46801 | 2024-08-08 14:07 | Dropper.exe 5341c5bb13ae2b2753b2fdadcf93aa51 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB crashed | | | | | 1.6 | M | 32 | ZeroCERT
46802 | 2024-08-08 14:09 | rat.exe 1db146fcedaecd4bc84186d1ad75e7ba Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself | 1: http://asd123123.zapto.org/ | | | | 2.0 | M | 63 | ZeroCERT
46803 | 2024-08-08 14:09 | latest.exe 664cebe18c30cc4c32a4dbf0715bf864 Generic Malware Downloader Malicious Library UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check JPEG Format DllRegisterServer dll DLL VirusTotal Malware Code Injection Check memory Creates executable files AppData folder AntiVM_Disk VM Disk Size Check | | | | | 4.2 | M | 26 | ZeroCERT
46804 | 2024-08-08 14:11 | www.exe 7cab3f98a04b09bc2673f84bbccd6a63 UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself sandbox evasion Tofsee ComputerName DNS | | | 2: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 5.2 | M | 43 | ZeroCERT
46805 | 2024-08-08 14:23 | sahost.exe e3b7b813fdaeba4ef1d1b17bc827df20 Formbook Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS | 13: http://www.hourglasspoise.net/5gvb/?gkJb=/cc9D7vqfViixqGthiuMbdR5vErImywOC8ezpB4FmcTpRtjTbyPN8oLjmjUaYTUAZZsBqqPA4LzpXUrs3zKz1+bcJTGwBkjtMfI/kGKzlFznEvk/PsID24fmvZA2hoz8baldBw0=&EjQU=FuDkP7Tse-i7U - rule_id: 41514; http://www.theiconsummit.life/6fdz/ - rule_id: 41517; http://www.lontos.top/ukrf/ - rule_id: 41516; http://www.hourglasspoise.net/5gvb/ - rule_id: 41514; http://www.accelbusiness.net/sg0d/?gkJb=ZFII8SVAvGzgMmVXToVI4LwsaVgSRAPMY6hEAWMgzd/rbIPLPNZ+lpDrj56GxiOWRiizuXBqoJ7dds0AusnvIdaVAlrc/osgyVUIbfwB8yhx2m5WAGulmI8my104pwb/sqeANsY=&EjQU=FuDkP7Tse-i7U - rule_id: 41512; http://www.lontos.top/ukrf/?gkJb=F/tpX3aJNzQcZIorwbtn4XzXZf0a/CrYoWsqF027uxYn9zYWtTXD5RI4AWcWVnLyOuVjbatHjcymGXUCp/2iE/8I1+t1d0MzMQiJ/YLZDKzAaLFDJakAPmxPg9uDu26TEYHLTo4=&EjQU=FuDkP7Tse-i7U - rule_id: 41516; http://www.bosonserver.net/x10g/?gkJb=AtIpZIbrclbIO3wVV4nf5MkbKr3zgThFYZcx/yn27KMXet/sCHbTSg7iXdN1LprNnU90TGJjlk60YPXU/gV8xNKsA5d5wJ0kF02lQrh6bPl2Ka0ee+60c3gL6UuubkfRvx1R8AU=&EjQU=FuDkP7Tse-i7U - rule_id: 41513; http://www.asymtos.tech/34b9/?gkJb=W6RiSnxSk7sWUyAWvsuBUQf3TLDMvpVwUriP78iMWJLg9pjq2qbXoN6eJJBee+3TNvEAo0P2a/B9rNSGOSr+g5jIYLHfTFZsXGTqlaF0jUedL/CiwqWjEQX6GQUFudPhspdJ5Ls=&EjQU=FuDkP7Tse-i7U - rule_id: 41515; http://www.asymtos.tech/34b9/ - rule_id: 41515; http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip; http://www.bosonserver.net/x10g/ - rule_id: 41513; http://www.accelbusiness.net/sg0d/ - rule_id: 41512; http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip | 12: www.hourglasspoise.net(15.197.148.33) - mailcious; www.theiconsummit.life(15.197.148.33) - mailcious; www.lontos.top(203.161.42.162) - mailcious; www.accelbusiness.net(15.197.148.33) - mailcious; www.asymtos.tech(217.160.164.240) - mailcious; www.bosonserver.net(195.200.3.58) - mailcious; 195.200.3.58 - mailcious; 3.33.130.190 - phishing; 217.160.164.240 - mailcious; 15.197.148.33 - mailcious; 203.161.42.162 - mailcious; 45.33.6.223 | 4: ET INFO HTTP Request to a *.top domain; ET INFO Observed DNS Query to .life TLD; ET DNS Query to a *.top domain - Likely Hostile; ET INFO HTTP Request to Suspicious *.life Domain | 11: http://www.hourglasspoise.net/5gvb/; http://www.theiconsummit.life/6fdz/; http://www.lontos.top/ukrf/; http://www.hourglasspoise.net/5gvb/; http://www.accelbusiness.net/sg0d/; http://www.lontos.top/ukrf/; http://www.bosonserver.net/x10g/; http://www.asymtos.tech/34b9/; http://www.asymtos.tech/34b9/; http://www.bosonserver.net/x10g/; http://www.accelbusiness.net/sg0d/ | 10.4 | M | 46 | ZeroCERT
46806 | 2024-08-08 14:24 | sincesheiseverbuildnewthingent... f4b49bfacf066b76dd2f64aa5667e927 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Exploit DNS DDNS crashed | 1: http://192.3.193.155/xampp/uhj/picturegreatforeveryonetokissherlips.gIF | 4: servidorwindows.ddns.com.br(189.15.73.202) - malware; 3.33.130.190 - phishing; 192.3.193.155; 189.15.73.202 | | | 6.8 | | 35 | ZeroCERT
46807 | 2024-08-08 14:26 | hmay.txt.exe edfad175f97fe91185a1ed5beed5f468 PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName DNS DDNS | | 2: hmay8500.duckdns.org(12.221.146.138); 12.221.146.138 - mailcious | 2: ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | | 5.4 | | 52 | ZeroCERT
46808 | 2024-08-08 14:26 | picturegreatforeveryonetokissh... ab5e63bdc212cfe4832dcfaa5bcd47dd Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS | 1: http://servidorwindows.ddns.com.br/Files/vbs.jpeg | 2: servidorwindows.ddns.com.br(189.15.73.202) - malware; 189.15.73.202 | | | 8.4 | | 3 | ZeroCERT
46809 | 2024-08-08 14:26 | like.exe f40919d4beadd501ea89202a719ab940 Malicious Library PE File PE64 Malware download Cobalt Strike Cobalt VirusTotal Malware RWX flags setting unpack itself ComputerName DNS | 2: http://23.94.247.40:7890/OBjb; http://23.94.247.40:7890/ga.js | 2: 45.33.6.223; 23.94.247.40 - mailcious | 2: ET MALWARE Cobalt Strike Beacon Observed; ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1 | | 3.8 | | 61 | ZeroCERT
46810 | 2024-08-08 14:28 | mygirlistotalchangeswithentire... c29dda8b224f54eeade764fdb7c6bb23 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Exploit DNS DDNS crashed | 1: http://192.3.109.147/88/greatbiscutforbabieshealthgreatthings.gIF | 3: servidorwindows.ddns.com.br(189.15.73.202) - malware; 192.3.109.147 - mailcious; 189.15.73.202 | | | 6.8 | | 35 | ZeroCERT
46811 | 2024-08-08 14:28 | hvilkes-receipt.vbs be57d52692dc2ef67f7c35290b424149 Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | | 2: s2r.tn(70.38.21.234); 70.38.21.234 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 7.0 | | | ZeroCERT
46812 | 2024-08-08 14:37 | wecreatednewentertainmenttound... 0016aef348632b4114588b23be613073 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed | 1: http://192.210.150.33/88/sweetdresswearwithgirlstyle.gIF | 3: archive.org(207.241.224.2) - mailcious; 207.241.224.2 - mailcious; 192.210.150.33 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.6 | M | 32 | ZeroCERT
46813 | 2024-08-08 14:37 | 106.hta 3c35707d9cacb409481600e0b5eed83a Generic Malware Antivirus Downloader PE File DLL PE32 .NET DLL Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key | 1: http://192.3.176.138/106/sahost.exe | 1 | 5: ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 10.6 | M | 21 | ZeroCERT
46814 | 2024-08-08 14:39 | 70.hta d25adfb8a78f72868ee40f379c1d9fe2 Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed | 1: http://192.3.176.138/70/sahost.exe | 1 | 5: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 11.6 | M | 18 | ZeroCERT
46815 | 2024-08-08 14:40 | 66b1c36969eae_main.exe 3d04dfed5185e2f62819f0951249e391 Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Antivirus .NET framework(MSIL) ASPack UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 2: https://steamcommunity.com/profiles/76561199751190313; https://t.me/pech0nk | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(23.222.161.105) - mailcious; 149.154.167.99 - mailcious; 184.26.241.154 - mailcious; 78.47.227.64 | 3: ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 18.2 | M | 48 | ZeroCERT