| 7216 |
2023-11-07 09:52
|
 SFT.zip 882e1e40bd642dac255ec144e37e06d0
ZIP Format Malware Malicious Traffic DNS |
2
http://157.90.147.198/NkE/evoca
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
3
www.ssl.com(3.209.197.161)
3.209.197.161
157.90.147.198
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
1.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7217 |
2023-11-07 09:46
|
 EHSU.zip 056f1e5e64d6246b96f5fa6b3322f3e1
ZIP Format Malware Malicious Traffic DNS |
2
http://167.235.241.120/jogX/Olluc
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
3
www.ssl.com(3.213.199.135)
3.213.199.135
167.235.241.120
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
1.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7218 |
2023-11-07 09:22
|
 owenzx.exe 8311a1beb1bde04ce733fba1f436bad6
Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName |
1
http://www.aintrepreneurship.com/o5gu/?k2JxtP=/JjJcHpkv1C8RzmGJ51zwgl+R193dhUaufmFsVl9ygQ8D4AjpEcsS5mFMtaBfQ79nKZjIQY7&tXR=NXitvt - rule_id: 37282
|
3
www.huyangli.company()
www.aintrepreneurship.com(91.195.240.19) - mailcious
91.195.240.19 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.aintrepreneurship.com/o5gu/
|
9.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7219 |
2023-11-07 07:58
|
 InstallSetup2.exe ad27582b0ebc76918e74b90d1cbff760
NPKI HermeticWiper NSIS Generic Malware Suspicious_Script Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Blob PE File PE32 PNG Format JPEG Format OS Processor Check ZIP Format icon BMP Format PE64 CAB Malware Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware |
|
|
|
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7220 |
2023-11-07 07:58
|
 IGCC.exe a3bb5280d95d7c638240975925c013ac
AgentTesla Generic Malware Antivirus PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7221 |
2023-11-07 07:56
|
 Protected.exe a22595ce0f38b327951c42e18ad3eaaf
Formbook Raccoon Stealer Generic Malware UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 FormBook Malware download Malware Buffer PE suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself |
3
http://www.girls-at-a.click/rc2i/?8pgH7lkH=E/1tO4wckFnUj5r6Mek1MK6qxqh+MNpqxX62qUo/yHILb4RDko+mEDIRwUXasmHYtjE3r6zq&2db=X4XDHTl0
http://www.frigologs.net/rc2i/?8pgH7lkH=JMuXra6KLloehiIxah32YYIrpkp4yqFQBWLG4SlpgDQ2uypTth0DZqxKn0UMZge3bEIRVVry&2db=X4XDHTl0
http://www.susanlwhite.com/rc2i/?8pgH7lkH=MaOYfyBNes/ubUN0ufXoKAAMFsk0xNTDfGl/3JxviWmCwgRY/0dIDwWxnHwhgmI11BxwuOlp&2db=X4XDHTl0
|
7
www.girls-at-a.click(192.64.119.254)
www.susanlwhite.com(15.197.148.33)
www.frigologs.net(186.24.219.13)
www.alphax.studio()
192.64.119.254 - mailcious
3.33.130.190 - phishing
186.24.219.13
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Namecheap URL Forward
|
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7222 |
2023-11-07 07:53
|
 damianozx.exe 7cfd00516e3d24c4b1227d6754f0aafa
PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156)
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7223 |
2023-11-07 07:52
|
 jucostam2.1.exe 1f6a213c979c6adff88e31e059d2825d
Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
3
http://www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?BZR8DR=eJVNysqPhL/uaCM5mmKlDkK99NL0wUK/QD98X4Xi+tSElCareFrH+cf4EbqdkZtA1uTt8AGh&VRKt=vBZhWH98eHJDbf
http://www.klxcv.xyz/ju29/?BZR8DR=4JvfAS1R38BLVmeFk9DSiCnJ91CcqWw5bF+8iYbx752X4gk0kHBYwToCGZXoT3c/qcFpSYl1&VRKt=vBZhWH98eHJDbf
http://www.xpermate.com/ju29/?BZR8DR=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&VRKt=vBZhWH98eHJDbf - rule_id: 37946
|
8
www.zg9tywlubmftzw5ldzmzmzk.com(103.224.212.216)
www.klxcv.xyz(198.177.124.40)
www.xpermate.com(77.245.157.73) - mailcious
www.jokergiftcard.buzz()
www.merchascarpamici.com()
198.177.124.40 - mailcious
103.224.212.216 - mailcious
77.245.157.73 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
1
http://www.xpermate.com/ju29/
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7224 |
2023-11-07 07:51
|
 putty.exe cf3bc964f791ee22366b3277ee099329
Malicious Library UPX PE File PE32 OS Processor Check unpack itself |
|
|
|
|
0.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7225 |
2023-11-07 07:49
|
 xinchao.exe 18e92e00cd0e14cee7e4448e8fa476ef
Malicious Library Malicious Packer PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
2
194.49.94.80
91.235.128.141
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
5.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7226 |
2023-11-07 07:48
|
 123.exe ceac8d319a011ba082cf1ab197d328e9
PE File PE32 .NET EXE Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7227 |
2023-11-07 07:47
|
 arinzezx.exe 0fbfa908ef2e4abb29788d67bcc9c736
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7228 |
2023-11-07 07:46
|
 Services.exe d9ce98a0b0029d26876ac86409bac27e
UPX VMProtect PE File PE32 Malware download Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces IP Check PrivateLoader Tofsee DNS crashed |
9
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://94.142.138.131/api/firecom.php - rule_id: 36179
https://sso.passport.yandex.ru/push?uuid=17ee63be-a01d-4351-b836-3f7809d3449d&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://dzen.ru/?yredirect=true
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
|
24
db-ip.com(172.67.75.166)
www.maxmind.com(104.18.146.235)
ipinfo.io(34.117.59.81)
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
yandex.ru(5.255.255.70)
api.db-ip.com(104.26.4.15)
dzen.ru(62.217.160.2)
ironhost.io(104.21.57.237)
sso.passport.yandex.ru(213.180.204.24)
149.154.167.99 - mailcious
213.180.204.24
172.67.75.166
172.67.193.129
104.18.146.235
94.142.138.131 - mailcious
121.254.136.18
62.217.160.2
91.92.243.151 - mailcious
34.117.59.81
104.244.42.1 - suspicious
104.26.5.15
5.255.255.70
125.253.92.50
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
|
3
http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://94.142.138.131/api/firecom.php
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7229 |
2023-11-07 07:46
|
 3.exe 5bf9f652395cac44406e102289501e57
Malicious Library Malicious Packer PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
194.169.175.235 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
5.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7230 |
2023-11-07 07:45
|
 build.exe 37e4a5aab62b40cf415b116cb246b2e2
Malicious Library UPX PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution |
|
|
|
|
1.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|