43591 | 2024-03-24 13:59 | sarra.exe | cb6ca7a54ebb767d3d996fde3d6b20bb
Tags: Amadey Themida Packer Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX Malicious Packer Antivirus Anti_VM AntiDebug AntiVM PE File PE32 MSOffice File ZIP Format OS Processor Check Lnk Format GIF Format DLL PE64 Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare powershell.exe wrote suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader
URLs (16):
  http://193.233.132.56/Pneh2sXQk0/index.php
  http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
  http://193.233.132.62:57893/hera/amadka.exe - rule_id: 39491
  http://www.maxmind.com/geoip/v2.1/city/me
  http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
  http://193.233.132.167/cost/go.exe
  http://193.233.132.167/lend/lumma21.exe
  https://www.google.com/favicon.ico
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&ifkv=ARZ0qKKZ5yLw91CeXZgf6l3nIZ3R1Ri0N7zkeLQ91IYy93V6HIEFRBR3xUlg9T_5GyHFxbOd4i67&passive=true&service=youtube&uilel=3&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1845397159%3A1711255787052476
  https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKjgyHg6fMmr6lxYRHxyoe5wXVroRpHBfaB59EVywFVFeAi3uitzW1gGA6ffBNDx0ObflIffQ
  https://www.youtube.com/account
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  https://accounts.google.com/generate_204?RhQsIg
Hosts (18):
  db-ip.com(104.26.5.15)
  www.google.com(142.250.207.100)
  www.youtube.com(142.250.196.142) - malicious
  ssl.gstatic.com(142.250.196.131)
  ipinfo.io(34.117.186.192)
  accounts.google.com(64.233.188.84)
  www.maxmind.com(104.18.146.235)
  142.250.66.100
  104.18.145.235
  104.26.4.15
  216.58.200.238
  193.233.132.74
  193.233.132.62 - malicious
  34.117.186.192
  108.177.97.84
  216.58.203.67
  193.233.132.56 - malware
  193.233.132.167 - malware
Signatures (16):
  ET INFO Executable Download from dotted-quad Host
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET MALWARE RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE RisePro CnC Activity (Inbound)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Flagged URL (1): http://193.233.132.62:57893/hera/amadka.exe
29.0 | M | 29 | ZeroCERT
43592 | 2024-03-24 14:00 | lummalg.exe | 04df085b57814d1a1accead4e153909e
Tags: Craxs RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.8 | M | 34 | ZeroCERT
43593 | 2024-03-24 14:00 | ISetup3.exe | 46cb065381895196cf6c887ea1c38aa6
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.0 | M | 34 | ZeroCERT
43594 | 2024-03-24 14:02 | kissmydearuarereallysweetforme... | cf97df47c7e054abfa506a0f7d5cc20d
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted
2.6 | M | 31 | ZeroCERT
43595 | 2024-03-24 14:02 | djdjdje1939_crypted_EASY.exe | d27ac79a31d3b896630513670235991b
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.2 | M | 54 | ZeroCERT
43596 | 2024-03-24 14:03 | riviera_tour_sochi.pdf.exe | 5bcfa8f37baca2ce16991579bbcd6637
Tags: Client SW User Data Stealer browser info stealer NSIS Generic Malware Themida Packer Google Chrome User Data Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code Browser Info Stealer VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Checks Bios Detects VirtualBox Detects VMWare AppData folder malicious URLs VMware anti-virtualization installed browsers check Windows Exploit Browser Firmware crashed
12.4 | M | 41 | ZeroCERT
43597 | 2024-03-24 14:04 | kissherwithlotoflovetoundersta... | 61ebc536a8018c94dd5ec0dbe911dce1
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit DNS crashed
Hosts (1):
  198.46.176.175 - malicious
5.2 | M | 30 | ZeroCERT
43598 | 2024-03-24 14:05 | america.vbs | c2d1123deff869fb763cbfe7ec1d8ff9
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key Dropper
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/jtEGA
Hosts (5):
  paste.ee(104.21.84.67) - malicious
  uploaddeimagens.com.br(104.21.45.138) - malware
  172.67.187.200 - malicious
  104.21.45.138 - malware
  182.162.106.33 - malware
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 6 | ZeroCERT
43599 | 2024-03-24 14:06 | baran.exe | 90d15f28eeafb9aec92021da5ef95099
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
2.0 | M | 32 | ZeroCERT
43600 | 2024-03-24 14:07 | Build.exe | 2b74fd898c6ca79faa64f3d9cae268d4
Tags: Generic Malware Malicious Library UPX Antivirus PE File PE32 OS Processor Check ftp .NET EXE VirusTotal Cryptocurrency Miner Malware Cryptocurrency Telegram suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed CoinMiner
URLs (1):
  https://steamcommunity.com/profiles/76561199654112719
Hosts (11):
  t.me(149.154.167.99) - malicious
  relative-national-gibbon.ngrok-free.app(18.177.53.48)
  github.com(20.200.245.247) - malicious
  steamcommunity.com(104.76.78.101) - malicious
  xmr.2miners.com(162.19.139.184) - malicious
  149.154.167.99 - malicious
  5.75.221.51
  104.75.41.21 - malicious
  162.19.139.184 - malicious
  18.177.60.68
  20.200.245.247 - malware
Signatures (7):
  ET INFO TLS Handshake Failure
  ET POLICY Cryptocurrency Miner Checkin
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
  ET INFO Observed DNS Query to *.ngrok Domain (ngrok .app)
9.6 | M | 57 | ZeroCERT
43601 | 2024-03-24 14:08 | ISetup6.exe | 816f37f278af644bf55369c30b6b59ba
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.0 | M | 34 | ZeroCERT
43602 | 2024-03-24 14:09 | americaisveryniceplaceforkisst... | 9b02d303ef9ba87d855551bd4a541105
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit DNS crashed
Hosts (2):
  162.19.139.184 - malicious
  107.173.4.9 - malicious
4.8 | M | 32 | ZeroCERT
43603 | 2024-03-24 14:11 | anki.exe | e990d75ee17deb0ad3a5c6ac25d66ad5
Tags: Malicious Library UPX PE File PE32 DLL VirusTotal Malware AppData folder
1.4 | M | 28 | ZeroCERT
43604 | 2024-03-24 14:11 | ISetup5.exe | 5d7d22a6259d24baa5fe96e51a84a178
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.0 | M | 34 | ZeroCERT
43605 | 2024-03-24 14:15 | ankiWinthisbeautifulmomentwith... | 129ac441a02f8ecf7f6d4a14135c4bdb
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit Advertising Google DNS crashed
URLs (2):
  https://drive.google.com/uc?export=download&id=1X2MIa7Hk04p4Y5gHv-EIXOcylX4ude2z
  https://drive.usercontent.google.com/download?id=1X2MIa7Hk04p4Y5gHv-EIXOcylX4ude2z&export=download
Hosts (5):
  drive.usercontent.google.com(142.250.76.129) - malicious
  drive.google.com(172.217.25.174) - malicious
  142.251.220.1
  216.58.203.78
  103.237.87.56 - malware
Signatures (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 38 | ZeroCERT