| ID | Date | File (name, MD5, tags) | URLs | Hosts | IDS alerts | Malicious URLs | Score | M | VT | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|
| 6451 | 2023-12-26 08:02 | Recorder.exe a16c3e4711c591850a5fcc3f3ae8c4ea Malicious Packer PE32 PE File unpack itself DNS | | 1: 193.117.208.148 - malware | | | 2.8 | M | | ZeroCERT |
| 6452 | 2023-12-26 07:59 | Journal.exe 9b82c2db03852974a14558c6fd9f0025 Malicious Library Malicious Packer PE32 PE File unpack itself DNS | | 1: 193.117.208.148 - malware | | | 3.0 | M | | ZeroCERT |
| 6453 | 2023-12-26 07:58 | rundll64.exe f682862c3c888c7dcaf9d61aefe26675 Malicious Packer PE32 PE File unpack itself DNS | | 1 | | | 2.8 | | | ZeroCERT |
| 6454 | 2023-12-26 07:56 | B13zx.exe 65ece0fb49567a607d9459e992851006 Loki LokiBot Socket PWS DNS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software | 1: http://sempersim.su/b13/fre.php - rule_id: 38606 | 2: sempersim.su(104.237.252.65) - mailcious; 104.237.252.65 - mailcious | 7: ET DNS Query for .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response | 1: http://sempersim.su/b13/fre.php | 12.2 | M | | ZeroCERT |
| 6455 | 2023-12-26 07:54 | setup294.exe 5883c6a721eb3ba71923df4491d1a734 Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check DLL PDB Code Injection Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution | | | | | 3.4 | M | | ZeroCERT |
| 6456 | 2023-12-26 07:54 | WinScp.exe 1cff16414073e9bee180d323736ce07f Generic Malware .NET framework(MSIL) UPX Antivirus PE32 PE File .NET EXE Malware powershell AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key | 1: http://85.209.176.59/server/bin/windowscacheloader.bin | 1 | 1: ET HUNTING Rejetto HTTP File Sever Response | | 7.2 | | | ZeroCERT |
| 6457 | 2023-12-26 07:52 | 473892748329d.exe 5c8c4357da5f3293b60e805e947e25d2 PE File PE64 crashed | | | | | 0.2 | M | | ZeroCERT |
| 6458 | 2023-12-26 07:52 | timeSync.exe e3ded33168c7758f7f04792b755ff57a Malicious Library UPX PE32 PE File OS Processor Check PDB unpack itself | | | | | 1.0 | M | | ZeroCERT |
| 6459 | 2023-12-25 23:49 | IMG_7005_21603pdf.exe 733a47d0689018b00e9017be3a92b4de AgentTesla .NET framework(MSIL) UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed | 1: http://ip-api.com/line/?fields=hosting | 6: server1.sqsendy.shop(63.250.35.178) - mailcious; api.ipify.org(104.237.62.212); ip-api.com(208.95.112.1); 63.250.35.178 - mailcious; 104.237.62.212; 208.95.112.1 | 6: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET POLICY External IP Lookup ip-api.com; ET INFO TLS Handshake Failure; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Detect protocol only one direction | | 15.4 | | 55 | guest |
| 6460 | 2023-12-24 16:17 | DisplayDriverExt.dll 1d509cbad17fe9bc39563956aadf5d3f Generic Malware Malicious Library UPX PE32 PE File DLL DllRegisterServer dll OS Processor Check PDB Checks debugger unpack itself Remote Code Execution | | | | | 1.0 | | | guest |
| 6461 | 2023-12-24 12:54 | twty.exe c7207f25a68d4179e9a07969de719eda Emotet Generic Malware Malicious Library UPX PE32 PE File PNG Format BMP Format DLL OS Processor Check Lnk Format GIF Format Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder ComputerName Firmware | | | | | 3.4 | M | | ZeroCERT |
| 6462 | 2023-12-24 12:53 | Testing.dot 3dfddb91261f5565596e3f014f9c495a VBA_macro Generic Malware MSOffice File VirusTotal Malware exploit crash unpack itself Exploit crashed | | | | | 2.2 | M | 22 | ZeroCERT |
| 6463 | 2023-12-24 12:50 | launcher c6a1ab972148e30f1da590a43b107411 PE File PE64 Remote Code Execution crashed | | | | | 1.0 | M | | ZeroCERT |
| 6464 | 2023-12-24 12:48 | a01.exe faf0d1a297e74fed509e1c473b3d2a06 Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution | | | | | 2.4 | | 44 | ZeroCERT |
| 6465 | 2023-12-23 18:31 | Rby1.exe e0bc2140d5a10035fb6d3b4e1b46cdfe Emotet NSIS Generic Malware UPX Malicious Library Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM AntiDebug AntiVM PE File PE64 PNG Format PE32 OS Processor Check BMP Format MZP Format ZIP Format JPEG Format CHM Format DLL icon C VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk suspicious TLD IP Check VM Disk Size Check Tofsee Ransomware Windows ComputerName Firmware DNS | 17: http://47.236.140.86/s/twty.exe; http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=three&s=ab - rule_id: 38706; http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767; http://api.ipify.org/?format=wet; http://5.42.64.35/InstallSetup3.exe; http://5.42.64.35/syncUpd.exe - rule_id: 38707; https://iplogger.com/1gDcm4; https://iplogger.com/19hVA4; https://randomdomainname.org/2cba948feb9c53fce4409f0079aec61c.exe; https://pastebin.com/raw/E0rY26ni - rule_id: 37702; https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767; https://budgienation.net/8c35a460636521ed0deef49f6749c0e3/2cba948feb9c53fce4409f0079aec61c.exe; https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783; https://yip.su/RNWPd.exe - rule_id: 37623; https://bitbucket.org/micaorrsoft/update/downloads/a01.exe; https://potatogoose.com/8c35a460636521ed0deef49f6749c0e3/baf14778c246e15550645e30ba78ce1c.exe; https://bbuseruploads.s3.amazonaws.com/c653674a-68fa-46c6-b413-9e71a0a3be60/downloads/7cc5bf80-2f20-4024-8172-c47af249efe9/a01.exe?response-content-disposition=attachment%3B%20filename%3D%22a01.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLFZPBG6X&Signature=k4eYmK01rl8PGp4sOTTE04lteD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjELr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDzQD%2B3UL8xV1DvAUP2KA45yti0HItkJ7%2FZj%2BYPZQQy%2BAIgK%2BOaDvdrjmeM3oRZP0OlFI2Pl%2B7GauL9ExmwyykyfrwqpwIIQhAAGgw5ODQ1MjUxMDExNDYiDOob2cJxt3Exs6kaAiqEAh4UYnRFarCTXYvHT0WXfJIgVuJuVvzUOPIbUG1w3nq2Yphc6rTsOhGwJcQzKyRWF%2BFm10oe88IpTj4lNM0gXnjCTwZXQVKi1Uz9JNwgbaaYzUofoIP2CZjnvaRuOYs0d6gOPdtnykb2eWeS2dGifaFBhMq%2BTovxD1l5xXeH3tHvHNOaHU%2F7ARV55Dc9YfRvdX2zOOUhEp62CjCviT3FBfq3tK8eLfJ2mwSddoM%2FvxLRaudgcAE%2FiTTi0RrZN5feEmr54GKsqEohzoLCOWAVpxR0dUkQrUDuJVTdHHFSkuX%2FWnX7mWGXITM985Y282tuaPXm6LdfM5BRgxr0vV3YWCtcSJnXMLjKmqwGOp0B5x1g24OisxHRKZUaNxp9%2BSGjgOsFU3J%2Fbs39LZmb4y%2BP29AtY729%2BALyUGmbQ3ghX9X%2FHvfZiW7jkSIo533BZtqI2LeUKLMZGFRSS862V%2FwPY7aL9mQD2m03u7eiKl8%2BE2Kc5rYFMkJjjg%2BliR6dKkTaba%2FDuj%2FNE2de8W4Y9dFnibQCoicKOX5nhXD%2B3R8dFgBbmLV9RQDHhvlDPg%3D%3D&Expires=1703324736 | 35: www.kaspersky.com(185.85.15.47); flyawayaero.net(104.21.93.225) - malware; budgienation.net(104.21.33.167); bitbucket.org(104.192.141.1) - malware; malwarebytes.com(192.0.66.233); api.ipify.org(104.237.62.212); bbuseruploads.s3.amazonaws.com(52.217.101.204) - malware; zonealarm.com(209.87.209.205); redirector.pm(194.49.94.85) - malware; randomdomainname.org(104.21.30.5); pastebin.com(172.67.34.170) - mailcious; iplogger.com(172.67.188.178) - mailcious; net.geo.opera.com(107.167.110.216); galandskiyher5.com(158.160.130.138) - malware; potatogoose.com(172.67.180.173) - malware; yip.su(104.21.79.77) - mailcious; 104.21.30.5; 91.92.254.7 - mailcious; 209.87.209.205; 158.160.130.138; 104.21.33.167; 192.0.66.233; 107.167.110.211; 3.5.28.176; 185.85.15.46; 104.21.93.225 - phishing; 104.21.79.77 - phishing; 5.42.64.35 - malware; 104.20.68.143 - mailcious; 172.67.180.173 - malware; 172.67.188.178 - mailcious; 104.192.141.1 - mailcious; 47.236.140.86; 194.49.94.85 - malware; 64.185.227.156 | 12: ET INFO External IP Lookup Domain (iplogger .com in DNS lookup); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Lookup Domain (iplogger .com in TLS SNI); ET DNS Query for .su TLD (Soviet Union) Often Malware Related; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET POLICY External IP Lookup (ipify .org); ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)); ET INFO TLS Handshake Failure | 5: http://91.92.254.7/scripts/plus.php; http://5.42.64.35/syncUpd.exe; https://pastebin.com/raw/E0rY26ni; https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe; https://yip.su/RNWPd.exe | 16.8 | M | 29 | ZeroCERT |