9436 | 2023-10-19 10:47 | build.exe a8f8c8c13cfd0aa9b11430b98485b6e5 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself | | | | | 1.6 | M | 30 | ZeroCERT
9437 | 2023-10-19 10:35 | toolspub1.exe d29b29f543a8e7145d225a7a81818308 Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware Code Injection Checks debugger buffers extracted unpack itself | | | | | 6.4 | M | 30 | ZeroCERT
9438 | 2023-10-19 10:35 | build.exe fb822de297dc253056e7538748d43a3a Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself | | | | | 1.6 | M | 31 | ZeroCERT
9439 | 2023-10-19 10:29 | Setup.7z 7549293a5a8c4e9e8ded3ee62551db42 PrivateLoader Amadey Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c powershell Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro Trojan DNS Downloader |
76 |
138 |
57
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.pw domain - Likely Hostile ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET HUNTING Suspicious services.exe in URI ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING Request to .TOP Domain with Minimal Headers ET INFO Packed Executable Download ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Dotted Quad Host ZIP Request ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO PS1 Powershell File Request SURICATA TLS invalid record type SURICATA TLS invalid record/traffic |
30 |
8.4 | M | | ZeroCERT
9440 | 2023-10-19 10:21 | EngineChromium.exe 2f943946efaa3e446ee3cbd43a540f5b Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces | | | | | 3.0 | | 31 | ZeroCERT
9441 | 2023-10-19 09:58 | EngineChromium.exe 2f943946efaa3e446ee3cbd43a540f5b Emotet Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE64 ftp OS Processor Check VirusTotal Malware PDB crashed | | | | | 1.6 | | 30 | ZeroCERT
9442 | 2023-10-19 09:56 | bQJU.exe bf88f41d1be46f0855345b4b74beb44f UPX Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE Malware download NetWireRC VirusTotal Malware IP Check RAT DNS DDNS |
1 |
4
berlinqua.duckdns.org(179.13.0.48) ip-api.com(208.95.112.1) 179.13.0.48 208.95.112.1 |
4
ET MALWARE Common RAT Connectivity Check Observed ET POLICY External IP Lookup ip-api.com ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
|
2.4 | | 54 | ZeroCERT
9443 | 2023-10-19 09:56 | oneone.js.exe 7099a939fa30d939ccceb2f0597b19ed PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName | | | | | 2.6 | M | 56 | ZeroCERT
9444 | 2023-10-19 09:55 | 0.txt.ps1 3651e42acbe56a42676d14fc00d3e824 Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key | | | | | 1.4 | | 3 | ZeroCERT
9445 | 2023-10-19 09:36 | oneone.js 8d38022aafef200f061a873cad79fe61 WSHRAT LokiBot Formbook Hide_EXE Generic Malware Suspicious_Script_Bin Antivirus .NET framework(MSIL) Escalate priviledges PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Wshrat NetWireRC VirusTotal Email Client Info Stealer Malware VBScript powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI wscript.exe payload download Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Windows Houdini Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger Dropper |
2
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328 http://ip-api.com/json/ |
6
chongmei33.publicvm.com(103.47.144.71) - mailcious ftp.martur.cl(187.49.9.55) ip-api.com(208.95.112.1) 208.95.112.1 187.49.9.55 - mailcious 103.47.144.71 - mailcious |
6
SURICATA Applayer Detect protocol only one direction ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com) ET POLICY External IP Lookup ip-api.com ET MALWARE WSHRAT CnC Checkin ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain |
1
http://chongmei33.publicvm.com:7045/is-ready |
10.0 | M | 34 | ZeroCERT
9446 | 2023-10-19 08:05 | smss.exe 89e7a2a15d1a8eaff2f2570f39532c1c Formbook .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS |
2
http://www.into-org.com/rs10/?C0D=+njUxLNT9hCOVJ3Lnug2QEI/7WyUV+ofb+5xay11NC0a753xJF4LqnCsTY0IVEvVOlnNjj+S&QZ3=ehux_vXh401Xart http://www.mtauratarnt.com/rs10/?C0D=pPtLjK+gsCF+gBeBSkx+WEjNRlgjs/QTeyOfbuiR2sOl/G3k+8MocAF2pTNT/vXnM1YvSeQw&QZ3=ehux_vXh401Xart |
5
www.mtauratarnt.com(104.21.69.174) www.into-org.com(213.186.33.5) 104.21.69.174 104.194.128.170 213.186.33.5 - mailcious |
1
ET MALWARE FormBook CnC Checkin (GET) |
|
9.6 | M | 31 | ZeroCERT
9447 | 2023-10-19 08:02 | 987123.exe 1d14fe082ca22877edbcea8f33401b18 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself DNS | | 1 | | | 2.2 | M | 31 | ZeroCERT
9448 | 2023-10-19 08:00 | ch.exe 443ebfe5300c79fd559324c757aab369 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware | | | | | 1.2 | M | 45 | ZeroCERT
9449 | 2023-10-19 08:00 | Ads.exe 6e781cf49af81b961d0ab465210a35f8 Generic Malware Malicious Library UPX Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 OS Processor Check DLL Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows DNS Downloader CoinMiner |
10 |
29 |
17
ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET HUNTING Possible EXE Download From Suspicious TLD ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) |
3
http://85.217.144.143/files/My2.exe https://pastebin.com/raw/xYhKBupz https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe |
13.2 | M | 36 | ZeroCERT
9450 | 2023-10-19 07:59 | Random.exe 191febed315d7c3a620b564e99e5f3cc Gen1 Emotet Generic Malware UPX Malicious Library Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 .NET EXE OS Processor Check PNG Format DLL CAB MSOffice File JPEG Format Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed Downloader CoinMiner |
12 |
32 |
17
ET DNS Query to a *.top domain - Likely Hostile ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Possible EXE Download From Suspicious TLD ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) |
3
http://85.217.144.143/files/My2.exe http://85.217.144.143/files/Amadey.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe |
19.4 | M | 23 | ZeroCERT