44416 | 2024-05-19 10:36 | vpn-1002.exe | ccb630a81a660920182d1c74b8db7519
Tags: NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (7):
http://apps.identrust.com/roots/dstrootcax3.p7c
http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
https://cdn-edge-node.com/online_security_mkl.exe
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
https://d2csnxzxwctx26.cloudfront.net/load/load.php?c=1002
Hosts (11):
d22hce23hy1ej9.cloudfront.net(13.225.110.70)
cdn-edge-node.com(172.67.165.254)
240429000936002.mjt.kqri92.top(94.156.35.76)
d2csnxzxwctx26.cloudfront.net(18.64.13.65)
adblock2024.shop(172.67.176.247)
104.21.11.117
104.21.43.83
18.64.13.155
94.156.35.76 - malware
13.225.110.102
121.254.136.9
Alerts (3):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
Score: 10.2 | | 24 | ZeroCERT

44417 | 2024-05-19 10:38 | gena.exe | e823604de8e1907f31935dd778dc6686
Tags: EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1):
https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
147.45.47.126 - malicious
104.26.4.15
34.117.186.192
Alerts (7):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
Score: 13.4 | M | 46 | ZeroCERT

44418 | 2024-05-19 10:38 | inte.exe | 3f77b69c60f28f076bd02d531490b300
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic WMI Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
URLs (1):
http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981
Hosts (1):
185.172.128.90 - malicious
Alerts (1):
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
Other (1):
http://185.172.128.90/cpa/ping.php
Score: 5.4 | M | 58 | ZeroCERT

44419 | 2024-05-19 10:38 | inte.exe | d4b94a173c3eacbb022ccbaba87776be
Tags: Generic Malware Malicious Library PE File PE32 VirusTotal Malware unpack itself
Network indicators: none recorded
Score: 2.4 | | 43 | ZeroCERT

44420 | 2024-05-19 10:51 | crypted_9f4ae6b2.exe | 98daa2d8ad0b3ee66a55d6d34090e76e
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
Network indicators: none recorded
Score: 2.4 | | 40 | ZeroCERT

44421 | 2024-05-19 10:51 | xmrig-notls.exe | b03bd8c9b9965ed83232260719faedbf
Tags: XMRig Miner Generic Malware Malicious Library Malicious Packer UPX PE64 PE File OS Processor Check VirusTotal Malware unpack itself ComputerName
Network indicators: none recorded
Score: 2.0 | | 53 | ZeroCERT

44422 | 2024-05-19 10:53 | demo.exe | 951a002246e2efab46649de942b7c775
Tags: Generic Malware Malicious Library Malicious Packer PE64 PE File VirusTotal Malware Code Injection unpack itself crashed
Network indicators: none recorded
Score: 3.4 | M | 35 | ZeroCERT

44423 | 2024-05-20 07:35 | conhost.exe | be320b59ef29060678bcb78d6c8fa059
Tags: Malicious Library UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed
Network indicators: none recorded
Score: 2.0 | | 20 | ZeroCERT

44424 | 2024-05-20 07:40 | build13.exe | b99a7c6c9e6a2eb2945d894b2ce2c63b
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself DNS crashed
Hosts (3):
54.192.175.27
18.244.65.34
13.225.110.102
Score: 4.4 | M | 48 | ZeroCERT

44425 | 2024-05-20 07:40 | Document0984757478.exe | c36f798f2646092c180c6fc904c418f7
Tags: Gen1 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PE File Device_File_Check PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS
URLs (12):
http://www.hidrapelenobrasil.shop/tnob/
http://www.vgyuren.icu/tnob/?M768=NZLAttDy15cbxmTAaaJAAhcdtbbzbdC6cQASBxA5nayYu/GOfC/5A+IahllAzFRUiFmSt5kq6F0oVQiv/GR/+8xUZyS/zwm/ST73YGuTYQJxL0QGvxJmA8+4HRiCsYQg+9RGN1M=&8VV=cbpI8Z
http://www.vgyuren.icu/tnob/
http://www.infiniteiris.xyz/tnob/
http://www.agiluxer.com/tnob/
http://www.hidrapelenobrasil.shop/tnob/?M768=TPrZ4a0urPHyVFZKcsh5aEnGH6x10c+LVWP6ua7p29CzcHV40vt+Ed5yRYmyzTCpigI2rSAw2/G/eFm8oGlzQ7+/7cLR6wXoQapfC3ZuTGxBv6b1IEkJAtht8fY8zqhXw31ZFKk=&8VV=cbpI8Z
http://www.arlobear.com/tnob/
http://www.arlobear.com/tnob/?M768=mRJtfJxmotkXpphcq/QE5FfNUlyuhqJ4xTDuf4BcDBVqwLPDVx7TaFjEYZ/wXCuyUE/EPLaluHW5tfzg79EX9lgH2c6h3RXVi7dgiQ81i4DOx3Z88Lcisl2d1B4Lf8dw8FhpRx8=&8VV=cbpI8Z
http://www.astrologervijay.co.in/tnob/
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
http://www.agiluxer.com/tnob/?M768=xucYkVA0pSGnJLauQED+MX/AFeENqsoRBgDyCFwoPTJzowq3+SiQ/gcTvZgaze9ZduNu+YKWql+189tIlRko0A5LPpTiApeLXRVMRPzwdFYfTFxYQJVx/YqpG4REi2vAdvDqirs=&8VV=cbpI8Z
http://www.infiniteiris.xyz/tnob/?M768=dKcAFocpbczRW7Ograh51MDLU8SGd9cCF4nhV6jObVdk20h2WG8oxGerRI8ZVjKSHAzMSzznD5M+/O7693UL+HQ2E52xXWoR98sgwtG4w7xMcOP0BgswZlze6fxvf5u2IXPt7lE=&8VV=cbpI8Z
Hosts (22):
www.likbez22.store()
www.hidrapelenobrasil.shop(162.241.2.244)
www.ablazeaiagents.com()
www.astrologervijay.co.in(43.231.124.79)
www.justgoodsin.com()
www.sdshopping.org()
www.agiluxer.com(74.208.236.41)
www.infiniteiris.xyz(162.0.237.22)
www.arlobear.com(46.30.215.3)
www.artismeapparel.com()
www.vgyuren.icu(192.207.62.21)
104.21.11.117
162.0.237.22
194.54.164.123
162.19.139.184 - malicious
162.241.2.244 - malicious
43.231.124.79
74.208.236.41 - malicious
13.225.110.102
192.207.62.21
45.33.6.223
46.30.215.3
Alerts (3):
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO DNS Query for Suspicious .icu Domain
ET INFO HTTP POST Request to Suspicious *.icu domain
Score: 7.2 | M | 47 | ZeroCERT

44426 | 2024-05-20 07:42 | 1234.exe | d3a80c7a3a80478b08cc17522a55bb44
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself DNS crashed
Hosts (3):
45.33.6.223
104.20.3.235 - malware
172.67.169.89
Score: 4.4 | M | 48 | ZeroCERT

44427 | 2024-05-20 07:45 | random.exe | d0d9b758764ced5f38eddd0f9c765b79
Tags: Amadey Gen1 RedLine stealer RedlineStealer XMRig Miner Generic Malware NSIS Downloader Malicious Library UPX .NET framework(MSIL) Malicious Packer MPRESS Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal cr Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Cryptocurrency powershell Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VMware anti-virtualization VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed CoinMiner
URLs (35):
http://5.42.96.7/lend/lumma1234.exe
http://coatdetail.fun/load/download.php?c=1004
http://5.42.96.7/lend/lumma1.exe - rule_id: 39647
http://5.42.96.170/server/12/AppGate2103v01.exe
http://file-file-host6.com/downloads/toolspub1.exe - rule_id: 39651
http://5.42.96.7/lend/gold.exe - rule_id: 39643
http://77.221.151.47/install.exe - rule_id: 39645
http://5.42.96.78/files/Silent.exe
http://5.42.96.78/files/start-pub.exe
http://x1.i.lencr.org/
http://riskarbs.com/wegergbsertter4/upd2.php?key=35c9606d64e49b301a865b7c11183bde
http://5.42.96.78/files/setup.exe
http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300
http://riskarbs.com/wegergbsertter4/upd2.php
http://185.172.128.19/Newoff.exe
http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
http://5.42.96.7/lend/redline1.exe - rule_id: 39644
http://5.42.96.7/lend/alex.exe - rule_id: 39642
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.42.96.7/zamo7h/index.php - rule_id: 39641
http://5.42.96.78/files/file300un.exe - rule_id: 39648
https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
https://bitbucket.org/qwizzi/tt522222/downloads/GroceryExtensive.exe
https://pastebin.com/raw/E0rY26ni - rule_id: 37702
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
https://d2csnxzxwctx26.cloudfront.net/load/load.php?c=1002
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=2841
https://bbuseruploads.s3.amazonaws.com/c238a61a-be46-44a2-84f2-dcbe608a006a/downloads/8fa016f0-6b2d-4c55-8cd6-ae05fdfeb815/GroceryExtensive.exe?response-content-disposition=attachment%3B%20filename%3D%22GroceryExtensive.exe%22&AWSAccessKeyId=ASIA6KOSE3BNINPUTCTS&Signature=IVvaIU%2Bk4bXFTwvhHaqgth67tjM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIDHOADIhZOmbUC8wQ1L%2BkX9WHF%2FdFSks8rjm6Sn5NzrsAiB1CFSPGGFvrlKSS7LX7TJiMKBEs7aMEgNB41XNlRH4WyqnAgggEAAaDDk4NDUyNTEwMTE0NiIMtVvNiFxS3Qgrm54GKoQCmAs1%2BQPoHPpvDIFsbUjuIbSxWRYd6AvopjLc8FSc%2BU%2BOxJrbBvhRTHsIyyLHqb95Exs%2BirIbDYzqn7ZvmeNQm9VDbAE%2Bx4bA%2B4g4hc9GcY7zI6oOqEqIwGFUFRPxS7HPdlhe7HSVGxS2MFSNFGA%2FwgUEDbAlwWK1jY%2BJg9r2A9cozo6cLgQSDridHAVyt1A%2FVhp%2FbknQnZKStXWGPjMBvtUnIrDf%2BpVLUCZIAWF4bnjchi87vx55yIxJKOkXDfdWiZdqIidvZje9T9bsL30%2Fxf8YZ2%2BRy0us2lDP1b8c2vxUo2K5yHB9eXLcKTFLoQQX3u8ZltHOBIAb7Nwzn83wqTE18rsw8%2FmpsgY6ngFciXNYdFP9p1NaXoKomjNE7%2BHOdUeLPNl8PICjgQv%2BKBzqw91%2BAhrkwqMpiyaTGFTVP7JgmC4xxibwE1uTSoRdLEc6v%2BgmOIghtc4SdM41V0JgpV8WnNlGdGNnH8bZOg9NgZLoIVttU5%2Br6pA7b%2Fb7fqWsetNxECnXkxMpXiwC2S4KTUPvxRPefGUrNW8etLsOkMylbLtmzo1amRwzlQ%3D%3D&Expires=1716159483
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2841&c=2841
https://d1vt2h4o64rfsv.cloudfront.net/load/load.php?c=2841&a=2841
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
https://yip.su/RNWPd.exe - rule_id: 37623
https://cdn-edge-node.com/online_security_mkl.exe
https://iplogger.com/1lyxz
Hosts (45):
iplogger.com(172.67.188.178) - malicious
free.360totalsecurity.com(54.192.175.27)
bbuseruploads.s3.amazonaws.com(3.5.20.106) - malware
download.winzip.com(23.201.35.121)
xmr.2miners.com(162.19.139.184) - malicious
file-file-host6.com(45.131.41.39) - malware
d22hce23hy1ej9.cloudfront.net(13.225.110.102)
coatdetail.fun(194.54.164.123)
cdn-edge-node.com(104.21.11.117)
240429000936002.mjt.kqri92.top(94.156.35.76)
riskarbs.com(109.98.58.98)
d1vt2h4o64rfsv.cloudfront.net(18.244.65.223)
x1.i.lencr.org(23.52.33.11)
pastebin.com(172.67.19.24) - malicious
bitbucket.org(104.192.141.1) - malware
d2csnxzxwctx26.cloudfront.net(18.64.13.116)
adblock2024.shop(104.21.43.83)
yip.su(104.21.79.77) - malicious
94.207.16.210
18.244.65.34
121.254.136.130
54.192.175.27
13.225.110.24
104.21.43.83
172.67.188.178 - malicious
179.43.158.2
5.42.96.170
172.67.169.89
185.215.113.67 - malicious
61.111.58.35 - malware
104.21.11.117
77.221.151.47 - malware
185.172.128.19 - malicious
45.131.41.39
52.217.138.209
13.225.110.102
104.20.3.235 - malware
194.54.164.123
5.42.96.7 - malware
104.192.141.1 - malicious
109.98.58.98
5.42.96.78 - malicious
23.41.113.9
18.64.13.116
162.19.139.184 - malicious
Alerts (22):
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
ET POLICY Cryptocurrency Miner Checkin
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Packed Executable Download
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
Score: 32.2 | M | 42 | ZeroCERT

44428 | 2024-05-20 08:55 | sdf34ert3etgrthrthfghfghjfgh.e... | 7fce620eed38da6eb6552e1713e4fa84
Tags: Malicious Library Downloader Malicious Packer UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware Check memory unpack itself crashed
Network indicators: none recorded
Score: 2.2 | M | 31 | ZeroCERT

44429 | 2024-05-20 08:55 | gena.exe | e520f65d2af59a1c69a96809fd025d9b
Tags: EnigmaProtector Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1):
https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
172.67.75.166
147.45.47.126 - malicious
34.117.186.192
Alerts (7):
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE RisePro CnC Activity (Inbound)
Score: 13.4 | M | 46 | ZeroCERT

44430 | 2024-05-20 08:59 | csrss.exe | 591deb3212cb1720fa03640f6257b5dc
Tags: Browser Login Data Stealer Gen1 EnigmaProtector Generic Malware UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
URLs (9):
http://142.93.40.72/msvcp140.dll
http://142.93.40.72/freebl3.dll
http://142.93.40.72/softokn3.dll
http://142.93.40.72/
http://142.93.40.72/vcruntime140.dll
http://142.93.40.72/nss3.dll
http://142.93.40.72/sql.dll
http://142.93.40.72/mozglue.dll
https://t.me/obeliszxgeaea_1337
Hosts (3):
t.me(149.154.167.99) - malicious
142.93.40.72
149.154.167.99 - malicious
Alerts (13):
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Score: 12.8 | M | 49 | ZeroCERT

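The records above repeat a handful of network patterns that the Emerging Threats alerts are built around: a bare IP literal serving PE files (44418, 44427, 44430), one dotted-quad host handing out the Mozilla NSS and MSVC runtime DLLs that Stealc/Vidar-family stealers fetch after check-in so they can decrypt browser credential stores (44430), a single URI path (/tnob/) queried across many rotating FormBook domains (44425), and external IP lookups against db-ip.com, ipinfo.io and iplogger.com (44417, 44427, 44429). The script below is an added triage example written for this page, not code from the sandbox or the ZeroCERT feed. It groups a record's URL list into those behaviours and parses the space-separated "Hosts" cell (with its "(ip) - malicious" annotations) into structured entries. The DLL list, the IP-lookup host list, the watched TLDs (.top, .icu and .su, taken from the ET rule names above) and the two thresholds are assumptions; the sample URL list is constructed from the records above plus one benign sqlite.org download that must not be flagged.

```python
"""Triage of sandbox network IOC fields (added example; not part of the report feed)."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Support DLLs Stealc/Vidar-style stealers pull from their C2 after check-in to decrypt
# browser credential stores; the ET HUNTING rules in record 44430 alert on five of these.
STEALER_SUPPORT_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll",
                        "msvcp140.dll", "vcruntime140.dll", "sql.dll"}
# External IP lookup services seen in the records above (assumed list; extend as needed).
IP_LOOKUP_HOSTS = {"ipinfo.io", "db-ip.com", "iplogger.com"}
# TLDs the ET rules above call out as likely hostile (assumed closed list).
WATCHED_TLDS = {"top", "icu", "su"}
BINARY_SUFFIXES = (".exe", ".dll", ".zip")
# Thresholds are assumptions: DLLs from one host / hosts sharing one URI path.
MIN_DLLS_FOR_STAGING = 3
MIN_HOSTS_FOR_ROTATION = 3


def is_dotted_quad(host: str) -> bool:
    """True when the HTTP host is a bare IP literal (no DNS), as in the ET dotted-quad rules."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_urls(urls):
    """Bucket a record's URL list into the behaviours the alerts above are built around."""
    findings = defaultdict(set)
    dlls_by_host = defaultdict(set)
    hosts_by_path = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        filename = path.rsplit("/", 1)[-1].lower()
        if is_dotted_quad(host) and filename.endswith(BINARY_SUFFIXES):
            findings["dotted_quad_binary"].add(url)
        if filename in STEALER_SUPPORT_DLLS:
            dlls_by_host[host].add(filename)
        if host in IP_LOOKUP_HOSTS:
            findings["external_ip_lookup"].add(url)
        if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
            findings["watched_tld"].add(url)
        if path != "/":
            hosts_by_path[path].add(host)
    # Several stealer support DLLs from one host: the DLL staging seen in record 44430.
    for host, dlls in dlls_by_host.items():
        if len(dlls) >= MIN_DLLS_FOR_STAGING:
            findings["stealer_dll_staging"].add(host)
    # One fixed path across many domains: the FormBook /tnob/ rotation in record 44425.
    for path, hosts in hosts_by_path.items():
        if len(hosts) >= MIN_HOSTS_FOR_ROTATION:
            findings["shared_path_domain_rotation"].add(path)
    return {key: sorted(values) for key, values in findings.items()}


HOST_FIELD_RE = re.compile(
    r"(?P<name>(?!-)[^\s()]+)"                            # hostname or bare IP
    r"(?:\((?P<ip>[^)]*)\))?"                             # optional resolved IP (may be empty)
    r"(?:\s+-\s+(?P<tag>mailcious|malicious|malware))?"   # optional reputation tag
)


def parse_hosts(field: str):
    """Split the space-separated Hosts cell into entries, normalising the feed's 'mailcious' spelling."""
    entries = []
    for match in HOST_FIELD_RE.finditer(field):
        tag = match.group("tag")
        entries.append({
            "name": match.group("name"),
            "ip": match.group("ip") or None,
            "tag": "malicious" if tag == "mailcious" else tag,
        })
    return entries


# Constructed sample: URLs drawn from records 44418, 44425, 44427, 44429 and 44430 above,
# plus one benign sqlite.org download that must not be flagged.
SAMPLE_URLS = [
    "http://142.93.40.72/freebl3.dll", "http://142.93.40.72/mozglue.dll",
    "http://142.93.40.72/nss3.dll", "http://142.93.40.72/softokn3.dll",
    "http://142.93.40.72/sql.dll", "http://142.93.40.72/",
    "http://www.vgyuren.icu/tnob/", "http://www.arlobear.com/tnob/",
    "http://www.agiluxer.com/tnob/", "http://www.infiniteiris.xyz/tnob/?M768=AAAA&8VV=cbpI8Z",
    "https://db-ip.com/demo/home.php?s=175.208.134.152",
    "http://185.172.128.90/cpa/ping.php?substr=one&s=two",
    "http://5.42.96.7/lend/lumma1.exe",
    "http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip",
]

if __name__ == "__main__":
    for key, values in triage_urls(SAMPLE_URLS).items():
        print(f"{key}: {values}")
    print(parse_hosts("t.me(149.154.167.99) - mailcious 142.93.40.72 149.154.167.99 - mailcious"))
```

The path-rotation check deliberately ignores the query string, because FormBook varies the encoded M768= payload per request while keeping the directory fixed; the DLL-staging check keys on the host rather than on any one DLL name, since a single vcruntime140.dll fetch from a CDN is routine but five NSS/MSVC libraries from one bare IP is not.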