8881 |
2023-09-06 07:48
|
Services.exe ca7502cd02a0a170d9f4305c18410126 PrivateLoader RedLine Infostealer RedLine stealer Generic Malware Malicious Library UPX VMProtect .NET framework(MSIL) Confuser .NET Malicious Packer PWS SMTP AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE PE64 DLL Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD sandbox evasion WriteConsoleW anti-virtualization IP Check installed browsers check PrivateLoader Tofsee Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
27
|
57
|
22
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.pw domain - Likely Hostile
SURICATA Applayer Mismatch protocol both directions
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
7
|
23.8 |
M |
52 |
ZeroCERT
8882 |
2023-09-06 07:46
|
6606.exe 8e17227d496580ab3015b0196442e49f AsyncRAT UPX .NET framework(MSIL) Malicious Packer OS Processor Check PE File .NET EXE PE32 VirusTotal Malware DNS |
|
1
|
|
|
3.2 |
|
53 |
ZeroCERT
8883 |
2023-09-06 07:46
|
update.exe f8714a5169debbd07cacc5cd529f117a Malicious Library UPX Malicious Packer PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
4
api.ipify.org(64.185.227.156) api.telegram.org(149.154.167.220) 173.231.16.76 149.154.167.220
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
5.2 |
|
53 |
ZeroCERT
8884 |
2023-09-06 07:45
|
DocRecevutta.exe 334df8989da06aff9a71ab0f6534301a njRAT backdoor Generic Malware Malicious Library UPX Antivirus OS Name Check OS Processor Check CAB PE File PE32 MSOffice File VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows Remote Code Execution DNS Cryptographic key |
|
2
179.43.158.2 45.9.74.80 - malware
|
|
|
4.2 |
M |
26 |
ZeroCERT
8885 |
2023-09-06 07:45
|
file.exe 16b14dbba5d98857cc8b06fd9319d68a Generic Malware Malicious Library UPX Malicious Packer Anti_VM OS Processor Check PE File PE64 VirusTotal Malware crashed |
|
|
|
|
1.0 |
M |
25 |
ZeroCERT
8886 |
2023-09-06 07:42
|
Fnvtdhenapsfwu.exe cffe529403460c6affe0f52c1e7de602 Malicious Library UPX Admin Tool (Sysinternals etc ...) MZP Format PE File PE32 URL Format Remcos VirusTotal Malware Check memory unpack itself Windows keylogger |
1
http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenaps
|
5
tornado.ydns.eu(193.42.32.61) wsvdyhrgebwhevawe.ydns.eu(81.161.229.9) - mailcious orifak.ydns.eu(193.42.32.61) 193.42.32.61 81.161.229.9 - mailcious
|
1
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
3.4 |
M |
32 |
ZeroCERT
8887 |
2023-09-05 21:10
|
aaeaf69dc4dd105e8e2d637a9336af... 8333b78c2a3eacf8cfd843a7b62ce6ba Generic Malware UPX Malicious Packer AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted Creates executable files RWX flags setting unpack itself malicious URLs Remote Code Execution crashed |
2
http://lastimaners.ug/zxcvb.exe
http://lastimaners.ug/asdfg.exe
|
1
lastimaners.ug() - malware
|
|
|
7.2 |
|
56 |
guest
8888 |
2023-09-05 21:07
|
4f0926d0d27a4ac8d93749b86cc9cb... 7d9cc6628fad0eb20977796f5c2335a7 Emotet Malicious Library UPX OS Processor Check PE File DllRegisterServer dll PE32 VirusTotal Malware unpack itself |
|
|
|
|
1.4 |
|
22 |
guest
8889 |
2023-09-05 09:23
|
Uni.bat aa2cc8f91afd53faea6991ab256a8a7e Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger Anti_VM AntiDebug AntiVM suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
3.0 |
|
|
ZeroCERT
8890 |
2023-09-05 09:16
|
invoiceID485.wsf 02f6d3f1ccfefe7a445d2a3f65f434a5 Generic Malware Antivirus ZIP Format VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key Dropper |
2
http://23.254.227.121:222/dd.txt
http://23.254.227.121:222/bn.jpg
|
1
23.254.227.121 - mailcious
|
|
|
10.0 |
M |
2 |
ZeroCERT
8891 |
2023-09-05 08:57
|
gen.txt.vbs cd6bed1ef56b1e58d23ede753dc7e9e5 Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://45.138.16.89:222/coder.jpg
|
1
|
|
|
8.6 |
M |
|
ZeroCERT
8892 |
2023-09-05 08:47
|
foto7866.exe 86e1e4c7dd69a31a2c6fe3d9e40c923f Gen1 Emotet Malicious Library UPX CAB PE File PE32 AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Update Remote Code Execution Cryptographic key crashed |
|
|
|
|
7.4 |
M |
|
ZeroCERT
8893 |
2023-09-05 08:44
|
pusan.exe 4fc4f4eef8a8dcb87b99721fda7113f2 Malicious Library UPX Anti_VM AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection Check memory RWX flags setting unpack itself suspicious process AppData folder ComputerName Remote Code Execution |
|
|
|
|
3.6 |
M |
|
ZeroCERT
8894 |
2023-09-05 08:43
|
main.exe db4801f350f32e49f20e81ddba0e91a6 Gen1 Emotet Generic Malware Malicious Library UPX ASPack OS Processor Check PE File PE64 DLL ZIP Format ftp DllRegisterServer dll VirusTotal Malware Check memory Creates executable files crashed |
|
|
|
|
2.4 |
M |
39 |
ZeroCERT
8895 |
2023-09-05 08:43
|
e4C7Fwop.wsf 6f83b9c7c240127c0b92ce814d02bcb0 wscript.exe payload download DNS |
1
http://185.252.178.121:222/gen.txt
|
1
185.252.178.121 - mailcious
|
|
|
2.8 |
|
|
ZeroCERT