| 7681 |
2023-10-16 18:57
|
 setup.exe 3ced118256af2b36b3b07ca4af5711b6
Malicious Library PE File PE32 VirusTotal Malware WMI Creates executable files RWX flags setting Windows utilities Checks Bios anti-virtualization Windows ComputerName |
|
|
|
|
4.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7682 |
2023-10-16 18:44
|
 sihost.exe 0855867efc0b10ff80a9237b8ee9ba3d
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7683 |
2023-10-16 18:42
|
 Preparing.exe 8fda57ed69bc4c9827a92f417f2caa13
Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS SMTP AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
94.142.138.212 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
|
10.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7684 |
2023-10-16 18:41
|
 clip64.dll 27ff8e12b152ccf47b293d5375ea5d96
Amadey Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File DLL PE32 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7685 |
2023-10-16 18:39
|
 cred64.dll a83604e32360e2b32ece536021559f13
Browser Login Data Stealer Malicious Library UPX PE File DLL PE64 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself installed browsers check Browser ComputerName DNS crashed |
|
1
|
|
|
3.4 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7686 |
2023-10-16 18:38
|
 Ihtfxltx.exe f3234097fc5189cd1e558550ba0617fc
PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7687 |
2023-10-16 18:37
|
 smss.exe 6e8215eee3034d6dcf18d79d397e5715
Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
3.0 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7688 |
2023-10-16 18:36
|
 setup-lightshot.exe 416c97ae7efb1385cf83a5fd277e68ee
Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-load.php
|
2
kenesrakishev.net(162.213.251.134)
162.213.251.134
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7689 |
2023-10-16 18:35
|
 Roblox_Level_4_Exploit.exe 01af0cd59dfa4e45fc8cb5d9ecbd6de3
Generic Malware PE File PE32 .NET EXE VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee ComputerName |
1
http://kenesrakishev.net/wp-admin/admin-ajax.php
|
2
kenesrakishev.net(162.213.251.134)
162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.0 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7690 |
2023-10-16 18:35
|
 fuljani.exe 942dbace85ab0d41045bb37a66ccb139
Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134)
162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7691 |
2023-10-16 18:35
|
 fuljani.exe 942dbace85ab0d41045bb37a66ccb139
Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134)
162.213.251.134
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7692 |
2023-10-16 12:55
|
 gate4.exe 5c6b1ca0336366662d0f444e01f96a3a
PrivateLoader RedLine stealer Themida Packer Generic Malware UPX Malicious Library VMProtect ScreenShot PWS Socket DGA Http API DNS Internet API SMTP Anti_VM AntiDebug AntiVM PE File PE64 PE32 ZIP Format DLL OS Processor Check PNG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
35
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://194.169.175.232/autorun.exe - rule_id: 36817
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://45.9.74.80/zinda.exe - rule_id: 37063
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://www.maxmind.com/geoip/v2.1/city/me
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/167def964d1d/Bot_Clien.bmp?extra=u226KRhFNKTwHJMooCCPzPmniPztLgViu_UdzG-VjX2Hdo2VQ_csORN4_Q0LZziy1wB-axwEO9JNYx174ntsePx0FuTMM0e_GCG405SNGpQvMEhf73KuF7vrvBeRTnAAwZp-CVmWviwj4x0M
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/fa41d55bfcd2/d3h782af.bmp?extra=x2wWuvzLp9U9MFpMuHZvNeDGbtRLE0wlF7xXDQEgYuMpz0YX4nSn8o70AXGDKhvOM9YscK1wrIJ3gioKVHDTS71MBi-kHvMK6C3w00FHmTA2gPyAb3GAalPr1Iq8MFdFriiC1VsUCrdiBBIt
https://vk.com/doc52355237_666953453?hash=NVFeHD1X6xxwiPyDZ4kbilHig693YsIH5g6X9HkS69s&dl=dzQeH4YkPFmuRHRZXunNV4NBh3hv5ZLppdno3QUFjqD&api=1&no_preview=1#rise
https://vk.com/doc52355237_666962194?hash=6q38NEAvszC9RaRujZr6ZVjib9zBVZremmdPy8csKIw&dl=vi5dQPwpzhvYIPezYQtsimILAKZctT0T5feFndBaxT8&api=1&no_preview=1#55
https://schematize.pw/setup294.exe - rule_id: 37138
https://sun6-23.userapi.com/c909518/u52355237/docs/d48/03ed792486f2/WWW11_32.bmp?extra=BDTRbaczcnbNzBo0BOe-ypzZEprOU10IkpkSzte4_V8G371fkmp_shttiZOFe2G1ASGDl-WPX9fz5UxXrtRJAgBkbTqjDYOK0KXnwLo7S-B1oMpIKEG-z8PCsBkFTg520y7LBkTmUfiZSrtb
https://sun6-23.userapi.com/c909418/u52355237/docs/d18/6dea2083151c/crypted.bmp?extra=fsba2zHpXvqaKaIs2cqbeh5vyBbuwJUz1GDJrKswAJIhi-uQ6bVTt1ZthUMWNp4RKY7PjMjHY4Ma_mmFnBFnz8T2TeqY1eHF6BqoZPrQTE5hBFV2aHat9V0upNqQz5qlhcM1Nx2yUiz1RdD4
https://db-ip.com/
https://sun6-22.userapi.com/c909218/u52355237/docs/d2/0ad6080636be/RisePro.bmp?extra=PqUzNShtdQ-VVGbOsb_U5PPXWQnmOykXCr2fivqUjiKkJwon0GTt09KEwh_9I68Dc5f0DQX1ply0EcnMJc9OgcjXAI8IkIAS0jKP-35agrJxkRrVKKABaH75pGdH6_DdpAnsxm5a-uDanq3h
https://sun6-21.userapi.com/c237231/u52355237/docs/d27/febee9ba14ad/tmvwr.bmp?extra=KGmYpPVPqL1gWi9xyYdQGc9kE9zKzbY56JcAJV9iuZtoaTKYIdPjQcwEJi0bbYZccEU8xrKK9HW6FyaWz3VwbVmZxYG_2qmXrDvnZSdHp0boKwH__hcxkzXGDY-cpDrcR3ByVwRXBGUFBCA6
https://vk.com/doc52355237_667000543?hash=eKOuemWuRCZmXal2YVj4QW37gepCmLzd9U7bLDKtdnX&dl=Le3z6AAKjnE7RlnXRnVZJtvMGIu3iOAwG2df2VZCSfz&api=1&no_preview=1#test22
https://dzen.ru/?yredirect=true
https://sso.passport.yandex.ru/push?uuid=0db9eca3-374f-45c1-8887-36a74b181ed4&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11
https://api.2ip.ua/geo.json
https://sun6-23.userapi.com/c909228/u52355237/docs/d47/bcda7d7ba2d6/test222.bmp?extra=GzyOtEQtKTC3VoTX4BnD-XTSQBc84p66dFqVHCs6w0VNIzwoEOOArPYB4Kra3QYsCY6Q5lJRsdsoheUUeiOTRdVzlgMBxM95pEXkuMRNKZKeX0Vv4pn-zyZtwt586DxQGHtIi7RMD4sCd6BW
https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1
https://vk.com/doc52355237_666990393?hash=FTORQeSjuGQM3QZ0VZVmUaPzzMTjiHgVozgZL1VKkLs&dl=WHDNqvgddqa5sNEafsQGa9H9myfZRZuS1RHM37yysD8&api=1&no_preview=1
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/a0f4bd8121f1/PL_Client.bmp?extra=gHHzZgmQ2ix-eyDuXWWUkcOvwwyUCy5E3P9WTu6vphlfKcCiFbxuGjvCO_1EJxvkfs2bGFSfr_9PlZsRCq65LOri_c51dD0gx807OeObF3eM6u1R8XpQ0HJzY5ESz-7d2hCuHgwJqj6q2qx6
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-23.userapi.com/c909628/u52355237/docs/d45/362847a669f2/44.bmp?extra=HTogS9Udy-zScPsV8Lv4flcVw5qsSLuY9mdyAh5RRn5xhDPI8DfW9wtYF2X9SS9jhOM-3_rypQvzo-pT4vmB5SI_QdmT89HOjHvIcqqjQ3qOU-NfnB8XQLZDws7kGj9EbiGU5OrFcamzfHKn
https://vk.com/doc52355237_666985371?hash=xUCdQotbw4FtZlATzAL4qnHpx7ewB6dgNtlbn7gwXm4&dl=xZf2pdqcEKVJkPKzgfXwyOhSAkzUukUObYzCFT4qurw&api=1&no_preview=1#1
|
54
api.2ip.ua(172.67.139.220)
db-ip.com(104.26.4.15)
telegram.org(149.154.167.99)
schematize.pw(172.67.152.98) - malware
iplis.ru(148.251.234.93) - mailcious
www.maxmind.com(104.18.146.235)
ipinfo.io(34.117.59.81)
iplogger.org(148.251.234.83) - mailcious
jackantonio.top(45.132.1.20) - malware
onualituyrs.org(91.215.85.209) - malware
sun6-22.userapi.com(95.142.206.2) - mailcious
twitter.com(104.244.42.193)
api.myip.com(104.26.8.59)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
yandex.ru(77.88.55.60)
vk.com(87.240.132.72) - mailcious
sso.passport.yandex.ru(213.180.204.24)
sun6-21.userapi.com(95.142.206.1) - mailcious
api.db-ip.com(104.26.5.15)
dzen.ru(62.217.160.2)
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.18.146.235
87.240.129.133 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
91.215.85.209 - mailcious
171.22.28.226 - malware
87.240.132.67 - mailcious
34.117.59.81
77.88.55.60
148.251.234.83
185.225.75.171 - mailcious
213.180.204.24
45.132.1.20
45.9.74.80 - malware
194.169.175.232 - malware
176.123.9.142 - mailcious
77.91.68.249 - malware
104.26.9.59
45.15.156.229 - mailcious
172.67.152.98 - malware
104.26.4.15
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
95.142.206.0 - mailcious
95.142.206.1 - mailcious
94.142.138.131 - mailcious
|
31
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
|
|
30.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7693 |
2023-10-16 12:52
|
 kenspa.txt.exe 5a41d36eb69dd4649d09163b8dd7e759
Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://villar.ftvproclad.top/_errorpages/villar/five/fre.php
|
2
villar.ftvproclad.top(104.21.19.74)
104.21.19.74
|
9
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
6.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7694 |
2023-10-16 12:52
|
 kenjkt.txt.exe f871241fffd3002353e3ed0eea50daa5
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
3
api.ipify.org(173.231.16.77)
87.240.129.133 - mailcious
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7695 |
2023-10-16 12:50
|
 bulak.txt.exe c630301e6fa6e55bbb4eedeafb870f83
PE File PE32 .NET EXE Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName |
1
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=8dQdVXc6Djbw
|
2
whatismyipaddressnow.co(104.21.71.78)
172.67.143.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|