46786 | 2024-08-07 13:43
mine-29.js 8e97b83aaf385610c76bee59559d25bf Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check human activity check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
6 | checkip.dyndns.org(158.101.44.242) reallyfreegeoip.org(172.67.177.134) api.telegram.org(149.154.167.220) - mailcious 158.101.44.242 104.21.67.152 149.154.167.220 - mailcious
9 | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
11.8 | | 15 | ZeroCERT

46787 | 2024-08-07 13:51
wps.js dd48925ed36788cf0e624fc3c5b78582 AsyncRAT task schedule Downloader Malicious Library Malicious Packer .NET framework(MSIL) UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDe VirusTotal Malware AutoRuns Code Injection Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS DDNS
2 | chongmei33.publicvm.com(46.246.6.6) - mailcious 46.246.6.6
1 | ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
8.0 | | 16 | ZeroCERT

46788 | 2024-08-07 14:19
clip64.dll 83a532c46261758c3d74cc11fc0f20ef Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS
1 | http://80.66.75.214/g8djmsaxA/index.php - rule_id: 41863
1 |
1 | http://80.66.75.214/g8djmsaxA/index.php
3.6 | M | 57 | ZeroCERT

46789 | 2024-08-07 14:21
cred64.dll c7612ef960097ff466e641c7fe0cd5d3 Amadey Generic Malware Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion human activity check installed browsers check Windows Browser DNS Software
1 | http://80.66.75.214/g8djmsaxA/index.php - rule_id: 41863
1 |
1 | http://80.66.75.214/g8djmsaxA/index.php
7.8 | M | 42 | ZeroCERT

46790 | 2024-08-08 07:51
0x3fg.exe c4aeaafc0507785736e000ff7e823f5e Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check AutoRuns ICMP traffic unpack itself AppData folder suspicious TLD Windows DNS
2 | o7labs.top() - mailcious 94.228.166.74 - mailcious
1 | ET DNS Query to a *.top domain - Likely Hostile
5.0 | M | | guest

46791 | 2024-08-08 11:16
sahost.exe 3cd277b692b93cea6874d7879f1134d0 NSIS Suspicious_Script_Bin Generic Malware Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.4 | M | 26 | ZeroCERT

46792 | 2024-08-08 11:16
wahost.exe 14b98daca4a9912ad416eb7c0231cc21 Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
8 | api.telegram.org(149.154.167.220) - mailcious smtp.coxenregy.com(208.91.199.224) reallyfreegeoip.org(104.21.67.152) checkip.dyndns.org(193.122.6.168) 132.226.8.169 208.91.199.225 - mailcious 104.21.67.152 149.154.167.220 - mailcious
10 | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI ET HUNTING Telegram API Domain in DNS Lookup
14.8 | M | 50 | ZeroCERT

46793 | 2024-08-08 11:18
sahost.exe 99a5ba6045c45bd20f081ca3fb06a58a Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
4 | reallyfreegeoip.org(104.21.67.152) checkip.dyndns.org(193.122.6.168) 193.122.6.168 104.21.67.152
6 | ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.2 | | 46 | ZeroCERT

46794 | 2024-08-08 11:18
latest.exe 5d42fb68071f9f02ae6928865478e003 Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check DllRegisterServer dll JPEG Format DLL Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check
3.4 | | | ZeroCERT

46795 | 2024-08-08 11:20
logon.exe ceccc726e628b9592af475cc27d0a7ae Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW
1.0 | | 20 | ZeroCERT

46796 | 2024-08-08 11:20
sahost.exe c79d8b7c07b992c6aa435e4101770f99 Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser SnakeKeylogger Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
7 | us2.smtp.mailhostbox.com(208.91.198.143) reallyfreegeoip.org(172.67.177.134) checkip.dyndns.org(132.226.247.73) 208.91.199.225 - mailcious 208.91.199.224 - mailcious 158.101.44.242 104.21.67.152
8 | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) SURICATA Applayer Detect protocol only one direction ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET MALWARE Snake Keylogger Exfil via SMTP
16.2 | | 49 | ZeroCERT

46797 | 2024-08-08 11:22
regasm.exe 62b9f8d4c98febbcd68e635c14d8d882 Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
8 | api.telegram.org(149.154.167.220) - mailcious smtp.coxenregy.com(208.91.198.143) reallyfreegeoip.org(172.67.177.134) checkip.dyndns.org(193.122.130.0) 193.122.6.168 208.91.199.224 - mailcious 104.21.67.152 149.154.167.220 - mailcious
10 | ET HUNTING Telegram API Domain in DNS Lookup ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET INFO TLS Handshake Failure ET POLICY External IP Lookup - checkip.dyndns.org ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ET INFO 404/Snake/Matiex Keylogger Style External IP Check SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) SURICATA Applayer Detect protocol only one direction
14.8 | M | 31 | ZeroCERT

46798 | 2024-08-08 11:25
regasm.exe f74f2df998219d602185c46107329e82 Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
5 | reallyfreegeoip.org(104.21.67.152) checkip.dyndns.org(158.101.44.242) 132.226.8.169 208.91.199.224 - mailcious 172.67.177.134
6 | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
16.2 | M | 49 | ZeroCERT

46799 | 2024-08-08 14:04
javaw.exe f8fbe90216db05230b6a9cbf2c6cc218 Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check
0.2 | M | | ZeroCERT

46800 | 2024-08-08 14:07
logon.exe ceccc726e628b9592af475cc27d0a7ae Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW
1.0 | M | 20 | ZeroCERT