8716 | 2023-09-12 07:39
trpcg.exe | 0704e4ae55e1180a2e472c337504742a
LokiBot UPX PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs crashed
7.6 | | 30 | ZeroCERT

8717 | 2023-09-12 07:38
xdlsuthdjke456jd.exe | 35c62ad8e01089dbeac7cd63e551627c
NSIS Suspicious_Script_Bin Malicious Library UPX PE File PE32 DLL VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder Ransomware
4.2 | | 11 | ZeroCERT

8718 | 2023-09-11 18:11
Outstanding Balance Invoice.ex... | e99e9e9e9e864b38fc75f29b54771c86
NSIS Malicious Library UPX PE File PE32 OS Processor Check Malware download VirusTotal Malware suspicious privilege Check memory Creates executable files ICMP traffic unpack itself AppData folder
URLs (17):
http://www.aboutmart.info/stcf/
http://www.aboutmart.info/stcf/?RMuHL=U3Hdzf4+NthdwoRpHnYAtQn3xNbqAVbGixRD45JbkQ2tjCPrd668asZ32u/Z/WUAQbK0mo64IDMrfMoRJRydMFx21uDMy5x8Dc/xGxo=&J8=1fA1FL4
http://www.innovativefewsustra.com/stcf/
http://www.innovativefewsustra.com/stcf/?RMuHL=KMOD9sTNx2YSpovUrRJUEzn1Yx0Z43DK6JEh/zvUzYRR0vvq/o2vdjVBrU8HPW3QMgYOZkgxf1P3X+8HybL4wtlflHnPghnD15Ngsf8=&J8=1fA1FL4
http://www.saintprojetdesalers.com/stcf/
http://www.houtaijiaju.com/stcf/
http://www.hummall.com/stcf/?RMuHL=Nk5K1Xbn5LNktyygdQF3BnmJ+burJ+ny2OkZcNPXdwEtJdOtq79vPWmp/B6BaLcWj3tVzmTo+5PqGZIC/UTM1vSFnsb91g1hVUGRl4c=&J8=1fA1FL4
http://www.saintprojetdesalers.com/stcf/?RMuHL=+e/LxL8BCb5JT2mwgKzbp1bNGh3lgePyU3D6l90SLvlYtUAerZBoaAu+StBCYI+EmdbaVLlpQ9qQs+tY0i0hLe/6ntyVXpS6CIyxXlk=&J8=1fA1FL4
http://www.hummall.com/stcf/
http://www.ronikonmet.online/stcf/?RMuHL=uecC1YIjKds5pfO1EToES15TCdBTvi7vIYoUJgTFy6qDYT2nEUgo5MyoghBmj6FTuqUN6uVJE1bE0H4aXubCPUG1zI5pjeamkbBuCmA=&J8=1fA1FL4
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
http://www.admiralx-qjff.buzz/stcf/?RMuHL=/cN5NAnYyQNGkv6VI4g5hCl6zLANo+Uxyk0R0Gf4W9JvbRZK1NaF3DJOi9LLfoZAma38Eec3ft5h7udphOb57G+0pUhbPZipWhAdHO0=&J8=1fA1FL4
http://www.houtaijiaju.com/stcf/?RMuHL=1dqEu7FqG0Fk44M2SsORztBhqeVPz5dcffezXnqN6lUv5lMi6TOQp3fd1b+R5p9IBvl5i/IMrCH65j4DnfcQMtwjHinribTwYdLVWxQ=&J8=1fA1FL4
http://www.ronikonmet.online/stcf/
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
http://www.ozu-sushi.com/stcf/
http://www.admiralx-qjff.buzz/stcf/
Hosts (17):
www.houtaijiaju.com(206.237.167.5)
www.aboutmart.info(66.29.149.4)
www.saintprojetdesalers.com(103.224.182.252)
www.ozu-sushi.com(199.59.243.224)
www.hummall.com(192.187.101.110)
www.innovativefewsustra.com(199.21.76.77)
www.admiralx-qjff.buzz(172.67.172.5)
www.ronikonmet.online(194.58.112.174)
103.224.182.252 - suspicious
192.187.101.110
199.59.243.224 - mailcious
199.21.76.77
194.58.112.174 - mailcious
66.29.149.4
45.33.6.223
172.67.172.5
206.237.167.5
Alerts (2):
ET INFO HTTP Request to a *.buzz domain
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6.2 | | 34 | ZeroCERT

8719 | 2023-09-11 18:07
qwerty.chm | b556bd47157695e3e0b279d56401026f
AntiDebug AntiVM CHM Format VirusTotal Malware AutoRuns MachineGuid Code Injection Check memory RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
URLs (1):
http://zhaodaolajiankang.com/apache/try.php?h=%computername%*%username%
4.6 | | 19 | ZeroCERT

8720 | 2023-09-11 18:02
fxjcg.exe | 69a09092311de18b2e02203a4315f281
LokiBot UPX PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software
URLs (1):
http://141.98.6.249:8287/kojdjgljhgfta/Panel/five/fre.php
Hosts (1):
12.2 | M | 39 | ZeroCERT

8721 | 2023-09-11 18:02
RaiDrive_2023.9.0_x64.exe | a523a20f9993d562a1e2761d930cc243
Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Antivirus Malicious Packer ASPack CAB PE File PE32 OS Processor Check JPEG Format PE64 DLL BMP Format icon DllRegisterServer dll MSOffice File VirusTotal Malware Buffer PE PDB suspicious privilege Check memory buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check ComputerName
4.2 | M | 15 | ZeroCERT

8722 | 2023-09-11 17:59
Document.pdf.exe | ef9728a0916c18e4f90b6b32798dd564
Lumma Malicious Library UPX Http API ScreenShot Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency Code Injection Malicious Traffic Check memory buffers extracted unpack itself Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware
URLs (3):
http://gapi-node.io/c2conf - rule_id: 36034
http://gapi-node.io/c2sock - rule_id: 36035
http://gapi-node.io/ - rule_id: 36033
Hosts (2):
gapi-node.io(172.67.135.211) - mailcious
104.21.26.93 - mailcious
Alerts (1):
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
Rule-matched URLs (3):
http://gapi-node.io/c2conf
http://gapi-node.io/c2sock
http://gapi-node.io/
12.4 | M | 51 | ZeroCERT

8723 | 2023-09-11 17:58
install.exe | c9a2e54e8501a2f6dd57255225999b40
UPX PE File PE32 VirusTotal Malware AutoRuns Malicious Traffic Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS
URLs (1):
https://pastebin.com/raw/pdRjLLjy
Hosts (3):
pastebin.com(172.67.34.170) - mailcious
195.58.51.109
172.67.34.170 - mailcious
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 43 | ZeroCERT

8724 | 2023-09-11 17:56
@facebyk_packlab.exe | 7c6d12dcd138418691419f9783f8d3bd
RedLine stealer Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
Alerts (5):
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
11.6 | | 32 | ZeroCERT

8725 | 2023-09-11 15:52
fasfqwrqweqw.exe | 7278b6ce3ddda7dba2473e0392e54ea6
RedLine stealer UPX AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
91.103.252.39 - mailcious
Alerts (5):
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
11.4 | M | 53 | ZeroCERT

8726 | 2023-09-11 11:43
lnvoice_1332936990.js | fd8654cbec65781ef40ef64410c93bf6
Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (2):
http://htlbook.blogspot.com/atom.xml
https://d9e1c3dd-1fee-48c1-9089-09a70580408e.usrfiles.com/ugd/d9e1c3_1ccf9ae5ff04452898a53f7e8cd563d0.txt
4.8 | | | ZeroCERT

8727 | 2023-09-11 11:30
setup_pass.7z | 5c90eadfd3d0167a17483af6439fbede
PrivateLoader Vidar Stealc Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader plugin
URLs (59):
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://87.121.221.58/g.exe - rule_id: 35764
http://94.156.253.187/download/WWW14_n.exe - rule_id: 36185
http://charlesjones.top/412a0310f85f16ad/nss3.dll
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
http://myfilebest.com/order/set17.exe - rule_id: 36161
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://45.9.74.80/super.exe - rule_id: 36063
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://195.201.131.165/ - rule_id: 36334
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe - rule_id: 36201
http://45.9.74.80/toolspub2.exe - rule_id: 36066
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://charlesjones.top/e9c345fc99a4e67e.php - rule_id: 36283
http://charlesjones.top/412a0310f85f16ad/msvcp140.dll
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://charlesjones.top/412a0310f85f16ad/softokn3.dll
http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
http://charlesjones.top/412a0310f85f16ad/mozglue.dll
http://charlesjones.top/412a0310f85f16ad/freebl3.dll
http://charlesjones.top/412a0310f85f16ad/vcruntime140.dll
http://176.113.115.84:8080/4.php - rule_id: 34795
http://195.201.131.165/htdocs.zip
http://45.9.74.80/ummaa.exe - rule_id: 36186
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://charlesjones.top/412a0310f85f16ad/sqlite3.dll
http://www.google.com/
http://195.201.131.165/b8051b8228ebec240e80eed1f06471da
https://vk.com/doc44017378_669100051?hash=Y1d8yh89LcZ0zAOx8obl7JZ7mZWqNSdnCHqxRkQxKbD&dl=IZJ6qPZZJHdKI0zpkVZuoaMzdZItvl7ncz41tGh3PbP&api=1&no_preview=1#rise_cpp
https://vk.com/doc44017378_669136690?hash=E5ro6HNAOZHVOgZiTIDkvKctXbILQ0zBBx6f8KGt5e8&dl=qG39A2bhq4t9EZmEY5oWbCHZP2L9kp7Offbq4R5FDD0&api=1&no_preview=1#test2
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc44017378_669039465?hash=TZaAQZJWncKB7EXmzbWyNUVJjrKlyY24ZpxCAMzIJsD&dl=Iq2KdxHCqmMyvTqTCrQ4Vjrbdtz5XUdGezvASZEpuq0&api=1&no_preview=1#WW1
https://steamcommunity.com/profiles/76561199548518734 - rule_id: 36333
https://vk.com/doc44017378_668981261?hash=KtP4jlmfa5n21hEuywQIenzbdeHE6fN4MtKmM0s1LgP&dl=ogaN1GU0x5hbsmXLGfmQBkv0VN664AvXi2xyl1vLRkP&api=1&no_preview=1
https://9ebdad1ad09d8c98b7f58219cda2573f-connect.update-regb-service.biz/image/998587841.png
https://preconcert.pw/setup294.exe - rule_id: 36162
https://sun6-22.userapi.com/c909218/u44017378/docs/d3/d584056413f0/crypted.bmp?extra=6KfyeT40fAsgkFTs0wFUO83a85tAsob3PJcQqsl9DWAxTVBaKABfMcuH1DohulfsPmulvH6l40-LsiZvXvpXm2pbbsKvuoJRvHlxUFhZHOGSm25fquCimjTI2L0rskpFlag4C886QlRTRQbk
https://vk.com/doc44017378_669144995?hash=qUceK0TC1DmQcU4Sn4PNZMbZTVp8r8ctiv13JTfkgY4&dl=2N3XMnrnFOcu6tpuFs21nrXNqkjKBcauobC5rzT6oGX&api=1&no_preview=1#krdb
https://db-ip.com/
https://sun6-20.userapi.com/c237331/u44017378/docs/d6/5efff224b4d4/worpli.bmp?extra=D3AGybYtrYUrEq-isHlKobGFzZSc_K_URzyX5uJHKEyDiRLMcRR0ISehTnA9OJQRz0jQ3DMH9CsV3Ef_11kkkOha2D7af46EtGtX9MxFRitVE6eo2tHPiZ5nkub2Ga44Z-UQYp3X4UOlsedA
https://sun6-21.userapi.com/c236331/u44017378/docs/d44/60a193c8c3c5/krdb7c.bmp?extra=MbWbOFyH6AxN16RKKYW_ygecokNoSGzrrc_jS-ct5JUXOO8HnIRPXt5cLm3aeVnQwiwjLh2sjSyKfP8qUqmSFRCoewYvsd-PmWZg_gMh9gPIKfl_SSGF6AsFi1IE-m0tVVNwuo5HizrSJ59S
https://vk.com/doc44017378_669146327?hash=isBZGj5DOl2N4abzGRi9Zk8QZdLnM2qVlQb7yV2eOCw&dl=e6LGGCqVZncnRfY5M9XZiL8rRkf4L3zIvYviZQTDUgw&api=1&no_preview=1#1
https://dzen.ru/?yredirect=true
https://vk.com/doc44017378_669130061?hash=Bf2ehkjMQd1Zywk6bhXXNSlQvTW1MZnkBZD50NiYCbX&dl=XLNOcb0rZSRAqTVXXfRsaznqOJ7omuerZRNlXY1EIP0&api=1&no_preview=1#qq
https://sun6-23.userapi.com/c909618/u44017378/docs/d58/61fd5db4eb19/Synapse.bmp?extra=Wrj4ukVhQXeqKejJoizvxsun5vCYIbYEjmpAHnxmfSFDIpbJvY8dON8FY0hBdP3rKDFDP35MyD8hCLX_vcHYCozpoVjWH4Nsg8r3cVtuypfIVR3TXCLfpInOtWfdOdpxRosv4scb9a2Au0uU
https://sun6-23.userapi.com/c909328/u44017378/docs/d42/46d57c72695f/BottClient.bmp?extra=VX6XAm-y3bCp4TklM1ZI2zwGa-edzrs_n40bJYiaIfsewEQS8lK9Cz--5tZqy6DRMCHcloRaCf0g6Ekt_kZuYY3n0tshOQkad3pSZhm4RDZcwq5SPqZQBdHfzrvT1pHbd-VTakkDFHNT8GS8
https://sun6-23.userapi.com/c235131/u44017378/docs/d30/8091d6ce75a6/RisePro_0_6.bmp?extra=FPVsj7wi4agim-GPDWmj3bEuZct8COPXqWtmhhAN9_V5uKBRkn5dWs5gFIWUEpBdcrQPSKeb26Ib-uqeJPOU4n_gwkWugLBqggS-mWSzc_1U77OpOKa88Zbw8DLqDDsxpa0duInmONkXpTA_
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sso.passport.yandex.ru/push?uuid=2f6eabf9-a482-45ba-96ff-d556bf0c359a&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-21.userapi.com/c236331/u44017378/docs/d17/8aadafe7a6fd/test2.bmp?extra=LSsPiFLqYNecqtBM9twto1JvPqPjTSlrYHRXdJEric_lOPxs4OkWTGkAR2bzv7bvv-p3vzKiNBZTucviyAt-jmLY15Xcq9WXLhFI3U0nnETcgtmJSfCfVjDFYMj059rmdqX1vHHidG_ttVgZ
https://sun6-22.userapi.com/c237331/u44017378/docs/d50/498c9dba8d4c/WWW1.bmp?extra=Ae5BRqnTTNsRymyTsEx3hIFSGGBfN9qo2gCPzNKwYigFihJcz_SAwYbgC_vvbitqc2D0YGA83vLxlt_Uh23FiRqZfsPASVIMTNT_jvE7rkfr5WqldNQY08PVk2W3m_oxhBeW-qOqbkp2JvHJ
https://vk.com/doc44017378_669048765?hash=4y9BzzNOTmmZPixDuggkZgFx4GZ0QVZg3tNSdZK5BRs&dl=GJoifTjG0klCvDa0fmGosGT2YiTbPX4KW0RXRQc7WGk&api=1&no_preview=1
https://sun6-23.userapi.com/c240331/u44017378/docs/d9/ecba6e817ae1/PL_Client.bmp?extra=bzxMGX--GxRktRGlATumvfpjlN-xO5mU8gbfzY5tJEjpIVAWjxvoEq8CwdnxM93glO1mplH5drvazJaTe6oSwmZXTMLEX_5AxrZN5rz37Jo55I1pZJZOOV3iXQ9Cx08nphhMTBs6YA4Sbe12
Hosts (99):
db-ip.com(172.67.75.166)
telegram.org(149.154.167.99)
www.tiktok.com(175.207.14.145)
sun6-23.userapi.com(95.142.206.3)
vanaheim.cn(185.39.205.39) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
agsnv.com(181.214.31.34) - malware
yandex.ru(77.88.55.88)
dzen.ru(62.217.160.2)
preconcert.pw(104.21.84.222) - malware
charlesjones.top(51.250.21.16) - mailcious
williecampbell.top(51.250.21.16) - malware
api.2ip.ua(162.0.217.254)
steamcommunity.com(104.76.78.101) - mailcious
arthritis.org(104.22.10.53)
z.nnnaajjjgc.com(156.236.72.121) - malware
twitter.com(104.244.42.65)
myfilebest.com(104.21.56.98) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
ironhost.io(104.21.57.237)
sso.passport.yandex.ru(213.180.204.24)
9ebdad1ad09d8c98b7f58219cda2573f-connect.update-regb-service.biz(172.67.190.232)
ji.alie3ksgbb.com(104.21.90.117) - mailcious
bitbucket.org(104.192.141.1) - malware
230907161118223.nmr.xrm42.top(94.156.35.76)
zexeq.com(202.4.114.123) - malware
www.arthritis.org(172.67.28.160)
colisumy.com(201.124.224.61) - malware
www.google.com(142.250.76.132)
api.myip.com(104.26.9.59)
hugersi.com(91.215.85.147) - malware
i.instagram.com(157.240.215.63)
sun6-21.userapi.com(95.142.206.1) - mailcious
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.18.146.235)
vk.com(87.240.129.133) - mailcious
182.162.106.32
194.169.175.128 - mailcious
104.18.145.235
181.214.31.34 - malware
172.67.197.101
176.123.9.142 - mailcious
157.240.31.63
104.22.10.53
91.215.85.147 - malware
77.91.68.238 - malware
62.122.184.92 - mailcious
62.217.160.2
104.26.5.15
208.67.104.60 - mailcious
172.67.200.102
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
172.67.193.129
172.67.75.163
80.210.25.252
195.201.131.165 - mailcious
94.156.35.76 - malware
121.254.136.18
31.41.244.27
172.67.183.191 - malware
142.250.76.132
162.0.217.254
94.156.253.187 - malware
176.113.115.84 - mailcious
176.113.115.85 - mailcious
109.175.29.39
172.67.190.232
87.121.221.58 - malware
213.180.204.24
51.250.21.16 - malware
176.113.115.135 - mailcious
176.113.115.136 - mailcious
34.117.59.81
45.9.74.80 - malware
77.88.55.88
104.192.141.1 - mailcious
80.66.75.4 - mailcious
185.225.73.32 - mailcious
87.240.132.78 - mailcious
156.236.72.121 - mailcious
45.15.156.229 - mailcious
185.39.205.39
104.26.4.15
175.207.14.24
95.142.206.2
95.142.206.1 - mailcious
45.143.201.238 - mailcious
95.142.206.0 - mailcious
95.142.206.3
104.244.42.193 - suspicious
85.208.136.10 - mailcious
62.122.184.58 - mailcious
87.240.132.72 - mailcious
104.76.78.101 - mailcious
94.142.138.131 - mailcious
Alerts (58):
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Suspicious services.exe in URI
ET INFO TLS Handshake Failure
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO Observed DNS Query to .biz TLD
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Packed Executable Download
ET INFO Observed Telegram Domain (t .me in TLS SNI)
Rule-matched URLs (23):
http://hugersi.com/dl/6523.exe
http://87.121.221.58/g.exe
http://94.156.253.187/download/WWW14_n.exe
http://zexeq.com/test2/get.php
http://myfilebest.com/order/set17.exe
http://colisumy.com/dl/build2.exe
http://45.9.74.80/super.exe
http://45.15.156.229/api/tracemap.php
http://45.15.156.229/api/firegate.php
http://195.201.131.165/
http://zexeq.com/files/1/build3.exe
http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe
http://45.9.74.80/toolspub2.exe
http://94.142.138.131/api/firegate.php
http://charlesjones.top/e9c345fc99a4e67e.php
http://94.142.138.131/api/firecom.php
http://94.142.138.131/api/tracemap.php
http://193.42.32.118/api/tracemap.php
http://45.9.74.80/0bjdn2Z/index.php
http://176.113.115.84:8080/4.php
http://45.9.74.80/ummaa.exe
https://steamcommunity.com/profiles/76561199548518734
https://preconcert.pw/setup294.exe
7.2 | M | | ZeroCERT

8728 | 2023-09-11 11:29
https://booking-comdetails.blo... | b31a65581c16d9ec7688fd612974a3b7
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger Javascript_Blob AntiDebug AntiVM MSOffice File icon VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (3):
https://booking-comdetails.blogspot.com/favicon.ico
https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css
https://www.blogger.com/static/v1/widgets/664379233-widgets.js
Hosts (4):
booking-comdetails.blogspot.com(142.250.207.97) - mailcious
www.blogger.com(142.250.206.233)
172.217.31.9
172.217.27.33
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
4.6 | M | | ZeroCERT

8729 | 2023-09-11 10:45
NGVkZTM3.doc | a4605f24de3aba74ccce5d5ab73d67a6
VBA_macro Generic Malware Antivirus AntiDebug AntiVM Word 2007 file format(docx) ZIP Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit ComputerName Cryptographic key crashed
URLs (1):
http://ielsd.myartsonline.com/kw/on.txt
Hosts (1):
ielsd.myartsonline.com() - mailcious
9.8 | | 41 | ZeroCERT

8730 | 2023-09-11 10:40
клопотання_обшук_Данилець_друк... | 4eea6d2c075a3edb0a80ebab2f44e468
Doc XML Downloader Word 2007 file format(docx) ZIP Format VirusTotal Malware exploit crash unpack itself suspicious TLD Exploit crashed
Hosts (2):
preview98.vloperang.ru(85.159.229.34)
85.159.229.34
3.6 | | 6 | ZeroCERT