7621 | 2023-10-18 17:55 |
abun.exe 85b7d14c272f7d0ad66a74ec947b7677 UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mymobileorder.com(162.0.232.65)
api.ipify.org(64.185.227.156)
104.237.62.212
162.0.232.65 - phishing
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 | M | 32 | ZeroCERT
7622 | 2023-10-18 17:55 |
obizx.exe d08792fa3031b847d0fd6bd56d10ee93 PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 | M | 40 | ZeroCERT
7623 | 2023-10-18 15:20 |
Archive.7z 14cf80a7fd8a77c3eaed98b8ec615eb4 Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Discord DNS |
6
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://193.42.32.118/api/tracemap.php - rule_id: 36180
https://cdn.discordapp.com/attachments/1162840103530528921/1163757886992814141/setup.exe
https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1
https://sun6-23.userapi.com/c909628/u52355237/docs/d52/6076404f60cf/ses.bmp?extra=vfnVMTyJ0z5oRRioQq5a4Ra-175lPx2RCYBIotPnmMhApvMMpHNxSEiuf3yMM4CorYaMFxQs-9DkKKFN4lsr5mu9vCvcF8W8b8fZhd4C_vKIeW8tIByAbMv_YKl3iV7Wq6s56P6Y96mO2chN
https://api.myip.com/
|
18
iplis.ru(148.251.234.93) - mailcious
sun6-23.userapi.com(95.142.206.3) - mailcious
iplogger.org(148.251.234.83) - mailcious
ipinfo.io(34.117.59.81)
cdn.discordapp.com(162.159.129.233) - malware
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.8.59)
87.240.137.164 - mailcious
148.251.234.83
148.251.234.93 - mailcious
104.26.9.59
193.42.32.118 - mailcious
95.142.206.3 - mailcious
51.254.67.186
34.117.59.81
91.103.253.6
208.67.104.60 - mailcious
162.159.129.233 - malware
|
15
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO TLS Handshake Failure
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
2
http://193.42.32.118/api/firegate.php
http://193.42.32.118/api/tracemap.php
|
5.0 | M | | ZeroCERT
7624 | 2023-10-18 11:00 |
1 609c656c5caf4dadf68d74817b292b9f UPX Downloader PE File PE32 VirusTotal Malware crashed |
|
|
|
|
1.4 | | 6 | ZeroCERT
7625 | 2023-10-18 10:01 |
audiodgse.vbs 338b7c96e85cbe30dd4f196461fc4ba4 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 | | 1 | ZeroCERT
7626 | 2023-10-18 10:00 |
eggoflife.vbs 5cb5b67ebd7c01a2476d96153d26b45a Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 | | 1 | ZeroCERT
7627 | 2023-10-18 09:59 |
RBLnetwork.vbs 393a35d56ac8e0403f5e37a0ab0bba4b Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 | | 1 | ZeroCERT
7628 | 2023-10-18 09:57 |
Managing.ps1 7bbd630da159177a21f5ce10f73fb571 Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key |
|
|
|
|
1.4 | | 19 | ZeroCERT
7629 | 2023-10-18 09:54 |
ltd.txt.ps1 76a88901ca572ebb907813bc9a8c75db Generic Malware Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows DNS Cryptographic key |
1
http://185.81.157.25:222/A.txt
|
1
|
|
|
1.8 | | 5 | ZeroCERT
7630 | 2023-10-18 09:52 |
HTMLcache.doc ab0a2dc85b78848f7f2bb5e3fab1abea MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
3
http://101.99.75.183/MfoGYZkxZIl205.bin
http://103.186.65.80/79/audiodgse.exe
http://geoplugin.net/json.gp
|
5
geoplugin.net(178.237.33.50) 178.237.33.50
103.186.65.80 - malware
2.59.254.111 - mailcious
101.99.75.183
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
ET HUNTING Generic .bin download from Dotted Quad
|
|
4.0 | M | 28 | ZeroCERT
7631 | 2023-10-18 09:51 |
Setup.exe a3b5e1774d3b1a182ca4bcfc100f3606 Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
7.2 | | 28 | ZeroCERT
7632 | 2023-10-18 09:51 |
Order.pdf.exe 16ef2ceaac7e55803f35f33d84645e31 Malicious Library UPX .NET framework(MSIL) PE File PE32 OS Processor Check PNG Format .NET EXE VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution |
|
|
|
|
4.2 | | 35 | ZeroCERT
7633 | 2023-10-18 09:50 |
HTMLcache.dOC 5694fc60fe6d3e04dc6ac4e6b05b9a7a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://192.3.108.47/iso/audiodgse.vbs
|
3
wallpapercave.com(104.22.52.71) - malware
104.22.52.71
192.3.108.47 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 | M | 28 | ZeroCERT
7634 | 2023-10-18 09:49 |
d-8 dc62653f9e2468f587b27fb7bb8857e2 Malicious Library Downloader PE File DLL PE32 Malware download VirusTotal Malware Malicious Traffic Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check GameoverP2P Zeus Windows DNS Downloader |
1
http://143.92.58.180:8000/1
|
1
|
9
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
SURICATA HTTP Request abnormal Content-Encoding header
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE OneLouder EXE download possibly installing Zeus P2P
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M6
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
4.8 | M | 49 | ZeroCERT
7635 | 2023-10-18 09:48 |
HTMLcache.doc 0926d64a5e274efd84980e0a42963ef6 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
1
|
2
i8.ae(104.21.60.158) - mailcious
104.21.60.158
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 | M | 31 | ZeroCERT