| 46081 |
2024-07-17 09:13
|
 x.exe e61141a7ae1bbdd5fb0434f2c946b566
Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46082 |
2024-07-17 09:15
|
 se.exe a907d2e6edda829467a10bc8a87cb76f
PE File PE64 VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46083 |
2024-07-17 20:50
|
 d3l.ps1 d4668b957d53463c68684d6cab89c2b2
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.2 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46084 |
2024-07-17 20:50
|
 shell.bat 4baea5b66334a3be30d12b1956fe889e
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
191.232.181.180 - malware
|
|
|
7.6 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46085 |
2024-07-17 20:54
|
 66967d2323cae_cry.exe 156d89382dd0eb5cd6fd5ef7d1cb9006
Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199743486170
https://t.me/s41l0
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(96.17.209.196) - mailcious
149.154.167.99 - mailcious
104.71.154.102
78.46.255.249
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.4 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46086 |
2024-07-17 20:55
|
 client.exe d585cbc4612c2fd171d7b20bf62241d7
Gen1 Generic Malware Malicious Library UPX Anti_VM PE File PE64 OS Processor Check DLL ZIP Format ftp VirusTotal Malware Check memory Creates executable files |
|
|
|
|
2.4 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46087 |
2024-07-17 20:55
|
 ZHR.txt.exe d34f0dab54d1463e8ab9d016f6a78440
Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
6
checkip.dyndns.org(132.226.8.169)
reallyfreegeoip.org(172.67.177.134)
api.telegram.org(149.154.167.220)
193.122.130.0
172.67.177.134
149.154.167.220
|
9
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
7.8 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46088 |
2024-07-17 20:56
|
 java.exe cf8827cf86ed8c72f1276eb9c2456278
UPX PE File PE64 VirusTotal Malware suspicious privilege Windows utilities WriteConsoleW Windows Java DNS |
|
1
|
|
|
4.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46089 |
2024-07-17 20:57
|
 669662d10259b_file150724.exe b3757b09ed2150ce857f446c0c61363c
Suspicious_Script_Bin Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs Tofsee Windows ComputerName DNS |
2
http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
https://api.2ip.ua/geo.json
|
4
cajgtus.com(181.123.219.23) - malware
api.2ip.ua(172.67.139.220)
172.67.139.220
187.152.15.89
|
6
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
|
|
10.2 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46090 |
2024-07-17 20:58
|
 66979ab41b05f_crypta.exe 4fdec920bb078c6636323ec0d77be95d
Malicious Library .NET framework(MSIL) UPX ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
|
|
8.0 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46091 |
2024-07-17 21:00
|
bh..x.x.xbh.....x.x.x.xbhbh.do... f4e21b4629aaf817a7bd3410d1910c52
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://103.161.133.121/60960/greatlionloveroseentierworldlover.gIF
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
4
pastecode.dev(172.66.43.27) - mailcious
103.161.133.121 - malware
172.66.43.27 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET MALWARE Base64 Encoded MZ In Image
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
4.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46092 |
2024-07-17 21:00
|
greatlionloveroseentierworldlo... 899326d947e7833eb5e0e9a94bddae5c
Generic Malware Antivirus PowerShell Malware download Malware VBScript powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper |
2
http://198.46.176.133/Upload/vbs.jpeg - rule_id: 41176
https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
|
3
pastecode.dev(172.66.43.27) - mailcious
172.66.43.27 - mailcious
198.46.176.133 - mailcious
|
5
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE Malicious Base64 Encoded Payload In Image
|
2
http://198.46.176.133/Upload/vbs.jpeg
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46093 |
2024-07-17 21:12
|
 669698e482bd9_finesoft.exe 5e7ccedcf6a3958320c46d90e9cd604e
Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199743486170
https://t.me/s41l0
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(96.17.209.196) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
78.46.255.249
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
17.2 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46094 |
2024-07-17 21:14
|
 6696629242869_crypted.exe 9579c9ca9e85cfd4436f4acb8e11642b
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46095 |
2024-07-18 08:27
|
 sc2.exe 0bb47290ac45642ac44a00846eda74e2
AsyncRAT Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Malware download AsyncRAT NetWireRC VirusTotal Malware DNS DDNS |
|
2
scar77747.duckdns.org(2.58.80.130)
2.58.80.130
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
1.6 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|