8386 |
2023-09-23 09:39
|
Dropper.exe a5bad49c2447d6c4b7367803a505cb39 Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware unpack itself Tofsee ComputerName Remote Code Execution |
|
3
i.ibb.co(172.96.160.222) - mailcious 104.194.8.143 104.194.8.120
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.4 |
|
4 |
ZeroCERT
8387 |
2023-09-23 09:38
|
Bypass.bat 08c880b1f0b63680b7bdd78408bdceda Generic Malware Downloader Antivirus UPX Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM ZIP Format PE File PE32 VirusTotal Malware Malicious Traffic Check memory buffers extracted Windows utilities suspicious process AppData folder WriteConsoleW Windows Remote Code Execution DNS |
1
http://45.66.230.113/Malware.zip
|
1
|
4
ET DROP Dshield Block Listed Source group 1 ET INFO Dotted Quad Host ZIP Request ET POLICY curl User-Agent Outbound ET HUNTING curl User-Agent to Dotted Quad
|
|
4.4 |
|
12 |
ZeroCERT
8388 |
2023-09-23 09:37
|
App1234.exe e8a7ed6986b1178188c27b9761f39762 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check PNG Format ZIP Format Browser Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted WMI Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS |
3
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt http://174.138.6.99:8880/new_analytics https://api.db-ip.com/v2/free/self
|
7
o4505838714748928.ingest.sentry.io(34.120.195.249) api.db-ip.com(104.26.5.15) cacerts.digicert.com(152.195.38.76) 34.120.195.249 152.195.38.76 174.138.6.99 104.26.4.15
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING PNG in HTTP POST (Outbound)
|
|
6.6 |
|
29 |
ZeroCERT
8389 |
2023-09-23 09:36
|
2ac82382-33f7-4490-a91d-e3cfe4... 3403cb537d8e1e6257068d3189705050 Gen1 Emotet Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check CAB Malware download NetWireRC RevengeRAT VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger WMI Creates executable files unpack itself AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Windows ComputerName DNS DDNS crashed |
|
2
marcelotatuape.ddns.net(141.255.151.60) 141.255.151.60
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2
|
|
8.4 |
M |
47 |
ZeroCERT
8390 |
2023-09-23 09:36
|
WhiteCrypt.exe c4d37e5aeffecf5dd8728a71d204dca1 RedLine Infostealer UltraVNC Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger WMI unpack itself anti-virtualization Windows ComputerName Cryptographic key crashed |
|
|
|
|
5.4 |
M |
36 |
ZeroCERT
8391 |
2023-09-23 09:34
|
LB3.exe 0c2246bc569ddf7c9e93ccbf87aeb397 Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
1.8 |
|
51 |
ZeroCERT
8392 |
2023-09-23 09:33
|
WXwEfBwFojUL7Eo.exe fb6436801517f4cb1748ba4bf9df2df4 Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(132.226.8.169) 193.122.6.168
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
15.6 |
M |
28 |
ZeroCERT
8393 |
2023-09-23 09:32
|
Dropper.exe a5bad49c2447d6c4b7367803a505cb39 Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware unpack itself Tofsee ComputerName Remote Code Execution |
|
3
i.ibb.co(172.96.160.210) - mailcious 104.194.8.120 172.96.160.210
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.4 |
|
4 |
ZeroCERT
8394 |
2023-09-23 09:31
|
clip.exe 55a7682ff0b918010481c8daa6b76a32 Downloader UPX MPRESS Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Remote Code Execution Firmware crashed |
|
|
|
|
10.8 |
M |
47 |
ZeroCERT
8395 |
2023-09-23 09:29
|
2.exe 6d52fc20fc9abf70dcdefb26ac76a19e RedLine stealer Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172) 62.72.23.19 - mailcious 172.67.75.172 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
M |
53 |
ZeroCERT
8396 |
2023-09-22 18:31
|
UMM.exe 3240f8928a130bb155571570c563200a SmokeLoader HermeticWiper Emotet Gen1 njRAT Generic Malware UltraVNC PhysicalDrive Suspicious_Script_Bin Buhtrap Group Downloader Malicious Library UPX Malicious Packer Antivirus Admin Tool (Sysinternals etc ...) ASPack Confuser .NET Create Service Soc Malware download VirusTotal Malware Buffer PE AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic RWX flags setting unpack itself Checks Bios Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk suspicious TLD sandbox evasion China anti-virtualization VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS Downloader |
24
http://hbn42414.beget.tech/385118/setup.exe http://85.217.144.143/files/My2.exe - rule_id: 34643 http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.InstallRox.CPI202211&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=153 http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab http://link.storjshare.io/s/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket/3la%20barra/LightCleaner.exe?download=1 http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=599&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|656,P2PS|0,PDMode|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=1094&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS http://sd.p.360safe.com/69D35E7CC0616D7E6B03D38F58A023C6CC8F1E80.trt http://galandskiyher2.com/downloads/toolspub1.exe - rule_id: 34645 http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://int.down.360safe.com/totalsecurity/360TS_Setup_Mini_WW_InstallRox_CPI202211_6.6.0.1054.exe http://link.storjshare.io/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket%2F3la%20barra%2FLightCleaner.exe?download=1 http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.InstallRox.CPI202211&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=9&dt=287&size=94639336&ds=329753.78 
http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIAmOtGQABAAA1m73K1636yDtnUhWdvE8i19tIgGLNpkaJjs3AcwTItHHTEc5tUGOo3oVyS4mwlyta31bJLdpNP9PkqMP0p45GR5cjyJkM7P5hTvD%2FXpYAdH08UU85WdmIj2YnyAVniFOeCHgiMCRfX6cklKUGROp8%2FWsLTUWeJ1fWXAnurP%2FPnY8NhzN%2BByFbyTHOqiLl%2BKRC6cEbWuQ7oVKRiCj3diGqzXeAL546WkQP4eZiQFyprmCokOc9rncQKbFHDlD%2FpKcyWwUu7fKbyLcJqlpSOeO7q4ciIBeT5jJd55TNCOG%2Fu1TQstTdxUwLDzsbxM8%2FAqLWduxzlJ3mQVJx5fWLSLHFikAp%2BiD1QmU%2BEdVEhcikSKIeha6%2BlHivROM9f0BD531%2BH8qTg4zA0c9%2FDlQHYPvXN6e18THM%2BQcosD2xTiyOdwz2Q4wd%2BQYOtUcEaPN6VcziSqkICyqPEs3a4F8czpYH http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=A8B8ED2D4374EE6EB6EEE5936C05691A&p2p=1&t_id=360TS_Setup.exe&tads=3505160&tdl=94639336&tds=0&terr=0&tes=Status|1,ErrorCode|0,DnCount|17,HttpNum|12,DnFailCount|16,FStatus|1,P2SS|94639336,P2PS|0,PDMode|3&tfl=94639336&tp=t&tst=1&ttdl=94639336&ttm=27672&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS http://360devtracking.com/w3f2h5zq4s6xmfz6/ba3zag http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1042.exe https://orion.ts.360.com/installapp?c=&ch=WW.InstallRox.CPI202211&sch=0&ver=11.0.0.1042&lan=en&os=6.1-x64&mid=fa7bb520099706f4d9615c3663eacc55&time=1695373682&checksum=17DACFCCDB55379CF2BC8597 https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619 https://pastebin.com/raw/xYhKBupz https://link.storjshare.io/s/jwwi6qvijjcy2bytemq4e4pelcoa/installer/LightCleaner.exe?download=1 https://potatogoose.com/8d4b26a640ccdd0134a626c1089c4617/baf14778c246e15550645e30ba78ce1c.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://link.storjshare.io/jwwi6qvijjcy2bytemq4e4pelcoa/installer/LightCleaner.exe?download=1
|
54
mkbmedias.com(62.171.175.57) sd.p.360safe.com(54.230.169.32) galandskiyher2.com(194.169.175.127) - malware hbn42414.beget.tech(87.236.19.5) potatogoose.com(104.21.35.235) z.nnnaajjjgc.com(156.236.72.121) - malware yip.su(148.251.234.93) - mailcious st.p.360safe.com(54.77.42.29) iup.360safe.com(18.67.51.75) s.360safe.com(54.255.136.181) downloads.digitalpulsedata.com(18.67.51.83) - mailcious jetpackdelivery.net(172.67.202.56) 360devtracking.com(37.230.138.66) - mailcious ji.alie3ksgbb.com(104.21.90.117) - mailcious int.down.360safe.com(99.86.207.68) link.storjshare.io(185.244.226.4) - malware tr.p.360safe.com(54.76.174.118) connectini.net(91.109.116.11) - mailcious pastebin.com(172.67.34.170) - mailcious flyawayaero.net(172.67.216.81) net.geo.opera.com(107.167.110.211) orion.ts.360.com(82.145.215.152) lycheepanel.info(172.67.187.122) - malware 148.251.234.93 - mailcious 85.217.144.143 - malware 54.77.42.29 194.169.175.127 - malware 18.67.51.97 104.21.14.50 18.67.51.75 104.20.68.143 - mailcious 18.67.51.69 91.109.116.11 99.86.207.68 99.86.207.61 185.244.226.4 - malware 54.255.136.181 104.21.90.117 - malware 54.230.169.15 104.21.32.208 23.67.53.17 18.67.51.8 107.167.110.211 156.236.72.121 - mailcious 18.67.51.39 54.76.174.118 99.86.207.16 87.236.19.5 - malware 82.145.215.152 99.86.207.15 104.21.93.225 - phishing 62.171.175.57 - mailcious 172.67.180.173 37.230.138.66 - mailcious
|
16
ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET INFO TLS Handshake Failure ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false) ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false) ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true) ET INFO EXE - Served Attached HTTP
|
|
19.8 |
M |
27 |
ZeroCERT
8397 |
2023-09-22 18:16
|
ULK.vbs f7e89d72f44d97e96e1edc2251af39b8 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/614/895/original/rump_vbs.jpg?1695246171
https://yorkrefrigerent.md/public/poz/nhfnfg.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
7 |
ZeroCERT
8398 |
2023-09-22 18:14
|
kencec.vbs 164ef3b75a4816f7eaf2c31663967a84 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/614/895/original/rump_vbs.jpg?1695246171
http://79.110.48.52/kencec.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
4 |
ZeroCERT
8399 |
2023-09-22 18:14
|
gen.txt.vbs 44a5b86106b7e15f73417ff67a4fbd2a Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://95.214.27.64:222/cod.jpg
|
1
|
|
|
9.2 |
M |
12 |
ZeroCERT
8400 |
2023-09-22 18:13
|
a121c08b062c6ad1fe720bccaa16d3... a121c08b062c6ad1fe720bccaa16d3f9 njRAT backdoor PE File PE32 .NET EXE VirusTotal Malware DNS DDNS |
|
2
berlynm98.duckdns.org(46.246.82.6) 46.246.82.6
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
3.2 |
|
61 |
ZeroCERT