Each entry below: ID | submitted; File; MD5; Tags; URLs; Hosts; IDS alerts; Downloads; Score | M flag | VT detections | Source.

6721 | 2023-12-11 15:28
File: ma.exe
MD5: c1ca2440bbc8d8e5928e7d28eb4d24ca
Tags: UPX, PE File, PE64, .NET EXE, VirusTotal, Malware, unpack itself, Windows, Remote Code Execution, crashed
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 2.8 | M | VT: 25 | ZeroCERT
6722 | 2023-12-11 15:25
File: Pfvtwoys.exe
MD5: eeca722283938a812fd6670b34ec5e29
Tags: Hide_EXE, .NET framework(MSIL), UPX, PWS, AntiDebug, AntiVM, PE File, PE64, .NET EXE, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, ComputerName, Cryptographic key
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 8.6 | M | VT: 46 | ZeroCERT
6723 | 2023-12-11 15:24
File: Nnyphhamc.exe
MD5: 7f5108b2158d537f11fd88886c1c047c
Tags: Hide_EXE, UPX, PE File, PE64, OS Processor Check, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, unpack itself, Windows, DNS, Cryptographic key
URLs: none recorded
Hosts (1): list not shown on page
IDS alerts: none recorded
Downloads: none recorded
Score: 5.8 | M | VT: 47 | ZeroCERT
6724 | 2023-12-11 15:23
File: Zocymkpxeu.exe
MD5: b9922787936c8e2ed028b5bd652d7ee9
Tags: Create Service, Socket, Escalate privileges, PWS, DNS, persistence, AntiDebug, AntiVM, PE File, PE64, URL Format, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, ICMP traffic, unpack itself, malicious URLs, Windows, Cryptographic key
URLs (1):
  http://ip.allproxy.io/json
Hosts (7):
  connv2.proxies.tv(51.79.32.112)
  bing.com(13.107.21.200)
  ip.allproxy.io(104.21.58.128)
  conn.pandaking2016.xyz(198.23.233.111)
  51.79.32.112
  198.23.233.111
  172.67.159.225
IDS alerts (1):
  ET USER_AGENTS Go HTTP Client User-Agent
Downloads: none recorded
Score: 12.4 | M | VT: 49 | ZeroCERT
6725 | 2023-12-11 15:23
File: Edbwgnrp.exe
MD5: 27b354807eeeeacddfeab9532165a5d8
Tags: Hide_EXE, .NET framework(MSIL), UPX, PWS, AntiDebug, AntiVM, PE File, PE64, .NET EXE, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows, Cryptographic key
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 8.0 | M | VT: 48 | ZeroCERT
6726 | 2023-12-11 14:24
File: release_ver9.rar
MD5: a64249c49fd7686653154060beaa68dc
Tags: Stealc, Escalate privileges, PWS, KeyLogger, AntiDebug, AntiVM, Malware download, Vidar, Open Directory, Malware c&c, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, suspicious TLD, IP Check, PrivateLoader, Tofsee, Stealc Stealer, Windows, Exploit, Browser, RisePro, DNS, Downloader, plugin
URLs (15):
  http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
  http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591
  http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
  http://195.20.16.45/api/tracemap.php
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
  http://5.42.64.35/timeSync.exe - rule_id: 38593
  http://195.20.16.45/api/firegate.php
  http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://api.myip.com/
  https://iplis.ru/1Gemv7.mp3
Hosts (28):
  medfioytrkdkcodlskeej.net(91.215.85.209) - malware
  db-ip.com(172.67.75.166)
  iplis.ru(104.21.63.150) - malicious
  ioiouoiuououiyjgroup.sbs(172.67.212.175) - malware
  iplogger.org(172.67.132.113) - malicious
  never.hitsturbo.com(172.67.168.30) - malware
  ipinfo.io(34.117.59.81)
  vk.com(87.240.132.72) - malicious
  api.myip.com(104.26.8.59)
  194.49.94.97 - malware
  5.42.64.41 - malicious
  5.42.64.35 - malware
  104.26.9.59
  104.21.63.150
  193.233.132.34 - malicious
  185.216.70.235
  23.43.165.105
  104.21.37.196
  193.233.132.51 - malicious
  87.240.132.67 - malicious
  91.215.85.209 - malicious
  34.117.59.81
  104.26.5.15
  104.21.46.59 - malware
  195.20.16.45
  172.67.132.113
  109.107.182.3 - malicious
  87.240.132.72 - malicious
IDS alerts (36):
  SURICATA Applayer Mismatch protocol both directions
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO TLS Handshake Failure
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO EXE - Served Attached HTTP
  ET HUNTING Rejetto HTTP File Sever Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Downloads (2):
  http://5.42.64.41/40d570f44e84a454.php
  http://5.42.64.35/timeSync.exe
Score: 5.6 | M | VT: - | ZeroCERT
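The host and URL columns in entries like 6726 are rendered as one run of text (`domain(ip) - label`, `ip - label`, bare `ip`, and `url - rule_id: N`). The following is an added example, not code from this page or from ZeroCERT, that parses those two columns into structured IOC records, normalises the page's "mailcious" label, validates the addresses, and defangs URLs for sharing. The field grammar is inferred from how the listing renders and is an assumption; the sample strings are constructed from a subset of entry 6726.

```python
"""Parse ZeroCERT-style host/URL columns into IOC records (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the entry-6726 host column, verbatim including the
# page's "mailcious" spelling, which parse_hosts() normalises to "malicious".
HOST_COLUMN = (
    "medfioytrkdkcodlskeej.net(91.215.85.209) - malware db-ip.com(172.67.75.166) "
    "iplis.ru(104.21.63.150) - mailcious 194.49.94.97 - malware 5.42.64.41 - mailcious "
    "104.26.9.59 87.240.132.72 - mailcious"
)

# Constructed sample: a subset of the entry-6726 URL column, with one rule_id annotation.
URL_COLUMN = (
    "http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll "
    "http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591 "
    "https://db-ip.com/demo/home.php?s=175.208.134.152"
)


@dataclass
class Host:
    domain: Optional[str]   # None for bare-IP entries
    ip: str
    label: Optional[str]    # "malware", "malicious" or None (unlabelled)


@dataclass
class Url:
    url: str
    rule_id: Optional[int]  # the listing's rule_id annotation, when present


# Assumed grammar: "domain(ip)" or bare "ip", optionally followed by " - label".
# Only the labels seen on this page are recognised; anything else is left unmatched.
_HOST_RE = re.compile(
    r"(?:(?P<domain>[A-Za-z0-9.-]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+-\s+(?P<label>malware|mailcious|malicious))?"
)
_URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
_LABEL_FIX = {"mailcious": "malicious"}


def parse_hosts(text: str) -> list[Host]:
    """Split a host column into Host records, dropping anything that is not a valid IPv4."""
    hosts = []
    for m in _HOST_RE.finditer(text):
        ip = m.group("ip") or m.group("bare")
        try:
            ipaddress.IPv4Address(ip)          # rejects e.g. 999.1.1.1 that the regex allows
        except ipaddress.AddressValueError:
            continue
        label = m.group("label")
        hosts.append(Host(m.group("domain"), ip, _LABEL_FIX.get(label, label)))
    return hosts


def parse_urls(text: str) -> list[Url]:
    """Split a URL column into Url records, keeping the rule_id where the listing gives one."""
    return [
        Url(m.group("url"), int(m.group("rule")) if m.group("rule") else None)
        for m in _URL_RE.finditer(text)
    ]


def flagged_ips(hosts: list[Host]) -> list[str]:
    """IPs the listing labelled malware/malicious, deduplicated and sorted for a blocklist."""
    return sorted({h.ip for h in hosts if h.label in ("malware", "malicious")})


def defang(url: str) -> str:
    """Defang scheme and host only (hxxp, [.]) so the path stays searchable."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    for h in parse_hosts(HOST_COLUMN):
        print(h)
    for u in parse_urls(URL_COLUMN):
        print(defang(u.url), u.rule_id)
    print("blocklist:", flagged_ips(parse_hosts(HOST_COLUMN)))
```

Unlabelled hosts (db-ip.com, api.myip.com, the bare CDN addresses) are kept in the parsed output but excluded from `flagged_ips()`, since the listing itself does not flag them; a blocklist built from the labelled set alone avoids pulling in the IP-check services that the stealer merely contacted.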
6727 | 2023-12-11 14:18
File: release_ver9.rar
MD5: a64249c49fd7686653154060beaa68dc
Tags: Escalate privileges, PWS, KeyLogger, AntiDebug, AntiVM, suspicious privilege, Check memory, Checks debugger, unpack itself
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 1.6 | - | VT: - | ZeroCERT
6728 | 2023-12-11 14:17
File: tuc5.exe
MD5: e6a2e949c740c3e5c4763b6ab7e13d7c
Tags: Emotet, Gen1, Generic Malware, Malicious Library, UPX, Malicious Packer, Admin Tool (Sysinternals etc ...), PE32, PE File, MZP Format, DLL, OS Processor Check, DllRegisterServer dll, PE64, wget, ZIP Format, Checks debugger, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, crashed
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 4.0 | M | VT: - | ZeroCERT
6729 | 2023-12-11 14:14
File: Vbewgil.exe
MD5: 752d19f58c4bcb8ced90460032b693e4
Tags: Hide_EXE, .NET framework(MSIL), PE File, PE64, .NET EXE, MachineGuid, Check memory, Checks debugger, unpack itself
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 1.4 | M | VT: - | ZeroCERT
6730 | 2023-12-11 13:24
File: hv.exe
MD5: 59d1fa3b93c1cbbe665017060c8140aa
Tags: Admin Tool (Sysinternals etc ...), .NET framework(MSIL), UPX, Malicious Library, PWS, AntiDebug, AntiVM, PE32, PE File, .NET EXE, PNG Format, DLL, OS Processor Check, Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Buffer PE, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Collect installed applications, Check virtual network interfaces, AppData folder, installed browsers check, SectopRAT, Windows, Browser, Backdoor, ComputerName, DNS, Cryptographic key, Software, crashed
URLs: none recorded
Hosts (1): list not shown on page
IDS alerts (1):
  ET MALWARE Arechclient2 Backdoor CnC Init
Downloads: none recorded
Score: 15.2 | - | VT: 9 | ZeroCERT
6731 | 2023-12-11 11:08
File: pdf.exe
MD5: e7ff90c3f9326d57e42e276d0afb4c48
Tags: UPX, Malicious Library, AntiDebug, AntiVM, PE32, PE File, .NET EXE, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Microsoft, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, installed browsers check, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs: none recorded
Hosts (1): list not shown on page
IDS alerts (3):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer Family Activity (Response)
Downloads: none recorded
Score: 14.6 | M | VT: 50 | ZeroCERT
6732 | 2023-12-08 18:40
File: microsoftdecidedtodeleteentire...
MD5: 49ad634e1dfd465013beb3ce092015de
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://66.228.43.8/300/MicrosoftHealthcheck.vbs
Hosts (4):
  uploaddeimagens.com.br(104.21.45.138) - malware
  66.228.43.8 - malicious
  23.32.56.80
  172.67.215.45 - malware
IDS alerts (2):
  ET INFO Dotted Quad Host VBS Request
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Downloads: none recorded
Score: 4.6 | M | VT: 33 | ZeroCERT
6733 | 2023-12-08 18:38
File: Microsoftdecidedtodeleteentire...
MD5: 684c997cc1b2dc1290b00576e884f425
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, RWX flags setting, exploit crash, Tofsee, Windows, Exploit, DNS, crashed
URLs: none recorded
Hosts (3):
  www.synergyinnovationgroup.com(65.60.36.22)
  172.245.208.126 - malicious
  65.60.36.22
IDS alerts (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
Downloads: none recorded
Score: 4.2 | M | VT: 36 | ZeroCERT
6734 | 2023-12-08 18:38
File: index.php
MD5: 8801830b87729b1843ff56584d9f34a0
Tags: Malicious Library, PE32, PE File, PDB, unpack itself, Remote Code Execution
URLs: none recorded
Hosts: none recorded
IDS alerts: none recorded
Downloads: none recorded
Score: 1.2 | M | VT: - | ZeroCERT
6735 | 2023-12-08 18:36
File: chrome.exe
MD5: c0af31044fcaa756f32f13007d50724f
Tags: Gen1, Generic Malware, Malicious Library, UPX, Antivirus, Malicious Packer, PE32, PE File, MZP Format, URL Format, DLL, PE64, Remcos, VirusTotal, Malware, Malicious Traffic, Check memory, Creates executable files, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, DNS, keylogger
URLs (2):
  http://geoplugin.net/json.gp
  http://84.252.120.161/yakfileloadsonedrivedocumentsuploadgoogleapclouddownloads/211_Irzhkxyxtsv
Hosts (4):
  geoplugin.net(178.237.33.50)
  178.237.33.50
  84.252.120.161 - malicious
  20.84.117.57
IDS alerts (1):
  ET JA3 Hash - Remcos 3.x TLS Connection
Downloads: none recorded
Score: 6.4 | M | VT: 41 | ZeroCERT