| 7621 |
2023-10-18 17:55
|
 abun.exe 85b7d14c272f7d0ad66a74ec947b7677
UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mymobileorder.com(162.0.232.65)
api.ipify.org(64.185.227.156)
104.237.62.212
162.0.232.65 - phishing
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7622 |
2023-10-18 17:55
|
 obizx.exe d08792fa3031b847d0fd6bd56d10ee93
PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7623 |
2023-10-18 15:20
|
Archive.7z 14cf80a7fd8a77c3eaed98b8ec615eb4
Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Discord DNS |
6
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://193.42.32.118/api/tracemap.php - rule_id: 36180
https://cdn.discordapp.com/attachments/1162840103530528921/1163757886992814141/setup.exe
https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1
https://sun6-23.userapi.com/c909628/u52355237/docs/d52/6076404f60cf/ses.bmp?extra=vfnVMTyJ0z5oRRioQq5a4Ra-175lPx2RCYBIotPnmMhApvMMpHNxSEiuf3yMM4CorYaMFxQs-9DkKKFN4lsr5mu9vCvcF8W8b8fZhd4C_vKIeW8tIByAbMv_YKl3iV7Wq6s56P6Y96mO2chN
https://api.myip.com/
|
18
iplis.ru(148.251.234.93) - mailcious
sun6-23.userapi.com(95.142.206.3) - mailcious
iplogger.org(148.251.234.83) - mailcious
ipinfo.io(34.117.59.81)
cdn.discordapp.com(162.159.129.233) - malware
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.8.59)
87.240.137.164 - mailcious
148.251.234.83
148.251.234.93 - mailcious
104.26.9.59
193.42.32.118 - mailcious
95.142.206.3 - mailcious
51.254.67.186
34.117.59.81
91.103.253.6
208.67.104.60 - mailcious
162.159.129.233 - malware
|
15
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO TLS Handshake Failure
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
2
http://193.42.32.118/api/firegate.php
http://193.42.32.118/api/tracemap.php
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7624 |
2023-10-18 11:00
|
 1 609c656c5caf4dadf68d74817b292b9f
UPX Downloader PE File PE32 VirusTotal Malware crashed |
|
|
|
|
1.4 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7625 |
2023-10-18 10:01
|
audiodgse.vbs 338b7c96e85cbe30dd4f196461fc4ba4
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7626 |
2023-10-18 10:00
|
eggoflife.vbs 5cb5b67ebd7c01a2476d96153d26b45a
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7627 |
2023-10-18 09:59
|
RBLnetwork.vbs 393a35d56ac8e0403f5e37a0ab0bba4b
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7628 |
2023-10-18 09:57
|
 Managing.ps1 7bbd630da159177a21f5ce10f73fb571
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key |
|
|
|
|
1.4 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7629 |
2023-10-18 09:54
|
 ltd.txt.ps1 76a88901ca572ebb907813bc9a8c75db
Generic Malware Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows DNS Cryptographic key |
1
http://185.81.157.25:222/A.txt
|
1
|
|
|
1.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7630 |
2023-10-18 09:52
|
HTMLcache.doc ab0a2dc85b78848f7f2bb5e3fab1abea
MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
3
http://101.99.75.183/MfoGYZkxZIl205.bin
http://103.186.65.80/79/audiodgse.exe
http://geoplugin.net/json.gp
|
5
geoplugin.net(178.237.33.50)
178.237.33.50
103.186.65.80 - malware
2.59.254.111 - mailcious
101.99.75.183
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
ET HUNTING Generic .bin download from Dotted Quad
|
|
4.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7631 |
2023-10-18 09:51
|
 Setup.exe a3b5e1774d3b1a182ca4bcfc100f3606
Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
7.2 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7632 |
2023-10-18 09:51
|
 Order.pdf.exe 16ef2ceaac7e55803f35f33d84645e31
Malicious Library UPX .NET framework(MSIL) PE File PE32 OS Processor Check PNG Format .NET EXE VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution |
|
|
|
|
4.2 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7633 |
2023-10-18 09:50
|
HTMLcache.dOC 5694fc60fe6d3e04dc6ac4e6b05b9a7a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://192.3.108.47/iso/audiodgse.vbs
|
3
wallpapercave.com(104.22.52.71) - malware
104.22.52.71
192.3.108.47 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7634 |
2023-10-18 09:49
|
 d-8 dc62653f9e2468f587b27fb7bb8857e2
Malicious Library Downloader PE File DLL PE32 Malware download VirusTotal Malware Malicious Traffic Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check GameoverP2P Zeus Windows DNS Downloader |
1
http://143.92.58.180:8000/1
|
1
|
9
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
SURICATA HTTP Request abnormal Content-Encoding header
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE OneLouder EXE download possibly installing Zeus P2P
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M6
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
4.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7635 |
2023-10-18 09:48
|
HTMLcache.doc 0926d64a5e274efd84980e0a42963ef6
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
1
|
2
i8.ae(104.21.60.158) - mailcious
104.21.60.158
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|