9016 |
2023-08-28 17:28
|
CS-Cheat-Installer.exe 64f1d67b14dafea71c599e9c5498edc2 Browser Login Data Stealer Amadey Malicious Library UPX Admin Tool (Sysinternals etc ...) Http API HTTP ScreenShot Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check DLL PE64 JPEG Format Malware download Amadey VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Interception Windows Browser ComputerName DNS Cryptographic key crashed |
4
http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/cred64.dll - rule_id: 35717 http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/clip64.dll - rule_id: 35718 http://xyl.lat/2BfwEnWXSKj6KgTm/index.php?scr=1 http://xyl.lat/2BfwEnWXSKj6KgTm/index.php
|
4
xyl.lat(37.139.129.124) - malware files.slezer.cc(174.138.39.230) 174.138.39.230 37.139.129.124
|
9
ET MALWARE Amadey CnC Check-In ET DNS Query for .cc TLD SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET MALWARE Amadey Bot Activity (POST) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Amadey Bot Activity (POST) M1 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
2
http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/cred64.dll http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/clip64.dll
|
15.8 |
M |
44 |
ZeroCERT
9017 |
2023-08-28 17:27
|
Bratty_Family.exe 5a5e1481a6d57f81703097f832379fb2 Generic Malware Malicious Library UPX Malicious Packer OS Processor Check PE File PE64 VirusTotal Malware PDB unpack itself crashed |
1.4 |
3 |
ZeroCERT
9018 |
2023-08-28 17:26
|
Mysecondfamily.exe f6fcfa4a011f9a073aa53830e78157f9 Generic Malware Malicious Library UPX Malicious Packer OS Processor Check PE File PE64 VirusTotal Malware PDB crashed |
1.0 |
8 |
ZeroCERT
9019 |
2023-08-28 17:17
|
ok.exe ba84cb431da839bba1bf4dedb3e2ee8f Generic Malware Downloader task schedule Malicious Library UPX Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM OS Process VirusTotal Malware powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Checks Bios Auto service Detects VirtualBox powershell.exe wrote suspicious process WriteConsoleW VMware anti-virtualization Windows ComputerName Cryptographic key Software crashed |
17.8 |
22 |
ZeroCERT
9020 |
2023-08-28 15:14
|
COD_MW2_Steam.exe be82ea0c15a8161fcd03fd624ffef4f3 Emotet Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM OS Processor Check PE File PE64 DLL DllRegisterServer dll ZIP Format ftp VirusTotal Malware Check memory Creates executable files Ransomware |
1.8 |
4 |
guest
9021 |
2023-08-28 10:05
|
religiousplanpro.exe 93cc75015ca399e68d2176adecea521d Gen1 Emotet Malicious Library UPX Anti_VM PE File CAB PE64 .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious 104.194.8.120
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 |
10 |
ZeroCERT
9022 |
2023-08-28 10:03
|
reliigiousplanpro.exe 265f3a4af704826afeb581c091445847 Gen1 Emotet Malicious Library UPX Anti_VM PE File CAB PE64 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious 172.96.160.210
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 |
11 |
ZeroCERT
9023 |
2023-08-28 09:45
|
oebd595d1a23f36763e746f48750d1... 2d4fd05bdccee76bac5231cfa4da5130 PE File PE32 VirusTotal Malware Checks debugger unpack itself |
2.0 |
33 |
ZeroCERT
9024 |
2023-08-28 09:43
|
File_pass1234.7z 134ceb06f8f77fcdb5dedf95f32a3f27 Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey VirusTotal Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Remote Code Execution Trojan DNS DDNS DoTNet Downloader |
30
|
52
|
38
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 39 SURICATA Applayer Mismatch protocol both directions ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Executable Download from dotted-quad Host ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY DNS Query to DynDNS Domain *.ddns .net ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain ET INFO EXE - Served Attached HTTP ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) ET INFO TLS Handshake Failure ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET DNS Query to a *.top domain - Likely Hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET DROP Dshield Block Listed Source group 1 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2
|
10
http://208.67.104.60/api/firegate.php http://208.67.104.60/api/tracemap.php http://193.233.254.61/loghub/master http://45.15.156.229/api/tracemap.php http://77.91.124.231/info/img0581.exe http://176.113.115.84:8080/4.php http://jjz.alie3ksgbb.com/m/iela2f5.exe http://87.121.221.58/g.exe http://45.9.74.80/0bjdn2Z/index.php https://busell.store/setup294.exe
|
7.0 |
M |
1 |
ZeroCERT
9025 |
2023-08-28 07:55
|
http://hcdnl.push-rtmps.ovc.gs... Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://hcdnl.push-rtmps.ovc.gslb.rocket-cdn.com/
|
2
hcdnl.push-rtmps.ovc.gslb.rocket-cdn.com(156.59.151.26) 148.153.241.38
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 |
guest
9026 |
2023-08-28 07:43
|
AiBTQrkJNY.exe 93e7784defa1b30dcc93427bae186724 Generic Malware UPX Antivirus OS Processor Check PE File .NET EXE PE32 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces Tofsee Windows ComputerName |
|
2
luxurycrypter.com(31.186.11.128) 31.186.11.128
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 |
M |
15 |
ZeroCERT
9027 |
2023-08-28 07:40
|
toolspub2.exe d3d867c6722255ebcbc51a11a3a39347 Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware PDB Remote Code Execution |
3.0 |
M |
42 |
ZeroCERT
9028 |
2023-08-28 07:40
|
Client.exe f9391638fc3c6dec9b7319d1c8adeebb Malicious Library .NET framework(MSIL) UPX ASPack Malicious Packer Antivirus OS Processor Check PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
2.0 |
M |
48 |
ZeroCERT
9029 |
2023-08-28 07:37
|
religionprosig.exe 3eb7278ffb8ab7d3f190a56756239e64 Gen1 Emotet Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM PE File CAB VirusTotal Malware powershell AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution Cryptographic key |
2
https://ledentiste.ma/12/religion/religiousplanpro.zip
https://ledentiste.ma/12/religion/reliigiousplanpro.zip
|
2
ledentiste.ma(41.77.116.197) 41.77.116.197
|
3
SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.8 |
M |
20 |
ZeroCERT
9030 |
2023-08-28 07:36
|
billinv.exe 81af4f2d111cb10c9b5922d02b3751e6 Malicious Packer PE File PE64 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself |
2.4 |
M |
34 |
ZeroCERT