5311 | 2024-05-02 07:23 | get.php | 378532ba8c8073c2639528b08b15047b
Tags: Malicious Library PE File .NET EXE PE32 Malware download njRAT VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself DNS
Hosts (3): 4.tcp.ngrok.io(3.133.207.110) - malicious; 3.138.180.119; 3.131.147.49
Alerts (3): ET INFO DNS Query to a *.ngrok domain (ngrok.io); ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll); SURICATA Applayer Detect protocol only one direction
2.8 | | 61 | ZeroCERT
5312 | 2024-05-02 07:22 | jSB8SNaV.exe | af593a9f7ef816da78b444227537c5f2
Tags: Gen1 Generic Malware Malicious Library Malicious Packer UPX PE64 PE File OS Processor Check VirusTotal Malware PDB
1.6 | | 36 | ZeroCERT
5313 | 2024-05-02 07:20 | see.exe | e908276b036728bc78a3dea637580af2
Tags: AgentTesla Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs: 1
Hosts (2): api.ipify.org(104.26.13.205); 104.26.12.205
Alerts (3): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.2 | | 32 | ZeroCERT
5314 | 2024-05-02 07:20 | scg.exe | 9e5e6b8901f999088856e0eb04746864
Tags: Malicious Library Malicious Packer UPX PE64 PE File VirusTotal Malware MachineGuid
Hosts (2): scll.netlify.com(18.139.194.139); 46.137.195.11 - malware
3.2 | | 44 | ZeroCERT
5315 | 2024-05-01 17:04 | wedesingedfisherboattoundersta... | 0930bc0ba7c5af0fd2ee2a78a98faa22
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs: 1
Hosts (3): paste.ee(104.21.84.67) - malicious; 107.172.31.6 - malicious; 104.21.84.67 - malware
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 37 | ZeroCERT
5316 | 2024-05-01 17:02 | fishermansaidyouaremyloverbeca... | 1d4987e736173e36c054c48f4354ab4d
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs: 1
Hosts (4): paste.ee(104.21.84.67) - malicious; 107.175.242.96 - malicious; 172.67.187.200 - malicious; 45.33.6.223
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 35 | ZeroCERT
5317 | 2024-05-01 17:01 | bin.exe | 4160db87b054d159be5eb8ee4cd27c38
Tags: Generic Malware Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 DLL Browser Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Browser DNS
URLs (21):
Hosts (21):
Alerts (2): ET DNS Query to a *.top domain - Likely Hostile; ET INFO HTTP Request to a *.top domain
11.0 | M | 49 | ZeroCERT
5318 | 2024-05-01 17:01 | softmindwithagoodheartpersonwi... | 086511c0267905cbda55ede83eb8d7d0
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed
Hosts: 1
5.0 | M | 37 | ZeroCERT
5319 | 2024-05-01 17:00 | jfesawdr.exe | 9fb56dd5b5beb0b9c5d0102f22373c0b
Tags: Generic Malware Downloader Malicious Library UPX VMProtect Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 OS Processo VirusTotal Malware PDB Code Injection Creates executable files unpack itself AppData folder ComputerName Remote Code Execution
4.6 | M | 47 | ZeroCERT
5320 | 2024-05-01 16:59 | wearegoingtobegoodwithmebecaus... | f34f96b8cd842e5709a476360c30a4d2
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader
Hosts: 1
Alerts (7): ET MALWARE Possible MalDoc Payload Download Nov 11 2014; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.0 | M | 37 | ZeroCERT
5321 | 2024-05-01 16:57 | realtekmonitor.exe | 6adbec7e5713644931e8e5815ed56356
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware
1.4 | M | 24 | ZeroCERT
5322 | 2024-05-01 16:57 | iwanttokiswithlotoflovesheismy... | d1ff78be8248efe25e0710b7508f4d59
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2): http://104.168.45.23/9090/imageveryclearfisherman.gif; https://paste.ee/d/xsPQV
Hosts (4): paste.ee(172.67.187.200) - malicious; 141.94.96.144 - malicious; 172.67.187.200 - malicious; 104.168.45.23 - malicious
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 37 | ZeroCERT
5323 | 2024-05-01 16:56 | shitload.exe | 36010b83bccfcd1032971df9fc5082a1
Tags: Worm Phorpiex Generic Malware Malicious Library Downloader Admin Tool (Sysinternals etc ...) Malicious Packer UPX PE File PE32 Malware download VirusTotal Malware Buffer PE AutoRuns Malicious Traffic Checks debugger buffers extracted Creates executable files ICMP traffic Disables Windows Security AppData folder Windows Update DNS
URLs (9): http://185.215.113.66/_1; http://185.215.113.66/_3; http://185.215.113.66/_2; http://185.215.113.66/3 - rule_id: 26696; http://185.215.113.66/2 - rule_id: 26695; http://185.215.113.66/1 - rule_id: 26694; http://193.233.132.177/_1; http://193.233.132.177/_3; http://193.233.132.177/_2
Hosts (25):
Alerts (4): ET DROP Spamhaus DROP Listed Traffic Inbound group 32; ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC; ET DROP Spamhaus DROP Listed Traffic Inbound group 13; ET DROP Spamhaus DROP Listed Traffic Inbound group 37
Downloads (3): http://185.215.113.66/3; http://185.215.113.66/2; http://185.215.113.66/1
13.8 | M | 57 | ZeroCERT
5324 | 2024-05-01 16:55 | svchostMon.exe | f5a52d7f38e29a3749139aef116c1809
Tags: PE64 PE File Malware download Amadey VirusTotal Cryptocurrency Miner Malware Malicious Traffic unpack itself DNS CoinMiner SilentCryptoMiner
URLs (1): http://miner1.squezz.com/api/endpoint.php
Hosts (5): miner1.squezz.com(185.250.47.93); pool.supportxmr.com(141.94.96.71) - malicious; 141.94.96.144 - malicious; 185.250.47.93 - malware; 141.94.96.71
Alerts (3): ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com); ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3; ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
3.0 | M | 54 | ZeroCERT
5325 | 2024-04-30 10:06 | PAP46E1UkZ.exe | bb1cb5cd557cac752ccea3f4ba806709
Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE64 PE File ftp OS Processor Check DLL PE32 ZIP Format VirusTotal Malware Check memory Creates executable files AppData folder Ransomware
4.0 | M | 37 | ZeroCERT