45406 |
2024-06-17 14:26
file.rar eb8589a8b967f7be1a94b8ae4cb0a15c Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro Remote Code Execution DNS CoinMiner |
11
http://176.111.174.109/psyzh http://5.42.66.10/download/th/space.php - rule_id: 39944 http://5.42.99.177/api/crazyfish.php - rule_id: 40006 http://apps.identrust.com/roots/dstrootcax3.p7c http://94.232.45.38/eee01/eee01.exe - rule_id: 39938 http://5.42.99.177/api/twofish.php - rule_id: 40008 http://80.78.242.100/d/385135 http://5.42.66.10/download/123p.exe - rule_id: 39935 https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188 https://steamcommunity.com/profiles/76561199699680841 - rule_id: 40206 https://db-ip.com/demo/home.php?s=
28
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ET INFO TLS Handshake Failure ET DROP Spamhaus DROP Listed Traffic Inbound group 30 ET DROP Dshield Block Listed Source group 1 ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO Executable Download from dotted-quad Host SURICATA Applayer Mismatch protocol both directions ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET HUNTING Redirect to Discord Attachment Download ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE [ANY.RUN] RisePro TCP (Token) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Activity) SURICATA Applayer Wrong direction first Data
4.2 |
M |
ZeroCERT
45407 |
2024-06-17 14:33
psyzh 0fece9d4a04aae570fa8673cc1fdb912 Malicious Library UPX PE File PE32 OS Processor Check unpack itself Remote Code Execution |
1.4 |
ZeroCERT
45408 |
2024-06-17 14:33
setup.exe 05ff3df4891c23297d2f683cb399f027 Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios suspicious process WriteConsoleW anti-virtualization Windows ComputerName Cryptographic key |
11.6 |
49 |
ZeroCERT
45409 |
2024-06-17 16:58
am.exe 6cfddd5ce9ca4bb209bd5d8c2cd80025 Gen1 Generic Malware Malicious Library Antivirus Obsidium protector .NET framework(MSIL) UPX Anti_VM PE File PE32 OS Processor Check PNG Format Browser Info Stealer Malware download Amadey VirusTotal Malware powershell PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser ComputerName Remote Code Execution Cryptographic key |
4
http://proresupdate.com/h9fmdW5/index.php https://contur2fa.recipeupdates.rest/__hh/files/run_search https://contur2fa.recipeupdates.rest/__hh/files/run https://i.imgur.com/yximuB4.png
6
contur2fa.recipeupdates.rest(172.67.197.250) i.imgur.com(199.232.192.193) - mailcious proresupdate.com(45.152.112.146) 45.152.112.146 172.67.197.250 146.75.92.193 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
10.4 |
37 |
ZeroCERT
45410 |
2024-06-17 18:10
Adobe Аctivator.rar dca81312c9c1c15e6c56c40faf58d745 Escalate priviledges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger Creates executable files unpack itself |
2.0 |
ZeroCERT
45411 |
2024-06-18 07:37
IMG_812_06108.exe 9ea3d152c4e248841abf4f490a84b8c9 AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://78.111.67.189/ecg/Hiwpwthq.mp4 https://api.ipify.org/
3
api.ipify.org(172.67.74.152) 104.26.13.205 78.111.67.189 - malware
7
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII ET MALWARE PE EXE or DLL Windows file download Text M2 ET HUNTING [TW] Likely Hex Executable String ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET SHELLCODE Common 0a0a0a0a Heap Spray String
15.8 |
M |
ZeroCERT
45412 |
2024-06-18 07:37
QuizPokemon.exe 814ff8b10d8641b03fcf1e9efc1005bf NSIS Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName |
6.0 |
M |
ZeroCERT
45413 |
2024-06-18 07:39
%E5%9B%BE%E8%A1%A8%E6%88%AA%E5... 2a2aee2fb354ba5189af608dd408460a UPX PE File PE32 MZP Format Check memory unpack itself |
1.6 |
M |
ZeroCERT
45414 |
2024-06-18 07:41
dasheng.exe d4e78b1a0037296e0753b490eaf58adb Generic Malware Malicious Library PE File PE32 PDB suspicious privilege |
1.0 |
M |
ZeroCERT
45415 |
2024-06-18 07:41
11.exe 792d2de7d845aac6a8e94566ca610952 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PDB |
2
dashengyeyeye.eicp.net(47.111.82.157) 47.111.82.157
1.6 |
ZeroCERT
45416 |
2024-06-18 07:43
DTools.exe 45981826dbfca4c7c68514728a2f1cf9 ASPack PE File PE32 MZP Format Check memory unpack itself |
1.6 |
ZeroCERT
45417 |
2024-06-18 07:44
1gcctv1.exe 070e6df2b1edef456d1eb581ffa0dc74 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PDB DNS |
3
cctv.haoxiw.com(182.18.208.39) 104.26.13.205 182.18.208.39
2.2 |
ZeroCERT
45418 |
2024-06-18 07:46
miner.exe dd5fdaf7d0f6c0cbb695695ed546f54b PE64 PE File Malware download Malware Malicious Traffic unpack itself DNS SilentCryptoMiner |
1
http://94.156.65.121/ACDG57T68GGYB/api/endpoint.php
3
randomxmonero.auto.nicehash.com(34.149.22.228) - mailcious 34.149.22.228 - mailcious 94.156.65.121 - malware
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 15 ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
2.4 |
M |
ZeroCERT
45419 |
2024-06-18 09:32
54776tth.txt.vbs 0078fb0a4ff7e963ec03876cce667746 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://5.161.45.89:555/xx.jpg
5.8 |
8 |
ZeroCERT
45420 |
2024-06-18 09:35
dmi.txt.vbs 7e4e5ec429a0738c15593112bcf50406 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://38.22.104.227:666/tnttawy.jpg
5.8 |
8 |
ZeroCERT