| 9001 |
2023-08-30 07:51
|
 ghostzx.exe 04bcbc084757b3dc87cdc158372207d8
Formbook AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS |
7
http://www.belatofo.com/m6vg/ - rule_id: 35937
http://www.sonokiz.xyz/m6vg/?pVN_Fq_R=OU8I4t4PJh7jLwKM8g7zNLnIXKzFYO4EOKNLYn2/07El/+gDHE38bA7ufp76Z7q9f8ZNVj+wQy/7gIPBvltigVtQEDdIb2L6NYl27Fw=&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35936
http://www.local-masterfab.pro/m6vg/ - rule_id: 35935
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.sonokiz.xyz/m6vg/ - rule_id: 35936
http://www.local-masterfab.pro/m6vg/?pVN_Fq_R=qlsSz55dMEDh80zakVPbHjaF8j4oNypzrjIj/nO5OsiiIMQ4OCb3eb3/aciAfJPzlTtsA232D702JdziOuhcEJIUeFVyn6zrybpmvBo=&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35935
http://www.belatofo.com/m6vg/?pVN_Fq_R=zU2i1DyrLTvj8GmsZ3o7R6kW1xY2b3weixFFYEzXXEr/gEIBiemlOi0xftl7Tao5JEAa7dRSygfLZB5gXWVWN+Vv06aLmgNr2ZdGEQw=&ORmnb=c_tDxxLHNsS1Sm9d - rule_id: 35937
|
10
www.sonokiz.xyz(162.0.239.145) - mailcious
www.qhzsxhn73k.top() - mailcious
www.services-1222.info() - mailcious
www.local-masterfab.pro(64.225.91.73) - mailcious
www.instantconvey.com() - mailcious
www.belatofo.com(136.243.102.227) - mailcious
162.0.239.145 - mailcious
136.243.102.227 - mailcious
64.225.91.73 - mailcious
45.33.6.223
|
1
ET DNS Query to a *.top domain - Likely Hostile
|
6
http://www.belatofo.com/m6vg/
http://www.sonokiz.xyz/m6vg/
http://www.local-masterfab.pro/m6vg/
http://www.sonokiz.xyz/m6vg/
http://www.local-masterfab.pro/m6vg/
http://www.belatofo.com/m6vg/
|
8.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9002 |
2023-08-30 07:51
|
 test10.exe e35f56f0085e9bc842148702e7ba0faf
Malicious Library UPX Socket DGA Http API PWS DNS ScreenShot Internet API Code injection AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware AutoRuns PDB Code Injection malicious URLs Tofsee Windows ComputerName Remote Code Execution DNS |
|
2
api.2ip.ua(162.0.217.254)
162.0.217.254
|
4
ET INFO TLS Handshake Failure
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9003 |
2023-08-29 22:03
|
 reliigiousplanpro.exe 265f3a4af704826afeb581c091445847
Gen1 Emotet Malicious Library UPX Anti_VM PE File CAB PE64 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious
172.96.160.210
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
|
11 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9004 |
2023-08-29 20:39
|
 voidlttt_crypted_LAB%20%283%29... b081509178bb6a0cea93d70f7484999f
Malicious Library UPX PWS SMTP AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172)
94.142.138.94 - mailcious
104.26.13.31
|
3
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9005 |
2023-08-29 20:39
|
 controvoke2.1.exe a36770d1543e103e3ff928050ef769ec
NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Software crashed keylogger |
|
2
api.ipify.org(104.237.62.211)
104.237.62.211
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9006 |
2023-08-29 20:39
|
 install.exe c7fc4fba6a117300ddeff12d77a6cf35
task schedule Malicious Library UPX ScreenShot AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Windows ComputerName DNS crashed |
|
1
|
|
|
11.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9007 |
2023-08-29 20:37
|
 easy.exe e0cc6408c8713dee078c3d4bcc6af5ef
Malicious Library UPX OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
|
6.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9008 |
2023-08-29 20:35
|
 win.exe c349a5db3e862884c451770ce4d558b7
Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware PDB Malicious Traffic WriteConsoleW DNS |
2
http:///getkeys/9qb_ir7q8hk
http:///addbild/9qb_ir7q8hk/59c72419876507f25695214f68c1717b
|
1
|
1
SURICATA Applayer Detect protocol only one direction
|
|
2.8 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9009 |
2023-08-29 11:12
|
Setup_pass1234.7z c9328594be0ae6b19feca6629ab32af9 |
|
|
|
|
|
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9010 |
2023-08-29 09:54
|
 1.hta 682f821b4daa22d6629825e83159e98f
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9011 |
2023-08-29 09:53
|
luck.vbs 39cbd31c22643689111e8d5d6f2179e5
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://185.216.71.134/luck.txt
|
3
uploaddeimagens.com.br(172.67.215.45) -
121.254.136.9 -
172.67.215.45 -
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9012 |
2023-08-29 09:36
|
 1.hta 682f821b4daa22d6629825e83159e98f
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9013 |
2023-08-29 07:55
|
 1395139682.exe 6ab675925dd0e44d05168e660841bb53
Malicious Library UPX Malicious Packer OS Processor Check PE File PE64 ftp VirusTotal Malware |
|
|
|
|
1.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9014 |
2023-08-29 07:55
|
 build838.exe baea8727cf8923018d8235c66ae8d6a1
.NET framework(MSIL) PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Check memory Checks debugger unpack itself Ransomware Browser Email Software |
|
|
|
|
5.6 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9015 |
2023-08-29 04:21
|
 AgentService.exe 13773ab7f2d31751c6f31c2a2b140c29
Gen1 Generic Malware Malicious Library Malicious Packer PE File PE64 PDB Remote Code Execution |
|
|
|
|
0.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|