| 9781 |
2023-10-07 16:19
|
 Compiled.exe 19b2d98085a534439812011db7186839
Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 MZP Format OS Processor Check VirusTotal Malware AutoRuns unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS |
1
|
4
lan.persianremote.world(195.85.201.36)
api.myip.com(172.67.75.163)
104.26.8.59
195.85.201.36
|
3
ET POLICY IP Check (myip .com)
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET INFO Observed DNS Query to .world TLD
|
|
5.4 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9782 |
2023-10-07 16:19
|
 Stealer.exe 242c47b16c8755e72d7d1fdbc9ff0f17
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9783 |
2023-10-07 16:17
|
 build1111.exe 2823a053cb3512532ca475cc6eaec825
RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File PE32 .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172)
185.196.9.65
172.67.75.172 - mailcious
|
3
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9784 |
2023-10-07 16:16
|
 build2.0.exe da078231b647caf50cb1ca51ae69a3ef
RedlineStealer RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows Cryptographic key |
|
2
ec2-54-91-200-119.compute-1.amazonaws.com(54.91.200.119)
54.91.200.119
|
|
|
3.6 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9785 |
2023-10-07 16:14
|
 setup294.exe a2058836ff17b81908237731b8258974
Malicious Library UPX PE File PE32 DLL OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9786 |
2023-10-07 16:14
|
 sks3.exe 30e1bf37e853843f0437250b763fab89
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9787 |
2023-10-07 15:56
|
HtmlCent.vbs cafb6eb3bcfa78631ba6c20d8fa5b8e6
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://103.182.16.23/250/3/UXO.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.32.56.80
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9788 |
2023-10-07 15:56
|
HTMLcc.vbs 89cb6db34bd7438b02194d8363bfd41b
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://103.182.16.23/250/2/UFG.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.33 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9789 |
2023-10-07 15:33
|
 a3d5715a81f2fbeb_memz.exe 19dbec50735b5f2a72d4199c4e184960
Malicious Library PE File PE32 VirusTotal Malware Check memory crashed |
|
|
|
|
1.6 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9790 |
2023-10-07 15:01
|
i0ioi0o0IOoiio00I00oOOo0i0I0IO... ac1981dfa38cdea35c6002762274915f
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://103.182.16.23/250/2/HTMLcc.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
103.182.16.23 - malware
23.67.53.17
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9791 |
2023-10-07 15:01
|
html.vbs 652db94281f8ba32aa8e7314453559aa
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://103.182.16.23/250/1/UFX.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.67.53.17
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9792 |
2023-10-07 14:59
|
 updat3.exe 4452e402d114953030710ae7708537ba
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9793 |
2023-10-07 14:59
|
hhreexploit.vbs 561d5f4d8df4d135fbbd9effde8edf77
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/apamaaktivozebas364.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.33 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9794 |
2023-10-07 14:58
|
bkop.vbs f29c576dafde535cca1e48bc52efc6d9
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.91/nnannanwosu.txt
|
4
uploaddeimagens.com.br(104.21.45.138) - malware
23.67.53.17
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9795 |
2023-10-07 14:57
|
 Emulation_of_the_installer.exe fb073c1e8e693469572835389d67317e
RedLine stealer UPX .NET framework(MSIL) Malicious Library ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
12.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|