| 8251 |
2023-09-26 09:28
|
5vy.lnk.lnk 86b6cf70293cde65ebf86dce611acd51
Generic Malware AntiDebug AntiVM GIF Format Lnk Format VirusTotal Malware Code Injection Malicious Traffic Creates shortcut unpack itself suspicious process WriteConsoleW DNS |
1
http://88.119.175.245/WNJD1/5vy
|
1
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
4.2 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8252 |
2023-09-26 09:23
|
 Jv.xll f7a95d9853bbf73d695908480fa3ace2
PE File DLL PE64 |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8253 |
2023-09-26 07:31
|
 setup.exe c5d41d92dac11a02d31cc73c5f450fa5
Malicious Library PE File PE32 VirusTotal Malware WMI Creates executable files RWX flags setting Checks Bios anti-virtualization ComputerName |
|
|
|
|
4.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8254 |
2023-09-25 18:38
|
 saddsd.exe e9bbf60a02ceb5cbb6b712c1f0d18f2b
Generic Malware Anti_VM AntiDebug AntiVM PE File PE32 icon Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VMWare Check virtual network interfaces WriteConsoleW VMware anti-virtualization installed browsers check Windows Browser Firmware Cryptographic key crashed |
|
|
|
|
14.6 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8255 |
2023-09-25 18:15
|
passw1234.7z 4a757eead2734a30ba2a1dfd95c3ca7f
PrivateLoader Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord RisePro Trojan DNS Downloader |
57
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://171.22.28.208/download/WWW14_64.exe - rule_id: 36692
http://ji.alie3ksgbb.com/m/esgla2i5.exe - rule_id: 36693
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://168.119.168.251/5c0b4a12d6c03dd98ed431d3eded2169
http://christopherantonio.top/calc2.exe - rule_id: 36694
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://45.9.74.80/super.exe - rule_id: 36063
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://fc.ftimedica.com/netTime.exe - rule_id: 36695
http://168.119.168.251/data.zip
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://bryanzachary.top/e9c345fc99a4e67e.php - rule_id: 36633
http://45.9.74.80/harbar.exe - rule_id: 36698
http://168.119.168.251/
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://171.22.28.208/download/Services.exe - rule_id: 36699
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
https://sun6-22.userapi.com/c909518/u52355237/docs/d51/adbcd4335d91/d22.bmp?extra=I9Zc-eSFjb7aniypOgKiQRv4636nhweyUT9QKpOFw7kimiw2amz8iPNPZCEGzYVz6BHk9DaB7QwiNnx_cQT_AzlsGCHoLunNSLxa9_vpSu9ggyaoAmjzXznq9mGQpqfYDNGbSYXtHaL7QCGa
https://sun6-20.userapi.com/c909628/u52355237/docs/d26/3173b23b4e4e/setup.bmp?extra=VVPCXTaaKAzMHZJC5rnpXH1YWnS7xAjFbRWDFPhm2AawSriV5gL_VHTHjYu16umoAOyuhw9lfHxMhxZynVMHsCNR9XHh9CTYfxNkSlfIIRPfs9BOiSpW3GtLlh-7U7fJ7HlYYrTDJreTQaQz
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc52355237_666080029?hash=iTgT5jRzVMuMfOipzzdh910Z1eVS2zyNCF1bGoAh0jD&dl=CRGRTXz6mennztuXX6PP2YdwrEitcpcqd8JYyhjt3gs&api=1&no_preview=1#acotr
https://sun6-21.userapi.com/c909328/u52355237/docs/d26/505533e1a303/Bot_Clien.bmp?extra=JRdCEMD1afNdUe2eq1tHKSkWAMPzvkV15kDEjPRy0M4SufT2M90zqE9lbWESswe3EttFy0FBJiL6OgfwMoan2s_07uHL7-8fISw2lgvZ8Jsi-psDZZ0gzfdbD12jr1p-dYl6K4_2enKRNDMw
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://sun6-22.userapi.com/c909228/u52355237/docs/d20/209e889de692/asca1ex.bmp?extra=Y3tHdAvxzFOEpXvEASstlcPFyrUQZW0W1S9R5_nGZbND-ilqrFXOLQgCfGmCdD7wSdYCMGcRr-3h-eKElnZc4tIkiU7j_yF0UAxYdmm6sjjed2R_PSOE7lPSyMomaQjuZFXlwLs7j8TYv40p
https://vk.com/doc52355237_666136580?hash=J0ZSTJENbiReaX4ZPq5xWfmYW8FoV0xrQipVUC8lOoP&dl=kqjwZYr82vmrlMe5ySJIAnl5X3Qhnzh8T4p6Ejv1b3o&api=1&no_preview=1#utube
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9uU3hAcIImpB%2FyOM1RYeQAPmMF5nVaTTMSzoMMepXyY%3D&spr=https&se=2023-09-26T09%3A35%3A48Z&rscl=x-e2eid-d4e1fe69-3af64970-a728748c-c9623b63-session-7139f5f0-a7b24e70-996ecbe3-744f6c2c
https://api.ip.sb/ip
https://preconcert.pw/setup294.exe - rule_id: 36162
https://vk.com/doc52355237_665981002?hash=5dlf3DheCq3ZynwxfclKIYSMaBUrqVsiNEQbz1ZBeez&dl=qhGcA2zWn1OHnSTesbATZlb3MbAcGMzKaqeVHxmyiH8&api=1&no_preview=1#rise
https://sun6-23.userapi.com/c235131/u52355237/docs/d25/4b77b3faf410/crypted.bmp?extra=pLE6g0sVj5JzSBjFx8m0PCdIi2mz30mXNfbSsZf9HKk0VIHCoqiKcGBDgi2RzV4Jds8sDjVanxDVFZ9gF4M3zB-npb6kbrVSWsfbKhYCL8SRbYR--u3kEeU4AiH6X8-WCXcvlrkIAaRSAyrm
https://api.myip.com/
https://sun6-22.userapi.com/c909218/u52355237/docs/d17/930f6551e240/red.bmp?extra=xpErrkZKyuhqhXmlpWGPYaOkV8KZk6uf2bZssDtVOaX07u-jnXlDzv7eQ9GgRp9jAKadofx0Aeym6WdKQVyqryj-ZhCNJEn0eT40XbVRZjtBfc5ULd-vAzbPnMW0pxdanSM8aNUihsyhOr2b
https://msdl.microsoft.com/download/symbols/index2.txt
https://vk.com/doc52355237_666116297?hash=lkXB46dcuKnkqGORfsFX2uL9WMbBX0UD71NmU7WScHL&dl=7YSPaysZzeHccUchdso6vzlhfWpyPGmhyN2t8dJd6n0&api=1&no_preview=1#1
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://cdn.discordapp.com/attachments/1041078464591188050/1153365784878387221/saddsd.exe
https://dzen.ru/?yredirect=true
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=jC%2FHchUGnoKnU%2F7Npr4bk0dZ3HPncEmJsdp3usAJOn0%3D&spr=https&se=2023-09-26T09%3A12%3A03Z&rscl=x-e2eid-e3031299-e353446c-bc6e4fc6-5ba8d6ce-session-cc5d13a5-463b4458-90a3ae06-41a13aa1
https://steamcommunity.com/profiles/76561199553369541
https://sun6-20.userapi.com/c240331/u52355237/docs/d58/c399ba8d11ad/GoodJOB_anketa.bmp?extra=RdKlzPD-Tnc08TwIXUdpKhcJsVLF_czyQ7deLMXMZCuYsEn1hsNWwunUZllu4Y3s8XrVQr_RxVeK9Mix6bp1dEklNqx1x55vXRxuwY-W0dazgHige4BWFMNMsNYicyz81h8L4TvM4NA6te2l
https://sun6-21.userapi.com/c909628/u52355237/docs/d56/defde5a29b85/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=NLpT1E-ZXvEFBDSUkHGwYeAn3gufe8JRwAvvU3jpPTPHDkn3Lz0EVO2efphrJLAfrEcqcbeeA_vHPpFV5lLGRZGHx-hm6MmAOrZPB0NpBYG4F35GQNq4otRfdvJxn1jZBJmULgiLE0v7Hk1m
https://vk.com/doc52355237_666108395?hash=jawOiYjXlHzPa18QU35xZPZzBykkkdDodQ7clEr5tKc&dl=p4xlxA2NNutBGc4VBe6MR2ujxECosZT0MnzX27IuYrL&api=1&no_preview=1#1ss
https://sun6-23.userapi.com/c240331/u52355237/docs/d18/eb9207621794/PL_Client.bmp?extra=WCp76kj9ADZ52pgXZrxmINBn800eDzXuEyMTNu2TTZuW3RQud9kFeoOvcj05sKd4wAv5ZUQOTZea23LsMRB9EsiN4I9XiHzR-y4hcz1C_cGJZO6t2w-t4FEeFGXY6cQA_9Mkwu3cNH-lLgAP
https://vk.com/doc52355237_666121482?hash=X7tYzzwdbYpoS3dmjILbhm0NM5SnR8w3HGGZg0cxP38&dl=0lfx33sT3g4TXZpfUQvZAsiUf6cD0lndtNWZ1RI4aC8&api=1&no_preview=1#maff
https://sso.passport.yandex.ru/push?uuid=9917910e-fa55-45f9-ae62-b11c46ebc15c&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-21.userapi.com/c909518/u52355237/docs/d51/0f66b27eb25f/test22009.bmp?extra=NAVrHi9JKZutyNsJXGGmO9lYfVsk3c8KKwtn3c-jFfhm7LrHxTsETt8lwMMt9o0aMrTXLT8vB9ZgNp5Hq2kYs6aIoTtSbaHezLZKM183aDcqjU-YVj6-fD3rYys3vU6zSKS9bUAdpz7lJULa
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://neuralshit.net/0c481f030a905c2be1d7c0eb6af97e6a/7725eaa6592c80f8124e769b4e8a07f7.exe
https://sun6-23.userapi.com/c909518/u52355237/docs/d47/9a58548d2219/328dj2afg.bmp?extra=P64PHSwDyVag1P8zJe1CsvJSpZzkgl0vFOicryxY6m4H0Tz8jezzPOu0pctLVqeIZYcMRW0IHtuaVjDPRSlT5REafSnK2XRDsiRf7R-EzcRQ1pwDNRALhrrffOLuhi0fyYOcjUQQcezyATjV
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
|
104
neuralshit.net(104.21.6.10) - malware
db-ip.com(104.26.4.15)
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
wahaaudit.ps(213.6.54.58) - malware
sun6-23.userapi.com(95.142.206.3)
mastertryprice.com(172.67.212.103)
dzen.ru(62.217.160.2)
preconcert.pw(172.67.197.101) - malware
api.2ip.ua(162.0.217.254)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
z.nnnaajjjgc.com(156.236.72.121) - malware
twitter.com(104.244.42.65)
msdl.microsoft.com(204.79.197.219)
telegram.org(149.154.167.99)
cdn.discordapp.com(162.159.130.233) - malware
christopherantonio.top(46.173.215.72) - malware
api.db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
230404015907217.ism.wity21.info()
yandex.ru(77.88.55.88)
vsblobprodscussu5shard58.blob.core.windows.net(20.150.79.68)
api.ip.sb(172.67.75.172)
sun6-20.userapi.com(95.142.206.0) - mailcious
ji.alie3ksgbb.com(172.67.200.102) - mailcious
iplogger.com(148.251.234.93) - mailcious
zexeq.com(37.34.248.24) - malware
octocrabs.com(104.21.21.189) - mailcious
vsblobprodscussu5shard10.blob.core.windows.net(20.150.79.68)
colisumy.com(210.182.29.70) - malware
ce29437f-e56b-4507-97fe-18e71b8df8a3.uuid.окрф.рф()
bryanzachary.top(46.173.215.72) - mailcious
iplis.ru(148.251.234.93) - mailcious
hugersi.com(91.215.85.147) - malware
server9.xn--j1ahhq.xn--p1ai(185.82.216.48)
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.18.145.235)
vk.com(93.186.225.194) - mailcious
stun.sipgate.net(69.194.172.73)
api.myip.com(172.67.75.163)
fc.ftimedica.com(45.130.231.6) - malware
146.59.10.173
194.169.175.128 - mailcious
104.18.145.235
182.162.106.33 - malware
93.186.225.194 - mailcious
172.67.197.101
45.130.231.6 - malware
148.251.234.93 - mailcious
204.79.197.219
91.215.85.147 - malware
20.150.70.36
104.244.42.1 - suspicious
62.217.160.2
208.67.104.60 - mailcious
5.255.255.70
172.67.200.102
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
213.6.54.58 - malware
172.67.75.163
37.34.248.24 - malware
171.22.28.208 - malware
23.67.53.17
172.67.212.103
46.173.215.72 - mailcious
171.22.28.222 - malware
20.150.79.68
162.0.217.254
172.67.200.10 - mailcious
148.251.234.83
104.26.8.59
104.21.6.10 - malware
104.21.90.117 - malware
213.180.204.24
104.75.41.21 - mailcious
194.55.224.41 - malware
77.232.38.234 - mailcious
34.117.59.81
45.9.74.80 - malware
194.169.175.232 - malware
176.123.9.142 - mailcious
69.194.172.73
94.142.138.113 - mailcious
168.119.168.251
185.225.73.32 - mailcious
104.26.9.59
156.236.72.121 - mailcious
45.15.156.229 - mailcious
172.67.75.172 - mailcious
162.159.129.233 - malware
104.26.4.15
87.240.137.164 - mailcious
95.142.206.3
95.142.206.2
211.119.84.111 - malware
95.142.206.0 - mailcious
185.82.216.48
31.41.244.27 - mailcious
77.91.68.239 - malware
95.142.206.1 - mailcious
|
50
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
|
21
http://hugersi.com/dl/6523.exe
http://171.22.28.208/download/WWW14_64.exe
http://ji.alie3ksgbb.com/m/esgla2i5.exe
http://zexeq.com/test2/get.php
http://christopherantonio.top/calc2.exe
http://45.15.156.229/api/firegate.php
http://colisumy.com/dl/build2.exe
http://45.9.74.80/super.exe
http://45.15.156.229/api/tracemap.php
http://fc.ftimedica.com/netTime.exe
http://zexeq.com/files/1/build3.exe
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://bryanzachary.top/e9c345fc99a4e67e.php
http://45.9.74.80/harbar.exe
http://193.42.32.118/api/tracemap.php
http://171.22.28.208/download/Services.exe
http://94.142.138.113/api/firegate.php
http://193.42.32.118/api/firecom.php
https://preconcert.pw/setup294.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
6.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8256 |
2023-09-25 17:13
|
 conhost.exe c853a830fa2530a233e4a1eaf84b4273
Malicious Library UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed |
|
|
|
|
2.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8257 |
2023-09-25 17:11
|
 docdimt20230925.exe d151945da40824dc4231b193fe65b4fc
PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
13.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8258 |
2023-09-25 17:10
|
 docutc20230925.exe aa9dd2c152d86d81236ad564d3c2a078
Malicious Library UPX Malicious Packer PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
5
softwarez.online() - mailcious
mail.royalcheckout.store(179.43.183.46) - mailcious
api.ipify.org(104.237.62.212)
179.43.183.46 - mailcious
173.231.16.77
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
14.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8259 |
2023-09-25 17:09
|
 dochus20230925.exe 363044c48c8d035c08cddcdb22bb0838
PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(104.237.62.212)
mail.product-secured.com(179.43.183.46) - mailcious
179.43.183.46 - mailcious
104.237.62.212
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
15.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8260 |
2023-09-25 17:07
|
 docdad20230925.exe a2144ec73f793ed49255c96839a7a1f6
PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
4
ftp.product-secured.com(179.43.183.46) - mailcious
checkip.dyndns.org(193.122.130.0)
132.226.8.169
179.43.183.46 - mailcious
|
4
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
SURICATA Applayer Detect protocol only one direction
|
|
17.0 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8261 |
2023-09-25 17:07
|
 saham.apk 2678ce7e43d9ef7dd7e06d5feeea532e
ZIP Format VirusTotal Malware |
|
|
|
|
0.6 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8262 |
2023-09-25 17:05
|
 docrw20230925.exe be1b63ef6abc588245cdf4f346b26154
Malicious Library UPX Malicious Packer .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
8
softwarez.online() - mailcious
ftp.royalcheckout.store(179.43.183.46)
api.ipify.org(104.237.62.212)
mail.royalcheckout.store(179.43.183.46) - mailcious
checkip.dyndns.org(158.101.44.242)
179.43.183.46 - mailcious
64.185.227.156
193.122.130.0
|
8
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
|
|
16.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8263 |
2023-09-25 17:05
|
 docjhny20230925.exe eaf2b6671ec5dded98f2a7fe6aa603c7
Malicious Library UPX Malicious Packer PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
5
softwarez.online() - mailcious
mail.royalcheckout.store(179.43.183.46) - mailcious
api.ipify.org(104.237.62.212)
179.43.183.46 - mailcious
64.185.227.156
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
14.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8264 |
2023-09-25 17:03
|
 docnic20230925.exe 010ef94907f5876e46be0ed87689fde9
Malicious Library UPX PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
5
softwarez.online() - mailcious
mail.royalcheckout.store(179.43.183.46) - mailcious
api.ipify.org(104.237.62.212)
179.43.183.46 - mailcious
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8265 |
2023-09-25 17:02
|
 app.apk ec39111f60fb5de68e7efeefdada41ee
ZIP Format VirusTotal Malware |
|
|
|
|
0.8 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|