45871 |
2024-07-08 09:52
|
my.exe 6470b936622d9502880cae6452d1bb48 Generic Malware Malicious Library Malicious Packer Antivirus UPX PE File PE64 ftp OS Processor Check VirusTotal Malware WriteConsoleW DNS |
|
2
60.251.145.96 - mailcious 91.238.203.71 - malware
|
|
|
4.0 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45872 |
2024-07-08 09:54
|
Client.exe 86108d3bcc19fe774cc81b71494d31f9 Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check PNG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Browser Email ComputerName DNS Software crashed |
1
|
4
freegeoip.app(172.67.160.84) ipbase.com(104.21.85.189) 104.21.73.97 172.67.209.71
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com) ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
|
|
7.8 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45873 |
2024-07-08 10:04
|
Update.js affe7c07da3776a191c69b73e50d491aVBScript wscript.exe payload download Tofsee crashed Dropper |
1
https://pkjzv.fans.smalladventureguide.com/orderReview
|
2
pkjzv.fans.smalladventureguide.com(162.252.175.117) 162.252.175.117 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45874 |
2024-07-08 10:36
|
App.dll 1afdf73c0d1ba126c63927b423c55205 Generic Malware Malicious Library ASPack UPX PE File DLL PE64 OS Processor Check PDB Checks debugger crashed |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45875 |
2024-07-08 11:11
|
archive.rar 2074be740d489e298715968ed68fd122 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord DNS |
10
http://176.111.174.109/psyzh - rule_id: 40370 http://77.105.133.27/download/123p.exe - rule_id: 40857 http://5.42.99.177/api/crazyfish.php - rule_id: 40006 http://apps.identrust.com/roots/dstrootcax3.p7c http://80.78.242.100/d/525403 - rule_id: 40853 http://5.42.99.177/api/twofish.php - rule_id: 40008 http://80.78.242.100/d/385132 http://77.105.133.27/download/th/space.php - rule_id: 40856 https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188 https://db-ip.com/demo/home.php?s=
|
26
raw.githubusercontent.com(185.199.109.133) - malware db-ip.com(172.67.75.166) api64.ipify.org(104.237.62.213) api.myip.com(104.26.9.59) lop.foxesjoy.com(104.21.66.124) - malware ipinfo.io(34.117.186.192) cdn.discordapp.com(162.159.133.233) - malware vk.com(87.240.132.72) - mailcious iplogger.org(172.67.132.113) - mailcious 176.111.174.109 - malware 182.162.106.33 - malware 43.153.49.49 - mailcious 173.231.16.77 104.26.4.15 172.67.75.163 34.117.186.192 104.21.66.124 - malware 185.199.111.133 - mailcious 5.42.99.177 - mailcious 87.240.129.133 - mailcious 77.105.133.27 - mailcious 162.159.135.233 - malware 182.162.106.144 172.67.132.113 77.91.77.80 - malware 80.78.242.100 - mailcious
|
18
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA Applayer Mismatch protocol both directions ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET DROP Spamhaus DROP Listed Traffic Inbound group 30 ET HUNTING Redirect to Discord Attachment Download ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
|
7
http://176.111.174.109/psyzh http://77.105.133.27/download/123p.exe http://5.42.99.177/api/crazyfish.php http://80.78.242.100/d/525403 http://5.42.99.177/api/twofish.php http://77.105.133.27/download/th/space.php https://lop.foxesjoy.com/ssl/crt.exe
|
5.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45876 |
2024-07-08 13:29
|
node.js.exe 9e6ba754b50c865d54a69075a65620ae Gen1 RedLine stealer NSIS Generic Malware Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) Obsidium protector Antivirus Anti_VM Javascript_Blob PE File PE32 DLL PE64 OS Processor Check ftp VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder Ransomware |
|
|
|
|
4.2 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45877 |
2024-07-08 14:09
|
INVESTIGATION_OF_SEXUAL_HARASS... 9345d52abd5bab4320c1273eb2c90161 ZIP Format Word 2007 file format(docx) VirusTotal Malware unpack itself Tofsee |
2
http://x1.i.lencr.org/
https://investigation04.session-out.com/fbd901_harassment/doc.rtf
|
4
investigation04.session-out.com(89.150.40.43)
x1.i.lencr.org(23.52.33.11) 89.150.40.43
23.41.113.9
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45878 |
2024-07-08 14:16
|
482c30dc5680e0c01b8a117ce969ae... 482c30dc5680e0c01b8a117ce969aef0 MSOffice File VirusTotal Malware unpack itself suspicious TLD |
|
1
aloud.relax98.bilotora.ru() - mailcious
|
|
|
2.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45879 |
2024-07-08 14:24
|
INVESTIGATION_OF_SEXUAL_HARASS... 9345d52abd5bab4320c1273eb2c90161 ZIP Format Word 2007 file format(docx) VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
2
http://x1.i.lencr.org/ https://investigation04.session-out.com/fbd901_harassment/doc.rtf - rule_id: 41091
|
4
investigation04.session-out.com(89.150.40.43) - mailcious x1.i.lencr.org(23.52.33.11) 89.150.40.43 - mailcious 23.41.113.9
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://investigation04.session-out.com/fbd901_harassment/doc.rtf
|
2.6 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45880 |
2024-07-08 16:50
|
cp.exe a40cfc38fce8d0285fd1462bd2d7abd1 UPX PE File PE64 VirusTotal Malware suspicious privilege Windows utilities WriteConsoleW Windows DNS |
|
1
|
|
|
3.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45881 |
2024-07-08 16:50
|
Erlnb.exe 9352ddda312eeb93823ee2e6cc9a83bc Generic Malware Malicious Library .NET framework(MSIL) Antivirus AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName Cryptographic key |
1
http://voucher-01-static.com/rkei/1085.txt
|
2
voucher-01-static.com(91.92.243.32) - malware 91.92.243.32 - malware
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
|
|
13.6 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45882 |
2024-07-08 16:51
|
venture45.hta e17e0242e9fe3834c192513619013b92VirusTotal Malware unpack itself crashed |
|
|
|
|
1.4 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45883 |
2024-07-08 16:52
|
svchost.exe cb146d2042ae0df2c95f3afde7256583 UPX PE File PE64 VirusTotal Malware suspicious privilege Windows utilities suspicious TLD WriteConsoleW Windows DNS |
1
http://source-update.hugratcat.top:2095/ws
|
3
source-update.hugratcat.top(172.67.133.143) 172.67.133.143 39.97.52.57 - malware
|
2
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain
|
|
4.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45884 |
2024-07-08 16:53
|
Uialn.exe 4104370a4f4d897292560d55666cdb10 Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName Cryptographic key crashed |
1
http://voucher-01-static.com/rkei/1068.txt
|
5
strang-02-static.com(111.90.145.141) strang-01-static.com(111.90.145.141) voucher-01-static.com(91.92.243.32) - malware 111.90.145.141 91.92.243.32 - malware
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
|
|
15.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45885 |
2024-07-08 16:53
|
2019년 졸업자 취업통계조사 붙임.chm... 972be4aec6506e8bf4dc8d72491099f6 AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory unpack itself crashed |
|
|
|
|
2.6 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|