9211 | 2023-08-22 17:45 | trxV9376 c901c8089c5e017f8e9b4b15c8ef154f Malicious Library UPX Malicious Packer OS Processor Check PE File DLL PE64 DllRegisterServer dll VirusTotal Malware Remote Code Execution | 1.8 | M | 54 | guest

9212 | 2023-08-22 17:42 | trxV9376 c901c8089c5e017f8e9b4b15c8ef154f Malicious Library UPX Malicious Packer OS Processor Check PE File DLL PE64 DllRegisterServer dll VirusTotal Malware Check memory Remote Code Execution | 2.0 | M | 54 | guest

9213 | 2023-08-22 17:39 | trxV9376 c901c8089c5e017f8e9b4b15c8ef154f Malicious Library UPX Malicious Packer OS Processor Check PE File DLL PE64 DllRegisterServer dll VirusTotal Malware Remote Code Execution | 1.8 | M | 54 | guest

9214 | 2023-08-22 17:18 | trxV9376 c901c8089c5e017f8e9b4b15c8ef154f Malicious Library UPX Malicious Packer OS Processor Check PE File DLL PE64 VirusTotal Malware Check memory unpack itself Remote Code Execution | 2.4 | M | 54 | ZeroCERT

9215 | 2023-08-22 17:01 | Setup_password1234.7z f847310169b762399708482414582efc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Remote Code Execution Trojan DNS Downloader plugin
URLs (32):
  http://208.67.104.60/api/firegate.php - rule_id: 34253
  http://208.67.104.60/api/tracemap.php - rule_id: 28876
  http://193.233.254.61/loghub/master - rule_id: 35736
  http://reinroot.top/f059ec3d7eb90876/softokn3.dll
  http://reinroot.top/f059ec3d7eb90876/sqlite3.dll
  http://reinroot.top/f059ec3d7eb90876/vcruntime140.dll
  http://reinroot.top/f059ec3d7eb90876/msvcp140.dll
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://reinroot.top/f059ec3d7eb90876/mozglue.dll
  http://reinroot.top/f059ec3d7eb90876/freebl3.dll
  http://www.maxmind.com/geoip/v2.1/city/me
  http://87.121.221.58/g.exe - rule_id: 35764
  http://reinroot.top/f059ec3d7eb90876/nss3.dll
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://reinroot.top/3886d2276f6914c4.php
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://vk.com/doc647736509_665946936?hash=Fw8vXcrjS5Y82bLQZhz32GCk6IzsT6dnzFC0fLxgLtw&dl=YdGZzLuwnaHUwjzmbi8OVpbEtxsL4XE8QVyvW0tyB7z&api=1&no_preview=1#ampul
  https://sun6-22.userapi.com/c909628/u647736509/docs/d9/d05371c5ad1b/crypted.bmp?extra=_BSw5BxWGH5kQbw3SOZWiZmxneG1Mm7KsLdT8BR9aygsrxw3tGDzxJ7zahx7VVTUjJFO6WEids3x3ydWzjErsNVr_sglsVXU19p-gTF0BkqUFhJk6Dwy0IGXzdey84pdzfJaU0KQ-EXh84vs4g
  https://busell.store/setup294.exe - rule_id: 35772
  https://db-ip.com/
  https://vk.com/doc647736509_665952794?hash=beIXGypj5pVP0OkMsBnpWjHmPdo1Dvd0ZLVa9zqpxNT&dl=gw9epkyrndw2PGDAQG3LR6ojcOshuBjYRZzs1CrYVbw&api=1&no_preview=1#nudik
  https://sun6-23.userapi.com/c909628/u647736509/docs/d6/bffd6b9ab110/RisePro.bmp?extra=jX_cm3sy4CknoQfM7-JMWS4wYRkXkleQqeOPhUa0tcdjKyTHBvsnjrCXjFFZqrDtB6UL7hLyHU_Wo1bXM-pjy3vsLBMutPb9uIlqhW6cxt_Eb89cF8G9u8-5J9GaM_1jnexuqzcPqWUZJg_cSg
  https://sun6-22.userapi.com/c909618/u647736509/docs/d6/49341793a9d8/OfficeTlsN.bmp?extra=8gEtDs_1QebRuVjs7yy3207O3Hn6bCGEr5wFC9607nRvd_8t5t2sB-Ps-ApEVaZty8lKaZ7Oxy126dTQDgvWpI7bRQAS0oztn42AxB-ir1QJ-rZq8mWDmQcg7NioqcbH1ASenGQb15vBsIVo2w
  https://sun6-21.userapi.com/c909628/u647736509/docs/d12/c33b467a8d1d/PMmp.bmp?extra=EMd7mEWvFCEyKakzsVUMs8a_hW7nen1rxXQOcH8l0dktthsDXofuo_pUCyQCh5p1kWZjb2ZrjUg9S6ygNDxvMnyb4is4G3RZ7GoFzrK2A9XR_xJRGPuSyEop-UQnQs4LHxz6v_01rFNENj5UKg
  https://sun6-22.userapi.com/c909228/u647736509/docs/d52/fbdf66113369/nudik.bmp?extra=IBxLJjQkBRFD0a5qyjwrm-nMLwFIxDFxBKKVlM0bfjPUbQuWvEP0zJqYdaV-LS-jCeSuSm_uddwjcZlp01E7eXv2_FgfgBWyvdSsiR0aQIWqYYW1yg0tNhRC6CoWdvT4u9mYUi_6UdsgrrT2xg
  https://vk.com/doc647736509_665952884?hash=ouqF7K5kIj5i1vbx3UIlf5iAbqbiAUCRXIUOYrMg3xL&dl=7655dMZoGamYocJn7PzpOvUI8TGxiVDzfg20PeJrtlz&api=1&no_preview=1#office
  https://sun6-22.userapi.com/c237231/u647736509/docs/d56/8153c0d6ad19/WWW1.bmp?extra=5fYdSdSSZoymAUCSE3cIydPBy5p8q8gxm_LzgKcDYywjcv-MNLMbSeCs4FmIZ0_6HF_kn5xggisfPt-rTt5BqT8b4GHFFFwECg59El_Ocl1L9fWjP36mvG6iqaJeijCeXE2J7tSiVzx8iZ7WIQ
  https://transfer.sh/get/v1v0vsd6BF/d38afgh.exe
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://sun6-21.userapi.com/c909618/u647736509/docs/d36/ae9a2d0b4afe/AmpulesUnweened.bmp?extra=rFOfD69Ynm6Q6ocKi7J-93DMK3OKh29QrNV-VGwsF1sMAqLR3s_Hk3J-EoKz4cLNQPuf_-zGtPdRZ3a_CGTWXJGSC11JkCjRWI5bgAu6_O-f8aYwX-48CL60scV5tmngHFPV3-qfg46aIydhtg
  https://vk.com/doc647736509_665954868?hash=2Ur4wxKVMUCXZVZ12NZLQLSvSpf4bpmZ3Ss59vXSvs4&dl=mx1kX4WsmG2cW1Op1kgtsxXsfQL3ZeRLkEs3HHXv6pX&api=1&no_preview=1#1
Hosts (53):
  db-ip.com(104.26.5.15)
  sun6-21.userapi.com(95.142.206.1) - mailcious
  api.db-ip.com(104.26.5.15)
  andrewjohnson.top(195.58.51.86) - malware
  sun6-22.userapi.com(95.142.206.2)
  vk.com(87.240.132.67) - mailcious
  busell.store(104.21.9.89) - malware
  iplogger.org(148.251.234.83) - mailcious
  sun6-23.userapi.com(95.142.206.3)
  z.nnnaajjjgc.com(156.236.72.121) - malware
  ipinfo.io(34.117.59.81)
  api.myip.com(104.26.9.59)
  bitbucket.org(104.192.141.1) - malware
  www.maxmind.com(104.17.241.37)
  zzz.alie3ksgdd.com(172.67.143.192) - malware
  www.logpasta.com(188.166.57.133)
  reinroot.top(195.58.51.86) - malware
  iplis.ru(148.251.234.93) - mailcious
  transfer.sh(144.76.136.153) - malware
  148.251.234.93 - mailcious
  194.169.175.128 - mailcious
  144.76.136.153 - mailcious
  104.16.104.68
  104.26.5.15
  208.67.104.60 - mailcious
  87.121.221.58 - malware
  61.111.58.34 - malware
  172.67.75.166
  104.21.54.252 - malware
  194.26.135.162 - mailcious
  87.240.132.78 - mailcious
  195.58.51.86 - malware
  34.117.59.81
  148.251.234.83
  77.91.124.73 - mailcious
  104.21.9.89 - malware
  15.235.130.167
  94.142.138.131 - mailcious
  104.192.141.1 - mailcious
  77.91.124.231 - malware
  149.202.0.242 - mailcious
  156.236.72.121 - mailcious
  45.15.156.229 - mailcious
  104.26.9.59
  104.26.4.15
  95.142.206.3
  163.123.143.4 - mailcious
  95.142.206.1 - mailcious
  193.233.254.61 - mailcious
  85.208.136.10 - mailcious
  95.142.206.2
  188.166.57.133
  185.244.181.112 - mailcious
Network alerts (50):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 39
  ET DNS Query to a *.top domain - Likely Hostile
  ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
  ET INFO HTTP Request to a *.top domain
  ET INFO Packed Executable Download
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
  ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET INFO TLS Handshake Failure
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET DROP Dshield Block Listed Source group 1
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET MALWARE Win32/Stealc Submitting System Information to C2
Rule-matched URLs (7):
  http://208.67.104.60/api/firegate.php
  http://208.67.104.60/api/tracemap.php
  http://193.233.254.61/loghub/master
  http://94.142.138.131/api/tracemap.php
  http://87.121.221.58/g.exe
  http://45.15.156.229/api/tracemap.php
  https://busell.store/setup294.exe
6.6 | M | | ZeroCERT

9216 | 2023-08-22 16:59 | class-wp-image-editors.php 8aba0879d92cfe48941218b64cd49e27 Generic Malware task schedule Malicious Library UPX Antivirus AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (5):
  https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys - rule_id: 34841
  https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
  https://pastebin.com/raw/PTNbBX9V - rule_id: 34840
  https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe - rule_id: 21519
  https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe - rule_id: 21520
Hosts (4):
  github.com(20.200.245.247) - mailcious
  pastebin.com(104.20.67.143) - mailcious
  104.20.68.143 - mailcious
  20.200.245.247 - malware
Network alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (4):
  https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
  https://pastebin.com/raw/PTNbBX9V
  https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe
  https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
15.8 | M | 46 | ZeroCERT

9217 | 2023-08-22 16:48 | cliam.exe 42fa04f90fa460eb9c514c85a39a70e6 UPX PE File PE64 VirusTotal Malware sandbox evasion WriteConsoleW | 3.0 | | 14 | ZeroCERT

9218 | 2023-08-22 16:45 | v16p1gseo3t8fb.exe cb990bbd972b9938ddc9efaf80abab21 RedLine stealer Malicious Library UPX AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder malicious URLs installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (1):
  https://bloom-artists.com/wp-includes/class-wp-image-editors.php?filename=winx32apideftype.exe - rule_id: 35978
Hosts (3):
  bloom-artists.com(85.187.128.34) - malware
  46.149.77.25 - mailcious
  85.187.128.34 - mailcious
Network alerts (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1):
  https://bloom-artists.com/wp-includes/class-wp-image-editors.php
13.8 | M | 19 | ZeroCERT

9219 | 2023-08-22 16:43 | supr.exe 998dc2c3d2f2c0f6d847c506fed46f8e Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder | 3.4 | M | 38 | ZeroCERT

9220 | 2023-08-22 14:57 | pzOEfyaZPW1OyO690Z19HEU7.dll fe1097b9754d8e3c54c7f54c68c4dabd Malicious Library Malicious Packer MZP Format PE File DLL PE64 VirusTotal Malware Check memory Remote Code Execution | 2.2 | | 53 | yjw

9221 | 2023-08-22 14:34 | pzOEfyaZPW1OyO690Z19HEU7.dll fe1097b9754d8e3c54c7f54c68c4dabd Malicious Library Malicious Packer MZP Format PE File DLL PE64 VirusTotal Malware Check memory Remote Code Execution | 2.2 | | 53 | yjw

9222 | 2023-08-22 14:11 | pzOEfyaZPW1OyO690Z19HEU7.dll fe1097b9754d8e3c54c7f54c68c4dabd Malicious Library Malicious Packer MZP Format PE File DLL PE64 VirusTotal Malware Check memory Remote Code Execution | 2.2 | | 53 | ZeroCERT

9223 | 2023-08-22 13:52 | payload.dll aa9991d405f0742d592ca9a3c193a931 UPX Malicious Packer OS Processor Check PE File DLL PE64 VirusTotal Malware PDB Check memory | 1.6 | | 46 | yjw

9224 | 2023-08-22 13:44 | payload.dll aa9991d405f0742d592ca9a3c193a931 UPX Malicious Packer OS Processor Check PE File DLL PE64 VirusTotal Malware PDB | 1.4 | | 46 | yjw

9225 | 2023-08-22 13:35 | payload.dll aa9991d405f0742d592ca9a3c193a931 UPX Malicious Packer OS Processor Check PE File DLL PE64 VirusTotal Malware PDB | 1.4 | | 46 | yjw