#7306 | 2023-11-03 12:06 | score 10.6 | ZeroCERT
File: yulzx.exe
MD5: b38dc9fdc7cb07f8ccd59ed9f1c03b69
Tags: LokiBot, PWS, SMTP, KeyLogger, AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, FTP Client Info Stealer, Email Client Info Stealer, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, IP Check, Tofsee, Browser, Email, ComputerName, DNS, Software, crashed
Hosts (4): mail.int-logistics.com(210.2.169.195); api.ipify.org(173.231.16.77); 104.237.62.212; 210.2.169.195
Alerts (5):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Detect protocol only one direction

#7307 | 2023-11-03 10:38 | score 3.8 | M | 51 | r0d
File: macringa2.1.exe
MD5: f231a02d229e5f504eacc706629ae2f1
Tags: NSIS, Malicious Library, UPX, PE File, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Creates executable files, unpack itself

#7308 | 2023-11-03 10:33 | score 3.8 | M | 51 | r0d
File: macringa2.1.exe
MD5: f231a02d229e5f504eacc706629ae2f1
Tags: NSIS, Malicious Library, UPX, PE File, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Creates executable files, unpack itself

#7309 | 2023-11-03 10:05 | score 6.4 | M | 53 | r0d
File: marikolock2.1.exe
MD5: 1b4bc7eb054142c70e87755de845e039
Tags: Formbook, NSIS, Malicious Library, UPX, PE File, PE32, OS Processor Check, FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Creates executable files, unpack itself, Windows utilities, AppData folder, Windows
URLs (1):
  http://www.new-minerals.com/t6tg/?b6A=KAteo39jXhYLV1ChmFznVIk+hBqN4AymFECkKH2GQakbZ7TdByL07ntBP05Gab5nXO3C3vF7&DbG=_DKHFz - rule_id: 37226
Hosts (4): www.hcoarrih.com(); www.commandintelhub.xyz(); www.new-minerals.com(103.146.179.167) - malicious; 103.146.179.167 - malicious
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1):
  http://www.new-minerals.com/t6tg/

#7310 | 2023-11-03 09:33 | score 3.4 | M | 53 | r0d
File: marikolock2.1.exe
MD5: 1b4bc7eb054142c70e87755de845e039
Tags: NSIS, Malicious Library, UPX, PE File, PE32, VirusTotal, Malware, suspicious privilege, Check memory, Creates executable files, unpack itself

#7311 | 2023-11-02 17:02 | score 2.8 | ZeroCERT
File: Xiu2Xiu.exe
MD5: 07f36f03342b3b07ecfb8498d0e078a2
Tags: Gen1, Malicious Library, UPX, ASPack, Malicious Packer, Anti_VM, PE File, PE64, OS Processor Check, DLL, ftp, wget, DllRegisterServer, dll, Malware, Check memory, Creates executable files, unpack itself, Ransomware

#7312 | 2023-11-02 14:36 | score 7.0 | M | ZeroCERT
File: File.rar
MD5: c18fbc972354abb0fd945ffccbb93ad3
Tags: PrivateLoader, Escalate privileges, PWS, KeyLogger, AntiDebug, AntiVM, RedLine, Malware download, Malware c&c, Microsoft, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, ICMP traffic, unpack itself, suspicious TLD, IP Check, PrivateLoader, Tofsee, Stealc, Stealer, Windows, RisePro, DNS
URLs (40):
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://91.92.243.151/api/tracemap.php
  http://91.92.243.151/api/firecom.php
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://185.172.128.69/newumma.exe - rule_id: 37499
  http://45.15.156.229/api/firegate.php - rule_id: 36052
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
  http://ronaldrichards.icu/e9c345fc99a4e67e.php
  http://www.maxmind.com/geoip/v2.1/city/me
  http://94.142.138.113/api/tracemap.php - rule_id: 28877
  http://171.22.28.226/download/Services.exe - rule_id: 37064
  https://sun6-23.userapi.com/c909618/u26060933/docs/d4/7caf185e1947/Risepro.bmp?extra=7FXlsGxLQIPRYANXa3bqeG3hcbsNS0dKcak4PUGs8R5-_JslfV8EU9fv6FJOQdvEaI1m1FTJU93cK7oTMfBwNuFssszLscrz9Cp-PC8h5_cL92W_KwdOMx337cegLJS56Rsdw-WyUI_Npc2h
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://sun6-21.userapi.com/c909218/u26060933/docs/d31/c926cfacc1f4/new_go.bmp?extra=HtQcuH2QjM0315WmkJdVH1mdYBSvv064tAbEOg4LDcetY4TZLtnYzavt2XLLjq0NXXZQ-680zJ-uVhjhhGOj1dze70rfMIe3a_Ln3Lk-sWoOm4TTPqeibD4bjeVEAMiqwFd9f9Ip5nM3qbmH
  https://vk.com/doc26060933_667226611?hash=3AOa9zwJbxnrXLo5M1UNZwTTDvxsoWSyfwgmxISqqxL&dl=HnSve9vk6MIyt0bE2UGvnGrn7uoz7zwDsDLBVNodlP4&api=1&no_preview=1#riseK
  https://vk.com/doc26060933_667223635?hash=qzxpj41H7aJKGYAkotcS9kwFdHSU9KQawZjeS9cVst4&dl=iEliVZrkZcesylYAmZs8zvhVjQpPOUAfyAIZcvJVbPH&api=1&no_preview=1#ww11
  https://sun6-22.userapi.com/c237331/u493219498/docs/d54/970161281382/tmvwr.bmp?extra=i927vrM_3T63rdgS7FcQie8v-JlaGdg4vrToGaMBTqwShIMTwkEVKCvfe9GoqbuPE_z5vIJs-kAStdG0VWdxGQ9kAITbxJ2ZhF92v5EIR_XuU2MfpG0xGXk2ybTmc8Gf8fEMNTEZ1sgmkstkcA
  https://api.ip.sb/ip
  https://fdjbgkhjrpfvsdf.online/setup294.exe
  https://vk.com/doc26060933_667223519?hash=4h0hZRp0TSlGi1za4NQqeUs4Z2Owa7H8HcgLzZogiBc&dl=4yZXwXXDHBqFHcM30tryxz8P1qRNU3LWlwbmQoruwmL&api=1&no_preview=1
  https://db-ip.com/
  https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1
  https://vk.com/doc26060933_667218383?hash=7UW057pOa1xiEe10gtJ3QSwoTJDrSVPqZuGSbstptEH&dl=yqIEoQoYSd5j0zYFeVKTzHy16DTH1wq1kX6PBuZazRX&api=1&no_preview=1#bnf
  https://dzen.ru/?yredirect=true
  https://vk.com/doc26060933_667215509?hash=G3Jm1EaMJVztPO45r3HxRNlS4ZgetOknNtYy2avkFPw&dl=8fjE5gX9uYKwtbhjDbbqZIfJvR8v4T4lyZisCWbPlgc&api=1&no_preview=1#1
  https://sun6-20.userapi.com/c909218/u26060933/docs/d16/6de25ac9c8b9/s2as2fad.bmp?extra=93M5T4Pa8Q3v-6wCV0cMg-imldFl3M7pP9fiQWexCQVfAHR6bOaCYNmIhblaorz2ajVnq9ITftW-KCQwspVW7DbtPyDFKCTvp9SEcQHaQMAlrKO5x90RNNH-89CyjAZ03dQGY6Leo9A9oUVa
  https://sun6-20.userapi.com/c237331/u825067038/docs/d49/f3d174c7d126/PL_Client.bmp?extra=XDfkwfVkwRcivpIteb_RsNhr6eqpk3Sh24NjsrJ7nR2EAq93CkJ7kmPRE49s-PptoRkiv1DlMYMm4G-EjxMy3ZKbg-9BUhc0NtHIuZM8phnB22dI5a_tz7k-BACUbK_qxxTb405WhzGYuI1t0w
  https://sun6-20.userapi.com/c909218/u26060933/docs/d22/a35d812ef006/RisePro.bmp?extra=LgPIMsxlbkpwHU5tCRY0vgUUAviiE7g7nMwb1oAv7HySSrauv2XjWksVWa7ZlFA3JXksarqScqvGtt1ETuNK6vMq7PyUQYgR2vLJ_T_aOnDWK_TKXwfUgdLiFLt-hsv4qpwsSsSIRWLoQTI1
  https://sun6-21.userapi.com/c235031/u26060933/docs/d60/aadf300fd920/BotClients.bmp?extra=WDt2JKhhn-eQrPHTN9X8R0bO_tJ9q0myEWR4olRZdoa3canBj-lmFAG5cGCHMWcveqzg7IA6SkZEgaXn7_yF1ZPOhbnbI4vHz0fiMpVF8qWL4pijOcDsVf6aNjPpO0eOG8p1J66TE-BKQC-h
  https://sun6-21.userapi.com/c235031/u26060933/docs/d17/f2f6f33ee91f/WWW11_32.bmp?extra=YkAJ9WwBghZQCvm2tl1uLbMufgtzR6Yn6c26ciwed5aKCO-Rw-yV4cJfXn8nio3l8RYZVp2QwfyPiYJ8Q8fOOfhA000eXJmSBorA7IDhKGejIp04_2OVOLLWjtHDUIjGYHzdNUwjv2l33dHB
  https://sun6-21.userapi.com/c237031/u493219498/docs/d9/c7fc8ca88f65/file291023.bmp?extra=HJE0rWNAwxwlZMpDm0nMXfYfAV0NPcx59BCa43IG_bXuChoyS7uFn7bse_58CEa8kk12QRrnh7q-Dw-GenGfCBz-k2gxOG-kXj-MvZt78r50ec_AmOipYf-TCxGK9M1dCTfKr6B4BlweimH5oA
  https://vk.com/doc26060933_667166279?hash=ZwaE4tvZWFZCd2bm3WcrC9P0n7U9VIU9U93MzzIkiVg&dl=pnJSpAC8qJBqMfKXSgNNzjPf12azGKZWlyCFZ86hE2P&api=1&no_preview=1#risepro
  https://sso.passport.yandex.ru/push?uuid=378496ab-5899-48b7-bf10-80f50778653f&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://vk.com/doc26060933_667204817?hash=6lgEzCTOqGu7pXY0CjbNe2FXz4rab735i6AEdl7puVw&dl=U0RHXi4KJa141aANcboV7iQspCTlmbxFsgLwQz9bGwc&api=1&no_preview=1#maff
  https://sun6-21.userapi.com/c909418/u26060933/docs/d20/171a1ad09e5c/crypted.bmp?extra=USOyMI-QrVD8ahA0mCuN1w-bxZzgqjcqo6Tzt3gOhGAsI0yQDB1U4gyXEOkH9dOBYLRqxIH032ISFZcZOEZ5KTf6gzdM_yJlTG3ITv6KbMFD9NzdtpVOIBX0BWIXmrNdeuJ6DUaJj52BUDaE
  https://sun6-23.userapi.com/c236331/u26060933/docs/d36/f582a2f7d651/mggkfn.bmp?extra=kXzl1fMGvZsozKZ51_V9AIUJOViBXHnvbHtPIo-fm1QSon9y47f4eu5t1tnXJsZ-9Yn_qH0wPULruDXEJv5YPVFLCVB8tJk2Mcs-BJAZWoU6geCJmdzITbv3Y6p0_tmBtcEYUqbBEK0nsfd6
  https://api.2ip.ua/geo.json
Hosts (62):
  db-ip.com(104.26.5.15); dl54-broomcleaner.icu(193.106.175.190) - malware; ipinfo.io(34.117.59.81); sun6-23.userapi.com(95.142.206.3) - malicious; yandex.ru(5.255.255.70); dzen.ru(62.217.160.2); medfioytrkdkcodlskeej.net(91.215.85.209) - malware; ronaldrichards.icu(193.106.175.190); api.2ip.ua(172.67.139.220); iplogger.org(148.251.234.83) - malicious; twitter.com(104.244.42.129); telegram.org(149.154.167.99); sun6-20.userapi.com(95.142.206.0) - malicious; api.db-ip.com(104.26.5.15); sun6-21.userapi.com(95.142.206.1) - malicious; sso.passport.yandex.ru(213.180.204.24); michaelcoleman.icu(193.106.175.190) - malware; api.ip.sb(172.67.75.172); iplogger.com(148.251.234.93) - malicious; zexeq.com(190.139.250.133) - malware; fdjbgkhjrpfvsdf.online(172.67.139.27); api.myip.com(104.26.9.59); sun6-22.userapi.com(95.142.206.2) - malicious; www.maxmind.com(104.18.145.235); vk.com(87.240.132.78) - malicious; iplis.ru(148.251.234.93) - malicious
  148.251.234.93 - malicious; 194.169.175.128 - malicious; 104.18.146.235; 93.186.225.194 - malicious; 185.225.75.171 - malicious; 172.67.139.27 - malicious; 62.217.160.2; 104.244.42.1 - suspicious; 104.26.5.15; 208.67.104.60 - malicious; 5.255.255.70; 149.154.167.99 - malicious; 213.180.204.24; 121.254.136.18; 185.173.38.57; 194.49.94.40; 194.49.94.41; 171.22.28.226 - malware; 34.117.59.81; 148.251.234.83; 104.26.8.59; 95.142.206.0 - malicious; 91.92.243.151; 185.172.128.69 - malware; 94.142.138.131 - malicious; 94.142.138.113 - malicious; 91.215.85.209 - malicious; 45.15.156.229 - malicious; 172.67.75.172 - malicious; 104.26.4.15; 95.142.206.3 - malicious; 95.142.206.2 - malicious; 172.67.139.220; 211.168.53.110; 193.106.175.190 - malware; 95.142.206.1 - malicious
Alerts (34):
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO DNS Query for Suspicious .icu Domain
  ET DROP Spamhaus DROP Listed Traffic Inbound group 7
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING Suspicious services.exe in URI
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET INFO TLS Handshake Failure
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET INFO HTTP POST Request to Suspicious *.icu domain
  ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
  ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
  ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
Rule-matched URLs (8):
  http://94.142.138.131/api/firegate.php
  http://45.15.156.229/api/tracemap.php
  http://94.142.138.131/api/tracemap.php
  http://185.172.128.69/newumma.exe
  http://45.15.156.229/api/firegate.php
  http://zexeq.com/test2/get.php
  http://94.142.138.113/api/tracemap.php
  http://171.22.28.226/download/Services.exe

#7313 | 2023-11-02 10:48 | score 1.0 | 8 | ZeroCERT
File: WJveX71agmOQ6Gw_1698762642.jpg...
MD5: 83c130bed712ef7ac4297b9c9d5f70e9
Tags: Generic Malware, Antivirus, .NET DLL, PE File, DLL, PE32, VirusTotal, Malware, PDB

#7314 | 2023-11-02 10:32 | score 5.8 | 7 | ZeroCERT
File: 10dsb.vbs
MD5: d58c876cdf890b6b626d3018a865bbbc
Tags: Generic Malware, Antivirus, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
URLs (1):
  https://imageupload.io/ib/WJveX71agmOQ6Gw_1698762642.jpg

#7315 | 2023-11-02 10:31 | score 16.2 | M | 17 | ZeroCERT
File: Vbs-File0008765putty.vbs
MD5: 359f4448782994c2b42aa0027ee021db
Tags: LokiBot, Generic Malware, Antivirus, Socket, ScreenShot, PWS, DNS, AntiDebug, AntiVM, PowerShell, FTP Client Info Stealer, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key, Software
URLs (2):
  https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
  http://107.175.113.212/file/PuttyLinks.txt
Hosts (3): imageupload.io(104.21.83.102) - malware; 172.67.222.26 - malware; 107.175.113.212 - malicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1):
  https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg

#7316 | 2023-11-02 10:30 | score 1.0 | 8 | ZeroCERT
File: WJveX71agmOQ6Gw_1698762642.jpg...
MD5: 83c130bed712ef7ac4297b9c9d5f70e9
Tags: Generic Malware, Antivirus, .NET DLL, PE File, DLL, PE32, VirusTotal, Malware, PDB

#7317 | 2023-11-02 10:30 | score 9.0 | 1 | ZeroCERT
File: PuttyVbs-File0008765.vbs
MD5: bb57207b20e143102f4256a708c71fd7
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
  http://107.175.113.212/file/PuttyLinks.txt
Hosts (3): uploaddeimagens.com.br(172.67.215.45) - malware; 121.254.136.9; 172.67.215.45 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

#7318 | 2023-11-02 10:30 | score 6.2 | 54 | ZeroCERT
File: Limebase.txt.exe
MD5: 22df9b6c3a71b8dbbdef5d5bd09e445f
Tags: UPX, PE File, PE32, .NET EXE, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Tofsee, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (1):
  https://pastebin.com/raw/LJe9sUk5
Hosts (3): pastebin.com(104.20.68.143) - malicious; 91.92.247.146; 172.67.34.170 - malicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

#7319 | 2023-11-02 10:28 | ZeroCERT
File: segun.txt.exe
MD5: 35ebe9d6053db0a6fdb348068e27ef7f
Tags: Malicious Packer, PE File, PE32, .NET EXE

#7320 | 2023-11-02 10:12 | score 7.2 | 63 | ZeroCERT
File: Klv-sailor-warzone123456.txt.e...
MD5: 57c76226a25c44ea73d0ffd2b8258a56
Tags: Ave Maria, WARZONE RAT, Generic Malware, Malicious Library, UPX, Malicious Packer, Downloader, PE File, PE32, OS Processor Check, VirusTotal, Malware, AutoRuns, Code Injection, Check memory, unpack itself, suspicious process, WriteConsoleW, Windows, Remote Code Execution, DNS, DDNS
Hosts (2): segun.ddns.net(185.106.123.197); 185.106.123.197
Alerts (1):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
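The host and URL fields in the entries above (for example #7312 and #7315) are exported in a flat form: hosts as "domain(ip)" or a bare IP, each optionally followed by "- label"; URLs optionally followed by "- rule_id: N". Turning that into structured records is the first step before feeding the IOCs into a blocklist or a pivot search. The parser below is an added example, not code from the sandbox or from the site that publishes this listing. It assumes only the field layout visible on the page; the sample strings are constructed from that format (the raw export spells one label "mailcious", which the parser normalises), and the helper names (parse_hosts, parse_urls, flagged_hosts, shared_ips) are the author's own.

```python
"""Parse the flat host/URL fields of a sandbox result listing into records.

Added example. Assumed export format (taken from the listing above):
  hosts: "domain(ip) - label  domain()  1.2.3.4 - label ..."
  urls:  "http://... - rule_id: 12345  https://... ..."
"""
import re
from dataclasses import dataclass
from typing import Optional

# "domain(ip)"; the ip may be empty when the name did not resolve, e.g. "www.hcoarrih.com()"
_NAMED_HOST = re.compile(r"^(?P<name>[A-Za-z0-9._-]+)\((?P<ip>[0-9.]*)\)$")
# bare dotted-quad token
_BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# the raw export spells the malicious tag "mailcious"; normalise it
_LABEL_FIX = {"mailcious": "malicious"}

# Constructed samples in the export format (not captured output of any run)
SAMPLE_HOSTS = ("imageupload.io(104.21.83.102) - malware "
                "172.67.222.26 - malware 107.175.113.212 - mailcious")
SAMPLE_URLS = ("https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487 "
               "http://107.175.113.212/file/PuttyLinks.txt")
SAMPLE_PIVOT = ("dl54-broomcleaner.icu(193.106.175.190) - malware "
                "ronaldrichards.icu(193.106.175.190) "
                "michaelcoleman.icu(193.106.175.190) - malware")


@dataclass
class Host:
    name: Optional[str]        # None for a bare-IP entry
    ip: Optional[str]          # None when the domain did not resolve
    label: Optional[str] = None


@dataclass
class Url:
    url: str
    rule_id: Optional[int] = None


def parse_hosts(field: str) -> list[Host]:
    """Tokenise a hosts field; a '- label' pair attaches to the preceding host."""
    hosts: list[Host] = []
    tokens = field.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and hosts and i + 1 < len(tokens):
            raw = tokens[i + 1]
            hosts[-1].label = _LABEL_FIX.get(raw, raw)
            i += 2
            continue
        m = _NAMED_HOST.match(tok)
        if m:
            hosts.append(Host(m.group("name"), m.group("ip") or None))
        elif _BARE_IP.match(tok):
            hosts.append(Host(None, tok))
        else:
            raise ValueError(f"unrecognised host token: {tok!r}")
        i += 1
    return hosts


def parse_urls(field: str) -> list[Url]:
    """Tokenise a URL field; '- rule_id: N' attaches to the preceding URL."""
    urls: list[Url] = []
    tokens = field.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("http://", "https://")):
            urls.append(Url(tok))
            i += 1
        elif tok == "-" and urls and i + 2 < len(tokens) and tokens[i + 1] == "rule_id:":
            urls[-1].rule_id = int(tokens[i + 2])
            i += 3
        else:
            raise ValueError(f"unrecognised URL token: {tok!r}")
    return urls


def flagged_hosts(hosts: list[Host]) -> list[Host]:
    """Hosts the listing labelled malicious/malware: the ones to block first."""
    return [h for h in hosts if h.label in ("malicious", "malware")]


def shared_ips(hosts: list[Host]) -> dict[str, list[str]]:
    """IPs that more than one domain resolved to: a pivot for sibling infrastructure."""
    by_ip: dict[str, set[str]] = {}
    for h in hosts:
        if h.name and h.ip:
            by_ip.setdefault(h.ip, set()).add(h.name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for h in parse_hosts(SAMPLE_HOSTS):
        print(h)
    for u in parse_urls(SAMPLE_URLS):
        print(u)
    print(shared_ips(parse_hosts(SAMPLE_PIVOT)))
```

Unresolved names such as www.hcoarrih.com() are kept with ip=None rather than dropped, since a domain that failed to resolve in the sandbox can still be a valid blocklist entry; shared_ips is what surfaces the three .icu domains in #7312 that all sit on 193.106.175.190.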