7276 | 2023-11-04 10:53
File: 1 | MD5: 2dc7034a89baf7a87c7423ae0e685a7e
Tags: UPX Downloader PE File PE32 VirusTotal Malware Check memory crashed
Score: 1.6 | | 6 | ZeroCERT

7277 | 2023-11-04 10:53
File: TEST32.exe | MD5: 993c85b5b1c94bfa3b7f45117f567d09
Tags: Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Check memory buffers extracted IP Check installed browsers check Tofsee Ransomware Browser Email ComputerName Trojan Banking DNS
Hosts: 3
  api.ipify.org (64.185.227.156)
  149.40.62.171
  64.185.227.156
Suricata alerts: 5
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Protocol detection skipped
Score: 12.0 | | 56 | ZeroCERT

7278 | 2023-11-04 10:52
File: build2.exe | MD5: 1199c88022b133b321ed8e9c5f4e6739
Tags: RedlineStealer RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key
Hosts: 1
Score: 4.2 | | 62 | ZeroCERT

7279 | 2023-11-04 10:44
File: Word_.doc | MD5: 75d7d706c41a6eb2d5a5161a24733999
Tags: VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting exploit crash unpack itself Exploit DNS crashed
Hosts: 1
Score: 4.0 | | 18 | ZeroCERT

7280 | 2023-11-04 10:42
File: hn-1 | MD5: a04b173e5b0cb462684e646d91b14683
Tags: Malicious Library Downloader PE File DLL PE32 Malware download VirusTotal Malware Malicious Traffic Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check GameoverP2P Zeus Windows DNS Downloader
URLs: 1
  http://154.211.22.56:8000/1
Hosts: 1
Suricata alerts: 9
  SURICATA HTTP Request abnormal Content-Encoding header
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE OneLouder EXE download possibly installing Zeus P2P
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
  ET MALWARE JS/WSF Downloader Dec 08 2016 M6
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
Score: 4.8 | | 55 | ZeroCERT

7281 | 2023-11-04 10:41
File: vah50.exe | MD5: 03f92deb14398467ee6f9ac147c5b97a
Tags: Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PWS ScreenShot AntiDebug AntiVM PE File PE32 CAB OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs: 4
  http://193.233.255.73/loghub/master - rule_id: 37500
  http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
  http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
  http://77.91.124.1/theme/index.php - rule_id: 37040
Hosts: 3
  193.233.255.73 - mailcious
  77.91.124.1 - malware
  77.91.124.86
Suricata alerts: 12
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
HTTP requests: 4
  http://193.233.255.73/loghub/master
  http://77.91.124.1/theme/Plugins/clip64.dll
  http://77.91.124.1/theme/Plugins/cred64.dll
  http://77.91.124.1/theme/index.php
Score: 24.2 | M | | ZeroCERT

7282 | 2023-11-04 10:38
File: d-6 | MD5: 82eae0084a91983e3730b537982b0d82
Tags: Malicious Library UPX Downloader PE File DLL PE32 JPEG Format ZIP Format Malware download VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion Windows Browser ComputerName DNS Downloader
URLs: 4
  http://202.79.172.241:8000/4
  http://202.79.172.241:8000/2
  http://202.79.172.241:8000/3
  http://202.79.172.241:8000/1
Hosts: 2
  feetifu.net()
  202.79.172.241
Suricata alerts: 6
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE JS/WSF Downloader Dec 08 2016 M7
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 8.6 | | 26 | ZeroCERT

7283 | 2023-11-04 10:35
File: Wpqcpff.exe | MD5: e533f71c253551d1be4ad5ffd52fb793
Tags: PE File PE32 .NET EXE VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Score: 7.2 | | 46 | ZeroCERT

7284 | 2023-11-04 10:33
File: TrueCrypt_BcCqcw.exe | MD5: bf85e5d13200077c89650c3c2fb48a84
Tags: Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware crashed
Score: 1.2 | | 16 | ZeroCERT

7285 | 2023-11-04 10:33
File: ams.exe | MD5: 5d26beb8eae1bcf1ba1fc82359f06df2
Tags: Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files RWX flags setting unpack itself
Score: 4.2 | | 54 | ZeroCERT

7286 | 2023-11-04 10:30
File: 주요도시 시장가격 조사2023.xlsx.lnk... | MD5: d1dc2db2956803de7eef7a76a6ac5cb2
Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM Lnk Format GIF Format PowerShell ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Score: 9.0 | | 24 | ZeroCERT

7287 | 2023-11-04 10:26
File: Kuteiisd.exe | MD5: 0bb98a8a1597245e3c0c37fbf2c0f94b
Tags: Hide_EXE PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself
Score: 2.0 | | 41 | ZeroCERT

7288 | 2023-11-03 18:29
File: Amadey.exe | MD5: 5d0310efbb0ea7ead8624b0335b21b7b
Tags: Amadey RedLine stealer Browser Login Data Stealer RedlineStealer RedLine Infostealer Gen1 Emotet Generic Malware Hide_EXE Malicious Library UPX Malicious Packer .NET framework(MSIL) ScreenShot PWS Anti_VM Javascript_B Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check human activity check installed browsers check Kelihos Tofsee Stealc Stealer Windows Update Browser ComputerName Trojan DNS Cryptographic key Software crashed Downloader
URLs: 65
Hosts: 41
Suricata alerts: 26
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Possible Kelihos.F EXE Download Common Structure
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET MALWARE Amadey Bot Activity (POST) M1
  ET INFO Dotted Quad Host DLL Request
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Amadey Bot Activity (POST)
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO TLS Handshake Failure
HTTP requests: 8
  http://185.196.8.176/7jshasdS/index.php
  http://185.196.8.176/7jshasdS/index.php
  http://193.233.255.73/loghub/master
  http://185.196.8.176/7jshasdS/Plugins/clip64.dll
  http://167.235.20.126/bjdm32DP/index.php
  http://167.235.20.126/bjdm32DP/index.php
  http://185.196.8.176/7jshasdS/Plugins/cred64.dll
  http://77.91.124.1/theme/index.php
Score: 25.8 | M | | ZeroCERT

7289 | 2023-11-03 18:20
File: timeSync.exe | MD5: c5413f26ad9d6a74ed7e649f8001da14
Tags: Malicious Library UPX PE File PE32 OS Processor Check unpack itself
Score: 0.8 | | | ZeroCERT

7290 | 2023-11-03 18:18
File: macoptic2.1.exe | MD5: d6c5df23371399eb60055b93d7b80ea7
Tags: NSIS Malicious Library UPX PE File PE32 OS Processor Check Check memory Creates executable files unpack itself AppData folder crashed
Score: 3.2 | | | ZeroCERT