46366 |
2024-07-28 10:53
|
random.exe 8c0430ee2841a6554d709869a81a375b RedLine stealer RedlineStealer SystemBC Gen1 Themida Packer Generic Malware Downloader UPX Malicious Library .NET framework(MSIL) Malicious Packer Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audi Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder VMware anti-virtualization installed browsers check Tofsee Ransomware Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
8
|
9
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET HUNTING Download Request Containing Suspicious Filename - Crypted ET MALWARE Amadey Bot Activity (POST) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
17.8 |
M |
47 |
ZeroCERT
46367 |
2024-07-28 14:18
|
Bin_HookShark64_2011-12-31_19.... 4f19a7e5f8225992821041d0109ffc8c AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
4.2 |
|
1 |
guest
46368 |
2024-07-28 14:48
|
Bin_HookShark64_2011-12-31_19.... 4f19a7e5f8225992821041d0109ffc8c AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.8 |
|
1 |
guest
46369 |
2024-07-29 13:22
|
winiti.exe e8b4997fd647c6236e8d6a5460724cee Formbook North Korea Generic Malware Malicious Library .NET framework(MSIL) Antivirus UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder suspicious TLD WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
13
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip http://www.noghteyab.com/f97t/?UX8=hkoMjg324npAs1ZBeZ8TzD/yod4wthTGeTvgOqr4Vk4zrcx6pPdRyFEwEDn18B/c37XIJfunev42iw6n9kOhHfgC7TNK8DtkFlqbOeckPp33fVEaTkv/0VMweSZvG65qVo/UWng=&_e=jxcPGi4BG http://www.zocalo-fuk.com/iczo/ http://www.zocalo-fuk.com/iczo/?UX8=JY7jtaSJ5x5vzidnjWySlw1C0GfgB4v3ywH460gVL7Ewt7sZ57bbwI6mxyJFGNyl5vwWXeVDvThdvQiyRvynE/Zjj7HkpiyOTqmD4v0kKDcwzqr276eGi6TkYHYmx5vmFqXXwms=&_e=jxcPGi4BG http://www.loangoatworld.com/8y3s/?UX8=m+e1HwtEOOeM4G5NTLK68Gp6Kwp+MY7uBR7SzEsfX5sQt5Y/60pxYxuDgYg2mwpPnMRTzCuNJ1kKNM0TTa/Wnuj7pyZLvslRvIdrySy2NFkwbRUK0Niqet6rEb5EadRpffeEIOc=&_e=jxcPGi4BG http://www.miquwawa.com/tqql/ - rule_id: 41186 http://www.loangoatworld.com/8y3s/ http://www.exporationgenius.sbs/x06k/?UX8=T/qtMR3LKa4LTbjxJENTE1gbHfbcMoDNkQwOkzuXYGM8AEnHwE1BoCD8ihzw/kVeeFO4GyYqoWqmFjylDbVKWJ6wgOd2jmN6i9pg74XS81AjK7oOmIcxjkpvsNU18Pzzy/zqp1g=&_e=jxcPGi4BG - rule_id: 41185 http://www.exporationgenius.sbs/x06k/ - rule_id: 41185 http://www.tcfreal.top/sg27/ http://www.tcfreal.top/sg27/?UX8=cpYt0YSQq6qumPKkPw6QLfXM1KObFctjUwEln5zritMpGV/+kM1tCQF1oqocoz5p4KbVgOmLQvtuRCfM7FFF+QE7cX+gmvJNP2ErFAfMZUG54lXQ6wu+5V3NDlvvWDRsBB/6vdY=&_e=jxcPGi4BG http://www.miquwawa.com/tqql/?UX8=u0XZF227Y/r9f3hnjIOG+jjSMjDg7zLaE5MpTM9c21roNqnsj5Giqo9JdiKVg3NN2RVqT0KrdJuiKB8prP8iYWfx9j8cghYBBFjwmC7Tnk8aYBcBXjkKDK2u4+7cSJR9pJqJ93M=&_e=jxcPGi4BG - rule_id: 41186 http://www.noghteyab.com/f97t/
|
13
www.noghteyab.com(46.105.190.248) www.miquwawa.com(95.169.27.235) - mailcious www.loangoatworld.com(3.33.130.190) www.exporationgenius.sbs(104.21.57.28) - mailcious www.zocalo-fuk.com(157.7.107.37) www.tcfreal.top(203.161.50.128) 104.21.57.28 - mailcious 95.169.27.235 - mailcious 3.33.130.190 - phishing 203.161.50.128 157.7.107.37 45.33.6.223 51.89.93.193
|
2
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain
|
4
http://www.miquwawa.com/tqql/ http://www.exporationgenius.sbs/x06k/ http://www.exporationgenius.sbs/x06k/ http://www.miquwawa.com/tqql/
|
13.4 |
M |
55 |
ZeroCERT
46370 |
2024-07-29 13:23
|
cp.exe aed4c0c1a8eddddad6e556442795f474 Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware Telegram AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger |
|
2
api.telegram.org(149.154.167.220) - mailcious 149.154.167.220 - mailcious
|
4
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.6 |
|
51 |
ZeroCERT
46371 |
2024-07-29 13:29
|
ef.exe 94b423329b05b002507c36396870bb25 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware DNS |
|
2
142.250.196.238 142.250.71.129
2.2 |
M |
64 |
ZeroCERT
46372 |
2024-07-29 13:32
|
cred.dll d696e4ee5dac5d3e4b5073359224fcdc Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://185.215.113.101/g99kdj4vsA/index.php
|
3
185.215.113.101 - malware 172.217.31.14 142.251.222.193
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
10.0 |
M |
54 |
ZeroCERT
46373 |
2024-07-29 13:34
|
win10.exe 7fa42ffc17069589fd85c3ea2b46a57c Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check DLL JPEG Format VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
10
drive.usercontent.google.com(142.250.206.193) - mailcious docs.google.com(142.250.76.142) - mailcious www.dropbox.com(162.125.80.18) - mailcious freedns.afraid.org(69.42.215.252) xred.mooo.com() - mailcious 162.125.80.18 - mailcious 38.147.172.248 - mailcious 69.42.215.252 172.217.31.14 142.251.222.193
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
68 |
ZeroCERT
46374 |
2024-07-29 13:36
|
beyondtransfer.exe 99f875d6395b7697228e9cbc8533fdc7 .NET framework(MSIL) PE File .NET EXE PE32 Malware download VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS |
1
http://193.233.203.218/creative/Fpdvdr.mp4
|
1
193.233.203.218 - malware
|
4
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII ET MALWARE PE EXE or DLL Windows file download Text M2 ET HUNTING [TW] Likely Hex Executable String ET SHELLCODE Common 0a0a0a0a Heap Spray String
|
|
5.6 |
M |
58 |
ZeroCERT
46375 |
2024-07-29 13:38
|
3-1.exe 3482f7d0b7c1a3eeca3874bc9a1397ce Generic Malware Malicious Library ASPack UPX Malicious Packer Socket ScreenShot Escalate priviledges PWS SMTP SSL DNS Dynamic Dns Internet API persistence KeyLogger AntiDebug AntiVM DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG For VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities AppData folder malicious URLs sandbox evasion Tofsee Windows Browser Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
13
www.dropbox.com(162.125.80.18) - mailcious drive.usercontent.google.com(142.250.206.193) - mailcious freedns.afraid.org(69.42.215.252) docs.google.com(172.217.25.174) - mailcious xred.mooo.com() - mailcious smtp.163.com(103.129.252.45) 103.129.252.45 162.125.80.18 - mailcious 142.250.71.129 142.250.196.238 38.147.172.248 - mailcious 45.33.6.223 69.42.215.252
|
3
SURICATA Applayer Detect protocol only one direction ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
M |
69 |
ZeroCERT
46376 |
2024-07-29 13:38
|
sa.exe b78d38577f3a1ba9178e7fab5e5bddf6 Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName DNS keylogger |
|
2
142.250.197.65 142.250.76.14
6.8 |
M |
59 |
ZeroCERT
46377 |
2024-07-29 13:39
|
wd.exe d65f5982c1f1f2967fdd91b7f21a5696 Generic Malware Malicious Library Malicious Packer ASPack UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check DLL JPEG Format VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
9
drive.usercontent.google.com(142.250.206.193) - mailcious docs.google.com(172.217.161.238) - mailcious www.dropbox.com(162.125.80.18) - mailcious freedns.afraid.org(69.42.215.252) xred.mooo.com() - mailcious 69.42.215.252 142.250.197.65 162.125.80.18 - mailcious 142.250.76.14
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
|
|
8.2 |
M |
70 |
ZeroCERT
46378 |
2024-07-29 13:42
|
random.exe a45cd34dab56ce2f61232c79a750374d RedLine stealer Generic Malware EnigmaProtector UPX Malicious Library Code injection Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Detects VMWare AppData folder malicious URLs VMware anti-virtualization human activity check installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName DNS crashed |
3
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.16/stealc/random.exe
http://185.215.113.16/well/random.exe
|
4
crash-reports.mozilla.com(34.49.45.138) 34.49.45.138
185.215.113.16 - mailcious
185.215.113.19 - malware
|
8
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Packed Executable Download SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
18.6 |
M |
40 |
ZeroCERT
46379 |
2024-07-29 13:42
|
clip64.dll 7d257e3bb8441810561e09092162df73 Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://185.215.113.101/g99kdj4vsA/index.php
|
1
185.215.113.101 - malware
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
3.6 |
M |
57 |
ZeroCERT
46380 |
2024-07-29 13:45
|
main.exe e3e1f7fa42dd68f410bb885f0aefe5e3 Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 |
M |
64 |
ZeroCERT