6076 | 2024-01-27 16:16 | lololoolll.exe 8bb5a33d341fa1694ab9c00258421182 | RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed | 2.8 | M | 31 | ZeroCERT

6077 | 2024-01-27 16:12 | Gzcueoarue.exe 721fb763958ddcf207551558ff06b1a0 | Hide_EXE .NET framework(MSIL) PWS AntiDebug AntiVM PE File PE64 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key | 7.8 | M | 51 | ZeroCERT

6078 | 2024-01-27 16:10 | amers.exe a2694e00b509f5192ab406b4c4dbd5d4 | Amadey RedLine Infostealer RedlineStealer RedLine stealer UltraVNC Generic Malware NSIS UPX Malicious Library Antivirus Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner | 25.6 | M | | ZeroCERT
  URLs (24): http://109.107.182.3/cost/niks.exe http://109.107.182.3/lego/alex.exe - rule_id: 39110 http://109.107.182.3/lego/moto.exe - rule_id: 39111 http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948 http://185.215.113.68/mine/stan.exe - rule_id: 39114 http://109.107.182.3/lego/crypted.exe - rule_id: 39115 http://109.107.182.3/cost/ko.exe http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981 http://109.107.182.3/cost/vinu.exe http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951 http://185.172.128.109/syncUpd.exe - rule_id: 39052 http://185.172.128.19/latestrocki.exe - rule_id: 39054 http://apps.identrust.com/roots/dstrootcax3.p7c http://109.107.182.3/lego/2024.exe - rule_id: 39120 http://185.215.113.68/theme/index.php - rule_id: 38935 https://www.google.com/favicon.ico https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0ZvGCz0fk8hqCTekN1L6IFObRSt0FnIziWyOpr8xOZhORjutgVOlbm595iNSmRYmohWq9E&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1191012356%3A1706338947208913 https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0LeW44r7VVR74bP_-DTZ1tUx2XPR-89LBFra8MZNpjPX0WU1E7ZoU1WTHj5ozbI1pULjHf https://accounts.google.com/generate_204?oMaQNA https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  Hosts (26): db-ip.com(172.67.75.166) www.google.com(142.250.76.132) ssl.gstatic.com(142.250.76.131) ipinfo.io(34.117.186.192) i.alie3ksgaa.com(154.92.15.189) - mailcious pastebin.com(104.20.67.143) - mailcious zeph-eu2.nanopool.org(51.195.138.197) - mailcious accounts.google.com(64.233.188.84) 94.156.67.230 193.233.132.62 - mailcious 172.67.75.166 195.20.16.103 - mailcious 185.215.113.68 - malware 5.42.64.33 - mailcious 172.217.25.4 - suspicious 185.172.128.90 - mailcious 108.177.97.84 34.117.186.192 104.20.68.143 - mailcious 185.172.128.19 - mailcious 154.92.15.189 - mailcious 51.15.61.114 114.108.166.96 185.172.128.109 - malware 109.107.182.3 - mailcious 142.250.204.99
  IDS alerts (25): ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) ET HUNTING Download Request Containing Suspicious Filename - Crypted ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Family Activity (Response)
  Rule-matched URLs (11): http://109.107.182.3/lego/alex.exe http://109.107.182.3/lego/moto.exe http://185.215.113.68/theme/Plugins/cred64.dll http://185.215.113.68/mine/stan.exe http://109.107.182.3/lego/crypted.exe http://185.172.128.90/cpa/ping.php http://185.215.113.68/theme/Plugins/clip64.dll http://185.172.128.109/syncUpd.exe http://185.172.128.19/latestrocki.exe http://109.107.182.3/lego/2024.exe http://185.215.113.68/theme/index.php

6079 | 2024-01-27 16:09 | Cxqdczh.exe 3ede46cd121b2387c6559c3afae0dc31 | Hide_EXE .NET framework(MSIL) PWS AntiDebug AntiVM PE File PE64 .NET EXE VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key | 9.0 | M | 51 | ZeroCERT
  Hosts (1):

6080 | 2024-01-27 16:06 | build.exe 6b1266f334d8f6c9986d1c94275a63fa | Gen1 Generic Malware Malicious Library ASPack Malicious Packer UPX Antivirus Anti_VM PE File PE64 DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself | 3.2 | M | 42 | ZeroCERT

6081 | 2024-01-27 16:06 | build.exe 5b49aff6fd63d3b47a42af95b2ab6233 | PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS | 3.8 | M | 28 | ZeroCERT
  Hosts (2): 185.172.128.19 - mailcious 51.15.61.114

6082 | 2024-01-27 16:04 | d38mibbvz.exe e594d99c7fe16646a8799217b44bcabf | Malicious Library PE32 PE File PDB unpack itself Remote Code Execution | 1.2 | M | | ZeroCERT

6083 | 2024-01-27 16:01 | 986.exe 6c1dfafc437e8cb6b57dd0729cb39822 | PE File PE64 VirusTotal Malware crashed | 1.4 | M | 32 | ZeroCERT

6084 | 2024-01-27 16:00 | hotels.exe 77709112275d51ebd4d9491673c93a62 | .NET framework(MSIL) UPX Malicious Library Socket ScreenShot Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File .NET EXE DLL OS Processor Check PNG Format ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed | 19.0 | | 25 | ZeroCERT
  URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
  Hosts (5): ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 5.75.172.21 172.67.75.166 34.117.186.192
  IDS alerts (7): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity)

6085 | 2024-01-27 15:59 | ISIcentos.vbs 860f242d1a6e895bbd7c2c204c466511 | VirusTotal Malware wscript.exe payload download Tofsee | 2.6 | M | 4 | ZeroCERT
  URLs (2): http://paste.ee/d/wVH5z https://paste.ee/d/wVH5z
  Hosts (2): paste.ee(104.21.84.67) - mailcious 172.67.187.200 - mailcious
  IDS alerts (2): ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

6086 | 2024-01-27 15:59 | goo8.exe f94747901a9f32aa41d1212d6ecc4312 | Emotet Gen1 Malicious Library UPX Confuser .NET Malicious Packer VMProtect PE32 PE File MZP Format DLL PE64 OS Processor Check DllRegisterServer dll VirusTotal Malware Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed | 4.6 | M | 10 | ZeroCERT

6087 | 2024-01-27 15:57 | Droper.exe 6cb9581e342b238db72842250c54ca93 | PE32 PE File .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself | 2.4 | M | 37 | ZeroCERT

6088 | 2024-01-27 15:57 | RMC.txt.exe 9567a898f2ecf952f8817787e6ef5701 | Browser Login Data Stealer Generic Malware Malicious Library Malicious Packer Downloader UPX PE32 PE File OS Processor Check Remcos VirusTotal Malware Malicious Traffic Check memory | 2.4 | | 54 | ZeroCERT
  URLs (1): http://geoplugin.net/json.gp
  Hosts (4): geoplugin.net(178.237.33.50) top.noforabusers1.xyz(147.124.215.172) - mailcious 178.237.33.50 147.124.215.172
  IDS alerts (1): ET JA3 Hash - Remcos 3.x TLS Connection

6089 | 2024-01-27 15:55 | 987.exe c71e203acbb9a6de6ff5cbb21d5b0694 | PE File PE64 VirusTotal Malware crashed | 1.4 | M | 30 | ZeroCERT

6090 | 2024-01-27 15:55 | networa.exe 6013a3bf4241fe15b4a79978a50ef53c | Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware Checks debugger unpack itself | 1.2 | M | 14 | ZeroCERT