6136 | 2024-01-25 09:20
stan.exe | 04301ab0e3daa0be320a90c29059f088
Tags: Client SW User Data Stealer RedLine stealer RedLine Infostealer RedlineStealer Amadey browser info stealer Themida Packer UltraVNC Generic Malware NSIS Hide_EXE Google Chrome User Data Downloader Malicious Packer Malicious Library UPX .NET frame Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader
URLs (20):
  http://109.107.182.3/cost/networ.exe - rule_id: 39053
  http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
  http://185.215.113.68/mine/amer.exe - rule_id: 39024
  http://109.107.182.3/cost/nika.exe - rule_id: 39037
  http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
  http://109.107.182.3/cost/go.exe - rule_id: 39025
  http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
  http://109.107.182.3/cost/vimu.exe - rule_id: 39038
  http://185.172.128.19/latestrocki.exe - rule_id: 39054
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://185.215.113.68/theme/index.php - rule_id: 38935
  https://www.google.com/favicon.ico
  https://accounts.google.com/generate_204?QWfFag
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3437MpdLqeJXXmnjo86ElWj-h7hAFZEOqRy5ULnXiPzkWs5AxnDO0Ovl-mxK_rlOLCFHwf
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp3vDgA9dYQaukba9RXlX2wDMY1M-AxrCojfMZ91Il_gwrJz-Ee78hH-C5Y4mLG_WvowvhkPKQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1963367809%3A1706140574270777
Hosts (22):
  db-ip.com(104.26.4.15)
  www.google.com(172.217.161.228)
  ssl.gstatic.com(142.250.76.131)
  ipinfo.io(34.117.186.192)
  i.alie3ksgaa.com(154.92.15.189) - malicious
  accounts.google.com(64.233.188.84)
  142.250.204.36
  195.20.16.103 - malicious
  104.26.4.15
  185.215.113.68 - malware
  5.42.64.33 - malicious
  185.172.128.19 - malicious
  141.95.211.148 - malicious
  34.117.186.192
  185.172.128.90 - malicious
  61.111.58.35 - malware
  193.233.132.62 - malicious
  154.92.15.189 - malicious
  142.251.220.35
  80.79.4.61 - malicious
  109.107.182.3 - malicious
  64.233.188.84
IDS alerts (22):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET INFO Packed Executable Download
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET HUNTING Download Request Containing Suspicious Filename - Crypted
30.0 | M | 39 | ZeroCERT

6137 | 2024-01-25 09:04
alex.exe | a615f2eee64c5d7449a8792cc782b6d6
Tags: RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key crashed
3.2 | M | 30 | ZeroCERT

6138 | 2024-01-25 09:04
conhost.exe | 1898e4173e44594f9dc312cf8622116b
Tags: Formbook AntiDebug AntiVM PE32 PE File .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key Downloader
URLs (5):
  http://www.zhangnational.site/b21s/?LZa0=y0Dj+cpzYNB0KREV3i9vRRBmemYalAwO39f2/WBFUnsbQy2Uen8j2v8X32Jt1Fp/TC7TXkMI&uTux=njoTZ26xmz
  http://www.martinkeyword.top/b21s/?LZa0=0tEjvMOQZ1u+KiVdVD9NMdDqyg4NNl7IsBZDKOPbb44psP0R1uri9OUTuHQ9LNmBSi0J17UR&uTux=njoTZ26xmz
  http://107.172.31.179/500/Gaqqic.wav
  http://www.gattgraphic.com/b21s/?LZa0=EodxxVnP6AALhCm6PMojoLYK50H/6a9ovP9+wbqeR1Lo4rltyls8iqRv+JR8KYWFAhTe4tyj&uTux=njoTZ26xmz
  http://www.family-doctor-79417.com/b21s/?LZa0=Mxt8ckLWX1wN0TXkckU8PS2/S2ul7U/m+MSjsB7vFpbxPb8t47jkcaQcBHmi0NSFrzd3m2nN&uTux=njoTZ26xmz
Hosts (10):
  www.bruderhertz.art()
  www.gattgraphic.com(34.149.87.45)
  www.family-doctor-79417.com(103.224.212.213)
  www.zhangnational.site(104.21.49.198)
  www.martinkeyword.top(104.21.6.136)
  172.67.154.225
  34.149.87.45 - phishing
  107.172.31.179 - malware
  103.224.212.213
  104.21.49.198
IDS alerts (10):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to a *.top domain
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET MALWARE Possible MalDoc Payload Download Nov 11 2014
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
11.8 | M | 32 | ZeroCERT

6139 | 2024-01-25 09:02
conhost.exe | 639b18e886bd8b899714bcbede9343d3
Tags: Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PE32 PE File .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key
2.2 | M | 40 | ZeroCERT

6140 | 2024-01-25 09:00
Loader.exe | 8b8c6376bb40d5bd505d1ae0deee9d2c
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware DNS crashed
Hosts (3):
  185.172.128.19 - malicious
  109.107.182.3 - malicious
  185.215.113.68 - malware
IDS alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
1.6 | M | 29 | ZeroCERT

6141 | 2024-01-25 09:00
Gzxzuhejdab.exe | 2fadc3984b71f0fd08c832adeedf2b52
Tags: Hide_EXE UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
3.2 | M | 50 | ZeroCERT

6142 | 2024-01-25 08:58
t7.exe | 88f9483fc5ae7c415d9618257bfbe596
Tags: Malicious Library UPX PE32 PE File OS Processor Check DNS
Hosts (1):
1.8 | M | | ZeroCERT

6143 | 2024-01-25 08:56
bin.exe | d36b9ed936c51fc667d67cb5fa419a94
Tags: Formbook Malicious Library Malicious Packer PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic unpack itself suspicious TLD DNS
URLs (4):
  http://www.zhangnational.site/b21s/?LZa0=y0Dj+cpzYNB0KREV3i9vRRBmemYalAwO39f2/WBFUnsbQy2Uen8j2v8X32Jt1Fp/TC7TXkMI&uTux=njoTZ26xmz
  http://www.gattgraphic.com/b21s/?LZa0=EodxxVnP6AALhCm6PMojoLYK50H/6a9ovP9+wbqeR1Lo4rltyls8iqRv+JR8KYWFAhTe4tyj&uTux=njoTZ26xmz
  http://www.family-doctor-79417.com/b21s/?LZa0=Mxt8ckLWX1wN0TXkckU8PS2/S2ul7U/m+MSjsB7vFpbxPb8t47jkcaQcBHmi0NSFrzd3m2nN&uTux=njoTZ26xmz
  http://www.martinkeyword.top/b21s/?LZa0=0tEjvMOQZ1u+KiVdVD9NMdDqyg4NNl7IsBZDKOPbb44psP0R1uri9OUTuHQ9LNmBSi0J17UR&uTux=njoTZ26xmz
Hosts (9):
  www.bruderhertz.art()
  www.gattgraphic.com(34.149.87.45)
  www.family-doctor-79417.com(103.224.212.213)
  www.zhangnational.site(104.21.49.198)
  www.martinkeyword.top(172.67.154.225)
  34.149.87.45 - phishing
  104.21.6.136
  103.224.212.213
  172.67.166.205
IDS alerts (4):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .TOP Domain with Minimal Headers
3.6 | M | 53 | ZeroCERT

6144 | 2024-01-25 08:55
swizzy.exe | 239d67b4a07dcc1ea81b612e93bc97ff
Tags: PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS
Hosts (1):
  185.94.230.135 - malicious
3.2 | M | 51 | ZeroCERT

6145 | 2024-01-25 08:54
conhost.exe | 8666f07fa7e7240b0f1866c1252cc63f
Tags: PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (4):
  api.ipify.org(173.231.16.75)
  mail.telefoonreparatiebovenkarspel.nl(185.94.230.135) - malicious
  64.185.227.156
  185.94.230.135 - malicious
IDS alerts (5):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction
12.8 | M | 32 | ZeroCERT

6146 | 2024-01-25 08:53
Awwnbpxqsf.exe | 7115d6d1f8c8f7df0564dfd3e5201392
Tags: Hide_EXE .NET framework(MSIL) Anti_VM PE32 PE File .NET EXE VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key
4.0 | M | 42 | ZeroCERT

6147 | 2024-01-24 13:27
edca71eda8650a2c591c37c780b6a0... | edca71eda8650a2c591c37c780b6a0c5
Tags: Malicious Library UPX PE File DLL PE64 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself crashed
2.8 | | 46 | ZeroCERT

6148 | 2024-01-24 09:44
StealerClient_Cpp.exe | 910a8c9c1a1c5ae9af654fe148d885d1
Tags: Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check VirusTotal Malware
1.2 | M | 50 | ZeroCERT

6149 | 2024-01-24 09:42
StealerClient_Cpp_1_3.exe | be1d8fb7825e9cd0f2572096d60bbd5f
Tags: Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check VirusTotal Malware
1.2 | M | 51 | ZeroCERT

6150 | 2024-01-24 09:39
crypted_d786fd3e.exe | 8f1d79f77c7f0c6bc7fe6c1361cc6919
Tags: PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 46 | ZeroCERT