7471 |
2023-10-26 10:23
|
timeSync.exe ab629ce2f730accf1ccfe3c5054d6c1b Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7472 |
2023-10-25 18:27
|
File.7z 86f0e6986a754d96179b2c20d8db49b6 PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Cryptocurrency Miner Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser Trojan DNS Downloader CoinMiner |
80
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://109.107.182.2/race/bus50.exe - rule_id: 37496 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://85.217.144.143/files/townpublishing.exe http://colisumy.com/dl/build2.exe - rule_id: 31026 http://49.12.116.189/upload.zip http://85.217.144.143/files/My2.exe - rule_id: 34643 http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.69/newumma.exe - rule_id: 37499 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.124.1/theme/index.php - rule_id: 37040 http://gons3fc.top/build.exe http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://176.113.115.84:8080/4.php - rule_id: 34795 http://193.233.255.73/loghub/master - rule_id: 37500 http://gobo04fc.top/build.exe http://94.142.138.113/api/firegate.php - rule_id: 36152 http://171.22.28.221/files/Random.exe - rule_id: 37434 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 http://www.google.com/ https://sun6-22.userapi.com/c909328/u52355237/docs/d36/94e70066ac80/PL_Client.bmp?extra=GYu9pTC-Wl1Sg_fchSUawzC7SOJQ5mf6X2A3Lm8ZE1bmn4F7iqzq_0_-pgTnEnf4Z8ETAumkli_vcaYV1Z_ULFP_mNBGwhECBvqkXysXuH9Sz8e5J6_7zGC5Vyj2-tcbfXz3qBeXxZZmpG6k https://vk.com/doc52355237_667343838?hash=zdFRocOdJtT0IyxFdnygjsrvYEitfza6BvyL25bGpZD&dl=sHDqrRzc8uNalY3nwHHztHxEdFCN6CpN55OVgGQqijL&api=1&no_preview=1#1 https://steamcommunity.com/profiles/76561199564671869 https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397 https://accounts.google.com/generate_204?CDdS5w https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://potatogoose.com/976b26ee384bf2dcf27abfc3b8d028eb/baf14778c246e15550645e30ba78ce1c.exe https://www.google.com/favicon.ico https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://api.ip.sb/ip https://experiment.pw/setup294.exe - rule_id: 37436 https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403 https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=hjMZy0D95eSFxb%2FYE%2Fdrj5C6tndz19A2RfpDONXthx4%3D&spr=https&se=2023-10-26T09%3A35%3A45Z&rscl=x-e2eid-cd83c9d1-11ee493e-8ec461f2-562aef4b-session-3b3dacd9-31504d5f-bf9a4f83-796fb600 https://vk.com/doc52355237_667339795?hash=Vr6hZn5xlDzZsz30TpnTzHAO4DHKke3DmD4kGhoeqoH&dl=6fzaZ8xtsOzOd75auvzL1Z7h0auXHva7GD7UyQqxDDo&api=1&no_preview=1 https://sun6-22.userapi.com/c909618/u52355237/docs/d51/b8b9a3f0dc19/RisePro_0_9.bmp?extra=S_Pw_XtG5PO3pErgyMk8rmhNNVpFLN7JZFRZb7P0DQbCvb25kgrWOiITEqnQ1DrUrLRqlEiLjGGyyXplnWiQQv40Gxo9KL6bmVJWDYrct0qqfiD8S9zjDR328l71NfIg7q089wragM-LuguC https://vk.com/doc52355237_667363057?hash=EFGn7JDa1yL3d80vbqsB9WZH2w3XpT5V6LPR4VEBzc4&dl=QJPdu5Tzl9CEda3jy8BmjsTGIU8RaodEGQVRlC2jmdD&api=1&no_preview=1#all https://sun6-22.userapi.com/c909328/u52355237/docs/d39/fea02e6516ef/all.bmp?extra=1jLtQoDZlkXee5oo1ICc_9GEajaJa4WgEW2aW76jh1X4r0G8nBKsO1fC-UITCjUotA9USMbQHx2E534DFNgrHG_ven327gh2BTuXaBkk_4hLBUxns9Tv5eHEyBEemy9O9cRIt33iy9__px79 https://api.myip.com/ https://sun6-22.userapi.com/c909618/u52355237/docs/d26/cc55b2954aea/crypted.bmp?extra=xLNs08HOc2FVnDJsDb3fD8GFoFKmCU7QJz_fRbm4cuX-Ud8sbS3ZYM4raB86hLMg30wxZWxsHLUDDk07eXkgw1zAbBCXdaTfzZ9SmqURbHH51SmXU4eNGjrBU_f7Jo6Q2J1vJSYawZTYv0pt https://msdl.microsoft.com/download/symbols/index2.txt https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb https://yip.su/RNWPd.exe https://diplodoka.net/976b26ee384bf2dcf27abfc3b8d028eb/7a54bdb20779c4359694feaa1398dd25.exe https://sun6-22.userapi.com/c909518/u52355237/docs/d5/1aa2c5f38718/test23.bmp?extra=9FhCUwRY0gis9rghwSNws5CZNzCYS1cFvSzMovIC4R9pgAu6f-6BHFvxk7A3VnUhzurcljGxSjA3h1u1s_urlUUF8X-lH3axsr1NmjA9bVbhXg_8fAna1HNi9FXqmBMzfYbdJ8NBaWlajfQ7 https://vk.com/doc52355237_667363160?hash=90eo1ggSa79KsVZPaYy6x9lScec24zb12wdY8O5unQk&dl=m7LLs87D1wJQyUxzU3MK1qZzpMIcxisi2LpUtD1jlOs&api=1&no_preview=1#test22 https://dzen.ru/?yredirect=true https://sun6-23.userapi.com/c235131/u52355237/docs/d29/9072feeb59e1/2.bmp?extra=anTEO8FrVGu00Q5VjCfBzfV6wA1wHhJ4v3kJhx0qWWZQbBF7ZjM9pGJCaiS-ZPprUSRJiLz6BgcrTKyf9D1xg2NvZAKTna40r0l84UKOHs6o-eobD5J99sFFPZGpyzmim2vkG5mjF5IJtf23 https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyykJNODYDpIHqhOifsHXhwJQmK8zndb5lyvjBtQuk9jZeMf94g9TWw4WX1eVNV9XYlWLO5icg https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://sun6-22.userapi.com/c909218/u52355237/docs/d42/60d05adee2f0/WWW11_32.bmp?extra=C65rMG9a2ZLgS4-qRwSgkiSxHJ3RAaH3KFKeI6EmSeeje_84SPUwWXjC_3sPq8LlWHKSPAXwi3EVIIkD0RFllrJ7VuliWNF78K0_YqEAepb9uoFHLsXGRl9gQ5Yenv5OHgw81aIn24dCy__n https://vk.com/doc828628200_671409039?hash=0yEYLUUztkFa1eCd0vT01xEQlMXCn20q2EbUpZXcuIP&dl=Mz4XiECwpxCz6uTiBkS3szJG5kfAHZDNnQub6U5y8Do&api=1&no_preview=1 https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://sun6-23.userapi.com/c909518/u52355237/docs/d59/b2220ffab81c/d432j89adg.bmp?extra=fPb2B9ko9Mhx2DzFJ1UkjS4bmg5SfYI4NNWBqcF0aiYSAU5AZdPLvdhQqhn8ujfkWsa5z86DgnzoIkQaGeBFjxxg_BisIc9O5Kwa1JhnN-RSdiZG-vmmpRjn_ZaVPz_ccs1EJjKOIIEUE1Ns https://sun6-20.userapi.com/c237231/u52355237/docs/d30/24459ebe9485/crypted.bmp?extra=G9O9Z5VhCwn1IjHZMEeC96bT7TZPJN8bQD-u_isK9maVUv8bgsaMkkehRuoCWJvCMzxY1RJKKn6oA1e40Wf5bbv_o9I-NxdvV3Mk7krC79T7DX_qSTi5qr4ZLmbvRGkLp-Bll9JOEJ1Kahsn https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywL3WvaP67WC1xBgQHpszVeSkZSzqgvgWBUNZ5eG5Ei8Y5pss0d4jN2xMG0ZtU8qv0vxabvug&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1291519739%3A1698225333762439 https://vk.com/doc52355237_667352314?hash=zEDslzmi2iqzNrxct8lDgzwviJyAQH0HNgf3d1Rmh6P&dl=fusKtwAsyn4UnIwHaxljeG8aYAZah7k5j7DwacWhYAc&api=1&no_preview=1#cryp https://sso.passport.yandex.ru/push?uuid=b4b5387a-4dc9-40ae-a50c-088ac025b446&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://vk.com/doc52355237_667345691?hash=b2GSJerzQ21MGzq3fbxSH4ZU7wFsRgdMXupM5JVGGe8&dl=CHVE21CiJhK5KnfhOr6bKYBVGnvTZozjOitXlACAFDc&api=1&no_preview=1#rise https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://sun6-21.userapi.com/c909218/u828628200/docs/d43/026941298ed6/a.bmp?extra=9KmCzHW6FEZN4c_hjWXF-FgWhxDqAhwzrh1sL_mdkgUFjkoB_oENhSPtaYj_XCrlpK5zdeuq4i-I9q8tGp5lrf4wvZp6ESTPthD-L5d66fICr_NCQ0Jh4CWCK83G052Fl_ju4E8t7KE5wq0g8Q https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=JmV9CYXdjSQ9qTNp1k5Pntqf0mOYcgNbYjV92kz0qm4%3D&spr=https&se=2023-10-26T09%3A12%3A04Z&rscl=x-e2eid-dfe33115-46c74920-9c682d65-9c3d827d-session-005fb60a-442d420e-a210e886-3c4ce8d3 https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716 https://vk.com/doc52355237_667299917?hash=ZBXZXgvR0VGrrHhRL8ouG0pmaOgq5CMqSVSg07KQ3kD&dl=VP4eeCrZnI7ZSJlYk7MTGWNlWtWgIwQmPzfjoXznkSD&api=1&no_preview=1#ww11 https://api.2ip.ua/geo.json https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
|
153
neuralshit.net(104.21.6.10) - malware db-ip.com(104.26.4.15) telegram.org(149.154.167.99) lakuiksong.known.co.ke(146.59.70.14) - malware vanaheim.cn(84.201.152.220) - mailcious t.me(149.154.167.99) - mailcious ipinfo.io(34.117.59.81) gobo04fc.top(85.143.220.63) accounts.google.com(142.250.206.205) sun6-23.userapi.com(95.142.206.3) - mailcious galandskiyher5.com(95.214.26.34) - malware potatogoose.com(104.21.35.235) - malware www.snipes.com(104.16.223.69) dzen.ru(62.217.160.2) insuport.com(69.90.162.0) api.2ip.ua(104.21.65.24) steamcommunity.com(104.75.41.21) - mailcious iplogger.org(148.251.234.83) - mailcious laubenstein.space() - mailcious jamesjordan.top() - malware twitter.com(104.244.42.129) msdl.microsoft.com(204.79.197.219) yip.su(172.67.169.89) - mailcious cdn.discordapp.com(162.159.135.233) - malware sun6-20.userapi.com(95.142.206.0) - mailcious api.db-ip.com(172.67.75.166) server13.thestatsfiles.ru(185.82.216.96) sun6-21.userapi.com(95.142.206.1) - mailcious a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru(185.82.216.96) lrefjviufewmcd.org(91.215.85.209) - malware pool.hashvault.pro(131.153.76.130) - mailcious walkinglate.com(104.21.23.184) - malware stun2.l.google.com(74.125.197.127) diplodoka.net(172.67.217.52) - malware experiment.pw(104.21.34.37) - malware www.nakedcph.com(104.16.129.120) ssl.gstatic.com(142.250.206.227) api.ip.sb(172.67.75.172) www.sivasdescalzo.com(104.18.233.222) iplogger.com(148.251.234.93) - mailcious gons3fc.top(85.143.220.63) colisumy.com(181.170.86.159) - malware zexeq.com(123.213.233.131) - malware octocrabs.com(104.21.21.189) - mailcious vsblobprodscussu5shard58.blob.core.windows.net(20.150.70.36) vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36) yandex.ru(5.255.255.70) net.geo.opera.com(107.167.110.216) iplis.ru(148.251.234.93) - mailcious www.google.com(142.250.76.132) www.maxmind.com(104.18.145.235) sun6-22.userapi.com(95.142.206.2) - mailcious pastebin.com(104.20.67.143) - mailcious flyawayaero.net(172.67.216.81) - malware grabyourpizza.com(172.67.197.174) - malware vk.com(87.240.132.67) - mailcious sso.passport.yandex.ru(213.180.204.24) api.myip.com(104.26.8.59) lycheepanel.info(104.21.32.208) - malware 148.251.234.93 - mailcious 85.217.144.143 - malware 62.122.184.92 - mailcious 62.217.160.2 85.143.220.63 - malware 149.154.167.99 - mailcious 193.42.32.118 - mailcious 172.67.75.163 172.67.187.122 - malware 83.97.73.44 142.250.76.132 185.82.216.96 176.113.115.84 - mailcious 104.21.35.235 104.16.222.69 104.75.41.21 - mailcious 121.254.136.9 74.125.197.127 49.12.116.189 45.143.201.238 - mailcious 87.240.132.78 - mailcious 109.107.182.2 - malware 171.22.28.236 - mailcious 194.169.175.128 - mailcious 162.159.135.233 - malware 84.201.152.220 87.240.129.133 - mailcious 193.233.255.73 - mailcious 104.244.42.129 - suspicious 104.21.65.24 104.21.34.37 - phishing 171.22.28.226 - malware 87.240.132.67 - mailcious 171.22.28.221 - malware 104.26.8.59 104.21.6.10 - malware 104.18.233.222 194.169.175.233 - malware 181.170.86.159 95.142.206.3 - mailcious 95.142.206.2 - mailcious 95.142.206.1 - mailcious 95.142.206.0 - mailcious 172.67.217.52 - malware 104.21.93.225 - phishing 104.21.90.82 - malware 80.66.75.77 - mailcious 69.90.162.0 142.250.204.35 104.18.145.235 95.214.26.34 77.91.124.1 - malware 104.20.68.143 - mailcious 20.150.70.36 94.142.138.113 - mailcious 104.26.5.15 208.67.104.60 - mailcious 131.153.76.130 - mailcious 80.66.75.4 - mailcious 104.26.12.31 104.21.79.77 - phishing 77.91.124.86 176.113.115.135 - mailcious 176.113.115.136 - mailcious 185.172.128.69 - malware 45.15.156.229 - mailcious 172.67.216.81 - malware 91.215.85.209 - mailcious 107.167.110.211 172.67.139.220 146.59.70.14 - malware 104.21.23.184 - malware 104.16.128.120 123.213.233.131 172.67.167.220 - malware 5.42.65.101 - mailcious 5.255.255.70 104.20.67.143 - mailcious 213.180.204.24 142.251.130.13 20.150.79.68 34.117.59.81 104.21.21.189 148.251.234.83 185.225.75.171 - mailcious 204.79.197.219 77.232.38.234 - mailcious 23.200.75.26 104.21.32.208 - malware 172.67.197.174 23.200.75.28 104.21.78.56 - malware 91.103.252.189 - malware 171.22.28.213 - malware
|
51
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 19 SURICATA Applayer Mismatch protocol both directions ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Executable Download from dotted-quad Host ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious services.exe in URI ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.pw domain - Likely Hostile ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Possible EXE Download From Suspicious TLD ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET INFO Dotted Quad Host ZIP Request
|
29
http://171.22.28.226/download/WWW14_64.exe http://109.107.182.2/race/bus50.exe http://zexeq.com/test2/get.php http://colisumy.com/dl/build2.exe http://85.217.144.143/files/My2.exe http://185.172.128.69/newumma.exe http://45.15.156.229/api/firegate.php http://zexeq.com/files/1/build3.exe http://171.22.28.221/files/Ads.exe http://94.142.138.113/api/tracemap.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://galandskiyher5.com/downloads/toolspub1.exe http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://77.91.124.1/theme/index.php http://45.15.156.229/api/tracemap.php http://176.113.115.84:8080/4.php http://193.233.255.73/loghub/master http://94.142.138.113/api/firegate.php http://171.22.28.221/files/Random.exe http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe https://experiment.pw/setup294.exe https://pastebin.com/raw/HPj0MzD6 https://pastebin.com/raw/xYhKBupz https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7473 |
2023-10-25 16:50
|
up.ps1 21440931518ff0df59af9b94e52a7c84 Lnk Format GIF Format VirusTotal Malware powershell AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
4
www.dropbox.com(162.125.84.18) - mailcious ambjulio.com(62.72.22.30) - mailcious 62.72.22.30 - mailcious 162.125.84.18 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7474 |
2023-10-25 16:42
|
logsconversationtelegramgukiws... 12e353c522471d522f64e0c3541a1b7d Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM WriteConsoleW |
1
https://raw.githubusercontent.com/btse3/2410/main/about.md
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7475 |
2023-10-25 13:55
|
xK9nHGYUpDXC.exe b5953f71d7caba8a79db276bc0d15b55 AsyncRAT task schedule Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDe VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
5.6 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7476 |
2023-10-25 13:52
|
qasx.vbs ff2a2bc8850b1ad61236bd460eb61e01 Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://193.42.33.51/myn.txt https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
|
3
imageupload.io(104.21.83.102) - malware 172.67.222.26 - malware 193.42.33.51 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
15.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7477 |
2023-10-25 13:52
|
SAN.txt.exe 6bdb7a11d0eaa407e7a7f34d794fb567 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS crashed |
|
4
api.ipify.org(64.185.227.156) api.telegram.org(149.154.167.220) 173.231.16.77 149.154.167.220
|
6
ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET HUNTING Telegram API Domain in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
4.6 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7478 |
2023-10-25 13:33
|
MAH.txt.exe 7ea06a0e6c1e5707a23364ae6984b4f3 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
4
api.ipify.org(104.237.62.212) api.telegram.org(149.154.167.220) 64.185.227.156 149.154.167.220
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Telegram API Domain in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
5.2 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7479 |
2023-10-25 13:32
|
IGCC.vbs 42bc2a9470984d793673d9aae1a933b8 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://192.3.232.37/windows/HMT.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7480 |
2023-10-25 13:32
|
KK.txt.ps1 671cd3920752aa4da1d0d0130fb79085 Generic Malware Antivirus VirusTotal Malware powershell Check memory unpack itself powershell.exe wrote WriteConsoleW Windows Cryptographic key |
1
http://194.180.48.14:222/.RTX/cod.pdf
|
|
|
|
2.8 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7481 |
2023-10-25 13:19
|
HTMLobject.vbs 74a3ea36669a5bdbeff3775545527a92 LokiBot Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
http://141.98.6.91/windows/HNB.txt
|
8
mail.egyptscientific.com(192.185.51.90) - mailcious
imageupload.io(172.67.222.26) - malware
api.ipify.org(64.185.227.156) 104.21.83.102
141.98.6.91 - mailcious
192.185.51.90 - mailcious
64.185.227.156
23.67.53.27
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
20.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7482 |
2023-10-25 13:18
|
HTMLbrowser.vbs 80c07cfd04a28aa0b03f1396fdf81b2d Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://141.98.6.91/2150/1/MHM.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7483 |
2023-10-25 13:18
|
HNB.txt.exe 43ec3cc0836bd759260e8cf120b79a7b Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
mail.egyptscientific.com(192.185.51.90) - mailcious api.ipify.org(64.185.227.156) 192.185.51.90 - mailcious 104.237.62.212 23.209.95.50
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
|
|
8.0 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7484 |
2023-10-25 12:19
|
Comprobante_transfer.pdf.js c8bb8a34766ec04c304597c76d179f4b ActiveXObject VirusTotal Malware wscript.exe payload download Check virtual network interfaces Tofsee DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://pastebin.com/raw/NVAgzFRR - rule_id: 35284
https://wtools.io/code/dl/bOoA
|
5
wtools.io(104.21.6.247) - malware
pastebin.com(104.20.68.143) - mailcious 172.67.135.130 - malware
121.254.136.9
172.67.34.170 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
|
1
https://pastebin.com/raw/NVAgzFRR
|
3.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7485 |
2023-10-25 12:19
|
cod.pdf.vbs b5ef73339bacf531b3d122ebd9509468 Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|