| 8521 |
2023-09-19 07:51
|
 meccazx.exe 73621af47a6b6943527d85fda07b3bc6
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Software crashed |
|
|
|
|
11.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8522 |
2023-09-19 07:50
|
 nc.exe 96ffbb3eb8bd80a57e50c729a758d747
PE File PE32 VirusTotal Malware WriteConsoleW |
|
|
|
|
2.2 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8523 |
2023-09-19 07:49
|
 StealerClient_Cpp1.exe 1a2eababee42c294eed0e17642da1faa
UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check VirusTotal Malware |
|
|
|
|
1.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8524 |
2023-09-19 07:47
|
 TiWorker.exe 18d6a7766721121d4b54f2b5eef76e17
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8525 |
2023-09-19 07:45
|
 ku923.exe f03c25342a4f23536b6782dfbf7130cf
UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
1.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8526 |
2023-09-19 07:42
|
 build.exe 902232f52e9bb0172665b12183564b1b
UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution DNS |
|
1
54.250.156.221 - mailcious
|
|
|
2.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8527 |
2023-09-19 07:42
|
 StealerClient_Sharp1.exe dc8a3cef06ec620efa88e5ae67e3f134
UPX Malicious Library Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW ComputerName Remote Code Execution |
|
|
|
|
2.4 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8528 |
2023-09-19 07:40
|
 fb0c1501dedf6c1dd0c279d9c6000d... b333686e53b5a06296a5c958c22ba5d2
PE File PE64 ftp VirusTotal Cryptocurrency Miner Malware unpack itself DNS DDNS CoinMiner |
|
6
pastebin.com(172.67.34.170) - mailcious
remotes1338.hopto.org(172.105.234.48)
gulf.moneroocean.stream(54.250.156.221) - mailcious
54.250.156.221 - mailcious
172.105.234.48
172.67.34.170 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET POLICY DNS Query to DynDNS Domain *.hopto .org
|
|
3.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8529 |
2023-09-19 07:40
|
 wininit.exe 62f0e84a989f520db3b1463e02b24a91
Formbook .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser DNS |
14
http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403
http://www.jedidylan.com/hcn4/ - rule_id: 36404
http://www.shakcham.top/hcn4/ - rule_id: 36405
http://www.ssongg12497.cfd/hcn4/?YgGA=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&2S=JFNslx5Vi - rule_id: 36407
http://www.edf23hravau.xyz/hcn4/?YgGA=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&2S=JFNslx5Vi - rule_id: 36403
http://www.igrashka.net/hcn4/ - rule_id: 36402
http://www.shakcham.top/hcn4/?YgGA=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&2S=JFNslx5Vi - rule_id: 36405
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
http://www.jedidylan.com/hcn4/?YgGA=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&2S=JFNslx5Vi - rule_id: 36404
http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.igrashka.net/hcn4/?YgGA=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&2S=JFNslx5Vi - rule_id: 36402
|
13
www.ekcc.xyz() - mailcious
www.ssongg12497.cfd(101.32.68.183) - mailcious
www.jedidylan.com(204.11.56.48) - mailcious
www.edf23hravau.xyz(20.247.39.217) - mailcious
www.shakcham.top(203.161.62.123) - mailcious
www.igrashka.net(91.206.200.88) - mailcious
203.161.62.123 - mailcious
185.225.75.68
101.32.68.183 - mailcious
45.33.6.223
20.247.39.217 - mailcious
204.11.56.48 - phishing
91.206.200.88 - mailcious
|
2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
10
http://www.edf23hravau.xyz/hcn4/
http://www.jedidylan.com/hcn4/
http://www.shakcham.top/hcn4/
http://www.ssongg12497.cfd/hcn4/
http://www.edf23hravau.xyz/hcn4/
http://www.igrashka.net/hcn4/
http://www.shakcham.top/hcn4/
http://www.jedidylan.com/hcn4/
http://www.ssongg12497.cfd/hcn4/
http://www.igrashka.net/hcn4/
|
11.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8530 |
2023-09-19 07:38
|
 mar3.exe f22632a300878ae7ab5bc865e8b4b804
UPX Malicious Library Malicious Packer PE File PE32 ftp OS Processor Check PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Tofsee |
1
https://z.nnnaajjjgc.com/sts/imagd.jpg
|
2
z.nnnaajjjgc.com(156.236.72.121) - malware
156.236.72.121 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8531 |
2023-09-19 07:38
|
 Betro.exe 1c9f3c0258e923c07e1943498c789a3d
Gen1 Downloader UPX Malicious Packer Malicious Library Create Service Socket DGA Escalate priviledges PWS Sniff Audio SMTP DNS ScreenShot Code injection Internet API KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Ransomware BitRAT Windows Browser Email ComputerName DNS Cryptographic key Software keylogger Password |
|
3
www.xenarmor.com(69.64.94.128) - mailcious
185.225.75.68
69.64.94.128 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
ET POLICY XenArmor Password Recovery License Check
|
|
20.8 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8532 |
2023-09-19 07:34
|
 1.exe ee88a284fb166e55f13a75ea3096d22c
RedLine stealer UPX Malicious Library AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(104.26.13.31)
62.72.23.19 - mailcious
172.67.75.172 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8533 |
2023-09-19 06:22
|
IMG_0497.heic 4032b689f4329ceeba53ef017eb3f6fc
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8534 |
2023-09-19 02:12
|
IMG_1613.jpeg 159afcf4f6e9feb71f6af5f34a60872e
JPEG Format |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8535 |
2023-09-19 01:44
|
IMG_3371.HEIC 7ba7ad5e13f96d1cdecfe0f926705585
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|