8686 |
2023-09-13 13:51
|
038806df1542419d8fff8f288bc215... 358e5b1466b74932897a1a20230ab58a UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger ICMP traffic unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
2
xyoptotway.work.gd(163.123.143.98) 163.123.143.98
|
1
ET INFO DYNAMIC_DNS Query to a *.work .gd Domain
|
|
4.6 |
|
50 |
ZeroCERT
8687 |
2023-09-13 13:48
|
3a9096d615a3cd3163b814cc2803d6... 5616daa897af18e81dee80e75eef90cd .NET DLL DLL PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
|
47 |
ZeroCERT
8688 |
2023-09-13 09:42
|
MD.hta be845330d81fd790621f0b0acb323f49 Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://103.183.115.28/T129W/wininit.exe
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
8.4 |
|
14 |
ZeroCERT
8689 |
2023-09-13 09:42
|
schtasks.exe 4e3e4e3c383fd56423cb48be8b9f3006 UPX PE File .NET EXE PE32 OS Processor Check suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
2
xyoptotway.work.gd(163.123.143.98) 163.123.143.98
|
1
ET INFO DYNAMIC_DNS Query to a *.work .gd Domain
|
|
2.6 |
|
|
ZeroCERT
8690 |
2023-09-13 09:42
|
hkcmd.hta ba271568b611cfbc62dca1fc2d2e8bf3 Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 121.254.136.18 104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.2 |
|
|
ZeroCERT
8691 |
2023-09-13 09:41
|
hkcmd.hta 21e650595550a14f42931906c0dd9f92 Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/583/411/original/hta.jpg?1692658229
http://23.94.239.122/IB/hkcmd.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 23.209.95.50
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
13 |
ZeroCERT
8692 |
2023-09-13 09:40
|
acrobat.hta efe16f7f42f3c45c5ca557049025ecf2 Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
1
http://170.130.172.66/M119T/wininit.exe
|
|
|
|
7.2 |
|
12 |
ZeroCERT
8693 |
2023-09-13 07:52
|
fotod445.exe 3b1efcafca28654e7ee16923ce5a56d2 Gen1 Emotet RedLine Infostealer RedLine stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET Escalate priviledges ScreenShot persistence AntiDebug AntiVM PE File PE32 OS Processor Check CAB .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Microsoft AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious 5.42.92.211 - mailcious
|
7
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
18.0 |
M |
|
ZeroCERT
8694 |
2023-09-13 07:51
|
wininit.exe ad805c8a19a06c66dad4e4e4a77ee305 PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser DNS |
16
http://www.edf23hravau.xyz/hcn4/ http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip http://www.igrashka.net/hcn4/?xZHMPl=m30+Ki//Y8sL2zE0P61kdhvYOwqWFptCCmwU8vQq6zE1sjNGfZDnTyH3LHXrki/eEv4hHjHktamnN/oDf7D42Eqb/YZUuybaqZkYvtQ=&6Xjd=b5pQwL http://www.ssongg12497.cfd/hcn4/ http://www.ekcc.xyz/hcn4/ http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip http://www.igrashka.net/hcn4/ http://www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip http://www.ekcc.xyz/hcn4/?xZHMPl=om4NFYT3TXA6pgTJPX84EKmZ3QuIf6Fm+NGGNTX2Njr3wYMs1PvUHqCFX1UG/yqqZ/GyGdZe8kkoP2oQdk3G5tENNPGEvkfEzBvgy4w=&6Xjd=b5pQwL http://www.jedidylan.com/hcn4/ http://www.jedidylan.com/hcn4/?xZHMPl=OEaMQIXzJ1y0Ti/BrjZfTQsudV+gIEPJKSCSuDa5GJUseBJeyfizYkge5InQO6hD9ZXOEPkPQpdLpgPCjm1/NgvgONU/CrlD65E5YMY=&6Xjd=b5pQwL http://www.ssongg12497.cfd/hcn4/?xZHMPl=x2uJ4u9RM1nVLx9RY8bcWHYUZIRoQlSU64mz3eHM0QiCPE4P0FZMVIShEzgG2lVG6Gbc5vdNKYVNMWtwdeV8UK1q6UmnGIB9sfUNvKw=&6Xjd=b5pQwL http://www.edf23hravau.xyz/hcn4/?xZHMPl=THRJx5HoM4pxizf3tffVux/F1dnvdAzr5GPiuCoKifJxde7dkuco3WiYLQ8onutaznLrkvN96f0rnicV+F6qZ7Z7/ZoKrPI7mfac+KI=&6Xjd=b5pQwL http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip http://www.shakcham.top/hcn4/ http://www.shakcham.top/hcn4/?xZHMPl=VLrMamQnDTGMeMJgx6hkOx5BwaKLG+lWawKYC9Jql/bfu43cgRCDr21Ipw5nqE2MDIkIhr3bxwasMrx+aUmXse9uaxrLWLp/EVeQozE=&6Xjd=b5pQwL
|
15
www.ekcc.xyz(91.195.240.94) www.ssongg12497.cfd(101.32.68.183) www.ssongg9873.cfd(43.135.11.21) www.jedidylan.com(204.11.56.48) www.edf23hravau.xyz(20.247.39.217) www.shakcham.top(203.161.62.123) www.igrashka.net(91.206.200.88) 203.161.62.123 91.195.240.94 - phishing 43.135.11.21 101.32.68.183 45.33.6.223 20.247.39.217 204.11.56.48 - phishing 91.206.200.88
|
2
ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile
|
|
9.6 |
|
|
ZeroCERT
8695 |
2023-09-13 07:49
|
wininit.exe 8136a990ac239336f0c9bd5b46f586b0 Suspicious_Script_Bin Malicious Library UPX PE File PE32 DLL PNG Format PE64 Check memory Creates executable files unpack itself AppData folder crashed |
|
|
|
|
1.8 |
M |
|
ZeroCERT
8696 |
2023-09-13 07:45
|
vur.exe 8e37ada55c666aa357babdec553161c3 Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware Code Injection buffers extracted WriteConsoleW |
|
|
|
|
7.2 |
|
|
ZeroCERT
8697 |
2023-09-13 07:45
|
1_2023-09-12_12-04.exe 6fe96bde2446d98d2b67d8a0ed7d21d6 Malicious Library PE File PE32 PDB |
|
|
|
|
0.6 |
|
|
ZeroCERT
8698 |
2023-09-12 17:09
|
chrorne.js c81296de524edf622f5fdaba1db40ba7 Malicious Library UPX ZIP Format DLL PE File PE32 OS Processor Check Malware download NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder IP Check Windows Java Email ComputerName DNS crashed |
1
|
9
objects.githubusercontent.com(185.199.108.133) - malware github.com(20.200.245.247) - mailcious repo1.maven.org(199.232.192.209) ip-api.com(208.95.112.1) 185.199.109.133 - mailcious 139.180.178.254 208.95.112.1 151.101.24.209 20.200.245.247 - malware
|
2
ET MALWARE STRRAT CnC Checkin ET POLICY External IP Lookup ip-api.com
|
|
9.8 |
|
7 |
ZeroCERT
8699 |
2023-09-12 17:08
|
oogwayy666_crypted_FOX.exe d62a54fccfd3b480e0a76925d6d6b0ad Malicious Library UPX PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(104.26.13.31) 94.142.138.94 - mailcious 104.26.13.31
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
|
|
12.0 |
M |
29 |
ZeroCERT
8700 |
2023-09-12 17:07
|
123.exe 047588f6b860814057c2fd2287561f43 Gen1 UPX .NET framework(MSIL) Malicious Library Malicious Packer Http API PWS HTTP ScreenShot Internet API AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download VirusTotal Malware RecordBreaker PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder malicious URLs sandbox evasion installed browsers check Stealer Windows Browser DNS crashed |
8
http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://94.142.138.114/087e4c08d161b069cf03855db8be2676 http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://94.142.138.114/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
|
1
94.142.138.114 - mailcious
|
11
ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING Possible Generic Stealer Sending System Information
|
|
14.4 |
M |
18 |
ZeroCERT