7681 |
2023-10-16 18:57
|
setup.exe 3ced118256af2b36b3b07ca4af5711b6 Malicious Library PE File PE32 VirusTotal Malware WMI Creates executable files RWX flags setting Windows utilities Checks Bios anti-virtualization Windows ComputerName |
|
|
|
|
4.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7682 |
2023-10-16 18:44
|
sihost.exe 0855867efc0b10ff80a9237b8ee9ba3d .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7683 |
2023-10-16 18:42
|
Preparing.exe 8fda57ed69bc4c9827a92f417f2caa13 Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS SMTP AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
94.142.138.212 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
|
10.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7684 |
2023-10-16 18:41
|
clip64.dll 27ff8e12b152ccf47b293d5375ea5d96 Amadey Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File DLL PE32 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7685 |
2023-10-16 18:39
|
cred64.dll a83604e32360e2b32ece536021559f13 Browser Login Data Stealer Malicious Library UPX PE File DLL PE64 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself installed browsers check Browser ComputerName DNS crashed |
|
1
|
|
|
3.4 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7686 |
2023-10-16 18:38
|
Ihtfxltx.exe f3234097fc5189cd1e558550ba0617fc PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7687 |
2023-10-16 18:37
|
smss.exe 6e8215eee3034d6dcf18d79d397e5715 Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
3.0 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7688 |
2023-10-16 18:36
|
setup-lightshot.exe 416c97ae7efb1385cf83a5fd277e68ee Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-load.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7689 |
2023-10-16 18:35
|
Roblox_Level_4_Exploit.exe 01af0cd59dfa4e45fc8cb5d9ecbd6de3 Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee ComputerName |
1
http://kenesrakishev.net/wp-admin/admin-ajax.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.0 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7690 |
2023-10-16 18:35
|
fuljani.exe 942dbace85ab0d41045bb37a66ccb139 Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7691 |
2023-10-16 18:35
|
fuljani.exe 942dbace85ab0d41045bb37a66ccb139 Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7692 |
2023-10-16 12:55
|
gate4.exe 5c6b1ca0336366662d0f444e01f96a3a PrivateLoader RedLine stealer Themida Packer Generic Malware UPX Malicious Library VMProtect ScreenShot PWS Socket DGA Http API DNS Internet API SMTP Anti_VM AntiDebug AntiVM PE File PE64 PE32 ZIP Format DLL OS Processor Check PNG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
35
http://94.142.138.131/api/firegate.php - rule_id: 32650 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://194.169.175.232/autorun.exe - rule_id: 36817 http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://45.9.74.80/zinda.exe - rule_id: 37063 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://www.maxmind.com/geoip/v2.1/city/me http://77.91.68.249/navi/kur90.exe - rule_id: 37069 https://sun6-20.userapi.com/c909418/u52355237/docs/d49/167def964d1d/Bot_Clien.bmp?extra=u226KRhFNKTwHJMooCCPzPmniPztLgViu_UdzG-VjX2Hdo2VQ_csORN4_Q0LZziy1wB-axwEO9JNYx174ntsePx0FuTMM0e_GCG405SNGpQvMEhf73KuF7vrvBeRTnAAwZp-CVmWviwj4x0M https://db-ip.com/demo/home.php?s=175.208.134.152 https://sun6-23.userapi.com/c909228/u52355237/docs/d38/fa41d55bfcd2/d3h782af.bmp?extra=x2wWuvzLp9U9MFpMuHZvNeDGbtRLE0wlF7xXDQEgYuMpz0YX4nSn8o70AXGDKhvOM9YscK1wrIJ3gioKVHDTS71MBi-kHvMK6C3w00FHmTA2gPyAb3GAalPr1Iq8MFdFriiC1VsUCrdiBBIt https://vk.com/doc52355237_666953453?hash=NVFeHD1X6xxwiPyDZ4kbilHig693YsIH5g6X9HkS69s&dl=dzQeH4YkPFmuRHRZXunNV4NBh3hv5ZLppdno3QUFjqD&api=1&no_preview=1#rise https://vk.com/doc52355237_666962194?hash=6q38NEAvszC9RaRujZr6ZVjib9zBVZremmdPy8csKIw&dl=vi5dQPwpzhvYIPezYQtsimILAKZctT0T5feFndBaxT8&api=1&no_preview=1#55 https://schematize.pw/setup294.exe - rule_id: 37138 https://sun6-23.userapi.com/c909518/u52355237/docs/d48/03ed792486f2/WWW11_32.bmp?extra=BDTRbaczcnbNzBo0BOe-ypzZEprOU10IkpkSzte4_V8G371fkmp_shttiZOFe2G1ASGDl-WPX9fz5UxXrtRJAgBkbTqjDYOK0KXnwLo7S-B1oMpIKEG-z8PCsBkFTg520y7LBkTmUfiZSrtb https://sun6-23.userapi.com/c909418/u52355237/docs/d18/6dea2083151c/crypted.bmp?extra=fsba2zHpXvqaKaIs2cqbeh5vyBbuwJUz1GDJrKswAJIhi-uQ6bVTt1ZthUMWNp4RKY7PjMjHY4Ma_mmFnBFnz8T2TeqY1eHF6BqoZPrQTE5hBFV2aHat9V0upNqQz5qlhcM1Nx2yUiz1RdD4 https://db-ip.com/ https://sun6-22.userapi.com/c909218/u52355237/docs/d2/0ad6080636be/RisePro.bmp?extra=PqUzNShtdQ-VVGbOsb_U5PPXWQnmOykXCr2fivqUjiKkJwon0GTt09KEwh_9I68Dc5f0DQX1ply0EcnMJc9OgcjXAI8IkIAS0jKP-35agrJxkRrVKKABaH75pGdH6_DdpAnsxm5a-uDanq3h https://sun6-21.userapi.com/c237231/u52355237/docs/d27/febee9ba14ad/tmvwr.bmp?extra=KGmYpPVPqL1gWi9xyYdQGc9kE9zKzbY56JcAJV9iuZtoaTKYIdPjQcwEJi0bbYZccEU8xrKK9HW6FyaWz3VwbVmZxYG_2qmXrDvnZSdHp0boKwH__hcxkzXGDY-cpDrcR3ByVwRXBGUFBCA6 https://vk.com/doc52355237_667000543?hash=eKOuemWuRCZmXal2YVj4QW37gepCmLzd9U7bLDKtdnX&dl=Le3z6AAKjnE7RlnXRnVZJtvMGIu3iOAwG2df2VZCSfz&api=1&no_preview=1#test22 https://dzen.ru/?yredirect=true https://sso.passport.yandex.ru/push?uuid=0db9eca3-374f-45c1-8887-36a74b181ed4&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11 https://api.2ip.ua/geo.json https://sun6-23.userapi.com/c909228/u52355237/docs/d47/bcda7d7ba2d6/test222.bmp?extra=GzyOtEQtKTC3VoTX4BnD-XTSQBc84p66dFqVHCs6w0VNIzwoEOOArPYB4Kra3QYsCY6Q5lJRsdsoheUUeiOTRdVzlgMBxM95pEXkuMRNKZKeX0Vv4pn-zyZtwt586DxQGHtIi7RMD4sCd6BW https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1 https://vk.com/doc52355237_666990393?hash=FTORQeSjuGQM3QZ0VZVmUaPzzMTjiHgVozgZL1VKkLs&dl=WHDNqvgddqa5sNEafsQGa9H9myfZRZuS1RHM37yysD8&api=1&no_preview=1 https://sun6-20.userapi.com/c909228/u52355237/docs/d55/a0f4bd8121f1/PL_Client.bmp?extra=gHHzZgmQ2ix-eyDuXWWUkcOvwwyUCy5E3P9WTu6vphlfKcCiFbxuGjvCO_1EJxvkfs2bGFSfr_9PlZsRCq65LOri_c51dD0gx807OeObF3eM6u1R8XpQ0HJzY5ESz-7d2hCuHgwJqj6q2qx6 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://sun6-23.userapi.com/c909628/u52355237/docs/d45/362847a669f2/44.bmp?extra=HTogS9Udy-zScPsV8Lv4flcVw5qsSLuY9mdyAh5RRn5xhDPI8DfW9wtYF2X9SS9jhOM-3_rypQvzo-pT4vmB5SI_QdmT89HOjHvIcqqjQ3qOU-NfnB8XQLZDws7kGj9EbiGU5OrFcamzfHKn https://vk.com/doc52355237_666985371?hash=xUCdQotbw4FtZlATzAL4qnHpx7ewB6dgNtlbn7gwXm4&dl=xZf2pdqcEKVJkPKzgfXwyOhSAkzUukUObYzCFT4qurw&api=1&no_preview=1#1
|
54
api.2ip.ua(172.67.139.220) db-ip.com(104.26.4.15) telegram.org(149.154.167.99) schematize.pw(172.67.152.98) - malware iplis.ru(148.251.234.93) - mailcious www.maxmind.com(104.18.146.235) ipinfo.io(34.117.59.81) iplogger.org(148.251.234.83) - mailcious jackantonio.top(45.132.1.20) - malware onualituyrs.org(91.215.85.209) - malware sun6-22.userapi.com(95.142.206.2) - mailcious twitter.com(104.244.42.193) api.myip.com(104.26.8.59) sun6-23.userapi.com(95.142.206.3) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious yandex.ru(77.88.55.60) vk.com(87.240.132.72) - mailcious sso.passport.yandex.ru(213.180.204.24) sun6-21.userapi.com(95.142.206.1) - mailcious api.db-ip.com(104.26.5.15) dzen.ru(62.217.160.2) 148.251.234.93 - mailcious 194.169.175.128 - mailcious 104.18.146.235 87.240.129.133 - mailcious 62.217.160.2 104.244.42.1 - suspicious 104.26.5.15 149.154.167.99 - mailcious 193.42.32.118 - mailcious 172.67.75.166 91.215.85.209 - mailcious 171.22.28.226 - malware 87.240.132.67 - mailcious 34.117.59.81 77.88.55.60 148.251.234.83 185.225.75.171 - mailcious 213.180.204.24 45.132.1.20 45.9.74.80 - malware 194.169.175.232 - malware 176.123.9.142 - mailcious 77.91.68.249 - malware 104.26.9.59 45.15.156.229 - mailcious 172.67.152.98 - malware 104.26.4.15 95.142.206.3 - mailcious 95.142.206.2 - mailcious 172.67.139.220 95.142.206.0 - mailcious 95.142.206.1 - mailcious 94.142.138.131 - mailcious
|
31
SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET DNS Query to a *.top domain - Likely Hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DNS Query to a *.pw domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Packed Executable Download ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
|
|
30.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7693 |
2023-10-16 12:52
|
kenspa.txt.exe 5a41d36eb69dd4649d09163b8dd7e759 Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://villar.ftvproclad.top/_errorpages/villar/five/fre.php
|
2
villar.ftvproclad.top(104.21.19.74) 104.21.19.74
|
9
ET DNS Query to a *.top domain - Likely Hostile ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP Request to a *.top domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
6.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7694 |
2023-10-16 12:52
|
kenjkt.txt.exe f871241fffd3002353e3ed0eea50daa5 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
3
api.ipify.org(173.231.16.77) 87.240.129.133 - mailcious 104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7695 |
2023-10-16 12:50
|
bulak.txt.exe c630301e6fa6e55bbb4eedeafb870f83 PE File PE32 .NET EXE Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName |
1
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=8dQdVXc6Djbw
|
2
whatismyipaddressnow.co(104.21.71.78) 172.67.143.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|