| 6091 |
2024-01-26 12:15
|
 about%20.url e3b601a28343c3eb7c8ffcafc492bb0c
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed |
|
|
|
|
4.2 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6092 |
2024-01-26 12:13
|
ibmSever.vbs bb9a31982bd53b29cc81e3027709727bVirusTotal Malware wscript.exe payload download Tofsee |
2
http://paste.ee/d/Kiio7
https://paste.ee/d/Kiio7
|
2
paste.ee(104.21.84.67) - mailcious
104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6093 |
2024-01-26 12:11
|
currentupdationoftheexplertsay... bfc3ef7d2fa438d76b535b0410fe1296
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://paste.ee/d/Kiio7
http://172.245.208.3/440/ibmSever.vbs
https://paste.ee/d/Kiio7
|
3
paste.ee(172.67.187.200) - mailcious
172.245.208.3 - mailcious
172.67.187.200 - mailcious
|
3
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6094 |
2024-01-26 12:11
|
vnextofficeupdationwaitingfort... 869dc88123916a7193c56809db6b5e97
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
1
http://192.3.176.145/310/conhost.exe
|
3
api.ipify.org(64.185.227.156)
192.3.176.145 - malware
104.237.62.211
|
9
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6095 |
2024-01-26 09:30
|
 installs.exe dee63473a06ba61e8c176166609f3dbc
Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6096 |
2024-01-26 09:28
|
 somzx.exe e899fbf28973beed105f99e209e11be5
AgentTesla Malicious Library .NET framework(MSIL) UPX PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord Browser Email ComputerName DNS Software crashed keylogger |
1
https://discordapp.com/api/webhooks/1197254961164202145/ptzKDsgHtj6pY49BfLZoBFgkUGXIM695d512QfX0eWtZsuDouCKEGxBU0TiPSCQb8iSK
|
4
discordapp.com(162.159.134.233) - mailcious
api.ipify.org(64.185.227.156)
162.159.133.233 - malware
64.185.227.156
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
|
14.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6097 |
2024-01-26 09:26
|
 konotaverse2.1.exe e646eccc6a2a4ae885d9d96e8fa83926
Process Kill Malicious Library FindFirstVolume CryptGenKey UPX PE32 PE File Device_File_Check OS Processor Check VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS DDNS |
|
2
jogard.duckdns.org(91.92.255.54)
91.92.255.54
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
9.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6098 |
2024-01-26 09:24
|
 TrueCrypt_NyNIUi.exe 103b8f2dfacb5d9fac830f710c031f22
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware DNS crashed |
|
1
|
|
|
1.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6099 |
2024-01-26 09:22
|
 zodzx.exe 807942ef0aa75b3e4a16357df18004bc
Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Google Chrome User Data Downloader Malicious Library .NET framework(MSIL) UPX Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Internet API KeyLogger AntiDebug An Remcos VirusTotal Malware Buffer PE Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows DNS keylogger |
1
http://geoplugin.net/json.gp
|
3
geoplugin.net(178.237.33.50)
178.237.33.50
173.211.106.128
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
10.2 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6100 |
2024-01-26 09:19
|
 MRK.exe 8b5cf3d102548da37888f34d3d468e27
RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows DNS Cryptographic key crashed |
|
1
143.95.79.226 - mailcious
|
|
|
3.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6101 |
2024-01-26 09:19
|
 adobe.exe a5881f935fa46c5e8cfe5dd0428df074
Emotet Gen1 Malicious Library UPX Malicious Packer VMProtect PE32 PE File MZP Format DLL PE64 OS Processor Check DllRegisterServer dll Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName crashed |
|
|
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6102 |
2024-01-26 09:17
|
 tuc5.exe 2763f9339f4a7a8e80822e5a1da41f69
Emotet Gen1 Malicious Library UPX Malicious Packer VMProtect PE32 PE File MZP Format DLL PE64 OS Processor Check DllRegisterServer dll VirusTotal Malware Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
5.2 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6103 |
2024-01-26 09:16
|
 uedfh12.exe 511dcb92421ebd7e873e753f804c6b4f
RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
3.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6104 |
2024-01-26 09:14
|
 sadsadsadsa.exe 5a6358bb95f251ab50b99305958a4c98
RedlineStealer RedLine stealer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
|
|
6.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6105 |
2024-01-26 09:13
|
 rost.exe 03135ee6d7c5c029982e63d36d368267
Themida Packer Malicious Packer UPX PE32 PE File Malware download VirusTotal Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed |
2
http://www.maxmind.com/geoip/v2.1/city/me
https://db-ip.com/demo/home.php?s=175.208.134.152
|
7
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
www.maxmind.com(104.18.145.235)
172.67.75.166
34.117.186.192
104.18.145.235
193.233.132.62 - mailcious
|
4
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|