9466 | 2023-10-19 02:14 | Rechung-87_PDF.js.pdf 64b82476268205bc28b7fccca5808cf0 PDF | guest

9467 | 2023-10-18 18:04 | sogn.exe b67ddf6cef57729b557a66460c0b6dd4 UPX .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself | 2.4 | M | 43 | ZeroCERT

9468 | 2023-10-18 18:01 | test.exe 3939345bad08812d7dba41f064c1665d Malicious Packer PE File PE32 VirusTotal Malware unpack itself DNS | 3.6 | M | 62 | ZeroCERT
  2 | 167.172.140.132 - malware 91.235.128.141

9469 | 2023-10-18 18:00 | arinzezx.exe e25e15eb096d884c88cce0f4e079d2de UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed | 10.8 | M | 41 | ZeroCERT
  2 | cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
  2 | SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

9470 | 2023-10-18 17:57 | 123.exe 62914a3d73d59716bd8dbbbd947f6a02 RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key | 3.8 | M | 55 | ZeroCERT
  1 | 88.99.105.150 - mailcious

9471 | 2023-10-18 17:55 | abun.exe 85b7d14c272f7d0ad66a74ec947b7677 UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger | 12.0 | M | 32 | ZeroCERT
  4 | mymobileorder.com(162.0.232.65) api.ipify.org(64.185.227.156) 104.237.62.212 162.0.232.65 - phishing
  5 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

9472 | 2023-10-18 17:55 | obizx.exe d08792fa3031b847d0fd6bd56d10ee93 PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself | 2.6 | M | 40 | ZeroCERT

9473 | 2023-10-18 15:20 | Archive.7z 14cf80a7fd8a77c3eaed98b8ec615eb4 Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Discord DNS | 5.0 | M | | ZeroCERT
  6 | http://193.42.32.118/api/firegate.php - rule_id: 36458 http://193.42.32.118/api/tracemap.php - rule_id: 36180 https://cdn.discordapp.com/attachments/1162840103530528921/1163757886992814141/setup.exe https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1 https://sun6-23.userapi.com/c909628/u52355237/docs/d52/6076404f60cf/ses.bmp?extra=vfnVMTyJ0z5oRRioQq5a4Ra-175lPx2RCYBIotPnmMhApvMMpHNxSEiuf3yMM4CorYaMFxQs-9DkKKFN4lsr5mu9vCvcF8W8b8fZhd4C_vKIeW8tIByAbMv_YKl3iV7Wq6s56P6Y96mO2chN https://api.myip.com/
  18 | iplis.ru(148.251.234.93) - mailcious sun6-23.userapi.com(95.142.206.3) - mailcious iplogger.org(148.251.234.83) - mailcious ipinfo.io(34.117.59.81) cdn.discordapp.com(162.159.129.233) - malware vk.com(87.240.129.133) - mailcious api.myip.com(104.26.8.59) 87.240.137.164 - mailcious 148.251.234.83 148.251.234.93 - mailcious 104.26.9.59 193.42.32.118 - mailcious 95.142.206.3 - mailcious 51.254.67.186 34.117.59.81 91.103.253.6 208.67.104.60 - mailcious 162.159.129.233 - malware
  15 | ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET INFO TLS Handshake Failure ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  2 | http://193.42.32.118/api/firegate.php http://193.42.32.118/api/tracemap.php

9474 | 2023-10-18 11:00 | 1 609c656c5caf4dadf68d74817b292b9f UPX Downloader PE File PE32 VirusTotal Malware crashed | 1.4 | | 6 | ZeroCERT

9475 | 2023-10-18 10:01 | audiodgse.vbs 338b7c96e85cbe30dd4f196461fc4ba4 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 7.6 | | 1 | ZeroCERT
  1 | https://wallpapercave.com/uwp/uwp4072801.png
  2 | wallpapercave.com(104.22.52.71) - malware 104.22.52.71
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

9476 | 2023-10-18 10:00 | eggoflife.vbs 5cb5b67ebd7c01a2476d96153d26b45a Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 7.6 | | 1 | ZeroCERT
  1 | https://wallpapercave.com/uwp/uwp4072801.png
  2 | wallpapercave.com(104.22.52.71) - malware 104.22.53.71
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

9477 | 2023-10-18 09:59 | RBLnetwork.vbs 393a35d56ac8e0403f5e37a0ab0bba4b Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 7.6 | | 1 | ZeroCERT
  1 | https://wallpapercave.com/uwp/uwp4072801.png
  2 | wallpapercave.com(104.22.52.71) - malware 104.22.53.71
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

9478 | 2023-10-18 09:57 | Managing.ps1 7bbd630da159177a21f5ce10f73fb571 Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Windows Cryptographic key | 1.4 | | 19 | ZeroCERT

9479 | 2023-10-18 09:54 | ltd.txt.ps1 76a88901ca572ebb907813bc9a8c75db Generic Malware Antivirus VirusTotal Malware unpack itself WriteConsoleW Windows DNS Cryptographic key | 1.8 | | 5 | ZeroCERT
  1 | http://185.81.157.25:222/A.txt
  1 |

9480 | 2023-10-18 09:52 | HTMLcache.doc ab0a2dc85b78848f7f2bb5e3fab1abea MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed | 4.0 | M | 28 | ZeroCERT
  3 | http://101.99.75.183/MfoGYZkxZIl205.bin
    | http://103.186.65.80/79/audiodgse.exe
    | http://geoplugin.net/json.gp
  5 | geoplugin.net(178.237.33.50) 178.237.33.50
    | 103.186.65.80 - malware
    | 2.59.254.111 - mailcious
    | 101.99.75.183
  7 | ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET JA3 Hash - Remcos 3.x TLS Connection ET HUNTING Generic .bin download from Dotted Quad