| 7516 |
2023-10-24 07:48
|
 nalo.exe 35ec78636adb2e2094fc506736d9ffe1
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware PDB Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS |
1
http://193.233.255.73/loghub/master - rule_id: 37500
|
1
193.233.255.73 - mailcious
|
2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.255.73/loghub/master
|
8.2 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7517 |
2023-10-24 07:48
|
 newmar.exe 6020dace849357f1667a1943c8db7291
Emotet Gen1 Malicious Library UPX Confuser .NET AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check icon PE64 DllRegisterServer dll MZP Format DLL VirusTotal Cryptocurrency Miner Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed CoinMiner |
|
7
xmr-eu1.nanopool.org(135.125.238.108) - mailcious
pastebin.com(104.20.67.143) - mailcious
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
51.68.143.81
51.15.193.130
172.67.34.170 - mailcious
|
6
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
11.4 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7518 |
2023-10-24 07:46
|
 2.exe ad122be61ff9f19db11fd4ff53178d09
Malicious Library UPX PE File PE32 MZP Format Remote Code Execution |
|
1
|
|
|
0.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7519 |
2023-10-24 07:46
|
 timeSync.exe 7c67bbeaf13309161aa474205259692f
Malicious Library UPX PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution |
|
|
|
|
1.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7520 |
2023-10-23 17:08
|
 sus.exe 2e3f17e7e9001ff7b7cf8ab412462a48
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB Code Injection buffers extracted |
|
|
|
|
7.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7521 |
2023-10-23 16:58
|
 foto2552.exe 4cdb3ee7e130e01a02d7b8a7d8dae6ec
Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://www.google.com/favicon.ico
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywD2xgLxszRIN_7MaKSoUaoYTMvRFg50b2S5b8UluthbcUsGRE-8e1g-xdevGcqP20z4uow
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://accounts.google.com/
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?S178ZQ
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywTlS8RSTMSloorftkjj1lY_2tWmEzy5429BwqOoerpQlAzoTk3QhoMS2hENHZmnLEtBloUjQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023002296%3A1698047601366063
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://fonts.googleapis.com/css?family=Roboto:400,500
|
17
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.215.35)
www.google.com(142.250.76.132)
www.youtube.com(142.250.207.14) - mailcious
fonts.googleapis.com(142.250.206.234)
accounts.google.com(142.250.206.205)
fonts.gstatic.com(142.250.207.99)
142.250.207.67
157.240.31.35
142.250.204.109
142.250.66.132
193.233.255.73 - mailcious
109.107.182.133
172.217.31.3
77.91.124.1 - malware
172.217.24.110
142.250.66.106
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.124.1/theme/index.php
|
20.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7522 |
2023-10-23 16:52
|
 nalo.exe 99187f5197d70ceccc4e0fde10fc7f30
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware PDB Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS |
1
http://193.233.255.73/loghub/master - rule_id: 37500
|
1
193.233.255.73 - mailcious
|
2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.255.73/loghub/master
|
9.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7523 |
2023-10-23 16:50
|
 herom.exe 979c731d6aee4715335cd65dd1bcc21e
Malicious Library PE File PE32 DLL Check memory Checks debugger Creates executable files unpack itself AppData folder WriteConsoleW |
|
|
|
|
2.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7524 |
2023-10-23 16:47
|
 cbchr.exe d88a06a393582a79ab6da48982ec87ae
Generic Malware Downloader Malicious Library UPX Malicious Packer Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 OS P VirusTotal Malware AutoRuns Code Injection Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
4.2 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7525 |
2023-10-23 16:08
|
setup.7z a4e3febc2031d844ad89ed5f3ed2c206
Stealc PrivateLoader Amadey Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c powershell Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
57
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://gobo03fc.top/build.exe
http://wyattsebastian.top/e9c345fc99a4e67e.php - rule_id: 37497
http://109.107.182.2/race/bus50.exe - rule_id: 37496
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://77.91.68.249/fuza/sus.exe
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://77.91.68.249/fuza/foto2552.exe
http://185.172.128.69/newumma.exe - rule_id: 37499
http://jackantonio.top/timeSync.exe - rule_id: 37357
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://77.91.68.249/zoom/angi.exe
http://171.22.28.221/files/Ads.exe - rule_id: 37468
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://77.91.68.249/fuza/2.ps1
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/index.php - rule_id: 37040
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://193.233.255.73/loghub/master - rule_id: 37500
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://171.22.28.213/3.exe - rule_id: 37068
http://www.google.com/
https://db-ip.com/demo/home.php?s=175.208.134.152
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://diplodoka.net/16d7385732355adc773732b0327e9c0c/7a54bdb20779c4359694feaa1398dd25.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397
https://experiment.pw/setup294.exe - rule_id: 37436
https://potatogoose.com/16d7385732355adc773732b0327e9c0c/baf14778c246e15550645e30ba78ce1c.exe
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU44eu8GW5XHCV-7gyuNDh4krMD77l0Vqy
https://api.myip.com/
https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
https://sun6-20.userapi.com/c909518/u52355237/docs/d7/9d03fcd9d5bd/test2222.bmp?extra=Wry9QF8NRzHXFhuAyX10K2cUiDS0DTKoIRmO3Gdqy2Pqlg5wpKdUMJGOb4-PdzAqr5weQJRr6xl0yQWHUlmTdrUW1y_n1wiM2ewm5-R5m1ExpU4IOhw5iaaLryf706xSvx5M-MQjL18eDFOc
https://sun6-23.userapi.com/c909618/u52355237/docs/d9/334aaa965d98/tmvwr.bmp?extra=8vKP1hUU8FXC9Qe8mMCGvUfa8Cp8pOwsD2JU4mCuyllGkHmKNdLdm5pJBH5n8fLgBYOEugKzlYD-S8BALhWt6cB4_4dQu6dsu8wxVcZgawhp4z7JO3yqL-PS8fMBHOwRaKfmmF-W_XhYYWdH
https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9-ZsHTgq9slIJgndIgavwE7f4PVOoEQjB
https://dzen.ru/?yredirect=true
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://api.2ip.ua/geo.json
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU5YWu8GW5XHCV-7gyvoe17RzAXLzj21i0
https://neuralshit.net/bd7fce869cc9dad0938390c13f85c712/7725eaa6592c80f8124e769b4e8a07f7.exe
https://sun6-23.userapi.com/c235031/u52355237/docs/d21/7cb744cd40e6/crypted.bmp?extra=ijasbvJahzXSeNdqXSXLMGpGHvjz4jGBIbrjMTotAwPSDg7ZJWoTCMEgnrXhoT-UPrEIyIsw-zYLJvngWwPvMPOtEmMltl6PXIlTO5aNN0Qq0AxSsWwHuMhtvwLx9L6tGIXloB7OODUZzlM9
https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9_5kHTgq9slIJgndI1KD0Q-CqPlv7RQef
https://sun6-20.userapi.com/c237131/u52355237/docs/d23/7cd7043f8e90/New_crypt_test.bmp?extra=vYj8TsuI4Mh2GARpTfNUmOIhtAIFlk_aV6rN4fuV8RoazN2oSjvkW3gF0yYbSbvEdEIhlBKvLFNzrDhjXjuLtzBxm3t7UAjcRP6wVkJIC2mfq9v9-q12np5vLrprxlhFhALs6yun22McEsNj
https://sso.passport.yandex.ru/push?uuid=9d27acac-cdcd-4aed-b07a-81869e366ae7&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/d447d9047e01/2.bmp?extra=G5NjMO4sTn6SbCFGk7CD_SOlopWCbJMwNATWfk18b8h6W5KpzIWtQpereK3vm9yQmMyGT0c1IH0TTJppN4VFVi2l828xcy6v8sK2jl4z9PQdlNlCBd13ABRJJbdaK_NhKXaUEg0AhxvYwqFU
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
|
110
neuralshit.net(172.67.134.35) - malware
db-ip.com(172.67.75.166)
jackantonio.top(37.139.129.88) - malware
dzen.ru(62.217.160.2)
vanaheim.cn(45.11.27.150) - mailcious
t.me(149.154.167.99) - mailcious
lrefjviufewmcd.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
iplogger.org(148.251.234.83) - mailcious
potatogoose.com(172.67.180.173) - malware
diplodoka.net(172.67.217.52) - malware
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.76.78.101) - mailcious
grabyourpizza.com(104.21.90.82) - malware
laubenstein.space(45.130.41.101) - mailcious
twitter.com(104.244.42.193)
telegram.org(149.154.167.99)
yip.su(104.21.79.77) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
octocrabs.com(172.67.200.10) - mailcious
www.instagram.com(157.240.11.174)
sso.passport.yandex.ru(213.180.204.24)
lakuiksong.known.co.ke(146.59.70.14) - malware
experiment.pw(104.21.34.37) - malware
yandex.ru(5.255.255.77)
net.geo.opera.com(107.167.110.211)
gobo03fc.top(85.143.220.63)
iplogger.com(148.251.234.93) - mailcious
zexeq.com(123.213.233.131) - malware
wyattsebastian.top(37.139.129.88) - mailcious
api.db-ip.com(104.26.4.15)
colisumy.com(187.18.108.158) - malware
www.google.com(142.250.76.132)
iplis.ru(148.251.234.93) - mailcious
i.instagram.com(31.13.82.52)
pastebin.com(104.20.68.143) - mailcious
flyawayaero.net(104.21.93.225) - malware
www.maxmind.com(104.18.145.235)
vk.com(93.186.225.194) - mailcious
api.myip.com(104.26.9.59)
lycheepanel.info(172.67.187.122) - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
37.139.129.88 - mailcious
104.18.146.235
142.250.66.132
171.22.28.213 - malware
172.67.167.220 - malware
157.240.31.63
77.91.124.1 - malware
62.122.184.92 - mailcious
193.233.255.73 - mailcious
104.26.5.15
85.217.144.143 - malware
85.143.220.63 - malware
149.154.167.99 - mailcious
104.21.65.24
61.111.58.34 - malware
104.21.34.37 - phishing
62.217.160.2
172.67.75.163
83.97.73.44
172.67.75.166
121.254.136.18
171.22.28.239 - mailcious
45.11.27.150
172.67.187.122 - malware
104.21.79.77 - phishing
171.22.28.226 - malware
87.240.132.78 - mailcious
171.22.28.221 - malware
34.117.59.81
77.91.68.249 - malware
172.67.200.10 - mailcious
176.113.115.84 - mailcious
172.67.34.170 - mailcious
148.251.234.83
104.26.8.59
104.21.6.10 - malware
45.130.41.101 - mailcious
193.42.32.118 - mailcious
176.113.115.135 - mailcious
176.113.115.136 - mailcious
185.172.128.69 - malware
109.107.182.133
77.88.55.88
80.66.75.4 - mailcious
172.67.197.174
91.215.85.209 - mailcious
169.148.95.39
45.15.156.229 - mailcious
157.240.31.174
107.167.110.216
95.142.206.3 - mailcious
195.158.3.162
45.143.201.238 - mailcious
172.67.217.52 - malware
104.21.93.225 - phishing
146.59.70.14 - malware
104.244.42.193 - suspicious
193.42.33.68 - malware
213.180.204.24
172.67.180.173 - malware
95.142.206.0 - mailcious
80.66.75.77 - mailcious
109.107.182.2 - malware
171.22.28.236 - mailcious
104.76.78.101 - mailcious
94.142.138.131 - mailcious
|
53
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING Suspicious services.exe in URI
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO Packed Executable Download
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO PS1 Powershell File Request
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
|
28
http://171.22.28.226/download/WWW14_64.exe
http://wyattsebastian.top/e9c345fc99a4e67e.php
http://109.107.182.2/race/bus50.exe
http://zexeq.com/test2/get.php
http://45.15.156.229/api/firegate.php
http://colisumy.com/dl/build2.exe
http://85.217.144.143/files/My2.exe
http://185.172.128.69/newumma.exe
http://jackantonio.top/timeSync.exe
http://zexeq.com/files/1/build3.exe
http://171.22.28.221/files/Ads.exe
http://94.142.138.131/api/firegate.php
http://171.22.28.226/download/Services.exe
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://77.91.124.1/theme/index.php
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://193.233.255.73/loghub/master
http://94.142.138.131/api/tracemap.php
http://193.42.32.118/api/firecom.php
http://171.22.28.213/3.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
https://experiment.pw/setup294.exe
https://steamcommunity.com/profiles/76561199563297648
https://pastebin.com/raw/xYhKBupz
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7526 |
2023-10-23 16:01
|
 7725eaa6592c80f8124e769b4e8a07... 5ac8db8e129863d0a9aaa7534cc644ff
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7527 |
2023-10-23 15:35
|
setup.7z bf2d71ede12b007cdabbf513b081fcb7
PrivateLoader Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
41
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://jackantonio.top/timeSync.exe - rule_id: 37357
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://apps.identrust.com/roots/dstrootcax3.p7c
http://wyattsebastian.top/e9c345fc99a4e67e.php
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://171.22.28.221/files/Ads.exe - rule_id: 37468
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://176.113.115.84:8080/4.php - rule_id: 34795
http://193.233.255.73/loghub/master
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://www.maxmind.com/geoip/v2.1/city/me
http://171.22.28.213/3.exe - rule_id: 37068
http://www.google.com/
https://sun6-23.userapi.com/c235031/u52355237/docs/d21/7cb744cd40e6/crypted.bmp?extra=ijasbvJahzXSeNdqXSXLMGpGHvjz4jGBIbrjMTotAwPSDg7ZJWoTCMEgnrXhoT-UPrEIyIsw-zYLJvngWwPvMPOtEmMltl6PXIlTO5aNN0Qq0AxSs2IHuMhtvwLx9L6tHIS68UidODUbnFg9
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-20.userapi.com/c909518/u52355237/docs/d7/9d03fcd9d5bd/test2222.bmp?extra=Wry9QF8NRzHXFhuAyX10K2cUiDS0DTKoIRmO3Gdqy2Pqlg5wpKdUMJGOb4-PdzAqr5weQJRr6xl0yQWHUlmTdrUW1y_n1wiM2ewm5-R5m1ExpU4IOBI5iaaLryf706xSsUxP-5VzIAtPBVSa
https://sun6-20.userapi.com/c237131/u52355237/docs/d23/7cd7043f8e90/New_crypt_test.bmp?extra=vYj8TsuI4Mh2GARpTfNUmOIhtAIFlk_aV6rN4fuV8RoazN2oSjvkW3gF0yYbSbvEdEIhlBKvLFNzrDhjXjuLtzBxm3t7UAjcRP6wVkJIC2mfq9v9-KN2np5vLrprxlhF01Lp6ir3imRMRJdu
https://experiment.pw/setup294.exe - rule_id: 37436
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/d447d9047e01/2.bmp?extra=G5NjMO4sTn6SbCFGk7CD_SOlopWCbJMwNATWfk18b8h6W5KpzIWtQpereK3vm9yQmMyGT0c1IH0TTJppN4VFVi2l828xcy6v8sK2jl4z9PQdlNlCAdF3ABRJJbdaK_NhK3WUEg1Xih3dkvYN
https://api.myip.com/
https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
https://vk.com/doc52355237_667233820?hash=ksqvnpPOTVnZUBQvgNWMHz7b34SlhrJYzyLwhjI3p2w&dl=9z5K5NGG8CQyYYjYV1UsyBwEjOrCNpWsf0ZuYRFDUpz&api=1&no_preview=1#1
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU54uu8GW5XHCV-7gyutSx4UrNDbW1iV20
https://dzen.ru/?yredirect=true
https://vk.com/doc52355237_667205062?hash=Svqj7zCdrED1hyD81lRt9NeObuiSXNy8bJzdPsMUx1w&dl=zCXthZXeky7MxZ1PAEfvkLNfEWm2gZlF4zhzbI8exz4&api=1&no_preview=1
https://vk.com/doc52355237_667276452?hash=wkBRUPYuo43rYtxIzQc6pAfTM1sBDD9zNWcmfsnUyZk&dl=pSqUmbLaVdyliolYK30HXXznJ7HpQH0ZxzieEabZe7k&api=1&no_preview=1#zxc
https://sso.passport.yandex.ru/push?uuid=33a6194a-fa11-4731-a21f-ec40a5c9dbcf&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://api.2ip.ua/geo.json
https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9-5UHTgq9slIJgndIgK_zQLX_bwz3QVfA
https://vk.com/doc52355237_667260318?hash=5fIVbEMD7QFCeMOR3scNeKxSNfqeBg9KoduBU4Y3tID&dl=koAos1zT2zeVbUu3VEeFdVGaQOOEBZEWHNqrz2p7C1k&api=1&no_preview=1#rise
https://neuralshit.net/c31ff1e4370f1f902d97430832cc5f56/7725eaa6592c80f8124e769b4e8a07f7.exe
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-23.userapi.com/c909618/u52355237/docs/d9/334aaa965d98/tmvwr.bmp?extra=8vKP1hUU8FXC9Qe8mMCGvUfa8Cp8pOwsD2JU4mCuyllGkHmKNdLdm5pJBH5n8fLgBYOEugKzlYD-S8BALhWt6cB4_4dQu6dsu8wxVcZgawhp4z7JOXKqL-PS8fMBHOwRaKXgnQ3G9H9UZ2cQ
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
|
84
neuralshit.net(172.67.134.35) - malware
db-ip.com(104.26.4.15)
jackantonio.top(37.139.129.88) - malware
vanaheim.cn(45.11.27.150) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
dzen.ru(62.217.160.2)
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.76.78.101) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.129)
telegram.org(149.154.167.99)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
lrefjviufewmcd.org(91.215.85.209) - malware
lakuiksong.known.co.ke(146.59.70.14) - malware
experiment.pw(104.21.34.37) - malware
iplogger.com(148.251.234.93) - mailcious
colisumy.com(181.170.86.159) - malware
zexeq.com(186.13.17.220) - malware
wyattsebastian.top(37.139.129.88)
octocrabs.com(104.21.21.189) - mailcious
yandex.ru(77.88.55.88)
www.google.com(142.250.76.132)
iplis.ru(148.251.234.93) - mailcious
i.instagram.com(31.13.82.52)
pastebin.com(104.20.67.143) - mailcious
www.maxmind.com(104.18.145.235)
vk.com(87.240.132.67) - mailcious
sso.passport.yandex.ru(213.180.204.24)
api.myip.com(104.26.9.59)
148.251.234.93 - mailcious
194.169.175.128 - mailcious
37.139.129.88
104.18.145.235
182.162.106.33 - malware
93.186.225.194 - mailcious
172.67.167.220 - malware
62.217.160.2
62.122.184.92 - mailcious
193.233.255.73
104.26.5.15
149.154.167.99 - mailcious
193.42.32.118 - mailcious
91.215.85.209 - mailcious
157.240.215.63
80.66.75.77 - mailcious
104.244.42.193 - suspicious
45.11.27.150
171.22.28.226 - malware
87.240.132.67 - mailcious
171.22.28.221 - malware
34.117.59.81
172.67.200.10 - mailcious
176.113.115.84 - mailcious
172.67.34.170 - mailcious
148.251.234.83
104.26.8.59
104.21.6.10 - malware
83.97.73.44
213.180.204.24
176.113.115.135 - mailcious
104.75.41.21 - mailcious
176.113.115.136 - mailcious
185.172.128.69 - malware
45.143.201.238 - mailcious
193.42.33.68 - malware
181.170.86.159
190.12.87.61
45.15.156.229 - mailcious
104.26.9.59
104.26.4.15
95.142.206.3 - mailcious
172.67.139.220
95.142.206.0 - mailcious
80.66.75.4 - mailcious
146.59.70.14 - malware
171.22.28.239 - mailcious
172.217.24.228
77.88.55.60
109.107.182.2 - malware
171.22.28.236 - mailcious
171.22.28.213 - malware
|
46
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO Packed Executable Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
|
18
http://171.22.28.226/download/WWW14_64.exe
http://zexeq.com/test2/get.php
http://jackantonio.top/timeSync.exe
http://colisumy.com/dl/build2.exe
http://45.15.156.229/api/tracemap.php
http://45.15.156.229/api/firegate.php
http://zexeq.com/files/1/build3.exe
http://171.22.28.221/files/Ads.exe
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://176.113.115.84:8080/4.php
http://193.42.32.118/api/firecom.php
http://171.22.28.213/3.exe
https://experiment.pw/setup294.exe
https://steamcommunity.com/profiles/76561199563297648
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7528 |
2023-10-23 13:24
|
 xCvecthUdXEH.exe 0b6133d5b36cd98c3391f03ae97633d7
Browser Login Data Stealer Generic Malware Malicious Library UPX Malicious Packer Downloader PE File PE32 OS Processor Check Malware download Remcos VirusTotal Malware Malicious Traffic Check memory Windows DNS DDNS keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
fortuna777.duckdns.org(46.246.82.16)
178.237.33.50
46.246.82.16 - mailcious
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Remcos 3.x Unencrypted Checkin
ET MALWARE Remcos 3.x Unencrypted Server Response
|
|
3.8 |
|
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7529 |
2023-10-23 13:24
|
 nix.txt.exe c01e90db99bcc939f829a181aef2c348
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mail.industrialgh.com(68.70.164.13)
api.ipify.org(104.237.62.212)
68.70.164.13 - mailcious
173.231.16.77
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
7.4 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7530 |
2023-10-23 13:15
|
nicko.vbs 9693079116e9abb7ac2160191c8164af
LokiBot Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
http://193.42.33.51/nix.txt
|
7
imageupload.io(172.67.222.26) - malware
api.ipify.org(104.237.62.212)
mail.industrialgh.com(68.70.164.13)
68.70.164.13 - mailcious
104.21.83.102
64.185.227.156
193.42.33.51 - malware
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
19.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|