| 46756 |
2024-08-07 09:51
|
 excel.exe 0f73677af37f11c406ca9f726653eb54
PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Checks debugger Creates executable files unpack itself Windows utilities suspicious process Windows Cryptographic key |
|
|
|
|
6.6 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46757 |
2024-08-07 09:53
|
 zoom.vbs 23beb362ea6c6447b481f4b507fc4fe7VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
2
http://ip-api.com/json/
http://chongmei33.publicvm.com:7045/is-ready
|
4
chongmei33.publicvm.com(46.246.6.6) - mailcious
ip-api.com(208.95.112.1)
46.246.6.6
208.95.112.1
|
3
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
ET POLICY External IP Lookup ip-api.com
|
|
10.0 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46758 |
2024-08-07 09:54
|
 719.vbs bddc705622e0b2e5022ab7e66e2fd204VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
2
http://ip-api.com/json/
http://chongmei33.publicvm.com:7044/is-ready
|
4
chongmei33.publicvm.com(46.246.6.6) - mailcious
ip-api.com(208.95.112.1)
46.246.6.6
208.95.112.1
|
3
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
ET POLICY External IP Lookup ip-api.com
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
|
10.0 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46759 |
2024-08-07 09:55
|
 cred64.dll 22b622506f13b2f13f4ef2db22d23a3f
Generic Malware Malicious Library UPX Antivirus PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process suspicious TLD sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
|
3
ruspyc.top(154.216.20.234) - mailcious
154.216.20.234 - malware
208.95.112.1
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO HTTP Request to a *.top domain
|
1
|
10.2 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46760 |
2024-08-07 09:56
|
 w79.vbs 661e4447857ab3a35bd5d510c4b53657VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
2
http://ip-api.com/json/
http://chongmei33.publicvm.com:7044/is-ready
|
4
chongmei33.publicvm.com(46.246.6.6) - mailcious
ip-api.com(208.95.112.1)
46.246.6.6
208.95.112.1
|
3
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
ET POLICY External IP Lookup ip-api.com
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
|
10.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46761 |
2024-08-07 09:57
|
 setup.exe fc99ddf185aa553bf30c431cc897c903
Generic Malware Malicious Library UPX ftp PE File PE32 OS Processor Check VirusTotal Malware Telegram Code Injection unpack itself IP Check DNS |
1
http://myexternalip.com/raw
|
4
myexternalip.com(34.160.111.145)
api.telegram.org(149.154.167.220) - mailcious
34.160.111.145
149.154.167.220 - mailcious
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET POLICY External IP Check myexternalip.com
|
|
5.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46762 |
2024-08-07 09:58
|
 clip64.dll 40c8cf4849514e1d32f865bafe75f898
Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
|
2
ruspyc.top(154.216.20.234) - mailcious
154.216.20.234 - malware
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
1
|
3.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46763 |
2024-08-07 10:00
|
 cred.dll 2fb39d6664f6b415124cf2368db92fb4
Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
|
2
ruspyc.top(154.216.20.234) - mailcious
154.216.20.234 - malware
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO HTTP Request to a *.top domain
|
1
|
8.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46764 |
2024-08-07 10:02
|
 ds.exe 3b6b710da92a115329d00c5e55ad7671
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46765 |
2024-08-07 10:04
|
 193.exe 5a5ccdbe3cdd135a57f61138867932a8
Generic Malware UPX PE File PE32 VirusTotal Malware DNS |
1
http://115.159.47.193/4.jpg
|
1
|
|
|
4.0 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46766 |
2024-08-07 10:04
|
 amadey.exe 107c3b33e05d1d569cccc2052e56055e
Amadey Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check DLL PE64 JPEG Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software |
4
http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll
http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll
http://80.66.75.214/g8djmsaxA/index.php?scr=1
http://80.66.75.214/g8djmsaxA/index.php
|
29
197.234.223.180
77.246.158.216
157.97.109.159
83.243.47.17
118.25.101.87
47.99.144.17
79.124.17.242
37.16.7.184
34.43.67.154
162.0.211.158
213.100.160.101
110.42.3.95
80.66.75.214 - malware
63.134.234.92
146.148.25.153
116.202.81.93
125.229.77.252
182.92.155.50
38.249.8.144
38.249.14.69
119.176.96.94
184.154.46.96
213.199.32.146
79.96.222.94
178.17.168.102
155.159.241.238
87.230.85.251
162.240.68.86
68.183.179.133
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET MALWARE Amadey Bot Activity (POST) M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
13.6 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46767 |
2024-08-07 10:04
|
 sahost.exe 849c7ae770318ac09e0fde466e1becfe
Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself crashed |
|
|
|
|
7.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46768 |
2024-08-07 10:06
|
masdaaaewebbbMPDW-constraints.... 2bcdb70c9930b9ade4d2f993105816ca
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46769 |
2024-08-07 10:07
|
 jm.vbs 1e4160cfab325ccbe906be8bfd94fb53VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
2
http://ip-api.com/json/
http://chongmei33.publicvm.com:7045/is-ready
|
4
chongmei33.publicvm.com(46.246.6.6) - mailcious
ip-api.com(208.95.112.1)
46.246.6.6
208.95.112.1
|
3
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET POLICY External IP Lookup ip-api.com
|
|
10.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46770 |
2024-08-07 10:08
|
 Eqmosyuwc.exe 5bd96efdf03f3f0758f1822e678dacaa
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|