9016 |
2023-11-09 09:45
|
bRr6.exe 08ac3275ce1ae001d977fbfc70104ca0 Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
52 |
ZeroCERT
9017 |
2023-11-09 09:44
|
afkjo.txt.exe 8a399a88e341566dae0dc853addda913 AgentTesla Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
4.4 |
|
45 |
ZeroCERT
9018 |
2023-11-09 09:43
|
new_image.jpg.exe 2239cbbc9e09382c8c1e7a6b94b547a9 Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware |
|
|
|
|
1.4 |
|
35 |
ZeroCERT
9019 |
2023-11-09 09:32
|
manual.pdf e5dcc2c3a1f835ce7362107cde64740d PDF ZIP Format Windows utilities Windows |
5
http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_6_20042.zip http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/278_20_6_20042.zip
|
|
|
|
1.4 |
M |
|
ZeroCERT
9020 |
2023-11-09 09:31
|
ngown.vbs 02a3397b2d50409559121caee5c82d81 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/69jx0
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
http://equiticoy.top/vasity/ngohms.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware 104.21.84.67 - malware
121.254.136.18
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
3 |
ZeroCERT
9021 |
2023-11-09 09:27
|
HTMLIEbrowserChromehtml.vbs 63c71d97a2625c3537e9edde15f3d34b Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/9thzE
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
http://172.245.33.131/3324/RMR.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.9
172.67.187.200 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
1 |
ZeroCERT
9022 |
2023-11-09 09:27
|
HtmlIEbrowsercachehistoryclean... 6d852c09f951469e5265373380460ebf MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
1
http://192.227.173.78/1255/IGCC.exe
|
3
api.ipify.org(64.185.227.156) 173.231.16.77
192.227.173.78 - malware
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
31 |
ZeroCERT
9023 |
2023-11-09 08:11
|
Adobe.exe be4bbdb604b6c6e5f6975c050d00ce53 NSIS Generic Malware Malicious Library UPX ASPack Antivirus Malicious Packer Anti_VM PE File PE32 DLL PE64 OS Processor Check BMP Format ZIP Format ftp JPEG Format DllRegisterServer dll PNG Format Check memory Creates executable files unpack itself AppData folder Ransomware DNS |
|
1
|
|
|
3.2 |
|
|
ZeroCERT
9024 |
2023-11-09 08:08
|
smss.exe 62c8a57ed7d641bc8b4e451e37452df1 Malicious Library UPX PE File PE32 MZP Format DllRegisterServer dll RWX flags setting unpack itself Tofsee Interception crashed |
|
2
onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
|
ZeroCERT
9025 |
2023-11-09 08:05
|
2.exe da84a65802683137d09e3246fe24400a Gen1 Malicious Library UPX Malicious Packer PE File PE32 MZP Format DLL OS Processor Check Browser Info Stealer Malware download Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName crashed plugin |
8
http://bidbur.com/494fac8b0beb96d3/freebl3.dll http://bidbur.com/494fac8b0beb96d3/nss3.dll http://bidbur.com/494fac8b0beb96d3/vcruntime140.dll http://bidbur.com/494fac8b0beb96d3/msvcp140.dll http://bidbur.com/494fac8b0beb96d3/mozglue.dll http://bidbur.com/b5c586aec2e1004c.php http://bidbur.com/494fac8b0beb96d3/sqlite3.dll http://bidbur.com/494fac8b0beb96d3/softokn3.dll
|
2
bidbur.com(68.170.2.83) - mailcious 68.170.2.83 - mailcious
|
14
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
7.4 |
M |
|
ZeroCERT
9026 |
2023-11-09 08:01
|
get4.exe adf9f5ecb2c5cfde8ad9b49abc91abab PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.2 |
M |
|
ZeroCERT
9027 |
2023-11-09 08:00
|
IGCC.exe dad01083f1469e5ffa79e73f6c4252b3 AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
3
api.ipify.org(104.237.62.212) 185.174.174.220 - phishing 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
9028 |
2023-11-09 07:57
|
IGCC.exe 1007f94e20df5535b81e25138316ac57 AgentTesla Confuser .NET PWS SMTP KeyLogger AntiDebug AntiVM PE File PE64 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
mail.bretoffice.com(185.174.174.220) - mailcious 121.254.136.9 185.174.174.220 - phishing
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
9029 |
2023-11-09 07:56
|
need.exe 91d5dbd8e4804912cb38e62186467068 Gen1 Emotet Malicious Library UPX PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check Browser Info Stealer Malware download Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Stealc Windows Update Browser Email ComputerName Remote Code Execution DNS crashed |
1
http://193.233.255.73/loghub/master - rule_id: 37500
|
1
193.233.255.73 - mailcious
|
2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://193.233.255.73/loghub/master
|
16.4 |
M |
|
ZeroCERT
9030 |
2023-11-09 07:55
|
dcee5b78-00b4-4c16-8307-e930fb... 6aab37c5887c49c665d17fd7823498d6 EnigmaProtector PE File PE32 unpack itself ComputerName DNS crashed |
|
1
|
|
|
3.4 |
M |
|
ZeroCERT