| 8626 |
2023-09-14 19:24
|
 wc4aw1t506.dll e4919447b9ea5c4f02a0746ab64f8e7e
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8627 |
2023-09-14 19:22
|
 hk1c9y18em.dll a6ac1a8bb63362ed7515f2ca02fb52be
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8628 |
2023-09-14 19:22
|
 wininit.exe d16abef6797eb2213c83e9580a749314
Formbook .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser DNS |
18
http://www.edf23hravau.xyz/hcn4/?1mtm=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&S6-=0zUp4 - rule_id: 36403
http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
http://www.ekcc.xyz/hcn4/?1mtm=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&S6-=0zUp4 - rule_id: 36406
http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407
http://www.ekcc.xyz/hcn4/ - rule_id: 36406
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.ssongg9873.cfd/hcn4/
http://www.igrashka.net/hcn4/ - rule_id: 36402
http://www.jedidylan.com/hcn4/ - rule_id: 36404
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.jedidylan.com/hcn4/?1mtm=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&S6-=0zUp4 - rule_id: 36404
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.igrashka.net/hcn4/?1mtm=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&S6-=0zUp4 - rule_id: 36402
http://www.shakcham.top/hcn4/?1mtm=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&S6-=0zUp4 - rule_id: 36405
http://www.shakcham.top/hcn4/ - rule_id: 36405
http://www.ssongg12497.cfd/hcn4/?1mtm=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&S6-=0zUp4 - rule_id: 36407
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
|
15
www.ekcc.xyz(91.195.240.94) - mailcious
www.ssongg12497.cfd(101.32.68.183) - mailcious
www.ssongg9873.cfd(43.135.11.21)
www.jedidylan.com(204.11.56.48) - mailcious
www.edf23hravau.xyz(20.247.39.217) - mailcious
www.shakcham.top(203.161.62.123) - mailcious
www.igrashka.net(91.206.200.88) - mailcious
203.161.62.123 - mailcious
91.195.240.94 - phishing
43.135.11.21
101.32.68.183 - mailcious
45.33.6.223
20.247.39.217 - mailcious
204.11.56.48 - phishing
91.206.200.88 - mailcious
|
2
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
12
http://www.edf23hravau.xyz/hcn4/
http://www.edf23hravau.xyz/hcn4/
http://www.ekcc.xyz/hcn4/
http://www.ssongg12497.cfd/hcn4/
http://www.ekcc.xyz/hcn4/
http://www.igrashka.net/hcn4/
http://www.jedidylan.com/hcn4/
http://www.jedidylan.com/hcn4/
http://www.igrashka.net/hcn4/
http://www.shakcham.top/hcn4/
http://www.shakcham.top/hcn4/
http://www.ssongg12497.cfd/hcn4/
|
11.0 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8629 |
2023-09-14 19:22
|
 i9ien8gksg.dll fcbb53724b1df93a5d1fc45bb55b9069
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8630 |
2023-09-14 19:19
|
 file.exe 03e76b7a2245db6a2b342dae3fb3c7ed
NSIS UPX Malicious Library PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS |
26
http://www.ssongg10317.cfd/nni2/?wVaFz=ZhBTXwYBEkQY8Pa3tyDPGuCcpBILLjftdAAA3Aemihk9RwTdGCtr0bJSRWWnaiHnvNXnRueg102nb1PHjszQEedxfXplu99+XBKTN5c=&rFpf=v5EZSg1b
http://www.weddingkikywahyu.cloud/nni2/
http://www.weddingkikywahyu.cloud/nni2/?wVaFz=9NQOr4MgaB3QZsh67axLq221v81JL3P8NGpuGwYrar4dBnQ5QwJrSGL/Mo/1JjKIu/3sZn42wzGuDzn79426Sxt+w4mPhUJbed/wsfk=&rFpf=v5EZSg1b
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
http://www.scweiwei.fun/nni2/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.a2slhfz002.cfd/nni2/?wVaFz=PSvA3LudvCkxGNFtf3im+GyDEtekXWx/rZxXbXG+gtP+N/ZqV1fm1RPMxr3lo74SJu+WpKrZHbvbK5KUKLhiLDXSos/z69KiZj9df6U=&rFpf=v5EZSg1b
http://www.ssongg10317.cfd/nni2/
http://www.scweiwei.fun/nni2/?wVaFz=llEYww2d3nZRJACIEPqGszpestC9fn29o7B3rbQDSq7MpQ7pmzNhgfKHy9IMAn0ze6ynChqTu+whvvhz2OQiiYNX/EdtT8Vy8qfPt/U=&rFpf=v5EZSg1b
http://www.uoymtum.top/nni2/?wVaFz=6hwNmoFD3gu2karW4UjxJLXra3L5nvtyfkuGMYXP45p47zdK12BMBVJx6mGUcuj8/so2luMFngoRGONVzhxB2cGubbnSElaRbnuC+fk=&rFpf=v5EZSg1b
http://www.perros.click/nni2/?wVaFz=CgGaY7AKLHjcZH/QkZFeNrmZ2j1K6An8c91X6ul2a3GMUcgHLmQMb4EPAJw1rkiyfFhz/DclXPrQiX2q8+M1ovriq2Knf9L4oCSoy7A=&rFpf=v5EZSg1b
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
http://www.zacoin.xyz/nni2/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.ourservicesx.com/nni2/
http://www.qbiclesapp.com/nni2/
http://www.secondwindwhisky.com/nni2/?wVaFz=iKfRW1ciXt50TglUdGfeOsRj4BDIH2Q5WnzwQWJpewrGhKsSH8s9ZX9/ReZgFTHgc1oUzYXB4Woca1suDXsEYfgrcX9xxz1qvJ3wN9A=&rFpf=v5EZSg1b
http://www.qbiclesapp.com/nni2/?wVaFz=89LDaTsiZkWzd6gBV/21YNss+loVkFgZyXtDk/To0g48YA4bmacR/nAcvw/iGyK9pGJZNFi3c6NMdTKl/KVE0RS2UouuZLpiOCgaIhw=&rFpf=v5EZSg1b
http://www.sportsstump.com/nni2/
http://www.ourservicesx.com/nni2/?wVaFz=Vmxsufmpf7lWWHKJQxTcHNQ9FvHyTKCO2xLDeRSHdLkcaQSVI8GmcShxskGRFwjBPY+wXGC2XVe+XqNqvykXbiRBWrk84BVZWlKRCkc=&rFpf=v5EZSg1b
http://www.a2slhfz002.cfd/nni2/
http://www.uoymtum.top/nni2/
http://www.perros.click/nni2/
http://www.sportsstump.com/nni2/?wVaFz=l2UoVUXo95P1GT/RE8xPTifpnRTZjyM1/g+kOsSpuHT2u5208My7uqCCHUYfdsUOJgRZsnP2d1M1kh4S5YE8X1HKDXPv2YawtJW+M8k=&rFpf=v5EZSg1b
http://www.zacoin.xyz/nni2/?wVaFz=sEFiLqOedu/Wr2Ot5yMkULrI82x+CMUFE+lSd++47bIhnRj+aidEbvZf0eRfm3yE4+S9M7OB3uE7pHgmNV2F4X8ZbIt6yxM4AAqD9XQ=&rFpf=v5EZSg1b
http://www.secondwindwhisky.com/nni2/
|
22
www.ssongg10317.cfd(43.129.73.215)
www.sportsstump.com(204.11.56.48)
www.qbiclesapp.com(74.208.236.47)
www.secondwindwhisky.com(202.124.241.178)
www.weddingkikywahyu.cloud(103.147.154.191)
www.a2slhfz002.cfd(43.129.73.215)
www.zacoin.xyz(203.161.62.123)
www.perros.click(204.93.224.69)
www.ourservicesx.com(216.40.34.41)
www.uoymtum.top(154.195.192.150)
www.scweiwei.fun(8.217.92.5)
45.33.6.223
203.161.62.123 - mailcious
154.195.192.150
43.129.73.215
103.147.154.191
74.208.236.47
216.40.34.41 - mailcious
8.217.92.5
202.124.241.178 - mailcious
204.11.56.48 - phishing
204.93.224.69
|
5
ET INFO HTTP Request to a *.top domain
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
ET DNS Query to a *.top domain - Likely Hostile
|
|
5.6 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8631 |
2023-09-14 19:18
|
 Build.exe e04f4435560f78707d402c06b8deb8dd
UPX Malicious Library PWS SMTP AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
11.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8632 |
2023-09-14 19:15
|
 6sev8udq1h.dll 3a96a42f6d6334a36d2ea26abb0a2c95
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8633 |
2023-09-14 19:11
|
 wininit.exe 2e6868ba26f8fa8bd7ee1e865165da8c
Formbook .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser DNS |
16
http://www.ssongg12497.cfd/hcn4/?VIRj7u78=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36407
http://www.edf23hravau.xyz/hcn4/ - rule_id: 36403
http://www.ekcc.xyz/hcn4/?VIRj7u78=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36406
http://www.ssongg12497.cfd/hcn4/ - rule_id: 36407
http://www.ekcc.xyz/hcn4/ - rule_id: 36406
http://www.igrashka.net/hcn4/?VIRj7u78=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36402
http://www.igrashka.net/hcn4/ - rule_id: 36402
http://www.jedidylan.com/hcn4/?VIRj7u78=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36404
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3150000.zip
http://www.edf23hravau.xyz/hcn4/?VIRj7u78=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36403
http://www.shakcham.top/hcn4/?VIRj7u78=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&Jp9mk=ckhWXGmBftOyoVNf - rule_id: 36405
http://www.jedidylan.com/hcn4/ - rule_id: 36404
http://www.shakcham.top/hcn4/ - rule_id: 36405
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
|
15
www.ekcc.xyz(91.195.240.94) - mailcious
www.ssongg12497.cfd(101.32.68.183) - mailcious
www.ssongg9873.cfd(43.135.11.21)
www.jedidylan.com(204.11.56.48) - mailcious
www.edf23hravau.xyz(20.247.39.217) - mailcious
www.shakcham.top(203.161.62.123) - mailcious
www.igrashka.net(91.206.200.88) - mailcious
203.161.62.123 - mailcious
91.195.240.94 - phishing
43.135.11.21
101.32.68.183 - mailcious
45.33.6.223
20.247.39.217 - mailcious
204.11.56.48 - phishing
91.206.200.88 - mailcious
|
2
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
|
12
http://www.ssongg12497.cfd/hcn4/
http://www.edf23hravau.xyz/hcn4/
http://www.ekcc.xyz/hcn4/
http://www.ssongg12497.cfd/hcn4/
http://www.ekcc.xyz/hcn4/
http://www.igrashka.net/hcn4/
http://www.igrashka.net/hcn4/
http://www.jedidylan.com/hcn4/
http://www.edf23hravau.xyz/hcn4/
http://www.shakcham.top/hcn4/
http://www.jedidylan.com/hcn4/
http://www.shakcham.top/hcn4/
|
10.8 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8634 |
2023-09-14 19:11
|
 jyi6mm2w2g.dll 7d2156efddf126dfb4c466da06f15e11
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution |
|
|
|
|
1.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8635 |
2023-09-14 19:10
|
 o0SoFtIk0o_crypted_FOX.exe 90b8030fc8d0624d93d77b6a7743ab5c
UPX Malicious Library PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172)
104.26.12.31
94.142.138.94 - mailcious
|
3
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8636 |
2023-09-14 19:10
|
 i9ien8gksg.dll fcbb53724b1df93a5d1fc45bb55b9069
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution |
|
|
|
|
1.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8637 |
2023-09-14 19:10
|
 hk1c9y18em.dll a6ac1a8bb63362ed7515f2ca02fb52be
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution |
|
|
|
|
1.4 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8638 |
2023-09-14 19:09
|
 wc4aw1t506.dll e4919447b9ea5c4f02a0746ab64f8e7e
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution |
|
|
|
|
1.4 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8639 |
2023-09-14 19:09
|
 6sev8udq1h.dll 3a96a42f6d6334a36d2ea26abb0a2c95
UPX Malicious Library PE File DLL PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware Remote Code Execution |
|
|
|
|
1.4 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8640 |
2023-09-14 19:08
|
 main.cgi f1851b8e5b0f4eb699d0c50002385313
PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
3.0 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|