| 7456 |
2023-10-26 17:14
|
 teste2.jpg e41099316a6272c73e80c90972c3203e
Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX Antivirus AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS crashed |
|
2
marcelotatuape.ddns.net(141.255.145.44) - mailcious
141.255.145.44
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
14.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7457 |
2023-10-26 17:12
|
HTMLcacheIEsession.dOC 55588a5b96ec028485a99a5bcd648d0e
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226) - mailcious
45.33.42.226 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
|
|
2.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7458 |
2023-10-26 13:59
|
 mohammeddroidupdatedfilebase64... 6070a1b84846a0946639a374043787d6
AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware Check memory Checks debugger unpack itself Windows Browser Email ComputerName crashed |
|
|
|
|
4.0 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7459 |
2023-10-26 13:23
|
jajajjajapapapappanananan.vbs 7e9d44a6c4367491ad178bf62548f136
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://94.156.253.236/yeyesyesyeys.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7460 |
2023-10-26 13:23
|
eveningFile.vbs 088dd62ff5ed6d7e15caab5a0bb62f10
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7461 |
2023-10-26 13:22
|
 aaaaa.txt.exe f7a2deae211b49311fa7f56c1e4566f2
Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7462 |
2023-10-26 10:43
|
HTMLEVENbrowser.dOC 8ff3248ebdfa3b7dd737f7bee9b9dae6
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.254.37.174/eveningFile.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
185.254.37.174 - mailcious
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7463 |
2023-10-26 10:41
|
 HTMLIECachesBrowser.dOC a08ca8e6fd0e7002499434aa2547d160
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.156.253.236/jajajjajapapapappanananan.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
94.156.253.236 - mailcious
104.21.45.138 - malware
23.32.56.72
|
2
ET INFO Dotted Quad Host VBS Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7464 |
2023-10-26 10:40
|
 foto1661.exe 7613290b26555e6b7b16131d17331960
Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check .NET E Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
25
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master - rule_id: 37500
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/foto1661.exe
http://77.91.68.249/fuza/tus.exe
http://77.91.68.249/fuza/nalo.exe - rule_id: 37525
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php - rule_id: 37040
http://77.91.124.1/theme/index.php
https://accounts.google.com/generate_204?KIpSmg
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?x9IqeA
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn
https://www.google.com/favicon.ico
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
14
www.youtube.com(172.217.25.174) - mailcious
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.215.35)
accounts.google.com(142.250.206.205)
www.google.com(142.250.76.132)
142.250.204.36
142.251.220.14
216.58.200.237
77.91.124.86
216.58.203.67
193.233.255.73 - mailcious
77.91.124.1 - malware
157.240.215.35
77.91.68.249 - malware
|
18
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
6
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php
|
24.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7465 |
2023-10-26 10:38
|
 Main332.js c3cc912df10bafc0de538be5557710ac
AntiDebug AntiVM VirusTotal Malware Code Injection Malicious Traffic wscript.exe payload download Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS |
2
http://49.13.119.73/GJDtkud/Aerot
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
3
www.ssl.com(54.87.241.101)
49.13.119.73
34.195.117.81
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
7.6 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7466 |
2023-10-26 10:38
|
 T1.js caa023ac5ec92dd9fd17b33a448c140a
AntiDebug AntiVM VirusTotal Malware Code Injection wscript.exe payload download Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS |
2
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
http://155.138.224.36/abb/unsec
|
3
www.ssl.com(54.87.241.101)
155.138.224.36 - mailcious
34.195.117.81
|
|
|
8.4 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7467 |
2023-10-26 10:28
|
 Final rooming list.bat 98000fd6e24b741927fd81c1d61ae996
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7468 |
2023-10-26 10:24
|
 987123.exe 7ed1926e1e6e2fe6390c3c6d4b8878aa
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7469 |
2023-10-26 10:23
|
 tus.exe 10a17abe9f1d739be062dfa9f1730298
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB Code Injection buffers extracted |
|
|
|
|
7.0 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7470 |
2023-10-26 10:23
|
 davincizx.exe 9f12d35cb063268ba5e58c71c26ef0e4
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware |
|
|
|
|
1.4 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|