8296 | 2023-12-20 07:57 | 1afd11ac-e4a1-428c-a564-7314eb... 125a5c30fd99f5f53b2914e9f6cf1627 Gen1 Malicious Library ASPack UPX Anti_VM PE File PE64 OS Processor Check DLL ZIP Format Check memory Creates executable files crashed | | | | | 1.4 | | | ZeroCERT
8297 | 2023-12-20 07:55 | wlanext.exe 228a21c1d3bdd03a1c3877e918913632 Generic Malware Malicious Library UPX Antivirus PE32 PE File powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed | | | | | 6.0 | M | | ZeroCERT
8298 | 2023-12-20 07:51 | spfasiazx.exe 89ebe827b46d7e08adb6aa47e3761fed Formbook PWS AntiDebug AntiVM PE32 PE File .NET EXE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed | | 2 spf-asia.com(185.38.151.11) 185.38.151.11 - malware | 2 ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 10.2 | | | ZeroCERT
8299 | 2023-12-20 07:51 | buildz.exe c108826f0555d4e9d6f1fcd7f0b872cd Malicious Library UPX PE32 PE File OS Processor Check unpack itself Windows crashed | | | | | 1.8 | M | | ZeroCERT
8300 | 2023-12-20 07:49 | %E6%B9%96%E5%8D%97%E7%81%AB%E9... 47db8f0121da0533cbceaf3179f28b4f UPX PE32 PE File unpack itself Remote Code Execution crashed | | | | | 1.8 | | | ZeroCERT
8301 | 2023-12-20 07:48 | alex.exe 794fc2da25b437ba1f88c2276b336c4d AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed | | 2 api.ipify.org(64.185.227.156) 64.185.227.156 | 4 ET INFO TLS Handshake Failure ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.6 | M | | ZeroCERT
8302 | 2023-12-19 18:35 | microsoftprofile.vbs 7469ff142c0075494c1225977f91ddf5 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 4 http://apps.identrust.com/roots/dstrootcax3.p7c https://paste.ee/d/o8Evr https://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175 http://23.94.239.93/2544/MJB.txt | 5 paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 104.21.84.67 - malware 121.254.136.18 104.21.45.138 - malware | 2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI | | 9.0 | | 3 | ZeroCERT
8303 | 2023-12-19 12:21 | Updationavailableformisofficet... 1990c5debf314b3860557e285f8c00ac MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed | 3 http://apps.identrust.com/roots/dstrootcax3.p7c http://23.94.239.93/2355/microsoftprofile.vbs https://paste.ee/d/o8Evr | 6 paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 23.94.239.93 - mailcious 104.21.84.67 - malware 104.21.45.138 - malware 182.162.106.144 | 3 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request | | 4.6 | M | 34 | ZeroCERT
8304 | 2023-12-19 12:21 | Microsoftdecidedtodeleteentire... bd52f7a13aed1b9c15db012d98964c2c MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed | 2 http://geoplugin.net/json.gp http://85.195.105.118/8899/wlanext.exe | 5 geoplugin.net(178.237.33.50) unllin.com(91.92.252.51) 178.237.33.50 85.195.105.118 - malware 91.92.252.51 - mailcious | 6 ET JA3 Hash - Remcos 3.x TLS Connection ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 4.6 | M | 33 | ZeroCERT
8305 | 2023-12-19 12:18 | upgradedtechnologyfordeleteent... 0e760369df71ec360aed63e8363796cc MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed | 1 http://172.245.208.4/2341/wlanext.exe | 1 172.245.208.4 - mailcious | 1 ET INFO Executable Download from dotted-quad Host | | 4.6 | M | 35 | ZeroCERT
8306 | 2023-12-19 12:18 | installer.msi 91096f053b15929f5ef64db5b7029f82 Generic Malware Malicious Library Antivirus MSOffice File OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName | | | | | 2.2 | | 5 | ZeroCERT
8307 | 2023-12-19 09:15 | 2023_12_10_1702192534929__com.... d41d8cd98f00b204e9800998ecf8427e AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName | | | | | 3.4 | | | guest
8308 | 2023-12-19 07:40 | lve5.exe 82182c7f430666ecd80649a3c9d4b06a UPX PE32 PE File AutoRuns Check memory RWX flags setting AntiVM_Disk sandbox evasion VM Disk Size Check Windows Browser DNS | | 2 www.996m2m2.top(163.197.245.130) 163.197.245.130 - mailcious | 2 ET DNS Query to a *.top domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 16 | | 4.4 | M | | ZeroCERT
8309 | 2023-12-19 07:39 | 1.exe 2e4e7673a769c8ca39609bb6973f8a1f Lumma Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Browser Info Stealer Malware download Malware Cryptocurrency wallets Cryptocurrency Malicious Traffic Check memory buffers extracted Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware DNS | 1 http://crudeleavelegendew.fun/api - rule_id: 38802 | 3 crudeleavelegendew.fun(172.67.207.100) - mailcious 163.197.245.130 - mailcious 172.67.207.100 - mailcious | 3 ET DROP Spamhaus DROP Listed Traffic Inbound group 16 ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In | 1 http://crudeleavelegendew.fun/api | 7.2 | M | | ZeroCERT
8310 | 2023-12-19 07:39 | wlanext.exe 88aa7a12dbafa9f2d059943a7e112ac3 NSIS Malicious Library UPX ASPack PE32 PE File OS Processor Check Remcos Malware AutoRuns Malicious Traffic Check memory buffers extracted Creates executable files unpack itself AppData folder Windows | 1 http://geoplugin.net/json.gp | 4 geoplugin.net(178.237.33.50) unllin.com(91.92.252.51) 178.237.33.50 91.92.252.51 - mailcious | 1 ET JA3 Hash - Remcos 3.x TLS Connection | | 4.4 | M | | ZeroCERT