6106 |
2024-01-26 09:12
|
agodzx.exe b29fbc48ad3305f4dcab0be3145682a6 AgentTesla Malicious Library .NET framework(MSIL) UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed |
2
http://ip-api.com/line/?fields=hosting http://apps.identrust.com/roots/dstrootcax3.p7c
|
7
api.ipify.org(64.185.227.156) mail.processengrg.com(194.36.191.196) ip-api.com(208.95.112.1) 23.43.165.66 64.185.227.156 194.36.191.196 - mailcious 208.95.112.1
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com SURICATA Applayer Detect protocol only one direction
|
|
15.4 |
M |
42 |
ZeroCERT
6107 |
2024-01-26 09:11
|
rost.exe 2f9214f932a930a4cdff2b48a3a8eded RedLine stealer Amadey RedLine Infostealer RedlineStealer UltraVNC Generic Malware NSIS Hide_EXE Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) .NET framework(MSIL) ScreenShot PWS Anti_VM AntiDebug AntiVM PE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner |
28
http://109.107.182.3/cost/niks.exe http://109.107.182.3/lego/MRK.exe http://109.107.182.3/lego/alex.exe - rule_id: 39110 http://109.107.182.3/lego/moto.exe - rule_id: 39111 http://109.107.182.3/lego/rdx1122.exe - rule_id: 39118 http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948 http://109.107.182.3/cost/networa.exe http://185.215.113.68/mine/stan.exe - rule_id: 39114 http://109.107.182.3/lego/installs.exe http://109.107.182.3/lego/crypted.exe - rule_id: 39115 http://109.107.182.3/cost/ko.exe http://185.215.113.68/mine/amers.exe http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981 http://109.107.182.3/cost/vinu.exe http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951 http://185.172.128.109/syncUpd.exe - rule_id: 39052 http://185.172.128.19/latestrocki.exe - rule_id: 39054 http://109.107.182.3/lego/2024.exe - rule_id: 39120 http://185.215.113.68/theme/index.php - rule_id: 38935 https://www.google.com/favicon.ico https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp1cKQEpRqzJgd1mJyXaQDg8g6EPaDZyF3Iq1LCz13B1O_GRb-DpHv1Q3bMHBt1iGhMePExXmg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-435268675%3A1706227291300357 https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/generate_204?Gfi3rg https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3H8r8UWuhQ6m2JhTn_UJWtMXXOP18B2sMD6q0yM1EirdCpLoeYafxU7OnBJOlDJRzgLznF https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
22
db-ip.com(172.67.75.166) pool.hashvault.pro(142.202.242.43) - mailcious www.google.com(142.250.76.132) ssl.gstatic.com(142.250.76.131) ipinfo.io(34.117.186.192) accounts.google.com(142.250.157.84) 94.156.67.230 195.20.16.103 - mailcious 5.42.64.33 - mailcious 104.26.4.15 185.215.113.68 - malware 185.172.128.19 - mailcious 141.95.211.148 - mailcious 142.251.170.84 142.250.66.36 216.58.203.67 193.233.132.62 - mailcious 185.172.128.90 - mailcious 34.117.186.192 185.172.128.109 - malware 109.107.182.3 - mailcious 125.253.92.50
|
25
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Family Activity (Response) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET HUNTING Download Request Containing Suspicious Filename - Crypted
|
12
http://109.107.182.3/lego/alex.exe http://109.107.182.3/lego/moto.exe http://109.107.182.3/lego/rdx1122.exe http://185.215.113.68/theme/Plugins/cred64.dll http://185.215.113.68/mine/stan.exe http://109.107.182.3/lego/crypted.exe http://185.172.128.90/cpa/ping.php http://185.215.113.68/theme/Plugins/clip64.dll http://185.172.128.109/syncUpd.exe http://185.172.128.19/latestrocki.exe http://109.107.182.3/lego/2024.exe http://185.215.113.68/theme/index.php
|
32.2 |
M |
38 |
ZeroCERT
6108 |
2024-01-26 09:10
|
Schellingianism.exe e778bb2a5cf80db389e541958d9c3bf2 Malicious Library UPX PE32 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Ransomware |
|
|
|
|
2.8 |
M |
16 |
ZeroCERT
6109 |
2024-01-26 09:10
|
conhost.exe b90adcc386503d5864f6df6bfaa3409b .NET framework(MSIL) PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
3.0 |
|
34 |
ZeroCERT
6110 |
2024-01-26 09:09
|
user13.exe d252ce47e96b7cf75c6be209eff61072 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
0.4 |
M |
4 |
ZeroCERT
6111 |
2024-01-26 09:07
|
Atqumy.exe dade3d1f204511b49e65d585685a8b1f Hide_EXE .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
2.8 |
M |
23 |
ZeroCERT
6112 |
2024-01-26 09:05
|
musicc.exe 8c737832e41951697322de7005e2771b Process Kill Malicious Library FindFirstVolume CryptGenKey UPX PE32 PE File Device_File_Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName DNS crashed |
1
http://ip-api.com/line/?fields=hosting
|
8
ftp.elquijotebanquetes.com(143.95.79.226) ip-api.com(208.95.112.1) 185.172.128.19 - mailcious 185.215.113.68 - malware 208.95.112.1 109.107.182.3 - mailcious 143.95.79.226 - mailcious 125.253.92.50
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET POLICY External IP Lookup ip-api.com SURICATA Applayer Detect protocol only one direction
|
|
7.2 |
|
27 |
ZeroCERT
6113 |
2024-01-26 09:05
|
fsdfsfsfs.exe b2f3f214e959043b7a6b623b82c95946 PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
24 |
ZeroCERT
6114 |
2024-01-26 09:04
|
Setup.exe 2522036524378a539e696724ed56a5a4 Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Check memory buffers extracted Creates shortcut unpack itself Collect installed applications IP Check installed browsers check Tofsee Browser Email ComputerName Trojan Banking DNS |
|
3
api.ipify.org(173.231.16.75) 185.225.200.120 173.231.16.75
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt SURICATA Applayer Protocol detection skipped ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
11.6 |
M |
28 |
ZeroCERT
6115 |
2024-01-25 16:36
|
vLnNHh.exe 3cf7e35d135707c3c8db1e571b28f191 AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
camo.githubusercontent.com(185.199.109.133) 185.199.111.133 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
6116 |
2024-01-25 16:34
|
grace.exe bc2b81ee5871a2af529ba6d695e656c6 Process Kill Malicious Library FindFirstVolume CryptGenKey UPX PE32 PE File Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
api.ipify.org(104.237.62.211) mymobileorder.com(162.0.232.65) - mailcious 162.0.232.65 - phishing 173.231.16.75
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
|
|
10.0 |
|
32 |
ZeroCERT
6117 |
2024-01-25 16:32
|
Rehman_GROUP_RFQ.vbs 181f9015b54b57a4175e9c4584751d57 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://paste.ee/d/VmrQ4
https://paste.ee/d/VmrQ4
https://wallpapercave.com/uwp/uwp4228677.png
https://paste.ee/d/MQLUA/0
|
4
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(104.22.53.71) - malware 104.21.84.67 - malware
104.22.52.71 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
13 |
ZeroCERT
6118 |
2024-01-25 14:30
|
Order_Information.url 7f4085aab74f2da761e65d5fb41fd40f AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting unpack itself Windows utilities Tofsee Windows DNS |
1
http://62.173.141.114/scarica/PayPal_List.exe
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.4 |
|
|
ZeroCERT
6119 |
2024-01-25 14:01
|
statement_trans_24_01_2024.lnk 6e9db0f67fedf5f6ee30d92e86581cce Generic Malware task schedule AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware AutoRuns Code Injection Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName |
1
https://entertainment-in-tenerife.com/wp-content/uploads/reader.php
|
|
|
|
4.6 |
|
8 |
ZeroCERT
6120 |
2024-01-25 13:56
|
조선 시장 물가 분석(신의주).hwp... e26422ba7e1eed4481e9389806e798c3 HWP PS PostScript MSOffice File Lnk Format GIF Format VirusTotal Malware Checks debugger Creates shortcut Creates executable files |
|
|
|
|
1.6 |
|
15 |
ZeroCERT