| 7801 |
2023-10-11 18:10
|
 Olfumi.exe eb05d45ff60a5fd5ea43ed782e967600
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key |
1
http://82.115.209.180/1941
|
1
|
|
|
4.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7802 |
2023-10-11 18:10
|
0iuoioooUIOIOiiiu0u0uioiui0iui... 3289a3401f78873c39e10465d77be4df
Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
18
http://www.onlyleona.com/kniu/ - rule_id: 36720
http://www.prosourcegraniteinc.com/kniu/?9UU4WiQ1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&XT=9LS9sDj_UX - rule_id: 36717
http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
http://www.onlyleona.com/kniu/?9UU4WiQ1=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&XT=9LS9sDj_UX - rule_id: 36720
http://www.poultry-symposium.com/kniu/ - rule_id: 36722
http://www.theartboxslidell.com/kniu/?9UU4WiQ1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&XT=9LS9sDj_UX - rule_id: 36718
http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
http://www.xxkxcfkujyeft.xyz/kniu/?9UU4WiQ1=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&XT=9LS9sDj_UX - rule_id: 36719
http://www.theartboxslidell.com/kniu/ - rule_id: 36718
http://www.tsygy.com/kniu/?9UU4WiQ1=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&XT=9LS9sDj_UX - rule_id: 36721
http://www.frefire.top/kniu/ - rule_id: 36723
http://23.95.106.3/479/Kodviywuey.mp3
http://23.95.106.3/479/qw/Ooseha.exe
http://23.95.106.3/479/process.exe
http://www.tsygy.com/kniu/ - rule_id: 36721
http://www.poultry-symposium.com/kniu/?9UU4WiQ1=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&XT=9LS9sDj_UX - rule_id: 36722
http://www.frefire.top/kniu/?9UU4WiQ1=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&XT=9LS9sDj_UX - rule_id: 36723
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
|
21
www.onlyleona.com(172.67.132.228) - mailcious
www.poultry-symposium.com(85.128.134.237) - mailcious
www.prosourcegraniteinc.com(216.239.32.21) - mailcious
www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
www.frefire.top(67.223.117.37) - mailcious
www.8956kjw1.com(103.71.154.243)
www.theartboxslidell.com(199.59.243.225) - mailcious
www.tsygy.com(23.104.137.185) - mailcious
www.siteapp.fun() - mailcious
www.pengeloladata.click() - mailcious
216.239.38.21 - phishing
23.104.137.185 - mailcious
104.21.13.143
23.95.106.3 - mailcious
199.59.243.225
67.223.117.37 - mailcious
85.128.134.237 - mailcious
216.240.130.67 - mailcious
103.71.154.243
45.33.6.223
185.225.75.8 - malware
|
15
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET MALWARE FormBook CnC Checkin (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
SURICATA HTTP unable to match response to request
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET 3CORESec Poor Reputation IP group 16
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
14
http://www.onlyleona.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.onlyleona.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.theartboxslidell.com/kniu/
http://www.tsygy.com/kniu/
http://www.frefire.top/kniu/
http://www.tsygy.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.frefire.top/kniu/
|
4.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7803 |
2023-10-11 18:09
|
 Nmyp2y0F.ps1 2eeab273293d358d548a3aeb7f8b7033
Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware Checks debugger Creates executable files unpack itself Windows utilities AppData folder Windows Cryptographic key crashed |
|
|
|
|
3.6 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7804 |
2023-10-11 18:08
|
 Setup.exe aac23ff6c2cc93769600e060ab7cfca9
Generic Malware Malicious Library UPX Malicious Packer .NET framework(MSIL) Antivirus Anti_VM PE File PE32 OS Processor Check ZIP Format BMP Format CHM Format DLL .NET EXE PE64 MSOffice File JPEG Format Word 2007 file format(docx) VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency Telegram PDB Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Auto service Check virtual network interfaces AppData folder IP Check Tofsee Ransomware Windows Email ComputerName Firmware DNS |
10
http://185.225.75.8/stryzon/cleanse.exe
http://185.225.75.8/stryzon/build.exe
http://api.ipify.org/
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO
http://185.225.75.8/stryzon/typhon.exe
http://ip-api.com/line/?fields=hosting
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ==
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU=
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl
https://ipapi.co/175.208.134.152/json
|
9
api.telegram.org(149.154.167.220)
api.ipify.org(104.237.62.212)
ipapi.co(104.26.9.44)
ip-api.com(208.95.112.1)
104.26.9.44 - mailcious
149.154.167.220
64.185.227.156
208.95.112.1
185.225.75.8 - malware
|
15
ET POLICY External IP Lookup ip-api.com
ET 3CORESec Poor Reputation IP group 16
ET POLICY curl User-Agent Outbound
ET INFO Executable Download from dotted-quad Host
ET HUNTING curl User-Agent to Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET HUNTING Telegram API Domain in DNS Lookup
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
ET POLICY External IP Lookup api.ipify.org
ET POLICY Cryptocurrency Miner Checkin
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
12.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7805 |
2023-10-11 18:08
|
 sihost.exe 551c449271f2c0a9d4dea541a009bc80
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
9.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7806 |
2023-10-11 18:06
|
 audiodgse.exe 4efcfa2947ffd17dc6eec46cce944ca8
LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
8.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7807 |
2023-10-11 17:01
|
zip_pass1234.7z 902a9838f4e815e995103aa9d5ec3108
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
17
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://176.113.115.84:8080/4.php - rule_id: 34795
http://194.169.175.232/autorun.exe - rule_id: 36817
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
http://171.22.28.212/carryspend.exe - rule_id: 37179
http://94.142.138.113/api/tracemap.php - rule_id: 28877
https://schematize.pw/setup294.exe - rule_id: 37138
https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxhiYr7j1_0fqQ6mBVVKqaCGfPpqwAg3i-
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_maTffLw-7sBSGpkSUaD6LX6hWcw-l4GHW
https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUMaj83_ObjaFQepb-ppl7lDqLmoMojbx2
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5md_y5SVg89O6jgA5qLQfQ-z1AuQowoyj
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2Tov5hzqfyAbrB3AF-XrwOdI8NwGE1hBbA
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQE7JndCjMFugsVh7HxIoogAaG3UIsWGdB
https://api.myip.com/
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5x8k_bC5GVV3LMEZpaq9hbJJpwEd5EZC7
|
25
schematize.pw(104.21.32.142) - malware
api.myip.com(104.26.8.59)
ipinfo.io(34.117.59.81)
sun6-20.userapi.com(95.142.206.0) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
sun6-23.userapi.com(95.142.206.3) - mailcious
onualituyrs.org(91.215.85.209) - malware
vk.com(87.240.137.164) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
77.91.68.249 - malware
172.67.152.98 - malware
172.67.75.163
95.142.206.3 - mailcious
95.142.206.2 - mailcious
91.215.85.209 - mailcious
95.142.206.0 - mailcious
171.22.28.226 - malware
194.169.175.232 - malware
87.240.132.72 - mailcious
34.117.59.81
94.142.138.113 - mailcious
208.67.104.60 - mailcious
176.113.115.84 - mailcious
95.142.206.1 - mailcious
171.22.28.212 - malware
|
14
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET HUNTING Suspicious services.exe in URI
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
|
8
http://171.22.28.226/download/Services.exe
http://176.113.115.84:8080/4.php
http://194.169.175.232/autorun.exe
http://94.142.138.113/api/firegate.php
http://77.91.68.249/navi/kur90.exe
http://171.22.28.212/carryspend.exe
http://94.142.138.113/api/tracemap.php
https://schematize.pw/setup294.exe
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7808 |
2023-10-11 15:48
|
OI0ioioOI0I0I0oioioi0oiOI0oi00... 2a932891e36958c4509cf7b54d3cf43b
Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic ICMP traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
18
http://www.onlyleona.com/kniu/ - rule_id: 36720
http://www.frefire.top/kniu/?-3E-P=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&buPns=-YhUz8pH8JO - rule_id: 36723
http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
http://www.theartboxslidell.com/kniu/?-3E-P=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&buPns=-YhUz8pH8JO - rule_id: 36718
http://www.poultry-symposium.com/kniu/?-3E-P=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&buPns=-YhUz8pH8JO - rule_id: 36722
http://www.poultry-symposium.com/kniu/ - rule_id: 36722
http://www.onlyleona.com/kniu/?-3E-P=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&buPns=-YhUz8pH8JO - rule_id: 36720
http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
http://www.xxkxcfkujyeft.xyz/kniu/?-3E-P=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&buPns=-YhUz8pH8JO - rule_id: 36719
http://www.frefire.top/kniu/ - rule_id: 36723
http://www.tsygy.com/kniu/?-3E-P=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&buPns=-YhUz8pH8JO - rule_id: 36721
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.theartboxslidell.com/kniu/ - rule_id: 36718
http://www.tsygy.com/kniu/ - rule_id: 36721
http://www.prosourcegraniteinc.com/kniu/?-3E-P=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&buPns=-YhUz8pH8JO - rule_id: 36717
http://23.95.106.3/350/sihost.exe
http://23.95.106.3/350/122/Ekcflzifpij.mp3
http://23.95.106.3/350/122/process.exe
|
20
www.onlyleona.com(104.21.13.143) - mailcious
www.prosourcegraniteinc.com(216.239.38.21) - mailcious
www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
www.siteapp.fun() - mailcious
www.theartboxslidell.com(199.59.243.225) - mailcious
www.8956kjw1.com(103.71.154.243)
www.tsygy.com(156.234.127.118) - mailcious
www.frefire.top(67.223.117.37) - mailcious
www.poultry-symposium.com(85.128.134.237) - mailcious
www.pengeloladata.click() - mailcious
216.239.38.21 - phishing
23.104.137.185 - mailcious
23.95.106.3 - mailcious
199.59.243.225
67.223.117.37 - mailcious
85.128.134.237 - mailcious
216.240.130.67 - mailcious
104.21.13.143
103.71.154.243
45.33.6.223
|
14
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE FormBook CnC Checkin (POST) M2
ET INFO HTTP Request to a *.top domain
SURICATA HTTP unable to match response to request
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
|
14
http://www.onlyleona.com/kniu/
http://www.frefire.top/kniu/
http://www.prosourcegraniteinc.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.poultry-symposium.com/kniu/
http://www.onlyleona.com/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.xxkxcfkujyeft.xyz/kniu/
http://www.frefire.top/kniu/
http://www.tsygy.com/kniu/
http://www.theartboxslidell.com/kniu/
http://www.tsygy.com/kniu/
http://www.prosourcegraniteinc.com/kniu/
|
5.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7809 |
2023-10-11 15:46
|
zip1_09.7z cc7af56986cf3d93d33a92bd4a2962f1
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Lumma Stealer Windows RisePro DNS |
37
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://194.169.175.232/autorun.exe - rule_id: 36817
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://45.9.74.80/super.exe - rule_id: 36063
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://172.86.98.101/xs12pro/Vdthrdd.pdf - rule_id: 37111
http://45.9.74.80/zinda.exe - rule_id: 37063
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://www.maxmind.com/geoip/v2.1/city/me
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
http://www.google.com/
http://bytecloudasa.website/api
https://vk.com/doc52355237_666782820?hash=ArroX66l9eYl49eAHc8hpGG9y4ueo0YcyAXCK6pwb68&dl=kNiFdjjHEiGZauYFHzX4HcInvoKLFcTYwmBCbWjJoNw&api=1&no_preview=1
https://schematize.pw/setup294.exe - rule_id: 37138
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQH75ndCjMFugsVh7Hldwu1lHUjEssXTAV
https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxiior7j1_0fqQ6mBVUqbACDeY8atU2Czs
https://db-ip.com/
https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_mZTvfLw-7sBSGpkSUZ2zaDqxVcAGn4TCN
https://dzen.ru/?yredirect=true
https://api.2ip.ua/geo.json
https://sun6-20.userapi.com/c909618/u52355237/docs/d14/c31569dfbdeb/tmvwr.bmp?extra=yxC_ij_BEaCeg17_3RBMDQ1BNAZNk2h_OM7eSsW8UFjriQQEuPjhkmx7r0l5RwikTTTaRs8JC_WeZ6J1ia9pemH-qujCGGdFQ4qt1HjhdnUs91Pu9zHKbqwz31PEAhQxeOFJQPN_beZxT45a
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5y8U_bC5GVV3LMEZpPK42aJxtw0YqR8a7
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2TrvJhzqfyAbrB3AF-DLwMdohQlTY21hLG
https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
https://sso.passport.yandex.ru/push?uuid=b09af16e-2e62-4304-9cf5-7f2d1c90ff55&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUPaT83_ObjaFQepb-p8krkTffz9kq27hz
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5ldPy5SVg89O6jgA587BEQuCjUOJ_mYqg
|
77
watson.microsoft.com(104.208.16.93)
db-ip.com(104.26.5.15)
vanaheim.cn(193.106.174.220) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
yandex.ru(5.255.255.70)
dzen.ru(62.217.160.2)
schematize.pw(104.21.32.142) - malware
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
bytecloudasa.website(172.67.212.39)
69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su(185.82.216.48)
onualituyrs.org(91.215.85.209) - malware
zexeq.com(109.175.29.39) - malware
colisumy.com(2.88.121.8) - malware
www.google.com(142.250.76.132)
iplis.ru(148.251.234.93) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
www.maxmind.com(104.18.145.235)
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.9.59)
104.21.61.162
148.251.234.93 - mailcious
193.106.174.220
104.18.146.235
148.251.234.83
185.225.75.171
194.169.175.128 - mailcious
62.122.184.92 - mailcious
172.86.98.101 - mailcious
62.217.160.2
149.154.167.99 - mailcious
104.21.65.24
172.67.75.166
80.66.75.4 - mailcious
51.255.152.132 - mailcious
91.215.85.209 - mailcious
142.250.204.100
171.22.28.226 - malware
34.117.59.81
77.91.68.249 - malware
176.113.115.84 - mailcious
176.113.115.85 - mailcious
77.88.55.60
104.244.42.65 - suspicious
104.26.8.59
193.42.32.118 - mailcious
176.113.115.135 - mailcious
176.113.115.136 - mailcious
45.143.201.238 - mailcious
45.9.74.80 - malware
194.169.175.232 - malware
176.123.9.142 - mailcious
104.208.16.93
45.15.156.229 - mailcious
172.67.152.98 - malware
104.26.4.15
2.88.121.8
95.142.206.2 - mailcious
211.119.84.111 - malware
95.142.206.0 - mailcious
95.142.206.3 - mailcious
94.142.138.131 - mailcious
213.180.204.24
62.122.184.58 - mailcious
87.240.132.72 - mailcious
95.142.206.1 - mailcious
104.76.78.101 - mailcious
171.22.28.212 - malware
|
37
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Packed Executable Download
ET INFO Dotted Quad Host PDF Request
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
17
http://94.142.138.131/api/firegate.php
http://194.169.175.232/autorun.exe
http://colisumy.com/dl/build2.exe
http://45.9.74.80/super.exe
http://171.22.28.226/download/Services.exe
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://171.22.28.226/download/WWW14_64.exe
http://94.142.138.131/api/firecom.php
http://172.86.98.101/xs12pro/
http://45.9.74.80/zinda.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/tracemap.php
http://zexeq.com/files/1/build3.exe
http://zexeq.com/test2/get.php
http://77.91.68.249/navi/kur90.exe
https://schematize.pw/setup294.exe
|
8.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7810 |
2023-10-11 15:44
|
 yam.com cba85534bde3fb07415e32b156011a87
PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
9.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7811 |
2023-10-11 15:44
|
 gncd.exe 83410598ff9829688f54886ba98d6fee
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
1.8 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7812 |
2023-10-11 15:30
|
 oshandokij.txt.exe 5796315d4909f06ae1b74d4b6035445e
AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName crashed |
|
|
|
|
3.8 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7813 |
2023-10-11 14:25
|
 Min1.exe 6178b26f7cf49fbb0e917a965068edfb
PE File PE64 VirusTotal Malware |
|
|
|
|
1.6 |
M |
55 |
malware123
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7814 |
2023-10-11 14:24
|
 Min.exe 6d1b84686d5dd7d8b6d0ab310b5481d1
PE File PE64 VirusTotal Malware |
|
|
|
|
1.6 |
M |
55 |
malware123
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7815 |
2023-10-11 14:15
|
 Min.exe 6d1b84686d5dd7d8b6d0ab310b5481d1
PE File PE64 VirusTotal Malware |
|
|
|
|
1.6 |
M |
55 |
malware123
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|