1.min.js
|
1
|
4
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4165 |
2024-05-08 08:02
|
 060.exe 95bc6944bac20cc15abd010760c63182
Emotet Gen1 Generic Malware Malicious Library UPX PE File PE32 MZP Format PE64 DLL OS Processor Check ftp DllRegisterServer dll Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName crashed |
|
|
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4166 |
2024-05-08 07:59
|
 cryptography_module_windows.ex... ec69806113c382160f37a6ace203e280
Gen1 Generic Malware Malicious Library UPX Anti_VM PE64 PE File OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files DNS |
|
5
182.162.106.144
172.67.193.79
182.162.106.33 - malware
104.21.18.166
172.67.169.89
|
|
|
3.2 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4167 |
2024-05-08 07:57
|
 Discord.exe f0d723bcc3e6a9b9c2bce6662d7c5075
AsyncRAT Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Tofsee DNS |
|
5
pastebin.ai(198.12.245.107)
172.67.182.192 - mailcious
198.12.245.107 - malware
104.21.90.14
172.67.169.89
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4168 |
2024-05-08 07:54
|
 rdbc.exe bebc3002ec0a3811aea8644a88bf590e
Craxs RAT Malicious Library Socket AntiDebug AntiVM PE File .NET EXE PE32 PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=185.82.218.142
|
5
ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
172.67.75.166
185.82.218.142 - malware
34.117.186.192
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro CnC Activity (Inbound)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RisePro CnC Activity (Outbound)
|
|
15.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4169 |
2024-05-08 07:52
|
 Isetup2.exe 6fbe36ef1d6599968f107c7b6eb19225
Generic Malware NSIS Antivirus Malicious Library UPX AntiDebug AntiVM PE64 PE File PowerShell PE32 OS Processor Check VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization Tofsee Windows ComputerName DNS Cryptographic key crashed |
7
http://193.233.132.234/files/setup.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://nic-it.nl/games/index.php
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://yip.su/RNWPd.exe - rule_id: 37623
https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
|
18
jonathantwo.com(104.21.31.124)
onlycitylink.com(104.21.18.166)
realdeepai.org(104.21.90.14)
nic-it.nl(190.220.21.28)
pastebin.com(172.67.19.24) - mailcious
yip.su(104.21.79.77) - mailcious
firstfirecar.com(104.21.60.76)
182.162.106.33 - malware
104.20.3.235
104.21.60.76
172.67.182.192 - mailcious
172.67.176.131
172.67.193.220
185.172.128.59 - malware
78.89.199.216 - malware
193.233.132.234 - mailcious
104.21.90.14
172.67.169.89
|
10
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO EXE - Served Attached HTTP
|
2
https://pastebin.com/raw/xYhKBupz
https://yip.su/RNWPd.exe
|
20.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4170 |
2024-05-08 07:52
|
 ProjectE_5.exe aabe25c748360f1575c09d77cc281e07
Malicious Library UPX PE64 PE File Malware Malicious Traffic Checks debugger unpack itself ComputerName DNS |
1
http://64.95.10.243/api/mytest
|
1
|
|
|
3.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|