46351 |
2024-07-27 14:57
|
pi.exe 1e8a2ed2e3f35620fb6b8c2a782a57f3 Generic Malware Downloader Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX PE File PE32 Malware download VirusTotal Malware AutoRuns Malicious Traffic Checks debugger ICMP traffic Disables Windows Security Windows DNS |
5
http://185.215.113.66/5 - rule_id: 26698 http://185.215.113.66/4 - rule_id: 26697 http://185.215.113.66/3 - rule_id: 26696 http://185.215.113.66/2 - rule_id: 26695 http://185.215.113.66/1 - rule_id: 26694
|
23
www.update.microsoft.com(20.72.235.82) 109.74.69.43 146.70.157.241 189.189.144.10 139.228.82.249 185.215.113.66 - malware 189.155.227.203 188.253.78.49 94.26.222.31 37.255.117.80 46.161.246.13 91.218.161.58 85.174.56.227 178.155.39.80 188.211.107.239 82.194.10.4 151.233.235.104 178.88.82.240 146.70.80.37 178.89.227.41 20.109.209.108 95.181.135.151 46.100.58.92
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC
|
5
http://185.215.113.66/5 http://185.215.113.66/4 http://185.215.113.66/3 http://185.215.113.66/2 http://185.215.113.66/1
|
9.2 |
M |
65 |
ZeroCERT
46352 |
2024-07-27 14:59
|
creamthingstohappenedgetmeback... e03f3290788de4d7a103f16b780b3cce MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit DNS crashed |
|
1
192.3.176.174 - malicious
|
|
|
5.2 |
M |
37 |
ZeroCERT
46353 |
2024-07-27 14:59
|
createdgoodthingstogetmebackth... 9f63ee5ef179cfcf56619e1c9d44447a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed |
1
http://104.168.45.34/59/createdthingstobefrankwithmeeverywhere.gIF
|
1
104.168.45.34 - malicious
|
|
|
4.6 |
M |
38 |
ZeroCERT
46354 |
2024-07-27 15:02
|
funtogetbacktomeforgetbacktoge... f179217f7e89dea23f1a01c29fc61659 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed |
1
http://192.3.176.154/xampp/glo/createactiveimagesbeautygirlfrnd.gIF
|
1
192.3.176.154 - malicious
|
|
|
4.6 |
M |
38 |
ZeroCERT
46355 |
2024-07-27 15:02
|
iamtotalnewpersontogetmebackwi... 25a6c39dbc117a7596c857dbec4e5d93 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed |
1
http://192.3.176.154/50/screensimplethingstohandlecream.gIF
|
1
192.3.176.154 - malicious
|
|
|
4.8 |
M |
40 |
ZeroCERT
46356 |
2024-07-27 15:03
|
HNBC.txt.exe 2b985c758a227407855e1d8e14f8863d Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser Email ComputerName DNS DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) maveing.duckdns.org(192.3.101.142) 178.237.33.50 192.3.101.142 - malware
|
3
ET JA3 Hash - Remcos 3.x/4.x TLS Connection ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
11.4 |
|
59 |
ZeroCERT
46357 |
2024-07-27 15:07
|
LMTS.txt.exe 3ad8cb387874a15488508bf269fd2520 Browser Login Data Stealer Generic Malware Downloader Malicious Library Malicious Packer UPX Antivirus ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Malware download Remcos VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS keylogger |
1
http://geoplugin.net/json.gp
|
8
geoplugin.net(178.237.33.50) asociatiatraditiimaria.ro(93.113.54.56) - malicious iwarsut775laudrye2.duckdns.org(192.253.251.227) new.quranushaiqer.org.sa(34.166.62.190) - malicious 192.253.251.227 178.237.33.50 93.113.54.56 - malicious 34.166.62.190
|
7
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Remcos 3.x Unencrypted Checkin ET MALWARE Remcos 3.x Unencrypted Server Response
|
|
18.4 |
|
59 |
ZeroCERT
46358 |
2024-07-27 20:30
|
YesTraderRun.exe 0c95469e9ee3bc62c0678d7ae0bed71c Themida Packer Generic Malware Anti_VM PE File PE32 VirusTotal Malware |
|
|
|
|
1.4 |
|
2 |
guest
46359 |
2024-07-28 10:34
|
DecryptJohn.exe c1853d1c36dc461668c9af843d07cc58 Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder crashed |
|
|
|
|
3.4 |
M |
50 |
ZeroCERT
46360 |
2024-07-28 10:34
|
dccrypt.exe 55398a65a9d1abb512e943a0d8901cb0 Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB Code Injection Check memory Checks debugger Creates executable files unpack itself WriteConsoleW Remote Code Execution crashed |
|
|
|
|
6.4 |
M |
57 |
ZeroCERT
46361 |
2024-07-28 10:36
|
build_2024-07-25_20-56.exe bea49eab907af8ad2cbea9bfb807aae2 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
53 |
ZeroCERT
46362 |
2024-07-28 10:36
|
Display1.exe 88696cf17417a2339b63f9452404c839 Generic Malware task schedule Malicious Library WinRAR UPX AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder WriteConsoleW ComputerName Remote Code Execution crashed |
|
|
|
|
8.6 |
M |
28 |
ZeroCERT
46363 |
2024-07-28 10:40
|
recreatednewthingswithentriene... 0a9c028203a8416be8db7371550d0fb5 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself suspicious TLD Windows Exploit DNS crashed |
14
|
13
|
9
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO HTTP Request to a *.top domain ET INFO Observed DNS Query to .life TLD ET INFO HTTP Request to Suspicious *.life Domain ET DNS Query to a *.top domain - Likely Hostile
|
|
5.4 |
M |
39 |
ZeroCERT
46364 |
2024-07-28 10:40
|
random.exe 7e43d787c0813212855c05d5cc4b1752 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
M |
38 |
ZeroCERT
46365 |
2024-07-28 10:42
|
winiti.exe 1f5c95d40c06c01300f0a6592945a72d Generic Malware Malicious Library UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser DNS |
12
|
12
www.hourglasspoise.net(3.33.130.190) www.theiconsummit.life(3.33.130.190) www.lontos.top(203.161.42.162) www.accelbusiness.net(3.33.130.190) www.asymtos.tech(217.160.164.240) www.bosonserver.net(195.200.3.58) 195.200.3.58 3.33.130.190 - phishing 217.160.164.240 15.197.148.33 - malicious 203.161.42.162 45.33.6.223
|
4
ET INFO HTTP Request to a *.top domain ET INFO HTTP Request to Suspicious *.life Domain ET DNS Query to a *.top domain - Likely Hostile ET INFO Observed DNS Query to .life TLD
|
|
10.0 |
M |
53 |
ZeroCERT