45676 | 2024-07-01 11:03
Hooks.jpg.exe | 422f3763021f8f9bfc31a9a7e4b049f9 | Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Downloader Malicious Packer .NET framework(MSIL) UPX Antivirus PE File PE32 DLL OS Processor Check VirusTotal Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
2 |
  http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
  http://43.198.152.240:8080/api/node/ip_validate
18 |
  gtxvdqvuweqs.com(16.162.201.176) - malicious ipv6-api.iproyal.com() down.ftp21.cc(119.203.212.165) - malware download.microsoft.com(23.207.40.161) api6.my-ip.io() www.362-com.com(1.226.84.135) www.4i7i.com(1.226.84.135) api.iproyal.com(193.228.196.69) worldtimeapi.org(213.188.196.246) 23.45.52.224 93.189.62.83 213.188.196.246 193.228.196.69 51.161.196.188 43.198.152.240 16.162.201.176 - malicious 1.226.84.135 119.203.212.165 - malware
4 |
  ET DNS Query for .cc TLD
  ET HUNTING Suspicious EXE Download Content-Type image/jpeg
  ET INFO SSH-2.0-Go version string Observed in Network Traffic
  ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
11.2 | M | 60 | ZeroCERT
45677 | 2024-07-01 11:05
MpMgSvc.jpg.exe | 40670d0d30c6855dd2b3db30b81f9ce2 | Emotet Generic Malware UPX Malicious Library Malicious Packer Downloader Anti_VM PE File PE32 DLL OS Processor Check ftp PE64 Malware SMB Traffic Potential Scan Malicious Traffic Creates executable files ICMP traffic AppData folder sandbox evasion Remote Code Execution DNS DDNS
2 |
  http://118.184.169.48/dyndns/getip
  http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
4 |
  opendata.baidu.com(45.113.194.189) members.3322.org(118.184.169.48) 45.113.194.127 118.184.169.48
3 |
  ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
  ET INFO DYNAMIC_DNS Query to 3322.org Domain
  ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
7.0 | M | | ZeroCERT
45678 | 2024-07-01 14:56
FIX_0x80070643_(Need_reboot).r... | 177d5e4e498f2a2db92df607fe0e1692 | ScreenShot Escalate privileges KeyLogger AntiDebug AntiVM AutoRuns Code Injection Check memory unpack itself Windows
3 |
  https://companyupdates.ltd/act/CONT
  https://companyupdates.ltd/act/FP
  https://companyupdates.ltd/act/ENC
2.2 | | | ZeroCERT
45679 | 2024-07-01 14:56
CONT.exe | 1cdf5a27c0f2ceaf51055ed3721d5c32 | UPX PE File PE32 VirusTotal Malware PDB Remote Code Execution
1.0 | | 2 | ZeroCERT
45680 | 2024-07-01 15:06
ENC.zip | 34dd73380e19295eef9c195a9f35c9b3 | ZIP Format VirusTotal Malware Malicious Traffic Tofsee
8 |
  https://kaylen.xyz//mozglue.dll
  https://kaylen.xyz//freebl3.dll
  https://kaylen.xyz//softokn3.dll
  https://kaylen.xyz//nss3.dll
  https://kaylen.xyz//msvcp140.dll
  https://kaylen.xyz//sql.dll
  https://kaylen.xyz/
  https://kaylen.xyz//vcruntime140.dll
2 |
  kaylen.xyz(172.67.220.235) 104.21.94.78
1 |
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.6 | | 3 | ZeroCERT
45681 | 2024-07-01 15:24
outbyte-pc-repair.exe | 044b5657529471e023ee2da2dad94cfa | Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 MZP Format OS Processor Check DLL DllRegisterServer dll ftp PE64 Browser Info Stealer VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Checks Bios AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName crashed
1 |
  https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ
4 |
  outbyte.com(45.33.97.245) www.google-analytics.com(216.239.34.178) 172.217.24.78 45.33.97.245
1 |
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.2 | | 3 | ZeroCERT
45682 | 2024-07-01 15:33
tsjtmfdm.pkg.exe | 98cc12248c1dfc68103dd9fc4d959f68 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
1.6 | | 26 | ZeroCERT
45683 | 2024-07-01 16:46
Update.js | 365d4f4e6ffed01288e0fae6e352e8a5 | VBScript wscript.exe payload download Tofsee crashed Dropper
1 |
  https://czvqr.fans.smalladventureguide.com/orderReview
2 |
  czvqr.fans.smalladventureguide.com(162.252.175.117) 162.252.175.117
2 |
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | | | guest
45684 | 2024-07-02 07:45
igccu.exe | bb1b8864e1d82735205d07d202c5d864 | LokiBot Malicious Library Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
1 |
  http://dashboardproducts.info/bally/fre.php
2 |
  dashboardproducts.info(91.219.150.102) 91.92.240.69
1 |
  ET DROP Spamhaus DROP Listed Traffic Inbound group 13
13.2 | M | 30 | ZeroCERT
45685 | 2024-07-02 07:45
snukingorig2.5.exe | 7d50650cd2ba63482d4caf875ae65a8e | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
1 |
2 |
  api.ipify.org(104.26.12.205) 104.26.13.205
3 |
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.8 | M | 33 | ZeroCERT
45686 | 2024-07-02 07:49
IHBHXXQF.exe | 5f4de1a8ed39bdcaf3e4c6d5fa547fc2 | Gen1 HermeticWiper Malicious Library UPX Malicious Packer ASPack Anti_VM PE File PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check
3.2 | M | 14 | ZeroCERT
45687 | 2024-07-02 07:51
csrss.exe | a273d142217177ab8013d6ebeafbc22f | Malicious Library Malicious Packer Antivirus UPX PE File PE64 OS Processor Check PDB Check memory Checks debugger ComputerName Remote Code Execution
1.6 | M | | ZeroCERT
45688 | 2024-07-02 07:54
buildcr.exe | 88932ab33c38072946abc06b426d33b8 | [m] Generic Malware Generic Malware Suspicious_Script_Bin task schedule Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS
3 |
  http://defgyma.com/dl/build2.exe - rule_id: 40622
  http://cajgtus.com/files/1/build3.exe - rule_id: 40623
  https://api.2ip.ua/geo.json
6 |
  defgyma.com(181.204.98.226) - malware api.2ip.ua(104.21.65.24) cajgtus.com(178.134.214.182) - malware 104.21.65.24 186.233.231.45 190.13.174.94
9 |
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
  ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  ET MALWARE Win32/Vodkagats Loader Requesting Payload
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  ET POLICY PE EXE or DLL Windows file download HTTP
2 |
  http://defgyma.com/dl/build2.exe
  http://cajgtus.com/files/1/build3.exe
12.2 | M | 55 | ZeroCERT
45689 | 2024-07-02 07:54
kdmapper.exe | afb27825d8a45bea2992eca0e060a968 | Gen1 Emotet HermeticWiper Generic Malware NSIS NMap Malicious Library Malicious Packer UPX Downloader Admin Tool (Sysinternals etc ...) ASPack Anti_VM PE File PE32 MZP Format OS Processor Check DllRegisterServer dll HWP CAB ActiveXObject PE64 ftp VirusTotal Malware AutoRuns Check memory Creates executable files installed browsers check Windows Browser
4.0 | | 69 | ZeroCERT
45690 | 2024-07-02 07:55
asec.exe | 8962b367891c933d896bc4ed9c2cffba | Generic Malware UPX Antivirus PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Disables Windows Security suspicious process WriteConsoleW Windows Update ComputerName Cryptographic key
9.0 | M | 45 | ZeroCERT