4156 | 2024-05-09 11:02 | .hta 18dbd534f0a9f76cfb874a7a7e688c90 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2 | http://193.222.96.143:7287/Excel.xlsx http://193.222.96.143:7287/xx.bat
1 | 193.222.96.143 - mailcious
2 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Dotted Quad Host XLSX Request
12.4 | M | 24 | ZeroCERT

4157 | 2024-05-09 07:42 | mimi.exe 201cd297b3a0fe2bbe24c8dd42747c08 Malicious Packer UPX PE64 PE File OS Processor Check VirusTotal Malware unpack itself |
1.8 | 44 | ZeroCERT

4158 | 2024-05-09 07:39 | AlterableStockstill.exe e4680b5d58eb24f57fa55432f03bead9 Generic Malware Malicious Library PE File PE32 VirusTotal Malware Remote Code Execution |
2.2 | M | 54 | ZeroCERT

4159 | 2024-05-09 07:38 | update.exe bd4fecd7009225a2618b2a47d9bcf6e5 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware |
1.8 | M | 37 | ZeroCERT

4160 | 2024-05-09 07:37 | lomik.exe 9fd353d70e6814ecb7ab0c866feb6b7e EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1 | https://db-ip.com/demo/home.php?s=175.208.134.152
5 | ipinfo.io(34.117.186.192) db-ip.com(172.67.75.166) 104.26.5.15 34.117.186.192 147.45.47.126
8 | ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
12.2 | M | 38 | ZeroCERT

4161 | 2024-05-09 07:36 | eee01.exe 0576835e3964b2d0bd3a87c3c80115b2 Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format VirusTotal Malware unpack itself AntiVM_Disk VM Disk Size Check |
3.0 | M | 18 | ZeroCERT

4162 | 2024-05-08 08:07 | ngrok.exe f886615860dbbcd3fe966cf1c79203f9 Malicious Library Malicious Packer UPX PE64 PE File wget OS Processor Check sandbox evasion WriteConsoleW |
1.8 | M | ZeroCERT

4163 | 2024-05-08 08:04 | candy.exe 9eefd6a7ded126926524719593d0ac07 EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1 | https://db-ip.com/demo/home.php?s=175.208.134.152
5 | ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 172.67.75.166 147.45.47.126 34.117.186.192
6 | ET MALWARE RisePro TCP Heartbeat Packet SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE RisePro CnC Activity (Inbound) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
12.2 | M | ZeroCERT

4164 | 2024-05-08 08:02 | artifact.exe 3a87727e80537e3d27798bc4af55a54b Malicious Library PE64 PE File Malware download Cobalt Strike Cobalt Malware c&c buffers extracted RWX flags setting unpack itself ComputerName DNS |
2 | http://192.144.220.86:5667/jquery-3.3.2.slim.min.js http://192.144.220.86:5667/jquery-3.3.1.min.js
1 |
4 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 ET MALWARE Cobalt Strike Beacon Activity (GET) ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3 ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
3.0 | M | ZeroCERT

4165 | 2024-05-08 08:02 | 060.exe 95bc6944bac20cc15abd010760c63182 Emotet Gen1 Generic Malware Malicious Library UPX PE File PE32 MZP Format PE64 DLL OS Processor Check ftp DllRegisterServer dll Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName crashed |
3.0 | M | ZeroCERT

4166 | 2024-05-08 07:59 | cryptography_module_windows.ex... ec69806113c382160f37a6ace203e280 Gen1 Generic Malware Malicious Library UPX Anti_VM PE64 PE File OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files DNS |
5 | 182.162.106.144 172.67.193.79 182.162.106.33 - malware 104.21.18.166 172.67.169.89
3.2 | M | 2 | ZeroCERT

4167 | 2024-05-08 07:57 | Discord.exe f0d723bcc3e6a9b9c2bce6662d7c5075 AsyncRAT Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Tofsee DNS |
5 | pastebin.ai(198.12.245.107) 172.67.182.192 - mailcious 198.12.245.107 - malware 104.21.90.14 172.67.169.89
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.0 | M | ZeroCERT

4168 | 2024-05-08 07:54 | rdbc.exe bebc3002ec0a3811aea8644a88bf590e Craxs RAT Malicious Library Socket AntiDebug AntiVM PE File .NET EXE PE32 PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1 | https://db-ip.com/demo/home.php?s=185.82.218.142
5 | ipinfo.io(34.117.186.192) db-ip.com(172.67.75.166) 172.67.75.166 185.82.218.142 - malware 34.117.186.192
4 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RisePro CnC Activity (Inbound) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RisePro CnC Activity (Outbound)
15.0 | M | 19 | ZeroCERT

4169 | 2024-05-08 07:52 | Isetup2.exe 6fbe36ef1d6599968f107c7b6eb19225 Generic Malware NSIS Antivirus Malicious Library UPX AntiDebug AntiVM PE64 PE File PowerShell PE32 OS Processor Check VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization Tofsee Windows ComputerName DNS Cryptographic key crashed |
7 | http://193.233.132.234/files/setup.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://nic-it.nl/games/index.php https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://yip.su/RNWPd.exe - rule_id: 37623 https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe https://onlycitylink.com/baf14778c246e15550645e30ba78ce1c.exe
18 | jonathantwo.com(104.21.31.124) onlycitylink.com(104.21.18.166) realdeepai.org(104.21.90.14) nic-it.nl(190.220.21.28) pastebin.com(172.67.19.24) - mailcious yip.su(104.21.79.77) - mailcious firstfirecar.com(104.21.60.76) 182.162.106.33 - malware 104.20.3.235 104.21.60.76 172.67.182.192 - mailcious 172.67.176.131 172.67.193.220 185.172.128.59 - malware 78.89.199.216 - malware 193.233.132.234 - mailcious 104.21.90.14 172.67.169.89
10 | ET DROP Spamhaus DROP Listed Traffic Inbound group 32 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO EXE - Served Attached HTTP
2 | https://pastebin.com/raw/xYhKBupz https://yip.su/RNWPd.exe
20.2 | M | 22 | ZeroCERT

4170 | 2024-05-08 07:52 | ProjectE_5.exe aabe25c748360f1575c09d77cc281e07 Malicious Library UPX PE64 PE File Malware Malicious Traffic Checks debugger unpack itself ComputerName DNS |
1 | http://64.95.10.243/api/mytest
1 |
3.2 | ZeroCERT