10006 | 2023-09-30 13:38
x.xx.x.x.doc ad154e6d30789f35ac383edc8c671806 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs: 2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://193.42.33.63/exploitprivate/goatedinvagina.vbs
Hosts: 4
uploaddeimagens.com.br(172.67.215.45) - malware
193.42.33.63 - malicious
121.254.136.9
104.21.45.138 - malware
Alerts: 2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
4.0 | M | 29 | ZeroCERT
10007 | 2023-09-30 13:36
audiodg.exe d8f6b1d6c8b4210fec0826280dccf0fa UPX .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
URLs: 0
Hosts: 0
Alerts: 0
2.6 | M | 46 | ZeroCERT
10008 | 2023-09-30 13:36
cqBmSn7ZZ0p6a7K.exe 727987dd54cdd7bce9f056b2a80731e9 .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
URLs: 0
Hosts: 0
Alerts: 0
2.6 | M | 52 | ZeroCERT
10009 | 2023-09-30 13:34
Updater.exe 67e741557eaa3124261105bff38bc62a Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware PDB Check memory Tofsee
URLs: 0
Hosts: 2
mayo.edu(129.176.1.88)
129.176.1.88
Alerts: 2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.0 | M | 33 | ZeroCERT
10010 | 2023-09-30 13:34
audiodg.exe a1f785bfdea5c75ed569fc48681eb610 LokiBot Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs: 0
Hosts: 15
Alerts: 4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 | M | 50 | ZeroCERT
10011 | 2023-09-30 13:33
IOI0ioio0OIOIO0IOI0ioi0i000000... 750637aa4adce8ce221b8d8755dbbaf8 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Windows Exploit Google DNS crashed
URLs: 5
http://192.3.108.47/test/ChromeSetup.exe
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhemejginpboagddgdfbepgmp_414_all_ZZ_acz2kiivwz66gcmd564fvjnnf4sa.crx3
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=11:7Gz5hy99G0OJGwmw-g8p-blMoWYIGYN02Dr48kg3q48&cup2hreq=7a6509b0222169109f7b96e446becc365cb6859e88bdecbd3f898226ad48db9e
Hosts: 28
Alerts: 8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO EXE - Served Attached HTTP
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
4.4 | M | 29 | ZeroCERT
10012 | 2023-09-30 13:32
audiodg.exe 44467cb97748f78289cca59f5ad2cc3a NSIS Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files unpack itself AppData folder crashed
URLs: 0
Hosts: 0
Alerts: 0
4.0 | M | 51 | ZeroCERT
10013 | 2023-09-30 13:31
audiodg.exe 71471d6ba26a1046e49cc34cf9b1122e UPX .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces
URLs: 0
Hosts: 0
Alerts: 0
2.4 | M | 44 | ZeroCERT
10014 | 2023-09-30 13:30
MD.doc 67d3cae949ee03c6d70466c4c2735a57 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Exploit DNS crashed
URLs: 0
Hosts: 1
Alerts: 0
4.6 | M | 25 | ZeroCERT
10015 | 2023-09-30 13:29
I0OIIOIOi0ioii0oiioi0ioiooi0i0... 647d8be1ca923f60c2d571eb746ef0e2 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash suspicious TLD Windows Exploit DNS crashed
URLs: 15
Hosts: 18
Alerts: 7
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 27 | ZeroCERT
10016 | 2023-09-30 13:28
audiodg.exe 54326c193800ac78407da899e591e86d NSIS Malicious Library UPX PE File PE32 OS Processor Check Check memory Creates executable files unpack itself AppData folder DNS crashed
URLs: 0
Hosts: 1
Alerts: 0
3.4 | M | | ZeroCERT
10017 | 2023-09-30 13:28
123.exe 9648cd34630e6a0e149ea9f49911c7cd Emotet Suspicious_Script_Bin Downloader Malicious Library UPX Malicious Packer Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug VirusTotal Malware suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName
URLs: 0
Hosts: 0
Alerts: 0
7.4 | M | 20 | ZeroCERT
10018 | 2023-09-30 13:28
agodzx.doc b53d71a64cb165fb5bd36e7f22879546 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
URLs: 1
http://185.28.39.18:7777/185.28.39.18/agodzx.exe
Hosts: 5
api.ipify.org(104.237.62.212)
smtp.yandex.com(77.88.21.158)
185.28.39.18 - malware
173.231.16.77
77.88.21.158
Alerts: 10
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.2 | M | 34 | ZeroCERT
10019 | 2023-09-30 13:26
ja8drj17aq2.exe 31c3b0ab9b83cafb8eb3a7890e2d05ca RedLine stealer Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications WriteConsoleW installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: 0
Hosts: 1
Alerts: 5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
11.4 | M | 52 | ZeroCERT
10020 | 2023-09-30 13:24
Fix.exe 52e507f8cbdf95493c5963ddba10968e Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Obsidium protector Malicious Packer PE File PE32 OS Processor Check ftp MZP Format DLL PNG Format VirusTotal Malware PDB Malicious Traffic Check memory buffers extracted Creates executable files unpack itself AppData folder Tofsee ComputerName
URLs: 1
https://i.imgur.com/aUGHSWZ.png
Hosts: 2
i.imgur.com(151.101.40.193) - malicious
146.75.92.193 - suspicious
Alerts: 1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 30 | ZeroCERT