ID | Date | File | MD5 | Signatures | URLs | DNS / IPs | IDS alerts | Flagged URLs | Score | Flag | Count | Submitter
9676 | 2023-08-07 09:39 | soft64.dll | bb4e3b588aedce8e203361b0879d9113 | Malicious Library VMProtect DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS | | | | | 4.2 | M | 39 | ZeroCERT
9677 | 2023-08-07 09:39 | sof64t.dll | 48514490face0a58cd5ea063e7de28e0 | Malicious Library VMProtect DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS | | | | | 4.4 | M | 42 | ZeroCERT
9678 | 2023-08-07 09:36 | BR.exe | c895da0796fc8d1b87c7212ef1e5b0b7 | Themida Packer UPX Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows ComputerName Firmware DNS Cryptographic key crashed | https://pastebin.com/raw/V1mwGj8h - rule_id: 35619 | pastebin.com(172.67.34.170) - mailcious; 103.100.211.218 - malware; 95.143.190.57 - mailcious; 172.67.34.170 - mailcious | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | https://pastebin.com/raw/V1mwGj8h | 9.4 | M | 56 | ZeroCERT
9679 | 2023-08-07 09:34 | wowo.exe | c2ca868ecfdd5ee7a6d4143890a29872 | UPX Malicious Library Malicious Packer .NET EXE PE File PE32 OS Processor Check PE64 Browser Info Stealer Malware download VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Fabookie Browser | http://aa.imgjeoogbb.com/check/?sid=144266&key=9905c940269e74e12bc7b18ce6ca2d14 - rule_id: 34651; http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482; http://aa.imgjeoogbb.com/check/safe - rule_id: 34652 | aa.imgjeoogbb.com(154.221.26.108) - mailcious; us.imgjeoigaa.com(103.100.211.218) - mailcious; 154.221.26.108 - mailcious; 103.100.211.218 - malware | ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) | http://aa.imgjeoogbb.com/check/; http://us.imgjeoigaa.com/sts/imagc.jpg; http://aa.imgjeoogbb.com/check/safe | 5.6 | M | 51 | ZeroCERT
9680 | 2023-08-07 09:34 | snow.exe | e0c895fc97263d8424dcc9946184f476 | Generic Malware .NET framework(MSIL) Antivirus PWS KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger | | api.ipify.org(64.185.227.156); api.telegram.org(149.154.167.220); 64.185.227.156; 149.154.167.220 | ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Telegram API Domain in DNS Lookup; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) | | 13.6 | M | 45 | ZeroCERT
9681 | 2023-08-07 09:33 | shellcommand.ps1 | 578bed560ab7fb3eb7de6c8e4d468975 | Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key | | | | | 1.6 | | 15 | ZeroCERT
9682 | 2023-08-07 09:32 | Gammatraff.exe | 120cbb2cca4d4036d54253165cd428d5 | Malicious Library PE File PE32 VirusTotal Malware PDB Remote Code Execution | | | | | 2.4 | M | 55 | ZeroCERT
9683 | 2023-08-07 09:30 | pcr.exe | bca6e394222e591240d968c68e6ebfc0 | UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware Checks debugger suspicious TLD DNS | http://AEQhVH.nasongle.t34gs1x.top/cc.txt | aeqhvh.nasongle.t34gs1x.top(104.21.39.183); 104.21.39.183 - malware | ET INFO HTTP Request to a *.top domain; ET DNS Query to a *.top domain - Likely Hostile | | 2.2 | M | 53 | ZeroCERT
9684 | 2023-08-07 09:30 | ekr8L6VCw7MAc.exe | 7266d01b13259f70486280871f90a845 | Malicious Library PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 2.2 | M | 33 | ZeroCERT
9685 | 2023-08-07 09:28 | dm2f1807b2.exe | c94eff4a0c5bdac49eaba7dd5136ef85 | Gen1 UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 DLL OS Processor Check GIF Format VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Checks debugger Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName NetSupport | http://geo.netsupportsoftware.com/location/loca.asp | geo.netsupportsoftware.com(51.142.119.24); Dmforinenam18.com(); Dmforinenam17.com(); 62.172.138.67 | ET POLICY NetSupport GeoLocation Lookup Request | | 6.2 | | 35 | ZeroCERT
9686 | 2023-08-07 09:28 | Setup1234.exe | 8d149876b8a3aae84aacaac5a70b4f20 | North Korea Generic Malware UPX .NET framework(MSIL) Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer Http API HTTP ScreenShot Internet API AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware | http://gstatic-node.io/ - rule_id: 35379; http://gstatic-node.io/c2sock - rule_id: 35381; http://gstatic-node.io/c2conf - rule_id: 35380 | gstatic-node.io(172.67.204.199) - mailcious; 172.67.204.199 - mailcious | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt | http://gstatic-node.io/; http://gstatic-node.io/c2sock; http://gstatic-node.io/c2conf | 13.0 | M | 36 | ZeroCERT
9687 | 2023-08-07 09:24 | C3.exe | 113206f6a06da35df94d8cd455b3091c | Redline RedLine stealer Emotet Generic Malware .NET framework(MSIL) Admin Tool (Sysinternals etc ...) UPX WinRAR Malicious Library Antivirus PWS AntiDebug AntiVM BitCoin .NET EXE PE File PE32 ZIP Format OS Processor Check DLL Browser Info Stealer RedLine FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | http://94.131.105.161:1337/ - rule_id: 35603; https://api.ip.sb/geoip | myip.opendns.com(); api.ip.sb(172.67.75.172); resolver1.opendns.com(208.67.222.222); yello9erylanguage.gromovananii199.repl.co(35.186.245.55) - mailcious; 194.59.218.160; 172.67.75.172 - mailcious; 208.67.222.222; 94.131.105.161 - mailcious; 35.186.245.55 - phishing | ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound; ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup); SURICATA HTTP unable to match response to request; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | http://94.131.105.161:1337/ | 20.2 | M | 55 | ZeroCERT
9688 | 2023-08-07 09:16 | Rendestene.doc | f4c7f6f75b0bd401889447acb3d9c91b | MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed | http://geoplugin.net/json.gp; http://64.188.25.4/harVkpqND3.bin; http://2.59.254.18/_errorpages/Rendestene.exe | geoplugin.net(178.237.33.50); 178.237.33.50; 64.188.25.4; 194.59.218.160; 2.59.254.18 - malware | ET MALWARE Generic .bin download from Dotted Quad; ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET JA3 Hash - Remcos 3.x TLS Connection | | 4.6 | M | 32 | ZeroCERT
9689 | 2023-08-07 09:14 | Xmqgijbudgv.exe | c5b41042c6a47872025836fcce77e1bc | UPX .NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key | | | | | 4.6 | M | 42 | ZeroCERT
9690 | 2023-08-07 09:13 | faman.exe | aa836df733f834e30eb28e3125b4c927 | UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection unpack itself suspicious process AppData folder Remote Code Execution | | | | | 2.8 | M | | ZeroCERT