| 7471 |
2023-10-26 10:23
|
 timeSync.exe ab629ce2f730accf1ccfe3c5054d6c1b
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7472 |
2023-10-25 18:27
|
File.7z 86f0e6986a754d96179b2c20d8db49b6
PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Cryptocurrency Miner Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser Trojan DNS Downloader CoinMiner |
80
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://109.107.182.2/race/bus50.exe - rule_id: 37496
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://85.217.144.143/files/townpublishing.exe
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://49.12.116.189/upload.zip
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.69/newumma.exe - rule_id: 37499
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://171.22.28.221/files/Ads.exe - rule_id: 37468
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://77.91.124.1/theme/index.php - rule_id: 37040
http://gons3fc.top/build.exe
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://193.233.255.73/loghub/master - rule_id: 37500
http://gobo04fc.top/build.exe
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://171.22.28.221/files/Random.exe - rule_id: 37434
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://171.22.28.213/3.exe - rule_id: 37068
http://www.google.com/
https://sun6-22.userapi.com/c909328/u52355237/docs/d36/94e70066ac80/PL_Client.bmp?extra=GYu9pTC-Wl1Sg_fchSUawzC7SOJQ5mf6X2A3Lm8ZE1bmn4F7iqzq_0_-pgTnEnf4Z8ETAumkli_vcaYV1Z_ULFP_mNBGwhECBvqkXysXuH9Sz8e5J6_7zGC5Vyj2-tcbfXz3qBeXxZZmpG6k
https://vk.com/doc52355237_667343838?hash=zdFRocOdJtT0IyxFdnygjsrvYEitfza6BvyL25bGpZD&dl=sHDqrRzc8uNalY3nwHHztHxEdFCN6CpN55OVgGQqijL&api=1&no_preview=1#1
https://steamcommunity.com/profiles/76561199564671869
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397
https://accounts.google.com/generate_204?CDdS5w
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://potatogoose.com/976b26ee384bf2dcf27abfc3b8d028eb/baf14778c246e15550645e30ba78ce1c.exe
https://www.google.com/favicon.ico
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://api.ip.sb/ip
https://experiment.pw/setup294.exe - rule_id: 37436
https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=hjMZy0D95eSFxb%2FYE%2Fdrj5C6tndz19A2RfpDONXthx4%3D&spr=https&se=2023-10-26T09%3A35%3A45Z&rscl=x-e2eid-cd83c9d1-11ee493e-8ec461f2-562aef4b-session-3b3dacd9-31504d5f-bf9a4f83-796fb600
https://vk.com/doc52355237_667339795?hash=Vr6hZn5xlDzZsz30TpnTzHAO4DHKke3DmD4kGhoeqoH&dl=6fzaZ8xtsOzOd75auvzL1Z7h0auXHva7GD7UyQqxDDo&api=1&no_preview=1
https://sun6-22.userapi.com/c909618/u52355237/docs/d51/b8b9a3f0dc19/RisePro_0_9.bmp?extra=S_Pw_XtG5PO3pErgyMk8rmhNNVpFLN7JZFRZb7P0DQbCvb25kgrWOiITEqnQ1DrUrLRqlEiLjGGyyXplnWiQQv40Gxo9KL6bmVJWDYrct0qqfiD8S9zjDR328l71NfIg7q089wragM-LuguC
https://vk.com/doc52355237_667363057?hash=EFGn7JDa1yL3d80vbqsB9WZH2w3XpT5V6LPR4VEBzc4&dl=QJPdu5Tzl9CEda3jy8BmjsTGIU8RaodEGQVRlC2jmdD&api=1&no_preview=1#all
https://sun6-22.userapi.com/c909328/u52355237/docs/d39/fea02e6516ef/all.bmp?extra=1jLtQoDZlkXee5oo1ICc_9GEajaJa4WgEW2aW76jh1X4r0G8nBKsO1fC-UITCjUotA9USMbQHx2E534DFNgrHG_ven327gh2BTuXaBkk_4hLBUxns9Tv5eHEyBEemy9O9cRIt33iy9__px79
https://api.myip.com/
https://sun6-22.userapi.com/c909618/u52355237/docs/d26/cc55b2954aea/crypted.bmp?extra=xLNs08HOc2FVnDJsDb3fD8GFoFKmCU7QJz_fRbm4cuX-Ud8sbS3ZYM4raB86hLMg30wxZWxsHLUDDk07eXkgw1zAbBCXdaTfzZ9SmqURbHH51SmXU4eNGjrBU_f7Jo6Q2J1vJSYawZTYv0pt
https://msdl.microsoft.com/download/symbols/index2.txt
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://yip.su/RNWPd.exe
https://diplodoka.net/976b26ee384bf2dcf27abfc3b8d028eb/7a54bdb20779c4359694feaa1398dd25.exe
https://sun6-22.userapi.com/c909518/u52355237/docs/d5/1aa2c5f38718/test23.bmp?extra=9FhCUwRY0gis9rghwSNws5CZNzCYS1cFvSzMovIC4R9pgAu6f-6BHFvxk7A3VnUhzurcljGxSjA3h1u1s_urlUUF8X-lH3axsr1NmjA9bVbhXg_8fAna1HNi9FXqmBMzfYbdJ8NBaWlajfQ7
https://vk.com/doc52355237_667363160?hash=90eo1ggSa79KsVZPaYy6x9lScec24zb12wdY8O5unQk&dl=m7LLs87D1wJQyUxzU3MK1qZzpMIcxisi2LpUtD1jlOs&api=1&no_preview=1#test22
https://dzen.ru/?yredirect=true
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/9072feeb59e1/2.bmp?extra=anTEO8FrVGu00Q5VjCfBzfV6wA1wHhJ4v3kJhx0qWWZQbBF7ZjM9pGJCaiS-ZPprUSRJiLz6BgcrTKyf9D1xg2NvZAKTna40r0l84UKOHs6o-eobD5J99sFFPZGpyzmim2vkG5mjF5IJtf23
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyykJNODYDpIHqhOifsHXhwJQmK8zndb5lyvjBtQuk9jZeMf94g9TWw4WX1eVNV9XYlWLO5icg
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://sun6-22.userapi.com/c909218/u52355237/docs/d42/60d05adee2f0/WWW11_32.bmp?extra=C65rMG9a2ZLgS4-qRwSgkiSxHJ3RAaH3KFKeI6EmSeeje_84SPUwWXjC_3sPq8LlWHKSPAXwi3EVIIkD0RFllrJ7VuliWNF78K0_YqEAepb9uoFHLsXGRl9gQ5Yenv5OHgw81aIn24dCy__n
https://vk.com/doc828628200_671409039?hash=0yEYLUUztkFa1eCd0vT01xEQlMXCn20q2EbUpZXcuIP&dl=Mz4XiECwpxCz6uTiBkS3szJG5kfAHZDNnQub6U5y8Do&api=1&no_preview=1
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://sun6-23.userapi.com/c909518/u52355237/docs/d59/b2220ffab81c/d432j89adg.bmp?extra=fPb2B9ko9Mhx2DzFJ1UkjS4bmg5SfYI4NNWBqcF0aiYSAU5AZdPLvdhQqhn8ujfkWsa5z86DgnzoIkQaGeBFjxxg_BisIc9O5Kwa1JhnN-RSdiZG-vmmpRjn_ZaVPz_ccs1EJjKOIIEUE1Ns
https://sun6-20.userapi.com/c237231/u52355237/docs/d30/24459ebe9485/crypted.bmp?extra=G9O9Z5VhCwn1IjHZMEeC96bT7TZPJN8bQD-u_isK9maVUv8bgsaMkkehRuoCWJvCMzxY1RJKKn6oA1e40Wf5bbv_o9I-NxdvV3Mk7krC79T7DX_qSTi5qr4ZLmbvRGkLp-Bll9JOEJ1Kahsn
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywL3WvaP67WC1xBgQHpszVeSkZSzqgvgWBUNZ5eG5Ei8Y5pss0d4jN2xMG0ZtU8qv0vxabvug&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1291519739%3A1698225333762439
https://vk.com/doc52355237_667352314?hash=zEDslzmi2iqzNrxct8lDgzwviJyAQH0HNgf3d1Rmh6P&dl=fusKtwAsyn4UnIwHaxljeG8aYAZah7k5j7DwacWhYAc&api=1&no_preview=1#cryp
https://sso.passport.yandex.ru/push?uuid=b4b5387a-4dc9-40ae-a50c-088ac025b446&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://vk.com/doc52355237_667345691?hash=b2GSJerzQ21MGzq3fbxSH4ZU7wFsRgdMXupM5JVGGe8&dl=CHVE21CiJhK5KnfhOr6bKYBVGnvTZozjOitXlACAFDc&api=1&no_preview=1#rise
https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-21.userapi.com/c909218/u828628200/docs/d43/026941298ed6/a.bmp?extra=9KmCzHW6FEZN4c_hjWXF-FgWhxDqAhwzrh1sL_mdkgUFjkoB_oENhSPtaYj_XCrlpK5zdeuq4i-I9q8tGp5lrf4wvZp6ESTPthD-L5d66fICr_NCQ0Jh4CWCK83G052Fl_ju4E8t7KE5wq0g8Q
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=JmV9CYXdjSQ9qTNp1k5Pntqf0mOYcgNbYjV92kz0qm4%3D&spr=https&se=2023-10-26T09%3A12%3A04Z&rscl=x-e2eid-dfe33115-46c74920-9c682d65-9c3d827d-session-005fb60a-442d420e-a210e886-3c4ce8d3
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://vk.com/doc52355237_667299917?hash=ZBXZXgvR0VGrrHhRL8ouG0pmaOgq5CMqSVSg07KQ3kD&dl=VP4eeCrZnI7ZSJlYk7MTGWNlWtWgIwQmPzfjoXznkSD&api=1&no_preview=1#ww11
https://api.2ip.ua/geo.json
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
|
153
neuralshit.net(104.21.6.10) - malware
db-ip.com(104.26.4.15)
telegram.org(149.154.167.99)
lakuiksong.known.co.ke(146.59.70.14) - malware
vanaheim.cn(84.201.152.220) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
gobo04fc.top(85.143.220.63)
accounts.google.com(142.250.206.205)
sun6-23.userapi.com(95.142.206.3) - mailcious
galandskiyher5.com(95.214.26.34) - malware
potatogoose.com(104.21.35.235) - malware
www.snipes.com(104.16.223.69)
dzen.ru(62.217.160.2)
insuport.com(69.90.162.0)
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
laubenstein.space() - mailcious
jamesjordan.top() - malware
twitter.com(104.244.42.129)
msdl.microsoft.com(204.79.197.219)
yip.su(172.67.169.89) - mailcious
cdn.discordapp.com(162.159.135.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(172.67.75.166)
server13.thestatsfiles.ru(185.82.216.96)
sun6-21.userapi.com(95.142.206.1) - mailcious
a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru(185.82.216.96)
lrefjviufewmcd.org(91.215.85.209) - malware
pool.hashvault.pro(131.153.76.130) - mailcious
walkinglate.com(104.21.23.184) - malware
stun2.l.google.com(74.125.197.127)
diplodoka.net(172.67.217.52) - malware
experiment.pw(104.21.34.37) - malware
www.nakedcph.com(104.16.129.120)
ssl.gstatic.com(142.250.206.227)
api.ip.sb(172.67.75.172)
www.sivasdescalzo.com(104.18.233.222)
iplogger.com(148.251.234.93) - mailcious
gons3fc.top(85.143.220.63)
colisumy.com(181.170.86.159) - malware
zexeq.com(123.213.233.131) - malware
octocrabs.com(104.21.21.189) - mailcious
vsblobprodscussu5shard58.blob.core.windows.net(20.150.70.36)
vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36)
yandex.ru(5.255.255.70)
net.geo.opera.com(107.167.110.216)
iplis.ru(148.251.234.93) - mailcious
www.google.com(142.250.76.132)
www.maxmind.com(104.18.145.235)
sun6-22.userapi.com(95.142.206.2) - mailcious
pastebin.com(104.20.67.143) - mailcious
flyawayaero.net(172.67.216.81) - malware
grabyourpizza.com(172.67.197.174) - malware
vk.com(87.240.132.67) - mailcious
sso.passport.yandex.ru(213.180.204.24)
api.myip.com(104.26.8.59)
lycheepanel.info(104.21.32.208) - malware
148.251.234.93 - mailcious
85.217.144.143 - malware
62.122.184.92 - mailcious
62.217.160.2
85.143.220.63 - malware
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.163
172.67.187.122 - malware
83.97.73.44
142.250.76.132
185.82.216.96
176.113.115.84 - mailcious
104.21.35.235
104.16.222.69
104.75.41.21 - mailcious
121.254.136.9
74.125.197.127
49.12.116.189
45.143.201.238 - mailcious
87.240.132.78 - mailcious
109.107.182.2 - malware
171.22.28.236 - mailcious
194.169.175.128 - mailcious
162.159.135.233 - malware
84.201.152.220
87.240.129.133 - mailcious
193.233.255.73 - mailcious
104.244.42.129 - suspicious
104.21.65.24
104.21.34.37 - phishing
171.22.28.226 - malware
87.240.132.67 - mailcious
171.22.28.221 - malware
104.26.8.59
104.21.6.10 - malware
104.18.233.222
194.169.175.233 - malware
181.170.86.159
95.142.206.3 - mailcious
95.142.206.2 - mailcious
95.142.206.1 - mailcious
95.142.206.0 - mailcious
172.67.217.52 - malware
104.21.93.225 - phishing
104.21.90.82 - malware
80.66.75.77 - mailcious
69.90.162.0
142.250.204.35
104.18.145.235
95.214.26.34
77.91.124.1 - malware
104.20.68.143 - mailcious
20.150.70.36
94.142.138.113 - mailcious
104.26.5.15
208.67.104.60 - mailcious
131.153.76.130 - mailcious
80.66.75.4 - mailcious
104.26.12.31
104.21.79.77 - phishing
77.91.124.86
176.113.115.135 - mailcious
176.113.115.136 - mailcious
185.172.128.69 - malware
45.15.156.229 - mailcious
172.67.216.81 - malware
91.215.85.209 - mailcious
107.167.110.211
172.67.139.220
146.59.70.14 - malware
104.21.23.184 - malware
104.16.128.120
123.213.233.131
172.67.167.220 - malware
5.42.65.101 - mailcious
5.255.255.70
104.20.67.143 - mailcious
213.180.204.24
142.251.130.13
20.150.79.68
34.117.59.81
104.21.21.189
148.251.234.83
185.225.75.171 - mailcious
204.79.197.219
77.232.38.234 - mailcious
23.200.75.26
104.21.32.208 - malware
172.67.197.174
23.200.75.28
104.21.78.56 - malware
91.103.252.189 - malware
171.22.28.213 - malware
|
51
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET INFO Dotted Quad Host ZIP Request
|
29
http://171.22.28.226/download/WWW14_64.exe
http://109.107.182.2/race/bus50.exe
http://zexeq.com/test2/get.php
http://colisumy.com/dl/build2.exe
http://85.217.144.143/files/My2.exe
http://185.172.128.69/newumma.exe
http://45.15.156.229/api/firegate.php
http://zexeq.com/files/1/build3.exe
http://171.22.28.221/files/Ads.exe
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://galandskiyher5.com/downloads/toolspub1.exe
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://77.91.124.1/theme/index.php
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://193.233.255.73/loghub/master
http://94.142.138.113/api/firegate.php
http://171.22.28.221/files/Random.exe
http://193.42.32.118/api/firecom.php
http://171.22.28.213/3.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
https://experiment.pw/setup294.exe
https://pastebin.com/raw/HPj0MzD6
https://pastebin.com/raw/xYhKBupz
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7473 |
2023-10-25 16:50
|
 up.ps1 21440931518ff0df59af9b94e52a7c84
Lnk Format GIF Format VirusTotal Malware powershell AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
4
www.dropbox.com(162.125.84.18) - mailcious
ambjulio.com(62.72.22.30) - mailcious
62.72.22.30 - mailcious
162.125.84.18 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7474 |
2023-10-25 16:42
|
 logsconversationtelegramgukiws... 12e353c522471d522f64e0c3541a1b7d
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM WriteConsoleW |
1
https://raw.githubusercontent.com/btse3/2410/main/about.md
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7475 |
2023-10-25 13:55
|
 xK9nHGYUpDXC.exe b5953f71d7caba8a79db276bc0d15b55
AsyncRAT task schedule Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDe VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
5.6 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7476 |
2023-10-25 13:52
|
qasx.vbs ff2a2bc8850b1ad61236bd460eb61e01
Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://193.42.33.51/myn.txt
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
|
3
imageupload.io(104.21.83.102) - malware
172.67.222.26 - malware
193.42.33.51 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
15.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7477 |
2023-10-25 13:52
|
 SAN.txt.exe 6bdb7a11d0eaa407e7a7f34d794fb567
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS crashed |
|
4
api.ipify.org(64.185.227.156)
api.telegram.org(149.154.167.220)
173.231.16.77
149.154.167.220
|
6
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
4.6 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7478 |
2023-10-25 13:33
|
 MAH.txt.exe 7ea06a0e6c1e5707a23364ae6984b4f3
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
4
api.ipify.org(104.237.62.212)
api.telegram.org(149.154.167.220)
64.185.227.156
149.154.167.220
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
5.2 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7479 |
2023-10-25 13:32
|
IGCC.vbs 42bc2a9470984d793673d9aae1a933b8
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://192.3.232.37/windows/HMT.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7480 |
2023-10-25 13:32
|
 KK.txt.ps1 671cd3920752aa4da1d0d0130fb79085
Generic Malware Antivirus VirusTotal Malware powershell Check memory unpack itself powershell.exe wrote WriteConsoleW Windows Cryptographic key |
1
http://194.180.48.14:222/.RTX/cod.pdf
|
|
|
|
2.8 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7481 |
2023-10-25 13:19
|
HTMLobject.vbs 74a3ea36669a5bdbeff3775545527a92
LokiBot Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
http://141.98.6.91/windows/HNB.txt
|
8
mail.egyptscientific.com(192.185.51.90) - mailcious
imageupload.io(172.67.222.26) - malware
api.ipify.org(64.185.227.156)
104.21.83.102
141.98.6.91 - mailcious
192.185.51.90 - mailcious
64.185.227.156
23.67.53.27
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
20.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7482 |
2023-10-25 13:18
|
HTMLbrowser.vbs 80c07cfd04a28aa0b03f1396fdf81b2d
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://141.98.6.91/2150/1/MHM.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7483 |
2023-10-25 13:18
|
 HNB.txt.exe 43ec3cc0836bd759260e8cf120b79a7b
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
mail.egyptscientific.com(192.185.51.90) - mailcious
api.ipify.org(64.185.227.156)
192.185.51.90 - mailcious
104.237.62.212
23.209.95.50
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
8.0 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7484 |
2023-10-25 12:19
|
Comprobante_transfer.pdf.js c8bb8a34766ec04c304597c76d179f4b
ActiveXObject VirusTotal Malware wscript.exe payload download Check virtual network interfaces Tofsee DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://pastebin.com/raw/NVAgzFRR - rule_id: 35284
https://wtools.io/code/dl/bOoA
|
5
wtools.io(104.21.6.247) - malware
pastebin.com(104.20.68.143) - mailcious
172.67.135.130 - malware
121.254.136.9
172.67.34.170 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
|
1
https://pastebin.com/raw/NVAgzFRR
|
3.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7485 |
2023-10-25 12:19
|
cod.pdf.vbs b5ef73339bacf531b3d122ebd9509468
Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|