| 5971 |
2024-02-02 09:18
|
 start.exe b303dde38d52546dcaa7a1021dc95d84
Cryptocurrency_miner XMRig Miner Generic Malware .NET framework(MSIL) UPX Antivirus Malicious Library Malicious Packer PE32 PE File .NET EXE PE64 OS Processor Check VirusTotal Malware powershell AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
7
http://185.221.198.109/xmrig.exe - rule_id: 39220
http://185.221.198.109/xmrig.exe
http://185.221.198.109/WatchDog.exe - rule_id: 39221
http://185.221.198.109/WinRing0x64.sys - rule_id: 39223
http://185.221.198.109/WinRing0x64.sys
https://pastebin.com/raw/NaRs5ZxJ - rule_id: 39219
https://pastebin.com/raw/NaRs5ZxJ
|
3
pastebin.com(104.20.67.143) - mailcious
185.221.198.109 - malware
104.20.67.143 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4
http://185.221.198.109/xmrig.exe
http://185.221.198.109/WatchDog.exe
http://185.221.198.109/WinRing0x64.sys
https://pastebin.com/raw/NaRs5ZxJ
|
11.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5972 |
2024-02-02 09:18
|
 rdpcllp.exe 05a607cfc9ac7c66d4ce77dde0a2e491
PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency Remote Code Execution DNS CoinMiner |
|
2
xmr.2miners.com(162.19.139.184) - mailcious
162.19.139.184 - mailcious
|
1
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
|
|
2.0 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5973 |
2024-02-02 09:16
|
 firefoxsunny.exe ffd6c86af20c38cccffcd9b0e15ece4c
Hide_EXE Downloader Malicious Library UPX ScreenShot DNS Create Service Socket DGA Http API Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE32 PE File M VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows Browser ComputerName crashed |
|
1
PWwrYtNUyGoOzOdfBdytV.PWwrYtNUyGoOzOdfBdytV()
|
|
|
11.8 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5974 |
2024-02-02 09:15
|
 RDX.exe f733785f9d088490b784d4dc5584ebfb
RedlineStealer RedLine stealer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
|
|
7.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5975 |
2024-02-02 09:13
|
 meta12.exe 455af7b85c5f2f4f7bd03fccc9f38ffe
RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
2.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5976 |
2024-02-02 09:13
|
 xmrig.exe 118c2d536d52dd30116baaf06dfe5e63
XMRig Miner Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware unpack itself ComputerName |
|
|
|
|
2.0 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5977 |
2024-02-01 11:21
|
 ouwediysnbosav.pdf.exe d417bfe203bb31ec8cc510494ae97f63
AgentTesla Malicious Library Malicious Packer UPX PE32 PE File .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mail.asdekorasyon.com.tr(185.85.205.51)
api.ipify.org(64.185.227.156)
104.237.62.212
185.85.205.51
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil Via SMTP
|
|
7.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5978 |
2024-02-01 09:34
|
 vk_seller1234_crypted.exe c8b5dcfbdbf417d517edf952f366ef7f
XMRig Miner Generic Malware Malicious Library UPX .NET framework(MSIL) Malicious Packer Antivirus PE32 PE File OS Processor Check .NET EXE PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
6
http://185.221.198.109/xmrig.exe
http://185.221.198.109/WatchDog.exe
http://185.221.198.109/WinRing0x64.sys
https://github.com/wlCF2fie4Ks7woEO/project/raw/main/start.exe
https://raw.githubusercontent.com/wlCF2fie4Ks7woEO/project/main/start.exe
https://pastebin.com/raw/NaRs5ZxJ
|
8
github.com(20.200.245.247) - mailcious
raw.githubusercontent.com(185.199.108.133) - malware
pastebin.com(172.67.34.170) - mailcious
185.199.111.133 - mailcious
185.221.198.109
45.15.156.127
20.200.245.247 - malware
172.67.34.170 - mailcious
|
10
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.8 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5979 |
2024-02-01 09:33
|
 legend1234ff.exe 1850ff637de86020fe977b676b5c81ca
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5980 |
2024-02-01 09:31
|
x......x..........x..doc b3c0ce50761120df74269d25e8d57f90
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://paste.ee/d/Pz2XE
http://172.232.172.53/3031/Rosefromtitanic.vbs
https://paste.ee/d/Pz2XE
|
3
paste.ee(172.67.187.200) - mailcious
104.21.84.67 - malware
172.232.172.53 - mailcious
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5981 |
2024-02-01 09:31
|
Rosefromtitanic.vbs 8527bea52d77fc7c2fff7add03a2f51cVirusTotal Malware wscript.exe payload download Tofsee |
2
http://paste.ee/d/Pz2XE
https://paste.ee/d/Pz2XE
|
2
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5982 |
2024-02-01 08:04
|
 rty25.exe 5fd7aff48d27771ca0aec6776afefb93
Malicious Packer UPX PE File PE64 PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
182.162.106.33 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5983 |
2024-02-01 08:03
|
 anydesk.exe 32259010418da240da7f3a5d2b8e3981
PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5984 |
2024-02-01 08:02
|
 InstallSetup2.exe 72291a2593e330da68e21589b3977f54
UPX PE32 PE File .NET EXE OS Processor Check PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5985 |
2024-02-01 08:01
|
 d.exe 15a9d8defb55dc7124128453c630e43c
PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|