| 6256 |
2024-01-17 14:23
|
beautifulhjcreversehissettings... 32cd555afefc1df79dbb6e71beb05070
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
4
http://www.kizuna2.vip/jk56/?1b8dnlS=leCrdoizTUQ+QJ5EXQtRvVsDPgT0j1pDIgAfkn2RHf2wa6KVawnRipGgDGNFspvEMGyO2G4C&k2JxtP=fDHHb4Pxw
http://www.burduremlakilan.com/jk56/?1b8dnlS=vUHa4t+/cRBBs5Q3zz8uyvIDFi6LExMKoOScjnSvHWlJQBDU8Zp2dHiieB2BIH9ZoAMYVJBG&k2JxtP=fDHHb4Pxw
http://www.dx99c99.shop/jk56/?1b8dnlS=muh7UN2gfLrzbD1jkpbC4K02b4///i6ThJdcbMiEkRREE2W7KGkg9hfBJQuR6WvQrMmjsgGy&k2JxtP=fDHHb4Pxw
http://172.245.208.28/1314/conhost.exe
|
7
www.kizuna2.vip(15.197.148.33)
www.dx99c99.shop(13.213.68.107)
www.burduremlakilan.com(192.0.78.25)
192.0.78.24 - mailcious
15.197.148.33 - mailcious
13.213.68.107
172.245.208.28 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6257 |
2024-01-17 14:21
|
msworldwidenamespreadingaround... 34ac6f63ff7a32a51e98db3c21fd7b1c
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.28/3636/conhost.exe
|
3
api.ipify.org(64.185.227.156)
172.245.208.28 - mailcious
64.185.227.156
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6258 |
2024-01-17 08:25
|
 2.3.1.1.exe 7fbe056c414472cc2fcc6362bb66d212
Malicious Library PE32 PE File VirusTotal Malware MachineGuid DNS |
|
1
|
|
|
3.0 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6259 |
2024-01-17 08:24
|
 liva.exe fb987f700ecaba1d1bced04a45c572e8
Generic Malware EnigmaProtector Malicious Library Malicious Packer UPX Code injection AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File PNG Format ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
20
http://109.107.182.3/cost/go.exe
http://185.215.113.68/mine/amer.exe
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://db-ip.com/demo/home.php?s=175.208.134.152
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
16
db-ip.com(104.26.5.15)
fbsbx.com(157.240.215.35)
www.facebook.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
ipinfo.io(34.117.186.192)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
172.67.75.166
157.240.215.14
185.215.113.68 - malware
193.233.132.62 - mailcious
34.117.186.192
23.67.53.17
157.240.215.35
109.107.182.3 - mailcious
|
12
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
19.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6260 |
2024-01-17 08:23
|
 conhost.exe 431b955c96a65b12587361ef1e961c2b
AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.75)
173.231.16.75
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6261 |
2024-01-17 08:21
|
 RdpService.exe 1ca12d5e34d1c83ba78ad081276d53b2
Malicious Library Malicious Packer Antivirus UPX PE File PE64 ftp OS Processor Check VirusTotal Malware suspicious privilege Check memory crashed |
|
|
|
|
2.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6262 |
2024-01-17 08:19
|
 sl2_27.exe d1b1e876ea20b2e18911e8e4981f2858
PE File PE64 VirusTotal Malware DNS crashed |
|
1
|
|
|
1.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6263 |
2024-01-17 08:18
|
 build3.exe 41b883a061c95e9b9cb17d4ca50de770
[m] Generic Malware task schedule Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check VirusTotal Malware PDB Code Injection Checks debugger buffers extracted unpack itself Windows utilities WriteConsoleW Windows ComputerName |
|
|
|
|
8.0 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6264 |
2024-01-17 08:16
|
 conhost.exe be3c89dc0d88fddd3289ac9e6e72360a
AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.75)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6265 |
2024-01-17 08:16
|
 zona.exe 25ad333f2ccbfef09ac64bf488bfc5d8
EnigmaProtector Malicious Packer UPX PE32 PE File unpack itself DNS crashed |
|
1
|
|
|
1.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6266 |
2024-01-17 08:14
|
 rty27.exe 34a7dbf9c978714dd0679079c5445a10
Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6267 |
2024-01-17 08:14
|
 dnjupddater.exe c185fbe98786544b6f15036ba2ab7318
Hide_EXE UPX AntiDebug AntiVM PE File PE64 .NET EXE OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6268 |
2024-01-17 08:14
|
 latestrocki.exe 51a977874c9b190837bc2658396d4dfe
Generic Malware NSIS Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File .NET EXE PNG Format OS Processor Check PE64 ZIP Format MZP Format JPEG Format BMP Format CHM Format DLL icon CAB MSOffice File W VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS crashed |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
https://i.alie3ksgaa.com/sta/imagd.jpg
|
5
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
185.172.128.90 - mailcious
185.172.128.53 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
2
http://185.172.128.53/syncUpd.exe
http://185.172.128.90/cpa/ping.php
|
13.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6269 |
2024-01-17 08:11
|
 Zxgdah.exe 54276714de008467235d06f590be7b1a
Hide_EXE UPX PE File PE64 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6270 |
2024-01-17 08:10
|
 rty45.exe 02550318e655f52fa990158a1c709cef
Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution DNS |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
4
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
173.44.176.41
23.32.56.80
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|