| 9301 |
2023-10-26 13:59
|
 mohammeddroidupdatedfilebase64... 6070a1b84846a0946639a374043787d6
AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware Check memory Checks debugger unpack itself Windows Browser Email ComputerName crashed |
|
|
|
|
4.0 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9302 |
2023-10-26 13:23
|
jajajjajapapapappanananan.vbs 7e9d44a6c4367491ad178bf62548f136
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://94.156.253.236/yeyesyesyeys.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9303 |
2023-10-26 13:23
|
eveningFile.vbs 088dd62ff5ed6d7e15caab5a0bb62f10
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9304 |
2023-10-26 13:22
|
 aaaaa.txt.exe f7a2deae211b49311fa7f56c1e4566f2
Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
|
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9305 |
2023-10-26 10:43
|
HTMLEVENbrowser.dOC 8ff3248ebdfa3b7dd737f7bee9b9dae6
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.254.37.174/eveningFile.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.18
185.254.37.174 - mailcious
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9306 |
2023-10-26 10:41
|
 HTMLIECachesBrowser.dOC a08ca8e6fd0e7002499434aa2547d160
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.156.253.236/jajajjajapapapappanananan.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
94.156.253.236 - mailcious
104.21.45.138 - malware
23.32.56.72
|
2
ET INFO Dotted Quad Host VBS Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9307 |
2023-10-26 10:40
|
 foto1661.exe 7613290b26555e6b7b16131d17331960
Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check .NET E Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
25
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master - rule_id: 37500
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/foto1661.exe
http://77.91.68.249/fuza/tus.exe
http://77.91.68.249/fuza/nalo.exe - rule_id: 37525
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php - rule_id: 37040
http://77.91.124.1/theme/index.php
https://accounts.google.com/generate_204?KIpSmg
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?x9IqeA
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn
https://www.google.com/favicon.ico
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
14
www.youtube.com(172.217.25.174) - mailcious
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.215.35)
accounts.google.com(142.250.206.205)
www.google.com(142.250.76.132)
142.250.204.36
142.251.220.14
216.58.200.237
77.91.124.86
216.58.203.67
193.233.255.73 - mailcious
77.91.124.1 - malware
157.240.215.35
77.91.68.249 - malware
|
18
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
6
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php
|
24.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9308 |
2023-10-26 10:38
|
 Main332.js c3cc912df10bafc0de538be5557710ac
AntiDebug AntiVM VirusTotal Malware Code Injection Malicious Traffic wscript.exe payload download Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS |
2
http://49.13.119.73/GJDtkud/Aerot
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
|
3
www.ssl.com(54.87.241.101)
49.13.119.73
34.195.117.81
|
2
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
|
|
7.6 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9309 |
2023-10-26 10:38
|
 T1.js caa023ac5ec92dd9fd17b33a448c140a
AntiDebug AntiVM VirusTotal Malware Code Injection wscript.exe payload download Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS |
2
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
http://155.138.224.36/abb/unsec
|
3
www.ssl.com(54.87.241.101)
155.138.224.36 - mailcious
34.195.117.81
|
|
|
8.4 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9310 |
2023-10-26 10:28
|
 Final rooming list.bat 98000fd6e24b741927fd81c1d61ae996
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9311 |
2023-10-26 10:24
|
 987123.exe 7ed1926e1e6e2fe6390c3c6d4b8878aa
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9312 |
2023-10-26 10:23
|
 tus.exe 10a17abe9f1d739be062dfa9f1730298
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB Code Injection buffers extracted |
|
|
|
|
7.0 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9313 |
2023-10-26 10:23
|
 davincizx.exe 9f12d35cb063268ba5e58c71c26ef0e4
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware |
|
|
|
|
1.4 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9314 |
2023-10-26 10:23
|
 timeSync.exe ab629ce2f730accf1ccfe3c5054d6c1b
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9315 |
2023-10-25 18:27
|
File.7z 86f0e6986a754d96179b2c20d8db49b6
PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Cryptocurrency Miner Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser Trojan DNS Downloader CoinMiner |
80
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://109.107.182.2/race/bus50.exe - rule_id: 37496
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://85.217.144.143/files/townpublishing.exe
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://49.12.116.189/upload.zip
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.69/newumma.exe - rule_id: 37499
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://171.22.28.221/files/Ads.exe - rule_id: 37468
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://77.91.124.1/theme/index.php - rule_id: 37040
http://gons3fc.top/build.exe
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://193.233.255.73/loghub/master - rule_id: 37500
http://gobo04fc.top/build.exe
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://171.22.28.221/files/Random.exe - rule_id: 37434
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://171.22.28.213/3.exe - rule_id: 37068
http://www.google.com/
https://sun6-22.userapi.com/c909328/u52355237/docs/d36/94e70066ac80/PL_Client.bmp?extra=GYu9pTC-Wl1Sg_fchSUawzC7SOJQ5mf6X2A3Lm8ZE1bmn4F7iqzq_0_-pgTnEnf4Z8ETAumkli_vcaYV1Z_ULFP_mNBGwhECBvqkXysXuH9Sz8e5J6_7zGC5Vyj2-tcbfXz3qBeXxZZmpG6k
https://vk.com/doc52355237_667343838?hash=zdFRocOdJtT0IyxFdnygjsrvYEitfza6BvyL25bGpZD&dl=sHDqrRzc8uNalY3nwHHztHxEdFCN6CpN55OVgGQqijL&api=1&no_preview=1#1
https://steamcommunity.com/profiles/76561199564671869
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397
https://accounts.google.com/generate_204?CDdS5w
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://potatogoose.com/976b26ee384bf2dcf27abfc3b8d028eb/baf14778c246e15550645e30ba78ce1c.exe
https://www.google.com/favicon.ico
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://api.ip.sb/ip
https://experiment.pw/setup294.exe - rule_id: 37436
https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=hjMZy0D95eSFxb%2FYE%2Fdrj5C6tndz19A2RfpDONXthx4%3D&spr=https&se=2023-10-26T09%3A35%3A45Z&rscl=x-e2eid-cd83c9d1-11ee493e-8ec461f2-562aef4b-session-3b3dacd9-31504d5f-bf9a4f83-796fb600
https://vk.com/doc52355237_667339795?hash=Vr6hZn5xlDzZsz30TpnTzHAO4DHKke3DmD4kGhoeqoH&dl=6fzaZ8xtsOzOd75auvzL1Z7h0auXHva7GD7UyQqxDDo&api=1&no_preview=1
https://sun6-22.userapi.com/c909618/u52355237/docs/d51/b8b9a3f0dc19/RisePro_0_9.bmp?extra=S_Pw_XtG5PO3pErgyMk8rmhNNVpFLN7JZFRZb7P0DQbCvb25kgrWOiITEqnQ1DrUrLRqlEiLjGGyyXplnWiQQv40Gxo9KL6bmVJWDYrct0qqfiD8S9zjDR328l71NfIg7q089wragM-LuguC
https://vk.com/doc52355237_667363057?hash=EFGn7JDa1yL3d80vbqsB9WZH2w3XpT5V6LPR4VEBzc4&dl=QJPdu5Tzl9CEda3jy8BmjsTGIU8RaodEGQVRlC2jmdD&api=1&no_preview=1#all
https://sun6-22.userapi.com/c909328/u52355237/docs/d39/fea02e6516ef/all.bmp?extra=1jLtQoDZlkXee5oo1ICc_9GEajaJa4WgEW2aW76jh1X4r0G8nBKsO1fC-UITCjUotA9USMbQHx2E534DFNgrHG_ven327gh2BTuXaBkk_4hLBUxns9Tv5eHEyBEemy9O9cRIt33iy9__px79
https://api.myip.com/
https://sun6-22.userapi.com/c909618/u52355237/docs/d26/cc55b2954aea/crypted.bmp?extra=xLNs08HOc2FVnDJsDb3fD8GFoFKmCU7QJz_fRbm4cuX-Ud8sbS3ZYM4raB86hLMg30wxZWxsHLUDDk07eXkgw1zAbBCXdaTfzZ9SmqURbHH51SmXU4eNGjrBU_f7Jo6Q2J1vJSYawZTYv0pt
https://msdl.microsoft.com/download/symbols/index2.txt
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://yip.su/RNWPd.exe
https://diplodoka.net/976b26ee384bf2dcf27abfc3b8d028eb/7a54bdb20779c4359694feaa1398dd25.exe
https://sun6-22.userapi.com/c909518/u52355237/docs/d5/1aa2c5f38718/test23.bmp?extra=9FhCUwRY0gis9rghwSNws5CZNzCYS1cFvSzMovIC4R9pgAu6f-6BHFvxk7A3VnUhzurcljGxSjA3h1u1s_urlUUF8X-lH3axsr1NmjA9bVbhXg_8fAna1HNi9FXqmBMzfYbdJ8NBaWlajfQ7
https://vk.com/doc52355237_667363160?hash=90eo1ggSa79KsVZPaYy6x9lScec24zb12wdY8O5unQk&dl=m7LLs87D1wJQyUxzU3MK1qZzpMIcxisi2LpUtD1jlOs&api=1&no_preview=1#test22
https://dzen.ru/?yredirect=true
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/9072feeb59e1/2.bmp?extra=anTEO8FrVGu00Q5VjCfBzfV6wA1wHhJ4v3kJhx0qWWZQbBF7ZjM9pGJCaiS-ZPprUSRJiLz6BgcrTKyf9D1xg2NvZAKTna40r0l84UKOHs6o-eobD5J99sFFPZGpyzmim2vkG5mjF5IJtf23
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyykJNODYDpIHqhOifsHXhwJQmK8zndb5lyvjBtQuk9jZeMf94g9TWw4WX1eVNV9XYlWLO5icg
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://sun6-22.userapi.com/c909218/u52355237/docs/d42/60d05adee2f0/WWW11_32.bmp?extra=C65rMG9a2ZLgS4-qRwSgkiSxHJ3RAaH3KFKeI6EmSeeje_84SPUwWXjC_3sPq8LlWHKSPAXwi3EVIIkD0RFllrJ7VuliWNF78K0_YqEAepb9uoFHLsXGRl9gQ5Yenv5OHgw81aIn24dCy__n
https://vk.com/doc828628200_671409039?hash=0yEYLUUztkFa1eCd0vT01xEQlMXCn20q2EbUpZXcuIP&dl=Mz4XiECwpxCz6uTiBkS3szJG5kfAHZDNnQub6U5y8Do&api=1&no_preview=1
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://sun6-23.userapi.com/c909518/u52355237/docs/d59/b2220ffab81c/d432j89adg.bmp?extra=fPb2B9ko9Mhx2DzFJ1UkjS4bmg5SfYI4NNWBqcF0aiYSAU5AZdPLvdhQqhn8ujfkWsa5z86DgnzoIkQaGeBFjxxg_BisIc9O5Kwa1JhnN-RSdiZG-vmmpRjn_ZaVPz_ccs1EJjKOIIEUE1Ns
https://sun6-20.userapi.com/c237231/u52355237/docs/d30/24459ebe9485/crypted.bmp?extra=G9O9Z5VhCwn1IjHZMEeC96bT7TZPJN8bQD-u_isK9maVUv8bgsaMkkehRuoCWJvCMzxY1RJKKn6oA1e40Wf5bbv_o9I-NxdvV3Mk7krC79T7DX_qSTi5qr4ZLmbvRGkLp-Bll9JOEJ1Kahsn
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywL3WvaP67WC1xBgQHpszVeSkZSzqgvgWBUNZ5eG5Ei8Y5pss0d4jN2xMG0ZtU8qv0vxabvug&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1291519739%3A1698225333762439
https://vk.com/doc52355237_667352314?hash=zEDslzmi2iqzNrxct8lDgzwviJyAQH0HNgf3d1Rmh6P&dl=fusKtwAsyn4UnIwHaxljeG8aYAZah7k5j7DwacWhYAc&api=1&no_preview=1#cryp
https://sso.passport.yandex.ru/push?uuid=b4b5387a-4dc9-40ae-a50c-088ac025b446&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://vk.com/doc52355237_667345691?hash=b2GSJerzQ21MGzq3fbxSH4ZU7wFsRgdMXupM5JVGGe8&dl=CHVE21CiJhK5KnfhOr6bKYBVGnvTZozjOitXlACAFDc&api=1&no_preview=1#rise
https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-21.userapi.com/c909218/u828628200/docs/d43/026941298ed6/a.bmp?extra=9KmCzHW6FEZN4c_hjWXF-FgWhxDqAhwzrh1sL_mdkgUFjkoB_oENhSPtaYj_XCrlpK5zdeuq4i-I9q8tGp5lrf4wvZp6ESTPthD-L5d66fICr_NCQ0Jh4CWCK83G052Fl_ju4E8t7KE5wq0g8Q
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=JmV9CYXdjSQ9qTNp1k5Pntqf0mOYcgNbYjV92kz0qm4%3D&spr=https&se=2023-10-26T09%3A12%3A04Z&rscl=x-e2eid-dfe33115-46c74920-9c682d65-9c3d827d-session-005fb60a-442d420e-a210e886-3c4ce8d3
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://vk.com/doc52355237_667299917?hash=ZBXZXgvR0VGrrHhRL8ouG0pmaOgq5CMqSVSg07KQ3kD&dl=VP4eeCrZnI7ZSJlYk7MTGWNlWtWgIwQmPzfjoXznkSD&api=1&no_preview=1#ww11
https://api.2ip.ua/geo.json
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
|
153
neuralshit.net(104.21.6.10) - malware
db-ip.com(104.26.4.15)
telegram.org(149.154.167.99)
lakuiksong.known.co.ke(146.59.70.14) - malware
vanaheim.cn(84.201.152.220) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
gobo04fc.top(85.143.220.63)
accounts.google.com(142.250.206.205)
sun6-23.userapi.com(95.142.206.3) - mailcious
galandskiyher5.com(95.214.26.34) - malware
potatogoose.com(104.21.35.235) - malware
www.snipes.com(104.16.223.69)
dzen.ru(62.217.160.2)
insuport.com(69.90.162.0)
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
laubenstein.space() - mailcious
jamesjordan.top() - malware
twitter.com(104.244.42.129)
msdl.microsoft.com(204.79.197.219)
yip.su(172.67.169.89) - mailcious
cdn.discordapp.com(162.159.135.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(172.67.75.166)
server13.thestatsfiles.ru(185.82.216.96)
sun6-21.userapi.com(95.142.206.1) - mailcious
a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru(185.82.216.96)
lrefjviufewmcd.org(91.215.85.209) - malware
pool.hashvault.pro(131.153.76.130) - mailcious
walkinglate.com(104.21.23.184) - malware
stun2.l.google.com(74.125.197.127)
diplodoka.net(172.67.217.52) - malware
experiment.pw(104.21.34.37) - malware
www.nakedcph.com(104.16.129.120)
ssl.gstatic.com(142.250.206.227)
api.ip.sb(172.67.75.172)
www.sivasdescalzo.com(104.18.233.222)
iplogger.com(148.251.234.93) - mailcious
gons3fc.top(85.143.220.63)
colisumy.com(181.170.86.159) - malware
zexeq.com(123.213.233.131) - malware
octocrabs.com(104.21.21.189) - mailcious
vsblobprodscussu5shard58.blob.core.windows.net(20.150.70.36)
vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36)
yandex.ru(5.255.255.70)
net.geo.opera.com(107.167.110.216)
iplis.ru(148.251.234.93) - mailcious
www.google.com(142.250.76.132)
www.maxmind.com(104.18.145.235)
sun6-22.userapi.com(95.142.206.2) - mailcious
pastebin.com(104.20.67.143) - mailcious
flyawayaero.net(172.67.216.81) - malware
grabyourpizza.com(172.67.197.174) - malware
vk.com(87.240.132.67) - mailcious
sso.passport.yandex.ru(213.180.204.24)
api.myip.com(104.26.8.59)
lycheepanel.info(104.21.32.208) - malware
148.251.234.93 - mailcious
85.217.144.143 - malware
62.122.184.92 - mailcious
62.217.160.2
85.143.220.63 - malware
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.163
172.67.187.122 - malware
83.97.73.44
142.250.76.132
185.82.216.96
176.113.115.84 - mailcious
104.21.35.235
104.16.222.69
104.75.41.21 - mailcious
121.254.136.9
74.125.197.127
49.12.116.189
45.143.201.238 - mailcious
87.240.132.78 - mailcious
109.107.182.2 - malware
171.22.28.236 - mailcious
194.169.175.128 - mailcious
162.159.135.233 - malware
84.201.152.220
87.240.129.133 - mailcious
193.233.255.73 - mailcious
104.244.42.129 - suspicious
104.21.65.24
104.21.34.37 - phishing
171.22.28.226 - malware
87.240.132.67 - mailcious
171.22.28.221 - malware
104.26.8.59
104.21.6.10 - malware
104.18.233.222
194.169.175.233 - malware
181.170.86.159
95.142.206.3 - mailcious
95.142.206.2 - mailcious
95.142.206.1 - mailcious
95.142.206.0 - mailcious
172.67.217.52 - malware
104.21.93.225 - phishing
104.21.90.82 - malware
80.66.75.77 - mailcious
69.90.162.0
142.250.204.35
104.18.145.235
95.214.26.34
77.91.124.1 - malware
104.20.68.143 - mailcious
20.150.70.36
94.142.138.113 - mailcious
104.26.5.15
208.67.104.60 - mailcious
131.153.76.130 - mailcious
80.66.75.4 - mailcious
104.26.12.31
104.21.79.77 - phishing
77.91.124.86
176.113.115.135 - mailcious
176.113.115.136 - mailcious
185.172.128.69 - malware
45.15.156.229 - mailcious
172.67.216.81 - malware
91.215.85.209 - mailcious
107.167.110.211
172.67.139.220
146.59.70.14 - malware
104.21.23.184 - malware
104.16.128.120
123.213.233.131
172.67.167.220 - malware
5.42.65.101 - mailcious
5.255.255.70
104.20.67.143 - mailcious
213.180.204.24
142.251.130.13
20.150.79.68
34.117.59.81
104.21.21.189
148.251.234.83
185.225.75.171 - mailcious
204.79.197.219
77.232.38.234 - mailcious
23.200.75.26
104.21.32.208 - malware
172.67.197.174
23.200.75.28
104.21.78.56 - malware
91.103.252.189 - malware
171.22.28.213 - malware
|
51
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET INFO Dotted Quad Host ZIP Request
|
29
http://171.22.28.226/download/WWW14_64.exe
http://109.107.182.2/race/bus50.exe
http://zexeq.com/test2/get.php
http://colisumy.com/dl/build2.exe
http://85.217.144.143/files/My2.exe
http://185.172.128.69/newumma.exe
http://45.15.156.229/api/firegate.php
http://zexeq.com/files/1/build3.exe
http://171.22.28.221/files/Ads.exe
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://galandskiyher5.com/downloads/toolspub1.exe
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://77.91.124.1/theme/index.php
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://193.233.255.73/loghub/master
http://94.142.138.113/api/firegate.php
http://171.22.28.221/files/Random.exe
http://193.42.32.118/api/firecom.php
http://171.22.28.213/3.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
https://experiment.pw/setup294.exe
https://pastebin.com/raw/HPj0MzD6
https://pastebin.com/raw/xYhKBupz
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|