9706 | 2023-10-10 18:33 | usrgroup.dat.dll 420a13202d271babc32bf8259cdaddf3 Malicious Library PE File DLL PE64 VirusTotal Malware Checks debugger unpack itself
1.6 |  | 37 | ZeroCERT
9707 | 2023-10-10 18:32 | XUYSoft.download.exe a3333cc24e8144d6a3bb5ef08cbf9b82 Gen1 Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PE File PE64 ftp DllRegisterServer dll OS Processor Check VirusTotal Malware PDB crashed
1.0 |  | 12 | ZeroCERT
9708 | 2023-10-10 18:25 | putty.exe 1d5ad4a60ec9be32c11ad99f234bfe8f Malicious Library UPX PE File PE64 OS Processor Check FTP Client Info Stealer VirusTotal Malware Check memory Checks debugger unpack itself Software
3.0 |  | 38 | ZeroCERT
9709 | 2023-10-10 17:02 | w-12.exe 0cb677593212bc9f636c778bd6333b3a PE File PE32 VirusTotal Malware WriteConsoleW crashed
2.2 | M | 22 | ZeroCERT
9710 | 2023-10-10 17:02 | windows.exe 36065d0183df9a022d1cfb4eac70ee71 AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
  2 | camo.githubusercontent.com(185.199.109.133); 185.199.110.133 - malware
  2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | M |  | ZeroCERT
9711 | 2023-10-10 17:01 | windows.exe 0652f7b122116eec5cfe7cd5bae5a7bd Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself
2.0 |  | 60 | ZeroCERT
9712 | 2023-10-10 17:00 | i-5.8-6.Sakura 934037ef82e243dea200d0567604bd2e AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
4.6 | M | 40 | ZeroCERT
9713 | 2023-10-10 17:00 | Prowf.exe 3cef8b4a9c9507c112ca5449a03b03e9 PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName
  2 | pmjo.fra1.cdn.digitaloceanspaces.com(205.185.216.42) - malware; 205.185.216.42 - malware
  1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.8 | M | 48 | ZeroCERT
9714 | 2023-10-10 14:06 | setup294.exe cdab7ff04a8249fd9709106297453f03 Malicious Library UPX PE File PE32 DLL OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder
2.6 | M |  | ZeroCERT
9715 | 2023-10-10 14:04 | setup294.exe 3c1be0e1c425fd4f3204a6f914021210 Malicious Library UPX PE File PE32 DLL OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder WriteConsoleW
2.8 |  |  | ZeroCERT
9716 | 2023-10-10 10:56 | Contract-2.msi 8e68a2869daf1ba9eaebf31d2d87973e DarkGate Malicious Library MSOffice File CAB OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Windows ComputerName
  9 | http://piret-wismann.com:2351/njsswd - rule_id: 37133; http://piret-wismann.com:2351/njsswd; http://piret-wismann.com:8080/ - rule_id: 37129; http://piret-wismann.com:2351/ - rule_id: 37133; http://piret-wismann.com:2351/; http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt; http://piret-wismann.com:2351/cztngt - rule_id: 37133; http://piret-wismann.com:2351/cztngt; http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
  4 | piret-wismann.com(162.33.179.65) - mailcious; www.ssl.com(54.236.82.84); 54.174.96.153; 162.33.179.65 - mailcious
  3 | ET POLICY curl User-Agent Outbound; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP
  4 | http://piret-wismann.com:2351/; http://piret-wismann.com:8080/; http://piret-wismann.com:2351/; http://piret-wismann.com:2351/
4.8 | M | 1 | ZeroCERT
9717 | 2023-10-10 10:48 | zip.7z 180d73f995d228c51498c4bfaf674d57 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS
  22 |
  24 | schematize.pw(104.21.32.142); api.myip.com(172.67.75.163); onualituyrs.org(91.215.85.209) - malware; ipinfo.io(34.117.59.81); sun6-23.userapi.com(95.142.206.3) - mailcious; sun6-20.userapi.com(95.142.206.0) - mailcious; vk.com(87.240.137.164) - mailcious; isaiahbenjamin.top(85.143.221.30) - malware; sun6-21.userapi.com(95.142.206.1) - mailcious; 77.91.68.249 - malware; 85.143.221.30 - malware; 172.67.75.163; 95.142.206.3 - mailcious; 91.215.85.209 - mailcious; 95.142.206.0 - mailcious; 171.22.28.226 - malware; 87.240.129.133 - mailcious; 194.169.175.232 - malware; 34.117.59.81; 104.21.32.142; 176.113.115.84 - mailcious; 95.142.206.1 - mailcious; 94.142.138.131 - mailcious; 171.22.28.212
  18 | ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET); ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SURICATA Applayer Mismatch protocol both directions; ET INFO Executable Download from dotted-quad Host; ET DNS Query to a *.pw domain - Likely Hostile; ET DNS Query to a *.top domain - Likely Hostile; ET DROP Spamhaus DROP Listed Traffic Inbound group 19; ET DROP Spamhaus DROP Listed Traffic Inbound group 7; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP; ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016; ET INFO HTTP Request to a *.top domain; ET HUNTING Suspicious services.exe in URI; ET INFO TLS Handshake Failure; ET HUNTING Possible EXE Download From Suspicious TLD
  7 | http://94.142.138.131/api/firegate.php; http://171.22.28.226/download/Services.exe; http://194.169.175.232/autorun.exe; http://isaiahbenjamin.top/calc2.exe; http://176.113.115.84:8080/4.php; http://94.142.138.131/api/tracemap.php; http://77.91.68.249/navi/kur90.exe
6.0 | M | 7 | ZeroCERT
9718 | 2023-10-10 10:42 | zip.7z 854c628dca46bee73c0d90ce447d626e Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS
  21 |
  24 | schematize.pw(172.67.152.98); api.myip.com(104.26.9.59); onualituyrs.org(91.215.85.209) - malware; ipinfo.io(34.117.59.81); sun6-23.userapi.com(95.142.206.3) - mailcious; sun6-20.userapi.com(95.142.206.0) - mailcious; vk.com(93.186.225.194) - mailcious; isaiahbenjamin.top(85.143.221.30) - malware; sun6-21.userapi.com(95.142.206.1) - mailcious; 193.42.32.118 - mailcious; 77.91.68.249 - malware; 85.143.221.30 - malware; 104.26.9.59; 95.142.206.3 - mailcious; 91.215.85.209 - mailcious; 95.142.206.0 - mailcious; 171.22.28.226 - malware; 87.240.129.133 - mailcious; 194.169.175.232 - malware; 34.117.59.81; 104.21.32.142; 176.113.115.84 - mailcious; 95.142.206.1 - mailcious; 171.22.28.212
  18 | ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET); SURICATA Applayer Mismatch protocol both directions; ET DNS Query to a *.top domain - Likely Hostile; ET INFO Executable Download from dotted-quad Host; ET HUNTING Suspicious services.exe in URI; ET DNS Query to a *.pw domain - Likely Hostile; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET DROP Spamhaus DROP Listed Traffic Inbound group 7; ET DROP Spamhaus DROP Listed Traffic Inbound group 19; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE - Served Attached HTTP; ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016; ET INFO HTTP Request to a *.top domain; ET INFO TLS Handshake Failure; ET HUNTING Possible EXE Download From Suspicious TLD
  7 | http://193.42.32.118/api/firegate.php; http://171.22.28.226/download/Services.exe; http://176.113.115.84:8080/4.php; http://isaiahbenjamin.top/calc2.exe; http://194.169.175.232/autorun.exe; http://193.42.32.118/api/tracemap.php; http://77.91.68.249/navi/kur90.exe
5.6 | M |  | ZeroCERT
9719 | 2023-10-10 10:37 | xxx.jpg.ps1 afaec0cb0efc79d3c2effd5ea7c43cf9 Generic Malware Antivirus VirusTotal Malware Check memory Creates executable files unpack itself WriteConsoleW ComputerName
2.0 | M | 13 | ZeroCERT
9720 | 2023-10-10 10:36 | Informazioni.txt.url 0e20d831a104276c6b374d9c01cc9bde AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
  1 | http://62.173.146.73/scarica/client.url
  1 |
  2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
5.8 |  | 5 | ZeroCERT