5791 | 2024-02-09 04:07
merlin.js | 36f47633918675a107df6c1d1b0cc672
task schedule Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM unpack itself malicious URLs crashed
1.4 | guest

5792 | 2024-02-09 04:07
merlin.min.js | 2941b51484f9f83a0e3dfe592fd16957
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM malicious URLs crashed
1.0 | guest

5793 | 2024-02-08 18:10
putty.bat | f46a83e052ee544c9696654fb450d00a
Generic Malware Downloader Antivirus UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE32 PE File suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key
6.0 | ZeroCERT

5794 | 2024-02-08 18:06
ballonservicefrommicrosfotisgr... | 28e198167f8b55c4e5ba832afa4a2b60
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (3):
http://paste.ee/d/pQbyK - rule_id: 39359
https://paste.ee/d/pQbyK
http://83.143.104.148/3460/loveandlover.vbs
Hosts (3):
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
83.143.104.148 - mailcious
Alerts (3):
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 |
4.6 | M | 32 | ZeroCERT

5795 | 2024-02-08 18:04
wedfreshairgetfrommicrosfotbal... | 3740b9bffc150fd3f4c211caaa4bb385
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (3):
http://paste.ee/d/umYKc - rule_id: 39358
https://paste.ee/d/umYKc
http://172.245.214.91/wednewsmangero.vbs
Hosts (3):
paste.ee(104.21.84.67) - mailcious
172.245.214.91 - mailcious
172.67.187.200 - mailcious
Alerts (3):
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 |
4.6 | M | 33 | ZeroCERT

5796 | 2024-02-08 18:02
lumma123142124.exe | cad41f50c144c92747eee506f5c69a05
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 50 | ZeroCERT

5797 | 2024-02-08 18:00
Goldprime.exe | 7e9e39a623a04307eb499ff6617b9746
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 44 | ZeroCERT

5798 | 2024-02-08 17:59
Update.exe | db25dde66c6101eb5c357a1fecb34925
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check MachineGuid Check virtual network interfaces WriteConsoleW Tofsee
URLs (2):
http://apps.identrust.com/roots/dstrootcax3.p7c
https://anonhost.in/vlog2/uploads/putty.bat
Hosts (3):
anonhost.in(103.215.221.168) - malware
103.215.221.168 - malware
182.162.106.144
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.8 | M | | ZeroCERT

5799 | 2024-02-08 17:58
wednewsmangero.vbs | 3183b42ec0106c38fc5f9fb28cc5e789
VirusTotal Malware wscript.exe payload download Tofsee DNS
URLs (2):
http://paste.ee/d/umYKc
https://paste.ee/d/umYKc
Hosts (3):
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
104.26.4.15
Alerts (2):
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 7 | ZeroCERT

5800 | 2024-02-08 17:56
LM.exe | 196921b3788eac48b29d5ce802ff8e27
Admin Tool (Sysinternals etc ...) PE32 PE File VirusTotal Malware unpack itself crashed
2.0 | M | 30 | ZeroCERT

5801 | 2024-02-08 17:56
loveandlover.vbs | 6507643094054c35167c2eb65b8b3051
VirusTotal Malware wscript.exe payload download Tofsee
URLs (2):
http://paste.ee/d/pQbyK
https://paste.ee/d/pQbyK
Hosts (2):
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
Alerts (2):
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.0 | M | 7 | ZeroCERT

5802 | 2024-02-08 17:55
plaza.exe | 0aeac9446941d8e6a6cb29f6b55a6dc8
Themida Packer Malicious Packer UPX Malicious Library Anti_VM AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File Lnk Format GIF Format .NET EXE ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare suspicious process AppData folder AntiVM_Disk WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
URLs (18):
http://193.233.132.167/mine/plaza.exe - rule_id: 39347
http://193.233.132.167/cost/ladas.exe - rule_id: 39348
http://193.233.132.167/cost/fu.exe - rule_id: 39344
http://193.233.132.167/mine/amert.exe - rule_id: 39345
http://193.233.132.167/cost/niks.exe - rule_id: 39346
https://go-case.com/ea88eabe96f6e1d298bdbefcd87f3c2b89da8f81a109/37c8058f29e4cafa320a6bce6e2003846a12d0ac4e05.css
https://go-case.com/main/__API_PATH__
https://go-case.com/ea88eabe96f6e1d298bdbefcd87f3c2b89da8f81a109/8c04721601d4b0869688793cfdededac05f9e1b6527b.css
https://go-case.com/main/case
https://db-ip.com/demo/home.php?s=175.208.134.152
https://go-case.com/ea88eabe96f6e1d298bdbefcd87f3c2b89da8f81a109/6047737420655b305e8fcedbf6265131bd00500e096f.css
https://go-case.com/ea88eabe96f6e1d298bdbefcd87f3c2b89da8f81a109/47b3bb7687444f066efeaf7acf1fe209d1838913b526.css
https://go-case.com/ea88eabe96f6e1d298bdbefcd87f3c2b89da8f81a109/61cd0aa212eab546eed8d3a173521dd7e459f60a7786.css
https://cdnjs.cloudflare.com/ajax/libs/vue/2.6.11/vue.min.js
https://go-case.com/ea88eabe96f6e1d298bdbefcd87f3c2b89da8f81a109/b2c695698d09c07c061cb077414b1281d9d9222ba576.css
https://go-case.com/a35da298f2efef2b88faf0d96c576c2cd104dd05b22a/859642ba6002479054942d3fb64df2698fda97138bb9.js
https://go-case.com/66-l/script.js
https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Hosts (14):
db-ip.com(104.26.4.15)
ipinfo.io(34.117.186.192)
media.discordapp.net(162.159.134.232)
go-case.com(172.67.176.216)
code.jquery.com(151.101.194.137)
cdnjs.cloudflare.com(104.17.25.14) - mailcious
104.17.25.14
104.26.4.15
162.159.130.232
34.117.186.192
104.21.17.146
193.233.132.62 - mailcious
151.101.194.137
193.233.132.167 - malware
Alerts (13):
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET INFO Packed Executable Download
5 |
http://193.233.132.167/mine/plaza.exe
http://193.233.132.167/cost/ladas.exe
http://193.233.132.167/cost/fu.exe
http://193.233.132.167/mine/amert.exe
http://193.233.132.167/cost/niks.exe
23.0 | M | 39 | ZeroCERT

5803 | 2024-02-08 17:54
for.exe | 8c281571c5fdaf40aa847d90e5a81075
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 46 | ZeroCERT

5804 | 2024-02-08 17:53
photosensi.cur | f1d2fa9c23646b2e3718fb7e9f48e7a9
Suspicious_Script_Bin
| M | | ZeroCERT

5805 | 2024-02-08 14:01
키위파이낸셜_S.apk | c8df2c033cd82239668f2477adde9b2e
ZIP Format VirusTotal Malware
0.4 | | 7 | guest