| 5881 |
2024-02-05 07:51
|
 gzz.exe 7d9c852903de2a824aa3f80dd1ab2b89
UPX PE File PE64 unpack itself DNS |
|
4
175.24.197.196 - malware
172.67.75.166
104.18.146.235
118.195.148.176
|
|
|
2.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5882 |
2024-02-05 07:49
|
 32.exe 9f0408f176f9f9d3095be30eaf39f08f
Generic Malware Malicious Library Malicious Packer Antivirus UPX Anti_VM PE32 PE File OS Processor Check Malware download NetWireRC Malware GhostRAT PDB Check memory AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check Browser |
|
2
i.wanna.see.20242525.xyz(175.24.197.196)
175.24.197.196
|
1
ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive
|
|
2.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5883 |
2024-02-05 07:49
|
 lux32.exe 2d129049627290cb0ece76e92a8643aa
Generic Malware Malicious Library Malicious Packer Antivirus UPX Anti_VM PE32 PE File OS Processor Check PDB DNS |
|
1
|
|
|
2.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5884 |
2024-02-05 07:47
|
 dota.exe efc03ba934fc40778b5ad928025b9ba3
Themida Packer Malicious Library UPX Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File MSOffice File OS Processor Check ZIP Format .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
13
http://109.107.182.3/cost/niks.exe - rule_id: 39168
http://109.107.182.3/cost/fu.exe
http://www.maxmind.com/geoip/v2.1/city/me
http://109.107.182.3/cost/vinu.exe - rule_id: 39178
https://www.google.com/favicon.ico
https://db-ip.com/demo/home.php?s=175.208.134.152
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?yc322w
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp1ZKKpOCIP9ZhPVdQk16OHjygMq5RScsY2K_tbWFUe9lSpTfcKeSmk4WaOW_cKsaxe28G9q&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1693574939%3A1707086594246543
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0cbcYDHZ0LNWjCdxhBl1JZbfzpWSMZ2RZiwEgp20MHlmXJ63zEd0mcXRVhE5CQ3iLdzPzZ
|
14
db-ip.com(172.67.75.166)
www.google.com(142.250.206.228)
ssl.gstatic.com(172.217.25.163)
ipinfo.io(34.117.186.192)
accounts.google.com(64.233.188.84)
www.maxmind.com(104.18.145.235)
172.67.75.166
104.18.146.235
34.117.186.192
172.217.25.4 - suspicious
193.233.132.62 - mailcious
142.251.220.35
109.107.182.3 - mailcious
74.125.23.84
|
13
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Packed Executable Download
|
2
http://109.107.182.3/cost/niks.exe
http://109.107.182.3/cost/vinu.exe
|
23.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5885 |
2024-02-05 07:47
|
 admin.exe cf9517248d87d99d6a04d7247c9a96d2
Malicious Library PE File PE64 RWX flags setting DNS |
|
1
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5886 |
2024-02-05 07:47
|
 321.exe f50536d2ac683c7edc8706198103ccb8
PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5887 |
2024-02-05 07:43
|
 Intelligence.exe 205557b4a34f1c6ed8fac7abf5282870
North Korea Malicious Library UPX PE32 PE File .NET EXE OS Processor Check PDB Check memory Checks debugger unpack itself ComputerName Remote Code Execution |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5888 |
2024-02-04 17:26
|
 may.exe 3d7038e19336d8021079d081b3968c97
Emotet Gen1 Malicious Library UPX Anti_VM PE32 PE File MZP Format OS Processor Check DllRegisterServer dll PE64 DLL ftp VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName DNS crashed |
|
1
|
|
|
4.8 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5889 |
2024-02-04 17:22
|
 Ipotrb.exe e0deb2fc7bb606d0f2b1ef5f3ca8a857
Generic Malware Antivirus PE32 PE File .NET EXE Malware download AsyncRAT NetWireRC VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Ransomware Windows ComputerName DNS Cryptographic key |
|
1
|
4
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SURICATA Applayer Detect protocol only one direction
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
8.8 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5890 |
2024-02-04 17:20
|
 studycomputingpro.exe 2b43471ea8864a15a49f4203aa2a4bc9
PE File PE64 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5891 |
2024-02-04 17:20
|
 LoTR.exe 496ce3c7173dc70d020beb2fe1c25f3b
Generic Malware Antivirus PE32 PE File .NET EXE Malware download AsyncRAT NetWireRC VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Ransomware Windows ComputerName DNS Cryptographic key |
|
1
|
4
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SURICATA Applayer Detect protocol only one direction
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
9.8 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5892 |
2024-02-04 17:18
|
x.......x.......x.......x.doC 30776225f54785b7099a83401ad50a2a
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
4
http://www.passiveprofitshomemadehappy.com/cg86/?tXU8Ezu=3TFdxd21UEn580arE2lD9dsITMetQoYbfxDX9SbFu7HGXATIwyt7pLNjhS7cAsyB3b6jQav7&CTs0=ctxDHjNp
http://www.vxscnb.cfd/cg86/?tXU8Ezu=Huw27SQ9cXMoEXGBgUH5+YQPTCmruNl8RJ6hwqvjms1t/fmUszNh6hLoNJce/1CkQtFWe6Ei&CTs0=ctxDHjNp
http://www.cerapoxy.net/cg86/?tXU8Ezu=LPXDmVohGtv5wuFdmALAYW70wKulzAjbDCCll5l94lbORgDVtLy+kE1Whz26neVdfmWeyLhO&CTs0=ctxDHjNp
http://107.174.212.74/4567/conhost.exe
|
8
www.passiveprofitshomemadehappy.com(104.16.13.194)
www.cerapoxy.net(3.33.152.147)
www.vxscnb.cfd(150.95.255.38)
3.33.152.147 - mailcious
104.16.13.194
212.224.86.223
150.95.255.38 - mailcious
107.174.212.74 - malware
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE FormBook CnC Checkin (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5893 |
2024-02-04 17:18
|
 V-12.exe a0da1a1c992508b1eee2c766af8d161e
Generic Malware Antivirus PE32 PE File .NET EXE Malware download AsyncRAT NetWireRC VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Ransomware Windows ComputerName DNS Cryptographic key |
|
3
172.67.75.166
212.224.86.223
104.18.146.235
|
4
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SURICATA Applayer Detect protocol only one direction
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
10.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5894 |
2024-02-04 17:18
|
 ladas.exe 131e1852763515da84f38dc27d08d2e2
RedLine Infostealer RedlineStealer RedLine stealer Amadey UltraVNC NSIS Themida Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX .NET framework(MSIL) Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File ZIP Format OS Processor Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName Trojan DNS Cryptographic key Software crashed Downloader CoinMiner |
23
http://109.107.182.3/lego/redline1234.exe - rule_id: 39165
http://185.172.128.127/syncUpd.exe - rule_id: 39250
http://109.107.182.3/lego/sadsadsadsa.exe - rule_id: 39166
http://109.107.182.3/cost/niks.exe - rule_id: 39168
http://109.107.182.3/lego/alex.exe - rule_id: 39110
http://109.107.182.3/lego/moto.exe - rule_id: 39111
http://185.172.128.90/cpa/ping.php?substr=nine&s=ab - rule_id: 38981
http://193.233.132.167/lend/crpta.exe
http://185.215.113.68/mine/amers.exe - rule_id: 39177
http://109.107.182.3/cost/vinu.exe - rule_id: 39178
http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
http://www.maxmind.com/geoip/v2.1/city/me
http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
http://185.215.113.68/theme/index.php - rule_id: 38935
https://www.google.com/favicon.ico
https://db-ip.com/demo/home.php?s=175.208.134.152
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp1vihYdYMcK55SVnfSt1kcjem1J9N7YxPBCjIHuYctGuYRJkwP6IDQz6oqA4fxY2JBTPdd18Q
https://accounts.google.com/generate_204?C8dR5A
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp3ZbinaYxU-gAnigtL1sC_NpjpOsF80BMSg-2AP5uNb6ghGt73hnRU04PcovA8yfmi1Yo-ozw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1611222706%3A1707034193384724
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
27
db-ip.com(104.26.5.15)
pool.hashvault.pro(131.153.76.130) - mailcious
www.google.com(172.217.161.228)
ssl.gstatic.com(142.250.196.99)
ipinfo.io(34.117.186.192)
accounts.google.com(64.233.188.84)
www.maxmind.com(104.18.145.235)
94.156.67.230 - mailcious
104.18.146.235
131.153.76.130 - mailcious
185.215.113.68 - malware
5.42.64.33 - mailcious
172.67.75.166
34.117.186.192
172.217.25.4 - suspicious
142.250.66.35
65.109.90.47 - mailcious
185.172.128.90 - mailcious
185.172.128.19 - mailcious
125.253.92.50
185.172.128.127 - malware
193.233.132.62 - mailcious
45.15.156.209 - mailcious
92.222.212.74
142.251.8.84
193.233.132.167 - malware
109.107.182.3 - mailcious
|
27
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RisePro CnC Activity (Inbound)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET INFO Packed Executable Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET POLICY Cryptocurrency Miner Checkin
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET MALWARE Single char EXE direct download likely trojan (multiple families)
|
12
http://109.107.182.3/lego/redline1234.exe
http://185.172.128.127/syncUpd.exe
http://109.107.182.3/lego/sadsadsadsa.exe
http://109.107.182.3/cost/niks.exe
http://109.107.182.3/lego/alex.exe
http://109.107.182.3/lego/moto.exe
http://185.172.128.90/cpa/ping.php
http://185.215.113.68/mine/amers.exe
http://109.107.182.3/cost/vinu.exe
http://185.215.113.68/theme/Plugins/clip64.dll
http://185.215.113.68/theme/Plugins/cred64.dll
http://185.215.113.68/theme/index.php
|
28.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5895 |
2024-02-04 17:16
|
 r.exe b3db8db328d89d5d301bdabd65901c33
Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|