| 45676 |
2024-07-01 11:03
|
 Hooks.jpg.exe 422f3763021f8f9bfc31a9a7e4b049f9
Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Downloader Malicious Packer .NET framework(MSIL) UPX Antivirus PE File PE32 DLL OS Processor Check VirusTotal Malware powershell AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
2
http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
http://43.198.152.240:8080/api/node/ip_validate
|
18
gtxvdqvuweqs.com(16.162.201.176) - mailcious
ipv6-api.iproyal.com()
down.ftp21.cc(119.203.212.165) - malware
download.microsoft.com(23.207.40.161)
api6.my-ip.io()
www.362-com.com(1.226.84.135)
www.4i7i.com(1.226.84.135)
api.iproyal.com(193.228.196.69)
worldtimeapi.org(213.188.196.246)
23.45.52.224
93.189.62.83
213.188.196.246
193.228.196.69
51.161.196.188
43.198.152.240
16.162.201.176 - mailcious
1.226.84.135
119.203.212.165 - malware
|
4
ET DNS Query for .cc TLD
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET INFO SSH-2.0-Go version string Observed in Network Traffic
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
|
|
11.2 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45677 |
2024-07-01 11:05
|
 MpMgSvc.jpg.exe 40670d0d30c6855dd2b3db30b81f9ce2
Emotet Generic Malware UPX Malicious Library Malicious Packer Downloader Anti_VM PE File PE32 DLL OS Processor Check ftp PE64 Malware SMB Traffic Potential Scan Malicious Traffic Creates executable files ICMP traffic AppData folder sandbox evasion Remote Code Execution DNS DDNS |
2
http://118.184.169.48/dyndns/getip
http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
|
4
opendata.baidu.com(45.113.194.189)
members.3322.org(118.184.169.48)
45.113.194.127
118.184.169.48
|
3
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET INFO DYNAMIC_DNS Query to 3322.org Domain
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
|
|
7.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45678 |
2024-07-01 14:56
|
FIX_0x80070643_(Need_reboot).r... 177d5e4e498f2a2db92df607fe0e1692
ScreenShot Escalate priviledges KeyLogger AntiDebug AntiVM AutoRuns Code Injection Check memory unpack itself Windows |
3
https://companyupdates.ltd/act/CONT
https://companyupdates.ltd/act/FP
https://companyupdates.ltd/act/ENC
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45679 |
2024-07-01 14:56
|
 CONT.exe 1cdf5a27c0f2ceaf51055ed3721d5c32
UPX PE File PE32 VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
1.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45680 |
2024-07-01 15:06
|
 ENC.zip 34dd73380e19295eef9c195a9f35c9b3
ZIP Format VirusTotal Malware Malicious Traffic Tofsee |
8
https://kaylen.xyz//mozglue.dll
https://kaylen.xyz//freebl3.dll
https://kaylen.xyz//softokn3.dll
https://kaylen.xyz//nss3.dll
https://kaylen.xyz//msvcp140.dll
https://kaylen.xyz//sql.dll
https://kaylen.xyz/
https://kaylen.xyz//vcruntime140.dll
|
2
kaylen.xyz(172.67.220.235)
104.21.94.78
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45681 |
2024-07-01 15:24
|
 outbyte-pc-repair.exe 044b5657529471e023ee2da2dad94cfa
Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 MZP Format OS Processor Check DLL DllRegisterServer dll ftp PE64 Browser Info Stealer VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Checks Bios AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName crashed |
1
https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ
|
4
outbyte.com(45.33.97.245)
www.google-analytics.com(216.239.34.178)
172.217.24.78
45.33.97.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45682 |
2024-07-01 15:33
|
 tsjtmfdm.pkg.exe 98cc12248c1dfc68103dd9fc4d959f68
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
1.6 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45683 |
2024-07-01 16:46
|
 Update.js 365d4f4e6ffed01288e0fae6e352e8a5VBScript wscript.exe payload download Tofsee crashed Dropper |
1
https://czvqr.fans.smalladventureguide.com/orderReview
|
2
czvqr.fans.smalladventureguide.com(162.252.175.117)
162.252.175.117
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45684 |
2024-07-02 07:45
|
 igccu.exe bb1b8864e1d82735205d07d202c5d864
LokiBot Malicious Library Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software |
1
http://dashboardproducts.info/bally/fre.php
|
2
dashboardproducts.info(91.219.150.102)
91.92.240.69
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
|
|
13.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45685 |
2024-07-02 07:45
|
 snukingorig2.5.exe 7d50650cd2ba63482d4caf875ae65a8e
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
|
2
api.ipify.org(104.26.12.205)
104.26.13.205
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45686 |
2024-07-02 07:49
|
 IHBHXXQF.exe 5f4de1a8ed39bdcaf3e4c6d5fa547fc2
Gen1 HermeticWiper Malicious Library UPX Malicious Packer ASPack Anti_VM PE File PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check |
|
|
|
|
3.2 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45687 |
2024-07-02 07:51
|
 csrss.exe a273d142217177ab8013d6ebeafbc22f
Malicious Library Malicious Packer Antivirus UPX PE File PE64 OS Processor Check PDB Check memory Checks debugger ComputerName Remote Code Execution |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45688 |
2024-07-02 07:54
|
 buildcr.exe 88932ab33c38072946abc06b426d33b8
[m] Generic Malware Generic Malware Suspicious_Script_Bin task schedule Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted Creates executable files unpack itself Windows utilities AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS |
3
http://defgyma.com/dl/build2.exe - rule_id: 40622
http://cajgtus.com/files/1/build3.exe - rule_id: 40623
https://api.2ip.ua/geo.json
|
6
defgyma.com(181.204.98.226) - malware
api.2ip.ua(104.21.65.24)
cajgtus.com(178.134.214.182) - malware
104.21.65.24
186.233.231.45
190.13.174.94
|
9
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY PE EXE or DLL Windows file download HTTP
|
2
http://defgyma.com/dl/build2.exe
http://cajgtus.com/files/1/build3.exe
|
12.2 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45689 |
2024-07-02 07:54
|
kdmapper.exe afb27825d8a45bea2992eca0e060a968
Gen1 Emotet HermeticWiper Generic Malware NSIS NMap Malicious Library Malicious Packer UPX Downloader Admin Tool (Sysinternals etc ...) ASPack Anti_VM PE File PE32 MZP Format OS Processor Check DllRegisterServer dll HWP CAB ActiveXObject PE64 ftp VirusTotal Malware AutoRuns Check memory Creates executable files installed browsers check Windows Browser |
|
|
|
|
4.0 |
|
69 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45690 |
2024-07-02 07:55
|
 asec.exe 8962b367891c933d896bc4ed9c2cffba
Generic Malware UPX Antivirus PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Disables Windows Security suspicious process WriteConsoleW Windows Update ComputerName Cryptographic key |
|
|
|
|
9.0 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|