| 8971 |
2023-09-01 09:07
|
 wwlib aa1188eb63e988676a78adf858d8a887
Malicious Library UPX OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
1.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8972 |
2023-09-01 09:07
|
 4t.exe 33a1cc504b545fc22aa44dbc9cf12882
Malicious Library PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8973 |
2023-09-01 09:07
|
HWX.vbs eff515cd80fca123c65f7ed20d7f071f
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://94.156.161.167/tl/luq98.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.33 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8974 |
2023-09-01 09:00
|
230827- 협의회 참여단체 현황.xlsx.lnk... bc3fb948dc956f79dbc7aac06442d6ef
AntiDebug AntiVM Lnk Format GIF Format PowerShell ZIP Format Malware download Vulnerability VirusTotal Malware VBScript powershell Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI wscript.exe payload download Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key Dropper |
1
http://anrun.kr/movie/contents.php
|
5
anrun.kr(112.222.52.98) - mailcious
resolver1.opendns.com(208.67.222.222)
myip.opendns.com()
208.67.222.222
112.222.52.98 - mailcious
|
5
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
ET HUNTING Suspicious Possible Process Dump in POST body
ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
|
|
10.0 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8975 |
2023-08-31 18:41
|
 Test.dll f4e3845b30dac395fcd56a25cebf4fb8
Malicious Library .NET DLL DLL PE File PE32 |
|
|
|
|
0.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8976 |
2023-08-31 14:57
|
 syscall.exe c95d214005076e29185b0f9cb05adcd9
Gen1 Malicious Library UPX OS Processor Check PE File PE64 VirusTotal Malware PDB sandbox evasion |
|
|
|
|
1.6 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8977 |
2023-08-31 14:51
|
 novojay2.1.exe 5593a8e8c5000016aea6d7d3368289c0
NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Software crashed keylogger |
|
2
api.ipify.org(64.185.227.156)
173.231.16.76
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8978 |
2023-08-31 13:26
|
372688131_122117915342010661_1... 31bd4726f47463794574a1a6aba359e9
JPEG Format |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8979 |
2023-08-31 13:21
|
setup_pass1234.7z b91e7390dd00dc6715856489c653d438
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Remote Code Execution Trojan DNS Downloader |
22
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://193.233.254.61/loghub/master - rule_id: 35736
http://45.9.74.80/super.exe - rule_id: 36063
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://jjz.alie3ksgbb.com/m/iela2f5.exe - rule_id: 36007
http://87.121.221.58/g.exe - rule_id: 35764
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062
http://45.9.74.80/loa.exe - rule_id: 36065
https://sun6-23.userapi.com/c909618/u44017378/docs/d56/2e5bffb4b140/x.bmp?extra=18HSPNiIYgKLbbl48OJ_64Jg0eESYaIEs_dPTjxWwv3vwx2a1OX0e_sehPnhJYffSDMn1tK2yXjMUFmpZMyGxl-sCP0_le9ryYouD3N9SPJQd3mbMFegnblEf7N6N-p8bVg7qdrjeKYpXu7q
https://sun6-22.userapi.com/c237131/u44017378/docs/d10/0eace7d79cc4/crypted.bmp?extra=M8GbCDfCrW1ub9Q5slSgTTBFfznRtwWOKr36lHOM-Re5SFdZSZF-Y4kgrrz3zpNVkWVuEQc8tCGt-20M8ZEti8U1y9uhgbdrhKwQ4vI2eWH0jb5KGfPwNHNNP_hduOB7a5iqkOH_i2e96h-q
https://vk.com/doc44017378_668639053?hash=A5ZnazptWbehp0K2bmvg9nTph2rdHiPWvSvYBqxl2Io&dl=u8tIJoReWZ9iXOjlDd9hcaN8C0CaGmNqNJZQ5HWAu3s&api=1&no_preview=1#tmwvr
https://sun6-20.userapi.com/c909618/u44017378/docs/d44/84692adb9c73/PL43464.bmp?extra=aRAEFw0S10iBr5bwZTi-5jZr_6wX3IsSreEbRM8sbK60EF5ibZb5w9fkfSmlPUzl8Djr3wyGfrkKPDLerzbcNHgQCE8uHGqYPVFBO89_uupJcezWA7BEkOlOZV0iP96vhFxJ5nVwfGV5iMCF
https://sun6-23.userapi.com/c909628/u44017378/docs/d59/221ef20b4271/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=Vls0OFOX8PkeKJQTuoF0lpLdYvzEFOgYPWoxd_sA4yhk_DgZJMVhtaqzLG0ULamRPz7Tm6opWoY86-PGuJ-AdTpeFT7CPUDeXpynRKMJvQkgmKPQ_QYqwsTp3JPeud42Phrf5ydSpR2njD-w
https://psv4.userapi.com/c909228/u44017378/docs/d31/66018e514799/cosmicbuild.bmp?extra=W_993hAe2h--VQW-eYynrxtSaGnHJOCgNHBpsLzNSsdh5iXO1r-TLZTRM1fVmQOGjW5qtes-T91bB1iQKhfFsWUypuW2CT7YyvrIHMJjnYx4v2X7vOJnTK8051F8ST7UqKlx_tnKGTihYZ7K
https://api.myip.com/
https://vk.com/doc44017378_668652522?hash=aElEGkO6cyfDGZNIDzHllf0dQ4WNLPcT73XeeGyH5jg&dl=etMSyZnQNNPaCSFSv3rP0cZ4xAqHsXvrmrPorxT0Daz&api=1&no_preview=1
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-22.userapi.com/c909518/u44017378/docs/d34/17f9a0d874d5/tmvwr.bmp?extra=A8kJYs2DIs1ImjMXJOsbVJQmiVIgTEuFXke-lW4f5ghIZiPJjTZ5LDxj7vYQlnSUJOCjKdostqUlbncezr8lGYcoqps7dMsUHpPy-lw537He4fjWeqFxYljNS4o8WQqm1FWq5yYGcShcdbmZ
https://vk.com/doc44017378_668627833?hash=v2kBVggWFGsyqLXmuhbM0xSIZkC6l63EzgDLz4F9Iko&dl=6VtSROfzSgb2bB0PZuMqg4O6szSBSj8n7GkqKoKr3Iz&api=1&no_preview=1#ff
|
49
230809204625331.nes.dtf99.top(94.156.35.76) - malware
db-ip.com(104.26.4.15)
psv4.userapi.com(87.240.190.76)
api.myip.com(104.26.8.59)
frontolysis.pw()
ipinfo.io(34.117.59.81)
iplogger.org(148.251.234.83) - mailcious
z.nnnaajjjgc.com(156.236.72.121) - malware
sun6-22.userapi.com(95.142.206.2)
jjz.alie3ksgbb.com(172.67.200.102) - malware
bitbucket.org(104.192.141.1) - malware
sun6-23.userapi.com(95.142.206.3)
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.132.78) - mailcious
vanaheim.cn(91.142.78.129) - mailcious
iplis.ru(148.251.234.93) - mailcious
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.192.141.1 - mailcious
77.91.68.238 - malware
179.43.158.2
208.67.104.60 - mailcious
87.240.190.76
172.67.200.102
87.121.221.58 - malware
172.67.75.166
193.233.254.61 - mailcious
194.26.135.162 - mailcious
87.240.132.78 - mailcious
34.117.59.81
176.113.115.84 - mailcious
148.251.234.83
104.26.8.59
91.142.78.129
77.91.124.82 - mailcious
45.9.74.80 - malware
94.142.138.131 - mailcious
176.123.9.142 - mailcious
185.225.73.32 - mailcious
149.202.0.242 - mailcious
156.236.72.121 - mailcious
45.15.156.229 - mailcious
104.26.9.59
95.142.206.3
163.123.143.4 - mailcious
95.142.206.0 - mailcious
85.208.136.10 - mailcious
95.142.206.2
62.122.184.58 - mailcious
|
35
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET DROP Dshield Block Listed Source group 1
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
|
11
http://94.142.138.131/api/firegate.php
http://193.233.254.61/loghub/master
http://45.9.74.80/super.exe
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://jjz.alie3ksgbb.com/m/iela2f5.exe
http://87.121.221.58/g.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/tracemap.php
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
http://45.9.74.80/loa.exe
|
6.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8980 |
2023-08-31 13:15
|
https://scontent-ord5-1.xx.fbc...
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM JPEG Format icon MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
https://scontent-ord5-1.xx.fbcdn.net/v/t39.30808-6/372692248_122117916470010661_8155039477004584634_n.jpg?stp=dst-jpg_p720x720&_nc_cat=111&ccb=1-7&_nc_sid=44e04b&_nc_ohc=Zs4-22aovxgAX8OZltq&_nc_ht=scontent-ord5-1.xx&oh=00_AfDK0Vv2_-WZaI-cqQSAyg-DON4F0mbVpUmZjjCL2YdJFg&oe=64F53F16
https://scontent-ord5-1.xx.fbcdn.net/favicon.ico
|
2
scontent-ord5-1.xx.fbcdn.net(157.240.249.8)
157.240.249.8
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8981 |
2023-08-31 13:05
|
372692248_122117916470010661_8... d791f9b33a6c8e010ed6905d5427491e
JPEG Format |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8982 |
2023-08-31 13:04
|
372692248_122117916470010661_8... d791f9b33a6c8e010ed6905d5427491e
JPEG Format |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8983 |
2023-08-31 12:35
|
 referent.hta cf35de3a0d4386f729982c33a1cc298a
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process suspicious TLD Windows ComputerName Cryptographic key |
|
2
gk-stst.ru(194.169.175.143)
194.169.175.143
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8984 |
2023-08-31 12:31
|
 xp_amp_app_usage_dnu-2023-08-2... 195e33f55e504c45d059e006a6e75821
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8985 |
2023-08-31 11:24
|
 t.php.exe 588bbac508cd620fae65c16a47b2fc1c
UPX OS Processor Check DLL PE File PE64 PDB |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|