8521 |
2023-09-19 07:51
meccazx.exe 73621af47a6b6943527d85fda07b3bc6 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Software crashed |
11.0 |
M |
22 |
ZeroCERT
8522 |
2023-09-19 07:50
nc.exe 96ffbb3eb8bd80a57e50c729a758d747 PE File PE32 VirusTotal Malware WriteConsoleW |
2.2 |
M |
59 |
ZeroCERT
8523 |
2023-09-19 07:49
StealerClient_Cpp1.exe 1a2eababee42c294eed0e17642da1faa UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check VirusTotal Malware |
1.2 |
M |
46 |
ZeroCERT
8524 |
2023-09-19 07:47
TiWorker.exe 18d6a7766721121d4b54f2b5eef76e17 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
2
api.ipify.org(64.185.227.156) 64.185.227.156
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 |
M |
28 |
ZeroCERT
8525 |
2023-09-19 07:45
ku923.exe f03c25342a4f23536b6782dfbf7130cf UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution |
1.6 |
M |
27 |
ZeroCERT
8526 |
2023-09-19 07:42
build.exe 902232f52e9bb0172665b12183564b1b UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution DNS |
1
54.250.156.221 - mailcious
2.4 |
30 |
ZeroCERT
8527 |
2023-09-19 07:42
StealerClient_Sharp1.exe dc8a3cef06ec620efa88e5ae67e3f134 UPX Malicious Library Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself WriteConsoleW ComputerName Remote Code Execution |
2.4 |
37 |
ZeroCERT
8528 |
2023-09-19 07:40
fb0c1501dedf6c1dd0c279d9c6000d... b333686e53b5a06296a5c958c22ba5d2 PE File PE64 ftp VirusTotal Cryptocurrency Miner Malware unpack itself DNS DDNS CoinMiner |
6
pastebin.com(172.67.34.170) - mailcious remotes1338.hopto.org(172.105.234.48) gulf.moneroocean.stream(54.250.156.221) - mailcious 54.250.156.221 - mailcious 172.105.234.48 172.67.34.170 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET POLICY DNS Query to DynDNS Domain *.hopto .org
3.2 |
M |
37 |
ZeroCERT
8529 |
2023-09-19 07:40
wininit.exe 62f0e84a989f520db3b1463e02b24a91 Formbook .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser DNS |
14
http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403 http://www.jedidylan.com/hcn4/ - rule_id: 36404 http://www.shakcham.top/hcn4/ - rule_id: 36405 http://www.ssongg12497.cfd/hcn4/?YgGA=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&2S=JFNslx5Vi - rule_id: 36407 http://www.edf23hravau.xyz/hcn4/?YgGA=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&2S=JFNslx5Vi - rule_id: 36403 http://www.igrashka.net/hcn4/ - rule_id: 36402 http://www.shakcham.top/hcn4/?YgGA=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&2S=JFNslx5Vi - rule_id: 36405 http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip http://www.sqlite.org/2022/sqlite-dll-win32-x86-3390000.zip http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip http://www.jedidylan.com/hcn4/?YgGA=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&2S=JFNslx5Vi - rule_id: 36404 http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip http://www.igrashka.net/hcn4/?YgGA=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&2S=JFNslx5Vi - rule_id: 36402
13
www.ekcc.xyz() - mailcious www.ssongg12497.cfd(101.32.68.183) - mailcious www.jedidylan.com(204.11.56.48) - mailcious www.edf23hravau.xyz(20.247.39.217) - mailcious www.shakcham.top(203.161.62.123) - mailcious www.igrashka.net(91.206.200.88) - mailcious 203.161.62.123 - mailcious 185.225.75.68 101.32.68.183 - mailcious 45.33.6.223 20.247.39.217 - mailcious 204.11.56.48 - phishing 91.206.200.88 - mailcious
2
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain
10
http://www.edf23hravau.xyz/hcn4/ http://www.jedidylan.com/hcn4/ http://www.shakcham.top/hcn4/ http://www.ssongg12497.cfd/hcn4/ http://www.edf23hravau.xyz/hcn4/ http://www.igrashka.net/hcn4/ http://www.shakcham.top/hcn4/ http://www.jedidylan.com/hcn4/ http://www.ssongg12497.cfd/hcn4/ http://www.igrashka.net/hcn4/
11.0 |
M |
20 |
ZeroCERT
8530 |
2023-09-19 07:38
mar3.exe f22632a300878ae7ab5bc865e8b4b804 UPX Malicious Library Malicious Packer PE File PE32 ftp OS Processor Check PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Tofsee |
1
https://z.nnnaajjjgc.com/sts/imagd.jpg
2
z.nnnaajjjgc.com(156.236.72.121) - malware 156.236.72.121 - mailcious
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 |
M |
48 |
ZeroCERT
8531 |
2023-09-19 07:38
Betro.exe 1c9f3c0258e923c07e1943498c789a3d Gen1 Downloader UPX Malicious Packer Malicious Library Create Service Socket DGA Escalate priviledges PWS Sniff Audio SMTP DNS ScreenShot Code injection Internet API KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Ransomware BitRAT Windows Browser Email ComputerName DNS Cryptographic key Software keylogger Password |
3
www.xenarmor.com(69.64.94.128) - mailcious 185.225.75.68 69.64.94.128 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) ET POLICY XenArmor Password Recovery License Check
20.8 |
M |
29 |
ZeroCERT
8532 |
2023-09-19 07:34
1.exe ee88a284fb166e55f13a75ea3096d22c RedLine stealer UPX Malicious Library AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
3
api.ip.sb(104.26.13.31) 62.72.23.19 - mailcious 172.67.75.172 - mailcious
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.6 |
36 |
ZeroCERT
8533 |
2023-09-19 06:22
IMG_0497.heic 4032b689f4329ceeba53ef017eb3f6fc AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.4 |
guest
8534 |
2023-09-19 02:12
IMG_1613.jpeg 159afcf4f6e9feb71f6af5f34a60872e JPEG Format |
guest
8535 |
2023-09-19 01:44
IMG_3371.HEIC 7ba7ad5e13f96d1cdecfe0f926705585 AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
3.4 |
guest