6751 |
2023-12-07 06:54
|
GameCenter.exe 054c92c15c2574860d1fe07b9fad1b23 HermeticWiper Gen1 PhysicalDrive Generic Malware Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) ASPack Antivirus UPX Anti_VM PE32 PE File MZP Format OS Processor Check MachineGuid Check memory unpack itself Check virtual network interfaces AntiVM_Disk suspicious TLD VM Disk Size Check Tofsee Firmware crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
stat.gc.vkplay.ru(95.163.41.136) 95.163.41.136 23.67.53.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
|
|
guest
6752 |
2023-12-06 12:57
|
HSBC Payment Advice.xls 3a4eb467c8ee5a0661b005aa8f728c7a VBA_macro Generic Malware MSOffice File VirusTotal Malware Malicious Traffic unpack itself DNS |
1
http://172.245.208.126/SSH/MicrosfotEdgedeletedhistorycachecookieentirethingsfromthepc.Doc
|
1
|
2
ET INFO Dotted Quad Host DOC Request ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
|
|
2.6 |
|
23 |
ZeroCERT
6753 |
2023-12-06 12:30
|
you.cmd 2977c8c94af8bc95f2c71f6b1b1f2633 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://3.75.162.63/ducky.ps1
|
1
|
1
ET INFO PS1 Powershell File Request
|
|
10.0 |
M |
|
ZeroCERT
6754 |
2023-12-06 12:26
|
cred64.dll 1afaa1fcda6635e17dce5b5bf27f3c79 Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion installed browsers check Windows Browser Email DNS Software |
2
http://brodoyouevenlift.co.za/jjuhhsa73/index.php http://185.196.8.195/u6vhSc3PPq/index.php
|
4
brodoyouevenlift.co.za(89.191.234.91) - mailcious yeahweliftbro.cz() - mailcious 185.196.8.195 - malware 89.191.234.91
|
|
|
8.0 |
M |
43 |
ZeroCERT
6755 |
2023-12-06 12:23
|
Ennytypip.exe eb71493b8c138d52c8baea7adaae0a22 .NET framework(MSIL) PWS SMTP DNS AntiDebug AntiVM PE32 PE File .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key |
|
1
213.139.207.234 - mailcious
|
|
|
10.8 |
M |
53 |
ZeroCERT
6756 |
2023-12-06 12:23
|
LjYLHSho7Xgoi1P.exe 77e7f5ee129d7a0eb6a063c6700083f6 AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
http://ip-api.com/line/?fields=hosting
|
4
api.ipify.org(64.185.227.156) ip-api.com(208.95.112.1) 173.231.16.77 208.95.112.1
|
5
ET INFO TLS Handshake Failure ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup ip-api.com ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
46 |
ZeroCERT
6757 |
2023-12-06 12:21
|
autorun.exe 292eeb275937dbfc806df2b169cf61e6 Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
2
193.233.132.34 - mailcious 91.235.128.141
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Family Activity (Response)
|
|
7.2 |
M |
34 |
ZeroCERT
6758 |
2023-12-06 12:20
|
reverse.exe cedc316a75f461facb72511004041ebe Meterpreter PE File PE64 VirusTotal Malware DNS crashed |
|
1
|
|
|
3.6 |
M |
61 |
ZeroCERT
6759 |
2023-12-06 12:20
|
chromepass.exe 83deabd1a3d271493c2084cb2cc0b975 Gen1 Malicious Library UPX Anti_VM PE File PE64 OS Processor Check DLL ZIP Format ftp VirusTotal Malware Check memory Creates executable files |
|
|
|
|
2.2 |
M |
32 |
ZeroCERT
6760 |
2023-12-06 12:19
|
obizx.exe 12f10d15b25ffad6e27f76029516058a AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
43 |
ZeroCERT
6761 |
2023-12-06 12:18
|
clip64.dll 92adfbe29d3ddd3afe816ca7e6f183bb Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
2
http://brodoyouevenlift.co.za/jjuhhsa73/index.php http://185.196.8.195/u6vhSc3PPq/index.php
|
4
brodoyouevenlift.co.za(89.191.234.91) - mailcious yeahweliftbro.cz() - mailcious 185.196.8.195 - malware 89.191.234.91
|
|
|
3.6 |
M |
49 |
ZeroCERT
6762 |
2023-12-06 12:17
|
microsofttoldemetheywanttodele... 08568b90661f80313579e0c16c2737f0 MS_RTF_Obfuscation_Objects RTF File doc PE32 PE File .NET EXE Malware download Malware Malicious Traffic RWX flags setting exploit crash AppData folder Windows Exploit DNS crashed |
1
http://192.3.179.162/263/wlanext.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
6763 |
2023-12-06 12:15
|
runscript.ps1 c6b2f70cc5d512b714eca9c9cedb523b Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2
http://3.75.162.63/ducky.ps1
https://cdn.discordapp.com/attachments/1049795802308018227/1058509469400715384/chromepass.exe
|
1
|
1
ET INFO PS1 Powershell File Request
|
|
10.0 |
|
12 |
ZeroCERT
6764 |
2023-12-06 12:15
|
Booking_Information.exe f78c97a1a066952e9b277770e9150efa UPX AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself installed browsers check Windows Browser ComputerName DNS Cryptographic key |
|
1
|
|
|
12.4 |
M |
50 |
ZeroCERT
6765 |
2023-12-06 12:12
|
p.ps1 3dc32f74db9c2b56bca483d6e56316be Generic Malware Antivirus powershell Check memory unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows Gmail ComputerName Cryptographic key |
|
2
smtp.gmail.com(64.233.188.108) 142.251.8.108
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT