46306 | 2024-07-26 10:47 | crypteda.exe 04e90b2cf273efb3f6895cfcef1e59ba Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed | | | | | 2.2 | M | 39 | ZeroCERT

46307 | 2024-07-26 10:48 | RP.exe 3fc6176c962e7a70da7cc35fbdaf3fdc Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware PDB MachineGuid | | | | | 2.0 | M | 57 | ZeroCERT

46308 | 2024-07-26 10:49 | industries.exe b77405e92a8557ab11d1d6ed25d6b390 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS | 13: http://www.coremagic.dev/rvsk/?MX7FkojV=Q6rrnvlrZTKYSle47xg6Y6OwSS9N0FqK+Mj9cH/UpKnUyMI1FWbgFk/FlNfWovow3hwVTGhvILolNNo3GNpr7hq9bWNUl6+SP6zUu/gjCFkqdjEUw+tJr6mTAbu4eV1uJ6YGGN8=&2Oj70=wymB9 http://www.balneo.shop/9kwt/?MX7FkojV=/fSY3QZdojWpNRWxwqctiQNAdxt1JuBXe68kaBTFsj+2jUSklURH6kjWh0GMyO+4mMP491VErEY7I0ob1VlJfdzB+SlT7K2iZIvlJJCUvillQoZjNNO9VKVTJ25PKBfJXbttaTY=&2Oj70=wymB9 http://www.butlay.website/u759/?MX7FkojV=MCukImoArEyLOTWqdQ1z2ePajSp2A5/BJZ6VTOICmOwJAgwJdKZCqOuSR5fILSmCknZcGV/72lN4bKl6niuzWckaU42fOjXxFvVyCgHozLVBKAJAIlIa8E7shRk9RybY7kmvMQk=&2Oj70=wymB9 http://www.hyattcreekoutpost.biz/sz4t/?MX7FkojV=PqYvDSUa5xpzdedq5tdpwiJC3gthoupmRjBzzJ3FbntVibPZI1/EKZl9s9hOn0Zmb9xaCSNsWJoSe51ux6SQqL8VwrNWtNbiyPi6OavNpFulETA7IisDPhWpDVcfmzCLy1FFmkA=&2Oj70=wymB9 http://www.mospos.top/q66s/?MX7FkojV=WxU+nNp+nJpz7Op4b6PDRlI6uXxtCFalh3oS6b0UMJSG3vkyp0IBCXywBW0+wHruShb13AiiEAiVUnW1+sH/RYwiBhm8QqKdAs/yfan11L/sTt125NYKX4Rdp1lkm/iDq+nnZa4=&2Oj70=wymB9 http://www.tepco-co.online/hkxp/?MX7FkojV=gPAUIlTRKA7qXOL1ZTlMStdeIysZD39Vk2/re0B3mS8rGAQ0GotM5sSvAkfRsadCl6ftFGx2rGJjUrcRh8RdozefQI8XmfbOp1GwBEXiGavuSYQFbTIXZtPOAEv8EMoS+0xwku0=&2Oj70=wymB9 http://www.sweatequitypac.org/raxq/?MX7FkojV=x7NDGsgoCWTIEJ1tNCkkA1f2sMsJkFt2/Kg/6Gal8l5Ws0UwXECJP572vAzACYdkP61pUsrmPyJQfMGcau4sPIxMO6OtXz5Fl6YkZsF6thbJOhJ/u+Iz2uLJY5XPwE+BFsUyCr8=&2Oj70=wymB9 http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip http://www.summitpublications.net/ra7c/?MX7FkojV=SvKeswTuzWazx34ZRwNYWOUL+4Qzi3RGXdHaFUpExCUZEgDUs1lV719mAF8EtsBn/AVD65QVQa8ibY4gFbZqCpH5b+leOD1Jj6HueKbZfx9J0tpKEMSaJYca0b0uZ3KvEkzLgBc=&2Oj70=wymB9 http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip http://www.teandone.buzz/o6pn/?MX7FkojV=UJn6hLCr5CE83JGsiFr6F3dlh+gjmnQgpGSYIUWsdErR1O5ttgS2rCz/oa92Vy1JsAs4Vb0vhE186yqRppZqSaM6EjKfJ/MzG1s7XTw2DqO7xvMmiA2yEfwBZPs4V1K4aWoq150=&2Oj70=wymB9 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip http://www.summitpublications.net/ra7c/ | 21: www.hyattcreekoutpost.biz(15.197.148.33) www.sweatequitypac.org(15.197.148.33) www.balneo.shop(81.169.145.84) www.mospos.top(203.161.42.161) www.nswurology.store() www.teandone.buzz(104.21.5.210) www.unyiinnflcng.xyz() www.butlay.website(103.224.182.242) www.summitpublications.net(66.81.203.135) www.tepco-co.online(84.32.84.32) www.coremagic.dev(85.13.154.127) 15.197.148.33 - mailcious 85.13.154.127 84.32.84.32 - mailcious 172.67.133.217 3.33.130.190 - phishing 203.161.42.161 81.169.145.84 - mailcious 66.81.203.10 45.33.6.223 103.224.182.242 - phishing | 4: ET DNS Query to a *.top domain - Likely Hostile ET INFO Observed DNS Query to .biz TLD ET INFO HTTP Request to a *.buzz domain ET INFO HTTP Request to a *.top domain | | 7.0 | M | 48 | ZeroCERT

46309 | 2024-07-26 10:50 | 5447jsX.exe 5dd9c1ffc4a95d8f1636ce53a5d99997 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed | | | | | 2.4 | M | 46 | ZeroCERT

46310 | 2024-07-26 10:51 | 25072023.exe a9a37926c6d3ab63e00b12760fae1e73 RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | | 1: 185.215.113.67 - mailcious | 6: ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | | 7.6 | M | 53 | ZeroCERT

46311 | 2024-07-26 10:52 | RoguePotato.exe 2dd755be5842e71b304d2fbff93eb2a3 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware DNS | | 1 | | | 2.0 | M | 55 | ZeroCERT

46312 | 2024-07-26 10:55 | svhosts.exe fcd623c9b95c16f581efb05c9a87affb Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed | | | | | 2.2 | M | 39 | ZeroCERT

46313 | 2024-07-26 10:56 | pf32.exe 2a74db17b50025d13a63d947d8a8f828 Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware | | | | | 1.2 | M | 58 | ZeroCERT

46314 | 2024-07-26 10:59 | gawdth.exe c02798b26bdaf8e27c1c48ef5de4b2c3 SystemBC Generic Malware Downloader Malicious Library UPX Malicious Packer Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiV VirusTotal Malware AutoRuns PDB Code Injection Creates executable files unpack itself AppData folder Windows Remote Code Execution | | | | | 5.0 | M | 39 | ZeroCERT

46315 | 2024-07-26 11:58 | svchost.exe 2e6d807e953cc0961f1bae27e34bc50d njRAT backdoor Generic Malware PE File .NET EXE PE32 Malware download njRAT VirusTotal Malware Check memory Checks debugger unpack itself suspicious process WriteConsoleW DNS | | 1 | 1: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | | 4.0 | | 68 | ZeroCERT

46316 | 2024-07-26 11:59 | winiti.exe 76a4d0d810f2007100c2619d184ef7de AgentTesla North Korea Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed | 2: http://ip-api.com/line/?fields=hosting https://api.ipify.org/ | 4: api.ipify.org(104.26.12.205) ip-api.com(208.95.112.1) 104.26.12.205 208.95.112.1 | 5: ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup ip-api.com | | 15.6 | M | 46 | ZeroCERT

46317 | 2024-07-26 12:03 | asec.exe 132609f10f23a5a1fc5653ae7e91bdb2 Generic Malware UPX Antivirus PE File PE32 PowerShell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Disables Windows Security suspicious process WriteConsoleW Windows Update ComputerName DNS Cryptographic key | | 3: 144.160.159.21 144.160.235.143 67.195.204.80 | | | 7.8 | M | | ZeroCERT

46318 | 2024-07-26 12:03 | newtpp.exe e2e3268f813a0c5128ff8347cbaa58c8 Generic Malware Downloader Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX Antivirus PE File PE32 PowerShell Malware download Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AppData folder WriteConsoleW IP Check Windows Update Email ComputerName DNS Cryptographic key | 8: http://185.215.113.66/ns/91.txt - rule_id: 39702 http://185.215.113.66/5 - rule_id: 26698 http://185.215.113.66/ns/n.txt - rule_id: 39702 http://icanhazip.com/ http://185.215.113.66/4 - rule_id: 26697 http://185.215.113.66/3 - rule_id: 26696 http://185.215.113.66/2 - rule_id: 26695 http://185.215.113.66/1 - rule_id: 26694 | 72: bellsouth.net(216.77.188.73) mx.altice.prod.cloud.openwave.ai(65.20.63.100) al-ip4-mx-vip1.prodigy.net(144.160.235.143) sbcglobal.net() ntlworld.com(213.105.9.42) al-ip4-mx-vip2.prodigy.net(144.160.235.144) icanhazip.com(104.16.184.241) comcast.net(96.99.227.0) mta6.am0.yahoodns.net(67.195.228.106) mx0.charter.net(47.43.18.9) mx2.mxge.comcast.net(96.102.18.147) mx2h1.comcast.net(96.102.157.180) mail.com(82.165.229.87) att.net(144.160.36.42) juno.com(64.136.53.46) cxr.mx.a.cloudfilter.net(34.212.80.54) mx01.mail.com(74.208.5.22) mx1h1.comcast.net(96.102.157.181) ff-ip4-mx-vip1.prodigy.net(144.160.159.21) cox.net(98.182.1.143) mx.dca.untd.com(64.136.44.37) aim.com(13.248.158.7) netzero.net(64.136.45.168) yahoo.com(74.6.143.25) mx-aol.mail.gm0.yahoodns.net(98.136.96.92) verizon.net(72.21.81.253) mx.vgs.untd.com(64.136.52.37) optonline.net(167.206.148.154) www.update.microsoft.com(20.109.209.108) mxin5.virginmedia.com(84.116.6.18) mx1a1.comcast.net(96.103.145.163) mx2c1.comcast.net(96.102.18.146) charter.net(99.83.251.242) 151.241.237.185 47.43.18.9 78.85.106.173 77.91.77.92 96.102.157.181 194.93.26.210 109.74.43.21 213.230.90.222 5.238.186.28 95.59.4.234 185.215.113.66 - malware 217.30.160.154 2.185.163.114 83.239.55.170 64.136.44.37 98.136.96.93 74.208.5.22 86.62.3.154 109.74.35.21 195.158.22.13 65.20.63.100 104.16.185.241 35.162.106.154 67.195.204.75 96.103.145.163 144.160.159.21 144.160.235.143 144.160.235.144 64.136.52.37 20.109.209.108 96.102.157.180 95.58.72.245 77.221.27.219 84.116.6.18 98.136.96.92 67.195.204.80 96.102.18.147 96.102.18.146 67.195.228.111 | 6: ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com) ET POLICY IP Check Domain (icanhazip. com in HTTP Host) SURICATA Applayer Detect protocol only one direction ET MALWARE Win32/Phorpiex Template 9 Active - Outbound Malicious Email Spam ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 7: http://185.215.113.66/ http://185.215.113.66/5 http://185.215.113.66/ http://185.215.113.66/4 http://185.215.113.66/3 http://185.215.113.66/2 http://185.215.113.66/1 | 14.4 | M | | ZeroCERT

46319 | 2024-07-26 12:04 | 2020.exe 95606667ac40795394f910864b1f8cc4 Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format Check memory Creates executable files | | | | | 0.6 | M | | ZeroCERT

46320 | 2024-07-26 12:04 | pered.exe faf1270013c6935ae2edaf8e2c2b2c08 Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format ftp VirusTotal Malware Check memory Creates executable files DNS | | 1 | | | 2.2 | M | 9 | ZeroCERT