8596 | 2023-09-16 14:09
upd.exe 4ea30635eed2b533a725480e326257ce | RedLine stealer Downloader UPX Malicious Library MPRESS Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PE File PE32 OS Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW VMware anti-virtualization installed browsers check Kelihos Tofsee Stealer Windows Browser ComputerName Trojan Firmware DNS Cryptographic key Software crashed
URLs (2):
https://api.ip.sb/ip
http://217.196.96.130/conhost.exe
Hosts (4):
api.ip.sb(104.26.12.31)
172.67.75.172 - mailcious
94.142.138.4 - mailcious
217.196.96.130 - malware
IDS alerts (11):
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
20.0 | M | 34 | ZeroCERT

8597 | 2023-09-16 14:09
PO_88392_Specifications.js 825eb25f2a710a4052d0b21dfa2ad77a | Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (2):
http://cbasep23.blogspot.com//////////////atom.xml
https://d9e1c3dd-1fee-48c1-9089-09a70580408e.usrfiles.com/ugd/d9e1c3_2876f2a9f8ad45d084ca6956bb42f653.txt
4.8 | | | ZeroCERT

8598 | 2023-09-16 14:09
minerxd.exe 0e9cc5c2145bae2f6ab41f186dac87d1 | PE File PE64 ftp VirusTotal Malware DNS
Hosts (1):
2.2 | M | 46 | ZeroCERT

8599 | 2023-09-16 14:07
1.exe e0ce28aad08a3286e1832c9677049bbb | RedLine stealer Suspicious_Script_Bin Generic Malware UPX Malicious Library Antivirus PWS AntiDebug AntiVM BitCoin PE File PE32 OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW human activity check Windows ComputerName Remote Code Execution DNS Cryptographic key
URLs (2):
http://142.11.240.191:35361/
http://192.168.56.102:5357/017bd04f-b3bf-45b6-8167-9e8f41ff87bf/
Hosts (1):
15.4 | M | 45 | ZeroCERT

8600 | 2023-09-16 14:07
lnvoice#72993.js c30210ad2757650d770fe2cbe1f92034 | Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (3):
http://192.168.56.102:5357/017bd04f-b3bf-45b6-8167-9e8f41ff87bf/
http://uzabuszssep23.blogspot.com////////////////////////////atom.xml
https://d9e1c3dd-1fee-48c1-9089-09a70580408e.usrfiles.com/ugd/d9e1c3_5e654c4e772f456d9e6217ef6ac3a96d.txt
5.2 | | 2 | ZeroCERT

8601 | 2023-09-16 14:06
u1S4ZLAEvK7pLe4neo.exe fcc631505adee1c8b0d922049de0c493 | Generic Malware .NET framework(MSIL) Antivirus DNS AntiDebug AntiVM PE File PE32 .NET EXE VirusTotal Malware powershell Buffer PE PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
12.4 | M | 32 | ZeroCERT

8602 | 2023-09-16 14:05
promot_s.msi 96d99e6c2e7c358b9d663595d3af5f27 | Generic Malware Malicious Library CAB MSOffice File OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check Tofsee ComputerName
URLs (2):
http://apps.identrust.com/roots/dstrootcax3.p7c
https://www.google-analytics.com/collect?v=1&tid=UA-380480-23&cid=%7B8088027B-4BB6-456E-A8C8-37F4AC853C35%7D&t=event&ec=Session&ea=Start&an=ImBatch&av=7.6.0&ul=en-GB&sr=1024x768&sc=start&z=42773
Hosts (7):
www.highmotionsoftware.com(104.193.111.101)
www.google-analytics.com(216.239.38.178)
www.bolidesoft.com(104.193.111.117)
104.193.111.101
121.254.136.9
172.217.24.238
104.193.111.117
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | M | 4 | ZeroCERT

8603 | 2023-09-16 14:04
igccu.exe 7792584e7661ad0c5fee992337ebf3bd | NSIS UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed
4.0 | M | 48 | ZeroCERT

8604 | 2023-09-15 19:12
promot_s.msi 96d99e6c2e7c358b9d663595d3af5f27 | Generic Malware Malicious Library CAB MSOffice File OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check Tofsee ComputerName
URLs (2):
http://apps.identrust.com/roots/dstrootcax3.p7c
https://www.google-analytics.com/collect?v=1&tid=UA-380480-23&cid=%7B8A15A8BB-1D80-42A0-9E54-76E6BF4346F8%7D&t=event&ec=Session&ea=Start&an=ImBatch&av=7.6.0&ul=en-GB&sr=1024x768&sc=start&z=88081
Hosts (7):
www.bolidesoft.com(104.193.111.117)
www.google-analytics.com(142.250.76.142)
www.highmotionsoftware.com(104.193.111.101)
23.32.56.72
104.193.111.101
172.217.27.46
104.193.111.117
IDS alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | 3 | ZeroCERT

8605 | 2023-09-15 18:38
IMG_2021_07_11_536734643256_sq... d08f9a6a665c0f7de85a106adfbcef0d | Create Service Escalate priviledges AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware suspicious privilege Code Injection Creates shortcut unpack itself Tofsee Discord DNS
URLs (1):
https://cdn.discordapp.com/attachments/1151961825806667917/1151961899693514835/promot_s.msi
Hosts (2):
cdn.discordapp.com(162.159.130.233) - malware
162.159.130.233 - malware
IDS alerts (3):
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | | 6 | ZeroCERT

8606 | 2023-09-15 18:00
AYReport_EN.exe ec333982af0977d8af5a4984792a4385 | PhysicalDrive Generic Malware UPX Malicious Library ASPack Malicious Packer .NET framework(MSIL) Anti_VM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder ComputerName
URLs (1):
Hosts (3):
ipwhois.app(103.126.138.87)
log3.criminalaffair.com()
103.126.138.87
5.8 | | 47 | ZeroCERT

8607 | 2023-09-15 17:37
hkcmd.exe 3950dff062247d4ac80e50a52313f198 | Formbook NSIS UPX Malicious Library PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (4):
http://www.zhperviepixie.com/sy22/?8pM0A2PH=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&Cda4=inCHhv7P - rule_id: 35635
http://www.docomo-mobileconsulting.com/sy22/?8pM0A2PH=lVM1xi/uUQcXVrGb3v1MnIj4JTU8QNZxAwtnBLuxN6GTboe8PABHdOr2nABXcw5/boXeCr4R&Cda4=inCHhv7P - rule_id: 35906
http://www.sarthaksrishticreation.com/sy22/?8pM0A2PH=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&Cda4=inCHhv7P - rule_id: 35905
http://www.vaskaworldairways.com/sy22/?8pM0A2PH=0xwPlKA6nfVb2/YVENf+IWv5xvicy/R8paHQQCrWR7ymRnci8vQj1/jQPH6Z9LiVJHGqShyE&Cda4=inCHhv7P - rule_id: 35942
Hosts (9):
www.uadmxqby.click() - mailcious
www.vaskaworldairways.com(71.33.149.60) - mailcious
www.docomo-mobileconsulting.com(91.195.240.109) - mailcious
www.zhperviepixie.com(167.172.228.26) - mailcious
www.sarthaksrishticreation.com(119.18.49.69) - mailcious
167.172.228.26 - mailcious
91.195.240.109 - mailcious
119.18.49.69 - mailcious
71.33.149.60
IDS alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (4):
http://www.zhperviepixie.com/sy22/
http://www.docomo-mobileconsulting.com/sy22/
http://www.sarthaksrishticreation.com/sy22/
http://www.vaskaworldairways.com/sy22/
4.2 | M | 40 | ZeroCERT

8608 | 2023-09-15 17:34
expo.exe f94bf3a0e3733958d4973ef664f78927 | UPX Malicious Library AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware PDB Malicious Traffic unpack itself Stealc Browser DNS
URLs (1):
http://5.42.92.211/loghub/master - rule_id: 36282
Hosts (1):
IDS alerts (2):
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
Rule-matched URLs (1):
http://5.42.92.211/loghub/master
4.2 | M | 38 | ZeroCERT

8609 | 2023-09-15 17:32
deluxe_crypted.exe 5200fbe07521eb001f145afb95d40283 | UPX Malicious Library PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
IDS alerts (5):
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
6.8 | M | 27 | ZeroCERT

8610 | 2023-09-15 17:32
StrikeNet.exe f2c62f2ee6aa94509c39557a628534a1 | .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
4.8 | M | 38 | ZeroCERT