9496 | 2023-10-18 07:47 | timeSync.exe | 3a77fc04743664066168d91666d06b5f | Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 40 | ZeroCERT
9497 | 2023-10-18 07:47 | Qconngovaq.exe | 9bd29cbf6a0bc205a1202a1c61ce8989 | UPX .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key
  URLs (1): http://185.254.37.80/Wuotlbdh.jpg
  Hosts (1): 185.254.37.80 - mailcious
6.2 | | 40 | ZeroCERT
9498 | 2023-10-17 17:01 | Setup.7z | 72cbddd810e52a32ffed4a5db1faeb1d | Stealc PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro Trojan DNS
  URLs (47):
  Hosts (75):
  Alerts (40): ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE Win32/Vodkagats Loader Requesting Payload ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Packed Executable Download ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO Dotted Quad Host ZIP Request ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2
  Rule-matched URLs (19): http://elijahdiego.top/e9c345fc99a4e67e.php http://171.22.28.226/download/WWW14_64.exe http://45.9.74.80/zinda.exe http://zexeq.com/test2/get.php http://colisumy.com/dl/build2.exe http://45.15.156.229/api/tracemap.php http://194.169.175.232/autorun.exe http://45.15.156.229/api/firegate.php http://zexeq.com/files/1/build3.exe http://94.142.138.113/api/tracemap.php http://171.22.28.226/download/Services.exe http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/tracemap.php http://45.9.74.80/0bjdn2Z/index.php http://171.22.28.213/3.exe http://94.142.138.113/api/firegate.php http://193.42.32.118/api/firecom.php http://77.91.68.249/navi/kur90.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
6.0 | M | | ZeroCERT
9499 | 2023-10-17 17:00 | ChromeSetup.exe | 7d09d9b412845150b51c52503339f52e | Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.0 | M | 31 | ZeroCERT
9500 | 2023-10-17 16:58 | angel.exe | a6f75b1e5f8b4265869f7e5bdcaa3314 | Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB Malicious Traffic Check memory buffers extracted Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware
  URLs (1):
  Hosts (2): numpersb.fun(172.67.216.26) 104.21.53.180 - malware
  Alerts (2): ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
7.4 | M | 25 | ZeroCERT
9501 | 2023-10-17 16:58 | 0d735167.exe | 7d09d9b412845150b51c52503339f52e | Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.0 | M | 31 | ZeroCERT
9502 | 2023-10-17 16:44 | smss.exe | 73f54afbcdc80fdb3c3dd8a0e9fa1c32 | Formbook UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
  URLs (1): http://www.ssongg1620.cfd/ro12/?U8SH=wJcU9x7bcQT30Vlu6skHEH2yDXJgKB+8Un6IvHNNd/2gr3HAzb0uIab34tSxofd9+lpmgYX7&zL08q0=0V0hlT
  Hosts (4): www.ssongg1620.cfd(154.208.15.212) www.los3.online(172.177.169.252) 154.208.15.212 172.177.169.252
  Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
9.6 | M | 15 | ZeroCERT
9503 | 2023-10-17 16:42 | bQGy.exe | a60c2e8459387329e1dbe2d3625ee2c8 | PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed
  URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
  Hosts (3): pt.textbin.net(148.72.177.212) 148.72.177.212 - mailcious 182.162.106.33 - malware
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | 55 | ZeroCERT
9504 | 2023-10-17 16:42 | owenzx.exe | 944cbd3720565dd3132d42deaaf25cb3 | Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS
  URLs (2): http://www.ngmnetwork.com/o5gu/?nRntHD=nt54C05KUkIvbOhXcmX2JQxj1c8TC2AD0f5qM8oIBe83LqreralmCs6eOllIegrlb6Ji0dmb&Lh38w=ATUDS8l - rule_id: 37293 http://www.jonathanvuportfolio.website/o5gu/?nRntHD=s49Z/zB4WxMPm1wKIpwtofnGUZAAmhHqcm3eZ7CT59XMMjyacZTQ4OMMqMGT9RUeDBDjK0yu&Lh38w=ATUDS8l - rule_id: 37288
  Hosts (5): www.appsrocky.top() www.ngmnetwork.com(65.254.250.192) - mailcious www.jonathanvuportfolio.website(76.76.21.123) - mailcious 76.76.21.241 - mailcious 65.254.250.192 - mailcious
  Alerts (2): ET DNS Query to a *.top domain - Likely Hostile ET MALWARE FormBook CnC Checkin (GET)
  Rule-matched URLs (2): http://www.ngmnetwork.com/o5gu/ http://www.jonathanvuportfolio.website/o5gu/
8.6 | M | 21 | ZeroCERT
9505 | 2023-10-17 16:40 | Ermnnolfu.exe | 7ba214f8174004943d83942dda0f9731 | Downloader UPX PWS KeyLogger Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential Sniff Audio HTTP DNS Code injection Internet API FTP P2P AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (1):
  Hosts (4): www.pubgh4cks.com(190.123.45.218) x1.i.lencr.org(104.76.70.102) 190.123.45.218 104.76.70.102
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.4 | | 48 | ZeroCERT
9506 | 2023-10-17 16:28 | Archive.7z | 14cf80a7fd8a77c3eaed98b8ec615eb4 | Stealc PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Kelihos Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS plugin
  URLs (56):
  Hosts (80):
  Alerts (54): ET DNS Query to a *.top domain - Likely Hostile SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET INFO Microsoft net.tcp Connection Initialization Activity ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO Packed Executable Download ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET INFO Dotted Quad Host ZIP Request ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Possible Kelihos.F EXE Download Common Structure
  Rule-matched URLs (21): http://elijahdiego.top/e9c345fc99a4e67e.php http://171.22.28.226/download/WWW14_64.exe http://zexeq.com/test2/get.php http://45.15.156.229/api/firegate.php http://colisumy.com/dl/build2.exe http://45.15.156.229/api/tracemap.php http://194.169.175.232/autorun.exe http://79.137.192.18/latestX.exe http://zexeq.com/files/1/build3.exe http://94.142.138.113/api/tracemap.php http://171.22.28.226/download/Services.exe http://193.42.32.118/api/tracemap.php http://45.9.74.80/0bjdn2Z/index.php http://45.9.74.80/zinda.exe http://galandskiyher5.com/downloads/toolspub2.exe http://171.22.28.213/3.exe http://94.142.138.113/api/firegate.php http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/firecom.php http://77.91.68.249/navi/kur90.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
6.4 | M | | ZeroCERT
9507 | 2023-10-17 10:52 | at.hta | b3a69d39ea2f074e520077721b475d51 | Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
  URLs (1): http://91.207.183.9:8000/main.bat - rule_id: 37338
  Hosts (3): www2.lunapic.com(72.9.146.243) 91.207.183.9 - mailcious 72.9.146.243
  Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
  Rule-matched URLs (1): http://91.207.183.9:8000/main.bat
12.4 | M | 26 | ZeroCERT
9508 | 2023-10-17 10:42 | uwp4072801.png.exe | e0154733596f482f5feff0f3b5b5cadf | Malicious Library UPX .NET DLL PE File DLL PE32 OS Processor Check VirusTotal Malware PDB
1.4 | | 22 | ZeroCERT
9509 | 2023-10-17 10:38 | opt-63.js | 27677b638817a290b98a867a960e28a1 | AntiDebug AntiVM Malware Code Injection Malicious Traffic wscript.exe payload download unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS crashed
  URLs (2): http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt http://89.147.111.46/gWUA/hyper
  Hosts (3): www.ssl.com(54.174.96.153) 89.147.111.46 54.236.82.84
  Alerts (2): ET POLICY curl User-Agent Outbound ET HUNTING curl User-Agent to Dotted Quad
8.4 | | | guest
9510 | 2023-10-17 10:38 | opt-66.js | a8715ee933ba762489a918d77d89030d | AntiDebug AntiVM Malware Code Injection Malicious Traffic Check memory wscript.exe payload download unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows DNS crashed
  URLs (2): http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt http://89.147.111.46/gWUA/hyper
  Hosts (3): www.ssl.com(54.236.82.84) 54.174.96.153 89.147.111.46
  Alerts (2): ET POLICY curl User-Agent Outbound ET HUNTING curl User-Agent to Dotted Quad
8.0 | | | guest