44806 | 2024-06-03 07:27
File: GetFormsOnline.b1b4093ff0ac420... (MD5 72c1f55ceb95184b435249f2b2c1daa3)
Tags: Generic Malware Malicious Library UPX PE File PE32 DLL OS Processor Check BMP Format VirusTotal Malware Check memory Creates executable files unpack itself Check virtual network interfaces AppData folder sandbox evasion Tofsee
URLs (2):
  http://x1.i.lencr.org/
  https://dp.tb.ask.com/installerParams.jhtml?coId=b1b4093ff0ac420aaf9e0b856b2b6f2d
Hosts (6):
  dp.tb.ask.com(35.201.91.40)
  anx.mindspark.com(34.120.232.229)
  x1.i.lencr.org(23.52.33.11)
  23.41.113.9
  34.120.232.229
  35.201.91.40
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | M | 34 | ZeroCERT

44807 | 2024-06-03 07:29
File: SCP.Desktop.Client.IssueView.e... (MD5 fc8a44c4044a479d678d7ecca1825be6)
Tags: Emotet Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
2.4 | M | 20 | ZeroCERT

44808 | 2024-06-03 07:29
File: logo2.jpg (MD5 74330f4c8e412ee96b41d01561ed1873)
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.4 | M | 55 | ZeroCERT

44809 | 2024-06-03 07:31
File: abc.exe (MD5 0423137cc78e3e3d7af3ecb534847d1b)
Tags: Malicious Library PE64 PE File VirusTotal Malware RWX flags setting DNS
Hosts (1): (not shown)
3.2 | M | 62 | ZeroCERT

44810 | 2024-06-03 07:35
File: @DDRI2_2.exe (MD5 1cfa70c1b2f1eb15d9f6b0d502095360)
Tags: Gen1 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Remote Code Execution
2.6 | M | 21 | ZeroCERT

44811 | 2024-06-03 07:35
File: GTA_V.exe (MD5 adf5adfae118dabb87818f625502d0d8)
Tags: Emotet Gen1 Generic Malware Malicious Library UPX ASPack Admin Tool (Sysinternals etc ...) Malicious Packer PE File PE32 MZP Format OS Processor Check DLL PNG Format MSOffice File PE64 .NET DLL DllRegisterServer dll ftp VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder
4.6 | M | 17 | ZeroCERT

44812 | 2024-06-03 08:51
File: mdll.exe (MD5 d65acc2321b1580bc524b991fad0f78a)
Tags: Emotet Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory RWX flags setting sandbox evasion Browser Remote Code Execution DNS
Hosts (1): (not shown)
5.0 | M | 67 | ZeroCERT

44813 | 2024-06-03 08:51
File: S1.exe (MD5 db4468bcb2b2a4831714f107451eebfd)
Tags: Emotet Malicious Library UPX PE File PE32 OS Processor Check PNG Format VirusTotal Malware Check memory Checks debugger RWX flags setting unpack itself sandbox evasion Tofsee Browser Remote Code Execution DNS
Hosts (3):
  www.baidu.com(119.63.197.139)
  149.88.76.85 - malware
  119.63.197.151
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 63 | ZeroCERT

44814 | 2024-06-03 09:36
File: 2.exe (MD5 fd75736f30d58471359129fe5bb6d452)
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
2.0 | | 29 | ZeroCERT

44815 | 2024-06-03 09:38
File: download.php (MD5 ba1078a938632c3219edc00cc855625a)
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
1.6 | M | 24 | ZeroCERT

44816 | 2024-06-03 09:40
File: AppGate2103v01.exe (MD5 9905d4c0f3aaf44c8f7a0f6c4b4d3543)
Tags: Emotet North Korea Generic Malware UPX Malicious Library .NET framework(MSIL) Malicious Packer Downloader Admin Tool (Sysinternals etc ...) Socket ScreenShot Steal credential DNS Code injection Anti_VM AntiDebug AntiVM PE64 PE File PE32 OS Process Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Check virtual network interfaces malicious URLs Firewall state off IP Check Tofsee Windows Browser ComputerName Remote Code Execution DNS crashed
URLs (15):
  http://5.42.66.10/download/th/retail.php - rule_id: 39943
  http://176.111.174.109/google
  http://185.172.128.69/download.php?pub=inte - rule_id: 39937
  http://185.172.128.69/download.php?pub=inte
  http://5.42.66.10/download/th/space.php - rule_id: 39944
  http://5.42.99.177/api/crazyfish.php
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.232.45.38/eee01/eee01.exe - rule_id: 39938
  http://147.45.47.149:54674/rade/kano.exe
  http://185.172.128.159/dl.php - rule_id: 39941
  http://5.42.66.10/download/th/getimage12.php - rule_id: 39942
  http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe - rule_id: 39939
  http://5.42.99.177/api/twofish.php
  http://5.42.66.10/download/123p.exe - rule_id: 39935
  https://db-ip.com/demo/home.php?s=
Hosts (26):
  f.123654987.xyz() - malware
  db-ip.com(172.67.75.166)
  monoblocked.com(45.130.41.108) - malware
  api64.ipify.org(104.237.62.213)
  api.myip.com(104.26.9.59)
  lop.foxesjoy.com(104.21.66.124) - malware
  ipinfo.io(34.117.186.192)
  vk.com(87.240.132.72) - mailcious
  176.111.174.109
  61.111.58.34 - malware
  5.42.99.177
  104.26.9.59
  104.26.4.15
  172.67.159.232
  34.117.186.192
  45.130.41.108 - malware
  147.45.47.149
  94.232.45.38 - malware
  104.237.62.213
  185.172.128.69 - malware
  87.240.132.67 - mailcious
  5.42.66.10 - malware
  185.172.128.159 - malware
  91.202.233.232 - mailcious
  5.42.65.116
  149.88.76.85 - malware
Alerts (18):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  ET INFO TLS Handshake Failure
  ET DROP Spamhaus DROP Listed Traffic Inbound group 1
  SURICATA Applayer Mismatch protocol both directions
  ET DROP Spamhaus DROP Listed Traffic Inbound group 14
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET DROP Spamhaus DROP Listed Traffic Inbound group 30
  ET DROP Dshield Block Listed Source group 1
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (8):
  http://5.42.66.10/download/th/retail.php
  http://185.172.128.69/download.php?pub=inte
  http://5.42.66.10/download/th/space.php
  http://94.232.45.38/eee01/eee01.exe
  http://185.172.128.159/dl.php
  http://5.42.66.10/download/th/getimage12.php
  http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
  http://5.42.66.10/download/123p.exe
18.4 | M | 14 | ZeroCERT

44817 | 2024-06-03 09:41
File: 123p.exe (MD5 d43ac79abe604caffefe6313617079a3)
Tags: PE64 PE File VirusTotal Cryptocurrency Miner Malware DNS CoinMiner
Hosts (2):
  pool.hashvault.pro(131.153.76.130) - mailcious
  131.153.76.130 - mailcious
Alerts (1):
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
1.8 | M | 58 | ZeroCERT

44818 | 2024-06-03 10:46
File: 123p.exe (MD5 d43ac79abe604caffefe6313617079a3)
Tags: Generic Malware PE64 PE File VirusTotal Cryptocurrency Miner Malware DNS CoinMiner
Hosts (2):
  pool.hashvault.pro(131.153.76.130) - mailcious
  131.153.76.130 - mailcious
Alerts (1):
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
1.8 | M | 58 | r0d

44819 | 2024-06-03 10:48
File: 123p.exe (MD5 d43ac79abe604caffefe6313617079a3)
Tags: Generic Malware PE64 PE File VirusTotal Cryptocurrency Miner Malware DNS CoinMiner
Hosts (2):
  pool.hashvault.pro(125.253.92.50) - mailcious
  131.153.76.130 - mailcious
Alerts (1):
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
2.4 | M | 58 | r0d

44820 | 2024-06-03 11:07
File: google (MD5 25f75c4de10c970fd05472f8e6c3f337)
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
1.6 | M | 20 | ZeroCERT