43936 | 2024-04-19 13:04
xlamlikeiamverymuchwithentiret... cd7c4ece35508ec593df126f064bb3a8 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c; http://192.3.216.151/breadinbakery.jpeg; https://paste.ee/d/IZzaN
Hosts (6): paste.ee(172.67.187.200) - mailcious; uploaddeimagens.com.br(104.21.45.138) - malware; 192.3.216.151 - mailcious; 23.67.53.17; 172.67.187.200 - mailcious; 104.21.45.138 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
5.0 | M | 36 | ZeroCERT

43937 | 2024-04-19 13:07
22.exe f6317c56f0eba0c5ce7d0067707f96c4 Generic Malware Antivirus PE File .NET EXE PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Hosts (2): bishopberrian.com(192.124.249.113) - phishing; 192.124.249.113 - malware
6.8 | M | 55 | ZeroCERT

43938 | 2024-04-19 13:07
ireallywantakissfrommywifeshei... 9278d07272accaf33d132bb6dbf6a7e7 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c; http://23.95.60.75/xampp/hnv/EXAMPLEOFIMAGE.JPEG; https://paste.ee/d/H71Tg
Hosts (6): paste.ee(172.67.187.200) - mailcious; uploaddeimagens.com.br(104.21.45.138) - malware; 23.67.53.17; 172.67.187.200 - mailcious; 23.95.60.75 - malware; 104.21.45.138 - malware
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 36 | ZeroCERT

43939 | 2024-04-19 13:09
rules.exe 65be3195b801d271e01d41f7bf576bd8 Generic Malware Malicious Library PE File PE32 VirusTotal Malware unpack itself Remote Code Execution
2.4 | M | 34 | ZeroCERT

43940 | 2024-04-19 13:10
Transfusionist.vbs 03e2a0c33e613d9aabf9167bd28cf3c7 GuLoader Generic Malware Suspicious_Script_Bin Admin Tool (Sysinternals etc ...) Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Advertising Google ComputerName Cryptographic key crashed
URLs (2): https://drive.google.com/uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3; https://drive.usercontent.google.com/download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download
Hosts (4): drive.usercontent.google.com(142.250.206.193) - mailcious; drive.google.com(142.250.76.142) - mailcious; 142.250.207.78; 172.217.31.1
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.2 | | 7 | ZeroCERT

43941 | 2024-04-19 13:12
HJC.exe 29af19382bdeadee6d93b98f354e703d Emotet Malicious Library UPX PE File DllRegisterServer dll PE32 MZP Format VirusTotal Malware RWX flags setting unpack itself Tofsee Interception Remote Code Execution crashed
Hosts (2): onedrive.live.com(13.107.139.11) - mailcious; 13.107.137.11 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | M | 41 | ZeroCERT

43942 | 2024-04-19 13:12
js.exe 269a3d770289d6442ad0b01e03276a10 Generic Malware Malicious Library UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser ComputerName Remote Code Execution DNS
URLs (1): http://192.227.146.252:2025/%6f%75%74%70%75%74_86%2e%62%69%6e
Hosts (1):
Alerts (4): SURICATA Applayer Protocol detection skipped; ET POLICY Unsupported/Fake Windows NT Version 5.0; ET HUNTING Generic .bin download from Dotted Quad; ET HUNTING Rejetto HTTP File Sever Response
7.6 | M | 47 | ZeroCERT

43943 | 2024-04-19 13:14
last_stage ad15c8f35af52d9258c025bc2f051e34 UPX PE File PE32 VirusTotal Malware PDB Remote Code Execution
1.2 | M | 14 | ZeroCERT

43944 | 2024-04-19 13:14
shortcut.exe 2758e553732310d8b606fca67a1096c1 Malicious Library VMProtect Antivirus UPX PE File .NET EXE PE32 OS Processor Check MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check ComputerName crashed
3.2 | M | | ZeroCERT

43945 | 2024-04-19 13:15
amadka.exe f854143c49c4d2fa4cf73bab97ba8d3a Amadey Generic Malware UPX Antivirus Malicious Library Anti_VM PE File PE32 ZIP Format DLL OS Processor Check PE64 Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed
URLs (6): http://193.233.132.56/Pneh2sXQk0/index.php; http://193.233.132.167/mine/amert.exe - rule_id: 39345; http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll; http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll; http://193.233.132.167/mine/random.exe; https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (8): ipinfo.io(34.117.186.192); db-ip.com(104.26.4.15); 104.26.4.15; 34.117.186.192; 192.227.146.252; 147.45.47.93 - malware; 193.233.132.56 - malware; 193.233.132.167 - malware
Alerts (16): ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET INFO Dotted Quad Host DLL Request; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET MALWARE [ANY.RUN] RisePro TCP (Token); ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET MALWARE [ANY.RUN] RisePro TCP (External IP); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration); ET MALWARE RisePro CnC Activity (Inbound)
1 http://193.233.132.167/mine/amert.exe
26.6 | M | 38 | ZeroCERT

43946 | 2024-04-19 13:16
build_1GyXIDXRUC.exe 51b0ed6b4908a21e5cc1d9ec7c046040 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.2 | M | 47 | ZeroCERT

43947 | 2024-04-19 13:18
o9RbXKF6ZJDK949.scr 739cefccf7fa26e1f7f9923a6cc9620a Generic Malware Malicious Library .NET framework(MSIL) Antivirus AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows Browser ComputerName Cryptographic key
URLs (14):
http://www.wewear-jim.com/9upe/ http://www.rkq86.website/9upe/ http://www.elenasurace.com/9upe/ http://www.webwheelsmedia.com/9upe/?DEn3=NSaCIZEoJ+QZ9jhF7tGDa+BLrEl0CK7Y96sMLirGe7sAJNGWEq2haaIDmSWp5pek3fOljaFVwf9eD3E05Ub0QyiP1sqr/DG6ZDElNR+6IIlsZoOyWosn7gR0L3c79adfxmQQp18=&6N=uFu_uEha_vdqrt9 http://www.webwheelsmedia.com/9upe/ http://www.elenasurace.com/9upe/?DEn3=roxVtZ6sPbqNh3mmVsIVFGlZg6mVXDhYapneEeUBrZ6gsD61pFwm4w8vCQUZ8838/v4xuxqTXQ3vquRQRSvS8x4sDL7HX1Kr5+4oY6tLYNDuU6rqNgpZgsmXdXZKkQsWwlY/qsQ=&6N=uFu_uEha_vdqrt9 http://www.book-of-degen.xyz/9upe/?DEn3=w8ceaZezyRwJxQICLHqVb8U/ZCj0O3GRVN4zSgr8MPWHVqOcrJ/AN6KAjgmhVVCGormLE0lSzE4ZXdW6chjE6eb6/+Um41z0Bsg5e+8+y/yF6GG+e9JqVhUYOXhdW5X0FVLwUQo=&6N=uFu_uEha_vdqrt9 http://www.book-of-degen.xyz/9upe/ http://www.applesolve.com/9upe/?DEn3=kNu3VLHdy2qLq2t0g8a4WpY0UEFP+oO+aXmu0FybT3J4obaRnHm7/qNvSnU6g5M9Potav1I9h8BPHs7SGURDc+CMgPGgU1DqYhR58+5eiA76tZfMGIuQdhKzGe4jIrALf/YuiF0=&6N=uFu_uEha_vdqrt9 http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip http://www.applesolve.com/9upe/ http://www.wewear-jim.com/9upe/?DEn3=/0uOrRlAg1O0h1gSL0PyiwT1m8MI30HeGLx/vAKDXBPRefGx2pNK4ZDQRhus9iU+8XJ+1v+0+5UILlAlva2yetuXnrt/D2zTU6ZnrAl3uuTfmMV8gyoYpZNelPrzr6iVl54/Nbk=&6N=uFu_uEha_vdqrt9 http://www.rkq86.website/9upe/?DEn3=ZiRrp0B+qg3ajnxesOi8agsjvCPBc77bLQYrd0Vyocfp5DdL00yg53FpmSyOsltuaKsI/xD3SlAC6Pba1qEeq6Xc1xCtt5jIfskoFaC5CyupALSgForvVCkyHahycVL6pGpPO3M=&6N=uFu_uEha_vdqrt9 http://www.qj0yean.us/9upe/
Hosts (15): www.qj0yean.us(91.195.240.123); www.wewear-jim.com(91.195.240.117); www.elenasurace.com(62.149.189.71); www.webwheelsmedia.com(162.241.253.78); www.rkq86.website(137.175.115.33); www.applesolve.com(188.116.38.155); www.book-of-degen.xyz(75.2.60.5); 162.241.253.78 - malware; 75.2.60.5 - mailcious; 137.175.115.33; 91.195.240.117 - mailcious; 62.149.189.71; 45.33.6.223; 91.195.240.123 - mailcious; 188.116.38.155
13.2 | M | 40 | ZeroCERT

43948 | 2024-04-19 13:18
H8w3nxJQ4Gya5ED.scr 75fd7827bbf0b22f48275d5882af458f AgentTesla Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName Cryptographic key Software crashed keylogger
URLs (1): http://ip-api.com/line/?fields=hosting
Hosts (2): ip-api.com(208.95.112.1); 208.95.112.1
Alerts (1): ET POLICY External IP Lookup ip-api.com
15.0 | M | 46 | ZeroCERT

43949 | 2024-04-19 13:19
Amzey.exe 926fc8b724cc682d97cf0849c0fcbda3 Generic Malware WinRAR Malicious Library UPX Antivirus PE File PE32 OS Processor Check PowerShell VirusTotal Malware powershell PDB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Remote Code Execution Cryptographic key
6.4 | M | 19 | ZeroCERT

43950 | 2024-04-19 13:20
Factura_SA161.pdf.lnk 6b602c96ff01c4f55c7a625b2358a988 Generic Malware Suspicious_Script_Bin NSIS Hide_EXE Downloader UPX Malicious Library Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persiste VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW installed browsers check Interception Windows Browser ComputerName DNS Cryptographic key
URLs (1): http://93.190.140.76/SA160.pdf
Hosts (2): WnPTaVSLwChHmHUZLZbxxYzryHGcJ.WnPTaVSLwChHmHUZLZbxxYzryHGcJ(); 93.190.140.76 - malware
Alerts (7): ET INFO Dotted Quad Host PDF Request; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Executable Download from dotted-quad Host; ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
18.4 | M | 24 | ZeroCERT