5881 | 2024-02-05 07:51
gzz.exe 7d9c852903de2a824aa3f80dd1ab2b89 UPX PE File PE64 unpack itself DNS |
4
175.24.197.196 - malware 172.67.75.166 104.18.146.235 118.195.148.176
2.0 | M | ZeroCERT

5882 | 2024-02-05 07:49
32.exe 9f0408f176f9f9d3095be30eaf39f08f Generic Malware Malicious Library Malicious Packer Antivirus UPX Anti_VM PE32 PE File OS Processor Check Malware download NetWireRC Malware GhostRAT PDB Check memory AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check Browser |
2
i.wanna.see.20242525.xyz(175.24.197.196) 175.24.197.196
1
ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive
2.6 | ZeroCERT

5883 | 2024-02-05 07:49
lux32.exe 2d129049627290cb0ece76e92a8643aa Generic Malware Malicious Library Malicious Packer Antivirus UPX Anti_VM PE32 PE File OS Processor Check PDB DNS |
1
2.4 | ZeroCERT

5884 | 2024-02-05 07:47
dota.exe efc03ba934fc40778b5ad928025b9ba3 Themida Packer Malicious Library UPX Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File MSOffice File OS Processor Check ZIP Format .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
13
http://109.107.182.3/cost/niks.exe - rule_id: 39168 http://109.107.182.3/cost/fu.exe http://www.maxmind.com/geoip/v2.1/city/me http://109.107.182.3/cost/vinu.exe - rule_id: 39178 https://www.google.com/favicon.ico https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/generate_204?yc322w https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp1ZKKpOCIP9ZhPVdQk16OHjygMq5RScsY2K_tbWFUe9lSpTfcKeSmk4WaOW_cKsaxe28G9q&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1693574939%3A1707086594246543 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0cbcYDHZ0LNWjCdxhBl1JZbfzpWSMZ2RZiwEgp20MHlmXJ63zEd0mcXRVhE5CQ3iLdzPzZ
14
db-ip.com(172.67.75.166) www.google.com(142.250.206.228) ssl.gstatic.com(172.217.25.163) ipinfo.io(34.117.186.192) accounts.google.com(64.233.188.84) www.maxmind.com(104.18.145.235) 172.67.75.166 104.18.146.235 34.117.186.192 172.217.25.4 - suspicious 193.233.132.62 - mailcious 142.251.220.35 109.107.182.3 - mailcious 74.125.23.84
13
ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Packed Executable Download
2
http://109.107.182.3/cost/niks.exe http://109.107.182.3/cost/vinu.exe
23.2 | M | ZeroCERT

5885 | 2024-02-05 07:47
admin.exe cf9517248d87d99d6a04d7247c9a96d2 Malicious Library PE File PE64 RWX flags setting DNS |
1
2.0 | ZeroCERT

5886 | 2024-02-05 07:47
321.exe f50536d2ac683c7edc8706198103ccb8 PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself |
1.4 | M | ZeroCERT

5887 | 2024-02-05 07:43
Intelligence.exe 205557b4a34f1c6ed8fac7abf5282870 North Korea Malicious Library UPX PE32 PE File .NET EXE OS Processor Check PDB Check memory Checks debugger unpack itself ComputerName Remote Code Execution |
1.8 | ZeroCERT

5888 | 2024-02-04 17:26
may.exe 3d7038e19336d8021079d081b3968c97 Emotet Gen1 Malicious Library UPX Anti_VM PE32 PE File MZP Format OS Processor Check DllRegisterServer dll PE64 DLL ftp VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName DNS crashed |
1
4.8 | M | 9 | ZeroCERT

5889 | 2024-02-04 17:22
Ipotrb.exe e0deb2fc7bb606d0f2b1ef5f3ca8a857 Generic Malware Antivirus PE32 PE File .NET EXE Malware download AsyncRAT NetWireRC VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Ransomware Windows ComputerName DNS Cryptographic key |
1
4
SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SURICATA Applayer Detect protocol only one direction ET MALWARE Generic AsyncRAT Style SSL Cert
8.8 | M | 55 | ZeroCERT

5890 | 2024-02-04 17:20
studycomputingpro.exe 2b43471ea8864a15a49f4203aa2a4bc9 PE File PE64 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
2.2 | M | 54 | ZeroCERT

5891 | 2024-02-04 17:20
LoTR.exe 496ce3c7173dc70d020beb2fe1c25f3b Generic Malware Antivirus PE32 PE File .NET EXE Malware download AsyncRAT NetWireRC VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Ransomware Windows ComputerName DNS Cryptographic key |
1
4
SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SURICATA Applayer Detect protocol only one direction ET MALWARE Generic AsyncRAT Style SSL Cert
9.8 | M | 46 | ZeroCERT

5892 | 2024-02-04 17:18
x.......x.......x.......x.doC 30776225f54785b7099a83401ad50a2a MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
4
http://www.passiveprofitshomemadehappy.com/cg86/?tXU8Ezu=3TFdxd21UEn580arE2lD9dsITMetQoYbfxDX9SbFu7HGXATIwyt7pLNjhS7cAsyB3b6jQav7&CTs0=ctxDHjNp
http://www.vxscnb.cfd/cg86/?tXU8Ezu=Huw27SQ9cXMoEXGBgUH5+YQPTCmruNl8RJ6hwqvjms1t/fmUszNh6hLoNJce/1CkQtFWe6Ei&CTs0=ctxDHjNp
http://www.cerapoxy.net/cg86/?tXU8Ezu=LPXDmVohGtv5wuFdmALAYW70wKulzAjbDCCll5l94lbORgDVtLy+kE1Whz26neVdfmWeyLhO&CTs0=ctxDHjNp
http://107.174.212.74/4567/conhost.exe
8
www.passiveprofitshomemadehappy.com(104.16.13.194)
www.cerapoxy.net(3.33.152.147)
www.vxscnb.cfd(150.95.255.38) 3.33.152.147 - mailcious
104.16.13.194
212.224.86.223
150.95.255.38 - mailcious
107.174.212.74 - malware
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE FormBook CnC Checkin (GET) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.2 | M | 32 | ZeroCERT

5893 | 2024-02-04 17:18
V-12.exe a0da1a1c992508b1eee2c766af8d161e Generic Malware Antivirus PE32 PE File .NET EXE Malware download AsyncRAT NetWireRC VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Ransomware Windows ComputerName DNS Cryptographic key |
3
172.67.75.166 212.224.86.223 104.18.146.235
4
SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SURICATA Applayer Detect protocol only one direction ET MALWARE Generic AsyncRAT Style SSL Cert
10.2 | M | 46 | ZeroCERT

5894 | 2024-02-04 17:18
ladas.exe 131e1852763515da84f38dc27d08d2e2 RedLine Infostealer RedlineStealer RedLine stealer Amadey UltraVNC NSIS Themida Packer Admin Tool (Sysinternals etc ...) Malicious Library UPX .NET framework(MSIL) Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File ZIP Format OS Processor Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName Trojan DNS Cryptographic key Software crashed Downloader CoinMiner |
23
http://109.107.182.3/lego/redline1234.exe - rule_id: 39165 http://185.172.128.127/syncUpd.exe - rule_id: 39250 http://109.107.182.3/lego/sadsadsadsa.exe - rule_id: 39166 http://109.107.182.3/cost/niks.exe - rule_id: 39168 http://109.107.182.3/lego/alex.exe - rule_id: 39110 http://109.107.182.3/lego/moto.exe - rule_id: 39111 http://185.172.128.90/cpa/ping.php?substr=nine&s=ab - rule_id: 38981 http://193.233.132.167/lend/crpta.exe http://185.215.113.68/mine/amers.exe - rule_id: 39177 http://109.107.182.3/cost/vinu.exe - rule_id: 39178 http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951 http://www.maxmind.com/geoip/v2.1/city/me http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948 http://185.215.113.68/theme/index.php - rule_id: 38935 https://www.google.com/favicon.ico https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp1vihYdYMcK55SVnfSt1kcjem1J9N7YxPBCjIHuYctGuYRJkwP6IDQz6oqA4fxY2JBTPdd18Q https://accounts.google.com/generate_204?C8dR5A https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp3ZbinaYxU-gAnigtL1sC_NpjpOsF80BMSg-2AP5uNb6ghGt73hnRU04PcovA8yfmi1Yo-ozw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1611222706%3A1707034193384724 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
27
db-ip.com(104.26.5.15) pool.hashvault.pro(131.153.76.130) - mailcious www.google.com(172.217.161.228) ssl.gstatic.com(142.250.196.99) ipinfo.io(34.117.186.192) accounts.google.com(64.233.188.84) www.maxmind.com(104.18.145.235) 94.156.67.230 - mailcious 104.18.146.235 131.153.76.130 - mailcious 185.215.113.68 - malware 5.42.64.33 - mailcious 172.67.75.166 34.117.186.192 172.217.25.4 - suspicious 142.250.66.35 65.109.90.47 - mailcious 185.172.128.90 - mailcious 185.172.128.19 - mailcious 125.253.92.50 185.172.128.127 - malware 193.233.132.62 - mailcious 45.15.156.209 - mailcious 92.222.212.74 142.251.8.84 193.233.132.167 - malware 109.107.182.3 - mailcious
27
ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RisePro CnC Activity (Inbound) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 22 ET INFO Packed Executable Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET POLICY Cryptocurrency Miner Checkin ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET MALWARE Single char EXE direct download likely trojan (multiple families)
12
http://109.107.182.3/lego/redline1234.exe http://185.172.128.127/syncUpd.exe http://109.107.182.3/lego/sadsadsadsa.exe http://109.107.182.3/cost/niks.exe http://109.107.182.3/lego/alex.exe http://109.107.182.3/lego/moto.exe http://185.172.128.90/cpa/ping.php http://185.215.113.68/mine/amers.exe http://109.107.182.3/cost/vinu.exe http://185.215.113.68/theme/Plugins/clip64.dll http://185.215.113.68/theme/Plugins/cred64.dll http://185.215.113.68/theme/index.php
28.4 | M | 46 | ZeroCERT

5895 | 2024-02-04 17:16
r.exe b3db8db328d89d5d301bdabd65901c33 Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution |
2.4 | M | 57 | ZeroCERT