8611 |
2023-09-15 17:30
obizx.exe fef91e48e37387cc64762de33c5dd522 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
4
api.ipify.org(173.231.16.77) 156.236.72.121 - mailcious 104.237.62.212 5.42.65.80 - malware
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.8 |
16 |
ZeroCERT

8612 |
2023-09-15 17:30
ZmYfQBiw.exe 4eccb4065ef0b815cd77fe425adf4aef UPX PE File PE64 VirusTotal Malware crashed |
2.2 |
M |
45 |
ZeroCERT

8613 |
2023-09-15 17:28
Rocks.exe a64a886a695ed5fb9273e73241fec2f7 Amadey UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Malware AutoRuns PDB Malicious Traffic Check memory Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS |
2
http://5.42.65.80/8bmeVwqx/index.php - rule_id: 36023
https://z.nnnaajjjgc.com/sts/imagd.jpg
4
z.nnnaajjjgc.com(156.236.72.121) - malware 156.236.72.121 - mailcious
5.42.65.80 - malware
95.214.27.254 - malware
11
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Amadey Bot Activity (POST) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1
http://5.42.65.80/8bmeVwqx/index.php
10.4 |
M |
60 |
ZeroCERT

8614 |
2023-09-15 17:28
macapa.pdf ecda023859fe1b0449dc23140267b39c ZIP Format VirusTotal Malware DNS |
1
156.236.72.121 - mailcious
1.0 |
7 |
ZeroCERT

8615 |
2023-09-15 17:27
esgla2i5.exe 2273152b5565d0d47b6c59cb5099dc76 UPX Malicious Library PE File PE64 VirusTotal Malware PDB unpack itself Tofsee Remote Code Execution |
1
https://z.nnnaajjjgc.com/sts/imagd.jpg
2
z.nnnaajjjgc.com(156.236.72.121) - malware 156.236.72.121 - mailcious
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.8 |
38 |
ZeroCERT

8616 |
2023-09-15 08:01
PolymodXT.exe#test_rise_sharp 686c33f353aaa476f68a8e124cf1d6af UPX Malicious Library Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check ZIP Format PNG Format DLL Browser Info Stealer Malware download Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder IP Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Cryptographic key |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://ipinfo.io/widget/demo/175.208.134.152
4
ipinfo.io(34.117.59.81) 23.32.56.72 34.117.59.81 171.22.28.214 - malware
6
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
10.8 |
M |
ZeroCERT

8617 |
2023-09-15 07:58
167.exe 215db96eeac70244addf2c1578245399 UPX Malicious Library PE File PE32 OS Processor Check PDB Remote Code Execution |
0.8 |
ZeroCERT

8618 |
2023-09-15 07:56
s1.exe 1d6a742534494f66081d5b70f44f6695 UPX Malicious Library PE File PE32 OS Processor Check PDB Remote Code Execution |
0.8 |
M |
ZeroCERT

8619 |
2023-09-15 07:54
c.exe c2ce41232bcd0237adee4dc075136551 RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File PE32 .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
5
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
5.0 |
ZeroCERT

8620 |
2023-09-15 07:53
r.exe 7eec2626da27debbdef59bcb7427f8a4 Suspicious_Script_Bin Downloader UPX Malicious Library .NET framework(MSIL) Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM PE File PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Remote Code Execution |
7.0 |
ZeroCERT

8621 |
2023-09-15 07:52
desktopditor.exe 297dc90d62648d3f034db5ebb2e583f7 UPX Malicious Library Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check PDB Check memory Tofsee Remote Code Execution |
3
wwf.org(104.18.7.142) 104.18.6.142 104.18.7.142
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
0.6 |
ZeroCERT

8622 |
2023-09-15 07:50
timeSync.exe 8816dec1704461c24f7575c00f7f86d4 UPX Malicious Library PE File PE32 OS Processor Check PDB Remote Code Execution |
0.8 |
M |
ZeroCERT

8623 |
2023-09-15 07:50
Belphegor_crypto.exe 1ae5e18c3f032578c3e8e1f2dad127ac Generic Malware UPX Malicious Library PE File PE32 OS Processor Check unpack itself |
0.8 |
M |
ZeroCERT

8624 |
2023-09-14 19:30
WWW14_64.exe 24fbc8705072bb32a6ac2fc995a66f17 PrivateLoader RedLine Infostealer RedLine stealer Eredel Stealer Extended Generic Malware UPX Malicious Library VMProtect Malicious Packer .NET framework(MSIL) Confuser .NET PWS SMTP AntiDebug AntiVM PE File PE64 DLL PE32 OS Processor Check .NET EX Browser Info Stealer RedLine Malware download VirusTotal Malware Microsoft Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Disables Windows Security Check virtual network interfaces suspicious process AppData folder sandbox evasion IP Check PrivateLoader Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key crashed |
24
http://193.42.32.118/api/firegate.php http://45.9.74.80/super.exe - rule_id: 36063 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://ji.alie3ksgbb.com/m/ela205.exe - rule_id: 36360 http://marrakechchoralmeeting.ma/cgi-sys/suspendedpage.cgi http://45.15.156.229/api/firegate.php - rule_id: 36052 http://apps.identrust.com/roots/dstrootcax3.p7c http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe - rule_id: 36358 https://preconcert.pw/setup294.exe - rule_id: 36162 https://sun6-20.userapi.com/c237031/u44017378/docs/d47/f53dd4d29da4/red.bmp?extra=aPmcskdA3y2ObuY7QHUX6sPMjQu36B4newP0bAW-Ly73hW3EW_bozidYJAqh73X7SUvR1gIX9uc9Cb4NNw95t2w09-_aicB8V3k2Xih1EYLcm7JY06Dr2jP135rFTycmXICkUKS8rcX-rNt7 https://sun6-21.userapi.com/c235131/u17799268/docs/d34/0d08248537eb/d3232adg.bmp?extra=MXfyziyjTKDf6ofOrhDCTKpsWkbv10mkMTRRhYIV8JRe3R-EQTQ053o3girAdfhhnn5fc1YH_S_WsBSzGbqRuEfy-bz_PCHnGFFm2ELe6Vs13UB3lsTOyfn7GTx222_mFRvKUYaEAkS6mnss https://verypayment.net/1bc7618fb98d2d4c287a4f9d42a3529b/7725eaa6592c80f8124e769b4e8a07f7.exe https://vk.com/doc17799268_667370292?hash=3zgmNBZUEabUAWsj0zIdTPreX2uOk9XZqB04AKml9Wc&dl=3EXwtWCuOk8m89Hgrb6xTH69yK7gn8gGsiaT4sE12Ls&api=1&no_preview=1#review https://vk.com/doc17799268_667356691?hash=cUASNycPr9e7ejTeXRHP4JzU43t6UAQvFbVpJRIyYfL&dl=WIcfE7rh128yHk3HTd3LfM84KN7pulppjnAcRmZGByH&api=1&no_preview=1#orig https://api.myip.com/ https://sun6-23.userapi.com/c909218/u17799268/docs/d51/a01868bc6519/OriginalBuild.bmp?extra=ubUUt1995rM2O1vMl6qK3XtVBz9_ydnjOUtvK8odosQtYQIMBBSkvaNNKqqilClao3gbzVteXVX9L9OFNSV06NdFFhqmBwxMRWCeFMALiLTI8W6Vx3d4vHYiIZ6fNIjaj-fFlB6HwOA5YYkC https://vk.com/doc44017378_669202180?hash=Qj8GmTTzSwexN5MiDhkzSBdsEuAfR50DxI5PmBbRzn8&dl=G49L5cNOoCw8qI3zZagSCyprvu5ngf5V9jZb6GDfmT8&api=1&no_preview=1#redcl
https://psv4.userapi.com/c909518/u17799268/docs/d38/272bd98cd010/h27lmi0.bmp?extra=8E5LnE31GAfkun85y6q3JNHdEJ6rb3OS4of8U197zzjPBwzlcBmXiYtqfGEzAOOcBigBbtsjBtCJpKZMK3_lQTtjrrC6bCw4QqmXuSbFcrs-fVc_0h4X8B-FoNEyrA4yLWeFIUw2C7A5wlE2 https://psv4.userapi.com/c909228/u17799268/docs/d27/d584128e4c13/setup.bmp?extra=QZMNAMmYW-qEHWSBh6dZ9jyKy_PY0fq3EfQW125lr8gOTPQKKk8D6XHsyvSTOD3T7PxspO6gsaXVUJbHjY4x2FlKcs3MgJmS9q6rOCgsMt-fKwYArNbdvgjxPZr2zE35GnV0uOAIllJpHWOQ https://vk.com/doc17799268_667374166?hash=t73r7TZmjqi4mQ6K8CuchmsQ2lbq7RbjhwFx1c1Azcg&dl=HaU76slkxIDZ6fTldzxVLdSFmSzwAiccfTBkzLQsA4D&api=1&no_preview=1#u9 https://vk.com/doc17799268_667370950?hash=kmRsdqMou4vNz1YzodkAQZcJxKjXdXHF3v2Zycf1w2H&dl=i4K7yr2wzDFn7JZ4az5BAF7ZSXsQBGNbt8o8BOvxSaw&api=1&no_preview=1 https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36188 https://sun6-20.userapi.com/c237031/u17799268/docs/d44/9d7023004930/PL_Client.bmp?extra=X1aJqe75cj3wH63JyDtM4ZvEFrLEEDM9Cj69lrcSXLQLpLhAVquotaOP2hnr-i131Cw2CXTQYaZGiXrawiBA3-dvrSYSkiKl6gd5nnzy6xUssRlZdOecvfBwEwrAygIbNtWImtAz1AfD6bvt
39
preconcert.pw(104.21.84.222) - malware ji.alie3ksgbb.com(172.67.200.102) - mailcious psv4.userapi.com(87.240.190.76) marrakechchoralmeeting.ma(178.63.45.64) - malware api.myip.com(104.26.9.59) vk.com(93.186.225.194) - mailcious verypayment.net(172.67.148.157) sergejbukotko.com(104.21.59.53) - malware z.nnnaajjjgc.com(156.236.72.121) - malware ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) sun6-20.userapi.com(95.142.206.0) - mailcious 230907161118223.nmr.xrm42.top(94.156.35.76) - malware sun6-21.userapi.com(95.142.206.1) - mailcious iplis.ru(148.251.234.93) - mailcious 148.251.234.93 - mailcious 172.67.197.101 87.240.137.140 87.240.129.133 - mailcious 176.123.9.85 - mailcious 193.42.32.118 - mailcious 45.9.74.80 - malware 172.67.200.102 34.117.59.81 172.67.214.144 - malware 182.162.106.32 104.26.8.59 104.21.95.210 87.240.137.134 185.225.73.32 - mailcious 156.236.72.121 - mailcious 45.15.156.229 - mailcious 95.142.206.3 95.142.206.1 - mailcious 95.142.206.0 - mailcious 94.156.35.76 - malware 87.240.132.78 - mailcious 185.225.74.51 - mailcious 178.63.45.64 - mailcious
19
SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DNS Query to a *.pw domain - Likely Hostile ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET INFO TLS Handshake Failure ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET DNS Query to a *.top domain - Likely Hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET INFO Executable Download from dotted-quad Host ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
8
http://45.9.74.80/super.exe http://45.15.156.229/api/tracemap.php http://ji.alie3ksgbb.com/m/ela205.exe http://45.15.156.229/api/firegate.php http://193.42.32.118/api/tracemap.php http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe https://preconcert.pw/setup294.exe https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe
18.6 |
M |
11 |
ZeroCERT

8625 |
2023-09-14 19:26
newlife.exe 69c0ce8858c37ee1e29fbeb4d0acc928 UPX Malicious Library ASPack PE File PE64 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces DNS |
6
scamalert.finance(89.23.103.10) 156.236.72.121 - mailcious 87.240.137.140 94.156.35.76 - malware 87.240.129.133 - mailcious 185.225.74.51 - mailcious
4.4 |
M |
24 |
ZeroCERT