48271 | 2024-09-22 17:49 | Susel1.exe 8e131058444fc8b6d2ca45c404abd52e ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS | | 1 | 5 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 10.0 | M | 54 | ZeroCERT
48272 | 2024-09-22 17:51 | 66ef3064a18c2_setup3.exe#lyla bf87a376305099cac2ea13ff482ba319 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution DNS | | 1 | 1 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 | | 2.6 | M | 39 | ZeroCERT
48273 | 2024-09-22 17:51 | 66ea90ff1fefe_15.exe 96cb7df578398d5d46dd4daeffbdc41f Client SW User Data Stealer LokiBot CoinMiner Emotet ftp Client info stealer Generic Malware Malicious Library Antivirus UPX Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization IP Check installed browsers check Tofsee Windows Browser ComputerName Trojan DNS Software | 6 http://41.216.188.190/api/wp-admin.php http://41.216.188.190/api/wp-ping.php http://147.45.44.104/revada/66efcc2ab2731_setup3.exe#lyla https://steamcommunity.com/profiles/76561199780418869 https://db-ip.com/demo/home.php?s= https://api.myip.com/ | 20 db-ip.com(172.67.75.166) api64.ipify.org(104.237.62.213) api.myip.com(104.26.8.59) steamcommunity.com(104.76.74.15) - mailcious t.me(149.154.167.99) - mailcious ipinfo.io(34.117.59.81) bitbucket.org(104.192.140.25) - malware 149.154.167.99 - mailcious 176.111.174.109 - malware 104.26.8.59 104.76.74.15 176.113.115.33 - malware 104.26.4.15 41.216.188.190 104.192.140.24 - malware 116.203.165.127 147.45.44.104 - malware 173.231.16.77 34.117.59.81 103.130.147.211 - malware | 18 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ET DROP Spamhaus DROP Listed Traffic Inbound group 30 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO Observed Telegram Domain (t .me in TLS SNI) | | 17.4 | M | 49 | ZeroCERT
48274 | 2024-09-22 17:52 | 66e571613a5a3_Server.exe d42e570ec9cf6757af9fbd23f251bdbc Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware AutoRuns buffers extracted WMI Creates executable files AppData folder Tofsee Windows ComputerName | 3 http://downapp.baidu.com/appsearch/AndroidPhone/1.0.65.172/1/1012271b/20171027150542/appsearch_AndroidPhone_1-0-65-172_1012271b.apk?responseContentDisposition=attachment%3Bfilename%3D%22appsearch_AndroidPhone_v8.0.3%281.0.65.172%29_1012271b.apk%22&responseContentType=application%2Fvnd.android.package-archive&request_id=1516457256_8032127161&type=dynamic http://downapp.baidu.com/ https://en.ipip.net/ | 9 win.ust.cx(154.91.34.235) downapp.baidu.com(60.190.116.35) luoyefeihua.site() www.ipip.net(172.67.22.102) en.ipip.net(104.22.30.153) 60.190.116.35 154.91.34.235 104.22.30.153 104.22.31.153 | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 6.8 | M | 61 | ZeroCERT
48275 | 2024-09-22 17:55 | audiodii.exe 779e7b9e777defc2d1da4d4cc590c3e1 Formbook Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser | 7 http://www.magmadokum.com/fo8o/ - rule_id: 39856 http://www.3xfootball.com/fo8o/ - rule_id: 39852 http://www.goldenjade-travel.com/fo8o/?vHAf-k=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&01Im=1DlGhcZUHObCfT- - rule_id: 39854 http://www.magmadokum.com/fo8o/?vHAf-k=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&01Im=1DlGhcZUHObCfT- - rule_id: 39856 http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854 http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip http://www.3xfootball.com/fo8o/?vHAf-k=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&01Im=1DlGhcZUHObCfT- - rule_id: 39852 | 9 www.magmadokum.com(85.159.66.93) - mailcious www.kasegitai.tokyo() - mailcious www.3xfootball.com(154.215.72.110) - mailcious www.goldenjade-travel.com(116.50.37.244) - mailcious www.antonio-vivaldi.mobi() - mailcious 45.33.6.223 85.159.66.93 - mailcious 116.50.37.244 - mailcious 154.215.72.110 - mailcious | 1 ET MALWARE FormBook CnC Checkin (GET) M5 | 6 http://www.magmadokum.com/fo8o/ http://www.3xfootball.com/fo8o/ http://www.goldenjade-travel.com/fo8o/ http://www.magmadokum.com/fo8o/ http://www.goldenjade-travel.com/fo8o/ http://www.3xfootball.com/fo8o/ | 6.8 | M | 37 | ZeroCERT
48276 | 2024-09-22 17:56 | %E5%85%AC%E7%9B%8A%E4%BC%A0%E5... 27f9ee956e01f9e39de89aa138e26c8b Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 MZP Format VirusTotal Malware Remote Code Execution DNS | | 1 | | | 3.2 | M | 47 | ZeroCERT
48277 | 2024-09-22 17:59 | 66ef2dea4d06c_rrr01.exe 59f2f7f0cf8faf41dbb0a7878b5d66bb Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege AntiVM_Disk VM Disk Size Check DNS | | 2 45.33.6.223 62.210.113.223 | | | 4.2 | M | 61 | ZeroCERT
48278 | 2024-09-22 18:01 | niceworkonudpationprocesstoget... d63c7600ca42fe65af91ae662ef7b637 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed | | 3 maan2u.com(112.137.173.77) - mailcious 107.175.243.142 - mailcious 112.137.173.77 - mailcious | 8 ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.6 | M | 39 | ZeroCERT
48279 | 2024-09-22 18:03 | gf9.exe c9298899bde5efb635d28f14a6c62125 ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS | | 1 | 5 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 10.0 | M | 54 | ZeroCERT
48280 | 2024-09-22 18:06 | needmoney.exe 7fa5c660d124162c405984d14042506f Malicious Library UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware unpack itself ComputerName crashed | | | | | 3.2 | M | 56 | ZeroCERT
48281 | 2024-09-22 18:07 | Name.exe 922ddb400915ecc12148b5502b5b7748 PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | | | | | 2.0 | M | 34 | ZeroCERT
48282 | 2024-09-22 18:10 | seethebestwayforunderstandtheg... 05a89145fa97e81da22c0102237b689f MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed | | 3 ia803104.us.archive.org(207.241.232.154) - malware 23.94.148.16 - mailcious 207.241.232.154 - malware | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.6 | M | 39 | ZeroCERT
48283 | 2024-09-22 18:12 | LummaC222222.exe 49ac2a0a553de507388c97455531588b UPX PE File PE32 | | | | | | M | | ZeroCERT
48284 | 2024-09-22 18:16 | fck.exe d8a0d9575d0188e8d0420c1d70d04cb2 Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware | | | | | 0.4 | M | 5 | ZeroCERT
48285 | 2024-09-22 18:16 | xx.exe cdb08964f95490ea413b0202f9d4576f Gen1 Generic Malware Malicious Library ASPack UPX Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Checks debugger Creates executable files | | | | | 2.2 | M | 36 | ZeroCERT