Sandbox submission listing, records 5821 to 5835, all submitted on 2024-02-07 by ZeroCERT. Each record below gives ID, submission time, file name and MD5, then the sandbox tags, the contacted URLs and hosts (resolved IP in parentheses, feed verdict in brackets), the network alerts and the malicious download URLs (each with its count, omitted when the record has none), then score, flag, VirusTotal detection count (blank where the sample carries no VirusTotal tag) and submitter. Column labels are inferred from the row layout; the original page header is not part of this extract.

ID 5821 | 2024-02-07 18:30 | 20a6e2ae.exe | MD5 28714b46faf9526f294e3361a8b07da5
  Tags: PE32, PE File, .NET EXE, VirusTotal, Malware, PDB, Check memory, Checks debugger, unpack itself
  Score 2.6 | Flag M | VT detections 41 | Submitter ZeroCERT
ID 5822 | 2024-02-07 18:29 | booking.exe | MD5 02544f92ccf3b68f5e2f3dd507571417
  Tags: Suspicious_Script_Bin, Malicious Library, UPX, .NET framework(MSIL), AntiDebug, AntiVM, PE32, PE File, OS Processor Check, .NET EXE, VirusTotal, Malware, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Windows, ComputerName, Remote Code Execution, Cryptographic key
  Score 11.8 | Flag - | VT detections 50 | Submitter ZeroCERT
ID 5823 | 2024-02-07 18:28 | happybabygirl.vbs | MD5 0287a027d55b1b828ee376c5ec5a49f4
  Tags: VirusTotal, Malware, wscript.exe, payload download, Tofsee
  URLs (2):
    http://paste.ee/d/C7vB8
    https://paste.ee/d/C7vB8
  Hosts (2): paste.ee (104.21.84.67) [malicious]; 104.21.84.67 [malware]
  Alerts (2):
    ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score 2.6 | Flag - | VT detections 3 | Submitter ZeroCERT
ID 5824 | 2024-02-07 18:27 | conhost.exe | MD5 d5bb377745f31568c0c859082ac014fa
  Tags: PE32, PE File, .NET EXE, VirusTotal, Malware, PDB, suspicious privilege, Check memory, Checks debugger, unpack itself
  Score 3.0 | Flag M | VT detections 28 | Submitter ZeroCERT
ID 5825 | 2024-02-07 18:26 | microsoftballonprocessmethodis... | MD5 7f9e5a43667c46a0443441a49c96c769
  Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
  URLs (3):
    http://107.174.212.6/44551/babyangelheaven.vbs
    http://paste.ee/d/Obpny
    https://paste.ee/d/Obpny
  Hosts (3): paste.ee (172.67.187.200) [malicious]; 107.174.212.6 [malicious]; 172.67.187.200 [malicious]
  Alerts (3):
    ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO Dotted Quad Host VBS Request
  Score 4.6 | Flag M | VT detections 34 | Submitter ZeroCERT
ID 5826 | 2024-02-07 18:25 | ss_conn_service.exe | MD5 4fd20b83f785393e13bf3734fb9ed52f
  Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, VirusTotal, Malware, PDB, Check memory, Checks debugger, unpack itself, Windows, DNS, Cryptographic key
  Hosts (1): not listed in the extract
  Score 4.2 | Flag - | VT detections 16 | Submitter ZeroCERT
ID 5827 | 2024-02-07 15:58 | AnyDesk_setup.exe | MD5 75eecc3a8b215c465f541643e9c4f484
  Tags: UPX, PE32, PE File, VirusTotal, Malware, PDB, Check memory, WMI, unpack itself, Check virtual network interfaces, sandbox evasion, anti-virtualization, ComputerName, Software, AnyDesk
  Hosts (2): boot.net.anydesk.com (92.223.88.41); 92.223.88.232
  Alerts (1):
    ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
  Score 5.4 | Flag - | VT detections 2 | Submitter ZeroCERT
ID 5828 | 2024-02-07 10:07 | 1.exe | MD5 3ae39f0bbdf786e7616d65c3a9b82a05
  Tags: Antivirus, UPX, PE32, PE File, .NET EXE, OS Processor Check, Lnk Format, GIF Format, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName
  Score 4.4 | Flag - | VT detections - | Submitter ZeroCERT
ID 5829 | 2024-02-07 09:58 | plaza.exe | MD5 335d5775c28ccd69cdd1e8e2a515b6c8
  Tags: Client SW User Data Stealer, browser info stealer, Themida Packer, Generic Malware, Google Chrome User Data, Downloader, Malicious Packer, UPX, Malicious Library, Code injection, Http API, PWS, Create Service, Socket, DGA, ScreenShot, Escalate priviledges, Steal cred, Browser Info Stealer, Malware download, FTP Client Info Stealer, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, Disables Windows Security, Checks Bios, Collect installed applications, Detects VMWare, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, sandbox evasion, WriteConsoleW, VMware, anti-virtualization, IP Check, VM Disk Size Check, installed browsers check, Tofsee, Ransomware, Windows Update, Exploit, Browser, RisePro, Email, ComputerName, DNS, Software, crashed, Downloader
  URLs (15):
    http://193.233.132.167/mine/plaza.exe (rule_id 39347)
    http://193.233.132.167/cost/ladas.exe (rule_id 39348)
    http://193.233.132.167/cost/fu.exe (rule_id 39344)
    http://193.233.132.167/mine/amert.exe (rule_id 39345)
    http://193.233.132.167/cost/niks.exe (rule_id 39346)
    http://www.maxmind.com/geoip/v2.1/city/me
    https://www.google.com/favicon.ico
    https://db-ip.com/demo/home.php?s=175.208.134.152
    https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
    https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp28tnRArG_VN8BI9dfzHYakq9N2zEEx8cxLdaF94Kjjq2DERGsvvHIjjqW9ygxAMghmBqY2&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2114938119%3A1707266605169843
    https://accounts.google.com/
    https://accounts.google.com/_/bscframe
    https://accounts.google.com/generate_204?TjCi7Q
    https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2HN8VLVuuwKfA0fxKKg5d9ZDbUME-wmo6yxQxKMid1cKFB360oS5JNvk6nx6RGqmFrMRQe
    https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  Hosts (14): db-ip.com (172.67.75.166); www.google.com (172.217.161.228); ssl.gstatic.com (172.217.161.195); ipinfo.io (34.117.186.192); accounts.google.com (64.233.188.84); www.maxmind.com (104.18.146.235); 104.18.145.235; 104.26.4.15; 173.194.174.84; 193.233.132.62 [malicious]; 34.117.186.192; 142.251.220.35; 193.233.132.167 [malware]; 142.251.220.4
  Alerts (12):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE RisePro TCP Heartbeat Packet
    ET MALWARE [ANY.RUN] RisePro TCP (Token)
    ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
    ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
    ET MALWARE RisePro CnC Activity (Inbound)
    ET MALWARE [ANY.RUN] RisePro TCP (Activity)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET INFO Packed Executable Download
  Malicious URLs (5):
    http://193.233.132.167/mine/plaza.exe
    http://193.233.132.167/cost/ladas.exe
    http://193.233.132.167/cost/fu.exe
    http://193.233.132.167/mine/amert.exe
    http://193.233.132.167/cost/niks.exe
  Score 25.4 | Flag M | VT detections - | Submitter ZeroCERT
ID 5830 | 2024-02-07 09:49 | may.exe | MD5 b7c2f2c7bc17e610c69a15f8090753b7
  Tags: Emotet Gen1, Malicious Library, UPX, Anti_VM, PE32, PE File, MZP Format, DllRegisterServer, dll, OS Processor Check, PE64, DLL, ftp, VirusTotal, Malware, Checks debugger, Creates executable files, unpack itself, AppData folder, Windows, ComputerName, crashed
  Score 4.2 | Flag M | VT detections 12 | Submitter ZeroCERT
ID 5831 | 2024-02-07 09:47 | niks.exe | MD5 3f5e1dc9589f4a74df9c3b8b53af5719
  Tags: PE32, PE File, .NET EXE, suspicious privilege, Checks debugger, unpack itself, Disables Windows Security, Windows Update, ComputerName, crashed
  Score 4.2 | Flag M | VT detections - | Submitter ZeroCERT
ID 5832 | 2024-02-07 09:46 | ladas.exe | MD5 3abeb1a3fd51f3ab844411ae46be1f6a
  Tags: UPX, PE32, PE File, Malware download, Malware, AutoRuns, MachineGuid, Checks debugger, unpack itself, Windows utilities, Checks Bios, Detects VMWare, suspicious process, WriteConsoleW, VMware, anti-virtualization, IP Check, Tofsee, Windows, RisePro, ComputerName, DNS, crashed
  URLs (2):
    http://www.maxmind.com/geoip/v2.1/city/me
    https://db-ip.com/demo/home.php?s=175.208.134.152
  Hosts (7): ipinfo.io (34.117.186.192); db-ip.com (172.67.75.166); www.maxmind.com (104.18.145.235); 104.26.5.15; 193.233.132.62 [malicious]; 34.117.186.192; 104.18.145.235
  Alerts (4):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE RisePro TCP Heartbeat Packet
    ET MALWARE [ANY.RUN] RisePro TCP (Token)
    ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  Score 9.6 | Flag - | VT detections - | Submitter ZeroCERT
ID 5833 | 2024-02-07 09:25 | newmicrosoftupgradeisveryimpor... | MD5 feae475c805c9a6bc0dce1922ff54d9b
  Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
  URLs (3):
    http://paste.ee/d/cV1eC
    https://paste.ee/d/cV1eC
    http://172.245.135.142/3106/watermillon.vbs
  Hosts (3): paste.ee (104.21.84.67) [malicious]; 172.67.187.200 [malicious]; 172.245.135.142 [malicious]
  Alerts (3):
    ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO Dotted Quad Host VBS Request
  Score 4.6 | Flag M | VT detections 35 | Submitter ZeroCERT
ID 5834 | 2024-02-07 09:23 | watermillon.vbs | MD5 fb2db02162fdb9cf1ff46c0ea22026e3
  Tags: VirusTotal, Malware, wscript.exe, payload download, Tofsee
  URLs (2):
    http://paste.ee/d/cV1eC
    https://paste.ee/d/cV1eC
  Hosts (2): paste.ee (172.67.187.200) [malicious]; 104.21.84.67 [malware]
  Alerts (2):
    ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score 2.0 | Flag M | VT detections 5 | Submitter ZeroCERT
ID 5835 | 2024-02-07 09:21 | lumma.exe | MD5 c9babbaf26dae390499b2b9209904871
  Tags: Malicious Library, UPX, ScreenShot, AntiDebug, AntiVM, PE32, PE File, OS Processor Check, VirusTotal, Malware, Code Injection, Checks debugger, buffers extracted, unpack itself, Remote Code Execution, crashed
  Score 6.6 | Flag M | VT detections 29 | Submitter ZeroCERT
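Records 5833 (the RTF dropper) and 5834 (the watermillon.vbs it fetches) share the paste.ee paste ID cV1eC and the resolved IPs 104.21.84.67 and 172.67.187.200, which is the kind of cross-record link an analyst pivots on. The Python below is an added example, not part of the original listing or of the sandbox that produced it: it parses records in the raw pipe-delimited export form in which this listing was extracted (ID line, date line, a "|" line, the file line, four "|"-terminated sections, then score, flag, VirusTotal count and submitter) and reports every indicator that two or more samples touched. The SAMPLE string holds records 5833 and 5834 copied from the page in that raw form with the trailing empty separator lines dropped; the field names are inferred from the row layout and are not the sandbox's own.

```python
# Added example, not part of the original listing: parse the raw pipe-delimited
# sandbox export and pivot on shared infrastructure. SAMPLE holds records 5833
# and 5834 copied from the page (trailing empty '|' lines dropped); field names
# are inferred from the row layout, not taken from the sandbox.
import re

SAMPLE = """\
5833
2024-02-07 09:25
|
newmicrosoftupgradeisveryimpor... feae475c805c9a6bc0dce1922ff54d9b MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://paste.ee/d/cV1eC
https://paste.ee/d/cV1eC
http://172.245.135.142/3106/watermillon.vbs
|
3
paste.ee(104.21.84.67) - malicious 172.67.187.200 - malicious
172.245.135.142 - malicious
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.6 |
M
35
ZeroCERT
5834
2024-02-07 09:23
|
watermillon.vbs fb2db02162fdb9cf1ff46c0ea22026e3VirusTotal Malware wscript.exe payload download Tofsee |
2
http://paste.ee/d/cV1eC https://paste.ee/d/cV1eC
|
2
paste.ee(172.67.187.200) - malicious 104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
M
5
ZeroCERT
"""

MD5_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}")  # the MD5 may be fused to the next tag
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_listing(text):
    """One dict per record: ID, date, '|', file line, then four '|'-terminated sections
    (URLs, hosts, alerts, malicious URLs: a count line plus content lines, or empty),
    then score, flag, VirusTotal detection count and submitter."""
    lines, i, records = text.splitlines(), 0, []
    while i < len(lines):
        if not re.fullmatch(r"\d{4}", lines[i]):  # records start with a 4-digit ID
            i += 1
            continue
        rec = {"id": lines[i], "date": lines[i + 1]}
        i += 2
        while lines[i] == "|":  # separator(s) before the file line
            i += 1
        file_line = lines[i].rstrip(" |")
        m = MD5_RE.search(file_line)
        rec["name"], rec["md5"] = file_line[:m.start()].strip(), m.group(0)
        rec["tags"] = file_line[m.end():].strip()
        sections, i = [], i + 1
        while len(sections) < 4:
            block = []
            while lines[i] != "|":
                block.append(lines[i])
                i += 1
            sections.append(" ".join(block[1:]))  # block[0] is the item count
            i += 1
        rec["urls"] = URL_RE.findall(sections[0])
        rec["ips"] = sorted(set(IP_RE.findall(sections[1])))
        rec["alerts"] = sections[2]
        rec["score"] = float(lines[i].rstrip(" |"))
        rec["flag"], rec["vt"], rec["submitter"] = (s.strip(" |") for s in lines[i + 1:i + 4])
        i += 4
        records.append(rec)
    return records

def pivot(records):
    """Indicators (resolved IPs, paste.ee paste IDs) shared by two or more records,
    mapped to the MD5s that touched them: the links worth chasing across samples."""
    seen = {}
    for r in records:
        keys = ["ip:" + ip for ip in r["ips"]]
        keys += ["paste:" + p for u in r["urls"] for p in re.findall(r"paste\.ee/d/(\w+)", u)]
        for k in keys:
            seen.setdefault(k, set()).add(r["md5"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for r in parse_listing(SAMPLE):
        print(r["id"], r["name"], r["md5"], "score", r["score"], "VT", r["vt"], r["urls"])
    for k, md5s in sorted(pivot(parse_listing(SAMPLE)).items()):
        print("pivot", k, "->", ", ".join(md5s))
```

Run on the two sample records it reports three pivots (the paste ID cV1eC and the two Cloudflare-fronted paste.ee IPs) and leaves 172.245.135.142 out, since only the RTF record contacted it. Feed the full export in and the same pivot surfaces 193.233.132.167 and 193.233.132.62 as the link between plaza.exe (5829) and ladas.exe (5832).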