| 46666 |
2024-08-05 11:14
|
 killer.exe 814b21e6d086af54d0f76290622ad1db
UPX PE File PE64 VirusTotal Malware Check memory Checks debugger Creates executable files Windows utilities WriteConsoleW Windows |
|
|
|
|
5.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46667 |
2024-08-05 11:16
|
 xmrig.exe e2fe87cc2c7dab8ca6516620dccd1381
XMRig Miner Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself ComputerName |
|
|
|
|
1.8 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46668 |
2024-08-05 11:18
|
 Apex.exe 017933f498a5e5fec5429ac2a1dc3b4a
PE File PE32 VirusTotal Malware unpack itself DNS crashed |
1
http://42.193.241.116:19920/1p172BRmPZK29yhc1OKl/?card=&mac=&soft=apex&Var=1
|
1
|
|
|
3.4 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46669 |
2024-08-05 11:21
|
 kill.exe da72c93960a58f7fc95220cd8428b548
UPX PE File PE64 VirusTotal Malware Check memory Checks debugger Creates executable files Windows utilities WriteConsoleW Windows |
|
|
|
|
5.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46670 |
2024-08-05 11:26
|
 x64.exe e4b9f59c60edde996ac3c2d2b133dbf7
Emotet Swrort Generic Malware Armageddon APT [C] All Process Malicious Library UPX Malicious Packer Antivirus Anti_VM PE File PE32 OS Processor Check DLL PE64 ftp MZP Format VirusTotal Malware PDB Creates executable files AppData folder Remote Code Execution |
|
|
|
|
3.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46671 |
2024-08-05 13:56
|
 Apex.exe 017933f498a5e5fec5429ac2a1dc3b4a
UPX PE File PE32 VirusTotal Malware unpack itself DNS crashed |
1
http://42.193.241.116:19920/1p172BRmPZK29yhc1OKl/?card=&mac=&soft=apex&Var=1 - rule_id: 41762
|
1
|
|
1
http://42.193.241.116:19920/
|
3.4 |
M |
54 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46672 |
2024-08-05 14:01
|
 SS.exe 1f0754128f1fd32781886c3d9e7dc138
UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows utilities WriteConsoleW Windows crashed |
|
|
|
|
5.0 |
M |
50 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46673 |
2024-08-05 14:04
|
 Na.exe e91d7d92b5c5ab6d2c6ee2da175bb119
UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows utilities WriteConsoleW Windows crashed |
|
|
|
|
5.0 |
M |
52 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46674 |
2024-08-05 14:30
|
 민혜지2.jse 6fba482cb866a3c51dc9063527886f5d
Generic Malware Hide_EXE Antivirus Malicious Library VMProtect Anti_VM JPEG Format PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://pmlroma.kro.kr/index.php
|
2
pmlroma.kro.kr(77.73.69.166)
77.73.69.166
|
|
|
10.2 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46675 |
2024-08-05 14:47
|
 wanmgr.exe 27aa8ad8930fa0d076510cfb6573ce74
Malicious Library DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore Cobalt Strike NetWireRC VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process human activity check Windows RAT ComputerName DNS DDNS |
|
2
blackangel.hopto.org(103.89.91.169)
103.89.91.169
|
5
ET POLICY DNS Query to DynDNS Domain *.hopto .org
ET MALWARE NanoCore RAT CnC 7
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT Keepalive Response 1
ET MALWARE NanoCore RAT Keepalive Response 3
|
|
13.0 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46676 |
2024-08-05 15:06
|
 Update.js 965ef5d776d9b91d2743a44b4093298aVBScript wscript.exe payload download Tofsee Dropper |
1
https://bwly.living.miraclesofeucharisticjesus.org/orderReview
|
2
bwly.living.miraclesofeucharisticjesus.org(162.252.175.41)
162.252.175.41 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46677 |
2024-08-05 15:24
|
archive.7z 662ee89f76cfb8a8bddc6894b08203a6
Amadey Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Amadey Vidar Cryptocurrency Miner Malware c&c Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check Tofsee Stealc Stealer Windows Discord Browser RisePro DNS plugin CoinMiner |
28
http://detectportal.firefox.com/canonical.html
http://185.225.200.214/api/crazyfish.php
http://185.215.113.24/0d60be0de163924d/sqlite3.dll
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
http://185.215.113.24/0d60be0de163924d/msvcp140.dll
http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
http://185.215.113.16/well/random.exe - rule_id: 41492
http://194.58.114.223/d/525403
http://185.215.113.19/Vi9leo/index.php - rule_id: 41489
http://185.215.113.24/ - rule_id: 41729
http://176.111.174.109/socker
http://147.45.44.104/prog/66af31c75d213_123p.exe
http://185.215.113.24/0d60be0de163924d/softokn3.dll
http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
http://147.45.44.104/prog/66af531b832ee_main.exe#space
http://185.215.113.24/e2b1563c6670f193.php
http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
http://detectportal.firefox.com/success.txt?ipv4
http://185.215.113.24/0d60be0de163924d/nss3.dll
http://185.225.200.214/api/twofish.php
http://185.215.113.24/0d60be0de163924d/freebl3.dll
http://185.215.113.16/nemo/herso.exe
http://185.215.113.24/0d60be0de163924d/mozglue.dll
http://www.google.com/
https://stan.pinefootsteps.com/ssl/crt.exe
https://steamcommunity.com/profiles/76561199747278259
https://iplogger.org/1nhuM4.js
https://api.myip.com/
|
81
detectportal.firefox.com(34.107.221.82)
stan.pinefootsteps.com(104.21.32.226)
www.reddit.com(151.101.1.140)
vanaheim.cn(213.226.112.95) - mailcious
firefox.settings.services.mozilla.com(34.149.100.209)
example.org(93.184.215.14) - mailcious
ipinfo.io(34.117.59.81)
accounts.google.com(64.233.188.84)
prod.content-signature-chains.prod.webservices.mozgcp.net(34.160.144.191)
accounts.youtube.com(142.250.206.206) - phishing
contile.services.mozilla.com(34.117.188.166)
www.wikipedia.org(103.102.166.224)
play.google.com(142.250.206.206)
steamcommunity.com(23.194.74.106) - mailcious
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
iplogger.org(104.21.4.208) - mailcious
www.gstatic.com(142.250.206.227)
twitter.com(104.244.42.129)
star-mini.c10r.facebook.com(157.240.215.35)
shavar.services.mozilla.com(35.165.99.161)
cdn.discordapp.com(162.159.133.233) - malware
content-signature-2.cdn.mozilla.net(34.160.144.191)
tracking-protection.cdn.mozilla.net(34.120.158.37)
shavar.prod.mozaws.net(44.239.110.200)
pool.hashvault.pro(142.202.242.43) - mailcious
youtube-ui.l.google.com(172.217.161.206)
push.services.mozilla.com(34.107.243.93)
www.youtube.com(172.217.161.206) - mailcious
prod.remote-settings.prod.webservices.mozgcp.net(34.149.100.209)
www3.l.google.com(142.250.206.206)
ipv4only.arpa(192.0.0.170)
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
fonts.gstatic.com(142.250.207.99)
dyna.wikimedia.org(103.102.166.224)
reddit.map.fastly.net(151.101.1.140)
aus5.mozilla.org(35.244.181.201)
t.me(149.154.167.99) - mailcious
www.facebook.com(157.240.215.35)
www.google.com(142.250.76.132)
api.myip.com(104.26.8.59)
tracking-protection.prod.mozaws.net(34.120.158.37)
benimmekansohbet.com(178.63.100.241)
34.107.243.93
77.105.164.24
142.250.207.99
44.239.110.200
34.107.221.82
34.160.144.191
162.159.135.233 - malware
178.63.100.241
168.119.176.241
34.120.158.37
184.26.241.154 - mailcious
149.154.167.99 - mailcious
185.215.113.24 - mailcious
194.58.114.223
176.111.174.92
193.143.1.5
142.250.76.132
34.117.59.81
213.226.112.95
34.149.100.209
176.113.115.84 - mailcious
176.111.174.109 - malware
104.26.8.59
147.45.44.104
185.225.200.214
176.113.115.135 - mailcious
176.113.115.136 - mailcious
104.21.32.226 - malware
35.244.181.201
34.117.188.166
125.253.92.50
142.250.206.206 - mailcious
185.215.113.16 - mailcious
185.215.113.19 - malware
45.143.201.238 - mailcious
142.250.206.227
62.122.184.58 - mailcious
64.233.187.84
172.67.132.113
|
44
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET HUNTING Redirect to Discord Attachment Download
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO TLS Handshake Failure
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 6
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
|
3
http://185.215.113.16/well/random.exe
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.24/
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46678 |
2024-08-05 15:39
|
 66af45d13a3cb_xincz.exe#xin 50d48645ac2526fbc7f99c5d7fb9eb42
Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
0.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46679 |
2024-08-05 15:39
|
 setup.exe 91debd6b56717f90a922f0ea33155e68
Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios suspicious process WriteConsoleW anti-virtualization Windows ComputerName Cryptographic key |
|
|
|
|
10.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46680 |
2024-08-05 15:41
|
 crt.exe f0958ee9db38d69ba0c9757926f0b895
Emotet Gen1 Malicious Library UPX PE File PE32 MZP Format PE64 DLL DllRegisterServer dll OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|