7636 | 2023-10-18 08:00
audiodgse.exe 68c674b8751ee53b3dcb6d6f10b0bc0c
Tags: Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself suspicious TLD DNS
URLs (1): http://www.sarthaksrishticreation.com/sy22/?nJ=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&FF=5jUlfzd8q0bt4Bo - rule_id: 35905
Hosts (5): www.uadmxqby.click() - malicious; www.03ss.vip() - malicious; www.sofbks.top() - malicious; www.sarthaksrishticreation.com(119.18.49.69) - malicious; 119.18.49.69 - malicious
IDS alerts (2): ET DNS Query to a *.top domain - Likely Hostile; ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (1): http://www.sarthaksrishticreation.com/sy22/
3.4 | M | ZeroCERT

7637 | 2023-10-18 07:57
raaa.exe 67eb75a7dd7ad718359513fad929eb62
Tags: .NET framework(MSIL) PE File PE32 .NET EXE Check memory Checks debugger unpack itself
1.2 | M | ZeroCERT

7638 | 2023-10-18 07:55
silent.exe 8e0907f52947b06a7b2f4a3ff064ec2d
Tags: PE File PE64 Cryptocurrency Miner Cryptocurrency DNS
Hosts (6): xmr-us-east1.nanopool.org(144.217.14.139) - malicious; 142.44.242.100 - malicious; 192.99.69.170; 142.44.243.6; 144.217.14.139; 144.217.14.109
IDS alerts (2): ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org); ET POLICY Cryptocurrency Miner Checkin
0.8 | M | ZeroCERT

7639 | 2023-10-18 07:55
Tues.....exe 4ce3fd8661138b0deadc1f3d5b8ca09b
Tags: Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Software crashed keylogger
5.6 | M | ZeroCERT

7640 | 2023-10-18 07:53
ezy.exe 68cf6b4b568cc8bcbfe7dc53607f0c90
Tags: LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
Hosts (2): api.ipify.org(64.185.227.156); 173.231.16.77
IDS alerts (4): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO TLS Handshake Failure; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.2 | M | ZeroCERT

7641 | 2023-10-18 07:53
DH.exe 98dd2038ebcfed11dd49c0e663babb41
Tags: .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
2.2 | M | 39 | ZeroCERT

7642 | 2023-10-18 07:51
audiodgse.exe 9b40ae8c6dc8f35af3535a7b30c51d80
Tags: Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
2.4 | M | 28 | ZeroCERT

7643 | 2023-10-18 07:51
txx.exe 7876bb77fa613b4bcea4b6f87330d686
Tags: .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
2.4 | M | 41 | ZeroCERT

7644 | 2023-10-18 07:49
PO.pdf.exe 9d1dfc2adc6e191d54bcf23a43e221f9
Tags: Malicious Library UPX .NET framework(MSIL) PE File PE32 OS Processor Check .NET EXE PNG Format VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution
4.2 | 33 | ZeroCERT

7645 | 2023-10-18 07:49
aao.exe 13334f5c0eabe3d42da0645a606a1946
Tags: .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself
2.4 | 43 | ZeroCERT

7646 | 2023-10-18 07:47
timeSync.exe 3a77fc04743664066168d91666d06b5f
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 40 | ZeroCERT

7647 | 2023-10-18 07:47
Qconngovaq.exe 9bd29cbf6a0bc205a1202a1c61ce8989
Tags: UPX .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key
URLs (1): http://185.254.37.80/Wuotlbdh.jpg
Hosts (1): 185.254.37.80 - malicious
6.2 | 40 | ZeroCERT

7648 | 2023-10-17 17:01
Setup.7z 72cbddd810e52a32ffed4a5db1faeb1d
Tags: Stealc PrivateLoader Amadey Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro Trojan DNS
URLs (47):
Hosts (75):
IDS alerts (40): ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET); SURICATA Applayer Mismatch protocol both directions; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com); ET DROP Spamhaus DROP Listed Traffic Inbound group 7; ET INFO Executable Download from dotted-quad Host; ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016; ET INFO HTTP Request to a *.top domain; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET DNS Query to a *.top domain - Likely Hostile; ET HUNTING Suspicious services.exe in URI; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Possible EXE Download From Suspicious TLD; ET INFO TLS Handshake Failure; ET POLICY External IP Address Lookup DNS Query (2ip .ua); ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI); ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound); ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer); ET MALWARE Potential Dridex.Maldoc Minimal Executable Request; ET POLICY IP Check Domain (iplogger .org in DNS Lookup); ET MALWARE Win32/Vodkagats Loader Requesting Payload; ET POLICY IP Check Domain (iplogger .org in TLS SNI); ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key; ET MALWARE Win32/Filecoder.STOP Variant Public Key Download; ET MALWARE Redline Stealer Activity (Response); ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration); ET INFO Packed Executable Download; ET INFO Observed Telegram Domain (t .me in TLS SNI); ET INFO Dotted Quad Host ZIP Request; ET MALWARE Single char EXE direct download likely trojan (multiple families); ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2
Rule-matched URLs (19):
6.0 | M | ZeroCERT

7649 | 2023-10-17 17:00
ChromeSetup.exe 7d09d9b412845150b51c52503339f52e
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.0 | M | 31 | ZeroCERT

7650 | 2023-10-17 16:58
angel.exe a6f75b1e5f8b4265869f7e5bdcaa3314
Tags: Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB Malicious Traffic Check memory buffers extracted Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware
URLs (1):
Hosts (2): numpersb.fun(172.67.216.26); 104.21.53.180 - malware
IDS alerts (2): ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In; ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
7.4 | M | 25 | ZeroCERT