Sandbox analysis listing, one record per submitted sample. Record layout: ID | date | file name | MD5; Tags; URLs (count); Hosts (count); Suricata alerts (count); Malicious URLs (count); Score | M | VT detections | Submitter. Blocks with a zero count are not shown on the page and are omitted here.

6226 | 2024-01-19 18:18 | nika.exe | MD5 32f08c7702a91d3f6b24aecc143bf90c
Tags: PE32 PE File .NET EXE PDB suspicious privilege Check memory Checks debugger unpack itself Disables Windows Security Windows Update
Score 3.6 | ZeroCERT

6227 | 2024-01-19 15:00 | Adobe_acrobat_installer.exe | MD5 e2cb17fc7f799e6c39fdbe4aa2c8c06e
Tags: AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (4):
  api.ipify.org(64.185.227.156)
  api.telegram.org(149.154.167.220)
  64.185.227.156
  149.154.167.220
Suricata alerts (6):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Telegram API Domain in DNS Lookup
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Score 14.2 | VT 32 | guest

6228 | 2024-01-19 09:39 | 124eb3b6.exe | MD5 c7a82687ac39dcf7ac94f0ec5f23802c
Tags: Malicious Library UPX PE32 PE File OS Processor Check unpack itself
Score 0.8 | M | ZeroCERT

6229 | 2024-01-19 09:17 | United Congress HD Quote.pdf | MD5 32f22f06e586a7aff7ee3c47e161bda1
Tags: PDF
Score n/a | guest

6230 | 2024-01-19 08:09 | Setup.exe | MD5 d0071e1888f6078a4c57a89265b54d88
Tags: Malicious Library PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs or Hosts (1): list not shown on the page
Suricata alerts (3):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer Family Activity (Response)
Score 6.2 | M | ZeroCERT

6231 | 2024-01-19 08:07 | conhost.exe | MD5 db2097a73708c43f88d3fd6d7a017b13
Tags: Generic Malware .NET framework(MSIL) Antivirus PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (3):
  api.ipify.org(173.231.16.75)
  64.185.227.156
  121.254.136.27
Suricata alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 9.8 | M | ZeroCERT

6232 | 2024-01-19 08:05 | conhost.exe | MD5 9c477f0a3dc97e81cd2a76e339b38c7c
Tags: AgentTesla UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
Hosts (2):
  api.ipify.org(104.237.62.211)
  64.185.227.156
Suricata alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 11.0 | M | ZeroCERT

6233 | 2024-01-19 08:04 | room.exe | MD5 b716baea0866421f013912e77e5db815
Tags: EnigmaProtector Malicious Library UPX Malicious Packer Code injection Socket ScreenShot Steal credential DNS AntiDebug AntiVM PE32 PE File .NET EXE MSOffice File OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader
URLs (13):
  http://185.215.113.68/mine/amer.exe - rule_id: 39024
  http://109.107.182.3/cost/go.exe - rule_id: 39025
  http://109.107.182.3/cost/nika.exe
  http://109.107.182.3/cost/vimu.exe
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MrYoqgbP9QAW3euB1trnjW3nzVsSX4zXyxia8fKwg7xPv0o6RkXvohF4lTm5X6bsfBNbeyg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-939002500%3A1705618756630130
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp1e75G1gW0DiCO0dOvUf1sNyw_eYkTsegr2M0TGYOboAyXMt2zZ3wpHZodY7fybxG3b4LbZ2w
  https://accounts.google.com/
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/generate_204?biSL3A
  https://www.google.com/favicon.ico
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (14):
  ipinfo.io(34.117.186.192)
  ssl.gstatic.com(142.250.76.131)
  db-ip.com(104.26.5.15)
  accounts.google.com(64.233.187.84)
  www.google.com(142.250.76.132)
  193.233.132.62 - malicious
  104.26.4.15
  185.215.113.68 - malware
  142.251.222.3
  34.117.186.192
  142.250.199.100
  142.251.8.84
  154.92.15.189 - malicious
  109.107.182.3 - malicious
Suricata alerts (12):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 21
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Malicious URLs (2):
  http://185.215.113.68/mine/amer.exe
  http://109.107.182.3/cost/go.exe
Score 23.8 | M | ZeroCERT

6234 | 2024-01-19 08:01 | Zumyefllhkv.exe | MD5 b3c9e1e36ec66ac0c73f24f81f231526
Tags: Hide_EXE PE File PE64 suspicious privilege MachineGuid Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key
Score 4.2 | ZeroCERT

6235 | 2024-01-19 07:59 | rty45.exe | MD5 bfa0a2b457d28d8805a0658b7498c639
Tags: Malicious Library UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://i.alie3ksgaa.com/sta/imagd.jpg
Hosts (3):
  i.alie3ksgaa.com(154.92.15.189) - malicious
  154.92.15.189 - malicious
  121.254.136.27
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 3.4 | M | VT 30 | ZeroCERT

6236 | 2024-01-18 18:59 | clip64.dll | MD5 19f0bed8cb532428c6c015b07e1f5522
Tags: Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS
URLs (1):
  http://5.42.65.44/b8sdjsdkS/index.php
Hosts (1): list not shown on the page
Score 3.6 | M | VT 46 | ZeroCERT

6237 | 2024-01-18 18:56 | microbiolagicalthingshappenein... | MD5 adf6b4115caf260b8f57c1fd9bb618ec
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed
URLs (1):
  http://107.175.243.133/1521/conhost.exe
Hosts (3):
  api.ipify.org(64.185.227.156)
  107.175.243.133 - malware
  104.237.62.211
Suricata alerts (9):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 5.0 | M | VT 34 | ZeroCERT

6238 | 2024-01-18 18:54 | microbiolagicalthingshappenein... | MD5 6a0bc469af442ab4df602ad5af219b02
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
URLs (1):
  http://107.175.243.133/1522/conhost.exe
Hosts (3):
  api.ipify.org(104.237.62.211)
  107.175.243.133 - malware
  173.231.16.75
Suricata alerts (9):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 5.0 | M | VT 35 | ZeroCERT

6239 | 2024-01-18 18:54 | amer.exe | MD5 0a170e4d6254a773ffddeebf23e33e63
Tags: EnigmaProtector PE32 PE File VirusTotal Malware unpack itself crashed
Score 2.4 | M | VT 42 | ZeroCERT

6240 | 2024-01-18 18:52 | JAN-17-2024-765FYDX.url | MD5 0a5062edfd1d56c273a2fa19c695a6a8
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (3):
  http://5.181.159.46/
  http://5.181.159.46/Downloads
  http://5.181.159.46/Downloads/26.url
Hosts (1): list not shown on the page
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score 4.6 | VT 5 | ZeroCERT
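A listing like this is only useful once it is turned into an IOC set that can be blocked or hunted on, and the raw host and URL columns are full of noise that must not end up on a blocklist: external-IP lookup services (api.ipify.org, ipinfo.io, db-ip.com), Google sign-in pages fetched by the RisePro sample, the IdenTrust root certificate fetched by rty45.exe, and api.telegram.org, which AgentTesla uses as an exfiltration channel but which is not attacker-owned. The script below is an added example and is not code from the listing page or from the sandbox that produced it. It embeds a handful of the records above (hashes, URLs and host strings copied from the page, tag strings shortened to the relevant tokens), parses the page's "name(ip) - flag" host notation, drops shared services, and resolves bare IPs against names seen in any record, so the ipify address that appears without its name in record 6237 is still excluded and 154.92.15.189 in record 6233 inherits the name i.alie3ksgaa.com that record 6235 gives it. The allowlist, the family tag list and the host-notation regex are assumptions; note that the SSLBL "Tofsee" JA3 hit is deliberately not used for attribution, since it fires on nearly every .NET sample on the page, the RTF and .url droppers included.

```python
"""Reduce the sandbox listing above to a deduplicated, defanged IOC set.

Added example: not code from the listing page or from the sandbox that
produced it. RECORDS is copied from the page (tag strings shortened).
Assumed: the host notation "name(ip) - flag", SHARED_SERVICES, FAMILY_TAGS.
"""
import re
from urllib.parse import urlsplit

RECORDS = [  # copied from the page; tags shortened to the relevant tokens
    {"id": 6227, "md5": "e2cb17fc7f799e6c39fdbe4aa2c8c06e",
     "tags": "AgentTesla PWS KeyLogger Telegram Tofsee", "urls": [],
     "hosts": ["api.ipify.org(64.185.227.156)", "api.telegram.org(149.154.167.220)",
               "64.185.227.156", "149.154.167.220"]},
    {"id": 6232, "md5": "9c477f0a3dc97e81cd2a76e339b38c7c",
     "tags": "AgentTesla UPX PWS SMTP KeyLogger Tofsee", "urls": [],
     "hosts": ["api.ipify.org(104.237.62.211)", "64.185.227.156"]},
    {"id": 6233, "md5": "b716baea0866421f013912e77e5db815",
     "tags": "EnigmaProtector RisePro Downloader Tofsee",
     "urls": ["http://185.215.113.68/mine/amer.exe", "http://109.107.182.3/cost/go.exe",
              "http://109.107.182.3/cost/nika.exe",
              "https://db-ip.com/demo/home.php?s=175.208.134.152"],
     "hosts": ["ipinfo.io(34.117.186.192)", "db-ip.com(104.26.5.15)",
               "193.233.132.62 - malicious", "185.215.113.68 - malware",
               "109.107.182.3 - malicious", "154.92.15.189 - malicious"]},
    {"id": 6235, "md5": "bfa0a2b457d28d8805a0658b7498c639",
     "tags": "Malicious Library UPX PE64 Tofsee",
     "urls": ["http://apps.identrust.com/roots/dstrootcax3.p7c",
              "https://i.alie3ksgaa.com/sta/imagd.jpg"],
     "hosts": ["i.alie3ksgaa.com(154.92.15.189) - malicious",
               "154.92.15.189 - malicious", "121.254.136.27"]},
    {"id": 6237, "md5": "adf6b4115caf260b8f57c1fd9bb618ec",
     "tags": "MS_RTF_Obfuscation_Objects RTF Exploit Tofsee",
     "urls": ["http://107.175.243.133/1521/conhost.exe"],
     "hosts": ["api.ipify.org(64.185.227.156)", "107.175.243.133 - malware",
               "104.237.62.211"]},
]

# Not attacker-owned but present in nearly every run (assumed allowlist).
# Telegram is an exfil channel here: alert on it, do not block the domain.
SHARED_SERVICES = ("ipify.org", "ipinfo.io", "db-ip.com", "google.com",
                   "identrust.com", "telegram.org")
# Sandbox family tags. The SSLBL "Tofsee" JA3 hit is left out on purpose:
# it fires on almost every .NET sample on the page, so it proves nothing alone.
FAMILY_TAGS = ("AgentTesla", "RedLine", "RisePro", "Amadey")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_RE = re.compile(rf"^(?:(?P<name>[A-Za-z0-9.-]+)\((?P<ip>{IPV4})\)|(?P<bare>{IPV4}))"
                     r"(?:\s*-\s*(?P<flag>[A-Za-z]+))?$")


def is_shared(name):
    return bool(name) and any(name == s or name.endswith("." + s) for s in SHARED_SERVICES)


def parse_host(entry):
    """'name(ip) - flag' or 'ip - flag' -> (name, ip, flag); None if unparsable."""
    m = HOST_RE.match(entry.strip())
    return None if not m else (m["name"], m["ip"] or m["bare"], (m["flag"] or "").lower())


def family_of(tags):
    return next((f for f in FAMILY_TAGS if f in tags.split()), "unattributed")


def defang(indicator):
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def build_iocs(records):
    """Hashes, domains, IPs and URLs with shared services removed.

    Bare IPs are looked up against names seen in *any* record, so an ipify
    address listed without its name in one run is still dropped.
    """
    ip_to_name = {}
    for r in records:
        for h in r["hosts"]:
            p = parse_host(h)
            if p and p[0]:
                ip_to_name[p[1]] = p[0]
    out = {"hashes": set(), "domains": set(), "ips": set(), "urls": set(),
           "excluded": set(), "families": {}}
    for r in records:
        out["hashes"].add(r["md5"])
        out["families"][r["id"]] = family_of(r["tags"])
        for u in r["urls"]:
            host = urlsplit(u).hostname or ""
            if is_shared(host):
                out["excluded"].add(host)
                continue
            out["urls"].add(u)
            (out["ips"] if re.fullmatch(IPV4, host) else out["domains"]).add(host)
        for h in r["hosts"]:
            p = parse_host(h)
            if not p:
                continue
            name = p[0] or ip_to_name.get(p[1])  # cross-record pivot
            if is_shared(name):
                out["excluded"].add(name)
                continue
            if name:
                out["domains"].add(name)
            out["ips"].add(p[1])
    return out


if __name__ == "__main__":
    iocs = build_iocs(RECORDS)
    for kind in ("hashes", "domains", "ips", "urls"):
        print(kind + ":", *sorted(i if kind == "hashes" else defang(i) for i in iocs[kind]), sep="\n  ")
    print("excluded shared services:", sorted(iocs["excluded"]))
    print("families:", iocs["families"])
```

Run it as a script to get the defanged lists; the excluded set is worth reviewing by hand before each run, since a lookup service that is benign on the network edge (api.ipify.org) is still a useful detection signal on an endpoint that has no business asking for its public IP.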