| 6346 |
2024-01-13 18:51
|
 costa.exe 623e41eaeb69f117691080e4ac4cd1bc
PE32 PE File .NET EXE Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6347 |
2024-01-13 02:03
|
 PtzObsPluginInstaller.exe cdad3cdfd93b23b07ad59be8cf406af6
Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware PDB Check memory Remote Code Execution crashed |
|
|
|
|
2.0 |
|
32 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6348 |
2024-01-12 15:59
|
 InstallSetup8.exe 90c84cef9f4f1a5eb8d0393904f508da
NPKI HermeticWiper NSIS Generic Malware Suspicious_Script Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Javascript_Blob PE32 PE File PNG Format JPEG Format OS Processor Check MZP Format ZIP Format icon BMP For VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS |
3
http://api.ipify.org/?format=dfg
http://185.172.128.53/syncUpd.exe - rule_id: 38939
https://iplogger.com/19bVA4
|
6
api.ipify.org(173.231.16.76)
iplogger.com(104.21.76.57) - mailcious
91.92.255.226
64.185.227.156
172.67.188.178 - mailcious
185.172.128.53 - malware
|
10
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY External IP Lookup (ipify .org)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://185.172.128.53/syncUpd.exe
|
9.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6349 |
2024-01-12 15:58
|
 love.exe d84ddf7e3d38eb30d74875aef7bdf829
Emotet Gen1 EnigmaProtector Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File CAB PNG Format MSOffice File JPEG Format OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee Windows Update Exploit ComputerName Remote Code Execution DNS crashed |
2
https://instagram.com/accounts/login/
https://instagram.com/accounts/login
|
3
instagram.com(157.240.215.174)
www.instagram.com(157.240.215.174)
157.240.215.174
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
12.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6350 |
2024-01-12 15:56
|
 ppt1.hta 5b96beafe91b18688f3a3da85ab1627a
Generic Malware Antivirus UPX Hide_URL PowerShell PE File PE64 Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed |
1
http://194.33.191.248:7287/ssdf.pptx
|
1
194.33.191.248 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host PPTX Request
|
|
14.4 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6351 |
2024-01-12 15:55
|
 qfqe.docx 8972149b5dabf81f7a446a230aac0c96
ZIP Format Word 2007 file format(docx) VirusTotal Malware unpack itself |
|
|
|
|
1.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6352 |
2024-01-12 15:54
|
 docx1.hta f57918785e7cd4f430555e6efb00ff0f
Generic Malware Antivirus UPX Hide_URL PowerShell PE File PE64 ZIP Format Word 2007 file format(docx) Lnk Format GIF Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key |
1
http://194.33.191.248:7287/qfqe.docx
|
1
194.33.191.248 - mailcious
|
6
ET INFO Dotted Quad Host DOCX Request
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
14.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6353 |
2024-01-12 15:53
|
 adb.dll 335b8d0ffa6dffa06bce23b5ad0cf9d6
Malicious Packer PE File DLL PE64 VirusTotal Malware PDB |
|
|
|
|
1.4 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6354 |
2024-01-12 08:05
|
 tuc5.exe eb7073f79738bc3871d8fdcdda2f6d07
Emotet Gen1 Generic Malware Malicious Library UPX Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) PE32 PE File MZP Format DLL DllRegisterServer dll OS Processor Check PE64 ZIP Format VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW Windows ComputerName DNS crashed |
|
1
|
|
|
5.6 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6355 |
2024-01-12 08:05
|
 plugins.exe d1a6f9be6f046fcdd20d871cec0e1a42
Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File .NET EXE DLL OS Processor Check VirusTotal Malware Telegram Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://steamcommunity.com/profiles/76561199601319247
https://t.me/bg3goty
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.75.41.21) - mailcious
149.154.167.99 - mailcious
23.74.21.196
95.217.25.10
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6356 |
2024-01-12 08:05
|
 leru.exe 099556734bde76d46c677c726cbf2538
Generic Malware Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Windows utilities Disables Windows Security suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
6
ipinfo.io(34.117.186.192)
db-ip.com(104.26.5.15)
193.233.132.62 - mailcious
172.67.75.166
34.117.186.192
156.251.17.97
|
7
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
|
|
11.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6357 |
2024-01-12 08:02
|
 cryptedgoldqwesasd.exe f1a9f0cd8b3aa83f0843360c8647cca1
ScreenShot AntiDebug AntiVM PE32 PE File .NET EXE VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows |
|
|
|
|
9.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6358 |
2024-01-12 08:01
|
 11.exe 2f1d3f866fde60fc8337a92dce82e15b
Emotet Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check BMP Format DLL VirusTotal Malware Check memory Creates shortcut Creates executable files RWX flags setting unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser ComputerName Remote Code Execution |
1
http://laoqianppp.com/97.bin
|
2
laoqianppp.com(156.251.17.97)
156.251.17.97
|
3
SURICATA Applayer Protocol detection skipped
ET HUNTING Suspicious Empty User-Agent
ET HUNTING Rejetto HTTP File Sever Response
|
|
6.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6359 |
2024-01-12 08:00
|
 dwm2.exe cdb5da91ed9624691148563d0c234e06
Malicious Library Antivirus UPX PE32 PE File OS Processor Check VirusTotal Malware PDB |
|
|
|
|
2.2 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6360 |
2024-01-12 07:59
|
 love.exe d3420ffb07677d83ab1fd50b1c45c96d
Emotet Gen1 EnigmaProtector Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File CAB OS Processor Check PNG Format MSOffice File JPEG Format VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee Windows Update Exploit ComputerName Remote Code Execution DNS crashed |
2
https://instagram.com/accounts/login/
https://instagram.com/accounts/login
|
3
instagram.com(157.240.215.174)
www.instagram.com(157.240.215.174)
157.240.215.174
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
12.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|