7456 | 2023-10-26 17:14
teste2.jpg | e41099316a6272c73e80c90972c3203e
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), Malicious Library, UPX, Antivirus, AntiDebug, AntiVM, PE File, PE32, .NET EXE, DLL, OS Processor Check, VirusTotal, Malware, powershell, AutoRuns, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, AppData folder, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, DDNS, crashed
Hosts (2): marcelotatuape.ddns.net (141.255.145.44) - malicious; 141.255.145.44
Signatures (1): ET POLICY DNS Query to DynDNS Domain *.ddns .net
14.2 | M | 26 | ZeroCERT
7457 | 2023-10-26 17:12
HTMLcacheIEsession.dOC | 55588a5b96ec028485a99a5bcd648d0e
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, exploit crash, unpack itself, Tofsee, Exploit, crashed
Hosts (2): toss.is (45.33.42.226) - malicious; 45.33.42.226 - malicious
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; SURICATA Applayer Wrong direction first Data
2.8 | M | 30 | ZeroCERT
7458 | 2023-10-26 13:59
mohammeddroidupdatedfilebase64... | 6070a1b84846a0946639a374043787d6
Tags: AgentTesla, Malicious Library, UPX, PE File, PE32, .NET EXE, Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Check memory, Checks debugger, unpack itself, Windows, Browser, Email, ComputerName, crashed
4.0 | | 58 | ZeroCERT
7459 | 2023-10-26 13:23
jajajjajapapapappanananan.vbs | 7e9d44a6c4367491ad178bf62548f136
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
  http://94.156.253.236/yeyesyesyeys.txt
Hosts (3): uploaddeimagens.com.br (172.67.215.45) - malware; 121.254.136.18; 172.67.215.45 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | | 3 | ZeroCERT
7460 | 2023-10-26 13:23
eveningFile.vbs | 088dd62ff5ed6d7e15caab5a0bb62f10
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
  http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
Hosts (3): uploaddeimagens.com.br (172.67.215.45) - malware; 121.254.136.9; 172.67.215.45 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | | 3 | ZeroCERT
7461 | 2023-10-26 13:22
aaaaa.txt.exe | f7a2deae211b49311fa7f56c1e4566f2
Tags: Malicious Library, UPX, Malicious Packer, Antivirus, .NET framework(MSIL), PE File, PE32, .NET EXE, OS Processor Check, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
2.0 | | 62 | ZeroCERT
7462 | 2023-10-26 10:43
HTMLEVENbrowser.dOC | 8ff3248ebdfa3b7dd737f7bee9b9dae6
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://185.254.37.174/eveningFile.vbs
Hosts (4): uploaddeimagens.com.br (172.67.215.45) - malware; 121.254.136.18; 185.254.37.174 - malicious; 104.21.45.138 - malware
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host VBS Request
4.0 | M | 29 | ZeroCERT
7463 | 2023-10-26 10:41
HTMLIECachesBrowser.dOC | a08ca8e6fd0e7002499434aa2547d160
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.156.253.236/jajajjajapapapappanananan.vbs
Hosts (4): uploaddeimagens.com.br (172.67.215.45) - malware; 94.156.253.236 - malicious; 104.21.45.138 - malware; 23.32.56.72
Signatures (2): ET INFO Dotted Quad Host VBS Request; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 | M | 29 | ZeroCERT
7464 | 2023-10-26 10:40
foto1661.exe | 7613290b26555e6b7b16131d17331960
Tags: Amadey, RedLine stealer, Gen1, Emotet, Generic Malware, Malicious Library, UPX, Antivirus, .NET framework(MSIL), Confuser .NET, Malicious Packer, Admin Tool (Sysinternals etc ...), ScreenShot, PWS, AntiDebug, AntiVM, PE File, PE32, CAB, OS Processor Check, .NET E, Browser Info Stealer, RedLine, Malware download, Amadey, FTP Client Info Stealer, VirusTotal, Malware, powershell, Microsoft, AutoRuns, PDB, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, Collect installed applications, powershell.exe wrote, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, installed browsers check, Tofsee, Stealc, Stealer, Windows, Exploit, Browser, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software, crashed, Downloader
Signatures (18):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO PS1 Powershell File Request
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host DLL Request
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
24.8 | | 40 | ZeroCERT
7465 | 2023-10-26 10:38
Main332.js | c3cc912df10bafc0de538be5557710ac
Tags: AntiDebug, AntiVM, VirusTotal, Malware, Code Injection, Malicious Traffic, wscript.exe payload download, Windows utilities, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, DNS
URLs (2):
  http://49.13.119.73/GJDtkud/Aerot
  http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
Hosts (3): www.ssl.com (54.87.241.101); 49.13.119.73; 34.195.117.81
Signatures (2): ET POLICY curl User-Agent Outbound; ET HUNTING curl User-Agent to Dotted Quad
7.6 | | 2 | ZeroCERT
7466 | 2023-10-26 10:38
T1.js | caa023ac5ec92dd9fd17b33a448c140a
Tags: AntiDebug, AntiVM, VirusTotal, Malware, Code Injection, wscript.exe payload download, Windows utilities, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, DNS
URLs (2):
  http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
  http://155.138.224.36/abb/unsec
Hosts (3): www.ssl.com (54.87.241.101); 155.138.224.36 - malicious; 34.195.117.81
8.4 | | 14 | ZeroCERT
7467 | 2023-10-26 10:28
Final rooming list.bat | 98000fd6e24b741927fd81c1d61ae996
Tags: Downloader, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, unpack itself, Windows utilities, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
4.4 | | 4 | ZeroCERT
7468 | 2023-10-26 10:24
987123.exe | 7ed1926e1e6e2fe6390c3c6d4b8878aa
Tags: Malicious Library, UPX, PE File, PE32, OS Processor Check, VirusTotal, Malware, PDB, unpack itself, Remote Code Execution
2.2 | | 35 | ZeroCERT
7469 | 2023-10-26 10:23
tus.exe | 10a17abe9f1d739be062dfa9f1730298
Tags: Malicious Library, UPX, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, VirusTotal, Malware, PDB, Code Injection, buffers extracted
7.0 | | 32 | ZeroCERT
7470 | 2023-10-26 10:23
davincizx.exe | 9f12d35cb063268ba5e58c71c26ef0e4
Tags: .NET framework(MSIL), PE File, PE32, .NET EXE, VirusTotal, Malware
1.4 | | 37 | ZeroCERT