9391 | 2023-10-20 18:38
7a54bdb20779c4359694feaa1398dd... | c76c4a17ea2a70829f904bb5d5fed4e2
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
1.6 | M | 29 | ZeroCERT
9392 | 2023-10-20 18:36
baf14778c246e15550645e30ba78ce... | 65d5b184ca2df5942a6abec42c242d18
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
1.8 | M | 33 | ZeroCERT
9393 | 2023-10-20 18:34
setup2.7z | 3735adf80a188c2b01494f4c914ad709
Stealc Vidar PrivateLoader Amadey Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex VirusTotal Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader
URLs: 60
Hosts: 116
IDS alerts: 52
Rule-matched URLs: 39
7.4 | M | 1 | ZeroCERT
9394 | 2023-10-20 18:17
salut.json.exe | 971dd6c48909adf98861fb8457125faa
Malicious Library UPX Malicious Packer PE File DLL PE64 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself crashed
2.2 | | 3 | ZeroCERT
9395 | 2023-10-20 18:14
shareu_2.exe | c3c5b18a7c9594e91c6aff42d26fd5ac
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution
2.2 | | 20 | ZeroCERT
9396 | 2023-10-20 18:12
shareu.exe | cb8a6ad517b3a3eeb0eb66d90cca43b6
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB Code Injection Check memory Creates executable files suspicious process WriteConsoleW Remote Code Execution
6.6 | M | 22 | ZeroCERT
9397 | 2023-10-20 18:12
Setup.7z | 72b145dcb4456a0892b5b725eec5d1b4
Stealc Vidar PrivateLoader Amadey Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro Trojan DNS Downloader
URLs: 68
Hosts: 127
IDS alerts: 56
Rule-matched URLs: 36
7.8 | M | | ZeroCERT
9398 | 2023-10-20 18:11
fra.exe | 22312fe9b0d80938ff7ed706fc584e19
Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key crashed
Hosts: 1
IDS alerts: 4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
6.0 | | 49 | ZeroCERT
9399 | 2023-10-20 18:06
pwng.ps1 | 4264a92eea89c33e2f1727db5afca11d
Generic Malware Antivirus Check memory unpack itself WriteConsoleW Windows DNS Cryptographic key
Hosts: 6
107.167.110.211
45.15.156.229 - malicious
85.217.144.143 - malware
193.42.33.7 - malicious
185.82.216.96
85.143.220.63 - malware
2.6 | | | ZeroCERT
9400 | 2023-10-20 18:05
pwng.ps1 | 5a84bbec3102aac19960d5d6c55bc825
Generic Malware Antivirus Check memory unpack itself WriteConsoleW Windows Cryptographic key
1.0 | | | ZeroCERT
9401 | 2023-10-20 18:05
CCleaner.exe | 15a712903d393839edde2bd426c16172
Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check PDB unpack itself ComputerName Remote Code Execution
1.6 | | | ZeroCERT
9402 | 2023-10-20 17:56
a3_2.jpg.exe | d08f3729495ae6ed7e5d63e605c80cb1
.NET DLL PE File DLL PE32 VirusTotal Malware PDB
1.4 | | 51 | ZeroCERT
9403 | 2023-10-20 17:38
T2Gen.txt.vbs | 7a6846a31383bb152f865c2ebe64cad4
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs: 1
http://185.81.157.213:222/T2.jpg
Hosts: 1
185.81.157.213 - malicious
8.6 | M | | ZeroCERT
9404 | 2023-10-20 17:38
n1.txt.vbs | 86b1b6e92a96b3af518441183ee8fe21
Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key
5.4 | M | | ZeroCERT
9405 | 2023-10-20 17:37
n.txt.vbs | d3a0f829492384059994c6d1c53d9d5f
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs: 1
http://185.81.157.213:222/a3.jpg
Hosts: 2
185.81.157.213 - malicious
172.111.167.99 - malicious
IDS alerts: 2
ET HUNTING [TW] Likely Hex Executable String
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
7.6 | M | | ZeroCERT