46756 | 2024-08-07 09:51
File: excel.exe
MD5: 0f73677af37f11c406ca9f726653eb54
Tags: PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Checks debugger Creates executable files unpack itself Windows utilities suspicious process Windows Cryptographic key
URLs: (none listed)
Hosts: (none listed)
Alerts: (none listed)
6.6 | M | 59 | ZeroCERT
46757 | 2024-08-07 09:53
File: zoom.vbs
MD5: 23beb362ea6c6447b481f4b507fc4fe7
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper
URLs (2):
  http://ip-api.com/json/
  http://chongmei33.publicvm.com:7045/is-ready
Hosts (4):
  chongmei33.publicvm.com(46.246.6.6) - mailcious
  ip-api.com(208.95.112.1)
  46.246.6.6
  208.95.112.1
Alerts (3):
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET POLICY External IP Lookup ip-api.com
10.0 | 27 | ZeroCERT
46758 | 2024-08-07 09:54
File: 719.vbs
MD5: bddc705622e0b2e5022ab7e66e2fd204
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper
URLs (2):
  http://ip-api.com/json/
  http://chongmei33.publicvm.com:7044/is-ready
Hosts (4):
  chongmei33.publicvm.com(46.246.6.6) - mailcious
  ip-api.com(208.95.112.1)
  46.246.6.6
  208.95.112.1
Alerts (3):
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET POLICY External IP Lookup ip-api.com
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
10.0 | 25 | ZeroCERT
46759 | 2024-08-07 09:55
File: cred64.dll
MD5: 22b622506f13b2f13f4ef2db22d23a3f
Tags: Generic Malware Malicious Library UPX Antivirus PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process suspicious TLD sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
Hosts (3):
  ruspyc.top(154.216.20.234) - mailcious
  154.216.20.234 - malware
  208.95.112.1
Alerts (3):
  ET DNS Query to a *.top domain - Likely Hostile
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  ET INFO HTTP Request to a *.top domain
1 | 10.2 | M | 57 | ZeroCERT
46760 | 2024-08-07 09:56
File: w79.vbs
MD5: 661e4447857ab3a35bd5d510c4b53657
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper
URLs (2):
  http://ip-api.com/json/
  http://chongmei33.publicvm.com:7044/is-ready
Hosts (4):
  chongmei33.publicvm.com(46.246.6.6) - mailcious
  ip-api.com(208.95.112.1)
  46.246.6.6
  208.95.112.1
Alerts (3):
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET POLICY External IP Lookup ip-api.com
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
10.0 | M | 28 | ZeroCERT
46761 | 2024-08-07 09:57
File: setup.exe
MD5: fc99ddf185aa553bf30c431cc897c903
Tags: Generic Malware Malicious Library UPX ftp PE File PE32 OS Processor Check VirusTotal Malware Telegram Code Injection unpack itself IP Check DNS
URLs (1):
  http://myexternalip.com/raw
Hosts (4):
  myexternalip.com(34.160.111.145)
  api.telegram.org(149.154.167.220) - mailcious
  34.160.111.145
  149.154.167.220 - mailcious
Alerts (4):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  ET POLICY External IP Check myexternalip.com
5.2 | M | 33 | ZeroCERT
46762 | 2024-08-07 09:58
File: clip64.dll
MD5: 40c8cf4849514e1d32f865bafe75f898
Tags: Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS
URLs (1):
  http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
Hosts (2):
  ruspyc.top(154.216.20.234) - mailcious
  154.216.20.234 - malware
Alerts (3):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
1 | 3.0 | M | 56 | ZeroCERT
46763 | 2024-08-07 10:00
File: cred.dll
MD5: 2fb39d6664f6b415124cf2368db92fb4
Tags: Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
Hosts (2):
  ruspyc.top(154.216.20.234) - mailcious
  154.216.20.234 - malware
Alerts (3):
  ET DNS Query to a *.top domain - Likely Hostile
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  ET INFO HTTP Request to a *.top domain
1 | 8.2 | M | ZeroCERT
46764 | 2024-08-07 10:02
File: ds.exe
MD5: 3b6b710da92a115329d00c5e55ad7671
Tags: Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
URLs: (none listed)
Hosts: (none listed)
Alerts: (none listed)
1.8 | M | 25 | ZeroCERT
46765 | 2024-08-07 10:04
File: 193.exe
MD5: 5a5ccdbe3cdd135a57f61138867932a8
Tags: Generic Malware UPX PE File PE32 VirusTotal Malware DNS
URLs (1):
  http://115.159.47.193/4.jpg
Hosts: 1 (not listed)
Alerts: (none listed)
4.0 | M | 59 | ZeroCERT
46766 | 2024-08-07 10:04
File: amadey.exe
MD5: 107c3b33e05d1d569cccc2052e56055e
Tags: Amadey Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check DLL PE64 JPEG Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software
URLs (4):
  http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll
  http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll
  http://80.66.75.214/g8djmsaxA/index.php?scr=1
  http://80.66.75.214/g8djmsaxA/index.php
Hosts (29):
  197.234.223.180 77.246.158.216 157.97.109.159 83.243.47.17 118.25.101.87 47.99.144.17 79.124.17.242 37.16.7.184 34.43.67.154 162.0.211.158 213.100.160.101 110.42.3.95 80.66.75.214 - malware 63.134.234.92 146.148.25.153 116.202.81.93 125.229.77.252 182.92.155.50 38.249.8.144 38.249.14.69 119.176.96.94 184.154.46.96 213.199.32.146 79.96.222.94 178.17.168.102 155.159.241.238 87.230.85.251 162.240.68.86 68.183.179.133
Alerts (5):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 25
  ET MALWARE Amadey Bot Activity (POST) M1
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
13.6 | M | 52 | ZeroCERT
46767 | 2024-08-07 10:04
File: sahost.exe
MD5: 849c7ae770318ac09e0fde466e1becfe
Tags: Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself crashed
URLs: (none listed)
Hosts: (none listed)
Alerts: (none listed)
7.4 | M | 33 | ZeroCERT
46768 | 2024-08-07 10:06
File: masdaaaewebbbMPDW-constraints....
MD5: 2bcdb70c9930b9ade4d2f993105816ca
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Hosts (2):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.6 | M | 3 | ZeroCERT
46769 | 2024-08-07 10:07
File: jm.vbs
MD5: 1e4160cfab325ccbe906be8bfd94fb53
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper
URLs (2):
  http://ip-api.com/json/
  http://chongmei33.publicvm.com:7045/is-ready
Hosts (4):
  chongmei33.publicvm.com(46.246.6.6) - mailcious
  ip-api.com(208.95.112.1)
  46.246.6.6
  208.95.112.1
Alerts (3):
  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
  ET POLICY External IP Lookup ip-api.com
10.0 | M | 32 | ZeroCERT
46770 | 2024-08-07 10:08
File: Eqmosyuwc.exe
MD5: 5bd96efdf03f3f0758f1822e678dacaa
Tags: Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
URLs: (none listed)
Hosts: (none listed)
Alerts: (none listed)
2.8 | ZeroCERT