8626 | 2023-09-14 19:24 | wc4aw1t506.dll | MD5 e4919447b9ea5c4f02a0746ab64f8e7e
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, unpack itself, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.8 | M | 16 | ZeroCERT

8627 | 2023-09-14 19:22 | hk1c9y18em.dll | MD5 a6ac1a8bb63362ed7515f2ca02fb52be
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, unpack itself, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.8 | M | 16 | ZeroCERT

8628 | 2023-09-14 19:22 | wininit.exe | MD5 d16abef6797eb2213c83e9580a749314
Tags: Formbook, .NET framework(MSIL), AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, AppData folder, Browser, DNS
URLs (18):
  http://www.edf23hravau.xyz/hcn4/?1mtm=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&S6-=0zUp4 - rule_id: 36403
  http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
  http://www.ekcc.xyz/hcn4/?1mtm=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&S6-=0zUp4 - rule_id: 36406
  http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407
  http://www.ekcc.xyz/hcn4/ - rule_id: 36406
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
  http://www.ssongg9873.cfd/hcn4/
  http://www.igrashka.net/hcn4/ - rule_id: 36402
  http://www.jedidylan.com/hcn4/ - rule_id: 36404
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
  http://www.jedidylan.com/hcn4/?1mtm=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&S6-=0zUp4 - rule_id: 36404
  http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
  http://www.igrashka.net/hcn4/?1mtm=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&S6-=0zUp4 - rule_id: 36402
  http://www.shakcham.top/hcn4/?1mtm=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&S6-=0zUp4 - rule_id: 36405
  http://www.shakcham.top/hcn4/ - rule_id: 36405
  http://www.ssongg12497.cfd/hcn4/?1mtm=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&S6-=0zUp4 - rule_id: 36407
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
Hosts (15):
  www.ekcc.xyz(91.195.240.94) - malicious
  www.ssongg12497.cfd(101.32.68.183) - malicious
  www.ssongg9873.cfd(43.135.11.21)
  www.jedidylan.com(204.11.56.48) - malicious
  www.edf23hravau.xyz(20.247.39.217) - malicious
  www.shakcham.top(203.161.62.123) - malicious
  www.igrashka.net(91.206.200.88) - malicious
  203.161.62.123 - malicious
  91.195.240.94 - phishing
  43.135.11.21
  101.32.68.183 - malicious
  45.33.6.223
  20.247.39.217 - malicious
  204.11.56.48 - phishing
  91.206.200.88 - malicious
Alerts (2):
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO HTTP Request to a *.top domain
HTTP (12):
  http://www.edf23hravau.xyz/hcn4/
  http://www.edf23hravau.xyz/hcn4/
  http://www.ekcc.xyz/hcn4/
  http://www.ssongg12497.cfd/hcn4/
  http://www.ekcc.xyz/hcn4/
  http://www.igrashka.net/hcn4/
  http://www.jedidylan.com/hcn4/
  http://www.jedidylan.com/hcn4/
  http://www.igrashka.net/hcn4/
  http://www.shakcham.top/hcn4/
  http://www.shakcham.top/hcn4/
  http://www.ssongg12497.cfd/hcn4/
11.0 | M | 46 | ZeroCERT

8629 | 2023-09-14 19:22 | i9ien8gksg.dll | MD5 fcbb53724b1df93a5d1fc45bb55b9069
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, unpack itself, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.8 | M | 15 | ZeroCERT

8630 | 2023-09-14 19:19 | file.exe | MD5 03e76b7a2245db6a2b342dae3fb3c7ed
Tags: NSIS, UPX, Malicious Library, PE File, PE32, OS Processor Check, Browser Info Stealer, VirusTotal, Malware, suspicious privilege, Check memory, Creates executable files, unpack itself, AppData folder, suspicious TLD, Java, Browser, DNS
URLs (26):
  http://www.ssongg10317.cfd/nni2/?wVaFz=ZhBTXwYBEkQY8Pa3tyDPGuCcpBILLjftdAAA3Aemihk9RwTdGCtr0bJSRWWnaiHnvNXnRueg102nb1PHjszQEedxfXplu99+XBKTN5c=&rFpf=v5EZSg1b
  http://www.weddingkikywahyu.cloud/nni2/
  http://www.weddingkikywahyu.cloud/nni2/?wVaFz=9NQOr4MgaB3QZsh67axLq221v81JL3P8NGpuGwYrar4dBnQ5QwJrSGL/Mo/1JjKIu/3sZn42wzGuDzn79426Sxt+w4mPhUJbed/wsfk=&rFpf=v5EZSg1b
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
  http://www.scweiwei.fun/nni2/
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
  http://www.a2slhfz002.cfd/nni2/?wVaFz=PSvA3LudvCkxGNFtf3im+GyDEtekXWx/rZxXbXG+gtP+N/ZqV1fm1RPMxr3lo74SJu+WpKrZHbvbK5KUKLhiLDXSos/z69KiZj9df6U=&rFpf=v5EZSg1b
  http://www.ssongg10317.cfd/nni2/
  http://www.scweiwei.fun/nni2/?wVaFz=llEYww2d3nZRJACIEPqGszpestC9fn29o7B3rbQDSq7MpQ7pmzNhgfKHy9IMAn0ze6ynChqTu+whvvhz2OQiiYNX/EdtT8Vy8qfPt/U=&rFpf=v5EZSg1b
  http://www.uoymtum.top/nni2/?wVaFz=6hwNmoFD3gu2karW4UjxJLXra3L5nvtyfkuGMYXP45p47zdK12BMBVJx6mGUcuj8/so2luMFngoRGONVzhxB2cGubbnSElaRbnuC+fk=&rFpf=v5EZSg1b
  http://www.perros.click/nni2/?wVaFz=CgGaY7AKLHjcZH/QkZFeNrmZ2j1K6An8c91X6ul2a3GMUcgHLmQMb4EPAJw1rkiyfFhz/DclXPrQiX2q8+M1ovriq2Knf9L4oCSoy7A=&rFpf=v5EZSg1b
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
  http://www.zacoin.xyz/nni2/
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
  http://www.ourservicesx.com/nni2/
  http://www.qbiclesapp.com/nni2/
  http://www.secondwindwhisky.com/nni2/?wVaFz=iKfRW1ciXt50TglUdGfeOsRj4BDIH2Q5WnzwQWJpewrGhKsSH8s9ZX9/ReZgFTHgc1oUzYXB4Woca1suDXsEYfgrcX9xxz1qvJ3wN9A=&rFpf=v5EZSg1b
  http://www.qbiclesapp.com/nni2/?wVaFz=89LDaTsiZkWzd6gBV/21YNss+loVkFgZyXtDk/To0g48YA4bmacR/nAcvw/iGyK9pGJZNFi3c6NMdTKl/KVE0RS2UouuZLpiOCgaIhw=&rFpf=v5EZSg1b
  http://www.sportsstump.com/nni2/
  http://www.ourservicesx.com/nni2/?wVaFz=Vmxsufmpf7lWWHKJQxTcHNQ9FvHyTKCO2xLDeRSHdLkcaQSVI8GmcShxskGRFwjBPY+wXGC2XVe+XqNqvykXbiRBWrk84BVZWlKRCkc=&rFpf=v5EZSg1b
  http://www.a2slhfz002.cfd/nni2/
  http://www.uoymtum.top/nni2/
  http://www.perros.click/nni2/
  http://www.sportsstump.com/nni2/?wVaFz=l2UoVUXo95P1GT/RE8xPTifpnRTZjyM1/g+kOsSpuHT2u5208My7uqCCHUYfdsUOJgRZsnP2d1M1kh4S5YE8X1HKDXPv2YawtJW+M8k=&rFpf=v5EZSg1b
  http://www.zacoin.xyz/nni2/?wVaFz=sEFiLqOedu/Wr2Ot5yMkULrI82x+CMUFE+lSd++47bIhnRj+aidEbvZf0eRfm3yE4+S9M7OB3uE7pHgmNV2F4X8ZbIt6yxM4AAqD9XQ=&rFpf=v5EZSg1b
  http://www.secondwindwhisky.com/nni2/
Hosts (22):
  www.ssongg10317.cfd(43.129.73.215)
  www.sportsstump.com(204.11.56.48)
  www.qbiclesapp.com(74.208.236.47)
  www.secondwindwhisky.com(202.124.241.178)
  www.weddingkikywahyu.cloud(103.147.154.191)
  www.a2slhfz002.cfd(43.129.73.215)
  www.zacoin.xyz(203.161.62.123)
  www.perros.click(204.93.224.69)
  www.ourservicesx.com(216.40.34.41)
  www.uoymtum.top(154.195.192.150)
  www.scweiwei.fun(8.217.92.5)
  45.33.6.223
  203.161.62.123 - malicious
  154.195.192.150
  43.129.73.215
  103.147.154.191
  74.208.236.47
  216.40.34.41 - malicious
  8.217.92.5
  202.124.241.178 - malicious
  204.11.56.48 - phishing
  204.93.224.69
Alerts (5):
  ET INFO HTTP Request to a *.top domain
  ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
  ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
  ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
  ET DNS Query to a *.top domain - Likely Hostile
HTTP: none
5.6 | | 38 | ZeroCERT

8631 | 2023-09-14 19:18 | Build.exe | MD5 e04f4435560f78707d402c06b8deb8dd
Tags: UPX, Malicious Library, PWS, SMTP, AntiDebug, AntiVM, PE File, PE32, .NET EXE, OS Processor Check, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Microsoft, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, installed browsers check, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software crashed
URLs: none
Hosts: 1 (not listed)
Alerts (4):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
HTTP: none
11.8 | M | 47 | ZeroCERT

8632 | 2023-09-14 19:15 | 6sev8udq1h.dll | MD5 3a96a42f6d6334a36d2ea26abb0a2c95
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, unpack itself, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.8 | M | 15 | ZeroCERT

8633 | 2023-09-14 19:11 | wininit.exe | MD5 2e6868ba26f8fa8bd7ee1e865165da8c
Tags: Formbook, .NET framework(MSIL), AntiDebug, AntiVM, PE File, PE32, .NET EXE, Browser Info Stealer, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, AppData folder, Browser, DNS
URLs (16):
  http://www.ssongg12497.cfd/hcn4/?VIRj7u78=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36407
  http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403
  http://www.ekcc.xyz/hcn4/?VIRj7u78=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36406
  http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407
  http://www.ekcc.xyz/hcn4/ - rule_id: 36406
  http://www.igrashka.net/hcn4/?VIRj7u78=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36402
  http://www.igrashka.net/hcn4/ - rule_id: 36402
  http://www.jedidylan.com/hcn4/?VIRj7u78=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36404
  http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip
  http://www.edf23hravau.xyz/hcn4/?VIRj7u78=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36403
  http://www.shakcham.top/hcn4/?VIRj7u78=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36405
  http://www.jedidylan.com/hcn4/ - rule_id: 36404
  http://www.shakcham.top/hcn4/ - rule_id: 36405
  http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
Hosts (15):
  www.ekcc.xyz(91.195.240.94) - malicious
  www.ssongg12497.cfd(101.32.68.183) - malicious
  www.ssongg9873.cfd(43.135.11.21)
  www.jedidylan.com(204.11.56.48) - malicious
  www.edf23hravau.xyz(20.247.39.217) - malicious
  www.shakcham.top(203.161.62.123) - malicious
  www.igrashka.net(91.206.200.88) - malicious
  203.161.62.123 - malicious
  91.195.240.94 - phishing
  43.135.11.21
  101.32.68.183 - malicious
  45.33.6.223
  20.247.39.217 - malicious
  204.11.56.48 - phishing
  91.206.200.88 - malicious
Alerts (2):
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
HTTP (12):
  http://www.ssongg12497.cfd/hcn4/
  http://www.edf23hravau.xyz/hcn4/
  http://www.ekcc.xyz/hcn4/
  http://www.ssongg12497.cfd/hcn4/
  http://www.ekcc.xyz/hcn4/
  http://www.igrashka.net/hcn4/
  http://www.igrashka.net/hcn4/
  http://www.jedidylan.com/hcn4/
  http://www.edf23hravau.xyz/hcn4/
  http://www.shakcham.top/hcn4/
  http://www.jedidylan.com/hcn4/
  http://www.shakcham.top/hcn4/
10.8 | M | 39 | ZeroCERT

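Rows 8628 and 8633 (both tagged Formbook) hit the same /hcn4/ path on seven rotating domains, with sqlite.org downloads mixed into the URL list, and the value of the first query parameter sent to a given domain is identical in both rows even though the parameter name changes (1mtm in 8628, VIRj7u78 in 8633). The Python below is an added example, not code from the ZeroCERT listing, that turns the flattened URL and host cells into structured indicators, picks the campaign path as the one shared by the most distinct hosts (which separates it from the single-host sqlite.org downloads without a hand-written allow-list), and extracts that first-parameter value per host as a pivot between samples. The sample cells are constructed by copying a few entries from the two rows; the regexes, the function names and the "most distinct hosts" heuristic are mine, not the site's.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample cells: a few entries copied from rows 8628 and 8633 of the
# listing, in the same flattened "url - rule_id: N" / "host(ip) - tag" form.
URL_CELL_8628 = (
    "http://www.edf23hravau.xyz/hcn4/?1mtm=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&S6-=0zUp4 - rule_id: 36403 "
    "http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403 "
    "http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip "
    "http://www.ekcc.xyz/hcn4/?1mtm=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&S6-=0zUp4 - rule_id: 36406 "
    "http://www.ssongg9873.cfd/hcn4/"
)
URL_CELL_8633 = (
    "http://www.ssongg12497.cfd/hcn4/?VIRj7u78=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36407 "
    "http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403 "
    "http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip "
    "http://www.edf23hravau.xyz/hcn4/?VIRj7u78=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36403"
)
HOST_CELL_8628 = (
    "www.ekcc.xyz(91.195.240.94) - mailcious www.ssongg9873.cfd(43.135.11.21) "
    "203.161.62.123 - mailcious 91.195.240.94 - phishing 45.33.6.223"
)

# One URL per token, optionally followed by " - rule_id: N" (the listing's own notation).
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
# Either "name(ip)" or a bare IP, each optionally followed by " - tag".
HOST_RE = re.compile(
    r"([\w.-]+)\(([\d.]+)\)(?:\s+-\s+([a-z]+))?"
    r"|(\d{1,3}(?:\.\d{1,3}){3})(?:\s+-\s+([a-z]+))?"
)
# The listing spells the tag "mailcious"; normalise it so it can be matched on.
TAG_FIX = {"mailcious": "malicious"}


def parse_url_cell(cell):
    """Return [(url, rule_id_or_None), ...] from a flattened URL cell."""
    return [(url, int(rid) if rid else None) for url, rid in URL_RE.findall(cell)]


def parse_host_cell(cell):
    """Return [(name_or_None, ip, tag_or_None), ...] from a flattened host cell."""
    out = []
    for m in HOST_RE.finditer(cell):
        if m.group(1):
            out.append((m.group(1), m.group(2), TAG_FIX.get(m.group(3), m.group(3))))
        else:
            out.append((None, m.group(4), TAG_FIX.get(m.group(5), m.group(5))))
    return out


def campaign_path(urls, min_hosts=2):
    """(path, sorted hosts) for the path seen on the most distinct hosts.

    A sample that rotates through many C2 domains reuses one path on all of them,
    while each sqlite.org download has a path unique to that one host, so it
    never wins. Returns (None, []) if no path reaches min_hosts.
    """
    hosts_by_path = defaultdict(set)
    for url, _ in urls:
        parts = urlsplit(url)
        hosts_by_path[parts.path].add(parts.netloc)
    path, hosts = max(hosts_by_path.items(), key=lambda kv: len(kv[1]), default=(None, set()))
    return (path, sorted(hosts)) if len(hosts) >= min_hosts else (None, [])


def first_param_value(url):
    """(name, raw undecoded value) of the first query parameter, or None without a query."""
    query = urlsplit(url).query
    if not query:
        return None
    name, _, value = query.split("&", 1)[0].partition("=")
    return name, value


def beacon_fingerprint(urls, path):
    """host -> raw first-parameter value for requests to `path` that carry a query."""
    fp = {}
    for url, _ in urls:
        parts = urlsplit(url)
        if parts.path == path and parts.query:
            fp[parts.netloc] = first_param_value(url)[1]
    return fp


if __name__ == "__main__":
    urls = parse_url_cell(URL_CELL_8628)
    path, hosts = campaign_path(urls)
    print("campaign path:", path, "on", hosts)
    for name, ip, tag in parse_host_cell(HOST_CELL_8628):
        print(f"{name or '-':24} {ip:16} {tag or ''}")
    a = beacon_fingerprint(urls, path)
    b = beacon_fingerprint(parse_url_cell(URL_CELL_8633), path)
    for host in a.keys() & b.keys():
        print(host, "same first-parameter value in 8628 and 8633:", a[host] == b[host])
```

The first-parameter value is kept raw (no percent- or plus-decoding) so that two samples are compared byte for byte; decoding would turn the "+" characters inside it into spaces and hide nothing, but it would also make the value differ from what is in the listing and in a proxy log.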
8634 | 2023-09-14 19:11 | jyi6mm2w2g.dll | MD5 7d2156efddf126dfb4c466da06f15e11
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.4 | M | 15 | ZeroCERT

8635 | 2023-09-14 19:10 | o0SoFtIk0o_crypted_FOX.exe | MD5 90b8030fc8d0624d93d77b6a7743ab5c
Tags: UPX, Malicious Library, PWS, SMTP, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Microsoft, Buffer PE, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software crashed
URLs: 1 (not listed)
Hosts (3):
  api.ip.sb(172.67.75.172)
  104.26.12.31
  94.142.138.94 - malicious
Alerts (3):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
HTTP: none
12.2 | M | 37 | ZeroCERT

8636 | 2023-09-14 19:10 | i9ien8gksg.dll | MD5 fcbb53724b1df93a5d1fc45bb55b9069
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.4 | M | 15 | ZeroCERT

8637 | 2023-09-14 19:10 | hk1c9y18em.dll | MD5 a6ac1a8bb63362ed7515f2ca02fb52be
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.4 | M | 16 | ZeroCERT

8638 | 2023-09-14 19:09 | wc4aw1t506.dll | MD5 e4919447b9ea5c4f02a0746ab64f8e7e
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.4 | M | 16 | ZeroCERT

8639 | 2023-09-14 19:09 | 6sev8udq1h.dll | MD5 3a96a42f6d6334a36d2ea26abb0a2c95
Tags: UPX, Malicious Library, PE File, DLL, PE64, DllRegisterServer dll, OS Processor Check, VirusTotal, Malware, Remote Code Execution
URLs: none | Hosts: none | Alerts: none | HTTP: none
1.4 | M | 15 | ZeroCERT

8640 | 2023-09-14 19:08 | main.cgi | MD5 f1851b8e5b0f4eb699d0c50002385313
Tags: PE File, PE32, .NET EXE, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, Windows, Cryptographic key
URLs: none | Hosts: none | Alerts: none | HTTP: none
3.0 | M | 50 | ZeroCERT