7606 |
2023-10-19 08:00
|
Ads.exe 6e781cf49af81b961d0ab465210a35f8 Generic Malware Malicious Library UPX Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 OS Processor Check DLL Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows DNS Downloader CoinMiner |
10
http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://gobo02fc.top/build.exe http://85.217.144.143/files/My2.exe - rule_id: 34643 http://galandskiyher5.com/downloads/toolspub1.exe https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
29
pastebin.com(172.67.34.170) - mailcious diplodoka.net(104.21.78.56) net.geo.opera.com(107.167.110.211) gobo02fc.top(85.143.220.63) laubenstein.space(45.130.41.101) - mailcious flyawayaero.net(172.67.216.81) - malware yip.su(148.251.234.93) - mailcious grabyourpizza.com(172.67.197.174) - malware galandskiyher5.com(194.169.175.127) - malware potatogoose.com(172.67.180.173) darianentertainment.com(65.109.26.240) lycheepanel.info(104.21.32.208) - malware pool.hashvault.pro(131.153.76.130) - mailcious 148.251.234.93 - mailcious 85.217.144.143 - malware 172.67.216.81 - malware 107.167.110.216 85.143.220.63 45.130.41.101 - mailcious 194.169.175.127 - malware 172.67.217.52 - malware 104.21.32.208 - malware 172.67.180.173 162.159.135.233 - malware 172.67.197.174 104.20.67.143 - mailcious 65.109.26.240 - mailcious 23.67.53.27 131.153.76.130 - mailcious
|
17
ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET HUNTING Possible EXE Download From Suspicious TLD ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
3
http://85.217.144.143/files/My2.exe https://pastebin.com/raw/xYhKBupz https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
13.2 |
M |
36 |
ZeroCERT
7607 |
2023-10-19 07:59
|
Random.exe 191febed315d7c3a620b564e99e5f3cc Gen1 Emotet Generic Malware UPX Malicious Library Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 .NET EXE OS Processor Check PNG Format DLL CAB MSOffice File JPEG Format Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed Downloader CoinMiner |
12
http://104.194.128.170/svp/Ykwrxaauw.dat http://172.86.97.117/himeffectivelyproress.exe http://85.217.144.143/files/My2.exe - rule_id: 34643 http://85.217.144.143/files/Amadey.exe - rule_id: 37253 http://galandskiyher5.com/downloads/toolspub1.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://gons01b.top/build.exe https://pastebin.com/raw/HPj0MzD6 https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
32
iplogger.com(148.251.234.93) - mailcious yip.su(148.251.234.93) - mailcious pool.hashvault.pro(131.153.76.130) - mailcious net.geo.opera.com(107.167.110.216) martvl.com(69.48.143.183) - malware laubenstein.space(45.130.41.101) - mailcious pastebin.com(104.20.68.143) - mailcious flyawayaero.net(172.67.216.81) - malware grabyourpizza.com(104.21.90.82) - malware gons01b.top(85.143.220.63) galandskiyher5.com(194.169.175.127) - malware potatogoose.com(172.67.180.173) lycheepanel.info(104.21.32.208) - malware diplodoka.net(104.21.78.56) 104.21.78.56 107.167.110.211 148.251.234.93 - mailcious 121.254.136.9 85.217.144.143 - malware 104.194.128.170 193.42.32.29 - malware 85.143.220.63 45.130.41.101 - mailcious 69.48.143.183 - malware 194.169.175.127 - malware 131.153.76.130 - mailcious 104.21.32.208 - malware 172.67.216.81 - malware 172.67.197.174 104.21.35.235 172.86.97.117 104.20.67.143 - mailcious
|
17
ET DNS Query to a *.top domain - Likely Hostile ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Possible EXE Download From Suspicious TLD ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
3
http://85.217.144.143/files/My2.exe http://85.217.144.143/files/Amadey.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
19.4 |
M |
23 |
ZeroCERT
7608 |
2023-10-19 07:59
|
audiodgse.exe d7bde041b821e3b3e6e3a71846cee9ef Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself DNS |
5
http://www.vaskaworldairways.com/sy22/?Dxlpd=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&mnSh=Txlhkdx - rule_id: 35942 http://www.zhperviepixie.com/sy22/?Dxlpd=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&mnSh=Txlhkdx - rule_id: 35635 http://www.gracefullytouchedartistry.com/sy22/?Dxlpd=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&mnSh=Txlhkdx - rule_id: 35940 http://www.docomo-mobileconsulting.com/sy22/?Dxlpd=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&mnSh=Txlhkdx - rule_id: 35906 http://www.vinteligencia.com/sy22/?Dxlpd=bFBzPUMpurqsSaAEhywdCFYwBQqPS0zKvFatuRp4xXu+SuvLn4C9Xg+acXGhzE1ceHoH+Iro&mnSh=Txlhkdx - rule_id: 35688
|
11
www.vaskaworldairways.com(97.118.134.29) - mailcious www.vinteligencia.com(172.67.198.50) - mailcious www.docomo-mobileconsulting.com(185.53.177.52) - mailcious www.zhperviepixie.com(167.172.228.26) - mailcious www.gracefullytouchedartistry.com(34.149.87.45) - mailcious 34.149.87.45 - phishing 172.67.198.50 167.172.228.26 - mailcious 185.53.177.52 - mailcious 97.118.134.29 131.153.76.130 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
5
http://www.vaskaworldairways.com/sy22/ http://www.zhperviepixie.com/sy22/ http://www.gracefullytouchedartistry.com/sy22/ http://www.docomo-mobileconsulting.com/sy22/ http://www.vinteligencia.com/sy22/
|
4.8 |
M |
40 |
ZeroCERT
7609 |
2023-10-19 07:56
|
audiodgse.exe 5f19da54cd1ddcef58de1e0bdf595459 .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
40 |
ZeroCERT
7610 |
2023-10-19 07:55
|
system32.exe d1e40dfbae57e5f3205117f5c9d64a76 Vidar Gen1 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName DNS Software crashed |
4
http://5.75.212.77/ http://5.75.212.77/upgrade.zip http://5.75.212.77/f02b730f81476e82205d9d2eb21e0ef8 https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.75.41.21) - mailcious 149.154.167.99 - mailcious 5.75.212.77 104.76.78.101 - mailcious
|
4
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host ZIP Request
|
1
https://steamcommunity.com/profiles/76561199563297648
|
13.2 |
M |
49 |
ZeroCERT
7611 |
2023-10-19 07:54
|
audiodgse.exe 0ea00cd19382a471a5f599c54dff91f1 UPX .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
42 |
ZeroCERT
7612 |
2023-10-19 07:52
|
audiodgse.exe 834f8d3c68e80cb0288dac71275bf89a Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself |
|
|
|
|
2.2 |
M |
47 |
ZeroCERT
7613 |
2023-10-19 07:52
|
undergroundzx.exe 050408a7ec8e1c0ef8a7e417fbccc299 LokiBot .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord Browser Email ComputerName DNS Software crashed keylogger |
1
https://discordapp.com/api/webhooks/1163583965509197905/ZzAXRCqQ-ibE4oUwqs0NHv2AGzFsUnKD01ZpDXfNz05uyDGnR6CuWR8nGyVChCCCECqd
|
4
discordapp.com(162.159.129.233) - mailcious api.ipify.org(104.237.62.212) 173.231.16.77 162.159.135.233 - malware
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
|
13.4 |
M |
29 |
ZeroCERT
7614 |
2023-10-19 07:50
|
audiodgse.exe 8ed749953dfc694808ed27f1aea08b71 Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
30 |
ZeroCERT
7615 |
2023-10-19 07:49
|
damianozx.exe 487fa93e89fd1ec0969e0083966714bd PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(104.237.62.212) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
27 |
ZeroCERT
7616 |
2023-10-19 02:14
|
Rechung-87_PDF.js.pdf 64b82476268205bc28b7fccca5808cf0 PDF |
|
|
|
|
|
|
|
guest
7617 |
2023-10-18 18:04
|
sogn.exe b67ddf6cef57729b557a66460c0b6dd4 UPX .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
M |
43 |
ZeroCERT
7618 |
2023-10-18 18:01
|
test.exe 3939345bad08812d7dba41f064c1665d Malicious Packer PE File PE32 VirusTotal Malware unpack itself DNS |
|
2
167.172.140.132 - malware 91.235.128.141
|
|
|
3.6 |
M |
62 |
ZeroCERT
7619 |
2023-10-18 18:00
|
arinzezx.exe e25e15eb096d884c88cce0f4e079d2de UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
41 |
ZeroCERT
7620 |
2023-10-18 17:57
|
123.exe 62914a3d73d59716bd8dbbbd947f6a02 RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
88.99.105.150 - mailcious
|
|
|
3.8 |
M |
55 |
ZeroCERT