8281 |
2023-12-21 17:09
|
file.rar 6b0f8a62bc4fec439739c021445942f5 Stealc Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Open Directory Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Exploit RisePro DNS |
52
|
62
|
35
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Rejetto HTTP File Sever Response
ET INFO Packed Executable Download
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE Redline Stealer Family Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
5
http://5.42.64.41/40d570f44e84a454.php
http://195.20.16.45/api/tracemap.php
http://zen.topteamlife.com/order/adobe.exe
http://zexeq.com/test2/get.php
http://5.42.64.35/timeSync.exe
|
5.2 |
M |
|
guest
8282 |
2023-12-21 08:06
|
Pcpkjc.exe 25bbcd3deb0ac8de0822a74f9d91b989 Hide_EXE AntiDebug AntiVM PE File PE64 .NET EXE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
6.6 |
M |
|
ZeroCERT
8283 |
2023-12-21 08:03
|
spfasiazx.exe aba50ae31c5df3ea0c2394c93d423afe Formbook PE32 PE File .NET EXE PDB Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
1.6 |
M |
|
ZeroCERT
8284 |
2023-12-21 08:01
|
alphazx.exe 1938e1ce8ff0107d18ae1972302d0060 Formbook PE32 PE File .NET EXE PDB Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
3.6 |
|
|
ZeroCERT
8285 |
2023-12-21 08:01
|
Mhgskyufhic.exe e5d75255dac28cd11b130b6471b258ee Hide_EXE UPX PE File PE64 OS Processor Check Check memory Checks debugger unpack itself |
|
|
|
|
1.2 |
|
|
ZeroCERT
8286 |
2023-12-21 07:59
|
Microsoftdigitalwallettechnolo... f306b23f34ca0c9d62c74d45f399d21a MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.4/2546/wlanext.exe
|
3
www.synergyinnovationgroup.com(65.60.36.22) - malicious 65.60.36.22 - malicious
172.245.208.4 - malicious
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
8287 |
2023-12-21 07:59
|
Microsofttechnologyunavailable... 70e00aa467b51abaa54b560b0d399010 MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://198.46.178.135/2545/wlanext.exe
|
3
www.magssin.com(167.86.119.6) - malicious 167.86.119.6 - malicious
198.46.178.135 - malware
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
8288 |
2023-12-20 23:29
|
https://www.luxuryshield.org/?... Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
https://www.luxuryshield.org/?__cf_chl_tk=MzoipA0JWISUjOClHcsQwKUHXueBNC8cKT_tsGH.M2s-1702993100-0-gaNycGzNDaU
https://www.luxuryshield.org/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=83888fe87ed83149
https://www.luxuryshield.org/cdn-cgi/styles/challenges.css
|
2
www.luxuryshield.org(172.67.149.231) 172.67.149.231
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
8289 |
2023-12-20 08:03
|
sd4.ps1 16eedcc3da8cc730941c9a2f4adaaf7a Generic Malware Antivirus Malware powershell Malicious Traffic Check memory unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://45.90.58.1/index.php?id=&subid=c4gQX595
|
1
|
|
|
4.4 |
|
|
ZeroCERT
8290 |
2023-12-20 08:01
|
wlanext.exe c810e663dd2ada28c1bb8ee928f1372f Generic Malware Malicious Library UPX Antivirus PE32 PE File powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key crashed |
|
3
www.magssin.com(167.86.119.6) - malicious 45.90.58.1 167.86.119.6 - malicious
|
|
|
6.0 |
M |
|
ZeroCERT
8291 |
2023-12-20 08:01
|
sd2.ps1 b4127347d3d08d1a466289b2071e81e7 Generic Malware Antivirus Malware powershell Malicious Traffic Check memory unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://45.90.58.1/index.php?id=&subid=c4gQX595
|
1
|
|
|
4.4 |
|
|
ZeroCERT
8292 |
2023-12-20 07:59
|
Voiceaibeta-5.13.exe ce3cce902aecf173e8899da746b45dc3 Gen1 Malicious Library UPX Malicious Packer Anti_VM PE File PE64 ftp OS Processor Check DLL PNG Format ZIP Format icon Malware Check memory Creates executable files Ransomware |
|
|
|
|
2.0 |
M |
|
ZeroCERT
8293 |
2023-12-20 07:59
|
helper.exe 07bf5c0cec29332eaee4559712044afa Generic Malware Malicious Library UPX Antivirus PE32 PE File OS Processor Check PowerShell Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows Browser Advertising ComputerName DNS Cryptographic key |
1
http://45.90.58.1/config.php
|
1
|
1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
|
5.8 |
M |
|
ZeroCERT
8294 |
2023-12-20 07:57
|
voice5.13sert.exe b4b6bb1999d278b1eeb19783fce5cab4 Gen1 Malicious Library UPX Malicious Packer Anti_VM PE File PE64 ftp OS Processor Check DLL PNG Format ZIP Format icon Malware Check memory Creates executable files Ransomware |
|
|
|
|
2.0 |
|
|
ZeroCERT
8295 |
2023-12-20 07:57
|
agent3.ps1 274945641a4f798a13bddec960a82670 Generic Malware Antivirus Check memory Checks debugger unpack itself WriteConsoleW Windows ComputerName Cryptographic key crashed |
|
|
|
|
2.2 |
M |
|
ZeroCERT