| 6646 |
2024-08-13 17:14
|
madamwebbbbbbMPDW-constraints.... 3dfbd33df96998e1f6a37dc298a75ca4
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6647 |
2024-08-13 17:12
|
mondayequitosssMPDW-constraint... 1b1dd5797314342cfb948c6cfbac09b0
Generic Malware Antivirus Hide_URL PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6648 |
2024-08-13 17:11
|
sweetrosefalvourcakeandbutterb... 04f40400495c1c17270f9c71e6d40717
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS DDNS crashed |
2
http://servidorwindows.ddns.com.br/Files/vbs.jpeg - rule_id: 41854
http://107.172.31.124/xampp/knb/sweetbutterbuneatingtaste.tIF
|
3
servidorwindows.ddns.com.br(177.106.217.75) - malware
107.172.31.124 - malware
177.106.217.75 - malware
|
2
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE Malicious Base64 Encoded Payload In Image
|
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
5.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6649 |
2024-08-13 17:10
|
 sahost.exe d996f588469a7a1af5ababce991b42f5
Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
2
http://checkip.dyndns.org/
https://reallyfreegeoip.org/xml/175.208.134.152
|
6
api.telegram.org(149.154.167.220) - mailcious
reallyfreegeoip.org(104.21.67.152)
checkip.dyndns.org(132.226.247.73)
132.226.247.73
104.21.67.152
149.154.167.220 - mailcious
|
9
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
15.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6650 |
2024-08-13 17:09
|
 sahost.exe 29e3de6b17d0fdfb360834f038b59a39
NSIS Suspicious_Script_Bin Malicious Library UPX Anti_VM PE File PE32 DLL VirusTotal Malware AppData folder |
|
|
|
|
1.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6651 |
2024-08-13 16:00
|
 NursultanClient.exe b3d8b18d332153db164df8b55c3272a4
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory crashed |
|
|
|
|
1.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6652 |
2024-08-13 11:29
|
 T9.exe 762e2c938ec4a35e6b67fafb977fd05c
RedLine stealer Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
1
http://147.45.44.131/files/mservice64.exe - rule_id: 42058
|
2
94.232.249.46 - mailcious
147.45.44.131 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://147.45.44.131/files/mservice64.exe
|
11.4 |
M |
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6653 |
2024-08-13 11:22
|
 T9.exe 762e2c938ec4a35e6b67fafb977fd05c
Generic Malware AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
1
http://147.45.44.131/files/mservice64.exe - rule_id: 42058
|
2
94.232.249.46 - mailcious
147.45.44.131 - malware
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://147.45.44.131/files/mservice64.exe
|
11.4 |
M |
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6654 |
2024-08-13 11:06
|
arch1208_0924.7z f6b650c35ed4de1040e590b400db1ef3
Escalate priviledges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6655 |
2024-08-13 10:44
|
arch1208_0924.7z f6b650c35ed4de1040e590b400db1ef3
Escalate priviledges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself |
|
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6656 |
2024-08-13 10:27
|
240903-회국회(정) 제1차 전체회의 의사일정안(결... f5f5a585a12df9cb406dde6b3e6da23d
AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory crashed |
|
|
|
|
2.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6657 |
2024-08-13 10:23
|
240903-회국회(정) 제1차 전체회의 의사일정안(결... f5f5a585a12df9cb406dde6b3e6da23d
AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory unpack itself |
|
|
|
|
2.6 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6658 |
2024-08-13 09:45
|
 Helpstore.exe fc2aa8460ff7dd8a4f121d75116161cf
Generic Malware Malicious Library Antivirus UPX PE File CAB PE32 OS Processor Check DLL VirusTotal Malware Creates executable files ComputerName RCE |
|
2
googlesharepoint.com(152.32.201.190)
152.32.201.190
|
|
|
4.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6659 |
2024-08-13 09:45
|
240903-회국회(정) 제1차 전체회의 의사일정안(결... f5f5a585a12df9cb406dde6b3e6da23d
AntiDebug AntiVM CHM Format VirusTotal Malware Code Injection Check memory unpack itself crashed |
|
|
|
|
2.8 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6660 |
2024-08-13 09:37
|
 Visual.ps1 0ceeb6420f475c07ac5f4b4783855400
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/WC.exe - rule_id: 41965
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
1
http://147.45.44.131/files/WC.exe
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|