| 8986 |
2023-08-31 11:23
|
 t.php.2.exe e5854c758473d847a7e9ba63e0e3f88d
UPX OS Processor Check DLL PE File PE64 PDB |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8987 |
2023-08-31 11:23
|
 winlog.exe 60255ef7d90a35361e5fe2f5d5514734
Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 VirusTotal Malware |
|
|
|
|
1.0 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8988 |
2023-08-31 11:20
|
 msedge.exe 19d6340743164342171504547933597f
Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 VirusTotal Malware |
|
|
|
|
1.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8989 |
2023-08-31 10:49
|
 wagnergroup.rtf 2735cd8e39f7e6ce667ab2722770931c
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed |
|
2
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
2.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8990 |
2023-08-31 10:43
|
 t.php 10a6d12af72886e825179217de2ed3a5
UPX OS Processor Check DLL PE File PE64 PDB |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8991 |
2023-08-31 10:43
|
 Document_Scan_231.js a5fa19b8e9d308e0b423e7b3f77cb9dc
UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows |
1
http://oopscokir.com/ - rule_id: 36099
|
4
avestainfratech.com(184.168.119.55)
oopscokir.com(172.67.179.217) - mailcious
104.21.64.90 - mailcious
184.168.119.55 - mailcious
|
1
ET MALWARE Win32/IcedID Request Cookie
|
1
|
5.8 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8992 |
2023-08-31 10:43
|
 Document_Scan_463.js ff68487fd840687d90c92d63ea6ef82a
UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files RWX flags setting Windows utilities suspicious process WriteConsoleW Windows |
1
http://oopscokir.com/ - rule_id: 36099
|
4
moashraya.com(184.168.117.217) - malware
oopscokir.com(172.67.179.217) - mailcious
172.67.179.217
184.168.117.217 - malware
|
1
ET MALWARE Win32/IcedID Request Cookie
|
1
|
5.8 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8993 |
2023-08-31 10:43
|
 t.php ce212477efea0109d5fe886a6396f4b4
UPX OS Processor Check DLL PE File PE64 PDB |
|
|
|
|
0.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8994 |
2023-08-31 10:43
|
 Document_Scan_48.js 0591fcaf382e5457adf79f4350279ccf
UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows |
1
http://oopscokir.com/ - rule_id: 36099
|
4
moashraya.com(184.168.117.217) - malware
oopscokir.com(172.67.179.217) - mailcious
184.168.117.217 - malware
104.21.64.90 - mailcious
|
1
ET MALWARE Win32/IcedID Request Cookie
|
1
|
5.8 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8995 |
2023-08-31 09:51
|
 Document_Scan_480.js e22cc458efd3971cb286c74abef7bd5a
UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows |
2
http://oopscokir.com/
https://moashraya.com/out/t.php
|
4
moashraya.com(184.168.117.217)
oopscokir.com(104.21.64.90)
172.67.179.217
184.168.117.217
|
1
ET MALWARE Win32/IcedID Request Cookie
|
|
5.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8996 |
2023-08-31 09:51
|
 Document_Scan_321.js e7c03a6bb595c52072921ba842e9f1ff
UPX OS Processor Check DLL PE File PE64 IcedID Malware download Malware Malicious Traffic Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows |
2
http://oopscokir.com/
https://avestainfratech.com/out/t.php
|
4
avestainfratech.com(184.168.119.55)
oopscokir.com(104.21.64.90)
172.67.179.217
184.168.119.55 - mailcious
|
1
ET MALWARE Win32/IcedID Request Cookie
|
|
5.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8997 |
2023-08-31 09:45
|
 taskhost.exe 9ddf58d42ea6fd8cbc1f2642c336358f
RedLine stealer .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName Cryptographic key Software crashed |
|
2
rc30.tuktuk.ug(85.209.3.9)
85.209.3.9
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
|
|
10.2 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8998 |
2023-08-31 09:44
|
 taskhost.exe 9ddf58d42ea6fd8cbc1f2642c336358f
RedLine stealer Generic Malware .NET framework(MSIL) Malicious Library UPX Malicious Packer Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces installed browsers check Stealer Windows Browser ComputerName Trojan DNS Cryptographic key Software crashed |
2
http://95.214.27.254/getfile/msedge.exe
http://95.214.27.254/getfile/winlog.exe
|
3
rc30.tuktuk.ug(85.209.3.9)
95.214.27.254
85.209.3.9
|
10
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.2 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8999 |
2023-08-31 08:03
|
 wagnergroup.rtf 2735cd8e39f7e6ce667ab2722770931c
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed |
|
2
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.4 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9000 |
2023-08-31 07:57
|
 fotos894.exe 608bfad41214b06eefaf2cdffa6bab23
Gen1 Emotet Malicious Library UPX CAB PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://193.233.254.61/loghub/master - rule_id: 35736
|
2
77.91.124.82
193.233.254.61 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.254.61/loghub/master
|
14.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|