| 9841 |
2023-08-02 10:05
|
000000000000%23%23%23%23%23%23... 94340ec5c5d586f335f2d9076e802b4e
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
3
http://www.memyar.com/gs22/?s0=9ZBC0f+9RgjxeuZvHOxJK0OniZLAdU+4qjFxfxF4zayhVhrzWW9GrjI8li8yjT6m11JrM5L0&CZ=7nH8XRk
http://103.6.248.9/S307M/wininit.exe
http://23.95.60.83/FBI/4/XemnhqpeY66.bin
|
5
www.sadwqe.quest()
www.memyar.com(207.244.97.155)
103.6.248.9 - malware
207.244.97.155
23.95.60.83 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE FormBook CnC Checkin (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic .bin download from Dotted Quad
|
|
4.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9842 |
2023-08-02 10:03
|
 redlkript.exe c3b8d601e3e591f86694bf495397b8d7
UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
6.0 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9843 |
2023-08-02 10:02
|
 g.exe 0293212e847c117726731f3cb4994176
Malicious Library PE File PE32 VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
2.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9844 |
2023-08-02 10:01
|
 BRR.exe 5efbe5d0bcd3b6a78d4ee2b4ea3236e4
Themida Packer Generic Malware UPX Obsidium protector Anti_VM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows ComputerName Firmware DNS Cryptographic key crashed |
1
https://pastebin.com/raw/V1mwGj8h
|
3
pastebin.com(172.67.34.170) - mailcious
95.143.190.57 - mailcious
172.67.34.170 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9845 |
2023-08-02 10:00
|
 IE_Neth.exe a69b0516cb39875b649aa5003b8ccadb
Generic Malware .NET framework(MSIL) Antivirus .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
8.4 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9846 |
2023-08-02 10:00
|
 conhost.exe ecdb97e94c539f0be22aa0bd82739da1
XMRig Miner Emotet Generic Malware Suspicious_Script_Bin task schedule Downloader UPX Malicious Library Antivirus Malicious Packer .NET framework(MSIL) Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP D VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Cryptographic key |
7
https://github.com/S1lentHashhh/watchdog/raw/main/WatchDog.exe - rule_id: 35032
https://raw.githubusercontent.com/S1lentHashhh/WinRing/main/WinRing0x64.sys - rule_id: 35034
https://raw.githubusercontent.com/S1lentHashhh/WinRing/main/WinRing0x64.sys
https://github.com/S1lentHashhh/xmrig/raw/main/xmrig.exe - rule_id: 35033
https://pastebin.com/raw/mu8c4MXX
https://github.com/S1lentHashhh/WinRing/raw/main/WinRing0x64.sys - rule_id: 35035
https://github.com/S1lentHashhh/WinRing/raw/main/WinRing0x64.sys
|
6
github.com(20.200.245.247) - mailcious
raw.githubusercontent.com(185.199.108.133) - malware
pastebin.com(104.20.68.143) - mailcious
104.20.68.143 - mailcious
20.200.245.247 - malware
185.199.108.133 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4
https://github.com/S1lentHashhh/watchdog/raw/main/WatchDog.exe
https://raw.githubusercontent.com/S1lentHashhh/WinRing/main/WinRing0x64.sys
https://github.com/S1lentHashhh/xmrig/raw/main/xmrig.exe
https://github.com/S1lentHashhh/WinRing/raw/main/WinRing0x64.sys
|
11.6 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9847 |
2023-08-02 09:59
|
 wininit.exe e61c76dd476999bcb6a6fa307754ff96
.NET framework(MSIL) .NET EXE PE File PE32 PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9848 |
2023-08-02 09:57
|
 IE_Netcape.exe 664f4735aaad4babd8c6ab8abe20e4ce
AgentTesla Generic Malware .NET framework(MSIL) Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76)
104.237.62.211
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9849 |
2023-08-02 09:57
|
 IE_NETWORK_PROTOCOL.exe 8321893248c389b13d9db8ef0757a73b
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself ComputerName |
2
http://www.zhperviepixie.com/sy22/?x48hXFZH=hdFL0kwy0tP2Sq5zkMkXOvLbydzGG5NDjXbLdYDkA/+zwUFtuqh4YP0DuyJcd4UMQHwk1geg&Sh=Cp-8188
http://www.gypseascuba.com/sy22/?x48hXFZH=Z7yxFYGiTVxJAd1yfFfhqAx2pfNKomlFjnvRFuASxUX7fZSe7oi5kSfugx5B4kXiQ+Y9k/Os&Sh=Cp-8188
|
5
www.gypseascuba.com(34.149.87.45)
www.zhperviepixie.com(13.248.148.254)
www.jizihao1.com()
13.248.148.254 - mailcious
34.149.87.45 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9850 |
2023-08-02 09:55
|
 1Lyla.exe 4b1b9a060092af401c073ffbd1dd9e1b
UPX Socket DNS PWS SMTP AntiDebug AntiVM .NET EXE PE File PE32 PNG Format GIF Format JPEG Format PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Tofsee Interception Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
10
http://tokoi45.beget.tech/server2.txt - rule_id: 34428
http://tokoi45.beget.tech/server1.txt
http://disgen.in/webArg1.txt
https://iplogger.com/12qaJ4
http://disgen.in/1/data64_1.exe
http://disgen.in/1/data64_2.exe
http://disgen.in/1/data64_3.exe
http://disgen.in/1/data64_4.exe
http://disgen.in/1/data64_5.exe
http://disgen.in/1/data64_6.exe
|
7
tokoi45.beget.tech(5.101.152.100) - mailcious
disgen.in(92.42.110.125) - malware
iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
5.101.152.100 - malware
92.42.110.125 - malware
168.119.252.116
|
8
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO TLS Handshake Failure
|
1
http://tokoi45.beget.tech/server2.txt
|
17.4 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9851 |
2023-08-02 09:55
|
 updareservice.exe 21ef28aa75e0283b056e079624cb6ad4
.NET EXE PE File PE32 PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows |
|
2
bitbucket.org(104.192.141.1) - malware
104.192.141.1 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9852 |
2023-08-02 09:52
|
 IE_Neth.exe cdd6c89e919974fd8f8fa65ece0de766
.NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
3.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9853 |
2023-08-02 09:52
|
00000000000000000000000%23%23%... c9ba92fc5db1a1e6428443f3d03ef006
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://103.16.215.29/S307M/wininit.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9854 |
2023-08-01 16:18
|
 loa.exe 0478a63ce705230c0750bd0688cf3f89
UPX Malicious Library Malicious Packer .NET EXE PE File PE32 OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS |
1
http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
|
1
|
8
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Packed Executable Download
|
1
http://45.9.74.80/0bjdn2Z/index.php
|
9.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9855 |
2023-08-01 16:17
|
 sd.exe 472512528a7908cda186e815079dd062
UPX .NET framework(MSIL) Malicious Library Malicious Packer Antivirus OS Processor Check .NET EXE PE File PE32 Check memory Checks debugger unpack itself |
|
|
|
|
0.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|