6256 |
2024-01-17 14:23
|
beautifulhjcreversehissettings... 32cd555afefc1df79dbb6e71beb05070 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
4
http://www.kizuna2.vip/jk56/?1b8dnlS=leCrdoizTUQ+QJ5EXQtRvVsDPgT0j1pDIgAfkn2RHf2wa6KVawnRipGgDGNFspvEMGyO2G4C&k2JxtP=fDHHb4Pxw
http://www.burduremlakilan.com/jk56/?1b8dnlS=vUHa4t+/cRBBs5Q3zz8uyvIDFi6LExMKoOScjnSvHWlJQBDU8Zp2dHiieB2BIH9ZoAMYVJBG&k2JxtP=fDHHb4Pxw
http://www.dx99c99.shop/jk56/?1b8dnlS=muh7UN2gfLrzbD1jkpbC4K02b4///i6ThJdcbMiEkRREE2W7KGkg9hfBJQuR6WvQrMmjsgGy&k2JxtP=fDHHb4Pxw
http://172.245.208.28/1314/conhost.exe
|
7
www.kizuna2.vip(15.197.148.33)
www.dx99c99.shop(13.213.68.107)
www.burduremlakilan.com(192.0.78.25)
192.0.78.24 - mailcious
15.197.148.33 - mailcious
13.213.68.107
172.245.208.28 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.6 |
M |
31 |
ZeroCERT
6257 |
2024-01-17 14:21
|
msworldwidenamespreadingaround... 34ac6f63ff7a32a51e98db3c21fd7b1c MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.28/3636/conhost.exe
|
3
api.ipify.org(64.185.227.156)
172.245.208.28 - mailcious
64.185.227.156
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
31 |
ZeroCERT
6258 |
2024-01-17 08:25
|
2.3.1.1.exe 7fbe056c414472cc2fcc6362bb66d212 Malicious Library PE32 PE File VirusTotal Malware MachineGuid DNS |
|
1
|
|
|
3.0 |
M |
53 |
ZeroCERT
6259 |
2024-01-17 08:24
|
liva.exe fb987f700ecaba1d1bced04a45c572e8 Generic Malware EnigmaProtector Malicious Library Malicious Packer UPX Code injection AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File PNG Format ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
20
http://109.107.182.3/cost/go.exe
http://185.215.113.68/mine/amer.exe
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://db-ip.com/demo/home.php?s=175.208.134.152
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
16
db-ip.com(104.26.5.15)
fbsbx.com(157.240.215.35)
www.facebook.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
ipinfo.io(34.117.186.192)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
172.67.75.166
157.240.215.14
185.215.113.68 - malware
193.233.132.62 - mailcious
34.117.186.192
23.67.53.17
157.240.215.35
109.107.182.3 - mailcious
|
12
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
19.6 |
M |
45 |
ZeroCERT
6260 |
2024-01-17 08:23
|
conhost.exe 431b955c96a65b12587361ef1e961c2b AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.75)
173.231.16.75
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
32 |
ZeroCERT
6261 |
2024-01-17 08:21
|
RdpService.exe 1ca12d5e34d1c83ba78ad081276d53b2 Malicious Library Malicious Packer Antivirus UPX PE File PE64 ftp OS Processor Check VirusTotal Malware suspicious privilege Check memory crashed |
|
|
|
|
2.2 |
M |
23 |
ZeroCERT
6262 |
2024-01-17 08:19
|
sl2_27.exe d1b1e876ea20b2e18911e8e4981f2858 PE File PE64 VirusTotal Malware DNS crashed |
|
1
|
|
|
1.8 |
M |
22 |
ZeroCERT
6263 |
2024-01-17 08:18
|
build3.exe 41b883a061c95e9b9cb17d4ca50de770 [m] Generic Malware task schedule Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check VirusTotal Malware PDB Code Injection Checks debugger buffers extracted unpack itself Windows utilities WriteConsoleW Windows ComputerName |
|
|
|
|
8.0 |
M |
62 |
ZeroCERT
6264 |
2024-01-17 08:16
|
conhost.exe be3c89dc0d88fddd3289ac9e6e72360a AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.75)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
44 |
ZeroCERT
6265 |
2024-01-17 08:16
|
zona.exe 25ad333f2ccbfef09ac64bf488bfc5d8 EnigmaProtector Malicious Packer UPX PE32 PE File unpack itself DNS crashed |
|
1
|
|
|
1.8 |
M |
|
ZeroCERT
6266 |
2024-01-17 08:14
|
rty27.exe 34a7dbf9c978714dd0679079c5445a10 Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
35 |
ZeroCERT
6267 |
2024-01-17 08:14
|
dnjupddater.exe c185fbe98786544b6f15036ba2ab7318 Hide_EXE UPX AntiDebug AntiVM PE File PE64 .NET EXE OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
M |
38 |
ZeroCERT
6268 |
2024-01-17 08:14
|
latestrocki.exe 51a977874c9b190837bc2658396d4dfe Generic Malware NSIS Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File .NET EXE PNG Format OS Processor Check PE64 ZIP Format MZP Format JPEG Format BMP Format CHM Format DLL icon CAB MSOffice File W VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS crashed |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
https://i.alie3ksgaa.com/sta/imagd.jpg
|
5
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
185.172.128.90 - mailcious
185.172.128.53 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
2
http://185.172.128.53/syncUpd.exe
http://185.172.128.90/cpa/ping.php
|
13.6 |
M |
48 |
ZeroCERT
6269 |
2024-01-17 08:11
|
Zxgdah.exe 54276714de008467235d06f590be7b1a Hide_EXE UPX PE File PE64 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
41 |
ZeroCERT
6270 |
2024-01-17 08:10
|
rty45.exe 02550318e655f52fa990158a1c709cef Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution DNS |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
4
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
173.44.176.41
23.32.56.80
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
41 |
ZeroCERT