6046 | 2024-01-30 07:57
Sample: conhost.exe (MD5 63b53532b4267aacb2fab99033d2ea60)
Tags: .NET framework(MSIL) PE File PE64 .NET EXE Check memory Checks debugger unpack itself
Score: 1.2
Source: ZeroCERT

6047 | 2024-01-30 07:54
Sample: ToDelegation.exe (MD5 0088c0508f8aa299bea991f6dd9cc946)
Tags: Gen1 Generic Malware Suspicious_Script_Bin Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P Malware Telegram Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS crashed
URLs (2):
  https://steamcommunity.com/profiles/76561199627279110
  https://t.me/tvrugrats
Hosts (6):
  t.me(149.154.167.99) - mailcious
  zrKFkcOxPLs.zrKFkcOxPLs()
  steamcommunity.com(104.76.78.101) - mailcious
  149.154.167.99 - mailcious
  104.76.78.101 - mailcious
  65.109.242.38
IDS alerts (3):
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.8
Flags: M
Source: ZeroCERT

6048 | 2024-01-30 07:53
Sample: 1233213123213.exe (MD5 b69036a695b48549380a64c8df3a00f1)
Tags: Malicious Library UPX PE File PE64 OS Processor Check Check memory
Score: 0.8
Flags: M
Source: ZeroCERT

6049 | 2024-01-29 15:31
Sample: am.exe (MD5 3eedb7ab4ab81081e6fe25b117d4698c)
Tags: Emotet Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware AutoRuns PDB unpack itself Windows Remote Code Execution
Score: 2.2
Flags: 6
Source: ZeroCERT

6050 | 2024-01-29 08:11
Sample: aoiido.exe (MD5 34e24e68ad58de1a5cbb7ddd21c8f993)
Tags: RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed
Score: 1.8
Flags: M
Source: ZeroCERT

6051 | 2024-01-29 08:09
Sample: lada.exe (MD5 68536fff9f64f007745e2fc88467856e)
Tags: Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid Checks debugger unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (2):
  http://www.maxmind.com/geoip/v2.1/city/me
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (7):
  ipinfo.io(34.117.186.192)
  db-ip.com(104.26.4.15)
  www.maxmind.com(104.18.145.235)
  172.67.75.166
  34.117.186.192
  104.18.145.235
  193.233.132.62 - mailcious
IDS alerts (4):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Score: 9.8
Flags: M
Source: ZeroCERT

6052 | 2024-01-29 08:06
Sample: PrivateCheatFortnite.exe (MD5 bf0106f2a7756ab75de4993ad4db40cd)
Tags: Malicious Library UPX PE32 PE File Check memory Checks debugger unpack itself DNS crashed
Hosts (3):
  23.50.121.137
  51.68.137.186 - mailcious
  23.200.75.28
Score: 1.8
Flags: M
Source: ZeroCERT

6053 | 2024-01-29 08:06
Sample: kololl.exe (MD5 656e40709f4a60b1bc6b831334253919)
Tags: Gen1 Browser Login Data Stealer Generic Malware Malicious Library Malicious Packer UPX Antivirus Anti_VM PE File PE64 DLL OS Processor Check ftp wget Check memory Creates executable files
Score: 1.6
Flags: M
Source: ZeroCERT

6054 | 2024-01-29 08:05
Sample: latestroc.exe (MD5 0fb0767520be820c0c3f415fb1bad41d)
Tags: Malicious Library UPX PE32 PE File .NET EXE PE64 Cryptocurrency Miner MachineGuid Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee DNS CoinMiner
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (8):
  zeph-eu2.nanopool.org(51.195.43.17) - mailcious
  i.alie3ksgaa.com(154.92.15.189) - mailcious
  pastebin.com(172.67.34.170) - mailcious
  163.172.171.111 - mailcious
  104.20.68.143 - mailcious
  51.68.137.186 - mailcious
  154.92.15.189 - mailcious
  23.200.75.28
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
Score: 3.4
Flags: M
Source: ZeroCERT

6055 | 2024-01-29 08:04
Sample: donat.exe (MD5 caa5e1a8cdd188b8a32628fa809e3e7b)
Tags: RedLine Infostealer RedlineStealer RedLine stealer Amadey UltraVNC Generic Malware Malicious Packer UPX Malicious Library .NET framework(MSIL) Code injection Http API PWS Anti_VM AntiDebug AntiVM PE32 PE File PE64 OS Processor Check .NET EXE DLL ZI Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName Trojan Banking DNS Cryptographic key Software crashed keylogger Downloader CoinMiner
URLs (21):
  http://185.215.113.68/mine/plata.exe
  http://109.107.182.3/lego/alex.exe - rule_id: 39110
  http://109.107.182.3/lego/moto.exe - rule_id: 39111
  http://109.107.182.3/cost/lada.exe
  http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
  http://185.172.128.19/latestroc.exe
  http://109.107.182.3/lego/crypted.exe - rule_id: 39115
  http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://www.maxmind.com/geoip/v2.1/city/me
  http://109.107.182.3/lego/2024.exe - rule_id: 39120
  http://185.215.113.68/theme/index.php - rule_id: 38935
  https://www.google.com/favicon.ico
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp08ITWJUqsMpaLXtZ8Vao9NOdjBb1CJ2-DcCQtg1CsZRAnDooYsQ14Pvh2aA0dVfq84q9AxJQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1526455473%3A1706482517436359
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3d6QSePlmuhZdxCmFqD2IdYY3VL1P6FRaevEj2T_ysbQDXlxlWx2OKmdmLhnOKRq_Qthy_mw
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  https://accounts.google.com/generate_204?SzOxuw
Hosts (27):
  db-ip.com(104.26.4.15)
  pool.hashvault.pro(125.253.92.50) - mailcious
  www.google.com(142.250.76.132)
  ssl.gstatic.com(142.250.76.131)
  api.ipify.org(173.231.16.75)
  ipinfo.io(34.117.186.192)
  i.alie3ksgaa.com(154.92.15.189) - mailcious
  accounts.google.com(64.233.188.84)
  www.maxmind.com(104.18.145.235)
  94.156.67.230
  172.67.75.166
  142.251.220.99
  195.20.16.103 - mailcious
  104.18.146.235
  104.18.145.235
  185.172.128.19 - mailcious
  173.194.174.84
  34.117.186.192
  89.208.103.177
  185.215.113.68 - malware
  172.217.24.100
  64.185.227.156
  193.233.132.62 - mailcious
  154.92.15.189 - mailcious
  23.50.121.137
  109.107.182.3 - mailcious
  125.253.92.50
IDS alerts (26):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO Dotted Quad Host DLL Request
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  ET INFO TLS Handshake Failure
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
  ET POLICY Cryptocurrency Miner Checkin
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Family Activity (Response)
  ET HUNTING Download Request Containing Suspicious Filename - Crypted
URLs matched by rules (7):
  http://109.107.182.3/lego/alex.exe
  http://109.107.182.3/lego/moto.exe
  http://185.215.113.68/theme/Plugins/cred64.dll
  http://109.107.182.3/lego/crypted.exe
  http://185.215.113.68/theme/Plugins/clip64.dll
  http://109.107.182.3/lego/2024.exe
  http://185.215.113.68/theme/index.php
Score: 36.0
Flags: M
Source: ZeroCERT

6056 | 2024-01-29 08:02
Sample: plata.exe (MD5 7c36240fbc9b608d4847cbaedf7f031a)
Tags: Malicious Packer UPX PE32 PE File Malware download Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (2):
  http://www.maxmind.com/geoip/v2.1/city/me
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (7):
  ipinfo.io(34.117.186.192)
  db-ip.com(104.26.5.15)
  www.maxmind.com(104.18.145.235)
  34.117.186.192
  104.18.146.235
  104.26.4.15
  193.233.132.62 - mailcious
IDS alerts (4):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.2
Source: ZeroCERT

6057 | 2024-01-29 08:02
Sample: btcgood.exe (MD5 52457d397f4d5abc4d9de5dc74fd42c5)
Tags: Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download Email Client Info Stealer Malware Check memory buffers extracted Creates shortcut unpack itself Collect installed applications IP Check installed browsers check Tofsee Browser Email ComputerName Trojan Banking DNS
Hosts (3):
  api.ipify.org(104.237.62.211)
  64.185.227.156
  89.208.103.177
IDS alerts (6):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
  SURICATA Applayer Protocol detection skipped
Score: 9.8
Flags: M
Source: ZeroCERT

6058 | 2024-01-29 08:00
Sample: vinu.exe (MD5 b999d160106e9c1cc130e81cb65cb6c1)
Tags: Malicious Packer Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (2):
  http://www.maxmind.com/geoip/v2.1/city/me
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (12):
  ipinfo.io(34.117.186.192)
  db-ip.com(172.67.75.166)
  www.maxmind.com(104.18.145.235)
  172.67.75.166
  104.18.146.235
  185.172.128.19 - mailcious
  34.117.186.192
  185.215.113.68 - malware
  193.233.132.62 - mailcious
  154.92.15.189 - mailcious
  109.107.182.3 - mailcious
  125.253.92.50
IDS alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
Score: 5.6
Flags: M
Source: ZeroCERT

6059 | 2024-01-29 07:59
Sample: conhost.exe (MD5 d930d695d2832dcddfe4de6d917ddb25)
Tags: Malicious Packer UPX PE32 PE File .NET EXE Malware PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI unpack itself Check virtual network interfaces IP Check Windows ComputerName Cryptographic key
URLs (1): (none shown)
Hosts (2):
  ip-api.com(208.95.112.1)
  208.95.112.1
IDS alerts (1):
  ET POLICY External IP Lookup ip-api.com
Score: 6.0
Source: ZeroCERT

6060 | 2024-01-29 07:57
Sample: reo.exe (MD5 9a5ab5436636d809711978aad14df6cd)
Tags: Malicious Library UPX PE32 PE File OS Processor Check DNS
Hosts (1): (none shown)
Score: 2.4
Flags: M
Source: ZeroCERT