| 48271 |
2024-09-22 17:49
|
 Susel1.exe 8e131058444fc8b6d2ca45c404abd52e
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS |
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
10.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48272 |
2024-09-22 17:51
|
 66ef3064a18c2_setup3.exe#lyla bf87a376305099cac2ea13ff482ba319
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution DNS |
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
|
|
2.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48273 |
2024-09-22 17:51
|
 66ea90ff1fefe_15.exe 96cb7df578398d5d46dd4daeffbdc41f
Client SW User Data Stealer LokiBot CoinMiner Emotet ftp Client info stealer Generic Malware Malicious Library Antivirus UPX Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization IP Check installed browsers check Tofsee Windows Browser ComputerName Trojan DNS Software |
6
http://41.216.188.190/api/wp-admin.php
http://41.216.188.190/api/wp-ping.php
http://147.45.44.104/revada/66efcc2ab2731_setup3.exe#lyla
https://steamcommunity.com/profiles/76561199780418869
https://db-ip.com/demo/home.php?s=
https://api.myip.com/
|
20
db-ip.com(172.67.75.166)
api64.ipify.org(104.237.62.213)
api.myip.com(104.26.8.59)
steamcommunity.com(104.76.74.15) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
bitbucket.org(104.192.140.25) - malware
149.154.167.99 - mailcious
176.111.174.109 - malware
104.26.8.59
104.76.74.15
176.113.115.33 - malware
104.26.4.15
41.216.188.190
104.192.140.24 - malware
116.203.165.127
147.45.44.104 - malware
173.231.16.77
34.117.59.81
103.130.147.211 - malware
|
18
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
|
17.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48274 |
2024-09-22 17:52
|
 66e571613a5a3_Server.exe d42e570ec9cf6757af9fbd23f251bdbc
Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware AutoRuns buffers extracted WMI Creates executable files AppData folder Tofsee Windows ComputerName |
3
http://downapp.baidu.com/appsearch/AndroidPhone/1.0.65.172/1/1012271b/20171027150542/appsearch_AndroidPhone_1-0-65-172_1012271b.apk?responseContentDisposition=attachment%3Bfilename%3D%22appsearch_AndroidPhone_v8.0.3%281.0.65.172%29_1012271b.apk%22&responseContentType=application%2Fvnd.android.package-archive&request_id=1516457256_8032127161&type=dynamic
http://downapp.baidu.com/
https://en.ipip.net/
|
9
win.ust.cx(154.91.34.235)
downapp.baidu.com(60.190.116.35)
luoyefeihua.site()
www.ipip.net(172.67.22.102)
en.ipip.net(104.22.30.153)
60.190.116.35
154.91.34.235
104.22.30.153
104.22.31.153
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48275 |
2024-09-22 17:55
|
 audiodii.exe 779e7b9e777defc2d1da4d4cc590c3e1
Formbook Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL FormBook Browser Info Stealer Malware download VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder Browser |
7
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.goldenjade-travel.com/fo8o/?vHAf-k=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&01Im=1DlGhcZUHObCfT- - rule_id: 39854
http://www.magmadokum.com/fo8o/?vHAf-k=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&01Im=1DlGhcZUHObCfT- - rule_id: 39856
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.3xfootball.com/fo8o/?vHAf-k=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&01Im=1DlGhcZUHObCfT- - rule_id: 39852
|
9
www.magmadokum.com(85.159.66.93) - mailcious
www.kasegitai.tokyo() - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi() - mailcious
45.33.6.223
85.159.66.93 - mailcious
116.50.37.244 - mailcious
154.215.72.110 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET) M5
|
6
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.magmadokum.com/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.3xfootball.com/fo8o/
|
6.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48276 |
2024-09-22 17:56
|
 %E5%85%AC%E7%9B%8A%E4%BC%A0%E5... 27f9ee956e01f9e39de89aa138e26c8b
Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 MZP Format VirusTotal Malware Remote Code Execution DNS |
|
1
|
|
|
3.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48277 |
2024-09-22 17:59
|
 66ef2dea4d06c_rrr01.exe 59f2f7f0cf8faf41dbb0a7878b5d66bb
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege AntiVM_Disk VM Disk Size Check DNS |
|
2
45.33.6.223
62.210.113.223
|
|
|
4.2 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48278 |
2024-09-22 18:01
|
niceworkonudpationprocesstoget... d63c7600ca42fe65af91ae662ef7b637
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed |
|
3
maan2u.com(112.137.173.77) - mailcious
107.175.243.142 - mailcious
112.137.173.77 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48279 |
2024-09-22 18:03
|
 gf9.exe c9298899bde5efb635d28f14a6c62125
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS |
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
10.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48280 |
2024-09-22 18:06
|
 needmoney.exe 7fa5c660d124162c405984d14042506f
Malicious Library UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware unpack itself ComputerName crashed |
|
|
|
|
3.2 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48281 |
2024-09-22 18:07
|
 Name.exe 922ddb400915ecc12148b5502b5b7748
PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48282 |
2024-09-22 18:10
|
seethebestwayforunderstandtheg... 05a89145fa97e81da22c0102237b689f
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
|
3
ia803104.us.archive.org(207.241.232.154) - malware
23.94.148.16 - mailcious
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48283 |
2024-09-22 18:12
|
 LummaC222222.exe 49ac2a0a553de507388c97455531588b
UPX PE File PE32 |
|
|
|
|
|
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48284 |
2024-09-22 18:16
|
 fck.exe d8a0d9575d0188e8d0420c1d70d04cb2
Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
0.4 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48285 |
2024-09-22 18:16
|
 xx.exe cdb08964f95490ea413b0202f9d4576f
Gen1 Generic Malware Malicious Library ASPack UPX Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Checks debugger Creates executable files |
|
|
|
|
2.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|