| 6751 |
2023-12-07 06:54
|
 GameCenter.exe 054c92c15c2574860d1fe07b9fad1b23
HermeticWiper Gen1 PhysicalDrive Generic Malware Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) ASPack Antivirus UPX Anti_VM PE32 PE File MZP Format OS Processor Check MachineGuid Check memory unpack itself Check virtual network interfaces AntiVM_Disk suspicious TLD VM Disk Size Check Tofsee Firmware crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
stat.gc.vkplay.ru(95.163.41.136)
95.163.41.136
23.67.53.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6752 |
2023-12-06 12:57
|
 HSBC Payment Advice.xls 3a4eb467c8ee5a0661b005aa8f728c7a
VBA_macro Generic Malware MSOffice File VirusTotal Malware Malicious Traffic unpack itself DNS |
1
http://172.245.208.126/SSH/MicrosfotEdgedeletedhistorycachecookieentirethingsfromthepc.Doc
|
1
|
2
ET INFO Dotted Quad Host DOC Request
ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
|
|
2.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6753 |
2023-12-06 12:30
|
 you.cmd 2977c8c94af8bc95f2c71f6b1b1f2633
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://3.75.162.63/ducky.ps1
|
1
|
1
ET INFO PS1 Powershell File Request
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6754 |
2023-12-06 12:26
|
 cred64.dll 1afaa1fcda6635e17dce5b5bf27f3c79
Malicious Library UPX PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB MachineGuid Malicious Traffic Checks debugger unpack itself Windows utilities sandbox evasion installed browsers check Windows Browser Email DNS Software |
2
http://brodoyouevenlift.co.za/jjuhhsa73/index.php
http://185.196.8.195/u6vhSc3PPq/index.php
|
4
brodoyouevenlift.co.za(89.191.234.91) - mailcious
yeahweliftbro.cz() - mailcious
185.196.8.195 - malware
89.191.234.91
|
|
|
8.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6755 |
2023-12-06 12:23
|
 Ennytypip.exe eb71493b8c138d52c8baea7adaae0a22
.NET framework(MSIL) PWS SMTP DNS AntiDebug AntiVM PE32 PE File .NET EXE VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key |
|
1
213.139.207.234 - mailcious
|
|
|
10.8 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6756 |
2023-12-06 12:23
|
 LjYLHSho7Xgoi1P.exe 77e7f5ee129d7a0eb6a063c6700083f6
AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
http://ip-api.com/line/?fields=hosting
|
4
api.ipify.org(64.185.227.156)
ip-api.com(208.95.112.1)
173.231.16.77
208.95.112.1
|
5
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY External IP Lookup ip-api.com
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6757 |
2023-12-06 12:21
|
 autorun.exe 292eeb275937dbfc806df2b169cf61e6
Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
2
193.233.132.34 - mailcious
91.235.128.141
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
|
|
7.2 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6758 |
2023-12-06 12:20
|
 reverse.exe cedc316a75f461facb72511004041ebe
Meterpreter PE File PE64 VirusTotal Malware DNS crashed |
|
1
|
|
|
3.6 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6759 |
2023-12-06 12:20
|
 chromepass.exe 83deabd1a3d271493c2084cb2cc0b975
Gen1 Malicious Library UPX Anti_VM PE File PE64 OS Processor Check DLL ZIP Format ftp VirusTotal Malware Check memory Creates executable files |
|
|
|
|
2.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6760 |
2023-12-06 12:19
|
 obizx.exe 12f10d15b25ffad6e27f76029516058a
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6761 |
2023-12-06 12:18
|
 clip64.dll 92adfbe29d3ddd3afe816ca7e6f183bb
Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
2
http://brodoyouevenlift.co.za/jjuhhsa73/index.php
http://185.196.8.195/u6vhSc3PPq/index.php
|
4
brodoyouevenlift.co.za(89.191.234.91) - mailcious
yeahweliftbro.cz() - mailcious
185.196.8.195 - malware
89.191.234.91
|
|
|
3.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6762 |
2023-12-06 12:17
|
microsofttoldemetheywanttodele... 08568b90661f80313579e0c16c2737f0
MS_RTF_Obfuscation_Objects RTF File doc PE32 PE File .NET EXE Malware download Malware Malicious Traffic RWX flags setting exploit crash AppData folder Windows Exploit DNS crashed |
1
http://192.3.179.162/263/wlanext.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6763 |
2023-12-06 12:15
|
 runscript.ps1 c6b2f70cc5d512b714eca9c9cedb523b
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2
http://3.75.162.63/ducky.ps1
https://cdn.discordapp.com/attachments/1049795802308018227/1058509469400715384/chromepass.exe
|
1
|
1
ET INFO PS1 Powershell File Request
|
|
10.0 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6764 |
2023-12-06 12:15
|
 Booking_Information.exe f78c97a1a066952e9b277770e9150efa
UPX AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself installed browsers check Windows Browser ComputerName DNS Cryptographic key |
|
1
|
|
|
12.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6765 |
2023-12-06 12:12
|
 p.ps1 3dc32f74db9c2b56bca483d6e56316be
Generic Malware Antivirus powershell Check memory unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows Gmail ComputerName Cryptographic key |
|
2
smtp.gmail.com(64.233.188.108)
142.251.8.108
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|