Sandbox analysis listing, 2024-08-05. Each record: ID | submitted | file | MD5; Tags; network indicators (URLs, Hosts, Alerts, Flagged URLs with their count); Score | M flag | VT detections | submitter.

46666 | 2024-08-05 11:14 | killer.exe | 814b21e6d086af54d0f76290622ad1db
Tags: UPX, PE File, PE64, VirusTotal, Malware, Check memory, Checks debugger, Creates executable files, Windows utilities, WriteConsoleW, Windows
Network: none recorded
Score 5.0 | M | VT 52 | ZeroCERT

46667 | 2024-08-05 11:16 | xmrig.exe | e2fe87cc2c7dab8ca6516620dccd1381
Tags: XMRig Miner, Generic Malware, Malicious Library, Malicious Packer, UPX, PE File, PE64, OS Processor Check, VirusTotal, Malware, unpack itself, ComputerName
Network: none recorded
Score 1.8 | M | VT 61 | ZeroCERT

46668 | 2024-08-05 11:18 | Apex.exe | 017933f498a5e5fec5429ac2a1dc3b4a
Tags: PE File, PE32, VirusTotal, Malware, unpack itself, DNS, crashed
URLs (1):
  http://42.193.241.116:19920/1p172BRmPZK29yhc1OKl/?card=&mac=&soft=apex&Var=1
Hosts (1): none listed
Score 3.4 | M | VT 54 | ZeroCERT

46669 | 2024-08-05 11:21 | kill.exe | da72c93960a58f7fc95220cd8428b548
Tags: UPX, PE File, PE64, VirusTotal, Malware, Check memory, Checks debugger, Creates executable files, Windows utilities, WriteConsoleW, Windows
Network: none recorded
Score 5.0 | M | VT 48 | ZeroCERT

46670 | 2024-08-05 11:26 | x64.exe | e4b9f59c60edde996ac3c2d2b133dbf7
Tags: Emotet, Swrort, Generic Malware, Armageddon APT [C] All Process, Malicious Library, UPX, Malicious Packer, Antivirus, Anti_VM, PE File, PE32, OS Processor Check, DLL, PE64, ftp, MZP Format, VirusTotal, Malware, PDB, Creates executable files, AppData folder, Remote Code Execution
Network: none recorded
Score 3.0 | M | VT 56 | ZeroCERT

46671 | 2024-08-05 13:56 | Apex.exe | 017933f498a5e5fec5429ac2a1dc3b4a
Tags: UPX, PE File, PE32, VirusTotal, Malware, unpack itself, DNS, crashed
URLs (1):
  http://42.193.241.116:19920/1p172BRmPZK29yhc1OKl/?card=&mac=&soft=apex&Var=1 - rule_id: 41762
Hosts (1): none listed
Flagged URLs (1):
  http://42.193.241.116:19920/
Score 3.4 | M | VT 54 | r0d

46672 | 2024-08-05 14:01 | SS.exe | 1f0754128f1fd32781886c3d9e7dc138
Tags: UPX, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Windows utilities, WriteConsoleW, Windows, crashed
Network: none recorded
Score 5.0 | M | VT 50 | r0d

46673 | 2024-08-05 14:04 | Na.exe | e91d7d92b5c5ab6d2c6ee2da175bb119
Tags: UPX, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Windows utilities, WriteConsoleW, Windows, crashed
Network: none recorded
Score 5.0 | M | VT 52 | r0d

46674 | 2024-08-05 14:30 | 민혜지2.jse | 6fba482cb866a3c51dc9063527886f5d
Tags: Generic Malware, Hide_EXE, Antivirus, Malicious Library, VMProtect, Anti_VM, JPEG Format, PE File, PE64, VirusTotal, Malware, powershell, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
URLs (1):
  http://pmlroma.kro.kr/index.php
Hosts (2):
  pmlroma.kro.kr(77.73.69.166)
  77.73.69.166
Score 10.2 | VT 2 | ZeroCERT

46675 | 2024-08-05 14:47 | wanmgr.exe | 27aa8ad8930fa0d076510cfb6573ce74
Tags: Malicious Library, DNS, AntiDebug, AntiVM, PE File, .NET EXE, PE32, Malware download, Nanocore, Cobalt Strike, NetWireRC, VirusTotal, Malware, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, human activity check, Windows, RAT, ComputerName, DNS, DDNS
Hosts (2):
  blackangel.hopto.org(103.89.91.169)
  103.89.91.169
Alerts (5):
  ET POLICY DNS Query to DynDNS Domain *.hopto .org
  ET MALWARE NanoCore RAT CnC 7
  ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
  ET MALWARE NanoCore RAT Keepalive Response 1
  ET MALWARE NanoCore RAT Keepalive Response 3
Score 13.0 | VT 56 | ZeroCERT

46676 | 2024-08-05 15:06 | Update.js | 965ef5d776d9b91d2743a44b4093298a
Tags: VBScript, wscript.exe, payload download, Tofsee, Dropper
URLs (1):
  https://bwly.living.miraclesofeucharisticjesus.org/orderReview
Hosts (2):
  bwly.living.miraclesofeucharisticjesus.org(162.252.175.41)
  162.252.175.41 - malicious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score 10.0 | guest

46677 | 2024-08-05 15:24 | archive.7z | 662ee89f76cfb8a8bddc6894b08203a6
Tags: Amadey, Stealc, Escalate privileges, PWS, KeyLogger, AntiDebug, AntiVM, Malware download, Vidar, Cryptocurrency Miner, Malware, c&c, Telegram, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, ICMP traffic, unpack itself, IP Check, Tofsee, Stealer, Windows, Discord, Browser, RisePro, DNS, plugin, CoinMiner
URLs (28):
  http://detectportal.firefox.com/canonical.html
  http://185.225.200.214/api/crazyfish.php
  http://185.215.113.24/0d60be0de163924d/sqlite3.dll
  http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
  http://185.215.113.24/0d60be0de163924d/msvcp140.dll
  http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
  http://185.215.113.16/well/random.exe - rule_id: 41492
  http://194.58.114.223/d/525403
  http://185.215.113.19/Vi9leo/index.php - rule_id: 41489
  http://185.215.113.24/ - rule_id: 41729
  http://176.111.174.109/socker
  http://147.45.44.104/prog/66af31c75d213_123p.exe
  http://185.215.113.24/0d60be0de163924d/softokn3.dll
  http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
  http://147.45.44.104/prog/66af531b832ee_main.exe#space
  http://185.215.113.24/e2b1563c6670f193.php
  http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
  http://detectportal.firefox.com/success.txt?ipv4
  http://185.215.113.24/0d60be0de163924d/nss3.dll
  http://185.225.200.214/api/twofish.php
  http://185.215.113.24/0d60be0de163924d/freebl3.dll
  http://185.215.113.16/nemo/herso.exe
  http://185.215.113.24/0d60be0de163924d/mozglue.dll
  http://www.google.com/
  https://stan.pinefootsteps.com/ssl/crt.exe
  https://steamcommunity.com/profiles/76561199747278259
  https://iplogger.org/1nhuM4.js
  https://api.myip.com/
Hosts (81):
  detectportal.firefox.com(34.107.221.82)
  stan.pinefootsteps.com(104.21.32.226)
  www.reddit.com(151.101.1.140)
  vanaheim.cn(213.226.112.95) - malicious
  firefox.settings.services.mozilla.com(34.149.100.209)
  example.org(93.184.215.14) - malicious
  ipinfo.io(34.117.59.81)
  accounts.google.com(64.233.188.84)
  prod.content-signature-chains.prod.webservices.mozgcp.net(34.160.144.191)
  accounts.youtube.com(142.250.206.206) - phishing
  contile.services.mozilla.com(34.117.188.166)
  www.wikipedia.org(103.102.166.224)
  play.google.com(142.250.206.206)
  steamcommunity.com(23.194.74.106) - malicious
  prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
  iplogger.org(104.21.4.208) - malicious
  www.gstatic.com(142.250.206.227)
  twitter.com(104.244.42.129)
  star-mini.c10r.facebook.com(157.240.215.35)
  shavar.services.mozilla.com(35.165.99.161)
  cdn.discordapp.com(162.159.133.233) - malware
  content-signature-2.cdn.mozilla.net(34.160.144.191)
  tracking-protection.cdn.mozilla.net(34.120.158.37)
  shavar.prod.mozaws.net(44.239.110.200)
  pool.hashvault.pro(142.202.242.43) - malicious
  youtube-ui.l.google.com(172.217.161.206)
  push.services.mozilla.com(34.107.243.93)
  www.youtube.com(172.217.161.206) - malicious
  prod.remote-settings.prod.webservices.mozgcp.net(34.149.100.209)
  www3.l.google.com(142.250.206.206)
  ipv4only.arpa(192.0.0.170)
  prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
  fonts.gstatic.com(142.250.207.99)
  dyna.wikimedia.org(103.102.166.224)
  reddit.map.fastly.net(151.101.1.140)
  aus5.mozilla.org(35.244.181.201)
  t.me(149.154.167.99) - malicious
  www.facebook.com(157.240.215.35)
  www.google.com(142.250.76.132)
  api.myip.com(104.26.8.59)
  tracking-protection.prod.mozaws.net(34.120.158.37)
  benimmekansohbet.com(178.63.100.241)
  34.107.243.93
  77.105.164.24
  142.250.207.99
  44.239.110.200
  34.107.221.82
  34.160.144.191
  162.159.135.233 - malware
  178.63.100.241
  168.119.176.241
  34.120.158.37
  184.26.241.154 - malicious
  149.154.167.99 - malicious
  185.215.113.24 - malicious
  194.58.114.223
  176.111.174.92
  193.143.1.5
  142.250.76.132
  34.117.59.81
  213.226.112.95
  34.149.100.209
  176.113.115.84 - malicious
  176.111.174.109 - malware
  104.26.8.59
  147.45.44.104
  185.225.200.214
  176.113.115.135 - malicious
  176.113.115.136 - malicious
  104.21.32.226 - malware
  35.244.181.201
  34.117.188.166
  125.253.92.50
  142.250.206.206 - malicious
  185.215.113.16 - malicious
  185.215.113.19 - malware
  45.143.201.238 - malicious
  142.250.206.227
  62.122.184.58 - malicious
  64.233.187.84
  172.67.132.113
Alerts (44):
  ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET INFO Executable Download from dotted-quad Host
  ET DROP Spamhaus DROP Listed Traffic Inbound group 30
  ET HUNTING Redirect to Discord Attachment Download
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE RisePro TCP Heartbeat Packet
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET INFO TLS Handshake Failure
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET DROP Spamhaus DROP Listed Traffic Inbound group 6
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET DROP Spamhaus DROP Listed Traffic Inbound group 37
  ET DROP Spamhaus DROP Listed Traffic Inbound group 5
Flagged URLs (3):
  http://185.215.113.16/well/random.exe
  http://185.215.113.19/Vi9leo/index.php
  http://185.215.113.24/
Score 5.0 | M | ZeroCERT

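The alert names in records 46668/46671 (an IP-literal C2 on port 19920), 46675 (a DynDNS query) and 46677 (browser DLL pulls and executable downloads from dotted-quad hosts, IP-check services, a mining-pool lookup) encode heuristics that are easy to reproduce against proxy and DNS logs. The Python below is an added example written for this listing, not code from the sandbox or from Emerging Threats: the label names, the thresholds (min_dlls, the non-standard-port rule) and the sample indicators are constructed here from the records above.

```python
"""Reproduce the URL/DNS heuristics behind the ET alerts on this page.

Added example for this listing, not code from the sandbox or from Emerging
Threats. Label names, thresholds and the sample indicators are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Browser-support DLLs that Stealc/Vidar fetch to read credential stores
# (the ET HUNTING "HTTP GET Request for <dll>" alerts in record 46677).
STEALER_DLLS = {
    "sqlite3.dll", "nss3.dll", "freebl3.dll", "mozglue.dll",
    "softokn3.dll", "vcruntime140.dll", "msvcp140.dll",
}
# Public-IP lookup services seen in record 46677 (ET POLICY/INFO IP Check alerts).
IP_CHECK_DOMAINS = {"iplogger.org", "api.myip.com", "ipinfo.io"}
# Dynamic-DNS suffix from record 46675; assumption: a sample, not the full ET list.
DYNDNS_SUFFIXES = (".hopto.org",)
# Mining pool from record 46677 (ET COINMINER CoinMiner Domain in DNS Lookup).
MINING_POOLS = {"pool.hashvault.pro"}
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return the labels that fire on one requested URL (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    name = parts.path.rsplit("/", 1)[-1].lower()
    labels = []
    if DOTTED_QUAD.match(host):
        if name.endswith(".exe"):
            labels.append("exe-from-dotted-quad")
        if name in STEALER_DLLS:
            labels.append("stealer-dll-from-dotted-quad")
        elif name.endswith(".dll"):
            labels.append("dll-from-dotted-quad")
        # Assumed heuristic: IP-literal host on a non-web port, like the
        # 42.193.241.116:19920 beacon in records 46668/46671.
        if parts.port and parts.port not in (80, 443):
            labels.append("dotted-quad-nonstandard-port")
    if _under(host, IP_CHECK_DOMAINS):
        labels.append("ip-check-service")
    return labels


def classify_dns(qname):
    """Return the labels that fire on one DNS query name."""
    q = qname.lower().rstrip(".")
    labels = []
    if q.endswith(DYNDNS_SUFFIXES):
        labels.append("dyndns-domain")
    if _under(q, MINING_POOLS):
        labels.append("coinminer-pool")
    if _under(q, IP_CHECK_DOMAINS):
        labels.append("ip-check-service")
    return labels


def stealer_staging_hosts(urls, min_dlls=3):
    """Hosts that served at least min_dlls distinct DLLs from STEALER_DLLS.

    One DLL request is a hunting lead; a host handing out the whole set is the
    staging pattern. min_dlls is an assumed threshold.
    """
    served = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name in STEALER_DLLS:
            served[(parts.hostname or "").lower()].add(name)
    return {host for host, dlls in served.items() if len(dlls) >= min_dlls}


# Constructed sample: indicators copied from records 46668, 46675 and 46677,
# plus one benign Firefox captive-portal probe that should produce no label.
SAMPLE_URLS = [
    "http://42.193.241.116:19920/1p172BRmPZK29yhc1OKl/?card=&mac=&soft=apex&Var=1",
    "http://185.215.113.24/0d60be0de163924d/sqlite3.dll",
    "http://185.215.113.24/0d60be0de163924d/nss3.dll",
    "http://185.215.113.24/0d60be0de163924d/freebl3.dll",
    "http://185.215.113.24/0d60be0de163924d/mozglue.dll",
    "http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin",
    "https://iplogger.org/1nhuM4.js",
    "http://detectportal.firefox.com/success.txt?ipv4",
]
SAMPLE_DNS = ["blackangel.hopto.org", "pool.hashvault.pro", "api.myip.com",
              "www.wikipedia.org"]


def triage(urls=SAMPLE_URLS, dns=SAMPLE_DNS):
    """Map each indicator to its labels, keeping only those something fired on."""
    findings = {u: classify_url(u) for u in urls}
    findings.update({q: classify_dns(q) for q in dns})
    return {ioc: labels for ioc, labels in findings.items() if labels}


if __name__ == "__main__":
    for ioc, labels in triage().items():
        print(f"{', '.join(labels):32} {ioc}")
    print("stealer staging hosts:", stealer_staging_hosts(SAMPLE_URLS))
```

The per-URL labels are the cheap part; the check a practitioner actually wants is stealer_staging_hosts, which only fires when one host hands out several of the browser DLLs, as 185.215.113.24 does in record 46677. A single vcruntime140.dll download from an IP-literal host is a lead, not a verdict.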
46678 | 2024-08-05 15:39 | 66af45d13a3cb_xincz.exe#xin | 50d48645ac2526fbc7f99c5d7fb9eb42
Tags: Generic Malware, Malicious Library, Malicious Packer, UPX, DllRegisterServer, dll, PE File, PE64, OS Processor Check, VirusTotal, Malware
Network: none recorded
Score 0.4 | VT 8 | ZeroCERT

46679 | 2024-08-05 15:39 | setup.exe | 91debd6b56717f90a922f0ea33155e68
Tags: Generic Malware, Malicious Library, Antivirus, AntiDebug, AntiVM, PE File, PE32, PowerShell, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, WMI, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Windows utilities, Disables Windows Security, Checks Bios, suspicious process, WriteConsoleW, anti-virtualization, Windows, ComputerName, Cryptographic key
Network: none recorded
Score 10.4 | ZeroCERT

46680 | 2024-08-05 15:41 | crt.exe | f0958ee9db38d69ba0c9757926f0b895
Tags: Emotet, Gen1, Malicious Library, UPX, PE File, PE32, MZP Format, PE64, DLL, DllRegisterServer, dll, OS Processor Check, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder
Network: none recorded
Score 1.8 | ZeroCERT
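The host lists in these records mix domain(ip) pairs with bare IPs, and the site's reputation tag (malware, malicious, phishing) can sit on either form. Before such a list goes into a blocklist, a practitioner wants the tags merged per IP and the shared front-end addresses kept apart: in record 46677, 142.250.206.206 carries both "phishing" and "malicious" yet also resolves accounts.youtube.com, play.google.com and www3.l.google.com. The Python below is an added example, not the sandbox site's code; the entry grammar is inferred from the records above, and the max_shared threshold and the excerpt it runs on (copied from record 46677's host list) are assumptions made here.

```python
"""Merge host(ip) - tag entries from a sandbox record into per-IP reputation.

Added example for this listing, not the sandbox site's code. The entry grammar
is inferred from the records above; max_shared and the excerpt are assumptions.
"""
import re
from collections import defaultdict

# One entry is "domain(ip)" or a bare "ip", optionally followed by " - <tag>".
ENTRY = re.compile(
    r"(?:(?P<host>[A-Za-z0-9.-]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s*-\s*(?P<tag>[A-Za-z]+))?"
)


def parse_hosts(text):
    """Return (domain or None, ip, tag or None) for every entry in a host list."""
    return [(m.group("host"), m.group("ip") or m.group("bare"), m.group("tag"))
            for m in ENTRY.finditer(text)]


def ip_reputation(entries):
    """Per IP: every tag seen on any entry for it, and every domain that resolved to it."""
    rep = defaultdict(lambda: {"tags": set(), "domains": set()})
    for domain, ip, tag in entries:
        if domain:
            rep[ip]["domains"].add(domain)
        if tag:
            rep[ip]["tags"].add(tag)
    return dict(rep)


def block_decisions(entries, max_shared=2):
    """Split tagged IPs into those safe to block and those needing review.

    An IP that more than max_shared domains resolved to in the same record is a
    shared front end (CDN, big-tech edge); a tag on it is noise, not an IOC.
    """
    block, review = set(), set()
    for ip, info in ip_reputation(entries).items():
        if not info["tags"]:
            continue  # untagged in this record does not mean clean
        (review if len(info["domains"]) > max_shared else block).add(ip)
    return block, review


# Constructed excerpt from record 46677's host list (order and tags as on the page).
SAMPLE = (
    "stan.pinefootsteps.com(104.21.32.226) accounts.google.com(64.233.188.84) "
    "accounts.youtube.com(142.250.206.206) - phishing play.google.com(142.250.206.206) "
    "www3.l.google.com(142.250.206.206) iplogger.org(104.21.4.208) - malicious "
    "pool.hashvault.pro(142.202.242.43) - malicious t.me(149.154.167.99) - malicious "
    "149.154.167.99 - malicious 185.215.113.24 - malicious 104.21.32.226 - malware "
    "142.250.206.206 - malicious 185.215.113.19 - malware 147.45.44.104"
)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE)
    rep = ip_reputation(entries)
    block, review = block_decisions(entries)
    for ip in sorted(block):
        print("block ", ip, sorted(rep[ip]["tags"]), sorted(rep[ip]["domains"]))
    for ip in sorted(review):
        print("review", ip, sorted(rep[ip]["tags"]), sorted(rep[ip]["domains"]))
```

Two caveats the output makes visible. The threshold only knows what this one record resolved, so t.me's 149.154.167.99 lands in the block set on the strength of a single domain; fold in passive DNS before acting on it. And 147.45.44.104 ends up in neither set because the site attached no tag to it, even though the same record shows it serving four .exe files, so an absent tag is not a clean verdict.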