| 6886 |
2023-11-29 16:00
|
file_ver_9.rar 0626f8e71d8a91fd6185df77a50b9fbc
Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Vidar Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro DNS plugin |
36
http://5.42.64.41/40d570f44e84a454.php
http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://176.113.115.84:8080/4.php - rule_id: 34795
http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
http://apps.identrust.com/roots/dstrootcax3.p7c
http://91.92.243.151/api/firegate.php
http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
https://sun6-22.userapi.com/c236331/u418490229/docs/d5/af51deff0236/Rise.bmp?extra=EXpRRrsiC1jWoHBXbvHHi-UWj6Grj_AkUV6kOcM6llnGcexjn5FNP-bw5dsGphz9RLFdXu9yhqgky3xkYW4oblIQTqffvix3MCOTMskXb-0k6HOQ4MwchfLG5QMetCJb-25Uj9rO2AF0wV3bkQ
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc418490229_668938366?hash=5FoUaQok0B2gtiDqcFJ4bpegTD2SPzTjKqykfkwb3zc&dl=vyAqT5Xe4xXyZ38CTECObVL4GlrQZGRjeNMqsV10szg&api=1&no_preview=1#1
https://vk.com/doc418490229_668951217?hash=0wrWsiW5bDYiOaBQlj1ut0KnfM2SerHsUNtSIA8n0BX&dl=OYYh0EDgZLGz5BRVaNfHjBWXrjyY3hvz3peQaRwCvJ0&api=1&no_preview=1#test22
https://vk.com/doc418490229_668929938?hash=ktCgmKYqoZFe4ivRZzzbNBxLkP2YROgRTvMCbGK5rtc&dl=Q00m1ouR7KqanosInfovEoKZoXQN3pn1V9bUiGxjkk0&api=1&no_preview=1
https://thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs/setup294.exe
https://sun6-21.userapi.com/c909418/u418490229/docs/d33/0707ec1a9cdf/cz28.bmp?extra=sGRI4H5niz7RxILWD_zUG_ctDcTaUSYqKpF1niVRahjkUS__H9KEp1ZwCxgayUfHyz5J9Nz_aiGnRQ0XXPiLbkZhLPYOYfkejwL07zdN1voMsYNb9bZ-9a11sYdof2VMN6HvEZGjbQ-CNlvy4A
https://sun6-22.userapi.com/c909218/u418490229/docs/d39/b36e581ef415/file281123.bmp?extra=bJDa7mvscY-voQdIZZUksYr44DtBJP-kJssHt6Ahl0Q3MWE0gDizV1mxjHiRYniFlTlcLPFRW15HwvmQT66uxmB5hPFhj1YM_rOkx1nDbAHpSg6gKZ6T_jczVxXuiS1oknRU7mtsN-SX-p1ujg
https://vk.com/doc278414724_666785048?hash=BEECsUI0KihIsE0U0nCflKTI5jGLqnjbHrZ921hHoIo&dl=MlH2hFcAGSgijzPzzjYVJFJFj9WHHsyc0XO9FI0mX38&api=1&no_preview=1#ww11
https://api.myip.com/
https://vk.com/doc418490229_668929802?hash=JGJzKUDsQctWofQ698XiG5TtXyL4jHXW5WO9kYCx09g&dl=jnJZekjN4zWOrABguUPz6zoyi3nglzHT0X5thDnbzMX&api=1&no_preview=1#redline_rm
https://sun6-23.userapi.com/c909328/u418490229/docs/d20/f3a7ad2143af/mr_Bro.bmp?extra=LeAgMHn_2s_EVvaW-K_cYV6O9innY-2Ivke0GMPWzt-Bxu8pOVe7OUztp54ANXLikgsNht2ZvFU3mutgl9UWPZP25IvV6FHhjqfrAX2L6bAqCC7SyALVe6WD2lVYAeSAh3Vn80bmEFxY13YjhQ
https://vk.com/doc418490229_668929813?hash=CcrmLI7IeiRz0lU8DnAVrRG7zp1VmDOzkljV4YdvlFg&dl=fbXhUnfoCiOFBNTYzP3G4TgseWVmer9dhybO06Dbf3X&api=1&no_preview=1#risepro
https://iplis.ru/1Gemv7.mp3
https://sun6-20.userapi.com/c909518/u418490229/docs/d51/4406a2506340/red_line.bmp?extra=1GONfT_9cHm8rJzJ70PLJj4VAC91m0S4Gca-QG052TIJ_-UwtxALkVaPJ0uZ1FKVXet0kJLaXAZ51JpjRgVz_JEdKGwQ8dO7nEJ5B0ilU4MZvTvhmkRuXRNbW12qcvV2G5xp2F3bcuW3WdIAhQ
https://api.2ip.ua/geo.json
https://vk.com/doc418490229_668931401?hash=iAFqqX4VsjibbUrFFs3uLnWGAIedldaHRjTySVZmqV0&dl=hZ7Ql2epmfz2WiO8BxGI8cdwo6AK6bLFPyI65FMR3FH&api=1&no_preview=1#maff
https://sun6-21.userapi.com/c909328/u418490229/docs/d52/e20150ec5011/crypted.bmp?extra=9_uUHyTbLcXEPVRQVoDX2SVXXD5LQIa5cbmPsUZ3sANv_Z7qrNnfAbxOeHfG8kJovBnfxWwX2ooHmOeZbCi822CJMQagWtI1l_OJm3U24MjBdIRMy5fjt-zQyydy6dHJmDi4Osx0CqpLJikI0A
https://vk.com/doc418490229_668767729?hash=65wAhIT5Td9Qu0SLdsQyFz8gx9sXRgxbSsg6rImiJQH&dl=ur2wv4vg3UjVwTO0wSnjKdxULtRETYEfElriZjtBG64&api=1&no_preview=1
https://sun6-21.userapi.com/c237331/u418490229/docs/d28/adfc4032e372/BotClients.bmp?extra=u6VcUNDBHlz4YtdAG5FSiCZtBVvB20an469YZyM8KYXq3Vh2UQ8YRDjgubImLSU5YyYT8TRfRocazjx4RVqpRtmvXLm18R9BiDOzCavVrvZPK5TXT1v1nS1lYeEizYUGJUOVTFeMRkJhvuR3lQ
https://vk.com/doc26060933_667508201?hash=6VnuemqrvgMX7JGCKhOp7uAllSfIKzasrs7cM1fWhgL&dl=JwY775FVXYxbFspXlbElezWDzeVHhbpuZXgjGmHUTZs&api=1&no_preview=1#setup
https://vk.com/doc418490229_668950817?hash=eI5j14qEZqSaw1aKlx69PDkbeE2RaV0OZkR8TCBVlkH&dl=Q3HIRdzNrrMLZtN2dhibLhc4W12UZleN44GQrBv9zQc&api=1&no_preview=1#xin
https://sun6-23.userapi.com/c909328/u418490229/docs/d4/513c59e462a3/2s78sh2agf.bmp?extra=wo3J3uOiHbgaAFfUUpBiWNnQ_wa3RVUVpf16WebNgU3tW18tv009ULs2b4b8x5HTDD7XJTCRwRbunl6DgE_pXd2Bpht21e04pZ2mEDxtRrUOB_l46TDy9w7D_F8mVOCDwNW_T0c_ZlIZ8-Hh2A
|
46
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
zexeq.com(211.168.53.110) - malware
db-ip.com(104.26.4.15)
thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs(172.67.175.68)
gons32cl.top() - malware
iplis.ru(104.21.63.150) - mailcious
api.2ip.ua(172.67.139.220)
sun6-22.userapi.com(95.142.206.2) - mailcious
vanaheim.cn(158.160.82.150) - mailcious
iplogger.org(104.21.4.208) - mailcious
ipinfo.io(34.117.59.81)
api.myip.com(172.67.75.163)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.132.72) - mailcious
logisticspierias.com(162.0.215.51) - malware
sun6-21.userapi.com(95.142.206.1) - mailcious
194.169.175.128 - mailcious
162.0.215.51 - mailcious
5.42.64.41 - mailcious
5.42.64.35 - malware
109.107.182.45 - mailcious
194.33.191.60 - mailcious
91.215.85.209 - mailcious
194.49.94.80 - mailcious
104.21.31.74
190.187.52.42
34.117.59.81
176.113.115.84 - mailcious
104.26.8.59
172.67.147.32
91.92.243.151 - mailcious
95.214.26.17
158.160.82.150
194.49.94.152 - mailcious
194.49.94.97 - malware
23.67.53.17
104.26.4.15
87.240.137.164 - mailcious
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
95.142.206.0 - mailcious
77.232.39.164
172.67.132.113
95.142.206.1 - mailcious
|
49
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 20
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET DROP Spamhaus DROP Listed Traffic Inbound group 8
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
SURICATA HTTP unable to match response to request
|
3
http://zexeq.com/test2/get.php
http://176.113.115.84:8080/4.php
http://91.92.243.151/api/tracemap.php
|
6.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6887 |
2023-11-29 14:38
|
 maxziflowzx.exe 5393d9e3a30269ebfed5456bf1304e92
.NET framework(MSIL) AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself AppData folder Browser DNS |
18
http://www.whistle.news/mg0g/?8cRkdL-h=8R1spc4kaDEWlEJg8vF1k1GCYe1vBR5yYH2nKF+uhpjoaiwnvSPXopyruDnDnxaAhR/ULocc2ys9QPFDsU5IyNPMGvvn4PxhaS8XNMs=&r1zVw=7GWQ_-xgU
http://www.limooi.net/mg0g/?8cRkdL-h=T3pbsuGJY2WOIN03L8NlN0GJ+TqkEYwtQUA9siqBJMOxPedzPX2dfFDQxyJSNdSDLlyTl9rcnj2vOMPj0R5dBPd/+rOOG0FZdG8LRvc=&r1zVw=7GWQ_-xgU
http://www.alexbruma.com/mg0g/?8cRkdL-h=TZtAOU2zJBKbLgvHulWrctMijHF9qs7DPKw5qNaDLWK8osbI5ENSukyfV0auBUHllKHlpSsKBSD+iUGqaGCnVjvmwMTcDGlPOxFYPi4=&r1zVw=7GWQ_-xgU
http://www.optime19.com/mg0g/?8cRkdL-h=JX9bRfLOpqNEOOymQR7yk5dab4VR4H7R1nhebZtzBw39xumhyI7GIKzIy7fUqw87BkYQVkkGEP9iK52Y282QYE28HhvkBbptD1a7nt4=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
http://www.e-saleshub.quest/mg0g/
http://www.lederjacke24.com/mg0g/?8cRkdL-h=j84N6G19uoXHTItTNbSgysEEiO8RF1s49C/qmX1UIYmvPN38Fpa3o2d2Xt1p2I563r+6lcLmZmkO/3Pzx/pe1VaGqpP7sGftrUNHiSE=&r1zVw=7GWQ_-xgU
http://www.prospin.click/mg0g/?8cRkdL-h=AMo+Cmk3hXK3yH/KRAxEZqLdKDpgdcehN2HIFp6MhDBnwy4mJAPROf6TTmmTOHloXs1NFvilG7N23QCnTRSKlDKk5HQvSnm6aCYpbZA=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.shutlleross.life/mg0g/?8cRkdL-h=bJn52SPmeJrPy+67E/dcn6LDWlNMaKHrL+hLeIwBYFQegbTEhn+mauNt/7t0vTaKfTZK38m13LQUXcG77GQygy9UzHEWnrwfd1Ppjkk=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.zzennsensual.com/mg0g/?8cRkdL-h=UPCCUTLw89vpBj6v0OYIlyH/tXfMYDNHMqKBY3mPNZeldAdbgqjCzRL3PAAnKT02EQ0FoLgccQ5um3bZSYkyx6B1k5qp4LaFV2egdmY=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.cealr.link/mg0g/?8cRkdL-h=IMAy+8ATmNJk+ySFUKxdJzz5Bsi5/gWlpcldbFUltyc7U32aAYy0gH7A0aaej9oqq+Z9qC1a58M4kMl15uIwUbV5PjKosSXhQm7IMFQ=&r1zVw=7GWQ_-xgU
http://www.pfannen-scholl.info/mg0g/?8cRkdL-h=VKVW22dp+OoakfKr7RHo3LVkALqaN8kis3rXbCHUw2XFas+tapQC3hmrWNln/w9IyKLzGXj0H6Jc9XLG0WdMldG9smrNtVeNBxRCR80=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
http://www.e-saleshub.quest/mg0g/?8cRkdL-h=bJWbZlFCpWjy/9bYbHM6H7ljbRC4b8vPK6lQdtvFTIRbdY1RUFaQDPtKpbiZ1jn13/iERNVq+PXBoNIqG1dC5GacnrVejbGpWc4QdZ0=&r1zVw=7GWQ_-xgU
http://www.canlitinib.com/mg0g/?8cRkdL-h=DCRiVM6IxoWJyptv3NIe0jO5xuFlNfo/UtKdle2BPkU0htusLnDUD8TPrOe6/6WS6xDFuQW1wjE1wfPqEBFmzvzQCsnl689JFcTspE4=&r1zVw=7GWQ_-xgU
|
26
www.pfannen-scholl.info(81.169.145.160)
www.shutlleross.life(66.29.142.244)
www.shimakaze-83.cfd() - mailcious
www.alexbruma.com(104.21.77.252)
www.lederjacke24.com(81.169.145.166)
www.whistle.news(84.32.84.32) - mailcious
www.canlitinib.com(91.195.240.123)
www.cealr.link(38.6.177.47)
www.e-saleshub.quest(104.21.39.249)
www.prospin.click(192.99.101.236)
www.zzennsensual.com(81.169.145.84)
www.optime19.com(45.33.18.44)
www.limooi.net(199.59.243.225)
66.29.142.244 - mailcious
198.58.118.167 - mailcious
172.67.214.17
81.169.145.160 - mailcious
84.32.84.32 - mailcious
199.59.243.225 - mailcious
38.6.177.47
91.195.240.123 - mailcious
172.67.172.121 - phishing
81.169.145.166 - mailcious
81.169.145.84 - mailcious
45.33.6.223
192.99.101.236
|
2
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
|
|
11.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6888 |
2023-11-29 14:33
|
 123.exe 5ab89a96be7570dfe4f49e6b9a42bc88
Malicious Library UPX PE32 PE File MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
2
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
http://45.125.57.96:8888/8.77.dll
|
8
docs.google.com(142.250.206.206) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - mailcious
69.42.215.252
45.125.57.96 - mailcious
142.251.220.14
162.125.84.18 - mailcious
|
4
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET HUNTING Rejetto HTTP File Sever Response
|
|
9.6 |
M |
67 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6889 |
2023-11-29 14:33
|
 clip.dll 4194e9b8b694b1e9b672c36f0d868e32
Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware PDB Malicious Traffic Checks debugger unpack itself suspicious TLD |
1
http://tceducn.com/forum/index.php
|
4
tceducn.com(201.103.122.206) - malware
arrunda.ru() - mailcious
soetegem.com()
202.4.114.123
|
|
|
3.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6890 |
2023-11-29 14:33
|
 index.php b13eac66431fb3332fae4527ab1b0e2e
Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
1.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6891 |
2023-11-29 14:30
|
 supstrim.exe eace63ea1948f012941dd4a9b3ac3c94
AntiDebug AntiVM PE File PE64 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6892 |
2023-11-29 14:30
|
microsoftdeletedEdgehistorycac... 45cc2f78479e7eb29a063a5034a962c5
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
18
http://23.95.235.10/210/wlanext.exe
http://www.brucesalyers.com/qbnf/
http://www.luciengeorge.com/qbnf/
http://www.saudiarabia-invest.com/qbnf/
http://www.vaultedjewelry.com/qbnf/?i09Z8uP_=rgPWpHOmxKlSe7EHONYdVBrmOnLu4eF6eOSzvd7TZo3R3Fo4Dd2XRg3DbQYqSiNd5R8WYW2HfYo1oy4LJvVB6tvZDWfBfjfjeCKWam8=&pq4=B_bUHOuV
http://www.brightpathtechgroups.top/qbnf/
http://www.vaultedjewelry.com/qbnf/
http://www.saudiarabia-invest.com/qbnf/?i09Z8uP_=TQw86TlhZOZGhyrotGnGA9O38tw4CjcNLRp/p2VP3ufYpIvUmIv9kKzVdrLDClRgTF6URTvKEK1oO5gHY3jB8uOZGTzekB90rbc1k/w=&pq4=B_bUHOuV
http://www.mr-u-taste.com/qbnf/
http://www.infinite-7.com/qbnf/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.brucesalyers.com/qbnf/?i09Z8uP_=pOaW0U2I6Oim8KKUbDqJDQhYI0+jOGca0ZkB2ClPUoj3GtGVG9J/gqWS9Mz6XkgBxNiuWxxBos74OtAK1fVYBccuSwjN1UL6AWuKPcU=&pq4=B_bUHOuV
http://www.luciengeorge.com/qbnf/?i09Z8uP_=0c7pTBUgqi7uIFOYjbT3SYstx1V9f1GJj9bVxgDbtFRASgICtVyP8zh8VQdSKB3ZTDJ9NwSYp2xAsrB2eli3KEKVX/ICehpktcwDvSA=&pq4=B_bUHOuV
http://www.54c7pv.top/qbnf/
http://www.brightpathtechgroups.top/qbnf/?i09Z8uP_=/XY8b2QuaMdFC0XpCgsh4GNYF4+K1Jee0ur1wuthWP34gEpbfUtO61S+Wmzh4wGYwfcaHPs6UkqbWuaiX2goUA52btrwqIRWjk6Aczs=&pq4=B_bUHOuV
http://www.54c7pv.top/qbnf/?i09Z8uP_=R40TEU5sRsOQoxxitOES9+hMTVh8b1wg2WgWpjzQt3scLF2RQpMS0y827zix4QRv7SCVfpbDXNdzS1tGlHHYZLiaPpoCE6jYgQr1YbY=&pq4=B_bUHOuV
http://www.infinite-7.com/qbnf/?i09Z8uP_=+6BF5kLU84F0bZC4snN7O//5RGhAAZcl02SXjZ/C8WDlleVZNjPdMeMs0Bth8cY5eBWoVtOkuOGyDcUeP7JOiDQXP7lXIFXFwa8Se1E=&pq4=B_bUHOuV
http://www.mr-u-taste.com/qbnf/?i09Z8uP_=mGR7ZmLmEt9yNzhj107em99ZnYgpgTedSLqstOtysWtmmDPutWYGQHPP7A/bNBdhcJI+eHBY4GrszbL+CPnGOgwl8ziMxMmXJyanig0=&pq4=B_bUHOuV
|
18
www.brucesalyers.com(91.195.240.117)
www.saudiarabia-invest.com(81.169.145.74)
www.charlotte-usa.site()
www.vaultedjewelry.com(91.195.240.19)
www.luciengeorge.com(108.128.72.146)
www.brightpathtechgroups.top(198.177.123.106)
www.infinite-7.com(91.195.240.19)
www.54c7pv.top(154.91.180.241) - mailcious
www.mr-u-taste.com(202.91.248.226)
91.195.240.19 - mailcious
202.91.248.226
91.195.240.117 - mailcious
81.169.145.74 - mailcious
154.91.180.241 - mailcious
198.177.123.106
23.95.235.10 - malware
108.128.72.146
45.33.6.223
|
7
ET INFO HTTP Request to a *.top domain
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.top domain - Likely Hostile
|
|
4.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6893 |
2023-11-29 14:28
|
 O.ini 15909167c6a125757e0a931c7c486269
Emotet AgentTesla Malicious Library Malicious Packer UPX PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.212)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6894 |
2023-11-29 14:26
|
 strim.exe 0d1e3266a1bc3b62f0523e10b5170337
PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6895 |
2023-11-29 14:24
|
 Klkypmnqw.exe 6c9f3e248382f389d17d308ad5350d6d
AntiDebug AntiVM PE File PE64 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
8.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6896 |
2023-11-29 14:23
|
microsoftEdgedeletedentirehist... ad19c30e8fc0f89004a1f960b477707f
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed |
1
http://107.173.229.146/175/wlanext.exe
|
1
107.173.229.146 - malware
|
1
ET INFO Executable Download from dotted-quad Host
|
|
4.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6897 |
2023-11-29 11:27
|
 wlanext.exe eb951bc883b87a58ffa82ab793d7e4b0
.NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser ComputerName DNS |
22
http://www.infinite-7.com/qbnf/?1qPpHsU-=+6BF5kLU84F0bZC4snN7O//5RGhAAZcl02SXjZ/C8WDlleVZNjPdMeMs0Bth8cY5eBWoVtOkuOGyDcUeP7JOiDQXP7lXIFXFwa8Se1E=&4wJ=L5inFf0cTItD
http://www.brightpathtechgroups.top/qbnf/
http://www.54c7pv.top/qbnf/?1qPpHsU-=R40TEU5sRsOQoxxitOES9+hMTVh8b1wg2WgWpjzQt3scLF2RQpMS0y827zix4QRv7SCVfpbDXNdzS1tGlHHYZLiaPpoCE6jYgQr1YbY=&4wJ=L5inFf0cTItD
http://www.saudiarabia-invest.com/qbnf/?1qPpHsU-=TQw86TlhZOZGhyrotGnGA9O38tw4CjcNLRp/p2VP3ufYpIvUmIv9kKzVdrLDClRgTF6URTvKEK1oO5gHY3jB8uOZGTzekB90rbc1k/w=&4wJ=L5inFf0cTItD
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
http://www.swiftricz.com/qbnf/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.mr-u-taste.com/qbnf/
http://www.brightpathtechgroups.top/qbnf/?1qPpHsU-=/XY8b2QuaMdFC0XpCgsh4GNYF4+K1Jee0ur1wuthWP34gEpbfUtO61S+Wmzh4wGYwfcaHPs6UkqbWuaiX2goUA52btrwqIRWjk6Aczs=&4wJ=L5inFf0cTItD
http://www.vaultedjewelry.com/qbnf/?1qPpHsU-=rgPWpHOmxKlSe7EHONYdVBrmOnLu4eF6eOSzvd7TZo3R3Fo4Dd2XRg3DbQYqSiNd5R8WYW2HfYo1oy4LJvVB6tvZDWfBfjfjeCKWam8=&4wJ=L5inFf0cTItD
http://www.brucesalyers.com/qbnf/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.luciengeorge.com/qbnf/?1qPpHsU-=0c7pTBUgqi7uIFOYjbT3SYstx1V9f1GJj9bVxgDbtFRASgICtVyP8zh8VQdSKB3ZTDJ9NwSYp2xAsrB2eli3KEKVX/ICehpktcwDvSA=&4wJ=L5inFf0cTItD
http://www.vaultedjewelry.com/qbnf/
http://www.brucesalyers.com/qbnf/?1qPpHsU-=pOaW0U2I6Oim8KKUbDqJDQhYI0+jOGca0ZkB2ClPUoj3GtGVG9J/gqWS9Mz6XkgBxNiuWxxBos74OtAK1fVYBccuSwjN1UL6AWuKPcU=&4wJ=L5inFf0cTItD
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.luciengeorge.com/qbnf/
http://www.saudiarabia-invest.com/qbnf/
http://www.54c7pv.top/qbnf/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.mr-u-taste.com/qbnf/?1qPpHsU-=mGR7ZmLmEt9yNzhj107em99ZnYgpgTedSLqstOtysWtmmDPutWYGQHPP7A/bNBdhcJI+eHBY4GrszbL+CPnGOgwl8ziMxMmXJyanig0=&4wJ=L5inFf0cTItD
http://www.infinite-7.com/qbnf/
|
18
www.brucesalyers.com(91.195.240.117)
www.luciengeorge.com(54.73.26.109)
www.charlotte-usa.site()
www.saudiarabia-invest.com(81.169.145.74)
www.vaultedjewelry.com(91.195.240.19)
www.swiftricz.com(91.195.240.117)
www.brightpathtechgroups.top(198.177.123.106)
www.infinite-7.com(91.195.240.19)
www.54c7pv.top(154.91.180.241) - mailcious
www.mr-u-taste.com(202.91.248.226)
91.195.240.19 - mailcious
202.91.248.226
81.169.145.74 - mailcious
154.91.180.241 - mailcious
54.73.26.109
198.177.123.106
91.195.240.117 - mailcious
45.33.6.223
|
2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
|
11.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6898 |
2023-11-29 11:25
|
 build.exe 69a2817a41b97ee8f1917646723312bf
Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6899 |
2023-11-29 11:25
|
 wlanext.exe 09b88ab4bf59c36094bafec7a32bafed
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser ComputerName DNS |
16
http://www.brls.money/zqco/?8E8fDE=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&VYr=gIPPDnH2f7x - rule_id: 38345
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
http://www.54c7pv.top/zqco/?8E8fDE=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&VYr=gIPPDnH2f7x - rule_id: 38344
http://www.zz23xw.top/zqco/?8E8fDE=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&VYr=gIPPDnH2f7x - rule_id: 38337
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.ofupakoshi.com/zqco/?8E8fDE=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&VYr=gIPPDnH2f7x - rule_id: 38341
http://www.ezus.life/zqco/?8E8fDE=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&VYr=gIPPDnH2f7x - rule_id: 38339
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.speedbikesglobal.com/zqco/?8E8fDE=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&VYr=gIPPDnH2f7x - rule_id: 38340
http://www.velvet-key-properties.top/zqco/?8E8fDE=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&VYr=gIPPDnH2f7x - rule_id: 38342
http://www.stprov.biz/zqco/?8E8fDE=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&VYr=gIPPDnH2f7x - rule_id: 38346
http://www.wearehydrant.com/zqco/?8E8fDE=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&VYr=gIPPDnH2f7x - rule_id: 38343
http://www.oneillspubs.com/zqco/?8E8fDE=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&VYr=gIPPDnH2f7x - rule_id: 38338
http://www.talknconvert.com/zqco/?8E8fDE=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&VYr=gIPPDnH2f7x - rule_id: 38336
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.talknconvert.com/zqco/ - rule_id: 38336
|
24
www.ofupakoshi.com(118.27.125.154) - mailcious
www.talknconvert.com(34.120.137.41) - mailcious
www.velvet-key-properties.top(162.0.222.119) - mailcious
www.cardsfinanse.online() - mailcious
www.brls.money(76.76.21.164) - mailcious
www.wearehydrant.com(216.40.34.41) - mailcious
www.oneillspubs.com(199.59.243.225) - mailcious
www.stprov.biz(208.91.197.132) - mailcious
www.speedbikesglobal.com(207.244.126.150) - mailcious
www.zz23xw.top(198.44.187.121) - mailcious
www.54c7pv.top(154.91.180.241) - mailcious
www.ezus.life(34.96.147.60) - mailcious
34.96.147.60 - mailcious
198.44.187.121 - mailcious
207.244.126.150 - mailcious
154.91.180.241 - mailcious
199.59.243.225 - mailcious
216.40.34.41 - mailcious
45.33.6.223
208.91.197.132 - mailcious
34.120.137.41 - mailcious
118.27.125.154 - mailcious
76.76.21.98 - mailcious
162.0.222.119 - mailcious
|
5
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
|
12
http://www.brls.money/zqco/
http://www.54c7pv.top/zqco/
http://www.zz23xw.top/zqco/
http://www.ofupakoshi.com/zqco/
http://www.ezus.life/zqco/
http://www.speedbikesglobal.com/zqco/
http://www.velvet-key-properties.top/zqco/
http://www.stprov.biz/zqco/
http://www.wearehydrant.com/zqco/
http://www.oneillspubs.com/zqco/
http://www.talknconvert.com/zqco/
http://www.talknconvert.com/zqco/
|
10.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6900 |
2023-11-29 11:23
|
 wininit.exe 8ec1ce0895188a09e0f43d999cf34cac
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|