8251 | 2023-09-26 09:28 |
5vy.lnk.lnk 86b6cf70293cde65ebf86dce611acd51 Generic Malware AntiDebug AntiVM GIF Format Lnk Format VirusTotal Malware Code Injection Malicious Traffic Creates shortcut unpack itself suspicious process WriteConsoleW DNS |
1 | http://88.119.175.245/WNJD1/5vy
1 |
2 | ET POLICY curl User-Agent Outbound ET HUNTING curl User-Agent to Dotted Quad
4.2 | 7 | ZeroCERT

8252 | 2023-09-26 09:23 |
Jv.xll f7a95d9853bbf73d695908480fa3ace2 PE File DLL PE64 |
ZeroCERT

8253 | 2023-09-26 07:31 |
setup.exe c5d41d92dac11a02d31cc73c5f450fa5 Malicious Library PE File PE32 VirusTotal Malware WMI Creates executable files RWX flags setting Checks Bios anti-virtualization ComputerName |
4.0 | M | 30 | ZeroCERT

8254 | 2023-09-25 18:38 |
saddsd.exe e9bbf60a02ceb5cbb6b712c1f0d18f2b Generic Malware Anti_VM AntiDebug AntiVM PE File PE32 icon Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VMWare Check virtual network interfaces WriteConsoleW VMware anti-virtualization installed browsers check Windows Browser Firmware Cryptographic key crashed |
14.6 | 45 | ZeroCERT

8255 | 2023-09-25 18:15 |
passw1234.7z 4a757eead2734a30ba2a1dfd95c3ca7f PrivateLoader Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord RisePro Trojan DNS Downloader |
57 |
http://hugersi.com/dl/6523.exe - rule_id: 32660 http://171.22.28.208/download/WWW14_64.exe - rule_id: 36692 http://ji.alie3ksgbb.com/m/esgla2i5.exe - rule_id: 36693 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://168.119.168.251/5c0b4a12d6c03dd98ed431d3eded2169 http://christopherantonio.top/calc2.exe - rule_id: 36694 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://colisumy.com/dl/build2.exe - rule_id: 31026 http://45.9.74.80/super.exe - rule_id: 36063 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://fc.ftimedica.com/netTime.exe - rule_id: 36695 http://168.119.168.251/data.zip http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://bryanzachary.top/e9c345fc99a4e67e.php - rule_id: 36633 http://45.9.74.80/harbar.exe - rule_id: 36698 http://168.119.168.251/ http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://171.22.28.208/download/Services.exe - rule_id: 36699 http://94.142.138.113/api/firegate.php - rule_id: 36152 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://apps.identrust.com/roots/dstrootcax3.p7c http://www.maxmind.com/geoip/v2.1/city/me https://sun6-22.userapi.com/c909518/u52355237/docs/d51/adbcd4335d91/d22.bmp?extra=I9Zc-eSFjb7aniypOgKiQRv4636nhweyUT9QKpOFw7kimiw2amz8iPNPZCEGzYVz6BHk9DaB7QwiNnx_cQT_AzlsGCHoLunNSLxa9_vpSu9ggyaoAmjzXznq9mGQpqfYDNGbSYXtHaL7QCGa https://sun6-20.userapi.com/c909628/u52355237/docs/d26/3173b23b4e4e/setup.bmp?extra=VVPCXTaaKAzMHZJC5rnpXH1YWnS7xAjFbRWDFPhm2AawSriV5gL_VHTHjYu16umoAOyuhw9lfHxMhxZynVMHsCNR9XHh9CTYfxNkSlfIIRPfs9BOiSpW3GtLlh-7U7fJ7HlYYrTDJreTQaQz https://db-ip.com/demo/home.php?s=175.208.134.152 https://vk.com/doc52355237_666080029?hash=iTgT5jRzVMuMfOipzzdh910Z1eVS2zyNCF1bGoAh0jD&dl=CRGRTXz6mennztuXX6PP2YdwrEitcpcqd8JYyhjt3gs&api=1&no_preview=1#acotr 
https://sun6-21.userapi.com/c909328/u52355237/docs/d26/505533e1a303/Bot_Clien.bmp?extra=JRdCEMD1afNdUe2eq1tHKSkWAMPzvkV15kDEjPRy0M4SufT2M90zqE9lbWESswe3EttFy0FBJiL6OgfwMoan2s_07uHL7-8fISw2lgvZ8Jsi-psDZZ0gzfdbD12jr1p-dYl6K4_2enKRNDMw https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb https://sun6-22.userapi.com/c909228/u52355237/docs/d20/209e889de692/asca1ex.bmp?extra=Y3tHdAvxzFOEpXvEASstlcPFyrUQZW0W1S9R5_nGZbND-ilqrFXOLQgCfGmCdD7wSdYCMGcRr-3h-eKElnZc4tIkiU7j_yF0UAxYdmm6sjjed2R_PSOE7lPSyMomaQjuZFXlwLs7j8TYv40p https://vk.com/doc52355237_666136580?hash=J0ZSTJENbiReaX4ZPq5xWfmYW8FoV0xrQipVUC8lOoP&dl=kqjwZYr82vmrlMe5ySJIAnl5X3Qhnzh8T4p6Ejv1b3o&api=1&no_preview=1#utube https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9uU3hAcIImpB%2FyOM1RYeQAPmMF5nVaTTMSzoMMepXyY%3D&spr=https&se=2023-09-26T09%3A35%3A48Z&rscl=x-e2eid-d4e1fe69-3af64970-a728748c-c9623b63-session-7139f5f0-a7b24e70-996ecbe3-744f6c2c https://api.ip.sb/ip https://preconcert.pw/setup294.exe - rule_id: 36162 https://vk.com/doc52355237_665981002?hash=5dlf3DheCq3ZynwxfclKIYSMaBUrqVsiNEQbz1ZBeez&dl=qhGcA2zWn1OHnSTesbATZlb3MbAcGMzKaqeVHxmyiH8&api=1&no_preview=1#rise https://sun6-23.userapi.com/c235131/u52355237/docs/d25/4b77b3faf410/crypted.bmp?extra=pLE6g0sVj5JzSBjFx8m0PCdIi2mz30mXNfbSsZf9HKk0VIHCoqiKcGBDgi2RzV4Jds8sDjVanxDVFZ9gF4M3zB-npb6kbrVSWsfbKhYCL8SRbYR--u3kEeU4AiH6X8-WCXcvlrkIAaRSAyrm https://api.myip.com/ https://sun6-22.userapi.com/c909218/u52355237/docs/d17/930f6551e240/red.bmp?extra=xpErrkZKyuhqhXmlpWGPYaOkV8KZk6uf2bZssDtVOaX07u-jnXlDzv7eQ9GgRp9jAKadofx0Aeym6WdKQVyqryj-ZhCNJEn0eT40XbVRZjtBfc5ULd-vAzbPnMW0pxdanSM8aNUihsyhOr2b https://msdl.microsoft.com/download/symbols/index2.txt 
https://vk.com/doc52355237_666116297?hash=lkXB46dcuKnkqGORfsFX2uL9WMbBX0UD71NmU7WScHL&dl=7YSPaysZzeHccUchdso6vzlhfWpyPGmhyN2t8dJd6n0&api=1&no_preview=1#1 https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb https://cdn.discordapp.com/attachments/1041078464591188050/1153365784878387221/saddsd.exe https://dzen.ru/?yredirect=true https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=jC%2FHchUGnoKnU%2F7Npr4bk0dZ3HPncEmJsdp3usAJOn0%3D&spr=https&se=2023-09-26T09%3A12%3A03Z&rscl=x-e2eid-e3031299-e353446c-bc6e4fc6-5ba8d6ce-session-cc5d13a5-463b4458-90a3ae06-41a13aa1 https://steamcommunity.com/profiles/76561199553369541 https://sun6-20.userapi.com/c240331/u52355237/docs/d58/c399ba8d11ad/GoodJOB_anketa.bmp?extra=RdKlzPD-Tnc08TwIXUdpKhcJsVLF_czyQ7deLMXMZCuYsEn1hsNWwunUZllu4Y3s8XrVQr_RxVeK9Mix6bp1dEklNqx1x55vXRxuwY-W0dazgHige4BWFMNMsNYicyz81h8L4TvM4NA6te2l https://sun6-21.userapi.com/c909628/u52355237/docs/d56/defde5a29b85/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=NLpT1E-ZXvEFBDSUkHGwYeAn3gufe8JRwAvvU3jpPTPHDkn3Lz0EVO2efphrJLAfrEcqcbeeA_vHPpFV5lLGRZGHx-hm6MmAOrZPB0NpBYG4F35GQNq4otRfdvJxn1jZBJmULgiLE0v7Hk1m https://vk.com/doc52355237_666108395?hash=jawOiYjXlHzPa18QU35xZPZzBykkkdDodQ7clEr5tKc&dl=p4xlxA2NNutBGc4VBe6MR2ujxECosZT0MnzX27IuYrL&api=1&no_preview=1#1ss https://sun6-23.userapi.com/c240331/u52355237/docs/d18/eb9207621794/PL_Client.bmp?extra=WCp76kj9ADZ52pgXZrxmINBn800eDzXuEyMTNu2TTZuW3RQud9kFeoOvcj05sKd4wAv5ZUQOTZea23LsMRB9EsiN4I9XiHzR-y4hcz1C_cGJZO6t2w-t4FEeFGXY6cQA_9Mkwu3cNH-lLgAP https://vk.com/doc52355237_666121482?hash=X7tYzzwdbYpoS3dmjILbhm0NM5SnR8w3HGGZg0cxP38&dl=0lfx33sT3g4TXZpfUQvZAsiUf6cD0lndtNWZ1RI4aC8&api=1&no_preview=1#maff https://sso.passport.yandex.ru/push?uuid=9917910e-fa55-45f9-ae62-b11c46ebc15c&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue 
https://sun6-21.userapi.com/c909518/u52355237/docs/d51/0f66b27eb25f/test22009.bmp?extra=NAVrHi9JKZutyNsJXGGmO9lYfVsk3c8KKwtn3c-jFfhm7LrHxTsETt8lwMMt9o0aMrTXLT8vB9ZgNp5Hq2kYs6aIoTtSbaHezLZKM183aDcqjU-YVj6-fD3rYys3vU6zSKS9bUAdpz7lJULa https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://neuralshit.net/0c481f030a905c2be1d7c0eb6af97e6a/7725eaa6592c80f8124e769b4e8a07f7.exe https://sun6-23.userapi.com/c909518/u52355237/docs/d47/9a58548d2219/328dj2afg.bmp?extra=P64PHSwDyVag1P8zJe1CsvJSpZzkgl0vFOicryxY6m4H0Tz8jezzPOu0pctLVqeIZYcMRW0IHtuaVjDPRSlT5REafSnK2XRDsiRf7R-EzcRQ1pwDNRALhrrffOLuhi0fyYOcjUQQcezyATjV https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
104 |
neuralshit.net(104.21.6.10) - malware db-ip.com(104.26.4.15) t.me(149.154.167.99) - mailcious ipinfo.io(34.117.59.81) wahaaudit.ps(213.6.54.58) - malware sun6-23.userapi.com(95.142.206.3) mastertryprice.com(172.67.212.103) dzen.ru(62.217.160.2) preconcert.pw(172.67.197.101) - malware api.2ip.ua(162.0.217.254) steamcommunity.com(104.75.41.21) - mailcious iplogger.org(148.251.234.83) - mailcious z.nnnaajjjgc.com(156.236.72.121) - malware twitter.com(104.244.42.65) msdl.microsoft.com(204.79.197.219) telegram.org(149.154.167.99) cdn.discordapp.com(162.159.130.233) - malware christopherantonio.top(46.173.215.72) - malware api.db-ip.com(104.26.5.15) sun6-21.userapi.com(95.142.206.1) - mailcious sso.passport.yandex.ru(213.180.204.24) 230404015907217.ism.wity21.info() yandex.ru(77.88.55.88) vsblobprodscussu5shard58.blob.core.windows.net(20.150.79.68) api.ip.sb(172.67.75.172) sun6-20.userapi.com(95.142.206.0) - mailcious ji.alie3ksgbb.com(172.67.200.102) - mailcious iplogger.com(148.251.234.93) - mailcious zexeq.com(37.34.248.24) - malware octocrabs.com(104.21.21.189) - mailcious vsblobprodscussu5shard10.blob.core.windows.net(20.150.79.68) colisumy.com(210.182.29.70) - malware ce29437f-e56b-4507-97fe-18e71b8df8a3.uuid.окрф.рф() bryanzachary.top(46.173.215.72) - mailcious iplis.ru(148.251.234.93) - mailcious hugersi.com(91.215.85.147) - malware server9.xn--j1ahhq.xn--p1ai(185.82.216.48) sun6-22.userapi.com(95.142.206.2) www.maxmind.com(104.18.145.235) vk.com(93.186.225.194) - mailcious stun.sipgate.net(69.194.172.73) api.myip.com(172.67.75.163) fc.ftimedica.com(45.130.231.6) - malware 146.59.10.173 194.169.175.128 - mailcious 104.18.145.235 182.162.106.33 - malware 93.186.225.194 - mailcious 172.67.197.101 45.130.231.6 - malware 148.251.234.93 - mailcious 204.79.197.219 91.215.85.147 - malware 20.150.70.36 104.244.42.1 - suspicious 62.217.160.2 208.67.104.60 - mailcious 5.255.255.70 172.67.200.102 149.154.167.99 - mailcious 193.42.32.118 - mailcious 172.67.75.166 213.6.54.58 
- malware 172.67.75.163 37.34.248.24 - malware 171.22.28.208 - malware 23.67.53.17 172.67.212.103 46.173.215.72 - mailcious 171.22.28.222 - malware 20.150.79.68 162.0.217.254 172.67.200.10 - mailcious 148.251.234.83 104.26.8.59 104.21.6.10 - malware 104.21.90.117 - malware 213.180.204.24 104.75.41.21 - mailcious 194.55.224.41 - malware 77.232.38.234 - mailcious 34.117.59.81 45.9.74.80 - malware 194.169.175.232 - malware 176.123.9.142 - mailcious 69.194.172.73 94.142.138.113 - mailcious 168.119.168.251 185.225.73.32 - mailcious 104.26.9.59 156.236.72.121 - mailcious 45.15.156.229 - mailcious 172.67.75.172 - mailcious 162.159.129.233 - malware 104.26.4.15 87.240.137.164 - mailcious 95.142.206.3 95.142.206.2 211.119.84.111 - malware 95.142.206.0 - mailcious 185.82.216.48 31.41.244.27 - mailcious 77.91.68.239 - malware 95.142.206.1 - mailcious
50 |
SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DNS Query to a *.pw domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING Suspicious services.exe in URI ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET USER_AGENTS 
Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO Dotted Quad Host ZIP Request ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
21 |
http://hugersi.com/dl/6523.exe http://171.22.28.208/download/WWW14_64.exe http://ji.alie3ksgbb.com/m/esgla2i5.exe http://zexeq.com/test2/get.php http://christopherantonio.top/calc2.exe http://45.15.156.229/api/firegate.php http://colisumy.com/dl/build2.exe http://45.9.74.80/super.exe http://45.15.156.229/api/tracemap.php http://fc.ftimedica.com/netTime.exe http://zexeq.com/files/1/build3.exe http://94.142.138.113/api/tracemap.php http://193.42.32.118/api/firegate.php http://bryanzachary.top/e9c345fc99a4e67e.php http://45.9.74.80/harbar.exe http://193.42.32.118/api/tracemap.php http://171.22.28.208/download/Services.exe http://94.142.138.113/api/firegate.php http://193.42.32.118/api/firecom.php https://preconcert.pw/setup294.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
6.8 | M | ZeroCERT

8256 | 2023-09-25 17:13 |
conhost.exe c853a830fa2530a233e4a1eaf84b4273 Malicious Library UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed |
2.4 | M | 45 | ZeroCERT

8257 | 2023-09-25 17:11 |
docdimt20230925.exe d151945da40824dc4231b193fe65b4fc PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
13.6 | ZeroCERT

8258 | 2023-09-25 17:10 |
docutc20230925.exe aa9dd2c152d86d81236ad564d3c2a078 Malicious Library UPX Malicious Packer PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
5 |
softwarez.online() - mailcious mail.royalcheckout.store(179.43.183.46) - mailcious api.ipify.org(104.237.62.212) 179.43.183.46 - mailcious 173.231.16.77
5 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
14.6 | M | ZeroCERT

8259 | 2023-09-25 17:09 |
dochus20230925.exe 363044c48c8d035c08cddcdb22bb0838 PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
4 |
api.ipify.org(104.237.62.212) mail.product-secured.com(179.43.183.46) - mailcious 179.43.183.46 - mailcious 104.237.62.212
5 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
15.0 | ZeroCERT

8260 | 2023-09-25 17:07 |
docdad20230925.exe a2144ec73f793ed49255c96839a7a1f6 PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1 | http://checkip.dyndns.org/
4 |
ftp.product-secured.com(179.43.183.46) - mailcious checkip.dyndns.org(193.122.130.0) 132.226.8.169 179.43.183.46 - mailcious
4 |
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check SURICATA Applayer Detect protocol only one direction
17.0 | 41 | ZeroCERT

8261 | 2023-09-25 17:07 |
saham.apk 2678ce7e43d9ef7dd7e06d5feeea532e ZIP Format VirusTotal Malware |
0.6 | M | 14 | ZeroCERT

8262 | 2023-09-25 17:05 |
docrw20230925.exe be1b63ef6abc588245cdf4f346b26154 Malicious Library UPX Malicious Packer .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1 | http://checkip.dyndns.org/
8 |
softwarez.online() - mailcious ftp.royalcheckout.store(179.43.183.46) api.ipify.org(104.237.62.212) mail.royalcheckout.store(179.43.183.46) - mailcious checkip.dyndns.org(158.101.44.242) 179.43.183.46 - mailcious 64.185.227.156 193.122.130.0
8 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
16.6 | M | ZeroCERT

8263 | 2023-09-25 17:05 |
docjhny20230925.exe eaf2b6671ec5dded98f2a7fe6aa603c7 Malicious Library UPX Malicious Packer PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
5 |
softwarez.online() - mailcious mail.royalcheckout.store(179.43.183.46) - mailcious api.ipify.org(104.237.62.212) 179.43.183.46 - mailcious 64.185.227.156
5 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
14.6 | M | ZeroCERT

8264 | 2023-09-25 17:03 |
docnic20230925.exe 010ef94907f5876e46be0ed87689fde9 Malicious Library UPX PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
5 |
softwarez.online() - mailcious mail.royalcheckout.store(179.43.183.46) - mailcious api.ipify.org(104.237.62.212) 179.43.183.46 - mailcious 64.185.227.156
4 |
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | ZeroCERT

8265 | 2023-09-25 17:02 |
app.apk ec39111f60fb5de68e7efeefdada41ee ZIP Format VirusTotal Malware |
0.8 | M | 20 | ZeroCERT