8761 | 2023-09-10 09:16 | mcakcsmm7d | MD5 fb53ba2be077cdd3122c67247890db76
  Tags: Hide_EXE AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email
  3.6 | | 8 | ZeroCERT

8762 | 2023-09-09 21:55 | Black_Saturn.exe | MD5 33a22c3db8fe05d4c819a9c9360c8de4
  Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB
  2.2 | | 43 | ZeroCERT

8763 | 2023-09-09 21:53 | Jakugym.exe | MD5 19b80e894146b941d7a1b47e5264dde0
  Tags: UPX .NET framework(MSIL) PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces IP Check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key
  URLs (1): http://ip-api.com/json/?fields=11827
  Hosts (4): ip-api.com(208.95.112.1); api.telegram.org(149.154.167.220); 208.95.112.1; 149.154.167.220
  Alerts (5): ET INFO TLS Handshake Failure; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup ip-api.com; ET HUNTING Telegram API Domain in DNS Lookup
  6.8 | | 46 | ZeroCERT

8764 | 2023-09-09 21:53 | setupX.exe | MD5 6c98e7cbfb82fb29f4bd29fb0bd5acc0
  Tags: Malicious Library UPX PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs: 1 (not listed)
  Alerts (5): ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound); ET MALWARE Redline Stealer Activity (Response); ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
  11.2 | | 40 | ZeroCERT

8765 | 2023-09-09 21:50 | devalzx.doc | MD5 9c104fa0210a291c44d1a4073577a214
  Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware exploit crash unpack itself Windows Exploit DNS crashed
  URLs: 1 (not listed)
  Alerts (5): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  3.6 | M | 26 | ZeroCERT

8766 | 2023-09-09 21:50 | toolspub4.exe | MD5 98ce8687a896a63f1a52979ce8871b2e
  Tags: Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB
  2.4 | | 27 | ZeroCERT

8767 | 2023-09-09 21:48 | 168.exe | MD5 e334c5353a9700935d476c2460ab0e22
  Tags: RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
  URLs: 1 (not listed)
  4.4 | M | 53 | ZeroCERT

8768 | 2023-09-09 21:48 | devalzx.exe | MD5 6c1f6ba0b351e825fe667aa684f11fdd
  Tags: .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
  2.8 | M | 43 | ZeroCERT

8769 | 2023-09-09 21:46 | lnvoice_1332936990.js | MD5 fd8654cbec65781ef40ef64410c93bf6
  Tags: Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
  4.8 | | | ZeroCERT

8770 | 2023-09-09 21:44 | IGCCU.lnk | MD5 e67fd436c857cd3c1ec0c9fd287d4b5f
  Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM Lnk Format GIF Format PowerShell VirusTotal Malware VBScript powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
  URLs (4):
    http://141.98.6.202/windows/wind/IE_Cache.vbs
    http://apps.identrust.com/roots/dstrootcax3.p7c
    https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070
    http://141.98.6.202/windows/Notedpad.txt
  Hosts (4): uploaddeimagens.com.br(104.21.45.138) - malware; 121.254.136.9; 104.21.45.138 - malware; 141.98.6.202 - malware
  Alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host VBS Request; ET POLICY curl User-Agent Outbound; ET HUNTING curl User-Agent to Dotted Quad
  12.2 | | 20 | ZeroCERT

8771 | 2023-09-09 21:42 | chungzx.doc | MD5 592dd1fe894165940b95381201c91017
  Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware RWX flags setting exploit crash Windows Exploit DNS DDNS crashed
  URLs (1): http://185.28.39.17:7777/185.28.39.18/chungzx.exe
  Hosts (3): ascoitaliasasummer.duckdns.org(194.147.140.199) - mailcious; 194.147.140.199 - mailcious; 185.28.39.17 - malware
  Alerts (8): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain; ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; SURICATA Applayer Protocol detection skipped
  4.0 | M | 28 | ZeroCERT

8772 | 2023-09-09 21:41 | igfxCU.exe | MD5 e99042bc75c1e7c4ae8803b59a817975
  Tags: Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself
  URLs (4):
    http://www.gracefullytouchedartistry.com/sy22/?Mfg=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&D6h4=O2JdRpPP8 - rule_id: 35940
    http://www.gk84.com/sy22/?Mfg=EZXT1couL1SMJvG2qeg6eanykcNOwoSwRkeI+9JF3ekTKFJ8rStu/JDK0lzRposG9gxESXnb&D6h4=O2JdRpPP8
    http://www.omclaval.com/sy22/?Mfg=Vmf4Q5/zoPfldgruhOQLZP4+4m5gHfPs/jeCYPGlLiq5dZVswyzLC3uxqGOHhCLAF9vvj7E0&D6h4=O2JdRpPP8
    http://www.sx15k.com/sy22/?Mfg=uDOmxGSZOI7byjRwM2VfDnyujtJEJ3PREhDiUuqfTZK7lE43sYjySeizw7LCJ3MdEZKjGoPp&D6h4=O2JdRpPP8 - rule_id: 35941
  Hosts (8): www.gk84.com(107.148.223.82); www.omclaval.com(34.117.168.233); www.sx15k.com(211.149.249.34) - mailcious; www.gracefullytouchedartistry.com(34.149.87.45) - mailcious; 34.117.168.233 - mailcious; 211.149.249.34 - mailcious; 107.148.223.82; 34.149.87.45 - phishing
  Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
  Additional URLs (2): http://www.gracefullytouchedartistry.com/sy22/; http://www.sx15k.com/sy22/
  5.0 | M | 51 | ZeroCERT

8773 | 2023-09-09 21:41 | mshta.hta | MD5 cc504d2b599df93f30cf9fe27cb00ce2
  Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
  Hosts (1): 185.246.221.126 - mailcious
  Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
  10.8 | | 32 | ZeroCERT

8774 | 2023-09-09 21:41 | 1.hta | MD5 ff3ba7711a230e6c17ac77a271ec3622
  Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS Cryptographic key
  URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
  Hosts (5): the.earth.li(93.93.131.124) - malware; transfer.sh(144.76.136.153) - malware; 23.67.53.17; 93.93.131.124; 144.76.136.153 - mailcious
  Alerts (5): ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh); ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI); ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
  10.8 | | 22 | ZeroCERT

8775 | 2023-09-09 21:39 | netTime.exe | MD5 bb3ed0240186a6d24238986c8f774800
  Tags: UPX Malicious Packer Anti_VM PE File PE64 ftp VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Remote Code Execution
  3.8 | | 30 | ZeroCERT