8656 | 2023-09-14 13:39 | convert-pdf-359.js 5e554b41294605c0d114677cb3aec892 Generic Malware UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows | 1: https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z | 5: restohalto.site() www.gentotarim.com(89.163.140.12) www.7-zip.org(49.12.202.237) 89.163.140.12 49.12.202.237 | 7.2 | ZeroCERT
8657 | 2023-09-14 13:34 | c4f68ba4.exe f4d73b7bcfcdc85f236054d09e6ad097 UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware unpack itself | 1.8 | 32 | ZeroCERT
8658 | 2023-09-14 13:29 | F.exe be5d8aca3a377e02a7effcdc07029afd AgentTesla RedLine Infostealer UltraVNC UPX Malicious Library SMTP KeyLogger AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed | 1: http://194.180.49.211/D/DLLL.txt | 3: api.ipify.org(64.185.227.156) 194.180.49.211 - malware 64.185.227.156 | 5: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING EXE Base64 Encoded potential malware | 12.2 | M | 48 | ZeroCERT
8659 | 2023-09-14 13:25 | doclam20230813.exe cb8d2cb4372947471ba2f6a7bc3a9c35 PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://lamba.nitrosoftwares.shop/gate | 3: lamba.nitrosoftwares.shop(172.67.167.211) 182.162.106.33 - malware 104.21.41.247 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 16.8 | M | 47 | ZeroCERT
8660 | 2023-09-14 08:04 | docnic20230913.exe 4b4b3b837140b27b5e762b8e89c70238 PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://nice.nitrosoftwares.shop/gate | 3: nice.nitrosoftwares.shop(172.67.167.211) 121.254.136.9 104.21.41.247 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 15.6 | M | ZeroCERT
8661 | 2023-09-14 08:02 | docyo20230813.exe ab928fbd4830f07cf7ac488dca1e746d PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://nitrosoftwares.shop/gate | 5: nitrosoftwares.shop(172.67.167.211) 182.162.106.32 121.254.136.9 172.67.167.211 104.21.41.247 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 16.2 | M | ZeroCERT
8662 | 2023-09-14 07:59 | docdav20230813.exe 3588601a591bb350581fa5a106db731f PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://nitrosoftwares.shop/gate | 3: nitrosoftwares.shop(172.67.167.211) 121.254.136.18 104.21.41.247 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 15.6 | ZeroCERT
8663 | 2023-09-14 07:57 | docjosh20230813.exe eac56810ae04fc2704b1b89559841ee3 PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://joshua6440.nitrosoftwares.shop/gate | 3: joshua6440.nitrosoftwares.shop(104.21.41.247) 121.254.136.18 104.21.41.247 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 16.8 | 45 | ZeroCERT
8664 | 2023-09-14 07:55 | docrw20230913.exe 5f9584f6c166a954bdd76b21217bf837 PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://nitrosoftwares.shop/gate | 3: nitrosoftwares.shop(172.67.167.211) 121.254.136.9 172.67.167.211 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 16.8 | 47 | ZeroCERT
8665 | 2023-09-14 07:54 | docmax20230813.exe edbe2f8eda4005da44e877b8c2c99163 PWS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger | 2: http://apps.identrust.com/roots/dstrootcax3.p7c https://nitrosoftwares.shop/gate | 3: nitrosoftwares.shop(172.67.167.211) 182.162.106.32 104.21.41.247 - mailcious | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 16.8 | 45 | ZeroCERT
8666 | 2023-09-14 07:51 | foto5445.exe 0a0d272e135bf0aa2379f588b2391c84 RedLine stealer Gen1 Emotet RedLine Infostealer Browser Login Data Stealer UPX Malicious Library .NET framework(MSIL) Confuser .NET Escalate priviledges ScreenShot persistence PWS AntiDebug AntiVM PE File PE32 OS Processor Check CAB .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed | 1: http://5.42.92.211/loghub/master - rule_id: 36282 | 2: 77.91.124.82 - mailcious 5.42.92.211 - mailcious | 7: ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 1: http://5.42.92.211/loghub/master | 20.0 | M | 36 | ZeroCERT
8667 | 2023-09-14 07:50 | Mar.exe 55f845c433e637594aaf872e41fda207 UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check PDB | 0.2 | M | ZeroCERT
8668 | 2023-09-14 07:48 | pub1.exe 655655e9b1744d3fc9c5772e7be8a48d UPX Malicious Library PE File PE32 OS Processor Check VirusTotal Malware unpack itself | 1.6 | M | 29 | ZeroCERT
8669 | 2023-09-14 07:48 | CB.exe f89a7590147ed0c19e142705acf490af RedLine Infostealer UltraVNC UPX Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed | 2: http://194.180.49.211/D/DLLL.txt http://194.180.49.211/D/cborinew.txt | 3: api.ipify.org(173.231.16.77) 104.237.62.212 194.180.49.211 - malware | 5: ET HUNTING EXE Base64 Encoded potential malware ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 12.2 | 40 | ZeroCERT
8670 | 2023-09-14 07:46 | Services.exe e962e5b9badb08fa227761855fedf45f UPX Malicious Library VMProtect PE File PE32 VirusTotal Malware Remote Code Execution | 2.4 | 61 | ZeroCERT