5971 | 2024-02-02 09:18
start.exe | b303dde38d52546dcaa7a1021dc95d84
Tags: Cryptocurrency_miner XMRig Miner Generic Malware .NET framework(MSIL) UPX Antivirus Malicious Library Malicious Packer PE32 PE File .NET EXE PE64 OS Processor Check VirusTotal Malware powershell AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (7): http://185.221.198.109/xmrig.exe - rule_id: 39220 | http://185.221.198.109/xmrig.exe | http://185.221.198.109/WatchDog.exe - rule_id: 39221 | http://185.221.198.109/WinRing0x64.sys - rule_id: 39223 | http://185.221.198.109/WinRing0x64.sys | https://pastebin.com/raw/NaRs5ZxJ - rule_id: 39219 | https://pastebin.com/raw/NaRs5ZxJ
Hosts (3): pastebin.com(104.20.67.143) - malicious | 185.221.198.109 - malware | 104.20.67.143 - malicious
Alerts (5): ET INFO Executable Download from dotted-quad Host | ET POLICY PE EXE or DLL Windows file download HTTP | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URLs (4): http://185.221.198.109/xmrig.exe | http://185.221.198.109/WatchDog.exe | http://185.221.198.109/WinRing0x64.sys | https://pastebin.com/raw/NaRs5ZxJ
11.2 | M | 54 | ZeroCERT
5972 | 2024-02-02 09:18
rdpcllp.exe | 05a607cfc9ac7c66d4ce77dde0a2e491
Tags: PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency Remote Code Execution DNS CoinMiner
Hosts (2): xmr.2miners.com(162.19.139.184) - malicious | 162.19.139.184 - malicious
Alerts (1): ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
2.0 | - | 51 | ZeroCERT
5973 | 2024-02-02 09:16
firefoxsunny.exe | ffd6c86af20c38cccffcd9b0e15ece4c
Tags: Hide_EXE Downloader Malicious Library UPX ScreenShot DNS Create Service Socket DGA Http API Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE32 PE File M VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows Browser ComputerName crashed
1 | PWwrYtNUyGoOzOdfBdytV.PWwrYtNUyGoOzOdfBdytV()
11.8 | - | 13 | ZeroCERT
5974 | 2024-02-02 09:15
RDX.exe | f733785f9d088490b784d4dc5584ebfb
Tags: RedlineStealer RedLine stealer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1 |
Alerts (5): ET INFO Microsoft net.tcp Connection Initialization Activity | ET MALWARE Redline Stealer TCP CnC Activity | ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) | ET MALWARE Redline Stealer TCP CnC - Id1Response | ET MALWARE Redline Stealer Family Activity (Response)
7.8 | - | 40 | ZeroCERT
5975 | 2024-02-02 09:13
meta12.exe | 455af7b85c5f2f4f7bd03fccc9f38ffe
Tags: RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed
2.6 | - | 29 | ZeroCERT
5976 | 2024-02-02 09:13
xmrig.exe | 118c2d536d52dd30116baaf06dfe5e63
Tags: XMRig Miner Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself ComputerName
2.0 | - | 56 | ZeroCERT
5977 | 2024-02-01 11:21
ouwediysnbosav.pdf.exe | d417bfe203bb31ec8cc510494ae97f63
Tags: AgentTesla Malicious Library Malicious Packer UPX PE32 PE File .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
Hosts (4): mail.asdekorasyon.com.tr(185.85.205.51) | api.ipify.org(64.185.227.156) | 104.237.62.212 | 185.85.205.51
Alerts (6): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | ET INFO TLS Handshake Failure | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | SURICATA Applayer Detect protocol only one direction | ET MALWARE AgentTesla Exfil Via SMTP
7.6 | M | 48 | ZeroCERT
5978 | 2024-02-01 09:34
vk_seller1234_crypted.exe | c8b5dcfbdbf417d517edf952f366ef7f
Tags: XMRig Miner Generic Malware Malicious Library UPX .NET framework(MSIL) Malicious Packer Antivirus PE32 PE File OS Processor Check .NET EXE PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (6): http://185.221.198.109/xmrig.exe | http://185.221.198.109/WatchDog.exe | http://185.221.198.109/WinRing0x64.sys | https://github.com/wlCF2fie4Ks7woEO/project/raw/main/start.exe | https://raw.githubusercontent.com/wlCF2fie4Ks7woEO/project/main/start.exe | https://pastebin.com/raw/NaRs5ZxJ
Hosts (8): github.com(20.200.245.247) - malicious | raw.githubusercontent.com(185.199.108.133) - malware | pastebin.com(172.67.34.170) - malicious | 185.199.111.133 - malicious | 185.221.198.109 | 45.15.156.127 | 20.200.245.247 - malware | 172.67.34.170 - malicious
Alerts (10): ET INFO Microsoft net.tcp Connection Initialization Activity | ET MALWARE Redline Stealer TCP CnC Activity | ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) | ET MALWARE Redline Stealer TCP CnC - Id1Response | ET MALWARE Redline Stealer Family Activity (Response) | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO Executable Download from dotted-quad Host | ET POLICY PE EXE or DLL Windows file download HTTP | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
13.8 | M | 19 | ZeroCERT
5979 | 2024-02-01 09:33
legend1234ff.exe | 1850ff637de86020fe977b676b5c81ca
Tags: PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.2 | M | 22 | ZeroCERT
5980 | 2024-02-01 09:31
x......x..........x..doc | b3c0ce50761120df74269d25e8d57f90
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (3): http://paste.ee/d/Pz2XE | http://172.232.172.53/3031/Rosefromtitanic.vbs | https://paste.ee/d/Pz2XE
Hosts (3): paste.ee(172.67.187.200) - malicious | 104.21.84.67 - malware | 172.232.172.53 - malicious
Alerts (3): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO Dotted Quad Host VBS Request
4.6 | M | 34 | ZeroCERT
5981 | 2024-02-01 09:31
Rosefromtitanic.vbs | 8527bea52d77fc7c2fff7add03a2f51c
Tags: VirusTotal Malware wscript.exe payload download Tofsee
URLs (2): http://paste.ee/d/Pz2XE | https://paste.ee/d/Pz2XE
Hosts (2): paste.ee(104.21.84.67) - malicious | 172.67.187.200 - malicious
Alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | - | 7 | ZeroCERT
5982 | 2024-02-01 08:04
rty25.exe | 5fd7aff48d27771ca0aec6776afefb93
Tags: Malicious Packer UPX PE File PE64 PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c | https://i.alie3ksgaa.com/sta/imagd.jpg
Hosts (3): i.alie3ksgaa.com(154.92.15.189) - malicious | 154.92.15.189 - malicious | 182.162.106.33 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 | - | - | ZeroCERT
5983 | 2024-02-01 08:03
anydesk.exe | 32259010418da240da7f3a5d2b8e3981
Tags: PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself
1.4 | - | - | ZeroCERT
5984 | 2024-02-01 08:02
InstallSetup2.exe | 72291a2593e330da68e21589b3977f54
Tags: UPX PE32 PE File .NET EXE OS Processor Check PDB Check memory Checks debugger unpack itself
1.4 | - | - | ZeroCERT
5985 | 2024-02-01 08:01
d.exe | 15a9d8defb55dc7124128453c630e43c
Tags: PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself
1.4 | M | - | ZeroCERT