ZeroCERT sandbox listing, 2023-10-05 (entries 9856 to 9870, newest first)

Field legend: Tags reproduces the sandbox signature names exactly as the listing shows them. URLs, Hosts and Alerts give the count the listing reports, followed by the items it actually shows (a count with "not shown" means the listing reports the count but displays no items). Score is the sandbox score. Flag reproduces the listing's "M" column. Count reproduces the listing's final numeric column, which is unlabelled on the listing and appears only on entries that also carry the VirusTotal tag. Alerts are Suricata rule names (ET = Emerging Threats, SSLBL = abuse.ch SSL Blacklist JA3 fingerprints); the spaced dots in some rule names, e.g. "(checkip .dyndns .org)", are part of the rule names as published.

Entry 9856 | 2023-10-05 17:02 | ZeroCERT
  File:   445.jpg
  MD5:    30000f8e4ee5bce90382de83814fb8c9
  Tags:   Generic Malware Antivirus Malicious Library UPX Malicious Packer Downloader PE File PE32 DLL PE64 OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security suspicious process AppData folder Windows ComputerName Cryptographic key
  URLs:   none
  Hosts:  2
          ssh.362-com.com (203.124.11.111)
          203.124.11.111
  Alerts: none
  Score: 8.4 | Flag: M | Count: 55

Entry 9857 | 2023-10-05 17:02 | ZeroCERT
  File:   222.exe
  MD5:    2efdda89d5ae8c0512fb0dfab4cff22a
  Tags:   RedLine stealer Malicious Library UPX ScreenShot PWS AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs:   none
  Hosts:  1 (not shown)
  Alerts: 5
          ET INFO Microsoft net.tcp Connection Initialization Activity
          ET MALWARE Redline Stealer TCP CnC Activity
          ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
          ET MALWARE Redline Stealer TCP CnC - Id1Response
          ET MALWARE Redline Stealer Activity (Response)
  Score: 10.8 | Flag: M | Count: 35

Entry 9858 | 2023-10-05 09:23 | ZeroCERT
  File:   Wshp.vbs
  MD5:    8be364f89bc3f098890bf2c1a576d7a6
  Tags:   Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs:   3
          http://apps.identrust.com/roots/dstrootcax3.p7c
          https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
          http://172.86.76.208/zh2/LPG.txt
  Hosts:  3
          uploaddeimagens.com.br (104.21.45.138) - malware
          182.162.106.32
          104.21.45.138 - malware
  Alerts: 1
          SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 8.6 | Flag: none | Count: 11

Entry 9859 | 2023-10-05 09:17 | ZeroCERT
  File:   xqnoOIWFbr2N.exe
  MD5:    19ec1b3fe77ac2bb9b4019ecf20cfc5b
  Tags:   UPX .NET framework(MSIL) Malicious Packer PE File PE32 .NET EXE Malware download NetWireRC VirusTotal Malware IP Check RAT
  URLs:   1 (not shown)
  Hosts:  4
          usacupid.org (2.59.254.111)
          ip-api.com (208.95.112.1)
          2.59.254.111 - malicious
          208.95.112.1
  Alerts: 2
          ET MALWARE Common RAT Connectivity Check Observed
          ET POLICY External IP Lookup ip-api.com
  Score: 2.0 | Flag: none | Count: 60

Entry 9860 | 2023-10-05 08:00 | ZeroCERT
  File:   1.exe
  MD5:    c5999a94094f1b68b36ecdb65e809730
  Tags:   RedLine stealer Malicious Library UPX ScreenShot PWS AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs:   none
  Hosts:  1 (not shown)
  Alerts: 5
          ET INFO Microsoft net.tcp Connection Initialization Activity
          ET MALWARE Redline Stealer TCP CnC Activity
          ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
          ET MALWARE Redline Stealer TCP CnC - Id1Response
          ET MALWARE Redline Stealer Activity (Response)
  Score: 10.8 | Flag: M | Count: 30

Entry 9861 | 2023-10-05 07:57 | ZeroCERT
  File:   ufGFFXjWy6vU4y9.exe
  MD5:    dbf80d2ee0c7e4a7903479e3dadeac3d
  Tags:   PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself ComputerName DNS crashed
  URLs:   none
  Hosts:  1 (not shown)
  Alerts: none
  Score: 3.2 | Flag: M | Count: 43

Entry 9862 | 2023-10-05 07:56 | ZeroCERT
  File:   server1.exe
  MD5:    4d8037262c4cfb2fee106c9ae7d36428
  Tags:   LokiBot task schedule UPX ScreenShot PWS DNS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Malware download NetWireRC VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself WriteConsoleW IP Check RAT ComputerName DNS DDNS
  URLs:   1 (not shown)
  Hosts:  6
          fronpeatcam.publicvm.com (45.12.253.94)
          qpurrybeatmecamtest.ddns.net (45.12.253.94)
          ip-api.com (208.95.112.1)
          182.162.106.32
          45.12.253.94
          208.95.112.1
  Alerts: 4
          ET MALWARE Common RAT Connectivity Check Observed
          ET POLICY External IP Lookup ip-api.com
          ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
          ET POLICY DNS Query to DynDNS Domain *.ddns .net
  Score: 10.8 | Flag: M | Count: 37

Entry 9863 | 2023-10-05 07:54 | ZeroCERT
  File:   FPyuSqdES06O8vS.exe
  MD5:    c3fdabfa7e016aa9b2cacbb5fc9860a8
  Tags:   Generic Malware UPX Malicious Packer Malicious Library .NET framework(MSIL) PE File PE32 .NET EXE JPEG Format OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces IP Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
  URLs:   2
          http://checkip.dyndns.org/
          https://rakishev.net/wp-cron.php
  Hosts:  4
          rakishev.net (104.21.88.34)
          checkip.dyndns.org (193.122.130.0)
          132.226.8.169
          104.21.88.34
  Alerts: 3
          ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
          ET POLICY External IP Lookup - checkip.dyndns.org
          SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 12.6 | Flag: M | Count: 53

Entry 9864 | 2023-10-05 07:53 | ZeroCERT
  File:   HTML.exe
  MD5:    0c86e968796f80b0e5c091b3270ce88b
  Tags:   Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
  URLs:   none
  Hosts:  2
          api.ipify.org (64.185.227.156)
          173.231.16.77
  Alerts: 4
          ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
          ET INFO TLS Handshake Failure
          ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
          SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 14.4 | Flag: M | Count: 35

Entry 9865 | 2023-10-05 07:51 | ZeroCERT
  File:   KqxxD43gE6ehqZb.exe
  MD5:    d3fc0eb99a8edffaf0a4c9a66ed91777
  Tags:   Generic Malware Malicious Library UPX PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Malicious Traffic Checks debugger unpack itself Check virtual network interfaces IP Check installed browsers check Windows Browser Email ComputerName DNS DDNS Software crashed keylogger
  URLs:   2
          http://rakishev.net/wp-admin/admin-ajax.php
          http://checkip.dyndns.org/
  Hosts:  4
          rakishev.net (104.21.88.34)
          checkip.dyndns.org (158.101.44.242)
          172.67.150.79
          158.101.44.242
  Alerts: 3
          ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
          ET POLICY External IP Lookup - checkip.dyndns.org
          ET MALWARE AgentTesla Communicating with CnC Server
  Score: 10.4 | Flag: M | Count: 56

Entry 9866 | 2023-10-05 07:51 | ZeroCERT
  File:   file.exe
  MD5:    9f528babec87d802acab810f56b9e534
  Tags:   RedLine stealer Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
  URLs:   none
  Hosts:  1 (not shown)
  Alerts: 5
          ET INFO Microsoft net.tcp Connection Initialization Activity
          ET MALWARE Redline Stealer TCP CnC Activity
          ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
          ET MALWARE Redline Stealer TCP CnC - Id1Response
          ET MALWARE Redline Stealer Activity (Response)
  Score: 11.0 | Flag: M | Count: 47

Entry 9867 | 2023-10-05 07:51 | ZeroCERT
  File:   rjFcwBLmZM9M3y7.exe
  MD5:    5d4392b56aa4ebac400bbe86fe5d0767
  Tags:   Gen1 Generic Malware Malicious Library UPX Malicious Packer Downloader .NET framework(MSIL) PE File PE32 .NET EXE icon DLL OS Processor Check BMP Format Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check Ransomware Browser ComputerName
  URLs:   2
          http://rakishev.net/wp-load.php
          http://ip-api.com/json/?fields=11827
  Hosts:  4
          rakishev.net (172.67.150.79)
          ip-api.com (208.95.112.1)
          104.21.88.34
          208.95.112.1
  Alerts: 3
          ET POLICY External IP Lookup ip-api.com
          ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
          ET HUNTING PNG in HTTP POST (Outbound)
  Score: 9.4 | Flag: M | Count: 41

Entry 9868 | 2023-10-05 07:49 | ZeroCERT
  File:   50_2023-10-04_13-27.exe
  MD5:    1a341a36cd0d3e3ab04a1898194fba3a
  Tags:   Malicious Library UPX PE File PE32 OS Processor Check PDB Remote Code Execution
  URLs:   none
  Hosts:  none
  Alerts: none
  Score: 0.8 | Flag: M | Count: none

Entry 9869 | 2023-10-05 07:48 | ZeroCERT
  File:   FocFoaRhEf4vkFl.exe
  MD5:    ccec9f6516e38c852b1df13c836e5430
  Tags:   UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE PNG Format MSOffice File JPEG Format VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces Tofsee Windows Exploit Browser ComputerName DNS crashed
  URLs:   1
          http://www.adobe.com/go/download_PHSP_ko_KR?mv=product&mv2=accc
  Hosts:  6
          www.adobe.com (175.207.14.65)
          na1e-acc.services.adobe.com (52.37.31.54)
          cc-api-data.adobe.io (35.73.141.179)
          121.254.136.152
          35.73.141.179
          34.215.32.195
  Alerts: 2
          SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
          ET INFO TLS Handshake Failure
  Score: 9.4 | Flag: M | Count: 41

Entry 9870 | 2023-10-05 07:47 | ZeroCERT
  File:   XZJ7pcVdxODBwEr.exe
  MD5:    43793501051282b49746c790640bcf31
  Tags:   Emotet Generic Malware Malicious Library UPX Downloader Malicious Packer Anti_VM PE File PE32 .NET EXE JPEG Format OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk IP Check VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS DDNS Software crashed keylogger
  URLs:   2
          http://apps.identrust.com/roots/dstrootcax3.p7c
          http://checkip.dyndns.org/
  Hosts:  5
          checkip.dyndns.org (158.101.44.242)
          rakishev.org (172.67.191.205)
          182.162.106.32
          132.226.8.169
          172.67.191.205
  Alerts: 3
          SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
          ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
          ET POLICY External IP Lookup - checkip.dyndns.org
  Score: 13.6 | Flag: M | Count: 43
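A listing like this is only useful to a defender once the host fields are turned into indicators and the noise is separated out: ip-api.com, checkip.dyndns.org, api.ipify.org and apps.identrust.com are contacted by many unrelated families (the ET POLICY / ET INFO "External IP Lookup" alerts above fire on exactly that), and Cloudflare-fronted IPs such as 104.21.x.x and 172.67.x.x identify the CDN, not the actor. The script below is an added example written for this page; it is not part of the ZeroCERT listing or of any tooling behind it. It takes the host fields of seven entries above as constructed input, classifies each indicator as shared service, CDN address or candidate C2, and pivots on infrastructure seen in more than one sample (rakishev.net and 182.162.106.32 each recur across three entries). SERVICE_HOSTS and CDN_RANGES are this example's own assumptions about what should stay off a block list; the CDN prefixes are Cloudflare's published IPv4 ranges.

```python
"""IOC extraction and infrastructure pivoting over a sandbox listing.

Added example, not ZeroCERT code. SAMPLES is constructed input copied from
the Hosts fields of the entries above. SERVICE_HOSTS and CDN_RANGES are
assumptions of this example about what must not be blocked outright.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed input: (entry id, Hosts field exactly as the listing shows it).
SAMPLES = [
    ("9858", "uploaddeimagens.com.br(104.21.45.138) - malware 182.162.106.32 104.21.45.138 - malware"),
    ("9859", "usacupid.org(2.59.254.111) ip-api.com(208.95.112.1) 2.59.254.111 - malicious 208.95.112.1"),
    ("9862", "fronpeatcam.publicvm.com(45.12.253.94) qpurrybeatmecamtest.ddns.net(45.12.253.94) "
             "ip-api.com(208.95.112.1) 182.162.106.32 45.12.253.94 208.95.112.1"),
    ("9863", "rakishev.net(104.21.88.34) checkip.dyndns.org(193.122.130.0) 132.226.8.169 104.21.88.34"),
    ("9865", "rakishev.net(104.21.88.34) checkip.dyndns.org(158.101.44.242) 172.67.150.79 158.101.44.242"),
    ("9867", "rakishev.net(172.67.150.79) ip-api.com(208.95.112.1) 104.21.88.34 208.95.112.1"),
    ("9870", "checkip.dyndns.org(158.101.44.242) rakishev.org(172.67.191.205) 182.162.106.32 "
             "132.226.8.169 172.67.191.205"),
]

# Assumption: legitimate external-IP lookup and CA endpoints that many families beacon to.
SERVICE_HOSTS = {"ip-api.com", "checkip.dyndns.org", "api.ipify.org", "apps.identrust.com"}
# Cloudflare-published IPv4 prefixes: an address here fronts a CDN customer, not the actor's box.
CDN_RANGES = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Either "domain(resolved-ip)" or a bare IPv4; the "- malware" annotations are ignored.
HOST_RE = re.compile(rf"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{{2,}})\(({IPV4})\)|({IPV4})")


def parse_hosts(raw):
    """Split a Hosts field into {domain: {resolved ips}} plus the set of every IP present."""
    domains, ips = defaultdict(set), set()
    for dom, resolved, bare in HOST_RE.findall(raw):
        if dom:
            domains[dom.lower()].add(resolved)
            ips.add(resolved)
        else:
            ips.add(bare)
    return dict(domains), ips


def is_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def triage(samples, service_hosts=SERVICE_HOSTS):
    """indicator -> {"kind": service|cdn|candidate_c2, "samples": {entry ids}, "resolved": {ips}}."""
    evidence = {}

    def note(ioc, sid, kind, resolved=()):
        e = evidence.setdefault(ioc, {"kind": kind, "samples": set(), "resolved": set()})
        e["samples"].add(sid)
        e["resolved"].update(resolved)
        if kind == "service":          # a service verdict from any sample wins
            e["kind"] = "service"

    for sid, raw in samples:
        domains, ips = parse_hosts(raw)
        # IPs that only appear because a service domain resolved to them inherit its verdict.
        service_ips = {ip for d, rs in domains.items() if d in service_hosts for ip in rs}
        for d, rs in domains.items():
            note(d, sid, "service" if d in service_hosts else "candidate_c2", rs)
        for ip in ips:
            kind = "service" if ip in service_ips else "cdn" if is_cdn(ip) else "candidate_c2"
            note(ip, sid, kind)
    return evidence


def pivots(evidence, min_samples=2):
    """Non-service indicators shared by >= min_samples entries: the infrastructure worth tracking."""
    return {ioc: sorted(e["samples"]) for ioc, e in evidence.items()
            if e["kind"] != "service" and len(e["samples"]) >= min_samples}


def blocklist(evidence):
    """Indicators safe to block outright: candidate domains and IPs that are neither service nor CDN."""
    return sorted(ioc for ioc, e in evidence.items() if e["kind"] == "candidate_c2")


if __name__ == "__main__":
    ev = triage(SAMPLES)
    for ioc, ids in sorted(pivots(ev).items(), key=lambda kv: -len(kv[1])):
        print(f"{ioc:28} {ev[ioc]['kind']:13} seen in entries {', '.join(ids)}")
    print("block:", ", ".join(blocklist(ev)))
```

CDN addresses are kept in the pivot output because they still link samples (104.21.88.34 ties entries 9863, 9865 and 9867 to the same rakishev.net infrastructure), but they are excluded from the block list; the domain is the durable indicator there. Conversely, a bare IP seen in one sample only (45.12.253.94 for the LokiBot/NetWire entry) is blockable but not yet a pivot, so both views are needed.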