9046 | 2023-11-08 08:04 |
d12934-0202334.doc eac138b49c6f90896c9af5cbc8fe38b8 VBA_macro Generic Malware Antivirus MSOffice File PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting exploit crash unpack itself suspicious process WriteConsoleW Windows Exploit ComputerName DNS Cryptographic key crashed |
1 http://89.23.98.22/LN/Konstantin.exe | 1 | | |
9.6 | M | ZeroCERT |

9047 | 2023-11-08 07:43 |
build.exe b243344cf0e32c4f723ef42b48aa256c Malicious Library UPX PE File PE32 OS Processor Check unpack itself Remote Code Execution |
| | | |
1.0 | | ZeroCERT |

9048 | 2023-11-08 07:41 |
madykapen2.1.exe b401492fb6f237abf7327201a0df6e7e NSIS Malicious Library UPX PE File PE32 OS Processor Check AutoRuns Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS |
| 2 osairus.duckdns.org(91.92.252.13) - mailcious 91.92.252.13 | 2 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | |
4.6 | | ZeroCERT |

9049 | 2023-11-07 19:21 |
WWW14_64.exe b79c2d99b9899e66e9a3c16b5bc407cb PrivateLoader NPKI RedLine Infostealer RedLine stealer HermeticWiper Generic Malware NSIS Suspicious_Script UPX Malicious Library Antivirus Malicious Packer .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Bl Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Browser ComputerName Trojan DNS Cryptographic key Software crashed |
23 http://94.142.138.131/api/firegate.php - rule_id: 32650 http://91.92.243.151/api/tracemap.php - rule_id: 37889 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=VneSnp3_ukQr2DpIFzFJmPqn.exe&platform=0009&osver=5&isServer=0 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://apps.identrust.com/roots/dstrootcax3.p7c http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://185.172.128.69/latestumma.exe - rule_id: 38123 https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897 https://sun6-22.userapi.com/c909228/u26060933/docs/d49/128817370068/frankurt.bmp?extra=S-7AocaxsIbLkK-ELoZtcguPmTMKNeGVULVejSj8lKOn4iE-SffQhWawQvouXtHuFn4V30tV4Vyf2KFZ982OpZrWgbptKJF--WytR4WsqWN9BMV4Qn2o60SPWY9OAPvZxXlmSACiGQB9-aWJ https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ9CENa5D8--pR4RgBxxVEvfsknWSZfulv4 https://api.myip.com/ https://vk.com/doc26060933_667439205?hash=9u0pp57etRglLIKfkYwZcH44T9cOpyz0LWapsbTF1Bg&dl=z3Yi2TZu3wznuaMj0bEuIRV5ZXaFnSzqV3ZZNSu9aWD&api=1&no_preview=1#pers https://vk.com/doc493219498_672836373?hash=M7A4hgYlu29jFClj8BntVZXGQNYZUrmGk5Xo8ZtSs3c&dl=vo1qv3UDs2s1kmfM0D1UlsXrUhketlWT0zHzAFUqZzz&api=1&no_preview=1#redcl https://iplis.ru/1cN8u7.mp3 https://sun6-20.userapi.com/c909218/u26060933/docs/d54/6e7fc67a6ccd/asca1ex.bmp?extra=o0dbnej6BqzEu2z5v-Mxe5oLOHfcHc8vUDbMSePw_8F_JPn8HPD_NLCakc5EiDyrOG0dJBsKL6WuWl8WcnQT6t_9LwNBS5067YCL7hMG9GPzh8bxUp8FvU7aJ65cY8FynND1rYBTFV4uc5jy https://neuralshit.net/41952c986340dccbd36c6f7751ad8d3c/7725eaa6592c80f8124e769b4e8a07f7.exe https://psv4.userapi.com/c237131/u26060933/docs/d39/e725e5f13f43/PERSOM-1107.bmp?extra=lM3OqGzYHO-ydtWN8GVm8iBO22fCJG2WhM2K66LXzBICJffrODU--a9Pi-hhT7sttyJddEU9SHHg9SZN_-JOhRN7W2Plh0m9KbP4ZMAMKkWq9tgZOTF670Girpl8yfCoW0v7ugGpJH7nzSwG https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716 https://vk.com/doc26060933_667402082?hash=YceActlCEWNAxzNWlyosqulkJNKFWOXwPC6aoepp51w&dl=4fZA3npX9cldehaLZ4Szl6YhrZWLZOAzHvN5zwGWoWH&api=1&no_preview=1#as https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echSw-1M9pvREF7eyP8RrYMQCeAIgdGcFGmL https://vk.com/doc26060933_667283095?hash=XbMEOIVwAxvBMVozZrdx5JL01yibEzrk6OUGAeuqigk&dl=aHYtz9hCKP29fWdvsPFNX8NzNDQemO5X8RKctwJXQK0&api=1&no_preview=1#vmr |
40 neuralshit.net(172.67.134.35) - malware globalwebventure.com(65.109.26.240) lakuiksong.known.co.ke(146.59.70.14) - malware fdjbgkhjrpfvsdf.online(104.21.87.5) - malware learn.microsoft.com(23.40.45.69) api.myip.com(104.26.9.59) iplis.ru(104.21.63.150) - mailcious sun6-22.userapi.com(95.142.206.2) - mailcious ipinfo.io(34.117.59.81) iplogger.com(172.67.194.188) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious vk.com(87.240.132.67) - mailcious octocrabs.com(104.21.21.189) - mailcious ironhost.io(172.67.193.129) psv4.userapi.com(87.240.190.76) 95.142.206.0 - mailcious 87.240.137.164 - mailcious 172.67.139.27 - mailcious 172.67.194.188 - mailcious 208.67.104.60 - mailcious 194.33.191.60 - mailcious 23.210.37.172 34.117.59.81 104.21.21.189 104.26.8.59 104.21.6.10 - malware 172.67.147.32 87.240.137.134 185.172.128.69 - malware 194.169.175.235 - mailcious 23.67.53.17 91.92.243.151 - mailcious 65.109.26.240 - mailcious 45.15.156.229 - mailcious 95.142.206.2 - mailcious 194.49.94.72 - malware 194.49.94.77 146.59.70.14 - malware 104.21.57.237 - mailcious 94.142.138.131 - mailcious |
23 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET INFO TLS Handshake Failure ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) |
9 http://94.142.138.131/api/firegate.php http://91.92.243.151/api/tracemap.php http://45.15.156.229/api/tracemap.php http://94.142.138.131/api/tracemap.php http://45.15.156.229/api/firegate.php http://lakuiksong.known.co.ke/netTimer.exe http://185.172.128.69/latestumma.exe https://fdjbgkhjrpfvsdf.online/setup294.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe |
22.2 | M | ZeroCERT |

9050 | 2023-11-07 19:17 |
MKiNn8877.exe 524730069cd81878eef9b8186fc67963 AgentTesla Confuser .NET PWS SMTP KeyLogger AntiDebug AntiVM PE File PE64 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Browser Email ComputerName Software crashed keylogger |
| 2 mail.bretoffice.com(185.174.174.220) - mailcious 185.174.174.220 - phishing | 2 SURICATA Applayer Detect protocol only one direction SURICATA SMTP invalid reply | |
10.2 | M | ZeroCERT |

9051 | 2023-11-07 19:15 |
ss.exe 48765ca4f90c51b4adf429311d794d29 Malicious Library UPX PE File PE32 MZP Format Browser Info Stealer Malware download Malware Cryptocurrency wallets Cryptocurrency Malicious Traffic Check memory buffers extracted unpack itself Collect installed applications suspicious TLD sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware DNS crashed |
1 | 2 temoolda.pw(172.67.154.84) 104.21.48.160 | 4 ET DNS Query to a *.pw domain - Likely Hostile ET INFO HTTP Request to a *.pw domain ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | |
8.8 | M | ZeroCERT |

9052 | 2023-11-07 19:14 |
WinRar.exe 12ad5dac08fffe484f5bece941c6ee4e AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
| 2 camo.githubusercontent.com(185.199.108.133) 185.199.109.133 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | |
3.8 | | ZeroCERT |

9053 | 2023-11-07 19:13 |
build.exe 02f447aa40e3fd73d05c72ed4249ff4d Malicious Library UPX PE File PE32 OS Processor Check PDB unpack itself Remote Code Execution DNS |
| 2 172.67.194.188 - mailcious 194.49.94.77 | | |
1.8 | M | ZeroCERT |

9054 | 2023-11-07 19:12 |
StealerClient_Sharp.exe 344e9762e1477db04edfecaa07cef091 Malicious Library UPX Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check Check memory Checks debugger unpack itself ComputerName Remote Code Execution |
| | | |
1.2 | M | ZeroCERT |

9055 | 2023-11-07 19:09 |
toolspub4.exe ba07981c0db641512c0004aac1654895 Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware Code Injection Checks debugger buffers extracted unpack itself |
| | | |
5.8 | M | ZeroCERT |

9056 | 2023-11-07 19:08 |
a.exe 248fdd80b574b1379fe4f6f1cee40091 email stealer Downloader .NET framework(MSIL) Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Code injection persistence KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows DNS |
| 1 | | |
10.8 | M | ZeroCERT |

9057 | 2023-11-07 19:07 |
StealerClient_Cpp.exe 0e149c713146c9c1ea53d7b7fa3b39e1 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check |
| | | |
| M | ZeroCERT |

9058 | 2023-11-07 19:05 |
Juderk.exe 3f47913af364115da3a560edb88035ae Themida Packer Malicious Library Anti_VM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Stealer Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
| 1 | 5 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) | |
8.4 | M | ZeroCERT |

9059 | 2023-11-07 19:05 |
xoIBL6LAISDs.exe eb29546aff8b06616b7b226986fd7827 Browser Login Data Stealer Generic Malware Malicious Library UPX Malicious Packer Downloader PE File PE32 OS Processor Check Windows DNS keylogger |
| 1 | | |
2.8 | | ZeroCERT |

9060 | 2023-11-07 15:02 |
CVE 2001-0241.pcap aa96f5eaeb8f04a7e6fc1f1cb455d195 AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
| | | |
3.4 | | guest |