47191 |
2024-08-17 22:16
|
gsprout.exe 92ae7a1286d992e104c0072f639941f7 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS |
1
http://45.138.16.71/cfg/?data=IDaJhCHdIlfHcldJAISHfgpYzZhgReLDAihcV0Oa
|
1
|
|
|
3.0 |
M |
51 |
ZeroCERT
47192 |
2024-08-17 22:17
|
sss.exe f93a30378f7682e1bf9f4adfbe5729be Generic Malware Malicious Library Malicious Packer .NET framework(MSIL) UPX Anti_VM PE File .NET EXE PE32 OS Processor Check JPEG Format VirusTotal Malware Telegram Malicious Traffic Windows utilities IP Check Tofsee Windows DNS |
2
http://icanhazip.com/ https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
|
7
icanhazip.com(104.16.184.241) api.mylnikov.org(104.21.44.66) api.telegram.org(149.154.167.220) - mailcious 104.16.184.241 194.58.114.223 - mailcious 104.21.44.66 149.154.167.220 - mailcious
|
7
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET POLICY IP Check Domain (icanhazip. com in HTTP Host) ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
|
|
3.4 |
|
60 |
ZeroCERT
47193 |
2024-08-17 22:18
|
file1.exe a107fbd4b2549ebb3babb91cd462cec8 Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 PowerShell OS Processor Check PE64 DLL Browser Info Stealer Malware download VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW anti-virtualization installed browsers check Tofsee CryptBot Windows Discord Browser ComputerName DNS Cryptographic key crashed |
8
http://tvezx20pt.top/v1/upload.php http://194.58.114.223/d/385104 - rule_id: 41929 http://58yongzhe.com/parts/setup1.exe - rule_id: 42034 http://91.121.59.207/Files/6ec431703915b7c3a66be6ef8e2bf8f9.exe http://91.121.59.207/Files/Channel1.exe https://pastebin.com/raw/E0rY26ni - rule_id: 37702 https://yip.su/RNWPd.exe - rule_id: 37623 https://cdn.discordapp.com/attachments/1272578305203110022/1274336696627892317/setup.exe?ex=66c1e208&is=66c09088&hm=d301fab09c009c8ddf7bbdaccf84e9e284b1d644909338534cae1eab5b7ee0ef&
|
12
tvezx20pt.top(77.232.42.234) 58yongzhe.com(62.133.62.93) - malware pastebin.com(172.67.19.24) - mailcious yip.su(104.21.79.77) - mailcious cdn.discordapp.com(162.159.133.233) - malware 91.121.59.207 77.232.42.234 104.21.79.77 - phishing 162.159.135.233 - malware 62.133.62.93 194.58.114.223 - mailcious 172.67.19.24 - mailcious
|
13
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 ET HUNTING Redirect to Discord Attachment Download
|
4
http://194.58.114.223/d/385104 http://58yongzhe.com/parts/setup1.exe https://pastebin.com/raw/E0rY26ni https://yip.su/RNWPd.exe
|
19.8 |
M |
56 |
ZeroCERT
47194 |
2024-08-17 22:18
|
tuesdayequitossssdroiudMPDW-co... 7a3fa640d6740b436c7fb40056e94edc Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
3
ia803104.us.archive.org(207.241.232.154) - malware 45.138.16.71
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
2 |
ZeroCERT
47195 |
2024-08-17 22:19
|
Ukodbcdcl.exe 25ed0fce4a9df59b3ed88853db8206f3 Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
3.8 |
M |
55 |
ZeroCERT
47196 |
2024-08-17 22:21
|
Armanivenntii_crypted_EASY.exe 795197155ca03f53eed7d90a2613d2a7 Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder DNS crashed |
|
1
162.159.135.233 - malware
|
|
|
4.0 |
M |
47 |
ZeroCERT
47197 |
2024-08-17 22:21
|
stub.exe f48972736d07992d0cfd2b8bc7972e27 Generic Malware Malicious Library UPX Antivirus PE File PE32 OS Processor Check PE64 .NET EXE Malware download VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Checks Bios AntiVM_Disk suspicious TLD anti-virtualization VM Disk Size Check Tofsee Windows Email ComputerName DNS Cryptographic key crashed |
6
http://185.216.214.225/freedom.exe http://185.216.214.225/Jhiidutz.exe https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62 https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADF https://solutionhub.cc/socket/?serviceCheckup - rule_id: 41399 https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADE
|
5
garageserviceoperation.com(172.67.202.34) solutionhub.cc(172.67.128.126) - malware 185.216.214.225 - malware 172.67.202.34 172.67.128.126 - mailcious
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) ET DNS Query for .cc TLD ET MALWARE Observed ZharkBot Domain (solutionhub .cc in TLS SNI) ET MALWARE ZharkBot User-Agent Observed ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
|
1
https://solutionhub.cc/socket/
|
10.4 |
M |
34 |
ZeroCERT
47198 |
2024-08-17 22:23
|
5_6190317556063017550.exe eb89a69599c9d1dde409ac2b351d9a00 Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Malicious Traffic Check memory buffers extracted unpack itself Collect installed applications suspicious TLD anti-virtualization installed browsers check CryptBot Browser ComputerName DNS |
1
http://fivexc5sr.top/v1/upload.php
|
2
fivexc5sr.top(195.133.48.136) 195.133.48.136
|
3
ET DNS Query to a *.top domain - Likely Hostile ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 ET INFO HTTP Request to a *.top domain
|
|
6.6 |
M |
47 |
ZeroCERT
47199 |
2024-08-17 22:23
|
MePaxil.exe bbe6311c3e2fab459f729dc8cd6e3519 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS |
|
2
104.16.184.241 104.21.44.66
|
|
|
6.8 |
M |
35 |
ZeroCERT
47200 |
2024-08-17 22:25
|
14082024.exe 9bba979bb2972a3214a399054242109b RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
185.215.113.67 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
8.2 |
M |
59 |
ZeroCERT
47201 |
2024-08-17 22:25
|
rorukal.exe 77ecafee1b0ba32bd4e3b90b6d92a81f PE File PE64 VirusTotal Malware Checks debugger sandbox evasion Browser crashed |
|
|
|
|
3.0 |
M |
48 |
ZeroCERT
47202 |
2024-08-17 22:28
|
NorthSperm.exe ff83471ce09ebbe0da07d3001644b23c Generic Malware Malicious Library UPX PE File PE32 OS Processor Check suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
4.8 |
M |
|
ZeroCERT
47203 |
2024-08-17 22:30
|
DOC.exe 2dbdc645b9776239b18f772c30c1a626 Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 Malware download VirusTotal Malware Malicious Traffic Check memory ICMP traffic suspicious TLD CryptBot DNS |
1
http://fivexc5vt.top/v1/upload.php
|
2
fivexc5vt.top(104.21.15.43) 172.67.161.137
|
3
ET DNS Query to a *.top domain - Likely Hostile ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 ET INFO HTTP Request to a *.top domain
|
|
4.2 |
M |
50 |
ZeroCERT
47204 |
2024-08-17 22:30
|
Survox.exe 06a9fb51c5455ef7c06cdad4f015c96b Malicious Library Malicious Packer PE File .NET EXE PE32 Malware download Nanocore Cobalt Strike NetWireRC VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself human activity check Windows RAT ComputerName |
|
2
vowquybcw.org(45.89.247.19) 45.89.247.19
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 4 ET MALWARE NanoCore RAT CnC 7 ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) ET MALWARE NanoCore RAT Keepalive Response 3 ET MALWARE NanoCore RAT Keepalive Response 1
|
|
7.6 |
M |
62 |
ZeroCERT
47205 |
2024-08-17 22:30
|
leon.exe 962f3de7b7ee4a08179142efffa50372 Stealc Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Antivirus Malicious Packer PE File PE32 DLL OS Processor Check .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
13
http://185.215.113.16/well/random.exe - rule_id: 41492 http://185.215.113.16/num/random.exe - rule_id: 41818 http://185.215.113.100/0d60be0de163924d/nss3.dll http://185.215.113.100/0d60be0de163924d/freebl3.dll http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968 http://185.215.113.100/0d60be0de163924d/vcruntime140.dll http://31.41.244.10/Dem7kTu/index.php http://185.215.113.100/0d60be0de163924d/sqlite3.dll http://185.215.113.100/ - rule_id: 41969 http://185.215.113.100/0d60be0de163924d/mozglue.dll http://185.215.113.100/0d60be0de163924d/softokn3.dll http://185.215.113.16/steam/random.exe - rule_id: 41792 http://185.215.113.100/0d60be0de163924d/msvcp140.dll
|
4
31.41.244.10 185.215.113.100 - mailcious 185.215.113.16 - mailcious 172.67.202.34
|
20
ET DROP Spamhaus DROP Listed Traffic Inbound group 2 ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
5
http://185.215.113.16/well/random.exe http://185.215.113.16/num/random.exe http://185.215.113.100/e2b1563c6670f193.php http://185.215.113.100/ http://185.215.113.16/steam/random.exe
|
15.0 |
M |
37 |
ZeroCERT