ZeroCERT sandbox listing, 2023-09-04. Record layout: id | submission time | sandbox; File, MD5, Tags; then the URLs, Hosts, Alerts and Matched URL rules columns where the listing has entries (count in parentheses); then Score, the M flag where set, and VT (shown only for samples tagged VirusTotal).

8911 | 2023-09-04 17:13 | ZeroCERT
File: foto2166.exe
MD5: 1ad10fe1f8b0816dcc0c371a16383f10
Tags: Gen1 Emotet Malicious Library UPX CAB PE File PE32 VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Update Remote Code Execution Cryptographic key crashed
Score: 8.6 | M | VT: 46

8912 | 2023-09-04 17:10 | ZeroCERT
File: @interpoIpanic_alice.exe
MD5: d9109db79ab552695a226bd2bde10c92
Tags: Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
Hosts (1): entries not included in the listing
Score: 9.2 | VT: 28

8913 | 2023-09-04 17:08 | ZeroCERT
File: fotod200.exe
MD5: e08ec2efbc2cb0b25e6b8b63a6c19014
Tags: Gen1 Emotet Malicious Library UPX CAB PE File PE32 VirusTotal Malware AutoRuns PDB Check memory Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution
Score: 5.2 | VT: 39

8914 | 2023-09-04 17:08 | ZeroCERT
File: obizx.exe
MD5: 1caeba20d73f6665029d6bc0fa853312
Tags: .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
Score: 2.2 | VT: 22

8915 | 2023-09-04 17:06 | ZeroCERT
File: gen.txt.vbs
MD5: 028a0617ed7c664bd7ba075bf52fb984
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1):
http://51.254.49.49:222/truintobroth/cod.jpg
Hosts (1): entries not included in the listing
Score: 9.0 | M | VT: 6

8916 | 2023-09-04 17:05 | ZeroCERT
File: cod.jpg.vbs
MD5: 40674809fecf09c232335b84919108b2
Tags: Antivirus crashed
Score: 0.2 | M

8917 | 2023-09-04 15:26 | ZeroCERT
File: set17.exe
MD5: 9cb1d62bdfac3735fcbc75a9ed9fc113
Tags: Emotet Gen1 Malicious Library UPX Confuser .NET MZP Format PE File PE32 DLL OS Processor Check DllRegisterServer dll PE64 CHM Format suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW Windows ComputerName crashed
Score: 4.2 | M

8918 | 2023-09-04 15:23 | ZeroCERT
File: setup294.exe
MD5: 6b4871afc29f9a0494fddb3a475c638e
Tags: Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution
Score: 3.4

8919 | 2023-09-04 15:10 | ZeroCERT
File: Instal_pass.7z
MD5: 6012442e75bf062ee37a19e3b813b95c
Tags: PrivateLoader Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows RisePro Trojan DNS Downloader
URLs (25):
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://87.121.221.58/g.exe - rule_id: 35764
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://myfilebest.com/order/set17.exe
http://94.142.138.113/api/tracemap.php - rule_id: 28877
https://preconcert.pw/setup294.exe
https://vk.com/doc44017378_668841700?hash=B7naXG9fPpueUKaZxzbzFzqgThiLopd9A232GVSoLbD&dl=VDCn0RuU4RRcIuzpA6hHZu4JCvVt7UCUAmWFRORbSKs&api=1&no_preview=1
https://vk.com/doc44017378_668806860?hash=qtzoSGTGfTX0Y89NBaFBYakjoCyaeVOVJQ5aLZ9qe6c&dl=MsOUl0nIy2MxBmzFM55NV4K7DzBdgHfls4LY6OEHerL&api=1&no_preview=1#qq
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc44017378_668685574?hash=2Z9kWDMxHv9Bg52ieOFMjjyZlIe2LzZhpXJtbJfi2jD&dl=MckLSTrLnFqxzbDQcQsY8zw8KxvNLWnEyU8AMbhyK6s&api=1&no_preview=1#WW1
https://psv4.userapi.com/c909618/u44017378/docs/d58/3ae907fdfcf3/Synapse.bmp?extra=KUBnABH___ud3k6Iz_4j06dbnFS9VRlNbUwfTgh7gFkqGiY9bpQRB8S2WTllutClgFicO9HQdM2CdICtoMDrTIUve1tpzFA4EraxxEm1T-w5HYMIufQJZJ3ZZuL60ICYmx_il49EiGSxeEtl
https://db-ip.com/
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-20.userapi.com/c909228/u44017378/docs/d21/84fb03a45baf/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=0flX9Y0ztZxXjKMYf4MpJJjzvYpZP31BlbRhAJosHEXpLdo8JT_b5DH9Y0PRC9dGByVJGDom6Q85dl7oudoJZHFhYVAOPLcxqHxV4bfTwq2t2ZLBF5atjVwW-KpohUyr8NnU5FS4_f1sEXD4
https://sun6-23.userapi.com/c240331/u44017378/docs/d40/ea107227b79a/test2.bmp?extra=T669DDPm8ZLFNZCYmG4ho1hhgwomS77jaE2Yn7VnIXwin8UREXNFw9ArqM4W0cg7xTW45XFbxsmQRIFsVfy1w7UsYsb0Uhx9j2OLuM-0E3RUf8vSZA5CNcinhMJmev2Nv1FGmFs4mSuLTip3
https://vk.com/doc44017378_668790441?hash=ZAKf3wtiDekEKOwL5zOUpKlhs3NsBThU4THBbA9UjZ0&dl=tGcv3oqIrQKDSR0z8GXJxfn9P4s1HZm2ci3UQevYE7w&api=1&no_preview=1#test2
https://sun6-20.userapi.com/c909618/u44017378/docs/d36/970407f834ab/PL_Client.bmp?extra=aN41sDSFUADrGrdU_RjM1QHebyaC6CfPPnkhN8Sh5X1ARi3KwK86JBBO2RmrPchH2zWsjNJamP2kvNM4ZBw3wVvUHefjC0u7DuaIJJ3n0zlEfuc5TbQudsfFWKgLDw8h18lU6pjBLjcaodL_
https://vk.com/doc44017378_668805679?hash=Pq8nRu8IL2bYqDVs2GPjMvpAFMOm04kusdFGQmRlGY0&dl=ns6C3Wug8h8cGKJrvWC9ONCmtSXnbVIqzmpprkB3Voz&api=1&no_preview=1#rise
https://sun6-21.userapi.com/c909628/u44017378/docs/d11/ac2bb3ec415d/WWW1.bmp?extra=PdcCi5Du3aPXs6h3g6zfZQ1vp80eYhCaeQWYwshlaKabq3cItIQbRsgtJq0TWtJ44yhs8vYSoCXkcJ9B1aoCxAqw1FzxTuOWr37cbrEr81UIcHuZxy3avmSshVlPZDeDf90bALLE9p_SrNDd
https://sun6-21.userapi.com/c909218/u44017378/docs/d35/7d15da7ffef6/qq.bmp?extra=2GxVWJpu25oym3VxYwWNtfWO8cQIKYpcF0VxbVK3BFm6aprr9H7tTHFEku9l_-NfQgcfHxfucUok_MgxivF-HiFfE_IhhOE0f3IqvHMsERCQI19xXhu3k8QfnZs_rFCImiUJW5RjB0c29Ysf
https://sun6-22.userapi.com/c235031/u44017378/docs/d4/1974a6683533/crypted.bmp?extra=XHKJoN80jGNAz1QmohIWSJwLNw1xbuFQMIVe0WiYZj62gT4pGvNZfyg4fHynhr0PlaBSK9k-uRbQkcGieK0oYQcB8CGDXqOb9JLjC38GlvNCMUriI1WLUKlrZb65vZcsrmYy1EOO8igzh7tD
https://vk.com/doc44017378_668771908?hash=xTpUd6Irq53Iv3XxYBTLtZCTvA1vPIxYTBJi9GFflYg&dl=r01wYZoWFOYu6Y5AAmkbdHXEnBHxBfvDm7ze3p9Hqz0&api=1&no_preview=1#1
https://vk.com/doc44017378_668679037?hash=6lxdrm9NUkSryZCfzYZn4zR2sOTXzaKgfQIcVCaPnvX&dl=FLqYTpktPSSWsXhtSyyzRawRyuZZexn7WIKXiXEZBv4&api=1&no_preview=1
Hosts (49):
preconcert.pw(172.67.197.101)
api.2ip.ua(162.0.217.254)
db-ip.com(172.67.75.166)
psv4.userapi.com(87.240.190.76)
api.db-ip.com(104.26.5.15)
api.myip.com(172.67.75.163)
agsnv.com(181.214.31.34) - malware
iplis.ru(148.251.234.93) - malicious
sun6-22.userapi.com(95.142.206.2)
iplogger.org(148.251.234.83) - malicious
sun6-23.userapi.com(95.142.206.3)
ipinfo.io(34.117.59.81)
myfilebest.com(172.67.183.191)
www.maxmind.com(104.18.145.235)
sun6-20.userapi.com(95.142.206.0) - malicious
vk.com(87.240.132.67) - malicious
sun6-21.userapi.com(95.142.206.1) - malicious
148.251.234.93 - malicious
194.169.175.128 - malicious
104.18.145.235
181.214.31.34 - malware
77.91.68.238 - malware
87.240.129.133 - malicious
104.26.5.15
172.67.75.163
87.240.190.76
87.121.221.58 - malware
172.67.75.166
104.21.56.98
162.0.217.254
194.26.135.162 - malicious
87.240.132.67 - malicious
34.117.59.81
148.251.234.83
104.21.84.222
121.254.136.9
176.123.9.142 - malicious
94.142.138.113 - malicious
185.225.73.32 - malicious
149.202.0.242 - malicious
45.15.156.229 - malicious
104.26.9.59
104.26.4.15
87.240.137.164 - malicious
95.142.206.3
163.123.143.4 - malicious
95.142.206.1 - malicious
95.142.206.0 - malicious
95.142.206.2
Alerts (28):
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
Matched URL rules (4):
http://45.15.156.229/api/tracemap.php
http://87.121.221.58/g.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.113/api/tracemap.php
Score: 6.0 | M

8920 | 2023-09-04 15:06 | ZeroCERT
File: Invitation To Attend Cryptocur...
MD5: 0b4aab3d1e2946b15b70a63187c1f927
Tags: AntiDebug AntiVM CHM Format VirusTotal Malware AutoRuns MachineGuid Code Injection Check memory RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
URLs (1):
http://dashonlineclub.com/CVBN/mzx.php
Score: 4.8 | VT: 20

8921 | 2023-09-04 11:15 | ZeroCERT
File: 4.html
MD5: f71368efc1380be49fbffadd63510ab1
Tags: Antivirus AntiDebug AntiVM MSOffice File Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Alerts (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
Score: 3.4 | M

8922 | 2023-09-04 11:06 | ZeroCERT
File: 4.html
MD5: f71368efc1380be49fbffadd63510ab1
Tags: Antivirus unpack itself crashed
Score: 0.6 | M

8923 | 2023-09-04 11:01 | ZeroCERT
File: Konni_종합소득세 해명자료 제출 안내.lnk... (Korean filename, in English: "comprehensive income tax clarification materials submission notice")
MD5: 19dc387bffdc0a22f640bd38af320db4
Tags: Generic Malware Suspicious_Script_Bin Antivirus HWP PS PostScript Malicious Library AntiDebug AntiVM Lnk Format GIF Format PowerShell MSOffice File PE File PE32 ZIP Format Malware download VirusTotal Malware Campaign powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI heapspray Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check Konni Windows ComputerName DNS Cryptographic key
URLs (3):
http://serviceset.net/upload.php
https://file.drive002.com/read/get.php?cu=ln3&so=xu6502
http://serviceset.net/list.php?f=%COMPUTERNAME%.txt
Hosts (5):
resolver1.opendns.com(208.67.222.222)
serviceset.net(88.119.169.93)
myip.opendns.com()
88.119.169.93
208.67.222.222
Alerts (2):
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
ET MALWARE [ANY.RUN] Konni.APT Exfiltration
Score: 15.4 | VT: 10

8924 | 2023-09-04 10:30 | ZeroCERT
File: Fukushima.chm
MD5: 9e6a2914a35256dd450db549fb975f45
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM CHM Format VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process suspicious TLD WriteConsoleW Interception Windows ComputerName Cryptographic key
URLs (2):
http://navercorp.ru/dashboard/image/202302/4.html
http://navercorp.ru/dashboard/image/202302/com.php
Hosts (2):
navercorp.ru(46.254.21.69)
46.254.21.69
Alerts (1):
ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
Score: 8.4 | VT: 14

8925 | 2023-09-04 09:40 | ZeroCERT
File: aafg31.exe
MD5: 103b3199c5a7b92b74ce14f14a3965d4
Tags: Malicious Library UPX PE File PE64 VirusTotal Malware PDB unpack itself Tofsee Remote Code Execution
URLs (1):
https://z.nnnaajjjgc.com/sts/imagd.jpg
Hosts (2):
z.nnnaajjjgc.com(156.236.72.121) - malware
156.236.72.121 - malicious
Alerts (2):
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 1.8 | VT: 33
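The records above are exported in a flattened layout: a record number and timestamp, a single line carrying the filename, its MD5 and the sandbox tags, then four pipe-terminated columns for URLs, hosts, IDS alerts and matched URL rules (each a bare count line followed by its entries, or empty), and finally the score, flag and detection-count columns. The Python below is an added example, not code from the ZeroCERT sandbox or from this listing: it parses that layout into per-record IOC sets, keeps the `- malware` / `- malicious` annotations on hosts, splits the space-joined Suricata signature names back into individual alerts, defangs URLs for reports, and links a record to the records whose submitted filename it downloaded, which is how 8919 (Instal_pass.7z) connects to 8917 (set17.exe) and 8918 (setup294.exe) in this listing. `SAMPLE` is a constructed, abbreviated excerpt of records 8917 and 8919 in that layout; the column names (`urls`, `hosts`, `alerts`, `rule_hits`) and the `extra` field are the example's own labels for what the listing shows positionally.

```python
"""Parse ZeroCERT-style sandbox listing records into IOC sets and cross-link them (added example)."""
import re

# Constructed, abbreviated excerpt (records 8917 and 8919) in the listing's flattened export layout.
SAMPLE = """\
8917 |
2023-09-04 15:26
|
set17.exe 9cb1d62bdfac3735fcbc75a9ed9fc113 Emotet Gen1 Malicious Library UPX Confuser .NET |
|
|
|
|
4.2 |
M |
|
ZeroCERT
8919 |
2023-09-04 15:10
|
Instal_pass.7z 6012442e75bf062ee37a19e3b813b95c PrivateLoader RedLine RisePro Downloader |
3
http://87.121.221.58/g.exe - rule_id: 35764 http://myfilebest.com/order/set17.exe
https://preconcert.pw/setup294.exe
|
3
preconcert.pw(172.67.197.101) myfilebest.com(172.67.183.191) 87.121.221.58 - malware
|
2
ET MALWARE Redline Stealer TCP CnC Activity SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
|
ZeroCERT
"""

HEAD = re.compile(r"^(\d+) \|\n(\d{4}-\d\d-\d\d \d\d:\d\d)\n", re.M)
MD5 = re.compile(r"\b([0-9a-fA-F]{32})\b")
URL = re.compile(r"https?://\S+")
RULE = re.compile(r"rule_id: (\d+)")
HOST = re.compile(r"([A-Za-z0-9.-]+\.[A-Za-z]{2,})\((\d{1,3}(?:\.\d{1,3}){3})?\)")
IP = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])(?: - (malware|malicious))?")


def _fill(rec, col, text):
    """Populate one column; empty text means the count was exported without its entries."""
    if col in ("urls", "rule_hits"):
        rec[col] = URL.findall(text)
        rec["rule_ids"] += [int(x) for x in RULE.findall(text)]
    elif col == "alerts":  # signature names are space-joined; split before each rule prefix
        rec["alerts"] = [a for a in re.split(r"\s(?=(?:ET [A-Z]+|SSLBL:|SURICATA)\s)", text) if a]
    else:
        rec["hosts"] = {dom: ip or None for dom, ip in HOST.findall(text)}
        for ip, tag in IP.findall(text):  # bare IPs carry the "- malware" / "- malicious" note
            rec["ips"][ip] = tag or rec["ips"].get(ip)


def parse_listing(text):
    """Split the export into records; each dict holds file, md5, tags, the IOC columns and score."""
    records, heads = [], list(HEAD.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        lines = [ln.rstrip() for ln in text[h.end():end].splitlines()]
        j = next(k for k, ln in enumerate(lines) if ln != "|")  # the "<file> <md5> <tags> |" line
        m = MD5.search(lines[j])
        rec = {"id": h.group(1), "time": h.group(2), "file": lines[j][: m.start()].strip(),
               "md5": m.group(1).lower(), "tags": lines[j][m.end():].rstrip(" |").strip(),
               "urls": [], "hosts": {}, "ips": {}, "alerts": [], "rule_hits": [], "rule_ids": []}
        seps = [k for k in range(j + 1, len(lines)) if lines[k] == "|"][:4]  # column terminators
        start = j + 1
        for col, stop in zip(("urls", "hosts", "alerts", "rule_hits"), seps):
            body, start = lines[start:stop], stop + 1
            if body and body[0].isdigit():  # a filled column: bare count line, then its entries
                rec[col + "_count"] = int(body[0])
                _fill(rec, col, " ".join(body[1:]))
        rest = [ln.rstrip(" |") for ln in lines[start:] if ln.rstrip(" |") not in ("", "ZeroCERT")]
        rec["score"] = float(rest.pop(0)) if rest and re.fullmatch(r"\d+\.\d+", rest[0]) else None
        rec["extra"] = rest  # whatever follows the score: the "M" flag and detection count, if shown
        records.append(rec)
    return records


def link_records(records):
    """Map a record id to (child id, filename) pairs where the child is a submitted file it downloaded."""
    by_name = {}
    for r in records:
        by_name.setdefault(r["file"], []).append(r["id"])
    links = {}
    for r in records:
        for url in r["urls"]:
            base = url.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
            links.setdefault(r["id"], []).extend((c, base) for c in by_name.get(base, []) if c != r["id"])
    return {k: v for k, v in links.items() if v}


def defang(url):
    """Render a URL safe to paste into a report: http -> hxxp and bracketed dots in the host."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path
```

Calling `parse_listing(SAMPLE)` yields two records; `link_records` on them returns `{"8919": [("8917", "set17.exe")]}`, and with the full listing as input the same basename match also ties 8924 (Fukushima.chm, which fetches `.../202302/4.html`) to the two 4.html submissions 8921 and 8922, whose identical MD5 is the simpler check that they are one file. Columns whose count is listed without entries (8912 and 8915 above) come back with a `_count` key and an empty collection rather than an error, and nothing in the block contacts any of the hosts it parses.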