9646 | 2023-10-11 18:36 | typhon.exe | MD5 3fad6c3e0604ee091f2b2a61a91e2b4d
Tags: Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Telegram Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee ComputerName DNS
URLs (2):
  http://api.ipify.org/
  https://ipapi.co/175.208.134.152/json
Hosts (6):
  ipapi.co(104.26.9.44)
  api.ipify.org(173.231.16.77)
  api.telegram.org(149.154.167.220)
  104.26.9.44 - malicious
  104.237.62.212
  149.154.167.220
Suricata alerts (7):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup api.ipify.org
  ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Extracted URLs: none
Score 4.4 | M | 20 | ZeroCERT

9647 | 2023-10-11 18:36 | build.exe | MD5 71535cb29a844c48321528d0fdfdb6d9
Tags: PE File PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency Check memory unpack itself Auto service Check virtual network interfaces ComputerName Firmware DNS
URLs: none
Hosts (1): none listed in the export
Suricata alerts (2):
  ET 3CORESec Poor Reputation IP group 16
  ET POLICY Cryptocurrency Miner Checkin
Extracted URLs: none
Score 4.8 | M | 35 | ZeroCERT

9648 | 2023-10-11 18:12 | bQ5J.exe | MD5 82f98bb613a30f61ceb9ca7686f97847
Tags: PE File PE32 .NET EXE VirusTotal Malware Tofsee
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
  pt.textbin.net(148.72.177.212)
  148.72.177.212 - malicious
  121.254.136.18
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Extracted URLs: none
Score 1.6 | | 51 | ZeroCERT

9649 | 2023-10-11 18:12 | BYxYP9c1.ps1 | MD5 ee4cabf85331d01dcc5fa75be75b5598
Tags: Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs / Hosts / Suricata alerts / Extracted URLs: none recorded
Score 7.6 | | 27 | ZeroCERT

9650 | 2023-10-11 18:11 | Ooseha.exe | MD5 cb75f58a8d5e9ab38bf5e6afdb09d7c8
Tags: Formbook UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key
URLs (16):
  http://www.onlyleona.com/kniu/ - rule_id: 36720
  http://www.frefire.top/kniu/ - rule_id: 36723
  http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
  http://www.poultry-symposium.com/kniu/ - rule_id: 36722
  http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
  http://www.prosourcegraniteinc.com/kniu/?WvaMk96=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&tP=06tUJ - rule_id: 36717
  http://www.theartboxslidell.com/kniu/ - rule_id: 36718
  http://www.theartboxslidell.com/kniu/?WvaMk96=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&tP=06tUJ - rule_id: 36718
  http://23.95.106.3/479/Kodviywuey.mp3
  http://www.tsygy.com/kniu/?WvaMk96=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&tP=06tUJ - rule_id: 36721
  http://www.onlyleona.com/kniu/?WvaMk96=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&tP=06tUJ - rule_id: 36720
  http://www.tsygy.com/kniu/ - rule_id: 36721
  http://www.xxkxcfkujyeft.xyz/kniu/?WvaMk96=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&tP=06tUJ - rule_id: 36719
  http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
  http://www.frefire.top/kniu/?WvaMk96=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&tP=06tUJ - rule_id: 36723
  http://www.poultry-symposium.com/kniu/?WvaMk96=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&tP=06tUJ - rule_id: 36722
Hosts (19):
  www.onlyleona.com(172.67.132.228) - malicious
  www.prosourcegraniteinc.com(216.239.34.21) - malicious
  www.xxkxcfkujyeft.xyz(216.240.130.67) - malicious
  www.frefire.top(67.223.117.37) - malicious
  www.8956kjw1.com(103.71.154.243)
  www.theartboxslidell.com(199.59.243.225) - malicious
  www.tsygy.com(23.104.137.185) - malicious
  www.poultry-symposium.com(85.128.134.237) - malicious
  www.pengeloladata.click() - malicious
  216.239.38.21 - phishing
  23.104.137.185 - malicious
  23.95.106.3 - malicious
  199.59.243.225
  67.223.117.37 - malicious
  85.128.134.237 - malicious
  216.240.130.67 - malicious
  104.21.13.143
  103.71.154.243
  45.33.6.223
Suricata alerts (12):
  SURICATA HTTP unable to match response to request
  ET INFO HTTP Request to a *.top domain
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET HUNTING Request to .TOP Domain with Minimal Headers
Extracted URLs (14):
  http://www.onlyleona.com/kniu/
  http://www.frefire.top/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.onlyleona.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.frefire.top/kniu/
  http://www.poultry-symposium.com/kniu/
Score 11.4 | M | 43 | ZeroCERT

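Turning the host column into indicators. Each record's host column is a run of `domain(resolved-ip)` and bare-IPv4 tokens, each optionally followed by ` - <label>` (the portal's own spelling of the label is "mailcious"). The parser below is an added example written for this page, not code from the portal: it tokenizes that column, normalizes the label, and separates bare IPs that are merely the A records of listed domains from IPs that no listed domain explains (in 9650, 45.33.6.223 and 104.21.13.143 are such unattributed contacts, while 199.59.243.225 is simply www.theartboxslidell.com). Its input is a constructed subset of 9650's host column, copied as listed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: a subset of the host column of sample 9650, copied as listed.
SAMPLE_HOSTS = (
    "www.onlyleona.com(172.67.132.228) - mailcious "
    "www.8956kjw1.com(103.71.154.243) "
    "www.theartboxslidell.com(199.59.243.225) - mailcious "
    "www.pengeloladata.click() - mailcious "
    "216.239.38.21 - phishing 23.95.106.3 - mailcious 199.59.243.225 104.21.13.143"
)

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# One token is either  name(resolved-ip)  (resolved-ip may be empty, e.g. an
# unresolved domain) or a bare IPv4, optionally followed by " - <label>".
_TOKEN = re.compile(
    r"(?:(?P<name>[A-Za-z0-9.\-]+)\((?P<ip>[0-9.]*)\)"
    r"|(?P<bare>\b\d{1,3}(?:\.\d{1,3}){3}\b))"
    r"(?:\s+-\s+(?P<label>[a-z]+))?"
)

# The portal writes "mailcious"; normalize so downstream matching is exact.
_LABEL_FIXES = {"mailcious": "malicious"}


@dataclass(frozen=True)
class HostIndicator:
    indicator: str              # domain or IP exactly as listed
    resolved_ip: Optional[str]  # A record the sandbox saw; None for bare IPs or unresolved names
    label: Optional[str]        # malicious / malware / phishing / suspicious, or None


def parse_host_column(text: str) -> List[HostIndicator]:
    """Tokenize one record's host column into HostIndicator entries, in listing order."""
    out: List[HostIndicator] = []
    for m in _TOKEN.finditer(text):
        label = m.group("label")
        label = _LABEL_FIXES.get(label, label) if label else None
        if m.group("name"):
            out.append(HostIndicator(m.group("name"), m.group("ip") or None, label))
        else:
            out.append(HostIndicator(m.group("bare"), None, label))
    return out


def labelled(indicators: List[HostIndicator]) -> List[str]:
    """De-duplicated indicators that carry any reputation label (blocklist candidates)."""
    seen, out = set(), []
    for h in indicators:
        if h.label and h.indicator not in seen:
            seen.add(h.indicator)
            out.append(h.indicator)
    return out


def unattributed_ips(indicators: List[HostIndicator]) -> List[str]:
    """Bare IPs that are not the resolved address of any domain in the same column.

    These are the contacts the DNS view does not explain: direct-to-IP traffic such
    as the dotted-quad payload hosts in these records.
    """
    resolved = {h.resolved_ip for h in indicators if h.resolved_ip}
    return [
        h.indicator
        for h in indicators
        if h.resolved_ip is None and _IPV4.fullmatch(h.indicator) and h.indicator not in resolved
    ]


if __name__ == "__main__":
    hosts = parse_host_column(SAMPLE_HOSTS)
    for h in hosts:
        print(h)
    print("labelled:", labelled(hosts))
    print("unattributed IPs:", unattributed_ips(hosts))
```

The same tokenizer applies to every host column on this page, including the 77-entry list of sample 9660; a blocklist built from `labelled()` alone would miss the unattributed payload hosts, which is why both views are returned.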
9651 | 2023-10-11 18:11 | KjAvj6Vu.ps1 | MD5 ea8465175894190a7542d07bcea179b8
Tags: Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName Cryptographic key crashed
URLs / Hosts / Suricata alerts / Extracted URLs: none recorded
Score 7.0 | | 27 | ZeroCERT

9652 | 2023-10-11 18:10 | Olfumi.exe | MD5 eb05d45ff60a5fd5ea43ed782e967600
Tags: .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Windows ComputerName DNS Cryptographic key
URLs (1):
  http://82.115.209.180/1941
Hosts (1): none listed in the export
Suricata alerts: none
Extracted URLs: none
Score 4.4 | M | 45 | ZeroCERT

9653 | 2023-10-11 18:10 | 0iuoioooUIOIOiiiu0u0uioiui0iui... | MD5 3289a3401f78873c39e10465d77be4df
Tags: Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (18):
  http://www.onlyleona.com/kniu/ - rule_id: 36720
  http://www.prosourcegraniteinc.com/kniu/?9UU4WiQ1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&XT=9LS9sDj_UX - rule_id: 36717
  http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
  http://www.onlyleona.com/kniu/?9UU4WiQ1=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&XT=9LS9sDj_UX - rule_id: 36720
  http://www.poultry-symposium.com/kniu/ - rule_id: 36722
  http://www.theartboxslidell.com/kniu/?9UU4WiQ1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&XT=9LS9sDj_UX - rule_id: 36718
  http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
  http://www.xxkxcfkujyeft.xyz/kniu/?9UU4WiQ1=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&XT=9LS9sDj_UX - rule_id: 36719
  http://www.theartboxslidell.com/kniu/ - rule_id: 36718
  http://www.tsygy.com/kniu/?9UU4WiQ1=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&XT=9LS9sDj_UX - rule_id: 36721
  http://www.frefire.top/kniu/ - rule_id: 36723
  http://23.95.106.3/479/Kodviywuey.mp3
  http://23.95.106.3/479/qw/Ooseha.exe
  http://23.95.106.3/479/process.exe
  http://www.tsygy.com/kniu/ - rule_id: 36721
  http://www.poultry-symposium.com/kniu/?9UU4WiQ1=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&XT=9LS9sDj_UX - rule_id: 36722
  http://www.frefire.top/kniu/?9UU4WiQ1=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&XT=9LS9sDj_UX - rule_id: 36723
  http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
Hosts (21):
  www.onlyleona.com(172.67.132.228) - malicious
  www.poultry-symposium.com(85.128.134.237) - malicious
  www.prosourcegraniteinc.com(216.239.32.21) - malicious
  www.xxkxcfkujyeft.xyz(216.240.130.67) - malicious
  www.frefire.top(67.223.117.37) - malicious
  www.8956kjw1.com(103.71.154.243)
  www.theartboxslidell.com(199.59.243.225) - malicious
  www.tsygy.com(23.104.137.185) - malicious
  www.siteapp.fun() - malicious
  www.pengeloladata.click() - malicious
  216.239.38.21 - phishing
  23.104.137.185 - malicious
  104.21.13.143
  23.95.106.3 - malicious
  199.59.243.225
  67.223.117.37 - malicious
  85.128.134.237 - malicious
  216.240.130.67 - malicious
  103.71.154.243
  45.33.6.223
  185.225.75.8 - malware
Suricata alerts (15):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Packed Executable Download
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  SURICATA HTTP unable to match response to request
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
  ET 3CORESec Poor Reputation IP group 16
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Extracted URLs (14):
  http://www.onlyleona.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.onlyleona.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.frefire.top/kniu/
  http://www.tsygy.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.frefire.top/kniu/
Score 4.6 | M | 32 | ZeroCERT

9654 | 2023-10-11 18:09 | Nmyp2y0F.ps1 | MD5 2eeab273293d358d548a3aeb7f8b7033
Tags: Generic Malware Antivirus .NET DLL PE File DLL PE32 VirusTotal Malware Checks debugger Creates executable files unpack itself Windows utilities AppData folder Windows Cryptographic key crashed
URLs / Hosts / Suricata alerts / Extracted URLs: none recorded
Score 3.6 | | 27 | ZeroCERT

9655 | 2023-10-11 18:08 | Setup.exe | MD5 aac23ff6c2cc93769600e060ab7cfca9
Tags: Generic Malware Malicious Library UPX Malicious Packer .NET framework(MSIL) Antivirus Anti_VM PE File PE32 OS Processor Check ZIP Format BMP Format CHM Format DLL .NET EXE PE64 MSOffice File JPEG Format Word 2007 file format(docx) VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency Telegram PDB Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Auto service Check virtual network interfaces AppData folder IP Check Tofsee Ransomware Windows Email ComputerName Firmware DNS
URLs (10):
  http://185.225.75.8/stryzon/cleanse.exe
  http://185.225.75.8/stryzon/build.exe
  http://api.ipify.org/
  http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO
  http://185.225.75.8/stryzon/typhon.exe
  http://ip-api.com/line/?fields=hosting
  http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ==
  http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU=
  http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl
  https://ipapi.co/175.208.134.152/json
Hosts (9):
  api.telegram.org(149.154.167.220)
  api.ipify.org(104.237.62.212)
  ipapi.co(104.26.9.44)
  ip-api.com(208.95.112.1)
  104.26.9.44 - malicious
  149.154.167.220
  64.185.227.156
  208.95.112.1
  185.225.75.8 - malware
Suricata alerts (15):
  ET POLICY External IP Lookup ip-api.com
  ET 3CORESec Poor Reputation IP group 16
  ET POLICY curl User-Agent Outbound
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING curl User-Agent to Dotted Quad
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET HUNTING Telegram API Domain in DNS Lookup
  ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
  ET POLICY External IP Lookup api.ipify.org
  ET POLICY Cryptocurrency Miner Checkin
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Extracted URLs: none
Score 12.0 | M | 29 | ZeroCERT

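Decoding the loader's fire.php beacons. Setup.exe (9655) reports to http://185.225.75.8/stryzon/fire.php with three base64-encoded query parameters and, after each download, a fourth `url=` parameter. The decoder below is an added example for this page, not the loader's or the portal's code. It decodes every parameter that is valid base64 and printable UTF-8 and leaves anything else untouched; `urllib.parse.parse_qsl` is deliberately not used because it rewrites `+` as a space, which would corrupt base64 values. On the record's four beacons (copied as listed) it yields id = b98311500ce6100fb01cd1be7ad4b7db (a 32-character hex string), us = test22, cn = "TEST22-PC : Windows 7 Professional N" (which read as the sandbox VM's user, hostname and OS), and a url value naming each of the three /stryzon/ payloads the record also lists as downloads. Files named build.exe and typhon.exe are submissions 9647 and 9646 on this page.

```python
import base64
import binascii
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed input: the fire.php requests from the URL column of sample 9655, copied as listed.
BEACONS: List[str] = [
    "http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO",
    "http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ==",
    "http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU=",
    "http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl",
]


def _query_pairs(query: str) -> Iterator[Tuple[str, str]]:
    """Split a raw query string on '&' and the first '=' only.

    parse_qsl() would turn '+' into ' ' and strip nothing else, which silently
    corrupts base64 payloads; the raw value is what we need to decode.
    """
    for field in query.split("&"):
        if field:
            key, _, value = field.partition("=")
            yield key, value


def _b64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is well-formed base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_beacon(url: str) -> Dict[str, object]:
    """Decode one beacon URL into its endpoint and a dict of (decoded where possible) fields."""
    parts = urlsplit(url)
    fields: Dict[str, str] = {}
    for key, value in _query_pairs(parts.query):
        text = _b64_text(value)
        fields[key] = text if text is not None else value   # keep raw value when not base64 text
    return {"endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}", "fields": fields}


def staged_payloads(urls: List[str]) -> List[str]:
    """The URLs named in the 'url' field of successive beacons, in order and de-duplicated.

    For this loader that is its own download log: one beacon per fetched payload.
    """
    out: List[str] = []
    for u in urls:
        payload = decode_beacon(u)["fields"].get("url")
        if payload and payload not in out:
            out.append(payload)
    return out


if __name__ == "__main__":
    for u in BEACONS:
        print(decode_beacon(u))
    print("staged payloads:", staged_payloads(BEACONS))
```

Because the victim identity travels in the query string of a plain HTTP GET, the same decoder applied to a proxy log reconstructs which hosts a given loader instance reported and what it fetched, without needing the sample itself.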
9656 | 2023-10-11 18:08 | sihost.exe | MD5 551c449271f2c0a9d4dea541a009bc80
Tags: .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed
URLs / Hosts / Suricata alerts / Extracted URLs: none recorded
Score 9.6 | M | 43 | ZeroCERT

9657 | 2023-10-11 18:06 | audiodgse.exe | MD5 4efcfa2947ffd17dc6eec46cce944ca8
Tags: LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed
URLs / Hosts / Suricata alerts / Extracted URLs: none recorded
Score 8.6 | M | | ZeroCERT

9658 | 2023-10-11 17:01 | zip_pass1234.7z | MD5 902a9838f4e815e995103aa9d5ec3108
Tags: Escalate privileges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS
URLs (17):
  http://171.22.28.226/download/Services.exe - rule_id: 37064
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://194.169.175.232/autorun.exe - rule_id: 36817
  http://94.142.138.113/api/firegate.php - rule_id: 36152
  http://77.91.68.249/navi/kur90.exe - rule_id: 37069
  http://171.22.28.212/carryspend.exe - rule_id: 37179
  http://94.142.138.113/api/tracemap.php - rule_id: 28877
  https://schematize.pw/setup294.exe - rule_id: 37138
  https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxhiYr7j1_0fqQ6mBVVKqaCGfPpqwAg3i-
  https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_maTffLw-7sBSGpkSUaD6LX6hWcw-l4GHW
  https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
  https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUMaj83_ObjaFQepb-ppl7lDqLmoMojbx2
  https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5md_y5SVg89O6jgA5qLQfQ-z1AuQowoyj
  https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2Tov5hzqfyAbrB3AF-XrwOdI8NwGE1hBbA
  https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQE7JndCjMFugsVh7HxIoogAaG3UIsWGdB
  https://api.myip.com/
  https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5x8k_bC5GVV3LMEZpaq9hbJJpwEd5EZC7
Hosts (25):
  schematize.pw(104.21.32.142) - malware
  api.myip.com(104.26.8.59)
  ipinfo.io(34.117.59.81)
  sun6-20.userapi.com(95.142.206.0) - malicious
  sun6-22.userapi.com(95.142.206.2) - malicious
  sun6-23.userapi.com(95.142.206.3) - malicious
  onualituyrs.org(91.215.85.209) - malware
  vk.com(87.240.137.164) - malicious
  sun6-21.userapi.com(95.142.206.1) - malicious
  77.91.68.249 - malware
  172.67.152.98 - malware
  172.67.75.163
  95.142.206.3 - malicious
  95.142.206.2 - malicious
  91.215.85.209 - malicious
  95.142.206.0 - malicious
  171.22.28.226 - malware
  194.169.175.232 - malware
  87.240.132.72 - malicious
  34.117.59.81
  94.142.138.113 - malicious
  208.67.104.60 - malicious
  176.113.115.84 - malicious
  95.142.206.1 - malicious
  171.22.28.212 - malware
Suricata alerts (14):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SURICATA Applayer Mismatch protocol both directions
  ET DNS Query to a *.pw domain - Likely Hostile
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 7
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET DROP Spamhaus DROP Listed Traffic Inbound group 19
  ET HUNTING Suspicious services.exe in URI
  ET INFO EXE - Served Attached HTTP
  ET INFO TLS Handshake Failure
Extracted URLs (8):
  http://171.22.28.226/download/Services.exe
  http://176.113.115.84:8080/4.php
  http://194.169.175.232/autorun.exe
  http://94.142.138.113/api/firegate.php
  http://77.91.68.249/navi/kur90.exe
  http://171.22.28.212/carryspend.exe
  http://94.142.138.113/api/tracemap.php
  https://schematize.pw/setup294.exe
Score 5.6 | M | | ZeroCERT

9659 | 2023-10-11 15:48 | OI0ioioOI0I0I0oioioi0oiOI0oi00... | MD5 2a932891e36958c4509cf7b54d3cf43b
Tags: Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic ICMP traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (18):
  http://www.onlyleona.com/kniu/ - rule_id: 36720
  http://www.frefire.top/kniu/?-3E-P=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&buPns=-YhUz8pH8JO - rule_id: 36723
  http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
  http://www.theartboxslidell.com/kniu/?-3E-P=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&buPns=-YhUz8pH8JO - rule_id: 36718
  http://www.poultry-symposium.com/kniu/?-3E-P=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&buPns=-YhUz8pH8JO - rule_id: 36722
  http://www.poultry-symposium.com/kniu/ - rule_id: 36722
  http://www.onlyleona.com/kniu/?-3E-P=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&buPns=-YhUz8pH8JO - rule_id: 36720
  http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
  http://www.xxkxcfkujyeft.xyz/kniu/?-3E-P=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&buPns=-YhUz8pH8JO - rule_id: 36719
  http://www.frefire.top/kniu/ - rule_id: 36723
  http://www.tsygy.com/kniu/?-3E-P=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&buPns=-YhUz8pH8JO - rule_id: 36721
  http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
  http://www.theartboxslidell.com/kniu/ - rule_id: 36718
  http://www.tsygy.com/kniu/ - rule_id: 36721
  http://www.prosourcegraniteinc.com/kniu/?-3E-P=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&buPns=-YhUz8pH8JO - rule_id: 36717
  http://23.95.106.3/350/sihost.exe
  http://23.95.106.3/350/122/Ekcflzifpij.mp3
  http://23.95.106.3/350/122/process.exe
Hosts (20):
  www.onlyleona.com(104.21.13.143) - malicious
  www.prosourcegraniteinc.com(216.239.38.21) - malicious
  www.xxkxcfkujyeft.xyz(216.240.130.67) - malicious
  www.siteapp.fun() - malicious
  www.theartboxslidell.com(199.59.243.225) - malicious
  www.8956kjw1.com(103.71.154.243)
  www.tsygy.com(156.234.127.118) - malicious
  www.frefire.top(67.223.117.37) - malicious
  www.poultry-symposium.com(85.128.134.237) - malicious
  www.pengeloladata.click() - malicious
  216.239.38.21 - phishing
  23.104.137.185 - malicious
  23.95.106.3 - malicious
  199.59.243.225
  67.223.117.37 - malicious
  85.128.134.237 - malicious
  216.240.130.67 - malicious
  104.21.13.143
  103.71.154.243
  45.33.6.223
Suricata alerts (14):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Packed Executable Download
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET INFO HTTP Request to a *.top domain
  SURICATA HTTP unable to match response to request
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
  ET HUNTING Request to .TOP Domain with Minimal Headers
Extracted URLs (14):
  http://www.onlyleona.com/kniu/
  http://www.frefire.top/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.onlyleona.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.frefire.top/kniu/
  http://www.tsygy.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
Score 5.4 | M | 33 | ZeroCERT

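Correlating FormBook check-ins across submissions. Samples 9650, 9653 and 9659 all contact the same seven `/kniu/` hosts, and their GET check-ins carry a per-host encoded blob that is byte-identical across the three records; only the two query-parameter names change (WvaMk96/tP, 9UU4WiQ1/XT, -3E-P/buPns). The two RTF submissions also fetch executables from 23.95.106.3 (Ooseha.exe in 9653, sihost.exe in 9659), and files of those names are submissions 9650 and 9656 on this page. The script below is an added example, not portal code; it pulls (host, blob) pairs out of check-in URLs and reports which submissions share them, so that related samples can be tied together even when the parameter names differ. Its input is a constructed subset of the three records' URL columns, copied as listed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed input: a subset of the URL columns of samples 9650, 9653 and 9659, copied as listed.
# 9650 also includes a bare /kniu/ URL (no query) to show that it is not treated as a check-in.
CHECKINS: Dict[int, List[str]] = {
    9650: [
        "http://www.onlyleona.com/kniu/",
        "http://www.prosourcegraniteinc.com/kniu/?WvaMk96=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&tP=06tUJ",
        "http://www.theartboxslidell.com/kniu/?WvaMk96=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&tP=06tUJ",
    ],
    9653: [
        "http://www.prosourcegraniteinc.com/kniu/?9UU4WiQ1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&XT=9LS9sDj_UX",
        "http://www.theartboxslidell.com/kniu/?9UU4WiQ1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&XT=9LS9sDj_UX",
    ],
    9659: [
        "http://www.theartboxslidell.com/kniu/?-3E-P=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&buPns=-YhUz8pH8JO",
        "http://www.prosourcegraniteinc.com/kniu/?-3E-P=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&buPns=-YhUz8pH8JO",
    ],
}


@dataclass(frozen=True)
class CheckIn:
    sample: int
    host: str
    path: str
    blob_param: str   # name of the first query parameter; differs per build
    blob: str         # its value: the encoded check-in payload
    tail_param: str   # name of the second parameter
    tail: str         # its short value


def _pairs(query: str) -> Iterator[Tuple[str, str]]:
    """Split on '&' and the first '=' only, keeping '+', '/' and '=' inside values intact."""
    for field in query.split("&"):
        if field:
            key, _, value = field.partition("=")
            yield key, value


def parse_checkin(sample: int, url: str) -> Optional[CheckIn]:
    """Return a CheckIn for a FormBook-style GET check-in (path plus exactly two parameters), else None."""
    p = urlsplit(url)
    pairs = list(_pairs(p.query))
    if len(pairs) != 2 or not p.hostname:
        return None
    (bp, blob), (tp, tail) = pairs
    return CheckIn(sample, p.hostname, p.path, bp, blob, tp, tail)


def correlate(checkins_by_sample: Dict[int, List[str]]) -> Dict[Tuple[str, str], List[int]]:
    """Map (host, blob) -> sorted sample ids that sent exactly that blob to that host."""
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for sample, urls in checkins_by_sample.items():
        for url in urls:
            c = parse_checkin(sample, url)
            if c:
                seen[(c.host, c.blob)].add(c.sample)
    return {key: sorted(ids) for key, ids in seen.items()}


def param_names(checkins_by_sample: Dict[int, List[str]]) -> Dict[int, Tuple[str, str]]:
    """Per sample, the (blob_param, tail_param) names it used; the build-specific part of the URL."""
    out: Dict[int, Tuple[str, str]] = {}
    for sample, urls in checkins_by_sample.items():
        for url in urls:
            c = parse_checkin(sample, url)
            if c:
                out[sample] = (c.blob_param, c.tail_param)
                break
    return out


if __name__ == "__main__":
    for (host, blob), ids in correlate(CHECKINS).items():
        print(f"{host}: blob[:16]={blob[:16]}... seen in samples {ids}")
    print(param_names(CHECKINS))
```

Matching on the blob rather than on the parameter names is what makes the link robust: a signature keyed on `WvaMk96` would miss 9653 and 9659 entirely, while the host list plus blob identifies all three as one configuration.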
9660 | 2023-10-11 15:46 | zip1_09.7z | MD5 cc7af56986cf3d93d33a92bd4a2962f1
Tags: PrivateLoader Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Lumma Stealer Windows RisePro DNS
URLs (37):
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://194.169.175.232/autorun.exe - rule_id: 36817
  http://colisumy.com/dl/build2.exe - rule_id: 31026
  http://45.9.74.80/super.exe - rule_id: 36063
  http://171.22.28.226/download/Services.exe - rule_id: 37064
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
  http://94.142.138.131/api/firecom.php - rule_id: 36179
  http://172.86.98.101/xs12pro/Vdthrdd.pdf - rule_id: 37111
  http://45.9.74.80/zinda.exe - rule_id: 37063
  http://45.15.156.229/api/firegate.php - rule_id: 36052
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://zexeq.com/files/1/build3.exe - rule_id: 27913
  http://www.maxmind.com/geoip/v2.1/city/me
  http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
  http://77.91.68.249/navi/kur90.exe - rule_id: 37069
  http://www.google.com/
  http://bytecloudasa.website/api
  https://vk.com/doc52355237_666782820?hash=ArroX66l9eYl49eAHc8hpGG9y4ueo0YcyAXCK6pwb68&dl=kNiFdjjHEiGZauYFHzX4HcInvoKLFcTYwmBCbWjJoNw&api=1&no_preview=1
  https://schematize.pw/setup294.exe - rule_id: 37138
  https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQH75ndCjMFugsVh7Hldwu1lHUjEssXTAV
  https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxiior7j1_0fqQ6mBVUqbACDeY8atU2Czs
  https://db-ip.com/
  https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise
  https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_mZTvfLw-7sBSGpkSUZ2zaDqxVcAGn4TCN
  https://dzen.ru/?yredirect=true
  https://api.2ip.ua/geo.json
  https://sun6-20.userapi.com/c909618/u52355237/docs/d14/c31569dfbdeb/tmvwr.bmp?extra=yxC_ij_BEaCeg17_3RBMDQ1BNAZNk2h_OM7eSsW8UFjriQQEuPjhkmx7r0l5RwikTTTaRs8JC_WeZ6J1ia9pemH-qujCGGdFQ4qt1HjhdnUs91Pu9zHKbqwz31PEAhQxeOFJQPN_beZxT45a
  https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5y8U_bC5GVV3LMEZpPK42aJxtw0YqR8a7
  https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2TrvJhzqfyAbrB3AF-DLwMdohQlTY21hLG
  https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
  https://sso.passport.yandex.ru/push?uuid=b09af16e-2e62-4304-9cf5-7f2d1c90ff55&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
  https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUPaT83_ObjaFQepb-p8krkTffz9kq27hz
  https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5ldPy5SVg89O6jgA587BEQuCjUOJ_mYqg
Hosts (77):
  watson.microsoft.com(104.208.16.93)
  db-ip.com(104.26.5.15)
  vanaheim.cn(193.106.174.220) - malicious
  t.me(149.154.167.99) - malicious
  ipinfo.io(34.117.59.81)
  sun6-23.userapi.com(95.142.206.3) - malicious
  yandex.ru(5.255.255.70)
  dzen.ru(62.217.160.2)
  schematize.pw(104.21.32.142) - malware
  api.2ip.ua(172.67.139.220)
  steamcommunity.com(104.75.41.21) - malicious
  iplogger.org(148.251.234.83) - malicious
  twitter.com(104.244.42.1)
  telegram.org(149.154.167.99)
  sun6-20.userapi.com(95.142.206.0) - malicious
  api.db-ip.com(104.26.5.15)
  sun6-21.userapi.com(95.142.206.1) - malicious
  sso.passport.yandex.ru(213.180.204.24)
  bytecloudasa.website(172.67.212.39)
  69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su(185.82.216.48)
  onualituyrs.org(91.215.85.209) - malware
  zexeq.com(109.175.29.39) - malware
  colisumy.com(2.88.121.8) - malware
  www.google.com(142.250.76.132)
  iplis.ru(148.251.234.93) - malicious
  sun6-22.userapi.com(95.142.206.2) - malicious
  www.maxmind.com(104.18.145.235)
  vk.com(87.240.129.133) - malicious
  api.myip.com(104.26.9.59)
  104.21.61.162
  148.251.234.93 - malicious
  193.106.174.220
  104.18.146.235
  148.251.234.83
  185.225.75.171
  194.169.175.128 - malicious
  62.122.184.92 - malicious
  172.86.98.101 - malicious
  62.217.160.2
  149.154.167.99 - malicious
  104.21.65.24
  172.67.75.166
  80.66.75.4 - malicious
  51.255.152.132 - malicious
  91.215.85.209 - malicious
  142.250.204.100
  171.22.28.226 - malware
  34.117.59.81
  77.91.68.249 - malware
  176.113.115.84 - malicious
  176.113.115.85 - malicious
  77.88.55.60
  104.244.42.65 - suspicious
  104.26.8.59
  193.42.32.118 - malicious
  176.113.115.135 - malicious
  176.113.115.136 - malicious
  45.143.201.238 - malicious
  45.9.74.80 - malware
  194.169.175.232 - malware
  176.123.9.142 - malicious
  104.208.16.93
  45.15.156.229 - malicious
  172.67.152.98 - malware
  104.26.4.15
  2.88.121.8
  95.142.206.2 - malicious
  211.119.84.111 - malware
  95.142.206.0 - malicious
  95.142.206.3 - malicious
  94.142.138.131 - malicious
  213.180.204.24
  62.122.184.58 - malicious
  87.240.132.72 - malicious
  95.142.206.1 - malicious
  104.76.78.101 - malicious
  171.22.28.212 - malware
Suricata alerts (37):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  ET DNS Query to a *.pw domain - Likely Hostile
  ET DROP Spamhaus DROP Listed Traffic Inbound group 19
  ET DROP Spamhaus DROP Listed Traffic Inbound group 7
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING Suspicious services.exe in URI
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO TLS Handshake Failure
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  ET INFO Packed Executable Download
  ET INFO Dotted Quad Host PDF Request
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
  ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  ET MALWARE Win32/Vodkagats Loader Requesting Payload
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
Extracted URLs (17):
  http://94.142.138.131/api/firegate.php
  http://194.169.175.232/autorun.exe
  http://colisumy.com/dl/build2.exe
  http://45.9.74.80/super.exe
  http://171.22.28.226/download/Services.exe
  http://45.15.156.229/api/tracemap.php
  http://176.113.115.84:8080/4.php
  http://171.22.28.226/download/WWW14_64.exe
  http://94.142.138.131/api/firecom.php
  http://172.86.98.101/xs12pro/
  http://45.9.74.80/zinda.exe
  http://45.15.156.229/api/firegate.php
  http://94.142.138.131/api/tracemap.php
  http://zexeq.com/files/1/build3.exe
  http://zexeq.com/test2/get.php
  http://77.91.68.249/navi/kur90.exe
  https://schematize.pw/setup294.exe
Score 8.0 | M | | ZeroCERT