7336 | 2023-11-01 18:46
htmlIREcontentwritingcache.doc 0e17386f4c9bd1dc872a1b00a5ec1ce0 MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS DDNS crashed
2
http://geoplugin.net/json.gp
http://146.70.78.28/3500/IGCC.exe
5
geoplugin.net(178.237.33.50)
sembe.duckdns.org(194.187.251.115)
178.237.33.50
146.70.78.28 - malware
194.187.251.115
8
ET JA3 Hash - Remcos 3.x TLS Connection
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4.6 | M | 30 | ZeroCERT

7337 | 2023-11-01 18:42
Archive.rar 8988dd76e0075a66d1030daa58d220f1 Escalate priviledges PWS KeyLogger AntiDebug AntiVM ftp Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee DNS
5
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://94.142.138.113/api/tracemap.php - rule_id: 28877
https://vk.com/doc26060933_667173484?hash=A1dmV4pq2EY7qgmQUNzGLIsxaMexd8IeIWU9C4qfGWs&dl=HW3dyNuyU3NU5OenwscyGVYZxNCzBaTesYkhsTpR8qs&api=1&no_preview=1
https://sun6-21.userapi.com/c237231/u26060933/docs/d41/b01ef5bd7b4a/Setup.bmp?extra=fPPLkVjVVeEJBIi4Of7fAGBCJkUgPJP0zTNhqwXCyZxyqQK-ShKZ5pV0Q9N_iwIsrcQGex6idPQM1iCflk3FKizdrZfEwMM53QuRuvk2p_dEZymICGeJzS0sCUFyDI0lpF31qoWurBw1MNPi
https://api.myip.com/
13
iplis.ru(148.251.234.93) - mailcious
iplogger.org(148.251.234.83) - mailcious
ipinfo.io(34.117.59.81)
api.myip.com(172.67.75.163)
vk.com(87.240.132.72) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
148.251.234.83
148.251.234.93 - mailcious
104.26.9.59
95.142.206.1 - mailcious
87.240.137.164 - mailcious
94.142.138.113 - mailcious
34.117.59.81
8
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
2
http://94.142.138.113/api/firegate.php
http://94.142.138.113/api/tracemap.php
5.0 | M | 1 | ZeroCERT

7338 | 2023-11-01 18:39
IGCC.exe d49b62e60e0e42b43f32adf23acfd369 UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 49 | ZeroCERT

7339 | 2023-11-01 09:58
questionnaire.exe 065f0871b6025b8e61f35a188bca1d5c Generic Malware Malicious Library Anti_VM PE File PE64 ftp OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself Check virtual network interfaces DNS crashed
2
http://146.70.149.61:8008/access/JWrapper-Windows64JRE-00084000053-archive.p2.l2
http://146.70.149.61:8008/access/JWrapper-Windows64JRE-version.txt?time=2322853908
1
3.4 | | 13 | ZeroCERT

7340 | 2023-11-01 09:58
document_issued_ticket.bat 36615e952d3d0230e01c4aa0007c5cfa Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities WriteConsoleW Windows ComputerName Cryptographic key
3.4 | | 2 | ZeroCERT

7341 | 2023-11-01 09:48
settings.md.ps1 d4a8463332d11c465c311485626a089e Lnk Format GIF Format VirusTotal Malware powershell AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key
1
https://www.dropbox.com/scl/fi/xomwf87h5an20v2gilmvv/m.zip?rlkey=xg1osj3s43fl9pagr7zgj6y70&dl=1
4
www.dropbox.com(162.125.84.18) - mailcious
ambjulio.com(154.56.63.216) - mailcious
154.56.63.216 - mailcious
162.125.84.18 - mailcious
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 15 | ZeroCERT

7342 | 2023-11-01 09:47
vpke8.js 64fb844512400c176e18d956894663dd crashed
0.2 | | | ZeroCERT

7343 | 2023-11-01 09:44
CNOZ1237_3680420.js 8bc1516039ff6f4e48087ae01613c98a VirusTotal Malware WMI ComputerName
1.4 | | 2 | guest

7344 | 2023-11-01 09:40
pwdw54.js 13d3bf04f274c2d9282623217acbbb5e unpack itself crashed
0.6 | | | ZeroCERT

7345 | 2023-11-01 09:39
3mmusbi9y.js e6e3eb6eddb12bdddc85bb59707dd4e4 crashed
0.2 | | | ZeroCERT

7346 | 2023-11-01 09:37
jli.txt.exe 4a0d3c937e2ecb5ddc198d431901efef Generic Malware Malicious Library UPX Malicious Packer Antivirus PE File DLL PE32 MZP Format OS Processor Check VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key crashed
5.0 | | 19 | ZeroCERT

7347 | 2023-11-01 07:48
build.exe 908ffa6f05e09995c1d3d51b08ccaa89 Malicious Library UPX PE File PE32 OS Processor Check unpack itself
0.8 | M | | ZeroCERT

7348 | 2023-11-01 07:47
700.exe 450783b6304d896d217b0a816a3f4853 Hide_EXE Suspicious_Script_Bin Malicious Library UPX Socket Http API ScreenShot Escalate priviledges Steal credential HTTP DNS Code injection Internet API KeyLogger AntiDebug AntiVM PE File PE32 MZP Format OS Processor Check Lnk Format GIF Format ZIP Form Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software
1
https://db-ip.com/demo/home.php?s=175.208.134.152
6
ipinfo.io(34.117.59.81)
db-ip.com(104.26.5.15)
KXKQBfogIOh.KXKQBfogIOh()
172.67.75.166
91.103.253.146
34.117.59.81
6
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
20.2 | M | | ZeroCERT

7349 | 2023-10-31 20:43
index.ps1 d41d8cd98f00b204e9800998ecf8427e Generic Malware Antivirus unpack itself
0.4 | | | guest

7350 | 2023-10-31 18:06
droidlokiiiiiiiiiiiibase64.txt... 58c5addb4156542d91c8ba18d4acc5d9 Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory suspicious TLD installed browsers check Browser Email ComputerName DNS Software
1
http://sweetwhore.dolphinair.top/_errorpages/sweetwhore/five/fre.php
2
sweetwhore.dolphinair.top(172.67.135.120)
172.67.135.120
9
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
6.2 | | | ZeroCERT