8971 | 2023-09-01 09:07 | wwlib aa1188eb63e988676a78adf858d8a887 | Malicious Library UPX OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Remote Code Execution | 1.4 | 17 | ZeroCERT

8972 | 2023-09-01 09:07 | 4t.exe 33a1cc504b545fc22aa44dbc9cf12882 | Malicious Library PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself | 2.0 | 23 | ZeroCERT

8973 | 2023-09-01 09:07 | HWX.vbs eff515cd80fca123c65f7ed20d7f071f | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 8.8 | 5 | ZeroCERT
3 URLs:
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://94.156.161.167/tl/luq98.txt
3 hosts:
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.33 - malware
172.67.215.45 - malware
1 IDS alert:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8974 | 2023-09-01 09:00 | 230827- 협의회 참여단체 현황.xlsx.lnk... bc3fb948dc956f79dbc7aac06442d6ef | AntiDebug AntiVM Lnk Format GIF Format PowerShell ZIP Format Malware download Vulnerability VirusTotal Malware VBScript powershell Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI wscript.exe payload download Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key Dropper | 10.0 | M | 10 | ZeroCERT
1 URL:
http://anrun.kr/movie/contents.php
5 hosts:
anrun.kr(112.222.52.98) - malicious
resolver1.opendns.com(208.67.222.222)
myip.opendns.com()
208.67.222.222
112.222.52.98 - malicious
5 IDS alerts:
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
ET HUNTING Suspicious Possible Process Dump in POST body
ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration

8975 | 2023-08-31 18:41 | Test.dll f4e3845b30dac395fcd56a25cebf4fb8 | Malicious Library .NET DLL DLL PE File PE32 | 0.4 | guest

8976 | 2023-08-31 14:57 | syscall.exe c95d214005076e29185b0f9cb05adcd9 | Gen1 Malicious Library UPX OS Processor Check PE File PE64 VirusTotal Malware PDB sandbox evasion | 1.6 | 20 | ZeroCERT

8977 | 2023-08-31 14:51 | novojay2.1.exe 5593a8e8c5000016aea6d7d3368289c0 | NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Software crashed keylogger | 8.8 | M | 22 | ZeroCERT
2 hosts:
api.ipify.org(64.185.227.156)
173.231.16.76
2 IDS alerts:
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8978 | 2023-08-31 13:26 | 372688131_122117915342010661_1... 31bd4726f47463794574a1a6aba359e9 | JPEG Format | guest

8979 | 2023-08-31 13:21 | setup_pass1234.7z b91e7390dd00dc6715856489c653d438 | PrivateLoader Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Remote Code Execution Trojan DNS Downloader | 6.2 | M | ZeroCERT
22 URLs:
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://193.233.254.61/loghub/master - rule_id: 35736
http://45.9.74.80/super.exe - rule_id: 36063
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://jjz.alie3ksgbb.com/m/iela2f5.exe - rule_id: 36007
http://87.121.221.58/g.exe - rule_id: 35764
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062
http://45.9.74.80/loa.exe - rule_id: 36065
https://sun6-23.userapi.com/c909618/u44017378/docs/d56/2e5bffb4b140/x.bmp?extra=18HSPNiIYgKLbbl48OJ_64Jg0eESYaIEs_dPTjxWwv3vwx2a1OX0e_sehPnhJYffSDMn1tK2yXjMUFmpZMyGxl-sCP0_le9ryYouD3N9SPJQd3mbMFegnblEf7N6N-p8bVg7qdrjeKYpXu7q
https://sun6-22.userapi.com/c237131/u44017378/docs/d10/0eace7d79cc4/crypted.bmp?extra=M8GbCDfCrW1ub9Q5slSgTTBFfznRtwWOKr36lHOM-Re5SFdZSZF-Y4kgrrz3zpNVkWVuEQc8tCGt-20M8ZEti8U1y9uhgbdrhKwQ4vI2eWH0jb5KGfPwNHNNP_hduOB7a5iqkOH_i2e96h-q
https://vk.com/doc44017378_668639053?hash=A5ZnazptWbehp0K2bmvg9nTph2rdHiPWvSvYBqxl2Io&dl=u8tIJoReWZ9iXOjlDd9hcaN8C0CaGmNqNJZQ5HWAu3s&api=1&no_preview=1#tmwvr
https://sun6-20.userapi.com/c909618/u44017378/docs/d44/84692adb9c73/PL43464.bmp?extra=aRAEFw0S10iBr5bwZTi-5jZr_6wX3IsSreEbRM8sbK60EF5ibZb5w9fkfSmlPUzl8Djr3wyGfrkKPDLerzbcNHgQCE8uHGqYPVFBO89_uupJcezWA7BEkOlOZV0iP96vhFxJ5nVwfGV5iMCF
https://sun6-23.userapi.com/c909628/u44017378/docs/d59/221ef20b4271/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=Vls0OFOX8PkeKJQTuoF0lpLdYvzEFOgYPWoxd_sA4yhk_DgZJMVhtaqzLG0ULamRPz7Tm6opWoY86-PGuJ-AdTpeFT7CPUDeXpynRKMJvQkgmKPQ_QYqwsTp3JPeud42Phrf5ydSpR2njD-w
https://psv4.userapi.com/c909228/u44017378/docs/d31/66018e514799/cosmicbuild.bmp?extra=W_993hAe2h--VQW-eYynrxtSaGnHJOCgNHBpsLzNSsdh5iXO1r-TLZTRM1fVmQOGjW5qtes-T91bB1iQKhfFsWUypuW2CT7YyvrIHMJjnYx4v2X7vOJnTK8051F8ST7UqKlx_tnKGTihYZ7K
https://api.myip.com/
https://vk.com/doc44017378_668652522?hash=aElEGkO6cyfDGZNIDzHllf0dQ4WNLPcT73XeeGyH5jg&dl=etMSyZnQNNPaCSFSv3rP0cZ4xAqHsXvrmrPorxT0Daz&api=1&no_preview=1
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-22.userapi.com/c909518/u44017378/docs/d34/17f9a0d874d5/tmvwr.bmp?extra=A8kJYs2DIs1ImjMXJOsbVJQmiVIgTEuFXke-lW4f5ghIZiPJjTZ5LDxj7vYQlnSUJOCjKdostqUlbncezr8lGYcoqps7dMsUHpPy-lw537He4fjWeqFxYljNS4o8WQqm1FWq5yYGcShcdbmZ
https://vk.com/doc44017378_668627833?hash=v2kBVggWFGsyqLXmuhbM0xSIZkC6l63EzgDLz4F9Iko&dl=6VtSROfzSgb2bB0PZuMqg4O6szSBSj8n7GkqKoKr3Iz&api=1&no_preview=1#ff
49 hosts:
230809204625331.nes.dtf99.top(94.156.35.76) - malware
db-ip.com(104.26.4.15)
psv4.userapi.com(87.240.190.76)
api.myip.com(104.26.8.59)
frontolysis.pw()
ipinfo.io(34.117.59.81)
iplogger.org(148.251.234.83) - malicious
z.nnnaajjjgc.com(156.236.72.121) - malware
sun6-22.userapi.com(95.142.206.2)
jjz.alie3ksgbb.com(172.67.200.102) - malware
bitbucket.org(104.192.141.1) - malware
sun6-23.userapi.com(95.142.206.3)
sun6-20.userapi.com(95.142.206.0) - malicious
vk.com(87.240.132.78) - malicious
vanaheim.cn(91.142.78.129) - malicious
iplis.ru(148.251.234.93) - malicious
148.251.234.93 - malicious
194.169.175.128 - malicious
104.192.141.1 - malicious
77.91.68.238 - malware
179.43.158.2
208.67.104.60 - malicious
87.240.190.76
172.67.200.102
87.121.221.58 - malware
172.67.75.166
193.233.254.61 - malicious
194.26.135.162 - malicious
87.240.132.78 - malicious
34.117.59.81
176.113.115.84 - malicious
148.251.234.83
104.26.8.59
91.142.78.129
77.91.124.82 - malicious
45.9.74.80 - malware
94.142.138.131 - malicious
176.123.9.142 - malicious
185.225.73.32 - malicious
149.202.0.242 - malicious
156.236.72.121 - malicious
45.15.156.229 - malicious
104.26.9.59
95.142.206.3
163.123.143.4 - malicious
95.142.206.0 - malicious
85.208.136.10 - malicious
95.142.206.2
62.122.184.58 - malicious
35 IDS alerts:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET DROP Dshield Block Listed Source group 1
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
11 URLs (second list):
http://94.142.138.131/api/firegate.php
http://193.233.254.61/loghub/master
http://45.9.74.80/super.exe
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://jjz.alie3ksgbb.com/m/iela2f5.exe
http://87.121.221.58/g.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/tracemap.php
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
http://45.9.74.80/loa.exe

8980 | 2023-08-31 13:15 | https://scontent-ord5-1.xx.fbc... | Downloader Create Service Socket P2P DGA Steal credential Http API Escalate privileges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM JPEG Format icon MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 4.2 | guest
2 URLs:
https://scontent-ord5-1.xx.fbcdn.net/v/t39.30808-6/372692248_122117916470010661_8155039477004584634_n.jpg?stp=dst-jpg_p720x720&_nc_cat=111&ccb=1-7&_nc_sid=44e04b&_nc_ohc=Zs4-22aovxgAX8OZltq&_nc_ht=scontent-ord5-1.xx&oh=00_AfDK0Vv2_-WZaI-cqQSAyg-DON4F0mbVpUmZjjCL2YdJFg&oe=64F53F16
https://scontent-ord5-1.xx.fbcdn.net/favicon.ico
2 hosts:
scontent-ord5-1.xx.fbcdn.net(157.240.249.8)
157.240.249.8
2 IDS alerts:
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

8981 | 2023-08-31 13:05 | 372692248_122117916470010661_8... d791f9b33a6c8e010ed6905d5427491e | JPEG Format | guest

8982 | 2023-08-31 13:04 | 372692248_122117916470010661_8... d791f9b33a6c8e010ed6905d5427491e | JPEG Format | guest

8983 | 2023-08-31 12:35 | referent.hta cf35de3a0d4386f729982c33a1cc298a | Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process suspicious TLD Windows ComputerName Cryptographic key | 5.6 | ZeroCERT
2 hosts:
gk-stst.ru(194.169.175.143)
194.169.175.143

8984 | 2023-08-31 12:31 | xp_amp_app_usage_dnu-2023-08-2... 195e33f55e504c45d059e006a6e75821 | AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName | 3.4 | guest

8985 | 2023-08-31 11:24 | t.php.exe 588bbac508cd620fae65c16a47b2fc1c | UPX OS Processor Check DLL PE File PE64 PDB | 0.8 | ZeroCERT