8806 | 2023-09-07 19:06 | no230.exe 79aeea7e2cae474eba241c822e5f99e8 | Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 Malware download VirusTotal Malware Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS
    1 | http://5.42.92.211/loghub/master - rule_id: 36282
    1 |
    2 | ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
      | ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
    1 | http://5.42.92.211/loghub/master
    8.8 | M | 14 | ZeroCERT
8807 | 2023-09-07 19:06 | dloidvbsssss.vbs 604119e70e8646be1e0626523f82acd6 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
    3 | http://apps.identrust.com/roots/dstrootcax3.p7c
      | https://uploaddeimagens.com.br/images/004/597/236/original/rump_privada.jpg?1693847070
      | http://95.214.27.56/apama2aktivossssbas364444.txt
    3 | uploaddeimagens.com.br(104.21.45.138) - malware
      | 182.162.106.32
      | 172.67.215.45 - malware
    1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
      |
    8.4 | M | 8 | ZeroCERT
8808 | 2023-09-07 19:04 | tualiop.vbs b712210ee2a1427f19d123de5cc4b29e | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
    3 | http://apps.identrust.com/roots/dstrootcax3.p7c
      | https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
      | http://94.156.253.116/runokais.txt
    3 | uploaddeimagens.com.br(172.67.215.45) - malware
      | 104.21.45.138 - malware
      | 23.32.56.72
    1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
      |
    9.0 | M | 8 | ZeroCERT
8809 | 2023-09-07 19:03 | KUYYERAEUG.exe af43f40a0b114fd0dfc2919b475003ca | Malicious Library PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
      | | | |
    2.4 | M | 34 | ZeroCERT
8810 | 2023-09-07 19:02 | keninv.exe 5a2f3553f03bea972618a4fc780146ab | .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AppData folder suspicious TLD Browser DNS
    5 | http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
      | http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
      | http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
      | http://www.bookingshop01.top/hnmu/?zNts=PAkg1urm7N9AVeASEKiY0GMQCzBOtYt4wERqVQow/jdQ5NqazHSv+YEC2ee5pD3t/p5aHGQj+n8MoPHKBsOZlw3EOYcHEuSkqJKafkc=&PZpKO=y9dVejt2Kk4On
      | http://www.bookingshop01.top/hnmu/
    5 | www.bookingshop01.top(172.67.150.87)
      | www.ost.design(185.83.214.222)
      | 172.67.150.87
      | 185.83.214.222 - mailcious
      | 45.33.6.223
    2 | ET DNS Query to a *.top domain - Likely Hostile
      | ET INFO HTTP Request to a *.top domain
      |
    11.8 | | 18 | ZeroCERT
8811 | 2023-09-07 19:02 | 1.exe ff06438321dc9f8b1dadfe3fecb1df92 | Malicious Library UPX OS Processor Check MZP Format PE File PE64 Check memory Tofsee
      |
    2 | mayo.edu(129.176.1.88)
      | 129.176.1.88
    2 | ET INFO TLS Handshake Failure
      | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
      |
    0.4 | M | | ZeroCERT
8812 | 2023-09-07 19:00 | fantasy.vbs 20b5ae33d5b27bf8d6a25659b4ee4798 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
    3 | http://apps.identrust.com/roots/dstrootcax3.p7c
      | https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
      | http://185.225.75.151/usoudomi.txt
    3 | uploaddeimagens.com.br(104.21.45.138) - malware
      | 23.67.53.17
      | 172.67.215.45 - malware
    1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
      |
    9.0 | | 8 | ZeroCERT
8813 | 2023-09-07 18:59 | jeffzx.doc 302822808680b13287d8d8942ee6dc0c | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware exploit crash unpack itself Windows Exploit DNS crashed
    1 | http://185.28.39.17:7777/185.28.39.18/jeffzx.exe
    1 |
    5 | ET INFO Executable Download from dotted-quad Host
      | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
      | ET POLICY PE EXE or DLL Windows file download HTTP
      | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
      | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
      |
    3.6 | M | 29 | ZeroCERT
8814 | 2023-09-07 18:57 | kenpol.exe 9e621dabf65534dfc620eb0c70f6b7a4 | .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself
      | | | |
    7.4 | | 17 | ZeroCERT
8815 | 2023-09-07 18:57 | jatropkaq.vbs 567e6ba31d1adf5a1fd3e69d1f0e1865 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
    3 | http://apps.identrust.com/roots/dstrootcax3.p7c
      | https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
      | http://163.123.143.164/lopmadi.txt
    3 | uploaddeimagens.com.br(104.21.45.138) - malware
      | 121.254.136.9
      | 104.21.45.138 - malware
    1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
      |
    8.4 | | 8 | ZeroCERT
8816 | 2023-09-07 17:54 | obizx.doc 5c2b9063897b742f636bbed0c5dc7884 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware exploit crash IP Check Tofsee Windows Exploit DNS crashed
    1 | http://185.28.39.17:7777/185.28.39.18/obizx.exe
    5 | cp5ua.hyperhost.ua(91.235.128.141)
      | api.ipify.org(104.237.62.212)
      | 185.28.39.17 - malware
      | 104.237.62.212
      | 91.235.128.141
    8 | SURICATA Applayer Detect protocol only one direction
      | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
      | ET INFO Executable Download from dotted-quad Host
      | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
      | ET POLICY PE EXE or DLL Windows file download HTTP
      | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
      | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
      | ET INFO TLS Handshake Failure
      |
    3.6 | M | 29 | ZeroCERT
8817 | 2023-09-07 17:49 | mtxRwzg.exe e244628c750d40509ef2e3e72e4c2049 | UPX .NET framework(MSIL) Http API Escalate priviledges AntiDebug AntiVM OS Processor Check PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process sandbox evasion Windows Browser ComputerName Cryptographic key crashed
      | | | |
    10.8 | M | 34 | ZeroCERT
8818 | 2023-09-07 17:47 | 123.exe 4c328b215a84c1b2c982a3268b4a0cea | PE File PE64 VirusTotal Cryptocurrency Miner Malware unpack itself DNS CoinMiner
      |
    2 | pool.hashvault.pro(125.253.92.50) - mailcious
      | 125.253.92.50
    1 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
      |
    1.8 | M | 31 | ZeroCERT
8819 | 2023-09-07 17:47 | undergroundzx.exe 4f91d6f43a69717ff16f3c09dcd0e7e8 | PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
      | | | |
    2.0 | M | 30 | ZeroCERT
8820 | 2023-09-07 17:45 | qqdownloadftnv5 9cbc21a9ed6e1525332557904760e570 | VBA_macro Generic Malware Http API PWS ScreenShot KeyLogger AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting unpack itself
      | | | |
    3.6 | M | 45 | ZeroCERT