| 45406 |
2024-06-17 14:26
|
file.rar eb8589a8b967f7be1a94b8ae4cb0a15c
Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord RisePro Remote Code Execution DNS CoinMiner |
11
http://176.111.174.109/psyzh
http://5.42.66.10/download/th/space.php - rule_id: 39944
http://5.42.99.177/api/crazyfish.php - rule_id: 40006
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.232.45.38/eee01/eee01.exe - rule_id: 39938
http://5.42.99.177/api/twofish.php - rule_id: 40008
http://80.78.242.100/d/385135
http://5.42.66.10/download/123p.exe - rule_id: 39935
https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188
https://steamcommunity.com/profiles/76561199699680841 - rule_id: 40206
https://db-ip.com/demo/home.php?s=
|
34
db-ip.com(172.67.75.166)
pool.hashvault.pro(142.202.242.45) - mailcious
cdn-download.avgbrowser.com(23.199.47.133)
api64.ipify.org(104.237.62.213)
api.myip.com(104.26.8.59)
steamcommunity.com(23.66.133.162) - mailcious
lop.foxesjoy.com(104.21.66.124) - malware
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.186.192)
cdn.discordapp.com(162.159.134.233) - malware
vk.com(87.240.132.67) - mailcious
iplogger.org(172.67.132.113) - mailcious
94.232.45.38 - malware
182.162.106.33 - malware
182.162.106.144
184.26.241.154 - mailcious
149.154.167.99 - mailcious
147.45.47.126 - mailcious
34.117.186.192
5.42.99.177 - mailcious
125.253.92.50
176.111.174.109 - malware
104.26.8.59
162.159.130.233 - malware
65.109.240.138 - mailcious
172.67.159.232
77.91.77.80 - malware
5.42.66.10 - malware
23.52.128.153
80.78.242.100
173.231.16.77
104.26.4.15
87.240.132.78 - mailcious
172.67.132.113
|
28
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET DROP Dshield Block Listed Source group 1
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO Executable Download from dotted-quad Host
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET HUNTING Redirect to Discord Attachment Download
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
SURICATA Applayer Wrong direction first Data
|
7
http://5.42.66.10/download/th/space.php
http://5.42.99.177/api/crazyfish.php
http://94.232.45.38/eee01/eee01.exe
http://5.42.99.177/api/twofish.php
http://5.42.66.10/download/123p.exe
https://lop.foxesjoy.com/ssl/crt.exe
https://steamcommunity.com/profiles/76561199699680841
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45407 |
2024-06-17 14:33
|
 psyzh 0fece9d4a04aae570fa8673cc1fdb912
Malicious Library UPX PE File PE32 OS Processor Check unpack itself Remote Code Execution |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45408 |
2024-06-17 14:33
|
 setup.exe 05ff3df4891c23297d2f683cb399f027
Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios suspicious process WriteConsoleW anti-virtualization Windows ComputerName Cryptographic key |
|
|
|
|
11.6 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45409 |
2024-06-17 16:58
|
 am.exe 6cfddd5ce9ca4bb209bd5d8c2cd80025
Gen1 Generic Malware Malicious Library Antivirus Obsidium protector .NET framework(MSIL) UPX Anti_VM PE File PE32 OS Processor Check PNG Format Browser Info Stealer Malware download Amadey VirusTotal Malware powershell PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser ComputerName Remote Code Execution Cryptographic key |
4
http://proresupdate.com/h9fmdW5/index.php
https://contur2fa.recipeupdates.rest/__hh/files/run_search
https://contur2fa.recipeupdates.rest/__hh/files/run
https://i.imgur.com/yximuB4.png
|
6
contur2fa.recipeupdates.rest(172.67.197.250)
i.imgur.com(199.232.192.193) - mailcious
proresupdate.com(45.152.112.146)
45.152.112.146
172.67.197.250
146.75.92.193 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
|
10.4 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45410 |
2024-06-17 18:10
|
Adobe Аctivator.rar dca81312c9c1c15e6c56c40faf58d745
Escalate priviledges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger Creates executable files unpack itself |
|
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45411 |
2024-06-18 07:37
|
 IMG_812_06108.exe 9ea3d152c4e248841abf4f490a84b8c9
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://78.111.67.189/ecg/Hiwpwthq.mp4
https://api.ipify.org/
|
3
api.ipify.org(172.67.74.152)
104.26.13.205
78.111.67.189 - malware
|
7
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII
ET MALWARE PE EXE or DLL Windows file download Text M2
ET HUNTING [TW] Likely Hex Executable String
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET SHELLCODE Common 0a0a0a0a Heap Spray String
|
|
15.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45412 |
2024-06-18 07:37
|
 QuizPokemon.exe 814ff8b10d8641b03fcf1e9efc1005bf
NSIS Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
6.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45413 |
2024-06-18 07:39
|
 %E5%9B%BE%E8%A1%A8%E6%88%AA%E5... 2a2aee2fb354ba5189af608dd408460a
UPX PE File PE32 MZP Format Check memory unpack itself |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45414 |
2024-06-18 07:41
|
 dasheng.exe d4e78b1a0037296e0753b490eaf58adb
Generic Malware Malicious Library PE File PE32 PDB suspicious privilege |
|
|
|
|
1.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45415 |
2024-06-18 07:41
|
 11.exe 792d2de7d845aac6a8e94566ca610952
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PDB |
|
2
dashengyeyeye.eicp.net(47.111.82.157)
47.111.82.157
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45416 |
2024-06-18 07:43
|
 DTools.exe 45981826dbfca4c7c68514728a2f1cf9
ASPack PE File PE32 MZP Format Check memory unpack itself |
|
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45417 |
2024-06-18 07:44
|
 1gcctv1.exe 070e6df2b1edef456d1eb581ffa0dc74
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PDB DNS |
|
3
cctv.haoxiw.com(182.18.208.39)
104.26.13.205
182.18.208.39
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45418 |
2024-06-18 07:46
|
 miner.exe dd5fdaf7d0f6c0cbb695695ed546f54b
PE64 PE File Malware download Malware Malicious Traffic unpack itself DNS SilentCryptoMiner |
1
http://94.156.65.121/ACDG57T68GGYB/api/endpoint.php
|
3
randomxmonero.auto.nicehash.com(34.149.22.228) - mailcious
34.149.22.228 - mailcious
94.156.65.121 - malware
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 15
ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
|
|
2.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45419 |
2024-06-18 09:32
|
 54776tth.txt.vbs 0078fb0a4ff7e963ec03876cce667746
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://5.161.45.89:555/xx.jpg
|
|
|
|
5.8 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45420 |
2024-06-18 09:35
|
 dmi.txt.vbs 7e4e5ec429a0738c15593112bcf50406
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://38.22.104.227:666/tnttawy.jpg
|
|
|
|
5.8 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|