| 8176 |
2023-09-28 08:38
|
 bestunderstandingresspro.exe c64258c1d7fef95b76f9aca64d707ac7
Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8177 |
2023-09-28 08:37
|
 dyke.txt.exe 5b3c222b7554df5dd2dfe06f4ac288e8
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName crashed |
|
|
|
|
5.0 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8178 |
2023-09-28 08:27
|
 imolight2.1.exe 56a626b9244c18ac768b5d3db7e014ed
NSIS Malicious Library UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder human activity check Windows ComputerName DNS |
|
1
194.180.48.119 - mailcious
|
|
|
10.2 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8179 |
2023-09-28 08:26
|
 unqgl.txt.exe af158ce8c4950113f3886aa922725b50
Malicious Packer PE File PE32 .NET EXE |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8180 |
2023-09-28 03:01
|
 Szun-ce - A háború művészete.p... 7fcb7c5a54d6e7aeee4f3c4cc80c7cb0
PDF |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8181 |
2023-09-27 18:45
|
gate9_pass1234.7z fb744c58353b153a548fd04fd959b232
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
44
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://xsk295c2.beget.tech/525403/setup.exe - rule_id: 36854
http://171.22.28.208/download/WWW14_64.exe - rule_id: 36692
http://ji.alie3ksgbb.com/m/esgla2i5.exe - rule_id: 36693
http://christopherantonio.top/calc2.exe - rule_id: 36694
http://45.9.74.80/super.exe - rule_id: 36063
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://194.169.175.232/autorun.exe - rule_id: 36817
http://fc.ftimedica.com/netTime.exe - rule_id: 36695
http://5.42.92.211/loghub/master - rule_id: 36282
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.9.74.80/harbar.exe - rule_id: 36698
http://230926170958727.kmj.xne26.cfd/f/fikim0926727.exe
http://171.22.28.222/3.exe - rule_id: 36819
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://171.22.28.208/download/Services.exe - rule_id: 36699
http://176.113.115.84:8080/4.php - rule_id: 34795
http://77.91.68.239/wase/zor40.exe - rule_id: 36821
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=QdxoMRgBiPBlQIidwJrjL2PzBr7lIkeGc6EhAO0P6m4%3D&spr=https&se=2023-09-28T10%3A35%3A48Z&rscl=x-e2eid-705510e0-bd7b47ae-a5e876ec-aa96616b-session-70430784-a7b24e70-996ecbe3-744f6c2c
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://sun6-20.userapi.com/c909218/u52355237/docs/d16/5d0c4daa5259/crypted.bmp?extra=zdJvqwXZDa8_UiT0CZkexuzamnA3vGRlqUCNSeV2re5ViYefGQXE-s2XyeiWHMWIWKihhjzFbVx8b-AhzTMnVv1bOjWdfeLqlT9r8TsjJ0AP2GI09Lli1MDOrZRhRqMRf8mx_2PK8T0YD8mn
https://sun6-21.userapi.com/c909418/u52355237/docs/d13/911be371f0c0/r1.bmp?extra=oWOmWiP64UIJiSCefnNude-l_2SrMu7fcUjIfHBHew1wrBQvuiTTUTrKfHz6yY7V7We9U9PBmQx9jFPC1J4P3M9qIDjbFa8Z0uKW1yIkD3KFawgEcPTsQjxBnE3pTGHWOHttvUj-LRW2n-Yg
https://preconcert.pw/setup294.exe - rule_id: 36162
https://neuralshit.net/7c467608943063cf2ce14a0d7be36ad5/7725eaa6592c80f8124e769b4e8a07f7.exe
https://api.myip.com/
https://msdl.microsoft.com/download/symbols/index2.txt
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://sun6-21.userapi.com/c909628/u52355237/docs/d56/ecd474467072/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=VSMMPHzYfzhCEpRVmMEKMEF8s0Pf7BKVDv-7xy6dDQBx1KyO3-8hTO6YuKHOjQ-Pg5vq7E-ITVnT2FH9w-IGGXKUlNNTBg56UHPr-mj809AdTNTnzqIF7JT9vv0b2Xi7I6Zyc21RN4srGpt5
https://dzen.ru/?yredirect=true
https://vk.com/doc52355237_666216113?hash=9p2AYlk8zwbC1pvEZPQBKzQhzl3oRzLZPdIHhe6p664&dl=cslpZZMp7VLHk2zTPNYIuOvrqDOXg4V4He4DdoaGlzo&api=1&no_preview=1#acotr
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=hm32OqAt9lsZB1fYwq4K5gZaGtF99zAvthdX3gJ2HgE%3D&spr=https&se=2023-09-28T10%3A12%3A04Z&rscl=x-e2eid-14d10539-bb364a73-b6ac8354-a3e84c30-session-d0adb591-3a6f4337-a2e83faf-1d58b0f4
https://sun6-21.userapi.com/c909628/u52355237/docs/d4/d83307b38fc0/PL_Client.bmp?extra=z3Lt_zd6Ph0zNrYgbhR7VxTfTSY73wjsMQd--sPaubZaZsMzCBR1GNoOQhnrH8HBEpLifv3b8t-WJcSxi4h5ZUY9LPzkW0vTQyDGtqLcYWBES37AQqbSJ6K8codv63r-_00AGPHrJJCl_A2u
https://sun6-21.userapi.com/c237031/u52355237/docs/d27/3acc0367b01b/asca1ex.bmp?extra=QVhameGd0VGJO_jouh9BCdw2T5ubEhKTYsuT20gOSz_2T1WKexK1igJKLpdLlpy0Z3Z13z06kclCgARHhHqiVQgSMPyMWbCWBayiXqs_HedsPcHdhAGwf7H9wpdfzb_wP45PgVmEB_orql9C
https://sun6-20.userapi.com/c909228/u52355237/docs/d44/c0e13179ad83/test2.bmp?extra=FRiWShW93DWsuiDd8DMk6E3A8FNgmmKQA0s3Hex7US-8REQiMPFomVj7Qhqd1yFwQfJZQ9tF7jSGUOC5HJSyT_qRGb0A0es_wx-c1InV3LR1OmQmPbWUNgKG4EhdvHXJ5EbmyXWG3RP7qg8c
https://vk.com/doc52355237_666234015?hash=jC8k9uZNDwpIzHryeQnmi9pC0nHf4JLz2m1bJdWIZeD&dl=hRM2hk5MgfZVhMzLzxpzfwqDj4yDsI3PzHnkqlAJNJL&api=1&no_preview=1#test22
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://sso.passport.yandex.ru/push?uuid=5cdb7085-4e7c-499d-9406-152dc4e400b8&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
|
89
neuralshit.net(172.67.134.35) - malware
db-ip.com(104.26.5.15)
vanaheim.cn(45.135.233.58) - mailcious
ipinfo.io(34.117.59.81)
0476fa47-9285-4c60-8419-baac6d5e2796.uuid.окрф.рф()
yandex.ru(5.255.255.77)
wahaaudit.ps(213.6.54.58) - malware
dzen.ru(62.217.160.2)
preconcert.pw(172.67.197.101) - malware
api.2ip.ua(162.0.217.254)
iplogger.org(148.251.234.83) - mailcious
z.nnnaajjjgc.com(156.236.72.121) - malware
twitter.com(104.244.42.65)
msdl.microsoft.com(204.79.197.219)
telegram.org(149.154.167.99)
christopherantonio.top(46.173.215.72) - malware
octocrabs.com(104.21.21.189) - mailcious
230926170958727.kmj.xne26.cfd(94.156.35.76)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
230404015907217.ism.wity21.info()
xsk295c2.beget.tech(87.236.19.185) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
ji.alie3ksgbb.com(104.21.90.117) - mailcious
iplogger.com(148.251.234.93) - mailcious
api.db-ip.com(104.26.5.15)
vsblobprodscussu5shard58.blob.core.windows.net(20.150.79.68)
vsblobprodscussu5shard10.blob.core.windows.net(20.150.38.228)
iplis.ru(148.251.234.93) - mailcious
hugersi.com(91.215.85.147) - malware
www.maxmind.com(104.18.146.235)
vk.com(87.240.132.72) - mailcious
api.myip.com(172.67.75.163)
fc.ftimedica.com(45.130.231.6) - malware
146.59.10.173 - mailcious
194.169.175.128 - mailcious
104.18.145.235
172.67.197.101
45.130.231.6 - malware
148.251.234.93 - mailcious
77.91.124.55
176.123.4.46 - mailcious
87.240.129.133 - mailcious
20.150.70.36
62.217.160.2
179.43.158.2
87.236.19.185 - mailcious
5.255.255.70
23.67.53.27
5.42.92.211 - mailcious
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
172.67.75.163
45.9.74.80 - malware
204.79.197.219
31.41.244.27 - mailcious
46.173.215.72 - mailcious
171.22.28.208 - malware
20.150.79.68
162.0.217.254
45.129.14.83 - malware
176.113.115.84 - mailcious
45.135.233.58
148.251.234.83
104.26.8.59
104.21.6.10 - malware
104.21.90.117 - malware
213.180.204.24
171.22.28.222 - malware
34.117.59.81
23.67.53.17
194.169.175.232 - malware
176.123.9.142 - mailcious
156.236.72.121 - mailcious
213.6.54.58 - malware
104.26.9.59
104.26.4.15
104.21.21.189
95.142.206.1 - mailcious
95.142.206.0 - mailcious
91.215.85.147 - malware
45.15.156.229 - mailcious
104.244.42.193 - suspicious
87.240.132.78 - mailcious
62.122.184.58 - mailcious
87.240.132.72 - mailcious
77.91.68.239 - malware
94.142.138.131 - mailcious
|
41
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Possible EXE Download From Suspicious TLD
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
22
http://hugersi.com/dl/6523.exe
http://xsk295c2.beget.tech/525403/setup.exe
http://171.22.28.208/download/WWW14_64.exe
http://ji.alie3ksgbb.com/m/esgla2i5.exe
http://christopherantonio.top/calc2.exe
http://45.9.74.80/super.exe
http://45.15.156.229/api/tracemap.php
http://194.169.175.232/autorun.exe
http://fc.ftimedica.com/netTime.exe
http://5.42.92.211/loghub/master
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/firegate.php
http://45.9.74.80/harbar.exe
http://171.22.28.222/3.exe
http://94.142.138.131/api/tracemap.php
http://193.42.32.118/api/tracemap.php
http://171.22.28.208/download/Services.exe
http://176.113.115.84:8080/4.php
http://77.91.68.239/wase/zor40.exe
http://193.42.32.118/api/firecom.php
https://preconcert.pw/setup294.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8182 |
2023-09-27 17:39
|
 asca1ex.exe bf58b6afac98febc716a85be5b8e9d9e
Malicious Library PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
176.123.9.142 - mailcious
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
6.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8183 |
2023-09-27 17:36
|
 rh111.exe 1b87684768db892932be3f0661c54251
UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check FlawedAmmyy VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.2 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8184 |
2023-09-27 17:34
|
 rh_0.4.9rc1123.exe 1cf749dd7209e826e36d8ece08aa6a7a
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware WMI RWX flags setting unpack itself ComputerName crashed |
|
|
|
|
4.2 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8185 |
2023-09-27 17:34
|
 clean.exe 9fa10337d494e4b832b790bd53352fc4
Gen1 Emotet Malicious Library UPX PE File PE32 CAB VirusTotal Malware unpack itself AntiVM_Disk VM Disk Size Check Remote Code Execution crashed |
|
|
|
|
2.0 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8186 |
2023-09-27 16:26
|
 Hu.pdf 59f3ad81657e7bf282b2f89f6f238185
PDF Suspicious Link PDF |
1
https://themarijuanashow.com/uiu/
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8187 |
2023-09-27 14:42
|
 ff2177c078dfed4b10a0214acefabf... 4df9fa7cef7bd7e19456e219b135ae69
Malicious Library UPX .NET framework(MSIL) Socket ScreenShot Steal credential DNS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Browser RisePro Email ComputerName DNS |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81)
db-ip.com(172.67.75.166)
104.26.5.15
34.117.59.81
95.214.25.235
|
6
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
|
|
14.8 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8188 |
2023-09-27 14:25
|
GXQ.pdf.lnk a86dd3a01720be4344548792139aa419
Generic Malware AntiDebug AntiVM Lnk Format GIF Format Malware Code Injection Malicious Traffic Creates shortcut unpack itself suspicious process WriteConsoleW DNS crashed |
1
http://95.164.17.59/ZIbr7/lM
|
1
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
4.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8189 |
2023-09-27 14:25
|
UTA.pdf.lnk 1bce56d959ee53f48cc0cced5acbfa2c
Generic Malware AntiDebug AntiVM Lnk Format GIF Format Malware Code Injection Malicious Traffic Check memory Creates shortcut unpack itself suspicious process WriteConsoleW DNS crashed |
1
http://135.125.177.95/syK/2
|
1
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
4.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8190 |
2023-09-27 14:24
|
OT.pdf.lnk 220870fa38f822a0403218114a08b31d
Generic Malware AntiDebug AntiVM Lnk Format GIF Format Code Injection Creates shortcut ICMP traffic suspicious process WriteConsoleW DNS |
1
http://135.125.177.82/UMYApd4/uD
|
1
135.125.177.82 - mailcious
|
|
|
4.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|