7081 |
2023-11-16 13:28
|
build.exe af3b051d8a6a33705bd095b6d5608355 Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
33 |
ZeroCERT
7082 |
2023-11-16 13:27
|
unsecapp.exe 7630a755b70921f9f22891035c3628e9 Malicious Library PE32 PE File Browser Info Stealer VirusTotal Malware unpack itself AppData folder suspicious TLD Browser DNS |
21
|
32
|
5
ET INFO Observed DNS Query to .biz TLD ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET INFO HTTP Request to Suspicious *.life Domain ET INFO Observed DNS Query to .life TLD
|
|
4.0 |
M |
54 |
ZeroCERT
7083 |
2023-11-16 13:26
|
ama.exe 501fa03f6abac7f44696927b21cfefb5 Amadey Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
1
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993
|
1
185.172.128.100 - malicious
|
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
8.2 |
M |
51 |
ZeroCERT
7084 |
2023-11-16 13:23
|
traffico.exe 461b8083838b2d837b19466b5acce0e4 Malicious Library Malicious Packer PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response)
|
|
6.2 |
M |
49 |
ZeroCERT
7085 |
2023-11-16 07:56
|
ama.exe a61aac13f8a4841915791fb57aa2e275 Amadey UPX PE32 PE File Malware download Amadey Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS |
1
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993
|
4
www.dropbox.com(162.125.84.18) - malicious 208.91.197.132 - malicious 185.172.128.100 - malicious 162.125.84.18 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Amadey Bot Activity (POST)
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
7.8 |
M |
|
ZeroCERT
7086 |
2023-11-16 07:54
|
crypted.exe 8ddb35a58ac6c397b91541620a493008 Malicious Library UPX PE32 PE File OS Processor Check PDB |
|
|
|
|
0.6 |
M |
|
ZeroCERT
7087 |
2023-11-16 07:53
|
unsecapp.exe 10becade76ccb8cbe488fddc823f7fbf .NET framework(MSIL) UPX PWS SMTP AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
1
http://172.245.208.19/window/Xgqkoeinjvq.pdf
|
1
|
5
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host PDF Request
|
|
11.8 |
M |
|
ZeroCERT
7088 |
2023-11-16 07:51
|
smss.exe 318e2272187798dbd04f0b228e2ca756 Malicious Library UPX PE32 PE File MZP Format DllRegisterServer dll unpack itself crashed |
|
|
|
|
1.4 |
|
|
ZeroCERT
7089 |
2023-11-16 07:49
|
open.exe 16252016f9922916b06ba87604aaaa29 AgentTesla .NET framework(MSIL) UPX PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.77) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
M |
|
ZeroCERT
7090 |
2023-11-16 07:49
|
amday.exe 6800e6fa797f5cf412770d6fb47d81bc Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX Http API HTTP Code injection Internet API AntiDebug AntiVM PE32 PE File .NET EXE Lnk Format GIF Format AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Windows ComputerName DNS |
|
1
|
|
|
11.2 |
M |
|
ZeroCERT
7091 |
2023-11-15 10:50
|
pwng.ps1 a882757ac81f77747ab828a4b3e25e34 Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.4 |
|
7 |
ZeroCERT
7092 |
2023-11-15 10:49
|
Agenzia_Entrate.url 67b426814bf2530e2de2e85d1146c594 AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.111/scarica/normativa.exe
|
1
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
|
|
ZeroCERT
7093 |
2023-11-15 10:49
|
Agenzia.url e8e03b91b2802891c978c8a67999bd10 AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.141.118/scarica/provvedimento.exe
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
5.8 |
|
6 |
ZeroCERT
7094 |
2023-11-15 10:48
|
df4e69db.exe c48c58d873eacde201d14af9cad50e81 Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.4 |
M |
29 |
ZeroCERT
7095 |
2023-11-15 10:15
|
ace.jpg.ps1 297f46ad29a838b1d721d7c0b118678b Generic Malware Antivirus PE32 PE File DLL .NET DLL Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW PurpleFox Windows ComputerName Cryptographic key |
4
http://pzd6.ru/all.png - rule_id: 38317 http://pzd6.ru/all.png http://pzd6.ru/i.php?i=18 - rule_id: 38316 http://pzd6.ru/i.php?i=18
|
2
pzd6.ru(104.21.69.130) 172.67.208.181
|
2
ET MALWARE Win32/PurpleFox Related Activity (GET) ET HUNTING Suspicious Windows Installer UA for non-MSI
|
2
http://pzd6.ru/all.png http://pzd6.ru/i.php
|
10.2 |
M |
10 |
ZeroCERT