| 7861 |
2023-10-10 17:00
|
i-5.8-6.Sakura 934037ef82e243dea200d0567604bd2e
AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
4.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7862 |
2023-10-10 17:00
|
 Prowf.exe 3cef8b4a9c9507c112ca5449a03b03e9
PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName |
|
2
pmjo.fra1.cdn.digitaloceanspaces.com(205.185.216.42) - malware
205.185.216.42 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7863 |
2023-10-10 14:06
|
 setup294.exe cdab7ff04a8249fd9709106297453f03
Malicious Library UPX PE File PE32 DLL OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
2.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7864 |
2023-10-10 14:04
|
 setup294.exe 3c1be0e1c425fd4f3204a6f914021210
Malicious Library UPX PE File PE32 DLL OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder WriteConsoleW |
|
|
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7865 |
2023-10-10 10:56
|
Contract-2.msi 8e68a2869daf1ba9eaebf31d2d87973e
DarkGate Malicious Library MSOffice File CAB OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Windows ComputerName |
9
http://piret-wismann.com:2351/njsswd - rule_id: 37133
http://piret-wismann.com:2351/njsswd
http://piret-wismann.com:8080/ - rule_id: 37129
http://piret-wismann.com:2351/ - rule_id: 37133
http://piret-wismann.com:2351/
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt
http://piret-wismann.com:2351/cztngt - rule_id: 37133
http://piret-wismann.com:2351/cztngt
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
4
piret-wismann.com(162.33.179.65) - mailcious
www.ssl.com(54.236.82.84)
54.174.96.153
162.33.179.65 - mailcious
|
3
ET POLICY curl User-Agent Outbound
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
|
4
http://piret-wismann.com:2351/
http://piret-wismann.com:8080/
http://piret-wismann.com:2351/
http://piret-wismann.com:2351/
|
4.8 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7866 |
2023-10-10 10:48
|
zip.7z 180d73f995d228c51498c4bfaf674d57
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
22
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://194.169.175.232/autorun.exe - rule_id: 36817
http://171.22.28.212/2/carryspend.exe
http://isaiahbenjamin.top/calc2.exe - rule_id: 37065
http://176.113.115.84:8080/4.php - rule_id: 34795
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://schematize.pw/setup294.exe
https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/a25470dcbd60/51.bmp?extra=GeDMEoBnj5HiBH8lYCKM4E8Cdf0ZvPTo7RNEQt5rgyVqxNfQ0I1nABcSoOF-zqaJGTRo_TjvBGxRvljryGdpzuoTpkFMg9qakOHKfcy3PKJOd07O5ybrR3WWuhp7tE8ZYJj02c1Oe-7AW9Ea
https://sun6-20.userapi.com/c909218/u52355237/docs/d56/c799dfa67f83/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=8V_Gx4EM01ClICmHXir_Nyg1m47_gpkHviRFEfRfwEimSdJ7lF-rSRtzZ4lLXEDEWL0c4-UIjMfbK753vsOEAkQgoAt5gND6ezVX9FScbP3ssicE-oDCWJBeWvjxLE67DNaRE4nMetqT17G0
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a379a3d6dbcc/s328sadfg.bmp?extra=ewdYmK0WfXaphUxsYVOMtnqPtsupcKUARPvi9rMvr31eIuAz7ZOZNRG5PIDRf1OM_zfw3x7KbpMAloitO121-9yAWedpZPHVRejXt_vzKVu5BUG_kC5_eTliTWpQcpaMEku0Tw5SEAB62PFE
https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
https://api.myip.com/
https://vk.com/doc52355237_666723625?hash=0XzYCf0Jcy2su6zuK2SNEpQd4wEUCdm2dCf3EnEbT6c&dl=GVcRiS2pf3k3AJQ40jMUWdwrMZlIpwfBRf0X8QAO9y0&api=1&no_preview=1#rise
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/dc55b042e028/PL_Client.bmp?extra=jUW_oRwrD9NTavRvUvJs7-AeE7YRls5T39ZVi5MifraVz98tbOwI8GPUjfeSa75bJxmiU8vIH7QDMkGrb0ecKgZ_9P3GfaMs4m7oDLVoHA5EkCVG9LefjOT1D_n4uIQjuJREJRk5KewbforM
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
https://vk.com/doc52355237_666740840?hash=eOQIZZkaEGIDpIMnMtScHnZo2IjU6SfEjtIRm4HjaVz&dl=RuFCA30NjDjQttzjQkMKji7OE54jkmgwhZ6q4PGRZtT&api=1&no_preview=1#1
https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
https://sun6-21.userapi.com/c909228/u52355237/docs/d40/9713ae4da741/crypted.bmp?extra=3z2dDFxrgb3KmfY19dlv_B46b4NrqlNdYNZ3DbiQFvyuEAQXVtdjJm7Wh06D-CL1zZM7lCr2nTBOUJuQifKo9xnFcROWroQzWR5wooLm9QV99Z4qVunwmdzaBsJ3WpcGqfiqnEPzj1g67u9E
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/41178e94324b/test22.bmp?extra=50EX2Euknv-wHFrHFEnsB8am5MGHT-UOUeAN0VgDGEZSz5WsYfiPQTcTccfABNS317kmjuBB2el09vADkUL_fUZM_KrFZH1YlXJypuWL5cIaUxakmnjmKYE7dL8-TkydAD9366cw6QHsgSTr
|
24
schematize.pw(104.21.32.142)
api.myip.com(172.67.75.163)
onualituyrs.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.137.164) - mailcious
isaiahbenjamin.top(85.143.221.30) - malware
sun6-21.userapi.com(95.142.206.1) - mailcious
77.91.68.249 - malware
85.143.221.30 - malware
172.67.75.163
95.142.206.3 - mailcious
91.215.85.209 - mailcious
95.142.206.0 - mailcious
171.22.28.226 - malware
87.240.129.133 - mailcious
194.169.175.232 - malware
34.117.59.81
104.21.32.142
176.113.115.84 - mailcious
95.142.206.1 - mailcious
94.142.138.131 - mailcious
171.22.28.212
|
18
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA Applayer Mismatch protocol both directions
ET INFO Executable Download from dotted-quad Host
ET DNS Query to a *.pw domain - Likely Hostile
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Suspicious services.exe in URI
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
|
7
http://94.142.138.131/api/firegate.php
http://171.22.28.226/download/Services.exe
http://194.169.175.232/autorun.exe
http://isaiahbenjamin.top/calc2.exe
http://176.113.115.84:8080/4.php
http://94.142.138.131/api/tracemap.php
http://77.91.68.249/navi/kur90.exe
|
6.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7867 |
2023-10-10 10:42
|
zip.7z 854c628dca46bee73c0d90ce447d626e
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
21
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://176.113.115.84:8080/4.php - rule_id: 34795
http://171.22.28.212/2/carryspend.exe
http://isaiahbenjamin.top/calc2.exe - rule_id: 37065
http://194.169.175.232/autorun.exe - rule_id: 36817
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/a25470dcbd60/51.bmp?extra=GeDMEoBnj5HiBH8lYCKM4E8Cdf0ZvPTo7RNEQt5rgyVqxNfQ0I1nABcSoOF-zqaJGTRo_TjvBGxRvljryGdpzuoTpkFMg9qakOHKfcy3PKJOd07O5ybrR3WWuhp7tE8ZYJj02c1Oe-7AW9Ea
https://sun6-20.userapi.com/c909218/u52355237/docs/d56/c799dfa67f83/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=8V_Gx4EM01ClICmHXir_Nyg1m47_gpkHviRFEfRfwEimSdJ7lF-rSRtzZ4lLXEDEWL0c4-UIjMfbK753vsOEAkQgoAt5gND6ezVX9FScbP3ssicE-oDCWJBeWvjxLE67DNaRE4nMetqT17G0
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a379a3d6dbcc/s328sadfg.bmp?extra=ewdYmK0WfXaphUxsYVOMtnqPtsupcKUARPvi9rMvr31eIuAz7ZOZNRG5PIDRf1OM_zfw3x7KbpMAloitO121-9yAWedpZPHVRejXt_vzKVu5BUG_kC5_eTliTWpQcpaMEku0Tw5SEAB62PFE
https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
https://api.myip.com/
https://vk.com/doc52355237_666723625?hash=0XzYCf0Jcy2su6zuK2SNEpQd4wEUCdm2dCf3EnEbT6c&dl=GVcRiS2pf3k3AJQ40jMUWdwrMZlIpwfBRf0X8QAO9y0&api=1&no_preview=1#rise
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/dc55b042e028/PL_Client.bmp?extra=jUW_oRwrD9NTavRvUvJs7-AeE7YRls5T39ZVi5MifraVz98tbOwI8GPUjfeSa75bJxmiU8vIH7QDMkGrb0ecKgZ_9P3GfaMs4m7oDLVoHA5EkCVG9LefjOT1D_n4uIQjuJREJRk5KewbforM
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
https://vk.com/doc52355237_666740840?hash=eOQIZZkaEGIDpIMnMtScHnZo2IjU6SfEjtIRm4HjaVz&dl=RuFCA30NjDjQttzjQkMKji7OE54jkmgwhZ6q4PGRZtT&api=1&no_preview=1#1
https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
https://sun6-21.userapi.com/c909228/u52355237/docs/d40/9713ae4da741/crypted.bmp?extra=3z2dDFxrgb3KmfY19dlv_B46b4NrqlNdYNZ3DbiQFvyuEAQXVtdjJm7Wh06D-CL1zZM7lCr2nTBOUJuQifKo9xnFcROWroQzWR5wooLm9QV99Z4qVunwmdzaBsJ3WpcGqfiqnEPzj1g67u9E
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/41178e94324b/test22.bmp?extra=50EX2Euknv-wHFrHFEnsB8am5MGHT-UOUeAN0VgDGEZSz5WsYfiPQTcTccfABNS317kmjuBB2el09vADkUL_fUZM_KrFZH1YlXJypuWL5cIaUxakmnjmKYE7dL8-TkydAD9366cw6QHsgSTr
|
24
schematize.pw(172.67.152.98)
api.myip.com(104.26.9.59)
onualituyrs.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(93.186.225.194) - mailcious
isaiahbenjamin.top(85.143.221.30) - malware
sun6-21.userapi.com(95.142.206.1) - mailcious
193.42.32.118 - mailcious
77.91.68.249 - malware
85.143.221.30 - malware
104.26.9.59
95.142.206.3 - mailcious
91.215.85.209 - mailcious
95.142.206.0 - mailcious
171.22.28.226 - malware
87.240.129.133 - mailcious
194.169.175.232 - malware
34.117.59.81
104.21.32.142
176.113.115.84 - mailcious
95.142.206.1 - mailcious
171.22.28.212
|
18
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
|
7
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://176.113.115.84:8080/4.php
http://isaiahbenjamin.top/calc2.exe
http://194.169.175.232/autorun.exe
http://193.42.32.118/api/tracemap.php
http://77.91.68.249/navi/kur90.exe
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7868 |
2023-10-10 10:37
|
xxx.jpg.ps1 afaec0cb0efc79d3c2effd5ea7c43cf9
Generic Malware Antivirus VirusTotal Malware Check memory Creates executable files unpack itself WriteConsoleW ComputerName |
|
|
|
|
2.0 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7869 |
2023-10-10 10:36
|
 Informazioni.txt.url 0e20d831a104276c6b374d9c01cc9bde
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.73/scarica/client.url
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7870 |
2023-10-10 10:33
|
EXX.vbs 5d8410c20a0349ff3b5a346180455b76
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://94.156.161.167/tl/eg6667.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7871 |
2023-10-10 10:33
|
 ig5443.txt.exe 6de05ad93daca1b6caf769826a404975
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
104.237.62.212
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
6.4 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7872 |
2023-10-10 10:33
|
 Documenti.url b4ae0d79ac63532fcf65494e208cb940
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.72/scarica/client.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7873 |
2023-10-10 10:31
|
 Cliente.url 7c1010e02c22a4beea97a9c2ebb53d1e
AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.71/scarica/client.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7874 |
2023-10-10 10:30
|
 cgeahsl8f7.exe 62099107e7c4a2cf1914ec1fb022db4b
Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7875 |
2023-10-10 10:30
|
 ReklamX.ps1 39aa0004099949044f6e47835101653d
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key |
|
|
|
|
1.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|