| 7051 |
2023-11-17 18:19
|
 ef9b73d4c7e0eb1eaf832e6b801a8d... ef9b73d4c7e0eb1eaf832e6b801a8d79
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key |
1
https://mydatayxnhzcs.tech/file/ps/1725798c41dd60c5b98d981444e0d8b4.jpg
|
|
|
|
6.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7052 |
2023-11-17 14:24
|
MLB_KOREAN_JOB_DESCRIPTION.pdf... 9fcea5ddaa37780e9ae0a8415ded4b84
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process human activity check Windows ComputerName Cryptographic key |
1
https://mydatayxnhzcs.tech/file/ps/ef9b73d4c7e0eb1eaf832e6b801a8d79.jpg
|
|
|
|
7.6 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7053 |
2023-11-17 07:57
|
 CheatWiz.exe cee8be42d8a32ec2c409c34df0158e19
Gen1 Emotet Generic Malware Malicious Library ASPack UPX Malicious Packer PE File PE64 OS Processor Check DLL ZIP Format DllRegisterServer dll Malware Check memory Creates executable files Ransomware |
|
|
|
|
1.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7054 |
2023-11-17 07:50
|
 build.exe 127a6cc954fbbb101a902b92785d406a
Malicious Library UPX PE32 PE File OS Processor Check unpack itself Windows crashed |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7055 |
2023-11-17 07:49
|
 build.exe 8db522805e565ad411c8b713dd5558a1
Malicious Library PE32 PE File PDB unpack itself Remote Code Execution |
|
|
|
|
1.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7056 |
2023-11-16 20:31
|
 etchCore-0.x86.dll 1f0669f13dc0545917e8397063f806db
UPX PE32 PE File DLL OS Processor Check Checks debugger unpack itself crashed |
|
|
|
|
0.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7057 |
2023-11-16 19:05
|
 Aaezheyu.exe 0a0600b53524420fff66bd37676a29be
UPX PE File PE64 OS Processor Check Check memory Checks debugger unpack itself |
|
|
|
|
1.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7058 |
2023-11-16 19:03
|
 need.exe e622baf0198d6821fb4e1a8a23618a17
RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS Socket Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81)
db-ip.com(172.67.75.166)
194.49.94.152
104.26.4.15
34.117.59.81
|
11
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
|
|
18.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7059 |
2023-11-16 19:03
|
 dllhostex.exe f5a7b1f998390241f5c10cbddfe88647
Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Cryptocurrency Miner Cryptocurrency unpack itself Check virtual network interfaces |
|
4
iron.tenchier.com(194.195.223.249)
194.195.223.249
139.177.196.162
139.59.109.18
|
1
ET POLICY Cryptocurrency Miner Checkin
|
|
2.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7060 |
2023-11-16 19:02
|
 svchost.exe 54a47f6b5e09a77e61649109c6a08866
Gen1 Malicious Packer UPX PE32 PE File PDB Remote Code Execution |
|
|
|
|
0.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7061 |
2023-11-16 19:02
|
 Morning.exe 34b8f4812ef8821f651d1f74618d54a2
Raccoon Gen1 Malicious Library UPX Malicious Packer Http API ScreenShot PWS HTTP Internet API AntiDebug AntiVM PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Malware RecordBreaker PDB MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Collect installed applications AppData folder sandbox evasion installed browsers check Stealer Windows Browser DNS |
9
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://195.20.16.35/ - rule_id: 38330
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
http://195.20.16.35/f7dfd24d220b20be470487526bb7e7c8
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
|
1
|
11
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible Generic Stealer Sending System Information
|
1
|
11.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7062 |
2023-11-16 18:59
|
 macherako2.1.exe 5b691330acaa3c5432b9caadbeb82003
NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
3
http://www.jaliyahsboutique.site/tb8i/?Mfg=AQaGQeJtSF7XURKecA8O7yr+NlX8zRsowlAtlkToCPVC5G43PHBjCbek0+SoUA10RQeLzaXp&D6h4=O2JdRpPP8
http://www.freightlizards.com/tb8i/?Mfg=iDy6itdHrWaTfAWmWuh/mgzAS6tKx110PlwR6oB3LkHWhoHRuQXiu8dUVQqS4bUVZcTWjSMs&D6h4=O2JdRpPP8
http://www.driftlessmenofthewoods.com/tb8i/?Mfg=eqj5Z4ypABx4+RJiqSEL2pQMeiYVPR0bHgBfmB0KWoL2fjeQVwepQ8EqIXRbUYrWMehCRAoK&D6h4=O2JdRpPP8
|
7
www.freightlizards.com(15.197.148.33)
www.rykuruh.cfd()
www.driftlessmenofthewoods.com(66.96.162.130)
www.jaliyahsboutique.site(62.72.50.217)
3.33.130.190 - phishing
62.72.50.217
66.96.162.130 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7063 |
2023-11-16 18:59
|
 AWB No.5839077413pdf.exe 3192f8ad7bde4add1fd295e08176c383
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
64.185.227.156
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
10.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7064 |
2023-11-16 18:57
|
 ApplicationUpdateHelper.dll 86df103101e7b6735eb8c5c305752661
Malicious Library UPX PE32 PE File DLL OS Processor Check Checks debugger unpack itself crashed |
|
|
|
|
0.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7065 |
2023-11-16 18:57
|
NOV_INQUIRY.js b22055de1a1ea49c1b4f7d64ff315471
ActiveXObject wscript.exe payload download unpack itself Check virtual network interfaces Tofsee DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://pastebin.com/raw/NVAgzFRR - rule_id: 35284
https://wtools.io/code/dl/bR6Z
|
5
wtools.io(104.21.6.247) - malware
pastebin.com(104.20.68.143) - mailcious
104.21.6.247 - malware
121.254.136.9
172.67.34.170 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
|
1
https://pastebin.com/raw/NVAgzFRR
|
2.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|