| 9676 |
2023-08-07 09:39
|
 soft64.dll bb4e3b588aedce8e203361b0879d9113
Malicious Library VMProtect DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS |
|
1
|
|
|
4.2 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9677 |
2023-08-07 09:39
|
 sof64t.dll 48514490face0a58cd5ea063e7de28e0
Malicious Library VMProtect DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS |
|
1
|
|
|
4.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9678 |
2023-08-07 09:36
|
 BR.exe c895da0796fc8d1b87c7212ef1e5b0b7
Themida Packer UPX Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows ComputerName Firmware DNS Cryptographic key crashed |
1
https://pastebin.com/raw/V1mwGj8h - rule_id: 35619
|
4
pastebin.com(172.67.34.170) - mailcious
103.100.211.218 - malware
95.143.190.57 - mailcious
172.67.34.170 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.com/raw/V1mwGj8h
|
9.4 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9679 |
2023-08-07 09:34
|
 wowo.exe c2ca868ecfdd5ee7a6d4143890a29872
UPX Malicious Library Malicious Packer .NET EXE PE File PE32 OS Processor Check PE64 Browser Info Stealer Malware download VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Fabookie Browser |
3
http://aa.imgjeoogbb.com/check/?sid=144266&key=9905c940269e74e12bc7b18ce6ca2d14 - rule_id: 34651
http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
|
4
aa.imgjeoogbb.com(154.221.26.108) - mailcious
us.imgjeoigaa.com(103.100.211.218) - mailcious
154.221.26.108 - mailcious
103.100.211.218 - malware
|
1
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
|
3
http://aa.imgjeoogbb.com/check/
http://us.imgjeoigaa.com/sts/imagc.jpg
http://aa.imgjeoogbb.com/check/safe
|
5.6 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9680 |
2023-08-07 09:34
|
 snow.exe e0c895fc97263d8424dcc9946184f476
Generic Malware .NET framework(MSIL) Antivirus PWS KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(64.185.227.156)
api.telegram.org(149.154.167.220)
64.185.227.156
149.154.167.220
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
13.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9681 |
2023-08-07 09:33
|
 shellcommand.ps1 578bed560ab7fb3eb7de6c8e4d468975
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key |
|
|
|
|
1.6 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9682 |
2023-08-07 09:32
|
 Gammatraff.exe 120cbb2cca4d4036d54253165cd428d5
Malicious Library PE File PE32 VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
2.4 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9683 |
2023-08-07 09:30
|
 pcr.exe bca6e394222e591240d968c68e6ebfc0
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware Checks debugger suspicious TLD DNS |
1
http://AEQhVH.nasongle.t34gs1x.top/cc.txt
|
2
aeqhvh.nasongle.t34gs1x.top(104.21.39.183)
104.21.39.183 - malware
|
2
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
|
|
2.2 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9684 |
2023-08-07 09:30
|
 ekr8L6VCw7MAc.exe 7266d01b13259f70486280871f90a845
Malicious Library PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9685 |
2023-08-07 09:28
|
 dm2f1807b2.exe c94eff4a0c5bdac49eaba7dd5136ef85
Gen1 UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 DLL OS Processor Check GIF Format VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Checks debugger Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName NetSupport |
1
http://geo.netsupportsoftware.com/location/loca.asp
|
4
geo.netsupportsoftware.com(51.142.119.24)
Dmforinenam18.com()
Dmforinenam17.com()
62.172.138.67
|
1
ET POLICY NetSupport GeoLocation Lookup Request
|
|
6.2 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9686 |
2023-08-07 09:28
|
 Setup1234.exe 8d149876b8a3aae84aacaac5a70b4f20
North Korea Generic Malware UPX .NET framework(MSIL) Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer Http API HTTP ScreenShot Internet API AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware |
3
http://gstatic-node.io/ - rule_id: 35379
http://gstatic-node.io/c2sock - rule_id: 35381
http://gstatic-node.io/c2conf - rule_id: 35380
|
2
gstatic-node.io(172.67.204.199) - mailcious
172.67.204.199 - mailcious
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
|
3
http://gstatic-node.io/
http://gstatic-node.io/c2sock
http://gstatic-node.io/c2conf
|
13.0 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9687 |
2023-08-07 09:24
|
 C3.exe 113206f6a06da35df94d8cd455b3091c
Redline RedLine stealer Emotet Generic Malware .NET framework(MSIL) Admin Tool (Sysinternals etc ...) UPX WinRAR Malicious Library Antivirus PWS AntiDebug AntiVM BitCoin .NET EXE PE File PE32 ZIP Format OS Processor Check DLL Browser Info Stealer RedLine FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://94.131.105.161:1337/ - rule_id: 35603
https://api.ip.sb/geoip
|
9
myip.opendns.com()
api.ip.sb(172.67.75.172)
resolver1.opendns.com(208.67.222.222)
yello9erylanguage.gromovananii199.repl.co(35.186.245.55) - mailcious
194.59.218.160
172.67.75.172 - mailcious
208.67.222.222
94.131.105.161 - mailcious
35.186.245.55 - phishing
|
9
ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
SURICATA HTTP unable to match response to request
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://94.131.105.161:1337/
|
20.2 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9688 |
2023-08-07 09:16
|
Rendestene.doc f4c7f6f75b0bd401889447acb3d9c91b
MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
3
http://geoplugin.net/json.gp
http://64.188.25.4/harVkpqND3.bin
http://2.59.254.18/_errorpages/Rendestene.exe
|
5
geoplugin.net(178.237.33.50)
178.237.33.50
64.188.25.4
194.59.218.160
2.59.254.18 - malware
|
7
ET MALWARE Generic .bin download from Dotted Quad
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
4.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9689 |
2023-08-07 09:14
|
 Xmqgijbudgv.exe c5b41042c6a47872025836fcce77e1bc
UPX .NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
4.6 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9690 |
2023-08-07 09:13
|
 faman.exe aa836df733f834e30eb28e3125b4c927
UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection unpack itself suspicious process AppData folder Remote Code Execution |
|
|
|
|
2.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|