44191 | 2024-05-08 08:02 | artifact.exe 3a87727e80537e3d27798bc4af55a54b Malicious Library PE64 PE File Malware download Cobalt Strike Cobalt Malware c&c buffers extracted RWX flags setting unpack itself ComputerName DNS |
  2 | http://192.144.220.86:5667/jquery-3.3.2.slim.min.js http://192.144.220.86:5667/jquery-3.3.1.min.js |
  1 | |
  4 | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 ET MALWARE Cobalt Strike Beacon Activity (GET) ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3 ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response |
  3.0 | M | | ZeroCERT
44192 | 2024-05-08 08:04 | candy.exe 9eefd6a7ded126926524719593d0ac07 EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
  1 | https://db-ip.com/demo/home.php?s=175.208.134.152 |
  5 | ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 172.67.75.166 147.45.47.126 34.117.186.192 |
  6 | ET MALWARE RisePro TCP Heartbeat Packet SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE RisePro CnC Activity (Inbound) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
  12.2 | M | | ZeroCERT
44193 | 2024-05-08 08:07 | ngrok.exe f886615860dbbcd3fe966cf1c79203f9 Malicious Library Malicious Packer UPX PE64 PE File wget OS Processor Check sandbox evasion WriteConsoleW | | | | 1.8 | M | | ZeroCERT
44194 | 2024-05-09 07:36 | eee01.exe 0576835e3964b2d0bd3a87c3c80115b2 Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format VirusTotal Malware unpack itself AntiVM_Disk VM Disk Size Check | | | | 3.0 | M | 18 | ZeroCERT
44195 | 2024-05-09 07:37 | lomik.exe 9fd353d70e6814ecb7ab0c866feb6b7e EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
  1 | https://db-ip.com/demo/home.php?s=175.208.134.152 |
  5 | ipinfo.io(34.117.186.192) db-ip.com(172.67.75.166) 104.26.5.15 34.117.186.192 147.45.47.126 |
  8 | ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
  12.2 | M | 38 | ZeroCERT
44196 | 2024-05-09 07:38 | update.exe bd4fecd7009225a2618b2a47d9bcf6e5 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware | | | | 1.8 | M | 37 | ZeroCERT
44197 | 2024-05-09 07:39 | AlterableStockstill.exe e4680b5d58eb24f57fa55432f03bead9 Generic Malware Malicious Library PE File PE32 VirusTotal Malware Remote Code Execution | | | | 2.2 | M | 54 | ZeroCERT
44198 | 2024-05-09 07:42 | mimi.exe 201cd297b3a0fe2bbe24c8dd42747c08 Malicious Packer UPX PE64 PE File OS Processor Check VirusTotal Malware unpack itself | | | | 1.8 | | 44 | ZeroCERT
44199 | 2024-05-09 11:02 | .hta 18dbd534f0a9f76cfb874a7a7e688c90 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
  2 | http://193.222.96.143:7287/Excel.xlsx http://193.222.96.143:7287/xx.bat |
  1 | 193.222.96.143 - mailcious |
  2 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Dotted Quad Host XLSX Request |
  12.4 | M | 24 | ZeroCERT
44200 | 2024-05-09 11:02 | 2.hta bb537c9f88a70e710c5993e3fe383bb6 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed |
  2 | http://193.222.96.124:7287/22.xlsx http://193.222.96.124:7287/xD.bat |
  1 | 193.222.96.124 - mailcious |
  2 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Dotted Quad Host XLSX Request |
  12.4 | M | 24 | ZeroCERT
44201 | 2024-05-09 11:05 | 3.hta 4ab94c892e634430c8eabae82af4d875 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
  2 | http://193.222.96.124:7287/xD.bat http://193.222.96.124:7287/33.xlsx |
  1 | 193.222.96.124 - mailcious |
  2 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Dotted Quad Host XLSX Request |
  12.4 | M | 24 | ZeroCERT
44202 | 2024-05-09 11:05 | 4.hta 1e5a563b24dd2e44b449042b69ddbd7c Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed |
  2 | http://193.222.96.124:7287/xD.bat http://193.222.96.124:7287/222.xlsx |
  1 | 193.222.96.124 - mailcious |
  2 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Dotted Quad Host XLSX Request |
  12.4 | M | 24 | ZeroCERT
44203 | 2024-05-09 11:06 | 1.hta cc022fea5d0660e1e221b02d2c55553b Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell ZIP Format Lnk Format GIF Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
  2 | http://193.222.96.124:7287/xD.bat http://193.222.96.124:7287/11.xlsx |
  1 | 193.222.96.124 - mailcious |
  2 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Dotted Quad Host XLSX Request |
  12.4 | M | 24 | ZeroCERT
44204 | 2024-05-09 11:06 | beautifulgirlsarerememberingth... 5e1a930f016dadf045d8962abfc13581 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
  6 | http://www.gregoriusalvin.com/a42m/ http://www.qeintechnologies.com/IYiwE0.bin http://192.3.109.149/20780/hjv.exe http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip http://www.tintasmaiscor.com/a42m/ http://www.gregoriusalvin.com/a42m/?R2SEOS=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&PvPh=CYalcyam-GQM6F |
  13 | www.italiangreyhounds.online() www.gregoriusalvin.com(103.247.10.164) www.qeintechnologies.com(199.217.106.226) www.tintasmaiscor.com(162.240.81.18) www.designsbysruly.com() www.gcashservice247.com() www.weeveno.com() www.infomail.website() 199.217.106.226 192.3.109.149 - mailcious 45.33.6.223 162.240.81.18 - mailcious 103.247.10.164 |
  7 | ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (GET) M5 |
  5.4 | M | 34 | ZeroCERT
44205 | 2024-05-09 11:08 | rakshasa.exe 653247865f2d222abc8ad696d6e756e3 Malicious Library Malicious Packer UPX PE64 PE File VirusTotal Malware Check virtual network interfaces WriteConsoleW | | | | 2.0 | M | 18 | ZeroCERT