6886 |
2023-11-29 16:00
|
file_ver_9.rar 0626f8e71d8a91fd6185df77a50b9fbc Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Vidar Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro DNS plugin |
36
http://5.42.64.41/40d570f44e84a454.php
http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://176.113.115.84:8080/4.php - rule_id: 34795
http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
http://apps.identrust.com/roots/dstrootcax3.p7c
http://91.92.243.151/api/firegate.php
http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
https://sun6-22.userapi.com/c236331/u418490229/docs/d5/af51deff0236/Rise.bmp?extra=EXpRRrsiC1jWoHBXbvHHi-UWj6Grj_AkUV6kOcM6llnGcexjn5FNP-bw5dsGphz9RLFdXu9yhqgky3xkYW4oblIQTqffvix3MCOTMskXb-0k6HOQ4MwchfLG5QMetCJb-25Uj9rO2AF0wV3bkQ
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc418490229_668938366?hash=5FoUaQok0B2gtiDqcFJ4bpegTD2SPzTjKqykfkwb3zc&dl=vyAqT5Xe4xXyZ38CTECObVL4GlrQZGRjeNMqsV10szg&api=1&no_preview=1#1
https://vk.com/doc418490229_668951217?hash=0wrWsiW5bDYiOaBQlj1ut0KnfM2SerHsUNtSIA8n0BX&dl=OYYh0EDgZLGz5BRVaNfHjBWXrjyY3hvz3peQaRwCvJ0&api=1&no_preview=1#test22
https://vk.com/doc418490229_668929938?hash=ktCgmKYqoZFe4ivRZzzbNBxLkP2YROgRTvMCbGK5rtc&dl=Q00m1ouR7KqanosInfovEoKZoXQN3pn1V9bUiGxjkk0&api=1&no_preview=1
https://thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs/setup294.exe
https://sun6-21.userapi.com/c909418/u418490229/docs/d33/0707ec1a9cdf/cz28.bmp?extra=sGRI4H5niz7RxILWD_zUG_ctDcTaUSYqKpF1niVRahjkUS__H9KEp1ZwCxgayUfHyz5J9Nz_aiGnRQ0XXPiLbkZhLPYOYfkejwL07zdN1voMsYNb9bZ-9a11sYdof2VMN6HvEZGjbQ-CNlvy4A
https://sun6-22.userapi.com/c909218/u418490229/docs/d39/b36e581ef415/file281123.bmp?extra=bJDa7mvscY-voQdIZZUksYr44DtBJP-kJssHt6Ahl0Q3MWE0gDizV1mxjHiRYniFlTlcLPFRW15HwvmQT66uxmB5hPFhj1YM_rOkx1nDbAHpSg6gKZ6T_jczVxXuiS1oknRU7mtsN-SX-p1ujg
https://vk.com/doc278414724_666785048?hash=BEECsUI0KihIsE0U0nCflKTI5jGLqnjbHrZ921hHoIo&dl=MlH2hFcAGSgijzPzzjYVJFJFj9WHHsyc0XO9FI0mX38&api=1&no_preview=1#ww11
https://api.myip.com/
https://vk.com/doc418490229_668929802?hash=JGJzKUDsQctWofQ698XiG5TtXyL4jHXW5WO9kYCx09g&dl=jnJZekjN4zWOrABguUPz6zoyi3nglzHT0X5thDnbzMX&api=1&no_preview=1#redline_rm
https://sun6-23.userapi.com/c909328/u418490229/docs/d20/f3a7ad2143af/mr_Bro.bmp?extra=LeAgMHn_2s_EVvaW-K_cYV6O9innY-2Ivke0GMPWzt-Bxu8pOVe7OUztp54ANXLikgsNht2ZvFU3mutgl9UWPZP25IvV6FHhjqfrAX2L6bAqCC7SyALVe6WD2lVYAeSAh3Vn80bmEFxY13YjhQ
https://vk.com/doc418490229_668929813?hash=CcrmLI7IeiRz0lU8DnAVrRG7zp1VmDOzkljV4YdvlFg&dl=fbXhUnfoCiOFBNTYzP3G4TgseWVmer9dhybO06Dbf3X&api=1&no_preview=1#risepro
https://iplis.ru/1Gemv7.mp3
https://sun6-20.userapi.com/c909518/u418490229/docs/d51/4406a2506340/red_line.bmp?extra=1GONfT_9cHm8rJzJ70PLJj4VAC91m0S4Gca-QG052TIJ_-UwtxALkVaPJ0uZ1FKVXet0kJLaXAZ51JpjRgVz_JEdKGwQ8dO7nEJ5B0ilU4MZvTvhmkRuXRNbW12qcvV2G5xp2F3bcuW3WdIAhQ
https://api.2ip.ua/geo.json
https://vk.com/doc418490229_668931401?hash=iAFqqX4VsjibbUrFFs3uLnWGAIedldaHRjTySVZmqV0&dl=hZ7Ql2epmfz2WiO8BxGI8cdwo6AK6bLFPyI65FMR3FH&api=1&no_preview=1#maff
https://sun6-21.userapi.com/c909328/u418490229/docs/d52/e20150ec5011/crypted.bmp?extra=9_uUHyTbLcXEPVRQVoDX2SVXXD5LQIa5cbmPsUZ3sANv_Z7qrNnfAbxOeHfG8kJovBnfxWwX2ooHmOeZbCi822CJMQagWtI1l_OJm3U24MjBdIRMy5fjt-zQyydy6dHJmDi4Osx0CqpLJikI0A
https://vk.com/doc418490229_668767729?hash=65wAhIT5Td9Qu0SLdsQyFz8gx9sXRgxbSsg6rImiJQH&dl=ur2wv4vg3UjVwTO0wSnjKdxULtRETYEfElriZjtBG64&api=1&no_preview=1
https://sun6-21.userapi.com/c237331/u418490229/docs/d28/adfc4032e372/BotClients.bmp?extra=u6VcUNDBHlz4YtdAG5FSiCZtBVvB20an469YZyM8KYXq3Vh2UQ8YRDjgubImLSU5YyYT8TRfRocazjx4RVqpRtmvXLm18R9BiDOzCavVrvZPK5TXT1v1nS1lYeEizYUGJUOVTFeMRkJhvuR3lQ
https://vk.com/doc26060933_667508201?hash=6VnuemqrvgMX7JGCKhOp7uAllSfIKzasrs7cM1fWhgL&dl=JwY775FVXYxbFspXlbElezWDzeVHhbpuZXgjGmHUTZs&api=1&no_preview=1#setup
https://vk.com/doc418490229_668950817?hash=eI5j14qEZqSaw1aKlx69PDkbeE2RaV0OZkR8TCBVlkH&dl=Q3HIRdzNrrMLZtN2dhibLhc4W12UZleN44GQrBv9zQc&api=1&no_preview=1#xin
https://sun6-23.userapi.com/c909328/u418490229/docs/d4/513c59e462a3/2s78sh2agf.bmp?extra=wo3J3uOiHbgaAFfUUpBiWNnQ_wa3RVUVpf16WebNgU3tW18tv009ULs2b4b8x5HTDD7XJTCRwRbunl6DgE_pXd2Bpht21e04pZ2mEDxtRrUOB_l46TDy9w7D_F8mVOCDwNW_T0c_ZlIZ8-Hh2A
|
46
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
zexeq.com(211.168.53.110) - malware
db-ip.com(104.26.4.15)
thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs(172.67.175.68)
gons32cl.top() - malware
iplis.ru(104.21.63.150) - malicious
api.2ip.ua(172.67.139.220)
sun6-22.userapi.com(95.142.206.2) - malicious
vanaheim.cn(158.160.82.150) - malicious
iplogger.org(104.21.4.208) - malicious
ipinfo.io(34.117.59.81)
api.myip.com(172.67.75.163)
sun6-23.userapi.com(95.142.206.3) - malicious
sun6-20.userapi.com(95.142.206.0) - malicious
vk.com(87.240.132.72) - malicious
logisticspierias.com(162.0.215.51) - malware
sun6-21.userapi.com(95.142.206.1) - malicious
194.169.175.128 - malicious
162.0.215.51 - malicious
5.42.64.41 - malicious
5.42.64.35 - malware
109.107.182.45 - malicious
194.33.191.60 - malicious
91.215.85.209 - malicious
194.49.94.80 - malicious
104.21.31.74
190.187.52.42
34.117.59.81
176.113.115.84 - malicious
104.26.8.59
172.67.147.32
91.92.243.151 - malicious
95.214.26.17
158.160.82.150
194.49.94.152 - malicious
194.49.94.97 - malware
23.67.53.17
104.26.4.15
87.240.137.164 - malicious
95.142.206.3 - malicious
95.142.206.2 - malicious
172.67.139.220
95.142.206.0 - malicious
77.232.39.164
172.67.132.113
95.142.206.1 - malicious
|
49
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo .io)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 20
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET DROP Spamhaus DROP Listed Traffic Inbound group 8
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
SURICATA HTTP unable to match response to request
|
3
http://zexeq.com/test2/get.php
http://176.113.115.84:8080/4.php
http://91.92.243.151/api/tracemap.php
|
6.6 |
M |
|
ZeroCERT
6887 |
2023-11-29 14:38
|
maxziflowzx.exe 5393d9e3a30269ebfed5456bf1304e92 .NET framework(MSIL) AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself AppData folder Browser DNS |
18
http://www.whistle.news/mg0g/?8cRkdL-h=8R1spc4kaDEWlEJg8vF1k1GCYe1vBR5yYH2nKF+uhpjoaiwnvSPXopyruDnDnxaAhR/ULocc2ys9QPFDsU5IyNPMGvvn4PxhaS8XNMs=&r1zVw=7GWQ_-xgU
http://www.limooi.net/mg0g/?8cRkdL-h=T3pbsuGJY2WOIN03L8NlN0GJ+TqkEYwtQUA9siqBJMOxPedzPX2dfFDQxyJSNdSDLlyTl9rcnj2vOMPj0R5dBPd/+rOOG0FZdG8LRvc=&r1zVw=7GWQ_-xgU
http://www.alexbruma.com/mg0g/?8cRkdL-h=TZtAOU2zJBKbLgvHulWrctMijHF9qs7DPKw5qNaDLWK8osbI5ENSukyfV0auBUHllKHlpSsKBSD+iUGqaGCnVjvmwMTcDGlPOxFYPi4=&r1zVw=7GWQ_-xgU
http://www.optime19.com/mg0g/?8cRkdL-h=JX9bRfLOpqNEOOymQR7yk5dab4VR4H7R1nhebZtzBw39xumhyI7GIKzIy7fUqw87BkYQVkkGEP9iK52Y282QYE28HhvkBbptD1a7nt4=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
http://www.e-saleshub.quest/mg0g/
http://www.lederjacke24.com/mg0g/?8cRkdL-h=j84N6G19uoXHTItTNbSgysEEiO8RF1s49C/qmX1UIYmvPN38Fpa3o2d2Xt1p2I563r+6lcLmZmkO/3Pzx/pe1VaGqpP7sGftrUNHiSE=&r1zVw=7GWQ_-xgU
http://www.prospin.click/mg0g/?8cRkdL-h=AMo+Cmk3hXK3yH/KRAxEZqLdKDpgdcehN2HIFp6MhDBnwy4mJAPROf6TTmmTOHloXs1NFvilG7N23QCnTRSKlDKk5HQvSnm6aCYpbZA=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.shutlleross.life/mg0g/?8cRkdL-h=bJn52SPmeJrPy+67E/dcn6LDWlNMaKHrL+hLeIwBYFQegbTEhn+mauNt/7t0vTaKfTZK38m13LQUXcG77GQygy9UzHEWnrwfd1Ppjkk=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.zzennsensual.com/mg0g/?8cRkdL-h=UPCCUTLw89vpBj6v0OYIlyH/tXfMYDNHMqKBY3mPNZeldAdbgqjCzRL3PAAnKT02EQ0FoLgccQ5um3bZSYkyx6B1k5qp4LaFV2egdmY=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.cealr.link/mg0g/?8cRkdL-h=IMAy+8ATmNJk+ySFUKxdJzz5Bsi5/gWlpcldbFUltyc7U32aAYy0gH7A0aaej9oqq+Z9qC1a58M4kMl15uIwUbV5PjKosSXhQm7IMFQ=&r1zVw=7GWQ_-xgU
http://www.pfannen-scholl.info/mg0g/?8cRkdL-h=VKVW22dp+OoakfKr7RHo3LVkALqaN8kis3rXbCHUw2XFas+tapQC3hmrWNln/w9IyKLzGXj0H6Jc9XLG0WdMldG9smrNtVeNBxRCR80=&r1zVw=7GWQ_-xgU
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
http://www.e-saleshub.quest/mg0g/?8cRkdL-h=bJWbZlFCpWjy/9bYbHM6H7ljbRC4b8vPK6lQdtvFTIRbdY1RUFaQDPtKpbiZ1jn13/iERNVq+PXBoNIqG1dC5GacnrVejbGpWc4QdZ0=&r1zVw=7GWQ_-xgU
http://www.canlitinib.com/mg0g/?8cRkdL-h=DCRiVM6IxoWJyptv3NIe0jO5xuFlNfo/UtKdle2BPkU0htusLnDUD8TPrOe6/6WS6xDFuQW1wjE1wfPqEBFmzvzQCsnl689JFcTspE4=&r1zVw=7GWQ_-xgU
|
26
www.pfannen-scholl.info(81.169.145.160)
www.shutlleross.life(66.29.142.244)
www.shimakaze-83.cfd() - malicious
www.alexbruma.com(104.21.77.252)
www.lederjacke24.com(81.169.145.166)
www.whistle.news(84.32.84.32) - malicious
www.canlitinib.com(91.195.240.123)
www.cealr.link(38.6.177.47)
www.e-saleshub.quest(104.21.39.249)
www.prospin.click(192.99.101.236)
www.zzennsensual.com(81.169.145.84)
www.optime19.com(45.33.18.44)
www.limooi.net(199.59.243.225)
66.29.142.244 - malicious
198.58.118.167 - malicious
172.67.214.17
81.169.145.160 - malicious
84.32.84.32 - malicious
199.59.243.225 - malicious
38.6.177.47
91.195.240.123 - malicious
172.67.172.121 - phishing
81.169.145.166 - malicious
81.169.145.84 - malicious
45.33.6.223
192.99.101.236
|
2
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
|
|
11.0 |
M |
20 |
ZeroCERT
6888 |
2023-11-29 14:33
|
123.exe 5ab89a96be7570dfe4f49e6b9a42bc88 Malicious Library UPX PE32 PE File MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
2
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
http://45.125.57.96:8888/8.77.dll
|
8
docs.google.com(142.250.206.206) - malicious
xred.mooo.com() - malicious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - malicious
69.42.215.252
45.125.57.96 - malicious
142.251.220.14
162.125.84.18 - malicious
|
4
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET HUNTING Rejetto HTTP File Sever Response
|
|
9.6 |
M |
67 |
ZeroCERT
6889 |
2023-11-29 14:33
|
clip.dll 4194e9b8b694b1e9b672c36f0d868e32 Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware PDB Malicious Traffic Checks debugger unpack itself suspicious TLD |
1
http://tceducn.com/forum/index.php
|
4
tceducn.com(201.103.122.206) - malware
arrunda.ru() - malicious
soetegem.com()
202.4.114.123
|
|
|
3.6 |
M |
53 |
ZeroCERT
6890 |
2023-11-29 14:33
|
index.php b13eac66431fb3332fae4527ab1b0e2e Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
1.6 |
M |
33 |
ZeroCERT
6891 |
2023-11-29 14:30
|
supstrim.exe eace63ea1948f012941dd4a9b3ac3c94 AntiDebug AntiVM PE File PE64 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
7.8 |
M |
49 |
ZeroCERT
6892 |
2023-11-29 14:30
|
microsoftdeletedEdgehistorycac... 45cc2f78479e7eb29a063a5034a962c5 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
18
http://23.95.235.10/210/wlanext.exe
http://www.brucesalyers.com/qbnf/
http://www.luciengeorge.com/qbnf/
http://www.saudiarabia-invest.com/qbnf/
http://www.vaultedjewelry.com/qbnf/?i09Z8uP_=rgPWpHOmxKlSe7EHONYdVBrmOnLu4eF6eOSzvd7TZo3R3Fo4Dd2XRg3DbQYqSiNd5R8WYW2HfYo1oy4LJvVB6tvZDWfBfjfjeCKWam8=&pq4=B_bUHOuV
http://www.brightpathtechgroups.top/qbnf/
http://www.vaultedjewelry.com/qbnf/
http://www.saudiarabia-invest.com/qbnf/?i09Z8uP_=TQw86TlhZOZGhyrotGnGA9O38tw4CjcNLRp/p2VP3ufYpIvUmIv9kKzVdrLDClRgTF6URTvKEK1oO5gHY3jB8uOZGTzekB90rbc1k/w=&pq4=B_bUHOuV
http://www.mr-u-taste.com/qbnf/
http://www.infinite-7.com/qbnf/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.brucesalyers.com/qbnf/?i09Z8uP_=pOaW0U2I6Oim8KKUbDqJDQhYI0+jOGca0ZkB2ClPUoj3GtGVG9J/gqWS9Mz6XkgBxNiuWxxBos74OtAK1fVYBccuSwjN1UL6AWuKPcU=&pq4=B_bUHOuV
http://www.luciengeorge.com/qbnf/?i09Z8uP_=0c7pTBUgqi7uIFOYjbT3SYstx1V9f1GJj9bVxgDbtFRASgICtVyP8zh8VQdSKB3ZTDJ9NwSYp2xAsrB2eli3KEKVX/ICehpktcwDvSA=&pq4=B_bUHOuV
http://www.54c7pv.top/qbnf/
http://www.brightpathtechgroups.top/qbnf/?i09Z8uP_=/XY8b2QuaMdFC0XpCgsh4GNYF4+K1Jee0ur1wuthWP34gEpbfUtO61S+Wmzh4wGYwfcaHPs6UkqbWuaiX2goUA52btrwqIRWjk6Aczs=&pq4=B_bUHOuV
http://www.54c7pv.top/qbnf/?i09Z8uP_=R40TEU5sRsOQoxxitOES9+hMTVh8b1wg2WgWpjzQt3scLF2RQpMS0y827zix4QRv7SCVfpbDXNdzS1tGlHHYZLiaPpoCE6jYgQr1YbY=&pq4=B_bUHOuV
http://www.infinite-7.com/qbnf/?i09Z8uP_=+6BF5kLU84F0bZC4snN7O//5RGhAAZcl02SXjZ/C8WDlleVZNjPdMeMs0Bth8cY5eBWoVtOkuOGyDcUeP7JOiDQXP7lXIFXFwa8Se1E=&pq4=B_bUHOuV
http://www.mr-u-taste.com/qbnf/?i09Z8uP_=mGR7ZmLmEt9yNzhj107em99ZnYgpgTedSLqstOtysWtmmDPutWYGQHPP7A/bNBdhcJI+eHBY4GrszbL+CPnGOgwl8ziMxMmXJyanig0=&pq4=B_bUHOuV
|
18
www.brucesalyers.com(91.195.240.117)
www.saudiarabia-invest.com(81.169.145.74)
www.charlotte-usa.site()
www.vaultedjewelry.com(91.195.240.19)
www.luciengeorge.com(108.128.72.146)
www.brightpathtechgroups.top(198.177.123.106)
www.infinite-7.com(91.195.240.19)
www.54c7pv.top(154.91.180.241) - malicious
www.mr-u-taste.com(202.91.248.226)
91.195.240.19 - malicious
202.91.248.226
91.195.240.117 - malicious
81.169.145.74 - malicious
154.91.180.241 - malicious
198.177.123.106
23.95.235.10 - malware
108.128.72.146
45.33.6.223
|
7
ET INFO HTTP Request to a *.top domain
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.top domain - Likely Hostile
|
|
4.8 |
M |
28 |
ZeroCERT
6893 |
2023-11-29 14:28
|
O.ini 15909167c6a125757e0a931c7c486269 Emotet AgentTesla Malicious Library Malicious Packer UPX PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.212)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
49 |
ZeroCERT
6894 |
2023-11-29 14:26
|
strim.exe 0d1e3266a1bc3b62f0523e10b5170337 PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
46 |
ZeroCERT
6895 |
2023-11-29 14:24
|
Klkypmnqw.exe 6c9f3e248382f389d17d308ad5350d6d AntiDebug AntiVM PE File PE64 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
8.6 |
M |
45 |
ZeroCERT
6896 |
2023-11-29 14:23
|
microsoftEdgedeletedentirehist... ad19c30e8fc0f89004a1f960b477707f MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed |
1
http://107.173.229.146/175/wlanext.exe
|
1
107.173.229.146 - malware
|
1
ET INFO Executable Download from dotted-quad Host
|
|
4.6 |
M |
36 |
ZeroCERT
6897 |
2023-11-29 11:27
|
wlanext.exe eb951bc883b87a58ffa82ab793d7e4b0 .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser ComputerName DNS |
22
http://www.infinite-7.com/qbnf/?1qPpHsU-=+6BF5kLU84F0bZC4snN7O//5RGhAAZcl02SXjZ/C8WDlleVZNjPdMeMs0Bth8cY5eBWoVtOkuOGyDcUeP7JOiDQXP7lXIFXFwa8Se1E=&4wJ=L5inFf0cTItD
http://www.brightpathtechgroups.top/qbnf/
http://www.54c7pv.top/qbnf/?1qPpHsU-=R40TEU5sRsOQoxxitOES9+hMTVh8b1wg2WgWpjzQt3scLF2RQpMS0y827zix4QRv7SCVfpbDXNdzS1tGlHHYZLiaPpoCE6jYgQr1YbY=&4wJ=L5inFf0cTItD
http://www.saudiarabia-invest.com/qbnf/?1qPpHsU-=TQw86TlhZOZGhyrotGnGA9O38tw4CjcNLRp/p2VP3ufYpIvUmIv9kKzVdrLDClRgTF6URTvKEK1oO5gHY3jB8uOZGTzekB90rbc1k/w=&4wJ=L5inFf0cTItD
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
http://www.swiftricz.com/qbnf/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.mr-u-taste.com/qbnf/
http://www.brightpathtechgroups.top/qbnf/?1qPpHsU-=/XY8b2QuaMdFC0XpCgsh4GNYF4+K1Jee0ur1wuthWP34gEpbfUtO61S+Wmzh4wGYwfcaHPs6UkqbWuaiX2goUA52btrwqIRWjk6Aczs=&4wJ=L5inFf0cTItD
http://www.vaultedjewelry.com/qbnf/?1qPpHsU-=rgPWpHOmxKlSe7EHONYdVBrmOnLu4eF6eOSzvd7TZo3R3Fo4Dd2XRg3DbQYqSiNd5R8WYW2HfYo1oy4LJvVB6tvZDWfBfjfjeCKWam8=&4wJ=L5inFf0cTItD
http://www.brucesalyers.com/qbnf/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.luciengeorge.com/qbnf/?1qPpHsU-=0c7pTBUgqi7uIFOYjbT3SYstx1V9f1GJj9bVxgDbtFRASgICtVyP8zh8VQdSKB3ZTDJ9NwSYp2xAsrB2eli3KEKVX/ICehpktcwDvSA=&4wJ=L5inFf0cTItD
http://www.vaultedjewelry.com/qbnf/
http://www.brucesalyers.com/qbnf/?1qPpHsU-=pOaW0U2I6Oim8KKUbDqJDQhYI0+jOGca0ZkB2ClPUoj3GtGVG9J/gqWS9Mz6XkgBxNiuWxxBos74OtAK1fVYBccuSwjN1UL6AWuKPcU=&4wJ=L5inFf0cTItD
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.luciengeorge.com/qbnf/
http://www.saudiarabia-invest.com/qbnf/
http://www.54c7pv.top/qbnf/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.mr-u-taste.com/qbnf/?1qPpHsU-=mGR7ZmLmEt9yNzhj107em99ZnYgpgTedSLqstOtysWtmmDPutWYGQHPP7A/bNBdhcJI+eHBY4GrszbL+CPnGOgwl8ziMxMmXJyanig0=&4wJ=L5inFf0cTItD
http://www.infinite-7.com/qbnf/
|
18
www.brucesalyers.com(91.195.240.117)
www.luciengeorge.com(54.73.26.109)
www.charlotte-usa.site()
www.saudiarabia-invest.com(81.169.145.74)
www.vaultedjewelry.com(91.195.240.19)
www.swiftricz.com(91.195.240.117)
www.brightpathtechgroups.top(198.177.123.106)
www.infinite-7.com(91.195.240.19)
www.54c7pv.top(154.91.180.241) - malicious
www.mr-u-taste.com(202.91.248.226)
91.195.240.19 - malicious
202.91.248.226
81.169.145.74 - malicious
154.91.180.241 - malicious
54.73.26.109
198.177.123.106
91.195.240.117 - malicious
45.33.6.223
|
2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
|
11.2 |
M |
43 |
ZeroCERT
6898 |
2023-11-29 11:25
|
build.exe 69a2817a41b97ee8f1917646723312bf Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB unpack itself |
|
|
|
|
2.0 |
M |
30 |
ZeroCERT
6899 |
2023-11-29 11:25
|
wlanext.exe 09b88ab4bf59c36094bafec7a32bafed Formbook .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser ComputerName DNS |
16
http://www.brls.money/zqco/?8E8fDE=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&VYr=gIPPDnH2f7x - rule_id: 38345
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
http://www.54c7pv.top/zqco/?8E8fDE=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&VYr=gIPPDnH2f7x - rule_id: 38344
http://www.zz23xw.top/zqco/?8E8fDE=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&VYr=gIPPDnH2f7x - rule_id: 38337
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.ofupakoshi.com/zqco/?8E8fDE=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&VYr=gIPPDnH2f7x - rule_id: 38341
http://www.ezus.life/zqco/?8E8fDE=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&VYr=gIPPDnH2f7x - rule_id: 38339
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.speedbikesglobal.com/zqco/?8E8fDE=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&VYr=gIPPDnH2f7x - rule_id: 38340
http://www.velvet-key-properties.top/zqco/?8E8fDE=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&VYr=gIPPDnH2f7x - rule_id: 38342
http://www.stprov.biz/zqco/?8E8fDE=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&VYr=gIPPDnH2f7x - rule_id: 38346
http://www.wearehydrant.com/zqco/?8E8fDE=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&VYr=gIPPDnH2f7x - rule_id: 38343
http://www.oneillspubs.com/zqco/?8E8fDE=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&VYr=gIPPDnH2f7x - rule_id: 38338
http://www.talknconvert.com/zqco/?8E8fDE=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&VYr=gIPPDnH2f7x - rule_id: 38336
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.talknconvert.com/zqco/ - rule_id: 38336
|
24
www.ofupakoshi.com(118.27.125.154) - malicious
www.talknconvert.com(34.120.137.41) - malicious
www.velvet-key-properties.top(162.0.222.119) - malicious
www.cardsfinanse.online() - malicious
www.brls.money(76.76.21.164) - malicious
www.wearehydrant.com(216.40.34.41) - malicious
www.oneillspubs.com(199.59.243.225) - malicious
www.stprov.biz(208.91.197.132) - malicious
www.speedbikesglobal.com(207.244.126.150) - malicious
www.zz23xw.top(198.44.187.121) - malicious
www.54c7pv.top(154.91.180.241) - malicious
www.ezus.life(34.96.147.60) - malicious
34.96.147.60 - malicious
198.44.187.121 - malicious
207.244.126.150 - malicious
154.91.180.241 - malicious
199.59.243.225 - malicious
216.40.34.41 - malicious
45.33.6.223
208.91.197.132 - malicious
34.120.137.41 - malicious
118.27.125.154 - malicious
76.76.21.98 - malicious
162.0.222.119 - malicious
|
5
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
|
12
http://www.brls.money/zqco/
http://www.54c7pv.top/zqco/
http://www.zz23xw.top/zqco/
http://www.ofupakoshi.com/zqco/
http://www.ezus.life/zqco/
http://www.speedbikesglobal.com/zqco/
http://www.velvet-key-properties.top/zqco/
http://www.stprov.biz/zqco/
http://www.wearehydrant.com/zqco/
http://www.oneillspubs.com/zqco/
http://www.talknconvert.com/zqco/
http://www.talknconvert.com/zqco/
|
10.6 |
M |
35 |
ZeroCERT
6900 |
2023-11-29 11:23
|
wininit.exe 8ec1ce0895188a09e0f43d999cf34cac PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.6 |
M |
38 |
ZeroCERT