7051 | 2023-11-17 18:19 | ef9b73d4c7e0eb1eaf832e6b801a8d... ef9b73d4c7e0eb1eaf832e6b801a8d79 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key | 1 https://mydatayxnhzcs.tech/file/ps/1725798c41dd60c5b98d981444e0d8b4.jpg | | | | 6.2 | M | | ZeroCERT
7052 | 2023-11-17 14:24 | MLB_KOREAN_JOB_DESCRIPTION.pdf... 9fcea5ddaa37780e9ae0a8415ded4b84 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process human activity check Windows ComputerName Cryptographic key | 1 https://mydatayxnhzcs.tech/file/ps/ef9b73d4c7e0eb1eaf832e6b801a8d79.jpg | | | | 7.6 | | 16 | ZeroCERT
7053 | 2023-11-17 07:57 | CheatWiz.exe cee8be42d8a32ec2c409c34df0158e19 Gen1 Emotet Generic Malware Malicious Library ASPack UPX Malicious Packer PE File PE64 OS Processor Check DLL ZIP Format DllRegisterServer dll Malware Check memory Creates executable files Ransomware | | | | | 1.8 | M | | ZeroCERT
7054 | 2023-11-17 07:50 | build.exe 127a6cc954fbbb101a902b92785d406a Malicious Library UPX PE32 PE File OS Processor Check unpack itself Windows crashed | | | | | 1.6 | M | | ZeroCERT
7055 | 2023-11-17 07:49 | build.exe 8db522805e565ad411c8b713dd5558a1 Malicious Library PE32 PE File PDB unpack itself Remote Code Execution | | | | | 1.2 | | | ZeroCERT
7056 | 2023-11-16 20:31 | etchCore-0.x86.dll 1f0669f13dc0545917e8397063f806db UPX PE32 PE File DLL OS Processor Check Checks debugger unpack itself crashed | | | | | 0.8 | | | guest
7057 | 2023-11-16 19:05 | Aaezheyu.exe 0a0600b53524420fff66bd37676a29be UPX PE File PE64 OS Processor Check Check memory Checks debugger unpack itself | | | | | 1.2 | M | | ZeroCERT
7058 | 2023-11-16 19:03 | need.exe e622baf0198d6821fb4e1a8a23618a17 RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS Socket Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed | 1 https://db-ip.com/demo/home.php?s=175.208.134.152 | 5 ipinfo.io(34.117.59.81) db-ip.com(172.67.75.166) 194.49.94.152 104.26.4.15 34.117.59.81 | 11 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) | | 18.0 | M | | ZeroCERT
7059 | 2023-11-16 19:03 | dllhostex.exe f5a7b1f998390241f5c10cbddfe88647 Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Cryptocurrency Miner Cryptocurrency unpack itself Check virtual network interfaces | | 4 iron.tenchier.com(194.195.223.249) 194.195.223.249 139.177.196.162 139.59.109.18 | 1 ET POLICY Cryptocurrency Miner Checkin | | 2.6 | | | guest
7060 | 2023-11-16 19:02 | svchost.exe 54a47f6b5e09a77e61649109c6a08866 Gen1 Malicious Packer UPX PE32 PE File PDB Remote Code Execution | | | | | 0.4 | | | guest
7061 | 2023-11-16 19:02 | Morning.exe 34b8f4812ef8821f651d1f74618d54a2 Raccoon Gen1 Malicious Library UPX Malicious Packer Http API ScreenShot PWS HTTP Internet API AntiDebug AntiVM PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Malware RecordBreaker PDB MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Collect installed applications AppData folder sandbox evasion installed browsers check Stealer Windows Browser DNS | 9 http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://195.20.16.35/ - rule_id: 38330 http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://195.20.16.35/f7dfd24d220b20be470487526bb7e7c8 http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll | 1 | 11 ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING Possible Generic Stealer Sending System Information | 1 | 11.6 | M | | ZeroCERT
7062 | 2023-11-16 18:59 | macherako2.1.exe 5b691330acaa3c5432b9caadbeb82003 NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself | 3 http://www.jaliyahsboutique.site/tb8i/?Mfg=AQaGQeJtSF7XURKecA8O7yr+NlX8zRsowlAtlkToCPVC5G43PHBjCbek0+SoUA10RQeLzaXp&D6h4=O2JdRpPP8 http://www.freightlizards.com/tb8i/?Mfg=iDy6itdHrWaTfAWmWuh/mgzAS6tKx110PlwR6oB3LkHWhoHRuQXiu8dUVQqS4bUVZcTWjSMs&D6h4=O2JdRpPP8 http://www.driftlessmenofthewoods.com/tb8i/?Mfg=eqj5Z4ypABx4+RJiqSEL2pQMeiYVPR0bHgBfmB0KWoL2fjeQVwepQ8EqIXRbUYrWMehCRAoK&D6h4=O2JdRpPP8 | 7 www.freightlizards.com(15.197.148.33) www.rykuruh.cfd() www.driftlessmenofthewoods.com(66.96.162.130) www.jaliyahsboutique.site(62.72.50.217) 3.33.130.190 - phishing 62.72.50.217 66.96.162.130 - mailcious | 1 ET MALWARE FormBook CnC Checkin (GET) | | 3.0 | M | | ZeroCERT
7063 | 2023-11-16 18:59 | AWB No.5839077413pdf.exe 3192f8ad7bde4add1fd295e08176c383 AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger | | 2 api.ipify.org(104.237.62.212) 64.185.227.156 | 4 ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | | 10.6 | | | ZeroCERT
7064 | 2023-11-16 18:57 | ApplicationUpdateHelper.dll 86df103101e7b6735eb8c5c305752661 Malicious Library UPX PE32 PE File DLL OS Processor Check Checks debugger unpack itself crashed | | | | | 0.8 | | | guest
7065 | 2023-11-16 18:57 | NOV_INQUIRY.js b22055de1a1ea49c1b4f7d64ff315471 ActiveXObject wscript.exe payload download unpack itself Check virtual network interfaces Tofsee DNS crashed | 3 http://apps.identrust.com/roots/dstrootcax3.p7c https://pastebin.com/raw/NVAgzFRR - rule_id: 35284 https://wtools.io/code/dl/bR6Z | 5 wtools.io(104.21.6.247) - malware pastebin.com(104.20.68.143) - mailcious 104.21.6.247 - malware 121.254.136.9 172.67.34.170 - mailcious | 2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io) | 1 https://pastebin.com/raw/NVAgzFRR | 2.6 | M | | ZeroCERT