5836 | 2024-03-21 07:28 | may.exe | MD5 0510338646cc1ba136cc3f6ebed04a0e | submitted by ZeroCERT
  Tags: Emotet Gen1 Malicious Library UPX Antivirus PE File PE32 MZP Format DllRegisterServer dll OS Processor Check PE64 DLL VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName crashed
  Score: 4.2 | M | VirusTotal: 5

5837 | 2024-03-21 07:26 | june.exe | MD5 0f12e18f3a4da6647273810de0ac63a0 | submitted by ZeroCERT
  Tags: Emotet Gen1 Malicious Library UPX Antivirus PE File PE32 MZP Format PE64 OS Processor Check DllRegisterServer dll DLL VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName crashed
  Score: 3.6 | M | VirusTotal: 6

5838 | 2024-03-21 07:26 | cry.exe | MD5 960eb4d74f0f0c05c4c43ce1e98bf571 | submitted by ZeroCERT
  Tags: Client SW User Data Stealer LokiBot Craxs RAT ftp Client info stealer Http API PWS Code injection AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself malicious URLs Tofsee ComputerName DNS crashed
  URLs (1): https://steamcommunity.com/profiles/76561199654112719
  Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.78.101) - mailcious; 149.154.167.99 - mailcious; 118.214.72.32; 116.202.5.172
  Signatures (3): ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 11.4 | M | VirusTotal: 51

5839 | 2024-03-21 07:24 | control.exe | MD5 1c35fbe0502a246c9e89d91c80ab65f6 | submitted by ZeroCERT
  Tags: Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself
  Score: 2.0 | M | VirusTotal: 58

5840 | 2024-03-21 07:23 | rty45.exe | MD5 a3cc4a0054f5c47f3513117efaf2f335 | submitted by ZeroCERT
  Tags: Generic Malware Malicious Packer UPX PE64 PE File VirusTotal Malware PDB unpack itself Check virtual network interfaces Tofsee Remote Code Execution DNS
  URLs (1): (not listed)
  Hosts (5): i.alie3ksgaa.com(39.109.117.123) - mailcious; x1.i.lencr.org(23.52.33.11); 104.26.5.15; 23.41.113.9; 39.109.117.123 - malware
  Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 3.6 | M | VirusTotal: 36

5841 | 2024-03-21 07:21 | crypted.exe | MD5 9b5a036b6c0ad4683c19fd0a5737d296 | submitted by ZeroCERT
  Tags: Craxs RAT ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 PDB Code Injection Check memory Checks debugger buffers extracted unpack itself crashed
  Score: 6.4 | M | VirusTotal: -

5842 | 2024-03-21 07:20 | ohara.exe | MD5 282dedc28c435180f5cf202ed21d8360 | submitted by ZeroCERT
  Tags: Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Malware download Malware AutoRuns MachineGuid Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS
  URLs (2): http://www.maxmind.com/geoip/v2.1/city/me; https://db-ip.com/demo/home.php?s=175.208.134.152
  Hosts (7): ipinfo.io(34.117.186.192); db-ip.com(172.67.75.166); www.maxmind.com(104.18.145.235); 193.233.132.74; 104.26.5.15; 34.117.186.192; 104.18.145.235
  Signatures (6): ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET MALWARE [ANY.RUN] RisePro TCP (Activity); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  Score: 4.4 | M | VirusTotal: -

5843 | 2024-03-21 07:20 | devon.exe | MD5 371a4e1549f6661f09384749a9926a4d | submitted by ZeroCERT
  Tags: CryptBot Amadey Themida Packer Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX Antivirus Socket ScreenShot Steal credential DNS Code injection Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check ZIP Format MSOffice File icon Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare powershell.exe wrote suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader
  URLs (15): http://193.233.132.56/Pneh2sXQk0/index.php; http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll; http://193.233.132.62:57893/hera/amadka.exe - rule_id: 39491; http://www.maxmind.com/geoip/v2.1/city/me; http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll; http://193.233.132.167/cost/go.exe; https://accounts.google.com/generate_204?6agu2w; https://www.google.com/favicon.ico; https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKfANW_2eFTWdDeN5HinidXCwyBeS0Y2PAvuefzuSx80bKxRyj5_F-pSH27ZfD62yOZVr9r_w; https://db-ip.com/demo/home.php?s=175.208.134.152; https://accounts.google.com/_/bscframe; https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko; https://www.youtube.com/account; https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&ifkv=ARZ0qKIvg7vJWFF19pPUmFpbrYpZ2wDfEbQxD45GdZ4-8awPZfwqI0kh_ZqzmAl3O8W2rHLHGh8FgQ&passive=true&service=youtube&uilel=3&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-251614898%3A1710972868354406; https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  Hosts (18): db-ip.com(172.67.75.166); www.google.com(142.250.207.100); www.youtube.com(142.250.76.142) - mailcious; ssl.gstatic.com(172.217.25.163); ipinfo.io(34.117.186.192); accounts.google.com(64.233.188.84); www.maxmind.com(104.18.146.235); 142.251.220.78; 74.125.203.84; 104.18.145.235; 34.117.186.192; 193.233.132.74; 193.233.132.62 - mailcious; 193.233.132.56 - malware; 142.251.222.196; 104.26.5.15; 193.233.132.167 - malware; 142.250.199.67
  Signatures (16): ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET MALWARE [ANY.RUN] RisePro TCP (External IP); ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration); ET MALWARE RisePro CnC Activity (Inbound); ET MALWARE [ANY.RUN] RisePro TCP (Activity); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET INFO Dotted Quad Host DLL Request; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  Rule-matched URL (1): http://193.233.132.62:57893/hera/amadka.exe
  Score: 29.4 | M | VirusTotal: 24

5844 | 2024-03-21 07:19 | timeSync.exe | MD5 287c0ab11acffca7b5ce14f4d8ae3f4d | submitted by ZeroCERT
  Tags: Malicious Library UPX PE File PE32 OS Processor Check unpack itself
  Score: 0.4 | M | VirusTotal: -

5845 | 2024-03-21 07:19 | random.exe | MD5 2e9936ceff7cb899d72ae573cb8ca876 | submitted by ZeroCERT
  Tags: CryptBot PE File PE32 Malware download Malware AutoRuns MachineGuid unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
  URLs (2): http://www.maxmind.com/geoip/v2.1/city/me; https://db-ip.com/demo/home.php?s=175.208.134.152
  Hosts (8): ipinfo.io(34.117.186.192); db-ip.com(104.26.5.15); www.maxmind.com(104.18.146.235); 104.18.145.235; 104.26.4.15; 34.117.186.192; 193.233.132.62 - mailcious; 193.233.132.56 - malware
  Signatures (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Token); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  Score: 9.8 | M | VirusTotal: -

5846 | 2024-03-21 07:17 | risepro67.exe | MD5 f1e9663c2a81ddbf2b94ad43072a954a | submitted by ZeroCERT
  Tags: Craxs RAT PE File .NET EXE PE32 PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
  Score: 1.8 | M | VirusTotal: -

5847 | 2024-03-20 16:30 | HxD32.exe | MD5 804f06b24fba7ba4e1122faf2b119a2b | submitted by guest
  Tags: Emotet PhysicalDrive Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware Checks debugger unpack itself crashed
  Score: 2.0 | - | VirusTotal: 1

5848 | 2024-03-20 14:38 | HeaderFinder.exe | MD5 5f3c52c804bf6adadac97e2e53179bee | submitted by r0d
  Tags: Icarus Stealer PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself
  Score: 3.0 | M | VirusTotal: 40

5849 | 2024-03-20 08:17 | HeaderFinder.exe | MD5 5f3c52c804bf6adadac97e2e53179bee | submitted by ZeroCERT
  Tags: PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself
  Score: 3.0 | M | VirusTotal: 40

5850 | 2024-03-20 08:15 | thost.exe | MD5 11e28d2499f7c530a6b28db768d10a0a | submitted by ZeroCERT
  Tags: UPX PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself
  Score: 2.4 | M | VirusTotal: 38