8986 | 2023-08-31 11:23 | t.php.2.exe | e5854c758473d847a7e9ba63e0e3f88d | UPX OS Processor Check DLL PE File PE64 PDB | 0.8 | ZeroCERT
8987 | 2023-08-31 11:23 | winlog.exe | 60255ef7d90a35361e5fe2f5d5514734 | Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 VirusTotal Malware | 1.0 | M | 2 | ZeroCERT
8988 | 2023-08-31 11:20 | msedge.exe | 19d6340743164342171504547933597f | Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 VirusTotal Malware | 1.0 | 2 | ZeroCERT
8989 | 2023-08-31 10:49 | wagnergroup.rtf | 2735cd8e39f7e6ce667ab2722770931c | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed | 2.0 | M | 38 | ZeroCERT
  Hosts (2): iplogger.com(148.251.234.93) - mailcious; 148.251.234.93 - mailcious
  Rules (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
8990 | 2023-08-31 10:43 | t.php | 10a6d12af72886e825179217de2ed3a5 | UPX OS Processor Check DLL PE File PE64 PDB | 0.8 | ZeroCERT
8991 | 2023-08-31 10:43 | Document_Scan_231.js | a5fa19b8e9d308e0b423e7b3f77cb9dc | UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows | 1 | 5.8 | M | guest
  URLs (1): http://oopscokir.com/ - rule_id: 36099
  Hosts (4): avestainfratech.com(184.168.119.55); oopscokir.com(172.67.179.217) - mailcious; 104.21.64.90 - mailcious; 184.168.119.55 - mailcious
  Rules (1): ET MALWARE Win32/IcedID Request Cookie
8992 | 2023-08-31 10:43 | Document_Scan_463.js | ff68487fd840687d90c92d63ea6ef82a | UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files RWX flags setting Windows utilities suspicious process WriteConsoleW Windows | 1 | 5.8 | M | guest
  URLs (1): http://oopscokir.com/ - rule_id: 36099
  Hosts (4): moashraya.com(184.168.117.217) - malware; oopscokir.com(172.67.179.217) - mailcious; 172.67.179.217; 184.168.117.217 - malware
  Rules (1): ET MALWARE Win32/IcedID Request Cookie
8993 | 2023-08-31 10:43 | t.php | ce212477efea0109d5fe886a6396f4b4 | UPX OS Processor Check DLL PE File PE64 PDB | 0.8 | M | ZeroCERT
8994 | 2023-08-31 10:43 | Document_Scan_48.js | 0591fcaf382e5457adf79f4350279ccf | UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows | 1 | 5.8 | M | guest
  URLs (1): http://oopscokir.com/ - rule_id: 36099
  Hosts (4): moashraya.com(184.168.117.217) - malware; oopscokir.com(172.67.179.217) - mailcious; 184.168.117.217 - malware; 104.21.64.90 - mailcious
  Rules (1): ET MALWARE Win32/IcedID Request Cookie
8995 | 2023-08-31 09:51 | Document_Scan_480.js | e22cc458efd3971cb286c74abef7bd5a | UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows | 5.8 | guest
  URLs (2): http://oopscokir.com/; https://moashraya.com/out/t.php
  Hosts (4): moashraya.com(184.168.117.217); oopscokir.com(104.21.64.90); 172.67.179.217; 184.168.117.217
  Rules (1): ET MALWARE Win32/IcedID Request Cookie
8996 | 2023-08-31 09:51 | Document_Scan_321.js | e7c03a6bb595c52072921ba842e9f1ff | UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows | 5.8 | guest
  URLs (2): http://oopscokir.com/; https://avestainfratech.com/out/t.php
  Hosts (4): avestainfratech.com(184.168.119.55); oopscokir.com(104.21.64.90); 172.67.179.217; 184.168.119.55 - mailcious
  Rules (1): ET MALWARE Win32/IcedID Request Cookie
8997 | 2023-08-31 09:45 | taskhost.exe | 9ddf58d42ea6fd8cbc1f2642c336358f | RedLine stealer .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName Cryptographic key Software crashed | 10.2 | M | 10 | ZeroCERT
  Hosts (2): rc30.tuktuk.ug(85.209.3.9); 85.209.3.9
  Rules (4): ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response
8998 | 2023-08-31 09:44 | taskhost.exe | 9ddf58d42ea6fd8cbc1f2642c336358f | RedLine stealer Generic Malware .NET framework(MSIL) Malicious Library UPX Malicious Packer Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces installed browsers check Stealer Windows Browser ComputerName Trojan DNS Cryptographic key Software crashed | 13.2 | 10 | ZeroCERT
  URLs (2): http://95.214.27.254/getfile/msedge.exe; http://95.214.27.254/getfile/winlog.exe
  Hosts (3): rc30.tuktuk.ug(85.209.3.9); 95.214.27.254; 85.209.3.9
  Rules (10): ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
8999 | 2023-08-31 08:03 | wagnergroup.rtf | 2735cd8e39f7e6ce667ab2722770931c | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed | 2.4 | 38 | ZeroCERT
  Hosts (2): iplogger.com(148.251.234.93) - mailcious; 148.251.234.93 - mailcious
  Rules (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9000 | 2023-08-31 07:57 | fotos894.exe | 608bfad41214b06eefaf2cdffa6bab23 | Gen1 Emotet Malicious Library UPX CAB PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed | 14.6 | M | 40 | ZeroCERT
  URLs (1): http://193.233.254.61/loghub/master - rule_id: 35736
  Hosts (2): 77.91.124.82; 193.233.254.61 - mailcious
  Rules (7): ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Redline Stealer Activity (Response); ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST); ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  (1): http://193.233.254.61/loghub/master