| 7501 |
2023-10-25 09:50
|
HTMLCachesClear.dOC ae797eafb49080484af9350259e7920a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226)
45.33.42.226
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
|
|
2.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7502 |
2023-10-25 09:49
|
 timeSync.exe b493dabf9da2cf24146955b3c9aeb7be
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7503 |
2023-10-24 14:55
|
 build.exe 3ed791d0d3ef43adf351275e0e2d5eb1
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7504 |
2023-10-24 14:41
|
 mashilao.txt.exe da5957bd18549edc1c451f1ab98aa4c5
AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName crashed |
|
|
|
|
3.8 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7505 |
2023-10-24 10:03
|
setup.7z 4c65dedbb73fbb8d9daae8179d67082b
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Lumma Stealer DNS |
8
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://dannyleagy.fun/api
http://volkels.fun/api
https://volkels.fun/api
https://psv4.userapi.com/c909328/u52355237/docs/d47/c541f110e091/Installation.bmp?extra=UgwBGkMcfjcRXxJpAN_ASDuA0Ulq2C1OYolHMcvZH2Z240wWgFPur2bYY2ipG1c__XCmg7VaCVjAHzDdCrA1S8XNsrR_lsV0QDzjRvhM0brwyhjZhKAOz1A4_7Q9pVPYoNMU8ICt2QCICYFC
https://vk.com/doc52355237_667317398?hash=Nzo9Lpy2lnkLk0e9i3sM5Q7Rmhu0skEqTijVFqSmRV4&dl=zTGHW6YEQC0elKjKTCqYaLRzYnULI1fc07ZVd4bICGH&api=1&no_preview=1
https://api.myip.com/
|
13
psv4.userapi.com(87.240.190.89)
api.myip.com(172.67.75.163)
ipinfo.io(34.117.59.81)
dannyleagy.fun(104.21.92.100)
volkels.fun(104.21.42.158)
vk.com(87.240.132.67) - mailcious
104.21.92.100 - mailcious
172.67.163.133 - malware
172.67.75.163
87.240.190.89
87.240.129.133 - mailcious
94.142.138.131 - mailcious
34.117.59.81
|
6
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://94.142.138.131/api/firegate.php
http://94.142.138.131/api/tracemap.php
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7506 |
2023-10-24 09:41
|
luoves.vbs 0ce3fdcbefda30517ac10b2fdf96f426
AgentTesla Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key crashed |
2
http://95.214.27.121/mashilao.txt
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
|
3
imageupload.io(104.21.83.102) - malware
172.67.222.26 - malware
95.214.27.121 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
15.2 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7507 |
2023-10-24 09:37
|
 stodio.ps1 0c98e19efb1135d07bb79af8bee0956d
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key |
|
|
|
|
1.2 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7508 |
2023-10-24 09:37
|
millianozx.doc b394ab992ac85ab0fefc4a7d3d181bbd
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash suspicious TLD Windows Exploit DNS crashed |
11
http://www.kectapp.xyz/qbru/
http://www.jantanslot.xyz/qbru/
http://www.micsites.com/qbru/?11=mDZ2amPM8lWqbeAYWcDKqdpiecTJ9prCGyOd2oWqi+yKbAV58Q/8VgXtpTMQ/k9YpjQqe6WeoDmxmXaptUBmMq6sDIRlbyaAuf4h15w=&LQk=H8uqa
http://www.0857.bet/qbru/
http://www.thefulfilleddog.net/qbru/?11=1EPu3c3qpncBWw5AsPbmO/uk1IuylEz0DkrYlvCIwqSSQ2S5BpR/UJA6bHVgZ1CeA3nqd3Tiw9yI3Ym4nbGMG+qDHZJm8eYC1fBVsac=&LQk=H8uqa
http://www.thefulfilleddog.net/qbru/
http://www.micsites.com/qbru/
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
http://www.0857.bet/qbru/?11=k1gkcJ6tXVBJWcfD5JFdj9jh1GwKScxeJP6VCK1BK8ixvV5VgN0eYG6gTrvugstFS6wF93GzuEqrlILkxAhWglV5VSYx8lCBsUKmTZc=&LQk=H8uqa
http://www.jantanslot.xyz/qbru/?11=kMrvYXKBNwaF4E5tRezPj5SMX6XQ+ILaa8SXqvb1iySbFntGTH4YGFtALrA4UwFGSL+bmisufUZFVXdWgTdYvXpvkIKAL06RY9IgoHM=&LQk=H8uqa
http://fresh1.ironoreprod.top/_errorpages/millianozx.exe
|
12
www.thefulfilleddog.net(91.195.240.19)
www.rinconesdetenerife.com()
www.micsites.com(162.241.63.76)
www.jantanslot.xyz(91.195.240.19)
www.kectapp.xyz(162.0.233.82)
www.0857.bet(91.195.240.19)
fresh1.ironoreprod.top(172.67.166.168) - mailcious
91.195.240.19 - mailcious
172.67.166.168 - mailcious
162.0.233.82
162.241.63.76
45.33.6.223
|
5
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
|
|
4.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7509 |
2023-10-24 09:36
|
 2.txt.ps1 aadf28a8133c1568c175e89318d94c7c
Generic Malware Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows Cryptographic key |
1
http://185.81.157.105:555/T.jpg
|
|
|
|
1.2 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7510 |
2023-10-24 07:55
|
 sus.exe 7412fa29d56312aeba1f8b6270233b3c
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware PDB Code Injection buffers extracted DNS |
|
1
|
|
|
7.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7511 |
2023-10-24 07:54
|
 millianozx.exe 457727c9b8dd78217d49bea020449909
AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser DNS |
14
http://www.kectapp.xyz/qbru/?anOq=AKv6Sx9RVd6z2/31a4gR3Wgyc3JtU8qKmPe7+UrIL8TjLxsJecLezwQjuZ98RUtGdoqXoCw2Dq51ZBZibaR07jPp//OuLsnn2xhjFf8=&3a2x=2fb-JND6m3
http://www.lobbytoto.monster/qbru/?anOq=iQ92ur2Sdw35d14MbXAly4d2Faqd60R4I1Dw/Tl8gFH8stlpyoNHbAizaH+Bw3DHRGVIsqMgKgbAqfkREWr/tUz6nTc7E4egZH6ltrM=&3a2x=2fb-JND6m3
http://www.thefulfilleddog.net/qbru/?anOq=1EPu3c3qpncBWw5AsPbmO/uk1IuylEz0DkrYlvCIwqSSQ2S5BpR/UJA6bHVgZ1CeA3nqd3Tiw9yI3Ym4nbGMG+qDHZJm8eYC1fBVsac=&3a2x=2fb-JND6m3
http://www.jantanslot.xyz/qbru/
http://www.noobblaster.com/qbru/?anOq=JwUQbw9gdYZct0LJFqgQhomntkVU4J4oJl17WXJ+AFRyfT4sHnCJTE/q+g/8FXC2UPAGWJVVrTRCX1X2jmb+aDKdlWJFqx0qGNhg4lw=&3a2x=2fb-JND6m3
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.micsites.com/qbru/?anOq=mDZ2amPM8lWqbeAYWcDKqdpiecTJ9prCGyOd2oWqi+yKbAV58Q/8VgXtpTMQ/k9YpjQqe6WeoDmxmXaptUBmMq6sDIRlbyaAuf4h15w=&3a2x=2fb-JND6m3
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
http://www.investpenedes.cat/qbru/?anOq=YZJFXZ9xfpf30tJgDxxTGEGE+KMVd/EzeWPkmUEDc5guDi5jW3/N8gPEof6kX9EypdrpCcrqioTdxt2KvHn8uye9Hb50fauqm3W9FDg=&3a2x=2fb-JND6m3
http://www.jantanslot.xyz/qbru/?anOq=kMrvYXKBNwaF4E5tRezPj5SMX6XQ+ILaa8SXqvb1iySbFntGTH4YGFtALrA4UwFGSL+bmisufUZFVXdWgTdYvXpvkIKAL06RY9IgoHM=&3a2x=2fb-JND6m3
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
http://www.0857.bet/qbru/?anOq=k1gkcJ6tXVBJWcfD5JFdj9jh1GwKScxeJP6VCK1BK8ixvV5VgN0eYG6gTrvugstFS6wF93GzuEqrlILkxAhWglV5VSYx8lCBsUKmTZc=&3a2x=2fb-JND6m3
|
17
www.lobbytoto.monster(91.195.240.123)
www.thefulfilleddog.net(91.195.240.19)
www.rinconesdetenerife.com()
www.micsites.com(162.241.63.76)
www.jantanslot.xyz(91.195.240.19)
www.kectapp.xyz(162.0.233.82)
www.0857.bet(91.195.240.19)
www.investpenedes.cat(137.135.184.158)
www.noobblaster.com(167.172.228.26)
91.195.240.19 - mailcious
137.135.184.158
162.0.233.82
91.195.240.123 - mailcious
167.172.228.26 - mailcious
162.241.63.76
45.33.6.223
157.240.215.35
|
|
|
10.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7512 |
2023-10-24 07:51
|
 angi.exe f281b31a99932f0d6c1fa3dd0649a36a
Gen1 Generic Malware Malicious Library UPX Antivirus PE File PE64 OS Processor Check DLL PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AppData folder sandbox evasion Ransomware Lumma Stealer Browser ComputerName |
1
|
2
bluesaks.fun(104.21.34.166)
172.67.163.21
|
2
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
|
|
7.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7513 |
2023-10-24 07:50
|
 texaszx.exe 2aaebe44a0a2a7f2512f13a45a979406
PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
6
api.ipify.org(64.185.227.156)
142.251.220.78
162.0.232.65 - phishing
64.185.227.156
172.217.31.10
142.250.66.67
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7514 |
2023-10-24 07:50
|
 foto2552.exe 5e967436bbe28a1b2b6d4016ae7b5024
Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyz5YVxzRBWdpyuUtppgdvRy2Tw194Av0LWqrv008iX9c7bZnoHLo250QAw7Iz6oyudGemXR1A
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?6-E0fA
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://accounts.google.com/
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxQBLRrENNzDGU7Qlkoss48yKJ12ueLob1lnUSvITk9Wdk0c8W1-KA6F38Oypk5hTx5sGjsKg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S470064247%3A1698101077522125
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.google.com/favicon.ico
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://fonts.googleapis.com/css?family=Roboto:400,500
|
18
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.31.35)
www.google.com(142.250.76.132)
www.youtube.com(142.251.222.14) - mailcious
fonts.googleapis.com(172.217.161.234)
accounts.google.com(142.250.206.205)
fonts.gstatic.com(142.250.207.99)
142.251.220.78
142.251.220.45
77.91.124.86
172.217.27.36
51.68.143.81
193.233.255.73 - mailcious
77.91.124.1 - malware
172.217.24.227
172.217.31.10
157.240.215.35
142.250.66.67
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.124.1/theme/index.php
|
20.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7515 |
2023-10-24 07:48
|
 snow.exe bd136d61e094dd46fae5f3fda5d18d48
LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mymobileorder.com(162.0.232.65) - mailcious
api.ipify.org(64.185.227.156)
162.0.232.65 - phishing
64.185.227.156
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
14.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|