9031 | 2023-11-09 07:53 | 32.exe fb003fc48dbad9290735c9a6601381f7 Malicious Packer PE File PE32 crashed
0.6 | ZeroCERT

9032 | 2023-11-09 07:52 | IGCC.exe 3026e2920c42b559aa2071b25f736d28 .NET framework(MSIL) PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself
1.4 | M | ZeroCERT

9033 | 2023-11-09 07:50 | r.exe e7f56e0f417b37f40e50145970b25ffa EnigmaProtector PE File PE32 Malware unpack itself ComputerName crashed
2.0 | M | ZeroCERT

9034 | 2023-11-09 07:50 | InstallSetup2.exe 5b5e94c98e5ac70ad03a0fb91a6c2e71 PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself ComputerName
1.6 | M | ZeroCERT

9035 | 2023-11-09 07:37 | build.exe 7159eea664e510fef8420b035fc94869 Malicious Library UPX PE File PE32 OS Processor Check unpack itself Remote Code Execution
1.0 | ZeroCERT

9036 | 2023-11-08 17:58 | get4.exe bdbdcb1f607cf1ab2954c7e01fbb87dd PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself ComputerName
1.6 | ZeroCERT

9037 | 2023-11-08 17:38 | bet365.exe 90427a600ba896346dca58a43f4cc77f Malicious Library UPX Socket Http API ScreenShot Escalate priviledges PWS HTTP DNS Code injection Internet API KeyLogger AntiDebug AntiVM PE File PE32 MZP Format Buffer PE suspicious privilege Code Injection Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities AppData folder malicious URLs sandbox evasion WriteConsoleW Windows ComputerName
1
UGimJTaULZqJErlriNlsHPaO.UGimJTaULZqJErlriNlsHPaO()
10.2 | M | ZeroCERT

9038 | 2023-11-08 17:38 | macroniska2.1.exe c84fe8d8b80e63f94c93ba326e65b5db NSIS Malicious Library UPX PE File PE32 FormBook Malware download Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself DNS
3
http://www.gdtanhua.icu/tb8i/?hBZLW8l=5AAXAdZlmcRrCDR+Yfx/EblZaZMinPv2SiPC8X54i0y8Yz2HVSjKC3lJUrpNHrztM6AvkM+R&jL3Tir=_PG0kH6pr8nlATBp
http://www.districonsumohome.com/tb8i/?hBZLW8l=uPlnLoSq3YhnKr6XkI/ibKBZR5UbIYDon83yscU5401mNJ1eOsSEnnQZdNPUCUqLRQJWzWjQ&jL3Tir=_PG0kH6pr8nlATBp
http://www.ecuajet.net/tb8i/?hBZLW8l=K0i+LInbjQMeF01bJpA1pnYCvby0p5ea/1o04Epx1gQSdVWES3s1884re8hJdKUMMJ2T7E8o&jL3Tir=_PG0kH6pr8nlATBp
8
www.bradleymartinfitness.com()
www.ecuajet.net(23.231.50.47)
www.starsyx.com()
www.gdtanhua.icu(154.12.93.8)
www.districonsumohome.com(172.67.170.89)
154.12.93.8
104.21.47.35
23.231.50.47
2
ET INFO DNS Query for Suspicious .icu Domain
ET MALWARE FormBook CnC Checkin (GET)
3.0 | M | ZeroCERT

9039 | 2023-11-08 17:32 | random.exe 5417909356a2789a9cfb1dccca43cc96 PE File PE32 .NET EXE PDB Check memory Checks debugger unpack itself ComputerName
1.6 | M | ZeroCERT

9040 | 2023-11-08 10:05 | Launcher_Password_1234.rar 128e1564f4afaf681a3572f8667f6bd4 Escalate priviledges PWS KeyLogger AntiDebug AntiVM VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself
2.4 | M | 1 | ZeroCERT

9041 | 2023-11-08 09:51 | File.rar c49151503a28c917e2857760532d8ef0 PrivateLoader Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro DNS
53
http://195.201.251.173/
http://195.201.251.173/vcruntime140.dll
http://195.201.251.173/msvcp140.dll
http://195.201.251.173/mozglue.dll
http://194.169.175.118/xinchao.exe - rule_id: 38117
http://194.49.94.97/download/Services.exe - rule_id: 38118
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://195.201.251.173/freebl3.dll
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://jaimemcgee.top/40d570f44e84a454.php - rule_id: 38121
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://195.201.251.173/sqlite3.dll
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MO990stgnECCXm487Ttm1ga6.exe&platform=0009&osver=5&isServer=0
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://195.201.251.173/nss3.dll
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://194.49.94.48/timeSync.exe - rule_id: 38122
http://195.201.251.173/softokn3.dll
http://185.172.128.69/latestumma.exe - rule_id: 38123
http://stim.graspalace.com/order/tuc19.exe - rule_id: 38124
http://176.113.115.84:8080/4.php - rule_id: 34795
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc26060933_667443076?hash=bDMwfuwwa4Bhfk5iGf4pMZfzUuBZI01JVp5BaGnL6ks&dl=iT71Bl3sZ2372hed0nHcWcvZK3ySxQ2nVKfHeXmS1cs&api=1&no_preview=1
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/f6b4409db97c/BotClients.bmp?extra=XyDUtDw2kxfm9jE5QPM6GZyXP63jc58qFBlzPoTu75dHPn2dPLNikHfM4-g1wqdz4Qhn-mieiLcm4O7701M8WzPInDI5tOdQiWkYAR7YTs7NQMs0If_al1cKjhF-2gxL8v3LtRBMskS4po52
https://vk.com/doc26060933_667461496?hash=egdyyVbzZ1RrLg0G1GnF2OIAfOHjZ6QvOr9xjiWPRzk&dl=R2dHcfkklHZC6QWDijipWsfDaBcPGk1TJodmHYqQ8fk&api=1&no_preview=1#setup
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/93b5ea113936/32ssh7832haf.bmp?extra=J-reDmr00Qi8f6YZm72J-tJgjmoCfEc-kLljTjGdbr7yd3ZtlIOg3fyUoePkg0_0EreB5QB3smN1utxlWgRUlTPXJxmUl4Ef6z0DqxE6gf1mYYxCqOFW2_VFxHJGWv5aSGPvcnYvnjg0VlPT
https://api.ip.sb/ip
https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897
https://iplogger.com/2lhi52 - rule_id: 38127
https://db-ip.com/
https://sso.passport.yandex.ru/push?uuid=43ef0eff-f7be-4313-b10e-1ec1849baf48&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://iplis.ru/1Gemv7.mp3
https://vk.com/doc26060933_667452800?hash=pIiQI9ESvqLAvoJupWTJlr3ieUjnzDC7zAeymHyxjK4&dl=fBx5ZRcRnIbGHZBA56w0xzNAmq8tMCJq2fh7enTkokw&api=1&no_preview=1
https://dzen.ru/?yredirect=true
https://sun6-21.userapi.com/c236331/u26060933/docs/d11/cc5a543357b1/Risepro.bmp?extra=98_LY8vGNbS9n8jSiu71V9JFct5W3jtQnqs7zTkGzJ2VoWwR0gmMISoiXczTZwrYuIzMg5qkHCPbFf4Q3cEmf3sR1dLKKxadp-QPLDW3m9o_qkYCehW0skIUIziOjMKu5cM-we-_6iJsrRtg
https://sun6-23.userapi.com/c237331/u26060933/docs/d29/2565ea094508/RisePro.bmp?extra=jFaOgj7cGIe-uGIOZ7lfR_Sd3YndWWjgA5lFsVisLy5737qzplpz6ZEiBIYYlZaSxi2kIEWvlPOFxmNcvl8yyYK-pQaIVIk-R8q67opgjFsmjXqTOdlFcXmdcMkmcY7GUIepDJWwPvH_ID0D
https://sun6-22.userapi.com/c909328/u26060933/docs/d14/3afe51af0e45/setup.bmp?extra=o6tSkvo3WJHNkWYV4m7MHb8rsWSS52VYICmzrxdaqtDHYoAtuXrvi3UTsiLcKTPhxiQfxNVblrwU_g8L_xHhVX--gZd0YSMm7dNG0AvZ1mBIeczOoQRPJoWtUq0MsJg1piA3KFKvYuuYDMSd
https://api.2ip.ua/geo.json
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/87bf67900bd3/WWW11_32.bmp?extra=XOZlXgdd3bUWej72lwSyK7qAk7zr_0peJo1GKofvOna2ONZ-yM3AA7oSx1TPy4cCQCQ6wRJvbdwU0IDcAro_6SJj7dZA4ahsjH82rHaDVLTvh9HnCoPfpgPA-3FqdegwuIXON0YffOUWk9tl
https://vk.com/doc26060933_667452525?hash=Gh9FdvMkZAv4GqS13jZPZHB5Pcx92djGdjwawRPGUH8&dl=T8IbErzc4mt11RokDKvo5O7LhWRnbzRIZQAIKyuFbVg&api=1&no_preview=1#1
https://vk.com/doc26060933_667442538?hash=mmgXWXsNqbKLvdAt9zehqkuJnMdb3X5PCDebEMwwvAw&dl=GGDaPNTZqZV3JZoFm1DNOMglxPYcMg1N3m7iaSGEzDs&api=1&no_preview=1#maf
https://sun6-22.userapi.com/c235131/u26060933/docs/d1/ba97dca153ca/PL_Clientp.bmp?extra=i9THH3O8H4N_In69cCrUwR_eiU_x753MLTgoyyEPloC8fZBdB6WCrl2-6U0HOjiXL0gVmHe5NRuWccWK8pQGs1aevQpjvkIDvlBwrUwWdZPzdfj2J3XI-ZRUk4lHhrhqOT43mVOCVXLCRwRa
https://sun6-23.userapi.com/c235131/u26060933/docs/d50/60b44504e085/file071123.bmp?extra=trC4U7plV8McjHNCq8dYdsz5Rg0fFfP-eFZscrLGXmck8alwfzoEtDSa_Dz1ix3m6Ygy37-jq-4lRumXt32zfR7uYa5jP5DsRgLG05cUZLLjgisywUwEdd4T4YFkaRkPTPqy4CgG3gqYi3db
https://vk.com/doc26060933_667439449?hash=vzkbG8bKfHAO2x625lZNXBKXCuAvPBZzPx9sufiaWx0&dl=3zz9ZDFfOKnbcxNR19mrKyOTob271CPE08u0D3OPGzw&api=1&no_preview=1#risepro
https://sun6-20.userapi.com/c909618/u26060933/docs/d28/cb4943e7d785/crypted.bmp?extra=-NWW48wNXl3YvNe-AnEflBbZHTLY4_N5lcHl5XP0D7TPUq6fpITpdKXfjR51pSITnAqWwBNo10QoTngMnWeyVzqu5nmAOqHsrjXwRKxHJOEo36gaOnosP9E15RLICh_lxm7oqnp74_g6XDzi
https://sun6-20.userapi.com/c909418/u26060933/docs/d53/2538a0bc40f7/1MG.bmp?extra=S9vmGUX-pZ2meKHDX1Rz8vKYbPeXST17jDUsID2ZPP61PtEiwHzq3i-4xYLRq4qD_Cy53LPosP8ep3g9pTZYtfLqcEUgPO3ZG8R-WrerRlw_AJOHy9LADl1Uin3Rwz6N3mCX2NdcR8p1Q9nM
https://vk.com/doc26060933_667462812?hash=BNWNUlhfnsvUW8vuJOkR6wETTQRQYSEXqD7FAHmgIoH&dl=Zt1uh0kla8CEullAPIbT2Uyh8Gn9CHZtt3EEdBcLJYD&api=1&no_preview=1#test22
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-20.userapi.com/c235131/u26060933/docs/d3/e0bc894d3f39/tmvwr.bmp?extra=PaStbbEwQZf_4ZOMtpbva-yY57KOQbmYSM0Zr6WbebuMjhlFCSsuwkBN0TlyCkjb2FqRcQEtgQpKtxniYw2yVB8_pp0JDAU_T_63OIZ4vYm70NbsbooB-1_iGzJNLdD9jJmvd9iOR4gY0Q2i
https://steamcommunity.com/profiles/76561199568528949
76
stim.graspalace.com(104.21.20.155) - malware
db-ip.com(104.26.4.15)
sun6-23.userapi.com(95.142.206.3) - mailcious
vanaheim.cn(158.160.73.47) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
yandex.ru(5.255.255.70)
jaimemcgee.top(193.106.175.190) - mailcious
dzen.ru(62.217.160.2)
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
learn.microsoft.com(104.75.1.96)
gons11fc.top(212.113.122.87) - malware
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
ironhost.io(104.21.57.237)
sso.passport.yandex.ru(213.180.204.24)
api.ip.sb(104.26.13.31)
iplogger.com(172.67.194.188) - mailcious
fdjbgkhjrpfvsdf.online(104.21.87.5) - malware
iplis.ru(104.21.63.150) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
www.maxmind.com(104.18.145.235)
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.8.59)
194.169.175.128 - mailcious
104.18.145.235
93.186.225.194 - mailcious
91.215.85.209 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
149.154.167.99 - mailcious
213.180.204.24
172.67.75.166
104.21.12.138
104.26.12.31
23.210.37.172
185.216.70.232
185.173.38.57
194.49.94.41 - mailcious
212.113.122.87 - malware
194.49.94.48 - malware
34.117.59.81
158.160.73.47
176.113.115.84 - mailcious
77.88.55.60
148.251.234.83
104.26.8.59
194.33.191.60 - mailcious
194.169.175.118 - mailcious
91.92.243.151 - mailcious
91.103.252.189 - malware
185.172.128.69 - malware
104.21.57.237 - mailcious
94.142.138.131 - mailcious
195.201.251.173
121.254.136.9
194.49.94.97 - malware
45.15.156.229 - mailcious
104.26.4.15
104.21.87.5 - malware
104.21.63.150
95.142.206.2 - mailcious
172.67.139.220
95.142.206.0 - mailcious
95.142.206.3 - mailcious
104.21.20.155 - malware
193.106.175.190 - malware
95.142.206.1 - mailcious
104.76.78.101 - mailcious
46
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO EXE - Served Attached HTTP
ET INFO Packed Executable Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
15
http://194.169.175.118/xinchao.exe
http://194.49.94.97/download/Services.exe
http://45.15.156.229/api/tracemap.php
http://45.15.156.229/api/firegate.php
http://jaimemcgee.top/40d570f44e84a454.php
http://94.142.138.131/api/firegate.php
http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/firecom.php
http://94.142.138.131/api/tracemap.php
http://194.49.94.48/timeSync.exe
http://185.172.128.69/latestumma.exe
http://stim.graspalace.com/order/tuc19.exe
http://176.113.115.84:8080/4.php
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://iplogger.com/2lhi52
6.6 | M | ZeroCERT

9042 | 2023-11-08 09:43 | work.vbs f98b2d9799e83e700d3be6e231c3e615 VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS Dropper
2
chongmei33.publicvm.com(103.47.144.63) - mailcious
103.47.144.63
1
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
10.0 | 26 | ZeroCERT

9043 | 2023-11-08 09:39 | ORDER-23116FC.pdf.js cf34cf3dc725d0145cb4b3ecfba459e7 VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
1
https://grapemundo.com/Apk/work.vbs
2
grapemundo.com(103.50.163.157) - mailcious
103.50.163.157 - mailcious
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
10.0 | 20 | ZeroCERT

9044 | 2023-11-08 09:21 | File.rar c49151503a28c917e2857760532d8ef0 AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
3.4 | ZeroCERT

9045 | 2023-11-08 08:07 | 1.exe 1e690482756e59e446f6fd38063d69dd Gen1 Malicious Library UPX ASPack Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format ftp Check memory Creates executable files
0.8 | M | ZeroCERT