ID | Date | File | MD5 | Tags | URLs | Hosts | IDS alerts | Downloads | Score | Flag | VirusTotal | Submitter

47101 | 2024-08-13 09:45
  File: 240903-회국회(정) 제1차 전체회의 의사일정안(결...
  MD5: f5f5a585a12df9cb406dde6b3e6da23d
  Tags: AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory unpack itself crashed
  Score: 2.8 | VirusTotal: 30 | Submitter: ZeroCERT

47102 | 2024-08-13 09:45
  File: Helpstore.exe
  MD5: fc2aa8460ff7dd8a4f121d75116161cf
  Tags: Generic Malware Malicious Library Antivirus UPX PE File CAB PE32 OS Processor Check DLL VirusTotal Malware Creates executable files ComputerName Remote Code Execution
  Hosts (2): googlesharepoint.com(152.32.201.190); 152.32.201.190
  Score: 4.4 | VirusTotal: 35 | Submitter: ZeroCERT

47103 | 2024-08-13 10:23
  File: 240903-회국회(정) 제1차 전체회의 의사일정안(결...
  MD5: f5f5a585a12df9cb406dde6b3e6da23d
  Tags: AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory unpack itself
  Score: 2.6 | VirusTotal: 30 | Submitter: ZeroCERT

47104 | 2024-08-13 10:27
  File: 240903-회국회(정) 제1차 전체회의 의사일정안(결...
  MD5: f5f5a585a12df9cb406dde6b3e6da23d
  Tags: AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory crashed
  Score: 2.4 | VirusTotal: 30 | Submitter: ZeroCERT

47105 | 2024-08-13 10:44
  File: arch1208_0924.7z
  MD5: f6b650c35ed4de1040e590b400db1ef3
  Tags: Escalate priviledges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself
  Score: 1.6 | Submitter: ZeroCERT

47106 | 2024-08-13 11:06
  File: arch1208_0924.7z
  MD5: f6b650c35ed4de1040e590b400db1ef3
  Tags: Escalate priviledges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself
  Score: 1.6 | Flag: M | Submitter: ZeroCERT

47107 | 2024-08-13 11:22
  File: T9.exe
  MD5: 762e2c938ec4a35e6b67fafb977fd05c
  Tags: Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
  URLs (1): http://147.45.44.131/files/mservice64.exe - rule_id: 42058
  Hosts (2): 94.232.249.46 - mailcious; 147.45.44.131 - malware
  IDS alerts (5): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Downloads (1): http://147.45.44.131/files/mservice64.exe
  Score: 11.4 | Flag: M | VirusTotal: 30 | Submitter: r0d

47108 | 2024-08-13 11:29
  File: T9.exe
  MD5: 762e2c938ec4a35e6b67fafb977fd05c
  Tags: RedLine stealer Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
  URLs (1): http://147.45.44.131/files/mservice64.exe - rule_id: 42058
  Hosts (2): 94.232.249.46 - mailcious; 147.45.44.131 - malware
  IDS alerts (5): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Downloads (1): http://147.45.44.131/files/mservice64.exe
  Score: 11.4 | Flag: M | VirusTotal: 30 | Submitter: r0d

47109 | 2024-08-13 16:00
  File: NursultanClient.exe
  MD5: b3d8b18d332153db164df8b55c3272a4
  Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory crashed
  Score: 1.2 | VirusTotal: 14 | Submitter: ZeroCERT

47110 | 2024-08-13 17:09
  File: sahost.exe
  MD5: 29e3de6b17d0fdfb360834f038b59a39
  Tags: NSIS Suspicious_Script_Bin Malicious Library UPX Anti_VM PE File PE32 DLL VirusTotal Malware AppData folder
  Score: 1.4 | Flag: M | VirusTotal: 24 | Submitter: ZeroCERT

47111 | 2024-08-13 17:10
  File: sahost.exe
  MD5: d996f588469a7a1af5ababce991b42f5
  Tags: Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
  URLs (2): http://checkip.dyndns.org/; https://reallyfreegeoip.org/xml/175.208.134.152
  Hosts (6): api.telegram.org(149.154.167.220) - mailcious; reallyfreegeoip.org(104.21.67.152); checkip.dyndns.org(132.226.247.73); 132.226.247.73; 104.21.67.152; 149.154.167.220 - mailcious
  IDS alerts (9): ET HUNTING Telegram API Domain in DNS Lookup; ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org); ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org); ET POLICY External IP Lookup - checkip.dyndns.org; ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  Score: 15.2 | Flag: M | VirusTotal: 22 | Submitter: ZeroCERT

47112 | 2024-08-13 17:11
  File: sweetrosefalvourcakeandbutterb...
  MD5: 04f40400495c1c17270f9c71e6d40717
  Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS DDNS crashed
  URLs (2): http://servidorwindows.ddns.com.br/Files/vbs.jpeg - rule_id: 41854; http://107.172.31.124/xampp/knb/sweetbutterbuneatingtaste.tIF
  Hosts (3): servidorwindows.ddns.com.br(177.106.217.75) - malware; 107.172.31.124 - malware; 177.106.217.75 - malware
  IDS alerts (2): ET MALWARE Base64 Encoded MZ In Image; ET MALWARE Malicious Base64 Encoded Payload In Image
  Downloads (1): http://servidorwindows.ddns.com.br/Files/vbs.jpeg
  Score: 5.0 | Flag: M | VirusTotal: 34 | Submitter: ZeroCERT

47113 | 2024-08-13 17:12
  File: mondayequitosssMPDW-constraint...
  MD5: 1b1dd5797314342cfb948c6cfbac09b0
  Tags: Generic Malware Antivirus Hide_URL PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (1): https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
  Hosts (2): ia803104.us.archive.org(207.241.232.154) - malware; 207.241.232.154 - malware
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 7.2 | Submitter: ZeroCERT

47114 | 2024-08-13 17:14
  File: madamwebbbbbbMPDW-constraints....
  MD5: 3dfbd33df96998e1f6a37dc298a75ca4
  Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (1): https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
  Hosts (2): ia803104.us.archive.org(207.241.232.154) - malware; 207.241.232.154 - malware
  IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 7.6 | Flag: M | VirusTotal: 3 | Submitter: ZeroCERT

47115 | 2024-08-13 17:14
  File: greeceeeeArchive.vbs
  MD5: 9218fd739d9081a575a2f5f1402e6fec
  Tags: Generic Malware Antivirus PowerShell VBScript powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper
  URLs (1): https://pastecode.dev/raw/6l7qjjrz/paste1.txt - rule_id: 41177
  Hosts (3): pastecode.dev(172.66.43.27) - mailcious; 172.66.43.27 - mailcious; 198.46.176.133 - mailcious
  IDS alerts (3): ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev); ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Downloads (1): https://pastecode.dev/raw/6l7qjjrz/paste1.txt
  Score: 10.0 | Flag: M | Submitter: ZeroCERT