| 47086 |
2024-08-13 07:36
|
 out_test_sig.exe 47f2701f1d1f6645baccced737e8e20c
Generic Malware UPX Antivirus PE File PE32 Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Remote Code Execution Cryptographic key |
2
http://uamgayumeqmwemas.xyz:1775/avast_update - rule_id: 41478
http://uamgayumeqmwemas.xyz:1775/api/client_hello - rule_id: 41479
|
10
ugmkmoigiimgmaaw.xyz() - mailcious
iqowocguasswcmca.xyz() - mailcious
scqekwyoswaguuyo.xyz(188.40.187.174) - mailcious
skssoeqouussusyi.xyz(15.197.192.55) - mailcious
kmiigggyqiwkeeci.xyz() - mailcious
kgeyscaqeacwaccu.xyz() - mailcious
uamgayumeqmwemas.xyz(185.172.129.25) - mailcious
15.197.192.55 - mailcious
188.40.187.174 - mailcious
185.172.129.25 - mailcious
|
2
ET HUNTING EXE Base64 Encoded potential malware
ET SHELLCODE Common 0a0a0a0a Heap Spray String
|
2
http://uamgayumeqmwemas.xyz:1775/avast_update
http://uamgayumeqmwemas.xyz:1775/api/client_hello
|
7.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47087 |
2024-08-13 07:44
|
 c7.exe 819ea2d1b7f70aa3fab1a5eefd8928fd
UPX PE File PE32 |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47088 |
2024-08-13 07:44
|
 T7.exe 106317cd019b63fde3dc44b2e365d0e6
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Downloader |
1
http://147.45.44.131/files/c7.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
8.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47089 |
2024-08-13 07:47
|
 mservice64.exe c1915f095d3e7b2ad07b5aadc21be2e3
RedLine stealer Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 suspicious privilege Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
3.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47090 |
2024-08-13 07:49
|
 sahost.exe 3264ed302538a2d29f2e48f26eff85b0
NSIS Suspicious_Script_Bin Malicious Library UPX PE File PE32 DLL AppData folder |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47091 |
2024-08-13 07:51
|
 cookie250.exe 1b099f749669dfe00b4177988018fc40
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
185.215.113.9 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
6.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47092 |
2024-08-13 09:13
|
 e12f0f2d-542f-4d56-ab33-669633... 4a63cb4e572d98e0dadc8164dba486ef
Malicious Library Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47093 |
2024-08-13 09:14
|
 TTF.exe b5fe23cf43111d7500a18d432d1a9307
Generic Malware Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
1
http://147.45.44.131/files/mservice64.exe
|
2
94.232.249.46
147.45.44.131 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.4 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47094 |
2024-08-13 09:16
|
wkshindemips c609c2d0699ff09e975c4fbbe135f3b4
AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email |
|
|
|
|
4.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47095 |
2024-08-13 09:16
|
 T9.exe 762e2c938ec4a35e6b67fafb977fd05c
AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
1
http://147.45.44.131/files/mservice64.exe
|
2
94.232.249.46
147.45.44.131 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47096 |
2024-08-13 09:31
|
 IMG001.scr fbbcf1e9501234d6661a0c9ae6dc01c9
NSIS Malicious Library UPX VMProtect PE File PE32 PE64 ftp DLL Lnk Format GIF Format VirusTotal Malware AutoRuns Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW Windows ComputerName |
3
http://stafftest.ru/text.html
http://stafftest.ru/stat.html
http://stafftest.ru/test.html
|
2
stafftest.ru(31.177.80.32) - mailcious
31.177.76.32
|
1
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
|
|
7.4 |
M |
68 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47097 |
2024-08-13 09:36
|
stub.ps1 b4ce78d3ce06757ceac96f41e3d063b6
Generic Malware Antivirus VirusTotal Malware powershell Check memory unpack itself Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
|
2
sw.lifeboxtransfer.com(176.235.226.160) - malware
176.235.226.160 - malware
|
4
ET INFO Filesharing Domain in DNS Lookip (lifeboxtransfer .com)
ET INFO TLS Handshake Failure
ET INFO Observed Filesharing Domain (lifeboxtransfer .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47098 |
2024-08-13 09:36
|
 TST.ps1 34261ad4c802d025f6ead9dd56634860
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/TTF.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47099 |
2024-08-13 09:36
|
 IEnetcats.hta 1f18e6c2757cc8ed24b3a244dc8202d5
Generic Malware Antivirus AntiDebug AntiVM PowerShell PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
1
http://107.172.31.124/98/sahost.exe
|
1
|
3
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.4 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47100 |
2024-08-13 09:37
|
 Visual.ps1 0ceeb6420f475c07ac5f4b4783855400
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/WC.exe - rule_id: 41965
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
1
http://147.45.44.131/files/WC.exe
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|