| 8386 |
2023-09-23 09:39
|
 Dropper.exe a5bad49c2447d6c4b7367803a505cb39
Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware unpack itself Tofsee ComputerName Remote Code Execution |
|
3
i.ibb.co(172.96.160.222) - mailcious
104.194.8.143
104.194.8.120
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8387 |
2023-09-23 09:38
|
 Bypass.bat 08c880b1f0b63680b7bdd78408bdceda
Generic Malware Downloader Antivirus UPX Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM ZIP Format PE File PE32 VirusTotal Malware Malicious Traffic Check memory buffers extracted Windows utilities suspicious process AppData folder WriteConsoleW Windows Remote Code Execution DNS |
1
http://45.66.230.113/Malware.zip
|
1
|
4
ET DROP Dshield Block Listed Source group 1
ET INFO Dotted Quad Host ZIP Request
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
4.4 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8388 |
2023-09-23 09:37
|
 App1234.exe e8a7ed6986b1178188c27b9761f39762
Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check PNG Format ZIP Format Browser Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted WMI Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS |
3
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
http://174.138.6.99:8880/new_analytics
https://api.db-ip.com/v2/free/self
|
7
o4505838714748928.ingest.sentry.io(34.120.195.249)
api.db-ip.com(104.26.5.15)
cacerts.digicert.com(152.195.38.76)
34.120.195.249
152.195.38.76
174.138.6.99
104.26.4.15
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING PNG in HTTP POST (Outbound)
|
|
6.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8389 |
2023-09-23 09:36
|
 2ac82382-33f7-4490-a91d-e3cfe4... 3403cb537d8e1e6257068d3189705050
Gen1 Emotet Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check CAB Malware download NetWireRC RevengeRAT VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger WMI Creates executable files unpack itself AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Windows ComputerName DNS DDNS crashed |
|
2
marcelotatuape.ddns.net(141.255.151.60)
141.255.151.60
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2
|
|
8.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8390 |
2023-09-23 09:36
|
 WhiteCrypt.exe c4d37e5aeffecf5dd8728a71d204dca1
RedLine Infostealer UltraVNC Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger WMI unpack itself anti-virtualization Windows ComputerName Cryptographic key crashed |
|
|
|
|
5.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8391 |
2023-09-23 09:34
|
 LB3.exe 0c2246bc569ddf7c9e93ccbf87aeb397
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 VirusTotal Malware Remote Code Execution |
|
|
|
|
1.8 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8392 |
2023-09-23 09:33
|
 WXwEfBwFojUL7Eo.exe fb6436801517f4cb1748ba4bf9df2df4
Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(132.226.8.169)
193.122.6.168
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
15.6 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8393 |
2023-09-23 09:32
|
 Dropper.exe a5bad49c2447d6c4b7367803a505cb39
Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 MZP Format OS Processor Check VirusTotal Malware unpack itself Tofsee ComputerName Remote Code Execution |
|
3
i.ibb.co(172.96.160.210) - mailcious
104.194.8.120
172.96.160.210
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8394 |
2023-09-23 09:31
|
clip.exe 55a7682ff0b918010481c8daa6b76a32
Downloader UPX MPRESS Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process malicious URLs WriteConsoleW VMware anti-virtualization Windows ComputerName Remote Code Execution Firmware crashed |
|
|
|
|
10.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8395 |
2023-09-23 09:29
|
 2.exe 6d52fc20fc9abf70dcdefb26ac76a19e
RedLine stealer Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172)
62.72.23.19 - mailcious
172.67.75.172 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8396 |
2023-09-22 18:31
|
 UMM.exe 3240f8928a130bb155571570c563200a
SmokeLoader HermeticWiper Emotet Gen1 njRAT Generic Malware UltraVNC PhysicalDrive Suspicious_Script_Bin Buhtrap Group Downloader Malicious Library UPX Malicious Packer Antivirus Admin Tool (Sysinternals etc ...) ASPack Confuser .NET Create Service Soc Malware download VirusTotal Malware Buffer PE AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files ICMP traffic RWX flags setting unpack itself Checks Bios Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk suspicious TLD sandbox evasion China anti-virtualization VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS Downloader |
24
http://hbn42414.beget.tech/385118/setup.exe
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.InstallRox.CPI202211&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=153
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
http://link.storjshare.io/s/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket/3la%20barra/LightCleaner.exe?download=1
http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=599&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,DnFailCount|6,FStatus|1,P2SS|656,P2PS|0,PDMode|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=1094&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
http://sd.p.360safe.com/69D35E7CC0616D7E6B03D38F58A023C6CC8F1E80.trt
http://galandskiyher2.com/downloads/toolspub1.exe - rule_id: 34645
http://apps.identrust.com/roots/dstrootcax3.p7c
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://int.down.360safe.com/totalsecurity/360TS_Setup_Mini_WW_InstallRox_CPI202211_6.6.0.1054.exe
http://link.storjshare.io/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket%2F3la%20barra%2FLightCleaner.exe?download=1
http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.InstallRox.CPI202211&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=9&dt=287&size=94639336&ds=329753.78
http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIAmOtGQABAAA1m73K1636yDtnUhWdvE8i19tIgGLNpkaJjs3AcwTItHHTEc5tUGOo3oVyS4mwlyta31bJLdpNP9PkqMP0p45GR5cjyJkM7P5hTvD%2FXpYAdH08UU85WdmIj2YnyAVniFOeCHgiMCRfX6cklKUGROp8%2FWsLTUWeJ1fWXAnurP%2FPnY8NhzN%2BByFbyTHOqiLl%2BKRC6cEbWuQ7oVKRiCj3diGqzXeAL546WkQP4eZiQFyprmCokOc9rncQKbFHDlD%2FpKcyWwUu7fKbyLcJqlpSOeO7q4ciIBeT5jJd55TNCOG%2Fu1TQstTdxUwLDzsbxM8%2FAqLWduxzlJ3mQVJx5fWLSLHFikAp%2BiD1QmU%2BEdVEhcikSKIeha6%2BlHivROM9f0BD531%2BH8qTg4zA0c9%2FDlQHYPvXN6e18THM%2BQcosD2xTiyOdwz2Q4wd%2BQYOtUcEaPN6VcziSqkICyqPEs3a4F8czpYH
http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=A8B8ED2D4374EE6EB6EEE5936C05691A&p2p=1&t_id=360TS_Setup.exe&tads=3505160&tdl=94639336&tds=0&terr=0&tes=Status|1,ErrorCode|0,DnCount|17,HttpNum|12,DnFailCount|16,FStatus|1,P2SS|94639336,P2PS|0,PDMode|3&tfl=94639336&tp=t&tst=1&ttdl=94639336&ttm=27672&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
http://360devtracking.com/w3f2h5zq4s6xmfz6/ba3zag
http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1042.exe
https://orion.ts.360.com/installapp?c=&ch=WW.InstallRox.CPI202211&sch=0&ver=11.0.0.1042&lan=en&os=6.1-x64&mid=fa7bb520099706f4d9615c3663eacc55&time=1695373682&checksum=17DACFCCDB55379CF2BC8597
https://connectini.net/Series/SuperNitouDisc.php - rule_id: 7619
https://pastebin.com/raw/xYhKBupz
https://link.storjshare.io/s/jwwi6qvijjcy2bytemq4e4pelcoa/installer/LightCleaner.exe?download=1
https://potatogoose.com/8d4b26a640ccdd0134a626c1089c4617/baf14778c246e15550645e30ba78ce1c.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://link.storjshare.io/jwwi6qvijjcy2bytemq4e4pelcoa/installer/LightCleaner.exe?download=1
|
54
mkbmedias.com(62.171.175.57)
sd.p.360safe.com(54.230.169.32)
galandskiyher2.com(194.169.175.127) - malware
hbn42414.beget.tech(87.236.19.5)
potatogoose.com(104.21.35.235)
z.nnnaajjjgc.com(156.236.72.121) - malware
yip.su(148.251.234.93) - mailcious
st.p.360safe.com(54.77.42.29)
iup.360safe.com(18.67.51.75)
s.360safe.com(54.255.136.181)
downloads.digitalpulsedata.com(18.67.51.83) - mailcious
jetpackdelivery.net(172.67.202.56)
360devtracking.com(37.230.138.66) - mailcious
ji.alie3ksgbb.com(104.21.90.117) - mailcious
int.down.360safe.com(99.86.207.68)
link.storjshare.io(185.244.226.4) - malware
tr.p.360safe.com(54.76.174.118)
connectini.net(91.109.116.11) - mailcious
pastebin.com(172.67.34.170) - mailcious
flyawayaero.net(172.67.216.81)
net.geo.opera.com(107.167.110.211)
orion.ts.360.com(82.145.215.152)
lycheepanel.info(172.67.187.122) - malware
148.251.234.93 - mailcious
85.217.144.143 - malware
54.77.42.29
194.169.175.127 - malware
18.67.51.97
104.21.14.50
18.67.51.75
104.20.68.143 - mailcious
18.67.51.69
91.109.116.11
99.86.207.68
99.86.207.61
185.244.226.4 - malware
54.255.136.181
104.21.90.117 - malware
54.230.169.15
104.21.32.208
23.67.53.17
18.67.51.8
107.167.110.211
156.236.72.121 - mailcious
18.67.51.39
54.76.174.118
99.86.207.16
87.236.19.5 - malware
82.145.215.152
99.86.207.15
104.21.93.225 - phishing
62.171.175.57 - mailcious
172.67.180.173
37.230.138.66 - mailcious
|
16
ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
ET INFO EXE - Served Attached HTTP
|
|
19.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8397 |
2023-09-22 18:16
|
ULK.vbs f7e89d72f44d97e96e1edc2251af39b8
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/614/895/original/rump_vbs.jpg?1695246171
https://yorkrefrigerent.md/public/poz/nhfnfg.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.32
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8398 |
2023-09-22 18:14
|
kencec.vbs 164ef3b75a4816f7eaf2c31663967a84
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/614/895/original/rump_vbs.jpg?1695246171
http://79.110.48.52/kencec.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8399 |
2023-09-22 18:14
|
 gen.txt.vbs 44a5b86106b7e15f73417ff67a4fbd2a
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://95.214.27.64:222/cod.jpg
|
1
|
|
|
9.2 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8400 |
2023-09-22 18:13
|
 a121c08b062c6ad1fe720bccaa16d3... a121c08b062c6ad1fe720bccaa16d3f9
njRAT backdoor PE File PE32 .NET EXE VirusTotal Malware DNS DDNS |
|
2
berlynm98.duckdns.org(46.246.82.6)
46.246.82.6
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
3.2 |
|
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|