| 7081 |
2023-11-16 13:28
|
 build.exe af3b051d8a6a33705bd095b6d5608355
Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7082 |
2023-11-16 13:27
|
 unsecapp.exe 7630a755b70921f9f22891035c3628e9
Malicious Library PE32 PE File Browser Info Stealer VirusTotal Malware unpack itself AppData folder suspicious TLD Browser DNS |
21
http://www.ezus.life/zqco/?wFt=u471bzHmixRgx8jG34/3521QRSoafTDA19WcHl++OFLBIVcH0DdbJeLxOpVlrYL99BmDVXWg0zcKhLFxNQar41PBegN+NBU9NC/0Y9c=&o0Ijw=FV31C
http://www.tauruss29.click/zqco/?wFt=BXZ/xzuuMumnvtIwilHAju88nUMjodQ2L7qTmXiCbitM75fYFK9Ni/+RZPv+ooYbFCP5HCJJxbmcDVUQEF+nSIUi2tQgIq30IPYEAqs=&o0Ijw=FV31C
http://www.velvet-key-properties.top/zqco/?wFt=3cujheEXCxTSONvEGgHYK3Ro6UrcWljFRITPND+osZObjxCf4likA3rqCl3sr+p4oSCTpecI3ocHZbRBmm9rhynO4PrZ/611WMrx7zI=&o0Ijw=FV31C
http://www.stprov.biz/zqco/?wFt=ogfkNg/1tCd9W0WeOmHDQCOqLPOGwiuWSgR6FQ2+VD8GhLug2Ctv0H3GE0eldR7xC4dFHEP3Eqt1pFBXCYATF7XInOdNSl+LOLADaFA=&o0Ijw=FV31C
http://www.wearehydrant.com/zqco/?wFt=yN+4vjoTZa2+2rQfpO28lQWMu+aZ3T74Wrnr375QTRpmINRbNSsldLaHn5rMvgmgz4hpMiEXqXqPXNl5+v6fM5IMtXKekPO/Z+VSq9A=&o0Ijw=FV31C
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.oneillspubs.com/zqco/?wFt=XdRd7IBdWEpb/jCY/gch7kg+lw27Z26x+D3ieONLL7CY8BddAHnhXbvHyElLQzrirdgR+wn8qaFBYv6gfz4EEy7O0ffUbALIB58FlQs=&o0Ijw=FV31C
http://www.speedbikesglobal.com/zqco/?wFt=9kePTKggf4eP6/DCGbsdghdg+/LhYxsxm+U+B1ESzIz+TmizgBdCe1eXOmqUrZ0x2YkFTu0erOvA47Ha2c+EVc4yEgJLqy1Od5EFPsA=&o0Ijw=FV31C
http://www.ofupakoshi.com/zqco/?wFt=oR8rxthcq91bDeb9vmLMA5uA0V6TVpHsZzEUlFltfnhRD4eEP3S8Ru2FP+uQ72DlNChyjz/yveiA7oMKQr7r0mPigqg1fcYUoRyODkg=&o0Ijw=FV31C
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
http://www.zz23xw.top/zqco/?wFt=VoRUmMaSMr2kGXzG8DGzs0cy5P6qw2FvfeSWrzBmFVf4r1pcQgw7LosabWMBXohSSG87M+jYFIXYlgYqysxLRuA79T8FIpBWYkRSO2Y=&o0Ijw=FV31C
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.surcebmx.shop/zqco/?wFt=sVrFTG3ePMlGeHtN+9NOfDvz/GoZiwZc2hOKEoTgtp1zYewc+7d6IlOKQB9rGmOyetA1JhIO28lR44+yf+JFgN9FJ6btdItGqkraV1A=&o0Ijw=FV31C
http://www.brls.money/zqco/?wFt=kJJUs3T9xo/faco/szFu0NbjBV/XWn0UwEs2UTEFdB9bg8qGS48Zihll1h6n106FVzSgHW/cbGOli2i8W1uBzVY1OSvzf5lm+SHpTzw=&o0Ijw=FV31C
http://www.54c7pv.top/zqco/?wFt=XV3W3W1bHvM399Du4uoMZ6VmM7juBhQ9XL1FfmdLfANGdpYh3tpg4K62NhqwFVpBYKsURc+EQi3NVVDNf+vTi2grpbzFJu9fs/bFcso=&o0Ijw=FV31C
http://www.ayotundewrites.com/zqco/?wFt=+wI3MeD3jbNUmfUR22cpBsb5CtqXzI827TrKoKznZ2673z1g+k3Zglb4E7/i1xr4Z9cBRHIArS2WPt0us+pQAzv8dUN4XDgXBL/DreA=&o0Ijw=FV31C
http://www.izabeladesa.com/zqco/?wFt=xgP5YBHAlkZQY3zMM6zpGwRaICyRepfzD3pvdIKGHZOpNZwdZqd18fiXnD4wcHdwNOCnD+EJd+f9y7+0iF4km1rz8VJupnABKYXyGpk=&o0Ijw=FV31C
http://www.talknconvert.com/zqco/
http://www.talknconvert.com/zqco/?wFt=+y3ZRElHCLe7jmdKMp2JFPlUK9YT5bvGGHfUVKPtd2bXz9pNtTUvPUI0E2mMKKDMK40SLr9h4U0bLKuGzmPR68kee6xzU8cXih09j6g=&o0Ijw=FV31C
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
|
32
www.izabeladesa.com(192.185.223.51)
www.ofupakoshi.com(118.27.125.154)
www.tauruss29.click(198.252.99.243)
www.talknconvert.com(34.120.137.41)
www.cardsfinanse.online()
www.brls.money(76.76.21.93)
www.velvet-key-properties.top(162.0.222.119)
www.wearehydrant.com(216.40.34.41)
www.oneillspubs.com(199.59.243.225)
www.ayotundewrites.com(83.229.19.76)
www.stprov.biz(208.91.197.132)
www.surcebmx.shop(104.21.25.102)
www.speedbikesglobal.com(207.244.126.150)
www.zz23xw.top(198.44.187.121)
www.54c7pv.top(154.91.180.241)
www.ezus.life(34.96.147.60)
34.96.147.60
83.229.19.76
199.59.243.225 - mailcious
172.67.134.1
198.44.187.121
207.244.126.150 - mailcious
154.91.180.241
192.185.223.51 - mailcious
216.40.34.41 - mailcious
76.76.21.241 - mailcious
45.33.6.223
208.91.197.132 - mailcious
34.120.137.41 - mailcious
118.27.125.154
198.252.99.243
162.0.222.119
|
5
ET INFO Observed DNS Query to .biz TLD
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
|
|
4.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7083 |
2023-11-16 13:26
|
 ama.exe 501fa03f6abac7f44696927b21cfefb5
Amadey Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
1
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993
|
1
185.172.128.100 - mailcious
|
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
8.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7084 |
2023-11-16 13:23
|
 traffico.exe 461b8083838b2d837b19466b5acce0e4
Malicious Library Malicious Packer PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
6.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7085 |
2023-11-16 07:56
|
 ama.exe a61aac13f8a4841915791fb57aa2e275
Amadey UPX PE32 PE File Malware download Amadey Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS |
1
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993
|
4
www.dropbox.com(162.125.84.18) - mailcious
208.91.197.132 - mailcious
185.172.128.100 - mailcious
162.125.84.18 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey Bot Activity (POST)
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
7.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7086 |
2023-11-16 07:54
|
 crypted.exe 8ddb35a58ac6c397b91541620a493008
Malicious Library UPX PE32 PE File OS Processor Check PDB |
|
|
|
|
0.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7087 |
2023-11-16 07:53
|
 unsecapp.exe 10becade76ccb8cbe488fddc823f7fbf
.NET framework(MSIL) UPX PWS SMTP AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
1
http://172.245.208.19/window/Xgqkoeinjvq.pdf
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host PDF Request
|
|
11.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7088 |
2023-11-16 07:51
|
 smss.exe 318e2272187798dbd04f0b228e2ca756
Malicious Library UPX PE32 PE File MZP Format DllRegisterServer dll unpack itself crashed |
|
|
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7089 |
2023-11-16 07:49
|
 open.exe 16252016f9922916b06ba87604aaaa29
AgentTesla .NET framework(MSIL) UPX PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.77)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7090 |
2023-11-16 07:49
|
 amday.exe 6800e6fa797f5cf412770d6fb47d81bc
Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX Http API HTTP Code injection Internet API AntiDebug AntiVM PE32 PE File .NET EXE Lnk Format GIF Format AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Windows ComputerName DNS |
|
1
|
|
|
11.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7091 |
2023-11-15 10:50
|
pwng.ps1 a882757ac81f77747ab828a4b3e25e34
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.4 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7092 |
2023-11-15 10:49
|
 Agenzia_Entrate.url 67b426814bf2530e2de2e85d1146c594
AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.111/scarica/normativa.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7093 |
2023-11-15 10:49
|
 Agenzia.url e8e03b91b2802891c978c8a67999bd10
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.141.118/scarica/provvedimento.exe
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.8 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7094 |
2023-11-15 10:48
|
 df4e69db.exe c48c58d873eacde201d14af9cad50e81
Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7095 |
2023-11-15 10:15
|
 ace.jpg.ps1 297f46ad29a838b1d721d7c0b118678b
Generic Malware Antivirus PE32 PE File DLL .NET DLL Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW PurpleFox Windows ComputerName Cryptographic key |
4
http://pzd6.ru/all.png - rule_id: 38317
http://pzd6.ru/all.png
http://pzd6.ru/i.php?i=18 - rule_id: 38316
http://pzd6.ru/i.php?i=18
|
2
pzd6.ru(104.21.69.130)
172.67.208.181
|
2
ET MALWARE Win32/PurpleFox Related Activity (GET)
ET HUNTING Suspicious Windows Installer UA for non-MSI
|
2
http://pzd6.ru/all.png
http://pzd6.ru/i.php
|
10.2 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|