#9001 | 2023-08-30 07:51 | submitter: ZeroCERT
File: ghostzx.exe
MD5: 04bcbc084757b3dc87cdc158372207d8
Tags: Formbook, AntiDebug, AntiVM, PE File, .NET EXE, PE32, VirusTotal, Malware, PDB, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, suspicious TLD, DNS
URLs (7):
  http://www.belatofo.com/m6vg/ - rule_id: 35937
  http://www.sonokiz.xyz/m6vg/?pVN_Fq_R=OU8I4t4PJh7jLwKM8g7zNLnIXKzFYO4EOKNLYn2/07El/+gDHE38bA7ufp76Z7q9f8ZNVj+wQy/7gIPBvltigVtQEDdIb2L6NYl27Fw=&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35936
  http://www.local-masterfab.pro/m6vg/ - rule_id: 35935
  http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
  http://www.sonokiz.xyz/m6vg/ - rule_id: 35936
  http://www.local-masterfab.pro/m6vg/?pVN_Fq_R=qlsSz55dMEDh80zakVPbHjaF8j4oNypzrjIj/nO5OsiiIMQ4OCb3eb3/aciAfJPzlTtsA232D702JdziOuhcEJIUeFVyn6zrybpmvBo=&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35935
  http://www.belatofo.com/m6vg/?pVN_Fq_R=zU2i1DyrLTvj8GmsZ3o7R6kW1xY2b3weixFFYEzXXEr/gEIBiemlOi0xftl7Tao5JEAa7dRSygfLZB5gXWVWN+Vv06aLmgNr2ZdGEQw=&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35937
Hosts (10):
  www.sonokiz.xyz (162.0.239.145) - malicious
  www.qhzsxhn73k.top (no resolved IP) - malicious
  www.services-1222.info (no resolved IP) - malicious
  www.local-masterfab.pro (64.225.91.73) - malicious
  www.instantconvey.com (no resolved IP) - malicious
  www.belatofo.com (136.243.102.227) - malicious
  162.0.239.145 - malicious
  136.243.102.227 - malicious
  64.225.91.73 - malicious
  45.33.6.223
IDS signatures (1):
  ET DNS Query to a *.top domain - Likely Hostile
Matched URLs (6):
  http://www.belatofo.com/m6vg/
  http://www.sonokiz.xyz/m6vg/
  http://www.local-masterfab.pro/m6vg/
  http://www.sonokiz.xyz/m6vg/
  http://www.local-masterfab.pro/m6vg/
  http://www.belatofo.com/m6vg/
Score: 8.6 | Level: M | Detections: 27

#9002 | 2023-08-30 07:51 | submitter: ZeroCERT
File: test10.exe
MD5: e35f56f0085e9bc842148702e7ba0faf
Tags: Malicious Library, UPX, Socket, DGA, Http API, PWS, DNS, ScreenShot, Internet API, Code injection, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, VirusTotal, Malware, AutoRuns, PDB, Code Injection, malicious URLs, Tofsee, Windows, ComputerName, Remote Code Execution, DNS
Hosts (2):
  api.2ip.ua (162.0.217.254)
  162.0.217.254
IDS signatures (4):
  ET INFO TLS Handshake Failure
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.8 | Level: M | Detections: 41

#9003 | 2023-08-29 22:03 | submitter: guest
File: reliigiousplanpro.exe
MD5: 265f3a4af704826afeb581c091445847
Tags: Gen1, Emotet, Malicious Library, UPX, Anti_VM, PE File, CAB, PE64, VirusTotal, Malware, AutoRuns, PDB, MachineGuid, Check memory, Checks debugger, Creates executable files, unpack itself, Check virtual network interfaces, Tofsee, Windows, Remote Code Execution
Hosts (2):
  i.ibb.co (104.194.8.143) - malicious
  172.96.160.210
IDS signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.4 | Detections: 11

#9004 | 2023-08-29 20:39 | submitter: ZeroCERT
File: voidlttt_crypted_LAB (3)... (name URL-decoded; truncated in the source)
MD5: b081509178bb6a0cea93d70f7484999f
Tags: Malicious Library, UPX, PWS, SMTP, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Microsoft, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs: 1 (not shown in the listing)
Hosts (3):
  api.ip.sb (172.67.75.172)
  94.142.138.94 - malicious
  104.26.13.31
IDS signatures (3):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.6 | Level: M | Detections: 24

#9005 | 2023-08-29 20:39 | submitter: ZeroCERT
File: controvoke2.1.exe
MD5: a36770d1543e103e3ff928050ef769ec
Tags: NSIS, Malicious Library, UPX, PE File, PE32, OS Processor Check, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Check memory, Checks debugger, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, IP Check, Tofsee, Windows, Browser, Email, ComputerName, Software, crashed, keylogger
Hosts (2):
  api.ipify.org (104.237.62.211)
  104.237.62.211
IDS signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.4 | Level: M | Detections: 26

#9006 | 2023-08-29 20:39 | submitter: ZeroCERT
File: install.exe
MD5: c7fc4fba6a117300ddeff12d77a6cf35
Tags: task schedule, Malicious Library, UPX, ScreenShot, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Check virtual network interfaces, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName, DNS, crashed
Hosts: 1 (not shown in the listing)
Score: 11.8 | Level: M | Detections: 26

#9007 | 2023-08-29 20:37 | submitter: ZeroCERT
File: easy.exe
MD5: e0cc6408c8713dee078c3d4bcc6af5ef
Tags: Malicious Library, UPX, OS Processor Check, PE File, PE32, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Microsoft, suspicious privilege, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, installed browsers check, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
Hosts: 1 (not shown in the listing)
IDS signatures (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
Score: 6.4 | Level: M | Detections: 33

#9008 | 2023-08-29 20:35 | submitter: ZeroCERT
File: win.exe
MD5: c349a5db3e862884c451770ce4d558b7
Tags: Malicious Library, UPX, OS Processor Check, PE File, PE32, VirusTotal, Malware, PDB, Malicious Traffic, WriteConsoleW, DNS
URLs (2) (host part missing in the source):
  http:///getkeys/9qb_ir7q8hk
  http:///addbild/9qb_ir7q8hk/59c72419876507f25695214f68c1717b
Hosts: 1 (not shown in the listing)
IDS signatures (1):
  SURICATA Applayer Detect protocol only one direction
Score: 2.8 | Level: M | Detections: 14

#9009 | 2023-08-29 11:12 | submitter: ZeroCERT
File: Setup_pass1234.7z
MD5: c9328594be0ae6b19feca6629ab32af9
No tags, network indicators, score or detection count recorded.

#9010 | 2023-08-29 09:54 | submitter: ZeroCERT
File: 1.hta
MD5: 682f821b4daa22d6629825e83159e98f
Tags: AntiDebug, AntiVM, MSOffice File, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
IDS signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.4 | Detections: 17

#9011 | 2023-08-29 09:53 | submitter: ZeroCERT
File: luck.vbs
MD5: 39cbd31c22643689111e8d5d6f2179e5
Tags: Generic Malware, Antivirus, Hide_URL, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
  http://185.216.71.134/luck.txt
Hosts (3):
  uploaddeimagens.com.br (172.67.215.45)
  121.254.136.9
  172.67.215.45
IDS signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.0 | Detections: 10

#9012 | 2023-08-29 09:36 | submitter: ZeroCERT (same file and MD5 as #9010)
File: 1.hta
MD5: 682f821b4daa22d6629825e83159e98f
Tags: AntiDebug, AntiVM, MSOffice File, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
IDS signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.4 | Detections: 17

#9013 | 2023-08-29 07:55 | submitter: ZeroCERT
File: 1395139682.exe
MD5: 6ab675925dd0e44d05168e660841bb53
Tags: Malicious Library, UPX, Malicious Packer, OS Processor Check, PE File, PE64, ftp, VirusTotal, Malware
Score: 1.4 | Detections: 27

#9014 | 2023-08-29 07:55 | submitter: ZeroCERT
File: build838.exe
MD5: baea8727cf8923018d8235c66ae8d6a1
Tags: .NET framework(MSIL), PE File, .NET EXE, PE32, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, Check memory, Checks debugger, unpack itself, Ransomware, Browser, Email, Software
Score: 5.6 | Detections: 44

#9015 | 2023-08-29 04:21 | submitter: guest
File: AgentService.exe
MD5: 13773ab7f2d31751c6f31c2a2b140c29
Tags: Gen1, Generic Malware, Malicious Library, Malicious Packer, PE File, PE64, PDB, Remote Code Execution
Score: 0.4
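The Hosts and URLs fields in these entries are free text in two shapes: `host(resolved_ip) - flag` and `url - rule_id: N`, with an empty `()` where no resolution was seen and a `http:///...` URL whose host is missing (entry 9008). The script below is an added example written for this page, not code from the sandbox or its operator: it turns those fields into IOC records and derives a blocklist from them. The record classes, the treatment of the flag word (any alphabetic flag counts; the raw sandbox output spells it `mailcious`), and the policy of blocking only flagged or rule-matched hosts are this example's own choices, and the sample strings are copied from entries 9001, 9002 and 9008 above with long query strings shortened.

```python
"""Extract IOCs from the Hosts and URLs fields of the sandbox listing above.

Added example for this page; it is not code from the sandbox or its operator.
It assumes the two field shapes seen in the entries above:
    host(resolved_ip) - flag     e.g.  www.sonokiz.xyz(162.0.239.145) - mailcious
    url - rule_id: N             e.g.  http://www.belatofo.com/m6vg/ - rule_id: 35937
The record classes, the flag handling and the blocklist policy are this
example's own choices, not behaviour documented by the listing.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input: Hosts fields of entries 9001 and 9002 above, joined.
# The flag is kept as the sandbox emits it ("mailcious"); any alphabetic flag is accepted.
SAMPLE_HOSTS = (
    "www.sonokiz.xyz(162.0.239.145) - mailcious www.qhzsxhn73k.top() - mailcious "
    "www.local-masterfab.pro(64.225.91.73) - mailcious 162.0.239.145 - mailcious "
    "45.33.6.223 api.2ip.ua(162.0.217.254) 162.0.217.254"
)
# Constructed sample input: URLs fields of entries 9001 and 9008 (query strings shortened).
SAMPLE_URLS = (
    "http://www.belatofo.com/m6vg/ - rule_id: 35937 "
    "http://www.sonokiz.xyz/m6vg/?pVN_Fq_R=OU8I4t4PJh7j&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35936 "
    "http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip "
    "http:///getkeys/9qb_ir7q8hk"
)


@dataclass(frozen=True)
class HostIOC:
    value: str                  # domain name or bare IP exactly as listed
    is_ip: bool
    resolved_ip: Optional[str]  # IP in parentheses after a domain; None for "()" or no parentheses
    flagged: bool               # True when the listing attached a flag such as "mailcious"


@dataclass(frozen=True)
class UrlIOC:
    url: str
    host: Optional[str]         # None for malformed URLs like http:///getkeys/... (entry 9008)
    rule_id: Optional[int]      # the listing's "rule_id: N" annotation, if present


_HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9][^\s()]*)"    # domain or IP; a lone "-" separator cannot start a match
    r"(?:\s*\((?P<ip>[^)]*)\))?"        # optional "(resolved ip)", possibly empty "()"
    r"(?:\s-\s(?P<flag>[A-Za-z]+))?"    # optional " - flag"; an IP after " - " is a new host instead
)
_URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s-\srule_id:\s(?P<rule>\d+))?")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts(text: str) -> list[HostIOC]:
    out = []
    for m in _HOST_RE.finditer(text):
        name, ip, flag = m.group("name"), m.group("ip"), m.group("flag")
        out.append(HostIOC(
            value=name,
            is_ip=_is_ip(name),
            resolved_ip=ip if ip and _is_ip(ip) else None,  # "()" means no resolution was seen
            flagged=flag is not None,
        ))
    return out


def parse_urls(text: str) -> list[UrlIOC]:
    out = []
    for m in _URL_RE.finditer(text):
        rule = m.group("rule")
        out.append(UrlIOC(
            url=m.group("url"),
            host=urlsplit(m.group("url")).hostname,  # None when the authority part is empty
            rule_id=int(rule) if rule else None,
        ))
    return out


def blocklist(hosts: list[HostIOC], urls: list[UrlIOC]) -> dict[str, list[str]]:
    """Domains and IPs worth blocking: only what the listing flagged or matched a rule on.

    Unflagged hosts are deliberately left out. In the sample that drops api.2ip.ua
    (a public IP-lookup service the sample contacted, per the ET POLICY signature)
    and the sqlite.org download, both of which also carry legitimate traffic.
    """
    domains, ips = set(), set()
    for h in hosts:
        if not h.flagged:
            continue
        (ips if h.is_ip else domains).add(h.value)
        if h.resolved_ip:
            ips.add(h.resolved_ip)
    for u in urls:
        if u.rule_id is not None and u.host:
            (ips if _is_ip(u.host) else domains).add(u.host)
    return {"domains": sorted(domains), "ips": sorted(ips)}


def defang(value: str) -> str:
    """Make an indicator safe to paste into a ticket or chat."""
    return value.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


if __name__ == "__main__":
    hosts, urls = parse_hosts(SAMPLE_HOSTS), parse_urls(SAMPLE_URLS)
    for kind, values in blocklist(hosts, urls).items():
        print(kind, [defang(v) for v in values])
```

The blocklist keeps the resolved IP of a flagged domain as well as the domain itself, since Formbook-style samples rotate hostnames faster than hosting; the flag-or-rule filter is what stops the public IP-check services (api.2ip.ua, api.ip.sb, api.ipify.org, all contacted by entries above) from ending up on a corporate block list.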