8851 | 2023-11-16 20:31 | etchCore-0.x86.dll | MD5 1f0669f13dc0545917e8397063f806db | score 0.8 | guest
Tags: UPX PE32 PE File DLL OS Processor Check Checks debugger unpack itself crashed

8852 | 2023-11-16 19:05 | Aaezheyu.exe | MD5 0a0600b53524420fff66bd37676a29be | score 1.2 | M | ZeroCERT
Tags: UPX PE File PE64 OS Processor Check Check memory Checks debugger unpack itself

8853 | 2023-11-16 19:03 | need.exe | MD5 e622baf0198d6821fb4e1a8a23618a17 | score 18.0 | M | ZeroCERT
Tags: RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS Socket Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5): ipinfo.io(34.117.59.81), db-ip.com(172.67.75.166), 194.49.94.152, 104.26.4.15, 34.117.59.81
Alerts (11):
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)

8854 | 2023-11-16 19:03 | dllhostex.exe | MD5 f5a7b1f998390241f5c10cbddfe88647 | score 2.6 | guest
Tags: Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Cryptocurrency Miner Cryptocurrency unpack itself Check virtual network interfaces
Hosts (4): iron.tenchier.com(194.195.223.249), 194.195.223.249, 139.177.196.162, 139.59.109.18
Alerts (1): ET POLICY Cryptocurrency Miner Checkin

8855 | 2023-11-16 19:02 | svchost.exe | MD5 54a47f6b5e09a77e61649109c6a08866 | score 0.4 | guest
Tags: Gen1 Malicious Packer UPX PE32 PE File PDB Remote Code Execution

8856 | 2023-11-16 19:02 | Morning.exe | MD5 34b8f4812ef8821f651d1f74618d54a2 | score 11.6 | M | ZeroCERT
Tags: Raccoon Gen1 Malicious Library UPX Malicious Packer Http API ScreenShot PWS HTTP Internet API AntiDebug AntiVM PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Malware RecordBreaker PDB MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Collect installed applications AppData folder sandbox evasion installed browsers check Stealer Windows Browser DNS
URLs (9):
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
  http://195.20.16.35/ - rule_id: 38330
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
  http://195.20.16.35/f7dfd24d220b20be470487526bb7e7c8
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://195.20.16.35/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
Hosts (1): not listed on the page
Alerts (11):
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible Generic Stealer Sending System Information
Other URLs (1): not listed on the page

8857 | 2023-11-16 18:59 | macherako2.1.exe | MD5 5b691330acaa3c5432b9caadbeb82003 | score 3.0 | M | ZeroCERT
Tags: NSIS Malicious Library UPX PE32 PE File FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (3):
  http://www.jaliyahsboutique.site/tb8i/?Mfg=AQaGQeJtSF7XURKecA8O7yr+NlX8zRsowlAtlkToCPVC5G43PHBjCbek0+SoUA10RQeLzaXp&D6h4=O2JdRpPP8
  http://www.freightlizards.com/tb8i/?Mfg=iDy6itdHrWaTfAWmWuh/mgzAS6tKx110PlwR6oB3LkHWhoHRuQXiu8dUVQqS4bUVZcTWjSMs&D6h4=O2JdRpPP8
  http://www.driftlessmenofthewoods.com/tb8i/?Mfg=eqj5Z4ypABx4+RJiqSEL2pQMeiYVPR0bHgBfmB0KWoL2fjeQVwepQ8EqIXRbUYrWMehCRAoK&D6h4=O2JdRpPP8
Hosts (7): www.freightlizards.com(15.197.148.33), www.rykuruh.cfd(), www.driftlessmenofthewoods.com(66.96.162.130), www.jaliyahsboutique.site(62.72.50.217), 3.33.130.190 - phishing, 62.72.50.217, 66.96.162.130 - mailcious
Alerts (1): ET MALWARE FormBook CnC Checkin (GET)

8858 | 2023-11-16 18:59 | AWB No.5839077413pdf.exe | MD5 3192f8ad7bde4add1fd295e08176c383 | score 10.6 | ZeroCERT
Tags: AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
Hosts (2): api.ipify.org(104.237.62.212), 64.185.227.156
Alerts (4):
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup

8859 | 2023-11-16 18:57 | ApplicationUpdateHelper.dll | MD5 86df103101e7b6735eb8c5c305752661 | score 0.8 | guest
Tags: Malicious Library UPX PE32 PE File DLL OS Processor Check Checks debugger unpack itself crashed

8860 | 2023-11-16 18:57 | NOV_INQUIRY.js | MD5 b22055de1a1ea49c1b4f7d64ff315471 | score 2.6 | M | ZeroCERT
Tags: ActiveXObject wscript.exe payload download unpack itself Check virtual network interfaces Tofsee DNS crashed
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://pastebin.com/raw/NVAgzFRR - rule_id: 35284
  https://wtools.io/code/dl/bR6Z
Hosts (5): wtools.io(104.21.6.247) - malware, pastebin.com(104.20.68.143) - mailcious, 104.21.6.247 - malware, 121.254.136.9, 172.67.34.170 - mailcious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
Other URLs (1): https://pastebin.com/raw/NVAgzFRR

8861 | 2023-11-16 18:57 | tucl-1.dll | MD5 83076104ae977d850d1e015704e5730a | score 0.8 | guest
Tags: PE32 PE File DLL Checks debugger unpack itself crashed

8862 | 2023-11-16 18:56 | build.exe | MD5 3f1ba0dace898dc2cee247de5e15f068 | score 1.2 | M | ZeroCERT
Tags: Malicious Library PE32 PE File PDB unpack itself Remote Code Execution

8863 | 2023-11-16 18:53 | gate9.rar | MD5 7ef0c56659703f74b1749bf84b73f82f | score 3.4 | M | ZeroCERT
Tags: AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName

8864 | 2023-11-16 18:49 | x86.dll | MD5 95786b6c28bf8dba7bbfeeba9e1ec27a | score 0.6 | guest
Tags: Malicious Library UPX PE32 PE File DLL DllRegisterServer dll OS Processor Check Checks debugger unpack itself

8865 | 2023-11-16 18:36 | x86.dll | MD5 95786b6c28bf8dba7bbfeeba9e1ec27a | score 0.6 | guest
Tags: Malicious Library UPX PE32 PE File DLL DllRegisterServer dll OS Processor Check Checks debugger unpack itself