8341 | 2023-12-18 07:50 | ZeroCERT
File:  TierDiagnosis.exe
MD5:   2e600b1ff7cd82c6402bb280720ced61
Tags:  Generic Malware task schedule Downloader Malicious Library Admin Tool (Sysinternals etc ...) UPX KeyLogger Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows ComputerName
URLs (1):
  KUHhhnlUmHdzjZFqZYoOtpryMyR.KUHhhnlUmHdzjZFqZYoOtpryMyR()  (reported in the URL column, but this is a method-style identifier, not a URL)
Score: 11.8 | M | VT: 48

8342 | 2023-12-18 07:50 | ZeroCERT
File:  wlanext.exe
MD5:   d28a7016ca5651a4a4a270883792ebb7
Tags:  Generic Malware Malicious Library UPX Antivirus PE32 PE File powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed
Score: 5.4 | M

8343 | 2023-12-15 19:04 | ZeroCERT
File:  adobe.exe
MD5:   f74eaaf7cee624885219e992887a1689
Tags:  Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE32 PE File MZP Format DLL OS Processor Check DllRegisterServer dll PE64 wget ZIP Format Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed
Score: 4.2

8344 | 2023-12-15 19:03 | ZeroCERT
File:  setup294.exe
MD5:   c83e00b6e41e1a56fc6908e165ab4cb5
Tags:  Malicious Library UPX AntiDebug AntiVM PE32 PE File DLL OS Processor Check Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder
Score: 4.0

8345 | 2023-12-15 19:00 | ZeroCERT
File:  2.exe
MD5:   f89eaa7fbb0a8b2e24ad2671d833b15f
Tags:  Malicious Library VMProtect PE32 PE File Remote Code Execution crashed
Score: 1.8

8346 | 2023-12-15 18:22 | ZeroCERT
File:  Delivery_Data.jar
MD5:   eea444443394d25856661dc1cfbbff20
Tags:  Malicious Library MSOffice File VirusTotal Malware Check memory heapspray unpack itself Java
Score: 2.4 | M | VT: 20

8347 | 2023-12-15 18:20 | ZeroCERT
File:  svchost.exe
MD5:   d973e5134f0a64365f35d158d23c4ba1
Tags:  Malicious Packer Antivirus .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger RWX flags setting unpack itself
Score: 2.8 | M | VT: 36

8348 | 2023-12-15 18:18 | ZeroCERT
File:  DNS1.exe
MD5:   6a23b6e2536f7027a8506c87245eea5d
Tags:  PE32 PE File VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Creates executable files unpack itself suspicious TLD Windows DNS
URLs (2):
  http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
  http://www.996-m2.xyz:1881/logng.dll
Hosts (6):
  users.qzone.qq.com(43.159.233.101) - malicious
  www.996m2m2.top(163.197.245.240)
  www.996-m2.xyz(163.197.245.130)
  163.197.245.130
  163.197.245.240
  43.129.2.81
Alerts (4):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 16
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO TLS Handshake Failure
  ET HUNTING Rejetto HTTP File Sever Response
Score: 6.4 | M | VT: 59

8349 | 2023-12-15 18:16 | ZeroCERT
File:  Dvvyjoogg.exe
MD5:   4a9119576c02d6707f5914f5ea020730
Tags:  PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
Score: 2.4 | M | VT: 32

8350 | 2023-12-15 18:16 | ZeroCERT
File:  tSV0dUC1pYGjOvI.exe
MD5:   f0b67e5a152e990ffc32d8364da1c8b2
Tags:  PE32 PE File .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key crashed
Score: 5.0 | M | VT: 29

8351 | 2023-12-15 17:45 | ZeroCERT
File:  Voice-Ai-beta.exe
MD5:   db24ccd5edd193c3de7e8324af4df458
Tags:  Gen1 Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL PNG Format ZIP Format icon VirusTotal Malware Check memory Creates executable files Ransomware
Score: 2.6 | VT: 18

8352 | 2023-12-15 17:45 | ZeroCERT
File:  release.rar
MD5:   57ab5e01e6e92d13ae33e587004ad918
Tags:  Stealc PrivateLoader Amadey Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Vidar Glupteba Open Directory Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Exploit Browser RisePro DNS Downloader plugin
URLs (62):
  http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591
  http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
  http://91.92.242.146/advdlc.php
  http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
  http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=eight&s=ab - rule_id: 38706
  http://5.42.64.35/timeSync.exe - rule_id: 38593
  http://5.42.64.35/syncUpd.exe - rule_id: 38707
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://api.ipify.org/?format=qwc
  http://185.172.128.19/InstallSetup8.exe
  http://45.15.156.229/api/firegate.php - rule_id: 36052
  http://still.topteamlife.com/order/tuc3.exe
  http://195.20.16.45/api/firegate.php - rule_id: 38697
  http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
  http://77.105.147.130/api/tracemap.php
  http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300
  http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
  http://91.92.254.7/scripts/plus.php?substr=one&s=two - rule_id: 38706
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
  http://195.20.16.45/api/tracemap.php - rule_id: 38695
  http://zen.topteamlife.com/order/adobe.exe
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://109.107.182.3/dote/film.exe
  http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
  https://vk.com/doc418490229_669576362?hash=2TYLSTWS5p3PwhTNSYwsx2GpGiyOpl6IB17qzZDTTnz&dl=R4angaiywIuZ3iAh5RqnVQxC3TmVWJZOPSt2s7ZkU94&api=1&no_preview=1
  https://vk.com/doc418490229_669536405?hash=R1SzeC40xJ3N84YoN0iXk4AQPRuvygwN5sp4tBfbczD&dl=GXT1bZGxOK19LH7eZCNhRVIcrGJyQCrsbbajDN7XKHk&api=1&no_preview=1#nsd
  https://sun6-20.userapi.com/c909228/u418490229/docs/d36/c87009947661/file141223.bmp?extra=riGpl1sVynSQNy7_56coUnxCg7bnPcMRbuAzvkh_ETAwlmYx6qE_ofcQ65AriUxQcf_ivxfJAJM3YADTPZpm0PQnGOn-nmQ0wfHlZF3X1ntWeFueWSrC0bm4lZU0qKMLHBkZK0r0esUhSSQUng
  https://vk.com/doc418490229_669587219?hash=k77BufzomwcBsW3hPhpz2FEdZyz0nCp5svZgzAhWzX8&dl=GGiKhtZZMwWTM9cPInAZ3ZvsfBC6QLOXzRT6d5aaZ9w&api=1&no_preview=1#xin
  https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=HJmhL06OJea1RlhWWse3wquZZjcLEZaOXFHu4a0VKb0%3D&spr=https&se=2023-12-16T09%3A12%3A02Z&rscl=x-e2eid-07bdf5ea-b89c46ec-8622ba13-cca3d6da-session-bfed46ea-eff3416b-81f720b1-a91cee8f
  https://vk.com/doc418490229_669575350?hash=vKrKQ1LNzfmk5bqDBawqJaSNYy2pPUvsVD8GKsP1go0&dl=bKf2OcMYkQVThifDdutSO1iDmr9BZ1mynSvBZGNDR74&api=1&no_preview=1#tw
  https://sun6-20.userapi.com/c909518/u418490229/docs/d24/8a4941081cf4/xinxin.bmp?extra=MYqii3RlgEdZmDiKshYG4cBuSFt-4I8No-BNWthaqggg8UIboNVqio9EQKvqnDf0IwnpwaqiXtjrufIKCgD54naDTYqQKF7M8ZxG9jgvbLoxaZAboWXtmkjqHzXUIPaO1cX_tjq7DjsuoOVT1Q
  https://sun6-22.userapi.com/c909218/u418490229/docs/d43/33a4d3a867cd/crypted.bmp?extra=7n1p5WXd_XA-frypoGw5NGGcH5ozP0-5aPXvPSGNWJnmWcOQyKm3XmG1A4H78VWMkEfRaxwAsjW6UtarY0Cdk2S00-TlIzTDgoGExJ2V7IUXR3iB7Oq8RmopiHVQh1hv_C_EWlY_STkxOJE2iw
  https://vk.com/doc418490229_669583708?hash=eKiEuBeLlD8AVLZpMr9fKb3Fp25y6PbAZumFOSRz8Ls&dl=Dexpdq6aIxefqfmky79VED88wzPCzbXZWs8AXq2twlc&api=1&no_preview=1#test22
  https://vdfgdfbfdbdfbdfgroup.sbs/setup294.exe
  https://sun6-23.userapi.com/c909228/u418490229/docs/d43/b05f93b34277/irisaCrypt.bmp?extra=4bwsZcK5u5cEEHtMWABs91FQoKbo4zXJ4K4gfYbS4E4umS85yFuk5CBomenrD5NM9YfshQdl03pizbE7teLHEenSIgkV_vvzQNfWHtMMYtg94gK8eT35lVqZ2pCIzmY0OmDluTvvoGpmJj4z5A
  https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
  https://domen414.com/70e35a78e758263ac94805845a3b1aa6/e0cbefcb1af40c7d4aff4aca26621a98.exe
  https://api.myip.com/
  https://msdl.microsoft.com/download/symbols/index2.txt
  https://sun6-23.userapi.com/c909418/u418490229/docs/d39/c8967eb6f89d/PLmp.bmp?extra=4rNxN4-WGW1_vpBEh0yJ7O9mXuWiNiVfzRYTurrDDQ4puTpR49fSpaHI_fGwXIZcMw16OD6BZwIlWibKWNGNRnZP9KdPo-9HxcFrCZFI21fq_QZNl8UoJqh-BFl60eeV8xM1RFT1XYsTNcAO_w
  https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://vk.com/doc418490229_669553328?hash=izexNkT0c9lubTKZrX98Bt9LyqTRtBjqbopnZwLqlgz&dl=ECg5r3GQRknKKixHOxzIu5HdJ3xcDAtCSdybIVtGzGX&api=1&no_preview=1
  https://vk.com/doc418490229_669446288?hash=QFSGrfzK1NpHqTbP7orCKrs6ivw74w9NbUeXT4cVAJ8&dl=scYinNdJ0msbOFLMzJwjxC4aj2UhN7mrdx5bV4i4j1T&api=1&no_preview=1#ww11
  https://vk.com/doc418490229_669446210?hash=BZ9b8Xtsn5Z8zZkSRBEdwF1W7jzCAT8GJBVEicdXS6L&dl=eA4o75IiHafzbkgdBC8nz7TmLS7uMpwJRsfDOcAnrqD&api=1&no_preview=1
  https://iplis.ru/1Gemv7.mp3
  https://sun6-22.userapi.com/c909618/u418490229/docs/d42/d3f4cb6b29e6/twointe.bmp?extra=i7uy3fj3_0Ze73YL3gCj-5SBktdI9fvOagbQj0A_MTiUAkHJpynsELLBxOzk_eRHirZQfV0sivxHcLQaU_1LDcnsap5U75nd8N-bK6d_DTLR2JmJwXiur__vcggTugQ_hcATc-qjTcUuqdB49g
  https://api.2ip.ua/geo.json
  https://vk.com/doc418490229_668982322?hash=azDCFq3LKE8SI4FuHIiO9uqD9f0NzgSZGZRfp16uXc8&dl=S8rnCmwvOvSogOT6fxEmoZZvxNehhMMaIfqIZkup0tP&api=1&no_preview=1
  https://sun6-23.userapi.com/c909228/u418490229/docs/d8/82a883d0cb5c/RisePro_1_1.bmp?extra=Khx0S2q1Cc35UHPx2HuaYmrza_MbtEdOxIPETSaulwXUXV1_rOOCqrnbkChic9YVaUB54TG5UV9XzCcFaEMz9Fs-QxMSWyPh49aPdA4i6lnKfYQSEDEtz4wB7t_GWVPlUMDQdldbTLx7Ifly2A
  https://sun6-21.userapi.com/c235131/u418490229/docs/d58/5c0b9e6bfbb0/WWW11_32.bmp?extra=p1oBag1URwphK9fm5j9Jq7YOyeLeYwoTlNXxy-wy5IUdSKAq5VMvZiEdPlIcLVQn8hIZLuRKmCNHWREB57Cexdl8j2qkqFJbyxi0QG7Y6MixRJdPAmBV-XZVChIxLC6qYD1souE3k5cCPKfsSA
  https://mrproper.org/e0cbefcb1af40c7d4aff4aca26621a98.exe
  https://vk.com/doc418490229_669431693?hash=ZJOgiMvcEt67O8ZgIQTPetDJ5TJVWChVj8OP8l7poMo&dl=l8kZtnWtBZ88utyX5ok8hBf0AvLsgVspFPCyrexPZcc&api=1&no_preview=1
  https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=oby3wWHlvYWWrF7NhzaeDiB4De2SzNZjlf1ujeFGLuE%3D&spr=https&se=2023-12-16T09%3A35%3A46Z&rscl=x-e2eid-da202a57-853643ff-8f0c306b-e4a3eb32-session-aa02589a-042c46e7-b900bab6-bb84b0be
  https://sun6-21.userapi.com/c235031/u418490229/docs/d20/3537096df5d0/sdfj34dv.bmp?extra=-wfwzf8mggLUbLw-tDmqqwImNK4Ftwq957DguR_ZMse6BpyI5-rPV6hbhzSG2NwFqlvPZVAflEjl79RMCYIB1POUVIydbhkLkUQ6dr7fGPtpI4ydIkrZ_U79xWEv5Xk1NueG2w6-DwHLIn3DeQ
  https://vk.com/doc418490229_669575445?hash=vrqpipzq5gbIf9ZzlH6eoLxWYY2GVWTdCZyZfEBDU6o&dl=vAwShLyLIswxvXKtspyKZMxVY7MZYQOz2xin63S1bXz&api=1&no_preview=1#1
  https://vk.com/doc418490229_669524169?hash=inQnNfQi9pW3FIKvlWtzgZEF4L0HuZ8DIxxvcU43wrc&dl=fEEIzUN5hJ8zayr8sOcmw911iz7V6Wz6VvyTXKMFcdk&api=1&no_preview=1#risepro
  https://sun6-21.userapi.com/c909328/u418490229/docs/d9/ed7e4b61a950/tmvwr.bmp?extra=8ABSpR5kzOaL11KUTp_YTUz2hMDoCUYwXHxrulWm_E5Qppp5p26G9nQBBugoFJ3FhMkU7aktVviN94njhqhJWc4jj01UDf2oKFiCQ5w1tYtq3ZQaL-VtmQiiv4NSJja4CPGU6aMHn99Tfe6lCg
  https://sun6-20.userapi.com/c909518/u418490229/docs/d9/5e0d43d301bf/BotClient_WWW.bmp?extra=K4Bc2tEiqrN1_FErEK6iFLRLCk66bRPdEIg_NBxdAdEKjqBoH80jch2EATGL5aoZyV0ONQLUKsLO3xWLSK_Dqja2G9_4sN84DzErWXT52ONKiCO1heZTXPBUC44s8QXP0LO8LqIDy-hnCQNaAQ
Hosts (75):
  db-ip.com(104.26.4.15)
  91920b82-9195-455d-9a5f-23f11e556e53.uuid.dumperstats.org(185.82.216.111)
  vanaheim.cn(91.222.236.186) - malicious
  ipinfo.io(34.117.59.81)
  sun6-23.userapi.com(95.142.206.3) - malicious
  medfioytrkdkcodlskeej.net(91.215.85.209) - malware
  server6.dumperstats.org(185.82.216.111)
  api.2ip.ua(172.67.139.220)
  iplogger.org(104.21.4.208) - malicious
  msdl.microsoft.com(204.79.197.219)
  cdn.discordapp.com(162.159.135.233) - malware
  sun6-20.userapi.com(95.142.206.0) - malicious
  sun6-21.userapi.com(95.142.206.1) - malicious
  mrproper.org(104.21.63.180)
  stun1.l.google.com(172.253.56.127)
  zen.topteamlife.com(172.67.138.35)
  walkinglate.com(172.67.212.188) - malware
  api.ipify.org(64.185.227.156)
  zexeq.com(211.53.230.67) - malware
  transfer.sh(144.76.136.153) - malware
  domen414.com(172.67.166.192)
  vsblobprodscussu5shard10.blob.core.windows.net(20.150.38.228)
  iplis.ru(172.67.147.32) - malicious
  still.topteamlife.com(172.67.138.35)
  sun6-22.userapi.com(95.142.206.2) - malicious
  vsblobprodscussu5shard58.blob.core.windows.net(20.150.38.228)
  vdfgdfbfdbdfbdfgroup.sbs(172.67.222.70)
  vk.com(87.240.132.72) - malicious
  api.myip.com(104.26.9.59)
  xmr-asia1.nanopool.org(172.104.165.191) - malicious
  95.142.206.1 - malicious
  5.42.64.35 - malware
  91.92.254.7 - malicious
  91.215.85.209 - malicious
  162.159.135.233 - malware
  104.26.5.15
  172.67.138.35
  172.67.212.188
  23.67.53.27
  104.21.38.114
  104.21.63.180
  45.15.156.187
  172.67.75.163
  34.117.186.192
  185.172.128.19 - malicious
  185.82.216.111
  211.53.230.67 - malware
  121.254.136.18
  91.92.242.146
  87.240.132.67 - malicious
  172.104.165.191 - malicious
  20.150.79.68
  34.117.59.81
  176.113.115.84 - malicious
  194.33.191.60 - malicious
  5.42.64.41 - malicious
  204.79.197.219
  172.253.56.127
  20.150.38.228
  45.15.156.229 - malicious
  194.33.191.102 - malware
  144.76.136.153 - malicious
  172.67.166.192
  195.20.16.45 - malicious
  77.105.147.130
  173.231.16.77
  176.123.10.211 - malicious
  104.21.63.150
  95.142.206.2 - malicious
  172.67.139.220
  95.142.206.0 - malicious
  95.142.206.3 - malicious
  91.222.236.186
  172.67.132.113
  109.107.182.3 - malicious
Alerts (62):
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 20
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET HUNTING Rejetto HTTP File Sever Response
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO TLS Handshake Failure
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
  ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Redline Stealer Family Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  ET POLICY External IP Lookup (ipify .org)
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
  ET MALWARE Observed Glupteba CnC Domain (dumperstats .org in TLS SNI)
  ET MALWARE Amadey Bot Activity (POST)
  ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
Flagged URLs (12, the ones carrying a rule_id above):
  http://5.42.64.41/40d570f44e84a454.php
  http://zexeq.com/test2/get.php
  http://91.92.254.7/scripts/plus.php
  http://5.42.64.35/timeSync.exe
  http://5.42.64.35/syncUpd.exe
  http://45.15.156.229/api/tracemap.php
  http://45.15.156.229/api/firegate.php
  http://195.20.16.45/api/firegate.php
  http://185.172.128.19/ghsdh39s/index.php
  http://91.92.254.7/scripts/plus.php
  http://176.113.115.84:8080/4.php
  http://195.20.16.45/api/tracemap.php
Score: 7.6 | M

8353 | 2023-12-15 16:22 | ZeroCERT
File:  128.5.14-package.hta
MD5:   715d2502c51eddfd399a63042a259634
Tags:  AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 3.8

8354 | 2023-12-15 15:21 | ZeroCERT
File:  microsoftdeletedprofilehistory...
MD5:   1578764a625e6b24828568abf19b591a
Tags:  MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware AgentTesla Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (1):
  http://192.3.179.162/3010/wlanext.exe
Hosts (3):
  ftp.experthvac.ro(188.241.222.22)
  188.241.222.22
  192.3.179.162 - malware
Alerts (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE AgentTesla Exfil via FTP
Score: 4.2 | M | VT: 31

8355 | 2023-12-15 15:14 | ZeroCERT
File:  winpack-en-18f036cdef58fd.url
MD5:   07419ec9bbd2759b58f49acd28287cd8
Tags:  AntiDebug AntiVM URL Format VirusTotal Malware Code Injection Malicious Traffic unpack itself Windows utilities Windows DNS
URLs (3):
  http://5.181.156.136/Downloads/128.5.14-package.hta
  http://5.181.156.136/Downloads
  http://5.181.156.136/
Hosts (1):
Alerts (2):
  ET INFO Dotted Quad Host HTA Request
  ET POLICY Possible HTA Application Download
Score: 3.6 | M | VT: 3

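The records list URLs, resolved hosts with verdict tags and alerts per submission, but not how the submissions relate to each other: release.rar (8352) fetched setup294.exe and adobe.exe (8344, 8343), the .url shortcut (8355) fetched 128.5.14-package.hta (8353), and the RTF (8354) fetched wlanext.exe (8342). The following is an added example, not code from the listing or from the sandbox that produced it: a parser for the URL and host cells in the layout shown above, a defanged blocklist of everything tagged malware/malicious, and a join on filenames that recovers those delivery chains. The Record layout is an assumption made for this example, and the sample cells are a subset copied from records 8352, 8354 and 8355.

```python
"""Parse URL/host cells from the sandbox records above, build a defanged
blocklist, and link records into delivery chains (which submission dropped
which). Added example; the Record layout is assumed, the sample cells are a
subset copied from the listing."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# One host-cell token: "name(ip)" or a bare dotted quad, with an optional
# " - tag" verdict suffix. The listing spells one verdict "mailcious".
HOST_RE = re.compile(
    r"(?P<name>[\w.-]+)"
    r"(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
    r"(?:\s+-\s+(?P<tag>mailcious|malicious|malware))?"
)
# One URL-cell token: the URL, optionally followed by " - rule_id: N".
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
# NSS/SQLite support DLLs that stealers pull from their C2 to read Firefox-style
# credential stores; record 8352 fires one ET HUNTING rule per DLL.
NSS_DLLS = {"nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll", "sqlite3.dll"}


@dataclass
class Record:                      # assumed layout, not the sandbox's export format
    rid: str
    filename: str
    url_cell: str = ""
    host_cell: str = ""


def parse_urls(cell):
    """[(url, rule_id or None)] for every URL in a URL cell."""
    return [(m.group("url"), m.group("rule")) for m in URL_RE.finditer(cell)]


def parse_hosts(cell):
    """{indicator: verdict} for every hostname and IP in a host cell. A resolved
    IP inherits its hostname's verdict and 'mailcious' is normalised."""
    out = {}
    for m in HOST_RE.finditer(cell):
        tag = (m.group("tag") or "").replace("mailcious", "malicious")
        for ind in (m.group("name"), m.group("ip")):
            if ind:
                out[ind] = out.get(ind) or tag      # keep a verdict once seen
    return out


def defang(indicator):
    """hxxp[:]// and [.] so the indicator cannot be clicked when pasted."""
    return indicator.replace("http", "hxxp").replace("://", "[:]//").replace(".", "[.]")


def basename(url):
    return urlparse(url).path.rsplit("/", 1)[-1]


def blocklist(records):
    """Sorted, defanged indicators the sandbox tagged malware/malicious."""
    bad = {defang(ind) for r in records
           for ind, tag in parse_hosts(r.host_cell).items() if tag}
    return sorted(bad)


def nss_dll_fetches(record):
    """Sorted NSS/SQLite DLL names a sample fetched: a classic infostealer tell."""
    names = {basename(u).lower() for u, _ in parse_urls(record.url_cell)}
    return sorted(names & NSS_DLLS)


def delivery_chains(records):
    """(parent_rid, child_rid, url): parent fetched a file whose name equals
    another record's submitted filename, i.e. parent most likely dropped child."""
    by_name = {r.filename: r.rid for r in records}
    return [(r.rid, by_name[basename(u)], u)
            for r in records for u, _ in parse_urls(r.url_cell)
            if basename(u) in by_name and by_name[basename(u)] != r.rid]


# Sample cells copied from the listing above (constructed subset of the fields).
RECORDS = [
    Record("8342", "wlanext.exe"),
    Record("8343", "adobe.exe"),
    Record("8344", "setup294.exe"),
    Record("8352", "release.rar",
           "http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591 "
           "http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll "
           "http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll "
           "http://zen.topteamlife.com/order/adobe.exe "
           "https://vdfgdfbfdbdfbdfgroup.sbs/setup294.exe",
           "zexeq.com(211.53.230.67) - malware vk.com(87.240.132.72) - mailcious "
           "domen414.com(172.67.166.192) 5.42.64.35 - malware 104.26.5.15"),
    Record("8353", "128.5.14-package.hta"),
    Record("8354", "microsoftdeletedprofilehistory...",
           "http://192.3.179.162/3010/wlanext.exe",
           "ftp.experthvac.ro(188.241.222.22) 188.241.222.22 192.3.179.162 - malware"),
    Record("8355", "winpack-en-18f036cdef58fd.url",
           "http://5.181.156.136/Downloads/128.5.14-package.hta "
           "http://5.181.156.136/Downloads http://5.181.156.136/"),
]

if __name__ == "__main__":
    for parent, child, url in delivery_chains(RECORDS):
        print(f"{parent} -> {child} via {defang(url)}")
    print("stealer DLLs fetched by 8352:", nss_dll_fetches(RECORDS[3]))
    print("blocklist:", blocklist(RECORDS))
```

The filename join is a lead, not proof: a filename such as adobe.exe is reused freely, so confirm a chain by comparing the dropped file's hash with the child record's MD5 before treating the two reports as one incident. Untagged hosts (api.ipify.org, msdl.microsoft.com, the Azure blob hosts) are deliberately left out of the blocklist; the IP-lookup and symbol-server traffic is a behavioural signal, not something to block.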