| 8686 |
2023-09-13 13:51
|
 038806df1542419d8fff8f288bc215... 358e5b1466b74932897a1a20230ab58a
UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger ICMP traffic unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
2
xyoptotway.work.gd(163.123.143.98)
163.123.143.98
|
1
ET INFO DYNAMIC_DNS Query to a *.work .gd Domain
|
|
4.6 |
|
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8687 |
2023-09-13 13:48
|
 3a9096d615a3cd3163b814cc2803d6... 5616daa897af18e81dee80e75eef90cd
.NET DLL DLL PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8688 |
2023-09-13 09:42
|
MD.hta be845330d81fd790621f0b0acb323f49
Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://103.183.115.28/T129W/wininit.exe
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
8.4 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8689 |
2023-09-13 09:42
|
 schtasks.exe 4e3e4e3c383fd56423cb48be8b9f3006
UPX PE File .NET EXE PE32 OS Processor Check suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
2
xyoptotway.work.gd(163.123.143.98)
163.123.143.98
|
1
ET INFO DYNAMIC_DNS Query to a *.work .gd Domain
|
|
2.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8690 |
2023-09-13 09:42
|
 hkcmd.hta ba271568b611cfbc62dca1fc2d2e8bf3
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8691 |
2023-09-13 09:41
|
 hkcmd.hta 21e650595550a14f42931906c0dd9f92
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229
http://23.94.239.122/IB/hkcmd.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.209.95.50
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8692 |
2023-09-13 09:40
|
acrobat.hta efe16f7f42f3c45c5ca557049025ecf2
Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
1
http://170.130.172.66/M119T/wininit.exe
|
|
|
|
7.2 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8693 |
2023-09-13 07:52
|
 fotod445.exe 3b1efcafca28654e7ee16923ce5a56d2
Gen1 Emotet RedLine Infostealer RedLine stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET Escalate priviledges ScreenShot persistence AntiDebug AntiVM PE File PE32 OS Processor Check CAB .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious
5.42.92.211 - mailcious
|
7
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
18.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8694 |
2023-09-13 07:51
|
 wininit.exe ad805c8a19a06c66dad4e4e4a77ee305
PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser DNS |
16
http://www.edf23hravau.xyz/hcn4/
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
http://www.igrashka.net/hcn4/?xZHMPl=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&6Xjd=b5pQwL
http://www.ssongg12497.cfd/hcn4/
http://www.ekcc.xyz/hcn4/
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
http://www.igrashka.net/hcn4/
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip
http://www.ekcc.xyz/hcn4/?xZHMPl=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&6Xjd=b5pQwL
http://www.jedidylan.com/hcn4/
http://www.jedidylan.com/hcn4/?xZHMPl=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&6Xjd=b5pQwL
http://www.ssongg12497.cfd/hcn4/?xZHMPl=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&6Xjd=b5pQwL
http://www.edf23hravau.xyz/hcn4/?xZHMPl=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&6Xjd=b5pQwL
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
http://www.shakcham.top/hcn4/
http://www.shakcham.top/hcn4/?xZHMPl=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&6Xjd=b5pQwL
|
15
www.ekcc.xyz(91.195.240.94)
www.ssongg12497.cfd(101.32.68.183)
www.ssongg9873.cfd(43.135.11.21)
www.jedidylan.com(204.11.56.48)
www.edf23hravau.xyz(20.247.39.217)
www.shakcham.top(203.161.62.123)
www.igrashka.net(91.206.200.88)
203.161.62.123
91.195.240.94 - phishing
43.135.11.21
101.32.68.183
45.33.6.223
20.247.39.217
204.11.56.48 - phishing
91.206.200.88
|
2
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
|
|
9.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8695 |
2023-09-13 07:49
|
 wininit.exe 8136a990ac239336f0c9bd5b46f586b0
Suspicious_Script_Bin Malicious Library UPX PE File PE32 DLL PNG Format PE64 Check memory Creates executable files unpack itself AppData folder crashed |
|
|
|
|
1.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8696 |
2023-09-13 07:45
|
 vur.exe 8e37ada55c666aa357babdec553161c3
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware Code Injection buffers extracted WriteConsoleW |
|
|
|
|
7.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8697 |
2023-09-13 07:45
|
 1_2023-09-12_12-04.exe 6fe96bde2446d98d2b67d8a0ed7d21d6
Malicious Library PE File PE32 PDB |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8698 |
2023-09-12 17:09
|
 chrorne.js c81296de524edf622f5fdaba1db40ba7
Malicious Library UPX ZIP Format DLL PE File PE32 OS Processor Check Malware download NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Windows Java Email ComputerName DNS crashed |
1
|
9
objects.githubusercontent.com(185.199.108.133) - malware
github.com(20.200.245.247) - mailcious
repo1.maven.org(199.232.192.209)
ip-api.com(208.95.112.1)
185.199.109.133 - mailcious
139.180.178.254
208.95.112.1
151.101.24.209
20.200.245.247 - malware
|
2
ET MALWARE STRRAT CnC Checkin
ET POLICY External IP Lookup ip-api.com
|
|
9.8 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8699 |
2023-09-12 17:08
|
 oogwayy666_crypted_FOX.exe d62a54fccfd3b480e0a76925d6d6b0ad
Malicious Library UPX PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(104.26.13.31)
94.142.138.94 - mailcious
104.26.13.31
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
|
|
12.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8700 |
2023-09-12 17:07
|
 123.exe 047588f6b860814057c2fd2287561f43
Gen1 UPX .NET framework(MSIL) Malicious Library Malicious Packer Http API PWS HTTP ScreenShot Internet API AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download VirusTotal Malware RecordBreaker PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion installed browsers check Stealer Windows Browser DNS crashed |
8
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://94.142.138.114/087e4c08d161b069cf03855db8be2676
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
|
1
94.142.138.114 - mailcious
|
11
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible Generic Stealer Sending System Information
|
|
14.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|