44116 | 2024-05-03 15:53
Sample: svchosts.exe (MD5 10e53496bc04214f85f2ba5688430edb)
Tags: XMRig Miner, Generic Malware, Malicious Library, Malicious Packer, UPX, PE File, DllRegisterServer dll, PE32, OS Processor Check, PE64, VirusTotal, Cryptocurrency Miner, Malware, Cryptocurrency, AutoRuns, Check memory, Creates executable files, unpack itself, Auto service, Check virtual network interfaces, WriteConsoleW, Windows, ComputerName, Remote Code Execution, Firmware
6.6 | 53 | ZeroCERT

44117 | 2024-05-03 15:54
Sample: buben.exe (MD5 89614bcd95a77224939391e14e6a45d4)
Tags: EnigmaProtector, Malicious Packer, PE File, PE32, Malware download, VirusTotal, Malware, AutoRuns, MachineGuid, unpack itself, Windows utilities, suspicious process, WriteConsoleW, IP Check, Tofsee, Windows, RisePro, ComputerName, DNS, crashed
URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5): ipinfo.io(34.117.186.192), db-ip.com(104.26.4.15), 147.45.47.93 - malware, 104.26.4.15, 34.117.186.192
Alerts (6): ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET MALWARE [ANY.RUN] RisePro TCP (External IP)
7.6 | M | 31 | ZeroCERT

44118 | 2024-05-03 15:56
Sample: system.exe (MD5 059d9888296f3847e68774bf2adb2225)
Tags: Generic Malware, Malicious Library, UPX, PE File, DllRegisterServer dll, PE32, OS Processor Check, VirusTotal, Malware, Windows, Remote Code Execution, DNS, crashed
URLs (1): http://43.142.10.246:7000/output_86.bin
Hosts: 1
Alerts (2): ET POLICY Unsupported/Fake Windows NT Version 5.0; ET HUNTING Generic .bin download from Dotted Quad
2.8 | M | 55 | ZeroCERT

44119 | 2024-05-03 16:00
Sample: get300.exe (MD5 4cea9711ee6cf7c880c00246253fd14a)
Tags: Generic Malware, Malicious Library, UPX, Antivirus, AntiDebug, AntiVM, PE64, PE File, PowerShell, PE32, OS Processor Check, VirusTotal, Malware, powershell, Buffer PE, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Windows utilities, Disables Windows Security, Checks Bios, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, WriteConsoleW, anti-virtualization, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (7): http://193.233.132.234/files/setup.exe, http://apps.identrust.com/roots/dstrootcax3.p7c, http://193.233.132.234/files/thterh.exe, https://yip.su/RNWPd.exe - rule_id: 37623, https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe, https://pastebin.com/raw/V6VJsrV3 - rule_id: 37255, https://skategirls.org/baf14778c246e15550645e30ba78ce1c.exe
Hosts (15): skategirls.org(104.21.55.197), jonathantwo.com(104.21.31.124), realdeepai.org(104.21.90.14), pastebin.com(104.20.4.235) - mailcious, yip.su(172.67.169.89) - mailcious, 172.67.193.79, 172.67.176.131, 121.254.136.18, 185.172.128.59 - malware, 104.21.79.77 - phishing, 193.233.132.234 - mailcious, 193.233.132.175 - malware, 104.21.90.14, 172.67.19.24 - mailcious, 172.67.172.161
Alerts (9): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET DROP Spamhaus DROP Listed Traffic Inbound group 32; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (2): https://yip.su/RNWPd.exe, https://pastebin.com/raw/V6VJsrV3
21.6 | M | 44 | ZeroCERT

44120 | 2024-05-04 14:17
Sample: webeautifultogetitbackwithenti... (MD5 626acb4c6c9d2819c4cde10a34b9df73)
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
URLs: 1
Hosts (3): paste.ee(104.21.84.67) - mailcious, 172.245.123.18 - malware, 172.67.187.200 - mailcious
Alerts (3): ET INFO Dotted Quad Host VBS Request; ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 34 | ZeroCERT

44121 | 2024-05-04 14:18
Sample: shelovedsomeonetounderstandthe... (MD5 a2b050f9634ea0c8cb1456e13b59b505)
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, unpack itself, IP Check, Tofsee, Windows, Exploit, DNS, crashed, Downloader
URLs: 1
Hosts (3): api.ipify.org(172.67.74.152), 192.3.239.4 - mailcious, 104.26.13.205
Alerts (9): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.4 | M | 35 | ZeroCERT

44122 | 2024-05-04 14:19
Sample: youhaveonefilefortody.vbs (MD5 d8042714120e0e780d00490e045a2816)
Tags: VirusTotal, Malware, VBScript, wscript.exe payload download, Creates shortcut, Check virtual network interfaces, Tofsee, Dropper
URLs: 1
Hosts (2): paste.ee(172.67.187.200) - mailcious, 104.21.84.67 - malware
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 21 | ZeroCERT

44123 | 2024-05-04 14:20
Sample: prnportsixinfromationalprotect... (MD5 49e3c07508aa3f53a67fbec97fa07dc1)
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c, http://192.3.243.154/prnport.vbs, https://paste.ee/d/MHUUd
Hosts (6): paste.ee(104.21.84.67) - mailcious, uploaddeimagens.com.br(104.21.45.138) - malware, 192.3.243.154 - malware, 104.21.84.67 - malware, 61.111.58.35 - malware, 172.67.215.45 - malware
Alerts (3): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host VBS Request
4.6 | M | 35 | ZeroCERT

44124 | 2024-05-04 14:21
Sample: yohan.exe (MD5 7f991bd7699126d6cca12241de7e7c44)
Tags: Generic Malware, Malicious Library, Malicious Packer, UPX, PE File, PE32, OS Processor Check, VirusTotal, Malware, Checks debugger, Disables Windows Security, Windows, DNS
Hosts: 1
4.4 | M | 48 | ZeroCERT

44125 | 2024-05-04 14:22
Sample: wewanthowthemagicalwordshappen... (MD5 b113b57d6e1f23380163d91dcfa68a5a)
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs: 1
Hosts (3): paste.ee(172.67.187.200) - mailcious, 104.21.84.67 - malware, 192.3.101.142 - malware
Alerts (3): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host VBS Request
5.0 | M | 38 | ZeroCERT

44126 | 2024-05-04 14:24
Sample: Archivenfromationalprotectiont... (MD5 2b9ab36214ca6de144e42468706d2c64)
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, Malicious Traffic, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c, http://192.3.243.154/ArchiveJs.js, https://paste.ee/d/gsMxf
Hosts (6): paste.ee(172.67.187.200) - mailcious, uploaddeimagens.com.br(104.21.45.138) - malware, 192.3.243.154 - malware, 61.111.58.34 - malware, 104.21.84.67 - malware, 172.67.215.45 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
4.6 | M | 38 | ZeroCERT

44127 | 2024-05-04 14:24
Sample: hotstuffnewrdp.vbs (MD5 bf7046a9d40c33822cbf5dea1c9629ec)
Tags: VirusTotal, Malware, VBScript, wscript.exe payload download, Creates shortcut, Check virtual network interfaces, Tofsee, DNS, Dropper
URLs: 1
Hosts (3): paste.ee(172.67.187.200) - mailcious, 104.26.13.205, 172.67.187.200 - mailcious
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | M | 11 | ZeroCERT

44128 | 2024-05-04 14:26
Sample: master.exe (MD5 eb508c21c59a7fff7924f7243e5949e8)
Tags: Generic Malware, Malicious Library, UPX, PE File, PE32, OS Processor Check, VirusTotal, Malware
1.8 | M | 51 | ZeroCERT

44129 | 2024-05-05 10:17
Sample: ExcUserFault_imagent-2024-04-2... (MD5 1194e4a6c9cc73464db69aed6aa4dedd)
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName
3.4 | guest

44130 | 2024-05-05 10:33
Sample: T76434567000.exe (MD5 fbccdd35ee6dccadaeaa69e37fbbd171)
Tags: Generic Malware, Suspicious_Script_Bin, Malicious Library, UPX, PE File, PE32, OS Processor Check, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, AutoRuns, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed, keylogger
URLs (3): http://checkip.dyndns.org/, https://scratchdreams.tk/_send_.php?TS, https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (6): scratchdreams.tk(172.67.169.18), reallyfreegeoip.org(172.67.177.134), checkip.dyndns.org(132.226.8.169), 193.122.6.168, 172.67.169.18, 172.67.177.134
Alerts (7): ET DNS Query to a .tk domain - Likely Hostile; ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org); ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI; ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check
11.0 | 34 | ZeroCERT