7216 |
2023-11-07 09:52
|
SFT.zip 882e1e40bd642dac255ec144e37e06d0 ZIP Format Malware Malicious Traffic DNS |
2
http://157.90.147.198/NkE/evoca http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
3
www.ssl.com(3.209.197.161) 3.209.197.161 157.90.147.198
|
2
ET POLICY curl User-Agent Outbound ET HUNTING curl User-Agent to Dotted Quad
|
|
1.4 |
|
|
guest
7217 |
2023-11-07 09:46
|
EHSU.zip 056f1e5e64d6246b96f5fa6b3322f3e1 ZIP Format Malware Malicious Traffic DNS |
2
http://167.235.241.120/jogX/Olluc http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
3
www.ssl.com(3.213.199.135) 3.213.199.135 167.235.241.120
|
2
ET POLICY curl User-Agent Outbound ET HUNTING curl User-Agent to Dotted Quad
|
|
1.4 |
|
|
guest
7218 |
2023-11-07 09:22
|
owenzx.exe 8311a1beb1bde04ce733fba1f436bad6 Formbook PWS AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName |
1
http://www.aintrepreneurship.com/o5gu/?k2JxtP=/JjJcHpkv1C8RzmGJ51zwgl+R193dhUaufmFsVl9ygQ8D4AjpEcsS5mFMtaBfQ79nKZjIQY7&tXR=NXitvt - rule_id: 37282
|
3
www.huyangli.company() www.aintrepreneurship.com(91.195.240.19) - mailcious 91.195.240.19 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.aintrepreneurship.com/o5gu/
|
9.0 |
M |
24 |
ZeroCERT
7219 |
2023-11-07 07:58
|
InstallSetup2.exe ad27582b0ebc76918e74b90d1cbff760 NPKI HermeticWiper NSIS Generic Malware Suspicious_Script Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Blob PE File PE32 PNG Format JPEG Format OS Processor Check ZIP Format icon BMP Format PE64 CAB Malware Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware |
|
|
|
|
5.0 |
M |
|
ZeroCERT
7220 |
2023-11-07 07:58
|
IGCC.exe a3bb5280d95d7c638240975925c013ac AgentTesla Generic Malware Antivirus PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
M |
|
ZeroCERT
7221 |
2023-11-07 07:56
|
Protected.exe a22595ce0f38b327951c42e18ad3eaaf Formbook Raccoon Stealer Generic Malware UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 FormBook Malware download Malware Buffer PE suspicious privilege Code Injection Malicious Traffic buffers extracted RWX flags setting unpack itself |
3
http://www.girls-at-a.click/rc2i/?8pgH7lkH=E/1tO4wckFnUj5r6Mek1MK6qxqh+MNpqxX62qUo/yHILb4RDko+mEDIRwUXasmHYtjE3r6zq&2db=X4XDHTl0 http://www.frigologs.net/rc2i/?8pgH7lkH=JMuXra6KLloehiIxah32YYIrpkp4yqFQBWLG4SlpgDQ2uypTth0DZqxKn0UMZge3bEIRVVry&2db=X4XDHTl0 http://www.susanlwhite.com/rc2i/?8pgH7lkH=MaOYfyBNes/ubUN0ufXoKAAMFsk0xNTDfGl/3JxviWmCwgRY/0dIDwWxnHwhgmI11BxwuOlp&2db=X4XDHTl0
|
7
www.girls-at-a.click(192.64.119.254) www.susanlwhite.com(15.197.148.33) www.frigologs.net(186.24.219.13) www.alphax.studio() 192.64.119.254 - mailcious 3.33.130.190 - phishing 186.24.219.13
|
2
ET MALWARE FormBook CnC Checkin (GET) ET INFO Namecheap URL Forward
|
|
5.6 |
M |
|
ZeroCERT
7222 |
2023-11-07 07:53
|
damianozx.exe 7cfd00516e3d24c4b1227d6754f0aafa PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156) 104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
7223 |
2023-11-07 07:52
|
jucostam2.1.exe 1f6a213c979c6adff88e31e059d2825d Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself |
3
http://www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?BZR8DR=eJVNysqPhL/uaCM5mmKlDkK99NL0wUK/QD98X4Xi+tSElCareFrH+cf4EbqdkZtA1uTt8AGh&VRKt=vBZhWH98eHJDbf http://www.klxcv.xyz/ju29/?BZR8DR=4JvfAS1R38BLVmeFk9DSiCnJ91CcqWw5bF+8iYbx752X4gk0kHBYwToCGZXoT3c/qcFpSYl1&VRKt=vBZhWH98eHJDbf http://www.xpermate.com/ju29/?BZR8DR=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&VRKt=vBZhWH98eHJDbf - rule_id: 37946
|
8
www.zg9tywlubmftzw5ldzmzmzk.com(103.224.212.216) www.klxcv.xyz(198.177.124.40) www.xpermate.com(77.245.157.73) - mailcious www.jokergiftcard.buzz() www.merchascarpamici.com() 198.177.124.40 - mailcious 103.224.212.216 - mailcious 77.245.157.73 - mailcious
|
2
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
|
1
http://www.xpermate.com/ju29/
|
3.4 |
M |
|
ZeroCERT
7224 |
2023-11-07 07:51
|
putty.exe cf3bc964f791ee22366b3277ee099329 Malicious Library UPX PE File PE32 OS Processor Check unpack itself |
|
|
|
|
0.8 |
M |
|
ZeroCERT
7225 |
2023-11-07 07:49
|
xinchao.exe 18e92e00cd0e14cee7e4448e8fa476ef Malicious Library Malicious Packer PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
2
194.49.94.80 91.235.128.141
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response)
|
|
5.2 |
M |
|
ZeroCERT
7226 |
2023-11-07 07:48
|
123.exe ceac8d319a011ba082cf1ab197d328e9 PE File PE32 .NET EXE Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.4 |
M |
|
ZeroCERT
7227 |
2023-11-07 07:47
|
arinzezx.exe 0fbfa908ef2e4abb29788d67bcc9c736 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
M |
|
ZeroCERT
7228 |
2023-11-07 07:46
|
Services.exe d9ce98a0b0029d26876ac86409bac27e UPX VMProtect PE File PE32 Malware download Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces IP Check PrivateLoader Tofsee DNS crashed |
9
http://91.92.243.151/api/tracemap.php - rule_id: 37889 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://apps.identrust.com/roots/dstrootcax3.p7c http://www.maxmind.com/geoip/v2.1/city/me http://94.142.138.131/api/firecom.php - rule_id: 36179 https://sso.passport.yandex.ru/push?uuid=17ee63be-a01d-4351-b836-3f7809d3449d&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://dzen.ru/?yredirect=true https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/
|
24
db-ip.com(172.67.75.166) www.maxmind.com(104.18.146.235) ipinfo.io(34.117.59.81) twitter.com(104.244.42.1) telegram.org(149.154.167.99) yandex.ru(5.255.255.70) api.db-ip.com(104.26.4.15) dzen.ru(62.217.160.2) ironhost.io(104.21.57.237) sso.passport.yandex.ru(213.180.204.24) 149.154.167.99 - mailcious 213.180.204.24 172.67.75.166 172.67.193.129 104.18.146.235 94.142.138.131 - mailcious 121.254.136.18 62.217.160.2 91.92.243.151 - mailcious 34.117.59.81 104.244.42.1 - suspicious 104.26.5.15 5.255.255.70 125.253.92.50
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO TLS Handshake Failure
|
3
http://91.92.243.151/api/tracemap.php http://94.142.138.131/api/tracemap.php http://94.142.138.131/api/firecom.php
|
5.6 |
M |
|
ZeroCERT
7229 |
2023-11-07 07:46
|
3.exe 5bf9f652395cac44406e102289501e57 Malicious Library Malicious Packer PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
194.169.175.235 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
|
|
5.2 |
|
|
ZeroCERT
7230 |
2023-11-07 07:45
|
build.exe 37e4a5aab62b40cf415b116cb246b2e2 Malicious Library UPX PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution |
|
|
|
|
1.2 |
M |
|
ZeroCERT