| 6556 |
2024-08-17 22:30
|
 Survox.exe 06a9fb51c5455ef7c06cdad4f015c96b
Malicious Library Malicious Packer PE File .NET EXE PE32 Malware download Nanocore Cobalt Strike NetWireRC VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI unpack itself human activity check Windows RAT ComputerName |
|
2
vowquybcw.org(45.89.247.19)
45.89.247.19
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
ET MALWARE NanoCore RAT CnC 7
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT Keepalive Response 3
ET MALWARE NanoCore RAT Keepalive Response 1
|
|
7.6 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6557 |
2024-08-17 22:30
|
 DOC.exe 2dbdc645b9776239b18f772c30c1a626
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 Malware download VirusTotal Malware Malicious Traffic Check memory ICMP traffic suspicious TLD CryptBot DNS |
1
http://fivexc5vt.top/v1/upload.php
|
2
fivexc5vt.top(104.21.15.43)
172.67.161.137
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
|
|
4.2 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6558 |
2024-08-17 22:28
|
 NorthSperm.exe ff83471ce09ebbe0da07d3001644b23c
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
4.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6559 |
2024-08-17 22:25
|
 rorukal.exe 77ecafee1b0ba32bd4e3b90b6d92a81f
PE File PE64 VirusTotal Malware Checks debugger sandbox evasion Browser crashed |
|
|
|
|
3.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6560 |
2024-08-17 22:25
|
 14082024.exe 9bba979bb2972a3214a399054242109b
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
185.215.113.67 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
8.2 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6561 |
2024-08-17 22:23
|
 MePaxil.exe bbe6311c3e2fab459f729dc8cd6e3519
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName DNS |
|
2
104.16.184.241
104.21.44.66
|
|
|
6.8 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6562 |
2024-08-17 22:23
|
 5_6190317556063017550.exe eb89a69599c9d1dde409ac2b351d9a00
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Malicious Traffic Check memory buffers extracted unpack itself Collect installed applications suspicious TLD anti-virtualization installed browsers check CryptBot Browser ComputerName DNS |
1
http://fivexc5sr.top/v1/upload.php
|
2
fivexc5sr.top(195.133.48.136)
195.133.48.136
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
|
|
6.6 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6563 |
2024-08-17 22:21
|
 stub.exe f48972736d07992d0cfd2b8bc7972e27
Generic Malware Malicious Library UPX Antivirus PE File PE32 OS Processor Check PE64 .NET EXE Malware download VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Checks Bios AntiVM_Disk suspicious TLD anti-virtualization VM Disk Size Check Tofsee Windows Email ComputerName DNS Cryptographic key crashed |
6
http://185.216.214.225/freedom.exe
http://185.216.214.225/Jhiidutz.exe
https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62
https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADF
https://solutionhub.cc/socket/?serviceCheckup - rule_id: 41399
https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADE
|
5
garageserviceoperation.com(172.67.202.34)
solutionhub.cc(172.67.128.126) - malware
185.216.214.225 - malware
172.67.202.34
172.67.128.126 - mailcious
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc)
ET DNS Query for .cc TLD
ET MALWARE Observed ZharkBot Domain (solutionhub .cc in TLS SNI)
ET MALWARE ZharkBot User-Agent Observed
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
|
1
https://solutionhub.cc/socket/
|
10.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6564 |
2024-08-17 22:21
|
 Armanivenntii_crypted_EASY.exe 795197155ca03f53eed7d90a2613d2a7
Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder DNS crashed |
|
1
162.159.135.233 - malware
|
|
|
4.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6565 |
2024-08-17 22:19
|
 Ukodbcdcl.exe 25ed0fce4a9df59b3ed88853db8206f3
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
3.8 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6566 |
2024-08-17 22:18
|
tuesdayequitossssdroiudMPDW-co... 7a3fa640d6740b436c7fb40056e94edc
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
3
ia803104.us.archive.org(207.241.232.154) - malware
45.138.16.71
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6567 |
2024-08-17 22:18
|
 file1.exe a107fbd4b2549ebb3babb91cd462cec8
Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 PowerShell OS Processor Check PE64 DLL Browser Info Stealer Malware download VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW anti-virtualization installed browsers check Tofsee CryptBot Windows Discord Browser ComputerName DNS Cryptographic key crashed |
8
http://tvezx20pt.top/v1/upload.php
http://194.58.114.223/d/385104 - rule_id: 41929
http://58yongzhe.com/parts/setup1.exe - rule_id: 42034
http://91.121.59.207/Files/6ec431703915b7c3a66be6ef8e2bf8f9.exe
http://91.121.59.207/Files/Channel1.exe
https://pastebin.com/raw/E0rY26ni - rule_id: 37702
https://yip.su/RNWPd.exe - rule_id: 37623
https://cdn.discordapp.com/attachments/1272578305203110022/1274336696627892317/setup.exe?ex=66c1e208&is=66c09088&hm=d301fab09c009c8ddf7bbdaccf84e9e284b1d644909338534cae1eab5b7ee0ef&
|
12
tvezx20pt.top(77.232.42.234)
58yongzhe.com(62.133.62.93) - malware
pastebin.com(172.67.19.24) - mailcious
yip.su(104.21.79.77) - mailcious
cdn.discordapp.com(162.159.133.233) - malware
91.121.59.207
77.232.42.234
104.21.79.77 - phishing
162.159.135.233 - malware
62.133.62.93
194.58.114.223 - mailcious
172.67.19.24 - mailcious
|
13
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET HUNTING Redirect to Discord Attachment Download
|
4
http://194.58.114.223/d/385104
http://58yongzhe.com/parts/setup1.exe
https://pastebin.com/raw/E0rY26ni
https://yip.su/RNWPd.exe
|
19.8 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6568 |
2024-08-17 22:17
|
 sss.exe f93a30378f7682e1bf9f4adfbe5729be
Generic Malware Malicious Library Malicious Packer .NET framework(MSIL) UPX Anti_VM PE File .NET EXE PE32 OS Processor Check JPEG Format VirusTotal Malware Telegram Malicious Traffic Windows utilities IP Check Tofsee Windows DNS |
2
http://icanhazip.com/
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
|
7
icanhazip.com(104.16.184.241)
api.mylnikov.org(104.21.44.66)
api.telegram.org(149.154.167.220) - mailcious
104.16.184.241
194.58.114.223 - mailcious
104.21.44.66
149.154.167.220 - mailcious
|
7
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
|
|
3.4 |
|
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6569 |
2024-08-17 22:16
|
 gsprout.exe 92ae7a1286d992e104c0072f639941f7
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS |
1
http://45.138.16.71/cfg/?data=IDaJhCHdIlfHcldJAISHfgpYzZhgReLDAihcV0Oa
|
1
|
|
|
3.0 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6570 |
2024-08-17 22:14
|
 zzzz1.exe a5c740eb48fafb9b25d06c22b6f4a7e9
Gen1 Generic Malware Malicious Library UPX Antivirus Malicious Packer Anti_VM PE File PE64 DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself |
|
|
|
|
3.2 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|