8671 | 2023-11-30 09:08
chungzx.doc 32df679e7f2b7ddb0fab5275e968c10d | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD Windows Exploit DNS DDNS crashed
URLs (1): http://fresh1.ironoreprod.top/_errorpages/chungzx.exe
Hosts (4): fresh1.ironoreprod.top(104.21.16.60) - mailcious; ascoitaliasasummer.duckdns.org(194.147.140.212) - mailcious; 194.147.140.212; 172.67.166.168 - mailcious
Alerts (7): ET DNS Query to a *.top domain - Likely Hostile; ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016; ET INFO HTTP Request to a *.top domain; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING Possible EXE Download From Suspicious TLD; ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
5.6 | M | 31 | ZeroCERT
8672 | 2023-11-30 09:06
1 45ae0455fdcb1ceb6e1d3eed8ba7ffaf | Downloader UPX PE32 PE File VirusTotal Malware crashed
1.6 | M | 11 | ZeroCERT
8673 | 2023-11-30 07:18
webplugin.exe 174a99ce7fd9e7cfe4634a0125a2ecb2 | Emotet NSIS Malicious Library UPX PE32 PE File DLL OS Processor Check Lnk Format GIF Format VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself suspicious process
2.4 | M | 2 | ZeroCERT
8674 | 2023-11-30 07:15
hjk.exe 95ee9a372c00b4fbb86fc4cab7af8739 | Generic Malware Malicious Library UPX PWS SMTP DNS AntiDebug AntiVM PE File PE64 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key
8.4 | M | 36 | ZeroCERT
8675 | 2023-11-30 07:13
B13zx.exe 93fcdbdc88b1331060cd070f569e3e93 | LokiBot North Korea Socket PWS DNS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs suspicious TLD installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://sempersim.su/b13/fre.php
Hosts (2): sempersim.su(104.237.252.65) - mailcious; 104.237.252.65 - mailcious
Alerts (7): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response
13.6 | M | 51 | ZeroCERT
8676 | 2023-11-30 07:11
987123.exe e2557e6dc21ccdfb9c2004f97fe03a57 | Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware unpack itself Windows crashed
3.0 | M | 33 | ZeroCERT
8677 | 2023-11-30 07:11
Usmgboc.exe 491310d10c0ea2d217c90a2403c20bea | Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.2 | M | 40 | ZeroCERT
8678 | 2023-11-30 07:10
zackzx.exe 88b0c932e404501921d7e88757bf82b2 | .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder Browser
URLs (9)
Hosts (8): www.aviatales.com(); www.myvicesweats.com(154.223.114.39); www.book2110.com(172.252.46.4); www.vfhnyjgr.cyou(43.153.170.86); 45.33.6.223; 43.153.170.86; 154.223.114.39; 172.252.46.4
12.2 | | 30 | ZeroCERT
8679 | 2023-11-30 07:09
eta.exe d96ad0c55fdda0eedebc56b4a2f1d3b8 | Generic Malware Malicious Library UPX PWS SMTP DNS AntiDebug AntiVM PE File PE64 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
7.8 | | 36 | ZeroCERT
8680 | 2023-11-30 00:39
libier_3402.pdf eaafeaa8f30f2eba91cdd62af7acdd1a | PDF
guest
8681 | 2023-11-29 16:00
file_ver_9.rar 0626f8e71d8a91fd6185df77a50b9fbc | Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Vidar Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro DNS plugin
URLs (36)
Hosts (46)
Alerts (49)
Rule-matched URLs (3): http://zexeq.com/test2/get.php; http://176.113.115.84:8080/4.php; http://91.92.243.151/api/tracemap.php
6.6 | M | | ZeroCERT
8682 | 2023-11-29 14:38
maxziflowzx.exe 5393d9e3a30269ebfed5456bf1304e92 | .NET framework(MSIL) AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself AppData folder Browser DNS
URLs (18)
Hosts (26)
Alerts (2): ET INFO Observed DNS Query to .life TLD; ET INFO HTTP Request to Suspicious *.life Domain
11.0 | M | 20 | ZeroCERT
8683 | 2023-11-29 14:33
123.exe 5ab89a96be7570dfe4f49e6b9a42bc88 | Malicious Library UPX PE32 PE File MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger
URLs (2): http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978; http://45.125.57.96:8888/8.77.dll
Hosts (8): docs.google.com(142.250.206.206) - mailcious; xred.mooo.com() - mailcious; freedns.afraid.org(69.42.215.252); www.dropbox.com(162.125.84.18) - mailcious; 69.42.215.252; 45.125.57.96 - mailcious; 142.251.220.14; 162.125.84.18 - mailcious
Alerts (4): ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host DLL Request; ET HUNTING Rejetto HTTP File Sever Response
9.6 | M | 67 | ZeroCERT
8684 | 2023-11-29 14:33
clip.dll 4194e9b8b694b1e9b672c36f0d868e32 | Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware PDB Malicious Traffic Checks debugger unpack itself suspicious TLD
URLs (1): http://tceducn.com/forum/index.php
Hosts (4): tceducn.com(201.103.122.206) - malware; arrunda.ru() - mailcious; soetegem.com(); 202.4.114.123
3.6 | M | 53 | ZeroCERT
8685 | 2023-11-29 14:33
index.php b13eac66431fb3332fae4527ab1b0e2e | Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB unpack itself
1.6 | M | 33 | ZeroCERT