| 8761 |
2023-09-10 09:16
|
 mcakcsmm7d fb53ba2be077cdd3122c67247890db76
Hide_EXE AntiDebug AntiVM VirusTotal Email Client Info Stealer Malware Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email |
|
|
|
|
3.6 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8762 |
2023-09-09 21:55
|
 Black_Saturn.exe 33a22c3db8fe05d4c819a9c9360c8de4
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
2.2 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8763 |
2023-09-09 21:53
|
 Jakugym.exe 19b80e894146b941d7a1b47e5264dde0
UPX .NET framework(MSIL) PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces IP Check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key |
1
http://ip-api.com/json/?fields=11827
|
4
ip-api.com(208.95.112.1)
api.telegram.org(149.154.167.220)
208.95.112.1
149.154.167.220
|
5
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
ET HUNTING Telegram API Domain in DNS Lookup
|
|
6.8 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8764 |
2023-09-09 21:53
|
 setupX.exe 6c98e7cbfb82fb29f4bd29fb0bd5acc0
Malicious Library UPX PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
|
11.2 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8765 |
2023-09-09 21:50
|
devalzx.doc 9c104fa0210a291c44d1a4073577a214
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware exploit crash unpack itself Windows Exploit DNS crashed |
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8766 |
2023-09-09 21:50
|
 toolspub4.exe 98ce8687a896a63f1a52979ce8871b2e
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
2.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8767 |
2023-09-09 21:48
|
 168.exe e334c5353a9700935d476c2460ab0e22
RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
4.4 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8768 |
2023-09-09 21:48
|
 devalzx.exe 6c1f6ba0b351e825fe667aa684f11fdd
.NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8769 |
2023-09-09 21:46
|
lnvoice_1332936990.js fd8654cbec65781ef40ef64410c93bf6
Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8770 |
2023-09-09 21:44
|
IGCCU.lnk e67fd436c857cd3c1ec0c9fd287d4b5f
Generic Malware Antivirus Hide_URL AntiDebug AntiVM Lnk Format GIF Format PowerShell VirusTotal Malware VBScript powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
http://141.98.6.202/windows/wind/IE_Cache.vbs
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070
http://141.98.6.202/windows/Notedpad.txt
|
4
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.45.138 - malware
141.98.6.202 - malware
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
12.2 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8771 |
2023-09-09 21:42
|
chungzx.doc 592dd1fe894165940b95381201c91017
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware RWX flags setting exploit crash Windows Exploit DNS DDNS crashed |
1
http://185.28.39.17:7777/185.28.39.18/chungzx.exe
|
3
ascoitaliasasummer.duckdns.org(194.147.140.199) - mailcious
194.147.140.199 - mailcious
185.28.39.17 - malware
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
SURICATA Applayer Protocol detection skipped
|
|
4.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8772 |
2023-09-09 21:41
|
 igfxCU.exe e99042bc75c1e7c4ae8803b59a817975
Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself |
4
http://www.gracefullytouchedartistry.com/sy22/?Mfg=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&D6h4=O2JdRpPP8 - rule_id: 35940
http://www.gk84.com/sy22/?Mfg=EZXT1couL1SMJvG2qeg6eanykcNOwoSwRkeI+9JF3ekTKFJ8rStu/JDK0lzRposG9gxESXnb&D6h4=O2JdRpPP8
http://www.omclaval.com/sy22/?Mfg=Vmf4Q5/zoPfldgruhOQLZP4+4m5gHfPs/jeCYPGlLiq5dZVswyzLC3uxqGOHhCLAF9vvj7E0&D6h4=O2JdRpPP8
http://www.sx15k.com/sy22/?Mfg=uDOmxGSZOI7byjRwM2VfDnyujtJEJ3PREhDiUuqfTZK7lE43sYjySeizw7LCJ3MdEZKjGoPp&D6h4=O2JdRpPP8 - rule_id: 35941
|
8
www.gk84.com(107.148.223.82)
www.omclaval.com(34.117.168.233)
www.sx15k.com(211.149.249.34) - mailcious
www.gracefullytouchedartistry.com(34.149.87.45) - mailcious
34.117.168.233 - mailcious
211.149.249.34 - mailcious
107.148.223.82
34.149.87.45 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.gracefullytouchedartistry.com/sy22/
http://www.sx15k.com/sy22/
|
5.0 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8773 |
2023-09-09 21:41
|
 mshta.hta cc504d2b599df93f30cf9fe27cb00ce2
Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
|
1
185.246.221.126 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.8 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8774 |
2023-09-09 21:41
|
 1.hta ff3ba7711a230e6c17ac77a271ec3622
Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS Cryptographic key |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
5
the.earth.li(93.93.131.124) - malware
transfer.sh(144.76.136.153) - malware
23.67.53.17
93.93.131.124
144.76.136.153 - mailcious
|
5
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
|
|
10.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8775 |
2023-09-09 21:39
|
 netTime.exe bb3ed0240186a6d24238986c8f774800
UPX Malicious Packer Anti_VM PE File PE64 ftp VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Remote Code Execution |
|
|
|
|
3.8 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|