Columns: ID | Date | File | MD5 | Score | flag | count | Reporter. Under each entry: sandbox tags, contacted URLs (with the Suricata rule_id where the listing gives one), contacted IPs, matched signatures, and extracted URLs. Counts in parentheses are the listing's own counts; "(not listed)" marks a count with no entries shown.

8161 | 2023-09-30 13:06 | exbo.exe | MD5 14b9d9e187fdb2f9deb0a9361a4f408d | score 8.2 | M | 34 | ZeroCERT
  Tags: Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS crashed
  URLs (1): http://5.42.92.211/loghub/master - rule_id: 36282
  IPs (1): (not listed)
  Signatures (2):
    ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
    ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  Extracted URLs (1): http://5.42.92.211/loghub/master

8162 | 2023-09-30 13:05 | asca1ex1234.exe | MD5 ab42dd45f0015269d23c14792397617f | score 1.6 | M | 38 | ZeroCERT
  Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware

8163 | 2023-09-30 13:05 | UMM2.exe | MD5 16e1b0fb578bc6d4eb28a5389a8436dd | score 4.0 | M | 19 | ZeroCERT
  Tags: PE File PE32 .NET EXE VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself Windows ComputerName DNS Cryptographic key
  IPs (1): (not listed)

8164 | 2023-09-30 13:04 | Amadey.exe | MD5 aebaf57299cd368f842cfa98f3b1658c | score 10.0 | M | 55 | ZeroCERT
  Tags: Amadey Browser Login Data Stealer Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check DLL JPEG Format PE64 Malware download Amadey VirusTotal Malware AutoRuns PDB Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW installed browsers check Interception Windows Browser ComputerName DNS crashed
  URLs (4):
    http://193.42.32.29/9bDc8sQ/Plugins/cred64.dll
    http://193.42.32.29/9bDc8sQ/index.php?scr=1
    http://193.42.32.29/9bDc8sQ/Plugins/clip64.dll
    http://193.42.32.29/9bDc8sQ/index.php
  IPs (1): (not listed)
  Signatures (6):
    ET MALWARE Amadey CnC Check-In
    ET MALWARE Win32/Amadey Bot Activity (POST) M2
    ET MALWARE Amadey Bot Activity (POST) M1
    ET INFO Dotted Quad Host DLL Request
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

8165 | 2023-09-30 13:04 | toolspub1.exe | MD5 0da78f6ac7f81956c6b3b73aa43ef60d | score 2.6 | M | 33 | ZeroCERT
  Tags: Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB

8166 | 2023-09-30 13:03 | foto1221.exe | MD5 99e05ed844344417fbf1594c67054ebe | score 17.2 | M | 51 | ZeroCERT
  Tags: RedLine stealer Gen1 Emotet RedLine Infostealer Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET AntiDebug AntiVM PE File PE32 CAB .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
  URLs (1): http://5.42.92.211/loghub/master - rule_id: 36282
  IPs (2): 77.91.124.55, 5.42.92.211 - malicious
  Signatures (7):
    ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
    ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
    ET INFO Microsoft net.tcp Connection Initialization Activity
    ET MALWARE Redline Stealer TCP CnC Activity
    ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
    ET MALWARE Redline Stealer TCP CnC - Id1Response
    ET MALWARE Redline Stealer Activity (Response)
  Extracted URLs (1): http://5.42.92.211/loghub/master

8167 | 2023-09-30 13:01 | WinDhcp.exe | MD5 d381d9db9cbd1b60afdfb4f05e52a775 | score 1.2 | M | 21 | ZeroCERT
  Tags: PE File PE64 VirusTotal Malware

8168 | 2023-09-30 12:59 | herom.exe | MD5 38682480c0a22cc8e025f23d78bab140 | score 2.8 | M | 16 | ZeroCERT
  Tags: Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder WriteConsoleW

8169 | 2023-09-30 12:59 | RBY1.exe | MD5 d6a782cd2e4b92e06bbc8204013f3d68 | score 4.0 | | 36 | ZeroCERT
  Tags: PE File PE32 .NET EXE VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key crashed

8170 | 2023-09-30 12:58 | Services.exe | MD5 b9a096baebdf8e44368e9724da8e56dd | score 10.8 | M | 37 | ZeroCERT
  Tags: Malicious Library UPX PE File PE32 PE64 Malware download VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW IP Check PrivateLoader Tofsee Windows ComputerName DNS crashed
  URLs (8):
    http://193.42.32.118/api/firecom.php - rule_id: 36700
    http://171.22.28.226/download/WWW14_64.exe
    http://193.42.32.118/api/tracemap.php - rule_id: 36180
    http://www.maxmind.com/geoip/v2.1/city/me
    https://sso.passport.yandex.ru/push?uuid=ad269c5f-9769-4a8d-84e7-2d5be64d35f7&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
    https://dzen.ru/?yredirect=true
    https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
    https://db-ip.com/
  IPs (20):
    db-ip.com(104.26.4.15), ipinfo.io(34.117.59.81), twitter.com(104.244.42.193), telegram.org(149.154.167.99), www.maxmind.com(104.18.146.235), yandex.ru(77.88.55.88), api.db-ip.com(172.67.75.166), dzen.ru(62.217.160.2), sso.passport.yandex.ru(213.180.204.24),
    149.154.167.99 - malicious, 193.42.32.118 - malicious, 172.67.75.166, 62.217.160.2, 104.18.146.235, 213.180.204.24, 171.22.28.226 - malware, 34.117.59.81, 104.26.5.15, 5.255.255.70, 104.244.42.129 - suspicious
  Signatures (8):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
    ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
    ET INFO Executable Download from dotted-quad Host
    ET INFO Packed Executable Download
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Extracted URLs (2):
    http://193.42.32.118/api/firecom.php
    http://193.42.32.118/api/tracemap.php

8171 | 2023-09-30 12:57 | birza.exe | MD5 53df0c8b56120e03e1657e366720ecd9 | score 6.2 | M | 56 | ZeroCERT
  Tags: RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File PE32 .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
  IPs (1): 194.180.49.159 - malicious
  Signatures (5):
    ET INFO Microsoft net.tcp Connection Initialization Activity
    ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
    ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
    ET MALWARE Redline Stealer Activity (Response)
    ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)

8172 | 2023-09-30 12:57 | kus.exe | MD5 acf39b9c0b1f3c9addd5dd50a8773a28 | score 8.0 | M | 38 | ZeroCERT
  Tags: Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Code Injection buffers extracted crashed

8173 | 2023-09-30 12:54 | clip64.dll | MD5 e913b0d252d36f7c9b71268df4f634fb | score 2.0 | M | 55 | ZeroCERT
  Tags: Amadey Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File DLL PE32 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself

8174 | 2023-09-28 08:41 | westcompetitiveresspro.exe | MD5 41ca6ed3ff003e205d7dae915c20eb59 | score 3.0 | | 12 | ZeroCERT
  Tags: Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution

8175 | 2023-09-28 08:40 | ly4893.txt.exe | MD5 ed55b32151792a117b9c9bfe439734cc | score 6.4 | | 55 | ZeroCERT
  Tags: Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
  IPs (2): api.ipify.org(104.237.62.212), 173.231.16.77
  Signatures (4):
    ET INFO TLS Handshake Failure
    ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
    ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
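A listing like this is only useful to a SOC once its hashes, URLs, IPs and Suricata/ET signature names are pulled out as structured indicators, and the pipe-delimited form the page was extracted in is awkward to consume by hand. The parser below is an added example, not code from ZeroCERT or from the site that publishes these reports. It assumes the flattened layout seen above: each entry is eleven pipe-separated cells (ID, date, file line, URLs, IPs, signatures, extracted URLs, score, flag, count, reporter), and the four list cells carry a count on their first line. The sample text is constructed from two shortened rows of the listing (8161 and 8171); the record fields, the "mailcious" label fix and the defang helper are my own choices. It also flags the edge case visible in the listing, a count with no entries behind it.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

ROW_CELLS = 11  # id, date, file, urls, ips, sigs, extracted urls, score, flag, count, reporter
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
IP_RE = re.compile(r"(?:([\w.-]+)\()?(\d{1,3}(?:\.\d{1,3}){3})\)?(?:\s+-\s+([A-Za-z]+))?")
SIG_SPLIT_RE = re.compile(r"\s+(?=ET [A-Z]+ |SSLBL: )")  # each signature starts with "ET <class>" or "SSLBL:"
LABEL_FIXES = {"mailcious": "malicious"}  # recurring typo in the listing's IP labels

# Constructed sample: two rows in the flattened form the page was extracted in
# (tag lists shortened). Not taken from a live feed.
SAMPLE = """8161 |
2023-09-30 13:06
|
exbo.exe 14b9d9e187fdb2f9deb0a9361a4f408d Malicious Library UPX AntiDebug AntiVM PE File PE32 Stealc |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
1
|
2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://5.42.92.211/loghub/master
|
8.2 |
M |
34 |
ZeroCERT
|
|
8171 |
2023-09-30 12:57
|
birza.exe 53df0c8b56120e03e1657e366720ecd9 RedLine Infostealer UPX .NET EXE |
|
1
194.180.49.159 - mailcious
|
2
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
|
|
6.2 |
M |
56 |
ZeroCERT
|
"""


@dataclass
class Record:
    id: str
    date: str
    filename: str
    md5: Optional[str]
    tags: str
    urls: list = field(default_factory=list)            # (url, rule_id or None)
    ips: list = field(default_factory=list)             # (ip, label or None, hostname or None)
    signatures: list = field(default_factory=list)
    extracted_urls: list = field(default_factory=list)
    score: float = 0.0
    count_mismatch: list = field(default_factory=list)  # listing count != entries actually present


def _counted(cell):
    """A list cell is '<n>\\n<content>'; an empty cell or a bare count has no content."""
    if not cell:
        return 0, ""
    head, _, rest = cell.partition("\n")
    return int(head), rest.strip()


def _check(rec, name, listed, parsed):
    if listed != len(parsed):
        rec.count_mismatch.append(f"{name}: listed {listed}, parsed {len(parsed)}")


def _parse_row(row):
    rid, date, file_cell, urls_c, ips_c, sigs_c, ext_c, score, _flag, _n, _reporter = row
    tokens = file_cell.split()
    md5 = tokens[1] if len(tokens) > 1 and MD5_RE.match(tokens[1]) else None
    rec = Record(id=rid, date=date, filename=tokens[0], md5=md5,
                 tags=" ".join(tokens[2 if md5 else 1:]), score=float(score))
    n, body = _counted(urls_c)
    rec.urls = [(u, int(r) if r else None) for u, r in URL_RE.findall(body)]
    _check(rec, "urls", n, rec.urls)
    n, body = _counted(ips_c)
    rec.ips = [(ip, LABEL_FIXES.get(lab, lab) or None, host or None)
               for host, ip, lab in IP_RE.findall(body)]
    _check(rec, "ips", n, rec.ips)
    n, body = _counted(sigs_c)
    rec.signatures = SIG_SPLIT_RE.split(body) if body else []
    _check(rec, "signatures", n, rec.signatures)
    n, body = _counted(ext_c)
    rec.extracted_urls = [u for u, _ in URL_RE.findall(body)]
    _check(rec, "extracted_urls", n, rec.extracted_urls)
    return rec


def parse_listing(text):
    """Walk the pipe-separated cells; a row starts at a numeric ID cell followed by a date cell."""
    cells = [c.strip() for c in text.split("|")]
    records, i = [], 0
    while i + ROW_CELLS <= len(cells):
        if cells[i].isdigit() and DATE_RE.match(cells[i + 1]):
            records.append(_parse_row(cells[i:i + ROW_CELLS]))
            i += ROW_CELLS
        else:
            i += 1
    return records


def defang(s):
    """hxxp:// and [.] so an indicator can be pasted into tickets without becoming a live link."""
    return s.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


def ioc_set(records):
    """Unique defanged network IOCs mapped to the MD5s of the samples that contacted them."""
    out = {}
    for r in records:
        for u, _ in r.urls:
            out.setdefault(defang(u), set()).add(r.md5)
        for ip, _, _ in r.ips:
            out.setdefault(defang(ip), set()).add(r.md5)
    return out


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.id, rec.filename, rec.md5, rec.score, rec.count_mismatch)
    for ioc, hashes in ioc_set(parse_listing(SAMPLE)).items():
        print(ioc, sorted(hashes))
```

The count check matters in practice: entry 8161 reports one contacted IP but shows none, so the record carries a `count_mismatch` note instead of silently producing an empty IP list, and whoever loads the IOCs knows the listing is incomplete rather than clean.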