Sandbox report listing, submitter ZeroCERT, 2024-01-22 to 2024-01-23. Each flattened row is rebuilt below with its columns in the original order: report ID, submission time, sample (file name, MD5, tags), contacted URLs, contacted hosts, network signatures (ET / SSLBL), URLs that matched a rule_id, score, M (an unlabelled flag column, shown where set), VT (detection count; blank where the sample carries no VirusTotal tag), submitter. Counts in parentheses are the listing's own column counts; host entries keep the listing's domain(resolved IP) form and its "- malware" / "- malicious" verdicts.

Report 6181 | submitted 2024-01-23 14:17 | submitter ZeroCERT
  Sample      : first.exe
  MD5         : 8063f5bf899b386530ad3399f0c5f2a1
  Tags        : Generic Malware, Malicious Library, Antivirus, UPX, PE32, PE File, .NET EXE, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself, Windows, ComputerName, DNS, Cryptographic key
  URLs        : none
  Hosts (1)   : none listed
  Signatures  : none
  Score 4.6 | M | VT 43
Report 6182 | submitted 2024-01-23 14:15 | submitter ZeroCERT
  Sample      : PrivateCheat.exe
  MD5         : 92d5541274a80650bf7fc9d40f2be865
  Tags        : Generic Malware, Downloader, Malicious Library, UPX, MPRESS, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, PE32, PE File, OS Processor C, VirusTotal, Malware, PDB, Code Injection, Creates executable files, AppData folder, suspicious TLD, Tofsee, ComputerName, Remote Code Execution, crashed
  URLs        : none
  Hosts (2)   :
    ca94025.tw1.ru(188.225.40.162)
    188.225.40.162
  Signatures (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score 5.4 | M | VT 28
Report 6183 | submitted 2024-01-23 14:14 | submitter ZeroCERT
  Sample      : build.exe
  MD5         : 225f0256ef50aab5c935499df55437ce
  Tags        : Gen1, Generic Malware, Malicious Library, Malicious Packer, UPX, Antivirus, Anti_VM, PE File, PE64, DLL, OS Processor Check, ftp, wget, VirusTotal, Malware, Check memory, Creates executable files, unpack itself
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 3.0 | M | VT 33
Report 6184 | submitted 2024-01-23 14:12 | submitter ZeroCERT
  Sample      : microsoftunderstandthepowerofn...
  MD5         : 82997e653dabd2e665f2a25b35a02760
  Tags        : MS_RTF_Obfuscation_Objects, RTF File, doc, FormBook, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Windows, Exploit, DNS, crashed
  URLs (3)    :
    http://www.randomgirlsai.com/de74/?hBZ=G3IsVFJ99ljdomQWxTpaweF7KMD/ZXy9GEvEnxjwlPNv7uTT17eHu9Yxk+2tzL5QkeJSM4MJ&or=3f5pdRAXd
    http://www.apkreal.net/de74/?hBZ=rjGIOJeuXQuFujpnQMEV1DsPSxOh46YUdJAF0YMvBCHG7R8Pr9i6MH6o+C2iQUj6ISartky+&or=3f5pdRAXd
    http://107.175.243.133/3804/conhost.exe
  Hosts (7)   :
    www.hennabyrushda.com()
    www.randomgirlsai.com(91.195.240.19)
    www.apkreal.net(172.67.135.139)
    104.21.7.3
    107.175.243.133 - malware
    91.195.240.19 - malicious
    122.176.133.66 - malware
  Signatures (6):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE FormBook CnC Checkin (GET)
  Score 4.6 | M | VT 31
Report 6185 | submitted 2024-01-23 14:10 | submitter ZeroCERT
  Sample      : microsoftdesignednewthechnolog...
  MD5         : c3edf3c7fa0702cfc2fdc855d1b30472
  Tags        : MS_RTF_Obfuscation_Objects, RTF File, doc, FormBook, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, RWX flags setting, exploit crash, Windows, Exploit, DNS, crashed
  URLs (3)    :
    http://www.mgplatinemlak.xyz/he09/?q48=H2yL0jOsTn68oh3cPez/xoWoV7OCTr05wR+Pmrsx9qPM06ZXiwJZoZaQ/uWx+S8/yDrIFJJZ&rTFDr=GB1hul2hXlAhMt
    http://www.8xb898.com/he09/?q48=nj631wJ8eKStkbAdSpbY0CVUfsZuCG4z4On3ILPNHxmyp7IfnS/A3N5Ab0AuSDDV/YcUavHV&rTFDr=GB1hul2hXlAhMt
    http://192.3.176.145/2355/conhost.exe
  Hosts (7)   :
    www.moneyshift.store()
    www.kembangzadsloh.xyz()
    www.8xb898.com(15.197.148.33)
    www.mgplatinemlak.xyz(85.159.66.93)
    15.197.148.33 - malicious
    85.159.66.93 - malicious
    192.3.176.145 - malware
  Signatures (7):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE FormBook CnC Checkin (GET)
    ET HUNTING Request to .XYZ Domain with Minimal Headers
  Score 4.6 | M | VT 31
Report 6186 | submitted 2024-01-23 14:10 | submitter ZeroCERT
  Sample      : mm.txt.exe
  MD5         : 471b2fe37c91bb020e7907897587099e
  Tags        : Malicious Library, PE32, PE File, VirusTotal, Malware, Check memory, RWX flags setting, AntiVM_Disk, sandbox evasion, VM Disk Size Check, Browser, DNS
  URLs        : none
  Hosts (1)   : none listed
  Signatures  : none
  Score 4.2 | M | VT 60
Report 6187 | submitted 2024-01-23 14:10 | submitter ZeroCERT
  Sample      : rem1.exe
  MD5         : 8f70e913513b30a144165829ba3261bb
  Tags        : Client SW User Data Stealer, Backdoor, RemcosRAT, Browser Login Data Stealer, browser info stealer, Generic Malware, Suspicious_Script_Bin, Google Chrome User Data, Downloader, Malicious Library, Malicious Packer, UPX, Create Service, Socket, ScreenShot, Escalate privil, Browser Info Stealer, Remcos, VirusTotal, Malware, AutoRuns, Code Injection, Malicious Traffic, Check memory, buffers extracted, unpack itself, suspicious process, human activity check, Windows, Browser, DNS, keylogger
  URLs (1)    :
    http://geoplugin.net/json.gp
  Hosts (3)   :
    geoplugin.net(178.237.33.50)
    178.237.33.50
    122.176.133.66 - malware
  Signatures (1):
    ET JA3 Hash - Remcos 3.x TLS Connection
  Score 11.0 | VT 61
Report 6188 | submitted 2024-01-23 08:04 | submitter ZeroCERT
  Sample      : face.exe
  MD5         : b367a4da8177d0be7638599aad1caa9b
  Tags        : Amadey, Generic Malware, NSIS, Malicious Packer, Malicious Library, UPX, Antivirus, Admin Tool (Sysinternals etc ...), Anti_VM, AntiDebug, AntiVM, PE32, PE File, PNG Format, OS Processor Check, DLL, .NET EXE, ZIP Format, MZP Format, JPEG Format, BMP Format, CHM Format, Browser Info Stealer, Malware download, Amadey, FTP Client Info Stealer, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, Disables Windows Security, Collect installed applications, Check virtual network interfaces, suspicious process, AppData folder, AntiVM_Disk, sandbox evasion, WriteConsoleW, anti-virtualization, IP Check, VM Disk Size Check, installed browsers check, Tofsee, Ransomware, Windows Update, Exploit, Browser, RisePro, Email, ComputerName, DNS, Software, crashed, Downloader
  URLs (19)   :
    http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
    http://109.107.182.3/cost/vimu.exe - rule_id: 39038
    http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
    http://109.107.182.3/cost/nika.exe - rule_id: 39037
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
    http://109.107.182.3/cost/go.exe - rule_id: 39025
    http://185.215.113.68/mine/amer.exe - rule_id: 39024
    http://185.215.113.68/theme/index.php - rule_id: 38935
    https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp19ppAsRv2o6lyozUloXtl2vtHTQ_Z5hQtp6-dWz_Yb_d5Sog8ygYecStquNLy1xgWdXfMz&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-955853393%3A1705964159222861
    https://www.google.com/favicon.ico
    https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
    https://db-ip.com/demo/home.php?s=175.208.134.152
    https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
    https://accounts.google.com/_/bscframe
    https://accounts.google.com/
    https://accounts.google.com/generate_204?dNjB8g
    https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0prvDtaojbUs_fFiN9b9CD7hkEJ1nHDhTfd9vIUqM3YxyI4uMpGixUZhaFGRKzHsJvSPCU
    https://i.alie3ksgaa.com/sta/imagd.jpg
  Hosts (23)  :
    db-ip.com(104.26.4.15)
    www.google.com(142.250.76.132)
    ssl.gstatic.com(142.250.207.99)
    www.fleefight.it(94.177.48.37) - malware
    ipinfo.io(34.117.186.192)
    i.alie3ksgaa.com(154.92.15.189) - malicious
    accounts.google.com(64.233.188.84)
    193.233.132.62 - malicious
    216.58.200.227
    94.177.48.37 - malware
    87.251.77.166 - malicious
    104.26.4.15
    173.194.174.84
    185.215.113.68 - malware
    185.172.128.19 - malicious
    185.172.128.90 - malicious
    34.117.186.192
    142.251.220.68
    61.111.58.35 - malware
    185.172.128.53 - malware
    154.92.15.189 - malicious
    185.172.128.109 - malware
    109.107.182.3 - malicious
  Signatures (19):
    ET MALWARE [ANY.RUN] RisePro TCP (Token)
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE [ANY.RUN] RisePro TCP (External IP)
    ET MALWARE Suspected RisePro TCP Heartbeat Packet
    ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
    ET MALWARE [ANY.RUN] RisePro TCP (Activity)
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET DROP Spamhaus DROP Listed Traffic Inbound group 21
    ET INFO Packed Executable Download
    ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
    ET INFO Dotted Quad Host DLL Request
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
    ET MALWARE Amadey Bot Activity (POST)
    ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  URLs with matched rule_id (8):
    http://185.215.113.68/theme/Plugins/clip64.dll
    http://109.107.182.3/cost/vimu.exe
    http://185.215.113.68/theme/Plugins/cred64.dll
    http://109.107.182.3/cost/nika.exe
    http://185.172.128.90/cpa/ping.php
    http://109.107.182.3/cost/go.exe
    http://185.215.113.68/mine/amer.exe
    http://185.215.113.68/theme/index.php
  Score 25.8 | M
Report 6189 | submitted 2024-01-23 08:00 | submitter ZeroCERT
  Sample      : 7ec9f8f6-24a9-402a-86a4-d42c74...
  MD5         : c49490eda6028f4169eba29b9e3ad3bc
  Tags        : Malicious Library, PE32, PE File, .NET EXE, MachineGuid, Check memory, Checks debugger, unpack itself
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 1.6
Report 6190 | submitted 2024-01-23 07:59 | submitter ZeroCERT
  Sample      : Launcher.exe
  MD5         : 6dbf943c1313d219a7356cf45babe562
  Tags        : Malicious Packer, Downloader, UPX, PE File, PE64, ftp, OS Processor Check, PDB
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 0.6 | M
Report 6191 | submitted 2024-01-23 07:56 | submitter ZeroCERT
  Sample      : conhost.exe
  MD5         : e882b8df405f9651962b3e983ed78274
  Tags        : .NET framework(MSIL), PE32, PE File, .NET EXE, PDB, Check memory, Checks debugger, unpack itself
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 1.4 | M
Report 6192 | submitted 2024-01-23 07:54 | submitter ZeroCERT
  Sample      : conhost.exe
  MD5         : 6ec1aed2634c28a25d17be93a71150a2
  Tags        : Formbook, .NET framework(MSIL), AntiDebug, AntiVM, PE32, PE File, .NET EXE, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 6.6
Report 6193 | submitted 2024-01-23 07:52 | submitter ZeroCERT
  Sample      : 5777786423.exe
  MD5         : ebd6f7a6cb7aa2c1f16389618828dd18
  Tags        : Malicious Library, PE32, PE File, VirusTotal, Malware, unpack itself, DNS
  URLs        : none
  Hosts (1)   : none listed
  Signatures  : none
  Score 2.0 | VT 27
Report 6194 | submitted 2024-01-22 15:02 | submitter ZeroCERT
  Sample      : Windows.exe
  MD5         : 9af0b7ca55fe8970d0259163c88b92ae
  Tags        : Malicious Packer, .NET framework(MSIL), UPX, PE32, PE File, .NET EXE, VirusTotal, Malware, MachineGuid, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Windows, ComputerName, Cryptographic key
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 3.0 | M | VT 41
Report 6195 | submitted 2024-01-22 15:00 | submitter ZeroCERT
  Sample      : AquaPhobia.exe
  MD5         : 0662fbb81cfbbb132abf4a5976e4ec2c
  Tags        : Gen1, RedLine stealer, NSIS, Generic Malware, Suspicious_Script, Downloader, Malicious Library, UPX, Antivirus, Malicious Packer, Javascript_Blob, Anti_VM, PE32, PE File, DLL, PE64, OS Processor Check, ftp, wget, MSOffice File, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, Ransomware
  URLs        : none
  Hosts       : none
  Signatures  : none
  Score 3.2 | M | VT 3
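The records above mix the indicators a responder actually wants (sample MD5, payload and C2 URLs, resolved hosts, "- malware" / "- malicious" verdicts, ET and SSLBL alerts) into free text. The script below is an added example, not code from the sandbox or from the submitter: it pulls those indicators out of a record's text with regexes that assume the listing's own conventions (hosts written as `domain(ip)` or `domain()`, verdicts as `- malware` / `- malicious`, with the listing's `mailcious` spelling normalised, and all network signatures run together on one line, each starting `ET <CATEGORY>` or `SSLBL:`), then builds a defanged block list from the labelled IPs plus every domain that resolved to one, and the URLs hosted on either. It works on either the raw column export or the per-record layout, because it keys on those conventions rather than on line positions. `RECORD_6184` and `RECORD_6182` are copied from reports 6184 and 6182 (tag list of 6182 shortened, column counts and empty separator lines dropped); the URLs and IPs inside them are live indicators from the listing, which is why the output is defanged.

```python
"""IOC extraction for records of the sandbox listing above.

Added example, not code from the sandbox or the submitter. RECORD_6184 and
RECORD_6182 are copied from the listing (6182's tag list shortened, column
counts and empty "|" separator lines dropped). Assumed conventions: hosts as
"domain(ip)" or "domain()", verdicts as "... - malware" / "... - malicious"
(spelled "mailcious" in the listing), signatures run together on one line,
each starting "ET <CATEGORY>" or "SSLBL:".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
LABEL = r"(?:\s*-\s*(malware|malicious|mailcious))?"
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://[^\s|]+")
HOST_RE = re.compile(rf"([a-z0-9-]+(?:\.[a-z0-9-]+)+)\(({IPV4})?\){LABEL}", re.I)
IP_RE = re.compile(rf"\b({IPV4})\b{LABEL}")
SIG_SPLIT_RE = re.compile(r"(?=\bET [A-Z0-9_]+ |\bSSLBL: )")

RECORD_6184 = """\
microsoftunderstandthepowerofn... 82997e653dabd2e665f2a25b35a02760 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
http://www.randomgirlsai.com/de74/?hBZ=G3IsVFJ99ljdomQWxTpaweF7KMD/ZXy9GEvEnxjwlPNv7uTT17eHu9Yxk+2tzL5QkeJSM4MJ&or=3f5pdRAXd
http://www.apkreal.net/de74/?hBZ=rjGIOJeuXQuFujpnQMEV1DsPSxOh46YUdJAF0YMvBCHG7R8Pr9i6MH6o+C2iQUj6ISartky+&or=3f5pdRAXd
http://107.175.243.133/3804/conhost.exe
www.hennabyrushda.com()
www.randomgirlsai.com(91.195.240.19)
www.apkreal.net(172.67.135.139) 104.21.7.3
107.175.243.133 - malware
91.195.240.19 - mailcious
122.176.133.66 - malware
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (GET)
4.6 | M | 31 | ZeroCERT
"""

RECORD_6182 = """\
PrivateCheat.exe 92d5541274a80650bf7fc9d40f2be865 Generic Malware Downloader UPX MPRESS DGA Tofsee |
ca94025.tw1.ru(188.225.40.162) 188.225.40.162
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 28 | ZeroCERT
"""


@dataclass
class IOCSet:
    md5s: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    domains: Dict[str, Optional[str]] = field(default_factory=dict)  # domain -> resolved IP
    ips: Dict[str, Optional[str]] = field(default_factory=dict)      # ip -> verdict label
    signatures: List[str] = field(default_factory=list)


def norm_label(label: str) -> Optional[str]:
    """Empty regex group -> None; the listing's 'mailcious' -> 'malicious'."""
    return {"": None, "mailcious": "malicious"}.get(label, label)


def split_signatures(line: str) -> List[str]:
    """Cut a run-together signature line at every 'ET CAT ' / 'SSLBL: ' start."""
    return [s.strip() for s in SIG_SPLIT_RE.split(line) if s.strip()]


def defang(indicator: str) -> str:
    """hxxp:// and [.] so the indicator cannot be clicked or auto-linked."""
    return indicator.replace("http", "hxxp", 1).replace(".", "[.]")


def extract(record: str) -> IOCSet:
    iocs = IOCSet(md5s=sorted(set(MD5_RE.findall(record))), urls=URL_RE.findall(record))
    for line in record.splitlines():
        if line.strip().startswith(("ET ", "SSLBL:")):
            iocs.signatures.extend(split_signatures(line.strip()))
    hosts = URL_RE.sub(" ", record)  # an IP seen only inside a URL is not a host entry
    for domain, ip, label in HOST_RE.findall(hosts):
        iocs.domains[domain.lower()] = ip or None
        if ip:  # a verdict written on the domain line is carried over to its resolved IP
            iocs.ips[ip] = norm_label(label) or iocs.ips.get(ip)
    for ip, label in IP_RE.findall(hosts):
        iocs.ips[ip] = norm_label(label) or iocs.ips.get(ip)  # never erase a verdict
    return iocs


def flagged(iocs: IOCSet) -> List[str]:
    """Defanged block list: labelled IPs plus every domain that resolved to one."""
    bad_ips = {ip for ip, label in iocs.ips.items() if label}
    bad_domains = {d for d, ip in iocs.domains.items() if ip in bad_ips}
    return sorted(defang(x) for x in bad_ips | bad_domains)


def flagged_urls(iocs: IOCSet) -> List[str]:
    """Defanged URLs whose host is on the block list (payload and C2 URLs)."""
    bad = set(flagged(iocs))
    return [defang(u) for u in iocs.urls if defang(urlsplit(u).hostname or "") in bad]
```

On report 6184 the block list comes out as the three labelled IPs plus `www.randomgirlsai.com`, which the listing itself never labels but which resolved to the "malicious" 91.195.240.19; the apkreal.net host stays off the list because its resolved IP carries no verdict. Report 6182 shows the other edge: a JA3 alert but no labelled host, so the block list is empty and the only actionable artefact is the signature itself. The host scan runs on a copy of the record with URLs blanked out, otherwise 107.175.243.133 would be recorded once as a host and once from the URL path with no way to tell them apart.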