ID | Submitted | Sample (name, MD5, signatures) | URLs | Hosts | IDS alerts | (unlabelled) | Score | (unlabelled) | (unlabelled) | Submitter
46861 | 2024-08-09 16:22 | Invoice.pdf.lnk 4d0c856b7c6eabdfc58568e3ea4aa729 Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key | 1: https://divorcelawyeroxnard.com/rtr/ghgadadas | | | | 4.8 | | 12 | ZeroCERT
46862 | 2024-08-09 16:23 | 107.hta e17602e8561e5da8a321f44610fd119b Generic Malware Antivirus AntiDebug AntiVM PowerShell PE File DLL PE32 .NET DLL Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key | 1: http://192.3.176.138/107/sahost.exe | 1 | 3: ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 10.8 | | | ZeroCERT
46863 | 2024-08-09 16:27 | Snake_IT_Project.exe 9fa15d43ebdd6d22539f1ac310be032a Gen1 NSIS Generic Malware Malicious Library UPX Malicious Packer Antivirus Anti_VM Javascript_Blob PE File PE32 Lnk Format GIF Format DLL OS Processor Check PE64 suspicious privilege Code Injection Check memory Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Ransomware Browser ComputerName crashed | | | | | 6.2 | | | ZeroCERT
46864 | 2024-08-09 16:33 | ghgadadas.exe eae8fea1fe3a77450002d315167b3471 UPX PE File PE32 VirusTotal Malware PDB Remote Code Execution | | | | | 1.6 | | 41 | ZeroCERT
46865 | 2024-08-09 16:41 | 66b45c742e0a1_123p.exe 488d85695b6e76307aa595f8db6a48fc PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner | | 2: pool.hashvault.pro(125.253.92.50) - mailcious; 131.153.76.130 - mailcious | 1: ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | | 1.6 | M | 36 | ZeroCERT
46866 | 2024-08-09 16:41 | file.exe 19e3d9fd4b09a33c2653151601ab548a Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS | | 1 | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 23 | | 8.4 | M | 38 | ZeroCERT
46867 | 2024-08-09 16:44 | main2.exe 305d50d93ffc87e36a9d7d0914f8c4c5 Stealc Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Antivirus .NET framework(MSIL) ASPack UPX Socket Http API PWS HTTP DNS Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Che FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software crashed | 2: https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879; https://t.me/pech0nk | 6: t.me(149.154.167.99) - mailcious; steamcommunity.com(184.85.65.125) - mailcious; 149.154.167.99 - mailcious; 116.203.5.69; 23.77.13.219; 131.153.76.130 - mailcious | 3: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI) | 1: https://steamcommunity.com/profiles/76561199751190313 | 18.4 | M | 50 | ZeroCERT
46868 | 2024-08-09 16:46 | sahost.exe a1ae2e6d777478e37fb28514cdde98f6 Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP Internet API KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger | 2: http://checkip.dyndns.org/; https://reallyfreegeoip.org/xml/175.208.134.152 | 4: reallyfreegeoip.org(104.21.67.152); checkip.dyndns.org(193.122.130.0); 193.122.6.168; 104.21.67.152 | 6: ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org); ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check | | 16.2 | M | 40 | ZeroCERT
46869 | 2024-08-09 16:46 | 66b24859611ad_agent_3.exe ba027ccb7de0f4a3769f48136d183dbd Malicious Library Malicious Packer UPX PE File PE32 VirusTotal Malware AutoRuns Creates executable files Windows | | 2: agent-runner-service2.com(95.164.44.107); 95.164.44.107 | 1: SURICATA Applayer Detect protocol only one direction | | 3.4 | M | 51 | ZeroCERT
46870 | 2024-08-09 16:48 | 66ae9cc050ded_file0308.exe d7528cd33b73718b5949277420681f90 Suspicious_Script_Bin Malicious Library Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 Malware download VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted ICMP traffic unpack itself malicious URLs Tofsee Windows ComputerName DNS | 2: http://cajgtus.com/test1/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true; https://api.2ip.ua/geo.json | 4: cajgtus.com(190.220.21.28) - malware; api.2ip.ua(104.21.65.24); 104.21.65.24; 109.98.58.98 | 6: ET POLICY External IP Address Lookup DNS Query (2ip .ua); ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer); ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key; ET MALWARE Win32/Filecoder.STOP Variant Public Key Download | | 10.4 | M | 60 | ZeroCERT
46871 | 2024-08-09 17:06 | firewall.db 471387c94509d92b8357a6ef9797faed | | | | | | | | guest
46872 | 2024-08-10 12:28 | win32.exe 3970ef9883559736fed2976032935fe9 Suspicious_Script_Bin Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself powershell.exe wrote suspicious process AntiVM_Disk VM Disk Size Check ComputerName | | | | | 6.2 | M | 53 | ZeroCERT
46873 | 2024-08-10 12:30 | file.exe 364045dcd335ffd17f48a8cf5f816a01 Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory Check virtual network interfaces | 1 | 4: download.cpuid.com(195.154.81.43); x1.i.lencr.org(23.35.220.247); 195.154.81.43; 23.41.113.9 | | | 3.0 | | 23 | ZeroCERT
46874 | 2024-08-10 12:31 | 66b62381ef649_crypted.exe#1 d8f1bd1e839eec9a05b55fbc77c9ef90 Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS | | 1: 147.45.44.124 - mailcious | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 23 | | 8.2 | M | 27 | ZeroCERT
46875 | 2024-08-10 12:31 | autoupdate.exe e1dd2552700e2ddf9eff47d0b1c651ed Antivirus UPX PE File .NET EXE PE32 Lnk Format GIF Format VirusTotal Malware Buffer PE MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Interception ComputerName | 12: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt; https://linhkiem.com/autoupdate_dev/hostfile/update.php; https://linhkiem.com/autoupdate_dev/launcher/js/mainsite.js; https://linhkiem.com/autoupdate_dev/launcher/css/box-event.css; https://linhkiem.com/autoupdate_devcheckupdate.php; https://linhkiem.com/autoupdate_dev/launcher/index.html; https://linhkiem.com/; https://linhkiem.com/autoupdate_dev/launcher/css/style.css; https://linhkiem.com/autoupdate_dev/launcher/js/fadegallery.js; https://linhkiem.com/autoupdate_dev/launcher/css/mainsite.css; https://linhkiem.com/autoupdate_dev/launcher/js/commone942.js?clear=20140520; https://linhkiem.com/autoupdate_devAutoUpdate.exe | 5: linhkiem.com(103.150.124.120) - malware; s2lol.com() - malware; crt.sectigo.com(104.18.38.233); 103.150.124.120 - malware; 104.18.38.233 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.2 | M | 42 | ZeroCERT