| 10036 |
2023-07-25 18:49
|
 ssltdzx.exe dd2d413bc603305444c816d1cf84e2b6
AgentTesla UPX .NET framework(MSIL) KeyLogger AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.211)
104.237.62.211
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10037 |
2023-07-25 18:49
|
lawzx.doc 31332915ea2a23d649e1ccb1c15c6a1c
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash Tofsee Windows Exploit DNS crashed |
1
http://87.121.221.212/lawzx.exe
|
3
us2.smtp.mailhostbox.com(208.91.199.224)
208.91.199.225 - mailcious
87.121.221.212 - malware
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10038 |
2023-07-25 18:49
|
 crypt_se.exe bca2197eefdb2e06f4b9cf01f1d3e291
UPX Malicious Library PWS SMTP AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications WriteConsoleW installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
1
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
|
|
12.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10039 |
2023-07-25 17:24
|
abyx.vbs 531e8d4ce64013bb6cf4afa0eb38eefe
Generic Malware Antivirus PowerShell VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.2 |
M |
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10040 |
2023-07-25 17:22
|
 1.exe df53bb96de4749ce780bf8b939dc2cd5
RedLine stealer UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces WriteConsoleW installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
|
3
api.ip.sb(172.67.75.172)
62.72.23.19
172.67.75.172 - mailcious
|
4
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
M |
41 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10041 |
2023-07-25 16:55
|
 clip64.dll 358ddcec1819198ecad04ef86899feaa
Amadey UPX Admin Tool (Sysinternals etc ...) Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
59 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10042 |
2023-07-25 16:52
|
 clip64.dll 2392b231cf4a80739b5cb09bf808127d
Amadey UPX Admin Tool (Sysinternals etc ...) Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
60 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10043 |
2023-07-25 10:38
|
 HHYGASDBBBX.hta 2aa4741c22f4f7e9f7fb2318e974649c
Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
9.2 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10044 |
2023-07-25 10:37
|
shdeulerinstall.lnk fcfd7e25e415f1d9ee598ab41ca31840
Generic Malware Antivirus AntiDebug AntiVM GIF Format VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
4.8 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10045 |
2023-07-25 09:33
|
 clip64.dll 358ddcec1819198ecad04ef86899feaa
UPX Admin Tool (Sysinternals etc ...) Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10046 |
2023-07-25 09:12
|
Untitled2.bmp.ps1 b503ffd3552cd5a97874afe409f3b469
Generic Malware Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself powershell.exe wrote WriteConsoleW Windows ComputerName Cryptographic key |
16
http://www.aurestia.com/m8a3/?3fV=MQDzZIc0FUKkDnXQ5rfeT8IT1Q2H7vA9uok2G/WP3wmzi3A9vAewWHa8AW9vIGV9U9KwcU6guObd6YworSgfcdiVdqsBbQc4sRTN8us=&tzhR=VoZB5
http://www.914762.com/m8a3/
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
http://www.u1uc86.shop/m8a3/?3fV=5h8HxZ/VEhiexXVbMQOSyi/3Mq8FOldADmOfAXPisI7PhPT+BDz7e5vjA2S4Strjp4YKKaICYEzvWipuZUJ1fClpkGPLHU02z9EmeuA=&tzhR=VoZB5
http://www.eunicebarber.com/m8a3/?3fV=KfxyrYt0+dAkLzUy5BAmpABz5VvFOs89DNVvjaW49ahTyKh9A9lKw+SabxvlU3Szqi/M1EC4o9KRioA0xZp4mHTtqaUR/OlFIGLcRDE=&tzhR=VoZB5
http://www.moqainc.com/m8a3/
http://www.914762.com/m8a3/?3fV=fmtS1HqN0Y1GeG2n+s22nkteR5zb5rH2owPMNZ2Uw45FRfDCx3Qi2vCzK5U3OLBwaoIRNyVRLkfIuDiLo+1mYA8v0QdlhtIT4EYDvzg=&tzhR=VoZB5
http://www.moqainc.com/m8a3/?3fV=2PXzv/KUOl1j1NuZtmCfgjmk8F4d7zpI1k9NLrqIqxTSD5EEUqAnKuNnQ3j68zwJ4/UMJIA84T5y5YZmbeegBpPNaATffbV8yLAKduU=&tzhR=VoZB5
http://www.u1uc86.shop/m8a3/
http://www.aurestia.com/m8a3/
http://www.eunicebarber.com/m8a3/
http://www.blackhawkstickets.com/m8a3/?3fV=wELRwQq9Ik4akR1AOQPiTuGKLBWDjs8a2YaLQcHnUlU7Bv3tKYzAPKjFnfPfLGcW0Jon1I5GThlPJSE9uANXd1MOTjhszMbeqP80jx4=&tzhR=VoZB5
http://www.jshjyz.com/m8a3/?3fV=HdAArDrpc0/lWistcOXV8fE+D+9k1/Pmn5Nebv2sEOwmLRgBysRR+rlQ+FZERh068j6RXDw4R3I17DF8bzv3o/zP6s/z0ghnBgwDlLg=&tzhR=VoZB5
http://www.jshjyz.com/m8a3/
http://www.blackhawkstickets.com/m8a3/
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
|
15
www.aurestia.com(178.211.137.32)
www.eunicebarber.com(134.73.114.39)
www.u1uc86.shop(8.217.57.91)
www.moqainc.com(156.237.252.50)
www.jshjyz.com(104.164.75.231)
www.blackhawkstickets.com(91.195.240.68)
www.914762.com(46.149.197.101)
46.149.197.101
91.195.240.68 - mailcious
8.217.57.91
156.237.252.50
134.73.114.39
178.211.137.32
104.164.75.231
45.33.6.223
|
|
|
10.6 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10047 |
2023-07-25 09:05
|
 clip64.dll 2392b231cf4a80739b5cb09bf808127d
UPX Admin Tool (Sysinternals etc ...) Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10048 |
2023-07-25 08:34
|
 pls.exe 3b32db2fff556c03e79cf112664238fd
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL suspicious privilege Check memory Creates executable files unpack itself AppData folder suspicious TLD DNS |
19
http://www.purelyunorthodox.com/r862/
http://www.ianfobase.com/r862/?9HLhJ=9rRZzNTr1dZKiLQzoI8XLjplaAqV+6t0e2B+X0zrtppRDMRYTz2tf5iTpqyOXvL8YlOJPhd6SWRcIOrEs9d7dAqVmuaL1+6j3ULt+YU=&z15D5=o-d4OppZ1CkegyG
http://www.xn--cailang1-ml9sl35r.xyz/r862/?9HLhJ=S/uF320df8UnDjQS/4k38ZSLphwfiAtDFhdsqMNymj/DeDghP6n6HhyCBg2DbRSzT3vxi2zyebAOy4KdU8evD5ZQgDrzpIHmTqE3N+A=&z15D5=o-d4OppZ1CkegyG
http://www.amazing-s.com/r862/?9HLhJ=69RVFoxGUY0D0B3YqV+2mwld1PL5jwXfCjKjkpFiZLY9mwR5LQBOEU2e4EMrrKOfaYIcO1mtIEZSetKk7fnyFeOPJ3RpyEil2UQyy0o=&z15D5=o-d4OppZ1CkegyG
http://www.kwikwak.top/r862/?9HLhJ=T36R+hE18isjZaXjHzJ7Zkpexlmt5v6sU4YsQWgDgXjuAXXLweAwq0yhvE2TlpXK9Gtcm5Nka75XxGZqFoeRwg4xeWPhgOB9NrAcAUA=&z15D5=o-d4OppZ1CkegyG
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
http://www.gt6yzx.cfd/r862/
http://www.gt6yzx.cfd/r862/?9HLhJ=jgW1+RlOC4xiYAXn1VJcs3xpdlY55VN4wLhIJOPbS0OP2EW6OQwN62RI3QxvYMjApYT1XrwWyIHWN8qx3bgOQseXlpGUbfms8CoO5DA=&z15D5=o-d4OppZ1CkegyG
http://www.xn--cailang1-ml9sl35r.xyz/r862/
http://www.mioranopshop1.com/r862/
http://www.gtma10.vip/r862/?9HLhJ=8U41kzTN+uwIk3DyTQw7tTBJajqrXzV/U9eOIBRkK2PXE9wxxbe3C7vN86vdfopV2wBFBOOuk8l7RbumaXqM7+uyZLgcll40YrlUwV0=&z15D5=o-d4OppZ1CkegyG
http://www.ianfobase.com/r862/
http://www.purelyunorthodox.com/r862/?9HLhJ=PG+qG0x7ut6mghFWWv9z1aDvXJK7PEjXaxh4JoeELx5QQPgBEqAa9HIswWXT0JiH0VH9RlNF/ZpaJPb31jDauT2CX4A+EFc+mct1Eo4=&z15D5=o-d4OppZ1CkegyG
http://www.rumirajut.com/r862/?9HLhJ=1rAwQw2q1BpIxjxJkxZnSFonK+gXIesu8ZIiKuE2uI5xydDspJKJXPKvtGbjys3KWnfwZosHEMAN/bUeljygPFh0vZwT4MGahhqUpDc=&z15D5=o-d4OppZ1CkegyG
http://www.gtma10.vip/r862/
http://www.amazing-s.com/r862/
http://www.kwikwak.top/r862/
http://www.rumirajut.com/r862/
http://www.mioranopshop1.com/r862/?9HLhJ=cfbduTtVFkWmRD2P4Oq/5eEMdctrPNntf4MnpZA55yca/7EmbnTer6jTOsB3u9XDWPwG0+Qof3Hb8E9shSYTsXaQROqx/cLcjawbQss=&z15D5=o-d4OppZ1CkegyG
|
19
www.amazing-s.com(81.169.145.68)
www.mioranopshop1.com(34.149.87.45)
www.gt6yzx.cfd(43.154.67.170)
www.ianfobase.com(167.172.228.26)
www.kwikwak.top(162.0.214.109)
www.purelyunorthodox.com(154.204.19.73)
www.rumirajut.com(173.232.112.114)
www.xn--cailang1-ml9sl35r.xyz(35.186.197.188)
www.gtma10.vip(172.67.192.77)
154.204.19.73
81.169.145.68 - mailcious
34.149.87.45 - phishing
173.232.112.114
43.154.67.170 - mailcious
167.172.228.26 - mailcious
172.67.192.77
162.0.214.109 - mailcious
45.33.6.223
35.186.197.188 - mailcious
|
2
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10049 |
2023-07-25 07:59
|
 wininit.exe 682fbd7115e44f2d2cdac467072a0e24
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM .NET EXE PE File PE32 Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
11
http://www.sisbom.online/pta7/ - rule_id: 35245
http://www.yh66985.com/pta7/?DwSq=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&w07om4=jGcI-wh - rule_id: 35249
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
http://www.yh66985.com/pta7/ - rule_id: 35249
http://www.cosmicearthgoddess.com/pta7/?DwSq=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&w07om4=jGcI-wh - rule_id: 35248
http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248
http://www.maytag36.com/pta7/?DwSq=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&w07om4=jGcI-wh - rule_id: 35246
http://www.selfstorage.koeln/pta7/?DwSq=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&w07om4=jGcI-wh - rule_id: 35247
http://www.sisbom.online/pta7/?DwSq=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&w07om4=jGcI-wh - rule_id: 35245
http://www.maytag36.com/pta7/ - rule_id: 35246
http://www.selfstorage.koeln/pta7/ - rule_id: 35247
|
11
www.sisbom.online(162.240.81.18) - mailcious
www.selfstorage.koeln(81.169.145.157) - mailcious
www.yh66985.com(154.215.247.58) - mailcious
www.cosmicearthgoddess.com(74.208.236.61) - mailcious
www.maytag36.com(76.223.26.96) - mailcious
81.169.145.157 - mailcious
154.215.247.58 - mailcious
76.223.26.96 - mailcious
45.33.6.223
162.240.81.18 - mailcious
74.208.236.61 - mailcious
|
|
10
http://www.sisbom.online/pta7/
http://www.yh66985.com/pta7/
http://www.yh66985.com/pta7/
http://www.cosmicearthgoddess.com/pta7/
http://www.cosmicearthgoddess.com/pta7/
http://www.maytag36.com/pta7/
http://www.selfstorage.koeln/pta7/
http://www.sisbom.online/pta7/
http://www.maytag36.com/pta7/
http://www.selfstorage.koeln/pta7/
|
8.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10050 |
2023-07-25 07:55
|
IBLIBLIBLIBLIBLUBLUBUBIBLIBLIB... 6042e77faf4b55ffab673816405d31b6
MS_RTF_Obfuscation_Objects RTF File doc buffers extracted RWX flags setting exploit crash Exploit crashed |
|
|
|
|
2.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|