6211 | 2024-01-22 12:26
Oscrcelw.exe | MD5 302ac1d64dabebfeb1ecb1ddbd1f46b0 | PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 22 | ZeroCERT

6212 | 2024-01-20 18:19
zonak.exe | MD5 d1d8db81157f989532108d62c64cbc33 | Amadey Malicious Packer UPX Malicious Library Anti_VM AntiDebug AntiVM PE32 PE File .NET EXE MSOffice File OS Processor Check DLL ZIP Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
URLs (21):
  http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951
  http://109.107.182.3/cost/vimu.exe - rule_id: 39038
  http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948
  http://109.107.182.3/cost/nika.exe - rule_id: 39037
  http://185.215.113.68/mine/livak.exe
  http://www.maxmind.com/geoip/v2.1/city/me
  http://109.107.182.3/cost/go.exe - rule_id: 39025
  http://185.215.113.68/mine/amer.exe - rule_id: 39024
  http://185.215.113.68/theme/index.php - rule_id: 38935
  https://www.google.com/favicon.ico
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MB1Kt9JRng3yyk_pct8ZP3zuC3fBqZFRXuexVmEhTR_dTxy42kBpfUijZBBTyoL_snfrEWg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S487216895%3A1705742046920610
  https://accounts.google.com/generate_204?vBMMBg
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3-cnxAB265cMjA870JRwXCWmEackG0gZBWgg8enHGTomo63RZ5p2GNDc8fgTCQ6vFgzSFjkw
  https://lizotel.pt/temp/322321.exe
  https://lizotel.pt/temp/crypted.exe
  https://lizotel.pt/temp/legnew.exe
Hosts (17):
  db-ip.com(172.67.75.166)
  lizotel.pt(185.240.248.84)
  www.google.com(142.250.76.132)
  ssl.gstatic.com(142.250.76.131)
  ipinfo.io(34.117.186.192)
  accounts.google.com(64.233.188.84)
  www.maxmind.com(104.18.145.235)
  108.177.125.84
  142.250.207.67
  104.18.146.235
  104.26.4.15
  185.215.113.68 - malware
  172.217.25.4 - suspicious
  34.117.186.192
  185.240.248.84
  193.233.132.62 - malicious
  109.107.182.3 - malicious
Alerts (18):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET INFO Packed Executable Download
  ET INFO TLS Handshake Failure
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE Amadey Bot Activity (POST)
Rule-matched URLs (7):
  http://185.215.113.68/theme/Plugins/clip64.dll
  http://109.107.182.3/cost/vimu.exe
  http://185.215.113.68/theme/Plugins/cred64.dll
  http://109.107.182.3/cost/nika.exe
  http://109.107.182.3/cost/go.exe
  http://185.215.113.68/mine/amer.exe
  http://185.215.113.68/theme/index.php
19.6 | M | | ZeroCERT

6213 | 2024-01-20 18:17
sl2_29.exe | MD5 bbe98cc2bf5ce0c0bb4fb74370e2af68 | PE File PE64 VirusTotal Malware DNS crashed
Hosts (2):
  185.215.113.68 - malware
  193.233.132.62 - malicious
Alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
2.0 | M | 30 | ZeroCERT

6214 | 2024-01-20 18:13
univ.exe | MD5 a0a061a95699987d3bdb7d212c8cbdd6 | Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution
2.0 | M | 23 | ZeroCERT

6215 | 2024-01-20 18:11
inte.exe | MD5 68c58efa330393b980149c75b9f2b388 | Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware suspicious privilege Malicious Traffic WMI Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
URLs (1):
  http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981
Hosts (1):
  185.172.128.90 - malicious
Rule-matched URLs (1):
  http://185.172.128.90/cpa/ping.php
5.4 | M | 48 | ZeroCERT

6216 | 2024-01-20 18:11
sl2_29.exe | MD5 bbe98cc2bf5ce0c0bb4fb74370e2af68 | PE File PE64 VirusTotal Malware crashed
1.4 | M | 30 | ZeroCERT

6217 | 2024-01-20 18:11
build.exe | MD5 71a607a13b3a32bb32e8ec2ea9b43fd9 | Gen1 Generic Malware Malicious Library ASPack Malicious Packer UPX Antivirus Anti_VM PE File PE64 DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself
3.0 | M | 31 | ZeroCERT

6218 | 2024-01-20 18:10
univ.exe | MD5 39d19848d11f105b8271760bcabfd79f | Emotet Generic Malware Malicious Library UPX PE32 PE File OS Processor Check CAB Creates executable files AppData folder Windows
URLs (1):
  http://download.visualstudio.microsoft.com/download/pr/d6835aa3-6ec4-47ec-a5a5-9052ed310e4f/c1171996e95717bf532475f4546e479c/windowsdesktop-runtime-6.0.26-win-x86.exe
Hosts (2):
  download.visualstudio.microsoft.com(192.229.232.200)
  192.229.232.200
Alerts (2):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
1.6 | M | | ZeroCERT

6219 | 2024-01-20 18:07
SetupPowerGREPDemo.exe | MD5 a29a203a471bcfaf00f00386bc60aee6 | Generic Malware Malicious Library Malicious Packer UPX PE File PE64 wget DllRegisterServer dll OS Processor Check VirusTotal Malware crashed
1.2 | M | 17 | ZeroCERT

6220 | 2024-01-20 18:06
bin.exe | MD5 cb200521eb0a2795343b74dc489bceb6 | Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | M | 52 | ZeroCERT

6221 | 2024-01-20 18:05
sma.exe | MD5 2c8d9825ebb93a1fb86a3adeacdf0627 | Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware crashed
1.0 | | 20 | ZeroCERT

6222 | 2024-01-20 18:04
Sjupttbqke.exe | MD5 afabc3587df98b14b379e68b532c40d2 | Hide_EXE PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 27 | ZeroCERT

6223 | 2024-01-20 18:03
conhost.exe | MD5 591dac333aff7739bf01a4c9d3e838a5 | Formbook .NET framework(MSIL) AntiDebug AntiVM PE32 PE File .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
URLs (3):
  http://www.jpedwardscoaching.com/he09/?GFNL6=J0rZNCGgqBuOcPi6jo5klUavYHikY0sXv/Xz2k6X4AbHrcSx6bhwqQyERI1ftla2AmT/C8vw&mlvx=fZU8pNxPWXppdj
  http://www.nahanttowing.top/he09/?GFNL6=tTem8GlEomBe/gQIXYajZ4LmI38bmbiSHuSIbs3stVgT3O0rYBhk8L/2KHhJryPrlQiCHLKY&mlvx=fZU8pNxPWXppdj
  http://www.360bedroom.com/he09/?GFNL6=ivXZRRAkpCxCXaiKqhV0zhZAF3LEhZuFftcbp4Y9/P+ipI+dv9O/d2RZN4bxL5M4jaU3FwSE&mlvx=fZU8pNxPWXppdj
Hosts (7):
  www.jpedwardscoaching.com(15.197.148.33)
  www.nahanttowing.top(172.67.223.17)
  www.360bedroom.com(3.94.41.167)
  www.clhear.com()
  104.21.70.110
  15.197.148.33 - malicious
  52.86.6.113 - malicious
Alerts (4):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to a *.top domain
  ET HUNTING Request to .TOP Domain with Minimal Headers
9.0 | M | 41 | ZeroCERT

6224 | 2024-01-20 18:02
Ylcqwdizkq.exe | MD5 3e48ec4a687a12d4da0fbcde8fe923da | Hide_EXE UPX PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself
2.4 | M | 50 | ZeroCERT

6225 | 2024-01-19 18:19
vimu.exe | MD5 520050ab79ad5b13e6de5d3d7941d4d2 | Malicious Packer UPX Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
  ipinfo.io(34.117.186.192)
  db-ip.com(172.67.75.166)
  172.67.75.166
  34.117.186.192
  193.233.132.62 - malicious
Alerts (5):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
7.0 | | | ZeroCERT