| 48241 |
2024-09-22 15:17
|
 svchost.exe d2b9d12a630cf96b6d4da31de2af0e35
Malicious Library UPX AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory ICMP traffic unpack itself Windows utilities suspicious process AppData folder Windows DNS |
|
3
ref.tbfull.com(47.76.175.95) - mailcious
150.158.102.191
47.76.175.95
|
|
|
8.4 |
|
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48242 |
2024-09-22 15:19
|
game.exe 49a4df6234a85f29ff15b8d58dcb995b
Generic Malware Malicious Library ASPack UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware PDB DNS |
|
1
|
|
|
1.8 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48243 |
2024-09-22 15:22
|
 config.exe 1734e1fd7e4ca651b03421c5a75441e9
Emotet Generic Malware Malicious Library Malicious Packer ASPack UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Check memory unpack itself Remote Code Execution |
|
|
|
|
2.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48244 |
2024-09-22 17:19
|
wecreatednewthingsinthisworldt... 16e108820a6288c25887dbc7f7dff60a
Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
8
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.goldenjade-travel.com/fo8o/?6tE9=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&9p=CzyK2TzevP2p - rule_id: 39854
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://104.243.38.54/600/audiodg.exe
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.magmadokum.com/fo8o/?6tE9=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&9p=CzyK2TzevP2p - rule_id: 39856
http://www.3xfootball.com/fo8o/?6tE9=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&9p=CzyK2TzevP2p - rule_id: 39852
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
|
10
www.magmadokum.com(85.159.66.93) - mailcious
www.kasegitai.tokyo() - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi() - mailcious
85.159.66.93 - mailcious
116.50.37.244 - mailcious
45.33.6.223
104.243.38.54 - mailcious
154.215.72.110 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET) M5
|
6
http://www.magmadokum.com/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48245 |
2024-09-22 17:20
|
seethepicturetogetmebacktheupd... 8ba173734c1a8532e0b2ebcb3b6602ab
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
|
3
ia601706.us.archive.org(207.241.227.96) - malware
172.236.19.62 - mailcious
207.241.227.96 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48246 |
2024-09-22 17:21
|
 66eef0d509347_vfdshg16.exe 4ae2d1685d2732cfcd128560424c53cc
Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199780418869
|
6
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.170.104) - mailcious
149.154.167.99 - mailcious
116.203.165.127
104.76.74.15
85.159.66.93 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
|
16.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48247 |
2024-09-22 17:23
|
 66ecb454d2b4a_lgfdsjgds.exe 384a847ad2833788fa253433fd2eea8d
Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS |
|
1
|
|
|
8.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48248 |
2024-09-22 17:23
|
 audiodg.exe 8b016746ea349838ed337927770248eb
Formbook Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
8
http://www.magmadokum.com/fo8o/?01Rq=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&G0g-=NkDPf - rule_id: 39856
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.goldenjade-travel.com/fo8o/?01Rq=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&G0g-=NkDPf - rule_id: 39854
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.3xfootball.com/fo8o/?01Rq=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&G0g-=NkDPf - rule_id: 39852
|
9
www.magmadokum.com(85.159.66.93) - mailcious
www.kasegitai.tokyo() - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi() - mailcious
45.33.6.223
85.159.66.93 - mailcious
116.50.37.244 - mailcious
154.215.72.110 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET) M5
|
6
http://www.magmadokum.com/fo8o/
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.3xfootball.com/fo8o/
|
6.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48249 |
2024-09-22 17:24
|
 66e579d0cbf2d_win.exe 049d2f0e9e03c057d906287c2003331b
UPX PE File PE32 VirusTotal Malware AutoRuns Creates executable files Check virtual network interfaces Windows DNS |
|
4
win.ust.cx(154.91.34.235)
www.google.com(142.250.207.100)
154.91.34.235
85.159.66.93 - mailcious
|
|
|
6.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48250 |
2024-09-22 17:25
|
 Traxx1.exe 937239c0053f3daec25ca7984676696a
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Downloader |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
10.0 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48251 |
2024-09-22 17:26
|
 ypqhgl.exe 990ddf57779c6d17b6885dab3f5c3494
UPX PE File PE32 VirusTotal Malware DNS |
|
1
|
|
|
1.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48252 |
2024-09-22 17:27
|
weskineverythingtobeperfectwit... c496e9e3167af07c0c305a267d462140
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
|
3
ia600100.us.archive.org(207.241.227.240)
207.241.227.240
45.90.89.123 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48253 |
2024-09-22 17:29
|
 66eea6336b153_app1654040698346... e8e6cd9ec48fafccc174f7bf07d045e2
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
1
193.233.255.84 - mailcious
|
|
|
10.8 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48254 |
2024-09-22 17:29
|
 66e8772555389_lsndfsg.exe a5098dee7d78acfb0294523855906aad
Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName |
|
|
|
|
3.0 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48255 |
2024-09-22 17:31
|
 66ef2d38305f6_crypted.exe#1 c61cc62b59b5959951d1158887b20b7b
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
12.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|