| 46786 |
2024-08-07 13:43
|
mine-29.js 8e97b83aaf385610c76bee59559d25bf
Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check human activity check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
6
checkip.dyndns.org(158.101.44.242)
reallyfreegeoip.org(172.67.177.134)
api.telegram.org(149.154.167.220) - mailcious
158.101.44.242
104.21.67.152
149.154.167.220 - mailcious
|
9
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
|
|
11.8 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46787 |
2024-08-07 13:51
|
wps.js dd48925ed36788cf0e624fc3c5b78582
AsyncRAT task schedule Downloader Malicious Library Malicious Packer .NET framework(MSIL) UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDe VirusTotal Malware AutoRuns Code Injection Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS DDNS |
|
2
chongmei33.publicvm.com(46.246.6.6) - mailcious
46.246.6.6
|
1
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
|
8.0 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46788 |
2024-08-07 14:19
|
 clip64.dll 83a532c46261758c3d74cc11fc0f20ef
Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://80.66.75.214/g8djmsaxA/index.php - rule_id: 41863
|
1
|
|
1
http://80.66.75.214/g8djmsaxA/index.php
|
3.6 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46789 |
2024-08-07 14:21
|
 cred64.dll c7612ef960097ff466e641c7fe0cd5d3
Amadey Generic Malware Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion human activity check installed browsers check Windows Browser DNS Software |
1
http://80.66.75.214/g8djmsaxA/index.php - rule_id: 41863
|
1
|
|
1
http://80.66.75.214/g8djmsaxA/index.php
|
7.8 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46790 |
2024-08-08 07:51
|
 0x3fg.exe c4aeaafc0507785736e000ff7e823f5e
Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check AutoRuns ICMP traffic unpack itself AppData folder suspicious TLD Windows DNS |
|
2
o7labs.top() - mailcious
94.228.166.74 - mailcious
|
1
ET DNS Query to a *.top domain - Likely Hostile
|
|
5.0 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46791 |
2024-08-08 11:16
|
 sahost.exe 3cd277b692b93cea6874d7879f1134d0
NSIS Suspicious_Script_Bin Generic Malware Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46792 |
2024-08-08 11:16
|
 wahost.exe 14b98daca4a9912ad416eb7c0231cc21
Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
8
api.telegram.org(149.154.167.220) - mailcious
smtp.coxenregy.com(208.91.199.224)
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(193.122.6.168)
132.226.8.169
208.91.199.225 - mailcious
104.21.67.152
149.154.167.220 - mailcious
|
10
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET HUNTING Telegram API Domain in DNS Lookup
|
|
14.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46793 |
2024-08-08 11:18
|
 sahost.exe 99a5ba6045c45bd20f081ca3fb06a58a
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
4
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(193.122.6.168)
193.122.6.168
104.21.67.152
|
6
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46794 |
2024-08-08 11:18
|
 latest.exe 5d42fb68071f9f02ae6928865478e003
Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check DllRegisterServer dll JPEG Format DLL Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check |
|
|
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46795 |
2024-08-08 11:20
|
 logon.exe ceccc726e628b9592af475cc27d0a7ae
Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
1.0 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46796 |
2024-08-08 11:20
|
 sahost.exe c79d8b7c07b992c6aa435e4101770f99
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser SnakeKeylogger Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
7
us2.smtp.mailhostbox.com(208.91.198.143)
reallyfreegeoip.org(172.67.177.134)
checkip.dyndns.org(132.226.247.73)
208.91.199.225 - mailcious
208.91.199.224 - mailcious
158.101.44.242
104.21.67.152
|
8
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
SURICATA Applayer Detect protocol only one direction
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET MALWARE Snake Keylogger Exfil via SMTP
|
|
16.2 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46797 |
2024-08-08 11:22
|
 regasm.exe 62b9f8d4c98febbcd68e635c14d8d882
Malicious Library .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
8
api.telegram.org(149.154.167.220) - mailcious
smtp.coxenregy.com(208.91.198.143)
reallyfreegeoip.org(172.67.177.134)
checkip.dyndns.org(193.122.130.0)
193.122.6.168
208.91.199.224 - mailcious
104.21.67.152
149.154.167.220 - mailcious
|
10
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO TLS Handshake Failure
ET POLICY External IP Lookup - checkip.dyndns.org
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
SURICATA Applayer Detect protocol only one direction
|
|
14.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46798 |
2024-08-08 11:25
|
 regasm.exe f74f2df998219d602185c46107329e82
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
5
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(158.101.44.242)
132.226.8.169
208.91.199.224 - mailcious
172.67.177.134
|
6
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
|
|
16.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46799 |
2024-08-08 14:04
|
 javaw.exe f8fbe90216db05230b6a9cbf2c6cc218
Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check |
|
|
|
|
0.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46800 |
2024-08-08 14:07
|
 logon.exe ceccc726e628b9592af475cc27d0a7ae
Generic Malware Malicious Library PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
1.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|