8866 | 2023-11-16 18:34 | svchost.exe 54a47f6b5e09a77e61649109c6a08866 Gen1 Malicious Packer UPX PE32 PE File PDB Remote Code Execution | | | | | 0.4 | | | guest
8867 | 2023-11-16 18:34 | Windows Loader.exe ab6675956f434085e7a387c7c76e8ceb Gen1 Generic Malware Malicious Library Malicious Packer UPX PE32 PE File MachineGuid Check memory Checks debugger WMI RWX flags setting unpack itself Checks Bios sandbox evasion anti-virtualization ComputerName Remote Code Execution Firmware crashed | | | | | 5.6 | | | guest
8868 | 2023-11-16 16:24 | 02390d465ec5ef463741f737b0d098... 01244c0aaa1117bb904d354dc8f5729f RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger ICMP traffic unpack itself Check virtual network interfaces suspicious TLD Windows Cryptographic key crashed keylogger | 1: http://gmacro.ru/files/pubg/versionpubg.txt | 2: gmacro.ru(194.67.207.88); 194.67.207.88 | | | 7.4 | | 20 | r0d
8869 | 2023-11-16 15:57 | htmlbrowserhistorycleanbothfil... 819445270fd095cf54c6768d1e380e1b Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 3: http://apps.identrust.com/roots/dstrootcax3.p7c; https://paste.ee/d/U1LNm; https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750 | 5: paste.ee(104.21.84.67) - mailcious; uploaddeimagens.com.br(104.21.45.138) - malware; 61.111.58.34 - malware; 172.67.187.200 - mailcious; 104.21.45.138 - malware | 2: ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.0 | | 2 | ZeroCERT
8870 | 2023-11-16 15:54 | htmlbrowserhistorycleanwithcoo... 1840929cb01d825efc19c973c961230d MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit DNS crashed | | 1: 188.127.225.196 - mailcious | | | 4.8 | M | 33 | ZeroCERT
8871 | 2023-11-16 15:21 | 5dd663aa30da9fd0b72650d9e8c259... fd36da278e03915e659c14f3c1b88a56 RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File ftp OS Processor Check VirusTotal Malware PDB Check memory Checks debugger ICMP traffic unpack itself Check virtual network interfaces suspicious TLD Windows Cryptographic key crashed | | 2: files.gmacro.ru(95.216.77.146); 95.216.77.146 | | | 6.2 | | 12 | r0d
8872 | 2023-11-16 13:37 | clp.exe 9bc7730e14189753be3c8c680c12d3a7 UPX PE File PE64 .NET EXE VirusTotal Malware Windows Remote Code Execution crashed | | | | | 2.8 | M | 50 | ZeroCERT
8873 | 2023-11-16 13:35 | lightmuzik2.1.exe 8a7e5664d1f1d5bf41c6d943299aa1e8 NSIS Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Browser Email ComputerName DNS Software crashed | | 2: api.ipify.org(64.185.227.156); 64.185.227.156 | 4: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO TLS Handshake Failure; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 7.2 | M | 47 | ZeroCERT
8874 | 2023-11-16 13:32 | amd.exe 20475c809f00840b49f662de6c9216ff Amadey Themida Packer Generic Malware UPX Anti_VM PE32 PE File VirusTotal Malware AutoRuns Malicious Traffic Check memory unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process AppData folder WriteConsoleW VMware anti-virtualization Windows ComputerName Firmware DNS crashed | 1: http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993 | 1: 185.172.128.100 - mailcious | | 1: http://185.172.128.100/u6vhSc3PPq/index.php | 11.8 | M | 53 | ZeroCERT
8875 | 2023-11-16 13:30 | TrueCrypt_lDwnwJ.exe d6a28fab04acec60305a5c6be5b105d2 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware crashed | | | | | 0.6 | | 7 | ZeroCERT
8876 | 2023-11-16 13:28 | build.exe af3b051d8a6a33705bd095b6d5608355 Malicious Library PE32 PE File VirusTotal Malware PDB unpack itself Remote Code Execution | | | | | 2.2 | M | 33 | ZeroCERT
8877 | 2023-11-16 13:27 | unsecapp.exe 7630a755b70921f9f22891035c3628e9 Malicious Library PE32 PE File Browser Info Stealer VirusTotal Malware unpack itself AppData folder suspicious TLD Browser DNS | 21:
| 32:
| 5: ET INFO Observed DNS Query to .biz TLD; ET DNS Query to a *.top domain - Likely Hostile; ET INFO HTTP Request to a *.top domain; ET INFO HTTP Request to Suspicious *.life Domain; ET INFO Observed DNS Query to .life TLD | | 4.0 | M | 54 | ZeroCERT
8878 | 2023-11-16 13:26 | ama.exe 501fa03f6abac7f44696927b21cfefb5 Amadey Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS | 1: http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993 | 1: 185.172.128.100 - mailcious | | 1: http://185.172.128.100/u6vhSc3PPq/index.php | 8.2 | M | 51 | ZeroCERT
8879 | 2023-11-16 13:23 | traffico.exe 461b8083838b2d837b19466b5acce0e4 Malicious Library Malicious Packer PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | | 1 | 4: ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound); ET MALWARE Redline Stealer Activity (Response) | | 6.2 | M | 49 | ZeroCERT
8880 | 2023-11-16 07:56 | ama.exe a61aac13f8a4841915791fb57aa2e275 Amadey UPX PE32 PE File Malware download Amadey Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS | 1: http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993 | 4: www.dropbox.com(162.125.84.18) - mailcious; 208.91.197.132 - mailcious; 185.172.128.100 - mailcious; 162.125.84.18 - mailcious | 2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Amadey Bot Activity (POST) | 1: http://185.172.128.100/u6vhSc3PPq/index.php | 7.8 | M | | ZeroCERT