| 9691 |
2023-08-07 09:12
|
 4XXR.exe 860c75c9a9ccf966c422e197f4c60c1e
Emotet Generic Malware Downloader UPX WinRAR Malicious Library Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM OS Process VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Firewall state off Windows ComputerName Remote Code Execution Cryptographic key crashed |
|
|
|
|
12.0 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9692 |
2023-08-07 09:11
|
 O77vNQG6.exe 90e1482208611ebf4b36413d6bf05f42
UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 JPEG Format VirusTotal Malware AutoRuns PDB Check memory unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Interception Windows ComputerName |
2
http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/cred64.dll
http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/clip64.dll
|
1
|
|
|
7.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9693 |
2023-08-07 09:10
|
 akh.exe 1ead0eed2841266723e332cb9144a808
Emotet Gen1 UPX Malicious Library .NET EXE PE File PE32 MZP Format DLL PE64 OS Processor Check CHM Format VirusTotal Malware MachineGuid Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName crashed |
|
2
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9694 |
2023-08-07 09:07
|
bullionzx.doc 7d132a7e0881ce43b5f5e89d9710d3a2
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
1
http://2.59.254.18/_errorpages/bullionzx.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9695 |
2023-08-07 09:05
|
 bullionzx.exe f94a7fb16fa08b8d1134b990a8676f51
RedLine stealer .NET framework(MSIL) PWS AntiDebug AntiVM BitCoin .NET EXE PE File PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
8.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9696 |
2023-08-07 09:03
|
fridayyyOnline.vbs 7edb95cf9f76fb8ccbb3d2afd0a7c4bd
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/620/original/rump_img_png.jpeg?1690931808
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.27
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9697 |
2023-08-07 09:01
|
 ChromeSetup.exe 4a22e79ac77bae6154fc85555cc26460
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
1
|
|
|
13.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9698 |
2023-08-07 08:59
|
 re.exe 42ac2bba9af99081defe93ce797a3412
Generic Malware PE64 PE File Malware Malicious Traffic unpack itself Sliver DNS |
2
https://157.245.47.66/test.txt
https://157.245.47.66/funny_cat.gif
|
1
|
1
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
|
|
2.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9699 |
2023-08-07 08:57
|
 owenzx.exe d1c67a8d11b99696527984f91ce9571f
Formbook AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.zqgf529.com/ge83/?uTuD=xP2bwfOv2vpCt0xlFavLXdTEag9kTo/lay+lErW/aYJe6onvGjWkrhTcHwah5PuetW529ZI1&Kj6ly=ATPddxOp02iTrlL0
http://www.tommybcarpentry.com/ge83/?uTuD=4l1dgt6EqJfDtjFFl8HEiOm9OdrxJ3x3R23fkyRuAcDEYyPOkg50wBw+bbg4lJJkpPSBxSQs&Kj6ly=ATPddxOp02iTrlL0
http://www.fxphones.com/ge83/?uTuD=dutfo2jPxvj1WOO8lT3X46PXeruLDGk4GIPLTA+1FdBceEacxR+vVx+tnRg7elNjWLO8USK4&Kj6ly=ATPddxOp02iTrlL0
|
6
www.fxphones.com(13.248.169.48)
www.zqgf529.com(172.67.176.126)
www.tommybcarpentry.com(34.102.136.180)
104.21.31.119 - mailcious
34.102.136.180 - mailcious
76.223.54.146
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
7.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9700 |
2023-08-07 08:57
|
qasx.vbs 99152c5481595c0c23bb3b97211c7870
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
5.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9701 |
2023-08-07 08:54
|
 demon.exe 6fc6eb3ed2366b85dca354e44e956a11
Generic Malware PE64 PE File Malware Malicious Traffic unpack itself Sliver DNS |
2
https://157.245.47.66/test.txt
https://157.245.47.66/funny_cat.gif
|
1
|
1
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
|
|
2.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9702 |
2023-08-07 08:54
|
 940000000q0q0q0q0q0q00q0000000... ea79aedcc19392bd744e17914373363e
MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://23.94.148.61/940/ChromeSetup.exe
|
3
api.ipify.org(64.185.227.156)
173.231.16.76
23.94.148.61 - malware
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9703 |
2023-08-07 08:52
|
HSS.vbs b63beb44f618c764181abf3ebe260a72
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
95.143.190.57 - mailcious
|
|
|
5.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9704 |
2023-08-07 08:52
|
 crypted.exe 1ccbff84cc57f3c7afaa21e68306d4c2
.NET framework(MSIL) .NET EXE PE File PE32 PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9705 |
2023-08-07 08:50
|
 Documents-EnemyFrauz.exe a490f1848b792df4dc37c9e1b200578d
UPX Malicious Library Socket Http API ScreenShot Code injection Internet API AntiDebug AntiVM OS Processor Check PE64 PE File Browser Info Stealer Malware download Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Code Injection Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic Windows utilities Detects VirtualBox suspicious process IP Check installed browsers check Tofsee Ransomware MeduzaStealer Stealer Windows Browser Email ComputerName Trojan Banking DNS |
|
3
api.ipify.org(64.185.227.156)
173.231.16.76
89.208.103.63
|
4
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
|
|
17.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|