10096 |
2024-05-03 15:54
|
buben.exe 89614bcd95a77224939391e14e6a45d4 EnigmaProtector Malicious Packer PE File PE32 Malware download VirusTotal Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192) db-ip.com(104.26.4.15) 147.45.47.93 - malware 104.26.4.15 34.117.186.192
|
6
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (External IP)
|
|
7.6 |
M |
31 |
ZeroCERT
10097 |
2024-05-03 15:53
|
svchosts.exe 10e53496bc04214f85f2ba5688430edb XMRig Miner Generic Malware Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 OS Processor Check PE64 VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns Check memory Creates executable files unpack itself Auto service Check virtual network interfaces WriteConsoleW Windows ComputerName RCE Firmware |
|
|
|
|
6.6 |
|
53 |
ZeroCERT
10098 |
2024-05-03 15:51
|
1668093182.exe 9fbc495f7b8396fd10b994d966f88796 Malicious Packer PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
M |
63 |
ZeroCERT
10099 |
2024-05-03 15:50
|
prnportlatinos.vbs 544d0c91d215bdd930d481b2edb9a9ff VirusTotal Malware VBScript wscript.exe payload download Creates shortcut Check virtual network interfaces Tofsee Dropper |
1
|
2
paste.ee(172.67.187.200) - mailcious 104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
15 |
ZeroCERT
10100 |
2024-05-03 15:49
|
setup%E4%B8%8B%E8%BD%BD%E5%90%... 6072310e460bb41fb1a0e5ea9f16e33c Malicious Library PE64 PE File VirusTotal Malware DNS |
|
1
|
|
|
3.2 |
M |
46 |
ZeroCERT
10101 |
2024-05-03 15:48
|
vistatharagreatgirlwholovedafi... 5781051426025f65897f57bcb1ce41ca MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://192.3.243.154/lalalawgome.vbs https://paste.ee/d/NOyVa
|
6
paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 121.254.136.9 104.21.84.67 - malware 104.21.45.138 - malware 192.3.243.154 - malware
|
3
ET INFO Dotted Quad Host VBS Request SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
5.2 |
M |
40 |
ZeroCERT
10102 |
2024-05-03 15:47
|
creatednewthingstounderstandho... 584c735262a9081e8936430d1e631f01 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed Downloader |
|
1
|
2
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
5.0 |
M |
38 |
ZeroCERT
10103 |
2024-05-03 15:46
|
shar.scr 6dc6f63b7b1a593e209d062c877a488f LokiBot Malicious Library .NET framework(MSIL) UPX PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs suspicious TLD installed browsers check Browser Email ComputerName DNS Software |
|
1
|
1
ET DNS Query to a *.top domain - Likely Hostile
|
|
12.8 |
M |
54 |
ZeroCERT
10104 |
2024-05-03 15:45
|
reallylovelyladylovedfisherman... a3fdaa72eed95c9df31ee087177f76c5 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
|
3
paste.ee(104.21.84.67) - mailcious 172.67.187.200 - mailcious 192.3.243.154 - malware
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
5.0 |
M |
38 |
ZeroCERT
10105 |
2024-05-03 15:44
|
havenewthingstounderstandwhich... 0aba1094e29ed6d65fa5a8b1ec8c2e57 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://107.172.31.6/28088/indexphppagenotfound.gif http://apps.identrust.com/roots/dstrootcax3.p7c https://paste.ee/d/e1cCs
|
6
paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(104.21.45.138) - malware 107.172.31.6 - mailcious 104.21.84.67 - malware 121.254.136.18 172.67.215.45 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
5.0 |
M |
38 |
ZeroCERT
10106 |
2024-05-03 15:39
|
loader-1000.exe d58a180c5d85448472b4e1007fae4b2a NSIS Generic Malware Downloader Malicious Library UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 PowerS VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
6
http://185.172.128.59/ISetup1.exe http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000 https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000 https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1000 https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000
|
7
d2iv78ooxaijb6.cloudfront.net(54.192.60.34) d295fdouc92v9n.cloudfront.net(13.225.129.43) 240429000936002.mjt.kqri92.top(94.156.35.76) 179.43.158.2 13.225.129.43 54.192.60.34 185.172.128.59 - malware
|
9
ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 32 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO HTTP Request to a *.top domain
|
|
11.6 |
M |
22 |
ZeroCERT
10107 |
2024-05-03 15:35
|
beautifulroseipictureiseenitss... 844d25a95681bdf377d72dc961fe7357 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
1
|
3
paste.ee(104.21.84.67) - mailcious 107.175.242.96 - mailcious 104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
33 |
ZeroCERT
10108 |
2024-05-03 08:03
|
amert.exe b47bc18496fcf0de153317af360b3020 Amadey Client SW User Data Stealer Craxs RAT Emotet RedLine stealer RedlineStealer ftp Client info stealer Generic Malware Downloader Malicious Library Antivirus UPX Malicious Packer MPRESS .NET framework(MSIL) VMProtect PWS Create Servi Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Microsoft Telegram Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD sandbox evasion WriteConsoleW VMware anti-virtualization human activity check installed browsers check Kelihos Tofsee Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed Downloader |
25
http://193.233.132.234/files/setup.exe http://193.233.132.56/lend/jfesawdr.exe http://nic-it.nl/games/index.php http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll - rule_id: 39573 http://193.233.132.56/lend/gold.exe http://193.233.132.56/Pneh2sXQk0/index.php - rule_id: 39572 http://193.233.132.56/lend/jok.exe http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300 http://193.233.132.56/lend/swiiiii.exe http://193.233.132.56/lend/alexxxxxxxx.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll - rule_id: 39574 http://193.233.132.56/lend/swiiii.exe http://193.233.132.234/files/loader-2841.exe http://file-file-host6.com/downloads/toolspub1.exe https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe https://pastebin.com/raw/E0rY26ni - rule_id: 37702 https://bitbucket.org/testerrrrrrrrrrr888/retsettttttt522222/downloads/en.exe https://iplogger.com/1lyxz https://bbuseruploads.s3.amazonaws.com/e121190f-0147-44a2-9224-0f5d52a7cce0/downloads/63aad01e-f180-459d-b740-c6d732381d87/en.exe?response-content-disposition=attachment%3B%20filename%3D%22en.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLIMOONM7&Signature=34B2nKagLOo2jgD9ot7JqmWRso4%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEA8aCXVzLWVhc3QtMSJHMEUCIHnsdFKdLno7P%2BAtCPv9qB1PAaTS7quKdRJ5g2%2Bc305XAiEAp5eRUu7T48XnZLNLEc8i%2BA3x%2BH%2B9oAmY6CZfdLFYqjYqpwIIaBAAGgw5ODQ1MjUxMDExNDYiDCv8oIujdYNAYfnERiqEArNGg7uYx76ffvkclZGp5Vgokk71Sx%2BNF1W%2FmoEpo%2FCsIfI9h9Ajg%2F%2FPY6%2B305J9ZUo8w6RZsmFpuvdH4b6i9915JgmBcI2a8qV5Dt8WeFvXvewNry5hdSEPpDyEUUSWgn%2ForfCo25HUx8BQPo6X6ie%2FCHmNLQhqELtilumjgOmqZSRVdcEFA5AtjaQlHgYAQ2gf8t35v37GANXYpKPAnpjyrn6V0xJd%2BQ8HikT0DvD870leqlEoYDywLpSVaPQAEv4tb7H%2BEoEBQRDDQ69EkEKb%2F3iYsUYZb%2FAgCGs7uLUwyxHAN15quE6wC%2FBulTSOAxNnwntzn77Ke3yHqH43cME1OOjZMJ%2By0LEGOp0B7EPLd6VczdUsGDlkkACLyiL9yzadW9J9GNI9QXu1ITfusE0TG1LW9fkhdYtqbteTreF2DGJLCHSutHr5fRjP7dB97vXKCu9QVMsGFANODIZPB2c090EMpXoo2plO5AHbdzaN6xYs76BRNte51J7eZzVWXKoN4BTiIGXP0b1E7lbDzHYDzdbJys8bl9IaP2OhHZPJ8q9jzfJHNL
GAFQ%3D%3D&Expires=1714692135 https://steamcommunity.com/profiles/76561199680449169 https://skategirls.org/baf14778c246e15550645e30ba78ce1c.exe https://yip.su/RNWPd.exe - rule_id: 37623 https://junglethomas.com/12f9ebdfdbff10402be2408e18dd1dd7/4767d2e713f2021e8fe856e3ea638b58.exe https://parrotflight.com/4767d2e713f2021e8fe856e3ea638b58.exe
|
37
skategirls.org(172.67.172.161) jonathantwo.com(172.67.176.131) iplogger.com(172.67.188.178) - mailcious parrotflight.com(104.21.84.71) file-file-host6.com(188.119.67.73) - malware junglethomas.com(172.67.197.33) steamcommunity.com(104.76.78.101) - mailcious realdeepai.org(104.21.90.14) bbuseruploads.s3.amazonaws.com(3.5.10.150) - malware t.me(149.154.167.99) - mailcious pastebin.com(104.20.3.235) - mailcious bitbucket.org(104.192.141.1) - malware nic-it.nl(189.163.142.13) yip.su(104.21.79.77) - mailcious 52.143.157.84 - mailcious 193.233.132.56 - malware 172.67.188.178 - mailcious 185.172.128.59 - malware 185.215.113.67 - mailcious 149.154.167.99 - mailcious 172.67.197.33 185.172.128.19 - mailcious 104.21.79.77 - phishing 193.233.132.234 - mailcious 193.233.132.175 - malware 188.119.67.73 104.20.4.235 - mailcious 52.216.37.129 175.138.146.92 104.21.55.197 104.192.141.1 - mailcious 61.111.58.35 - malware 172.67.193.79 95.217.245.42 104.21.84.71 - malware 104.21.31.124 - phishing 104.76.78.101 - mailcious
|
24
ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET DROP Spamhaus DROP Listed Traffic Inbound group 32 ET MALWARE Possible Kelihos.F EXE Download Common Structure ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO EXE - Served Attached HTTP ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
6
http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll http://193.233.132.56/Pneh2sXQk0/index.php http://185.172.128.19/ghsdh39s/index.php http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll https://pastebin.com/raw/E0rY26ni https://yip.su/RNWPd.exe
|
33.4 |
M |
44 |
ZeroCERT
10109 |
2024-05-03 07:59
|
file.exe 5451fddd7b59b191df90b89a06ef1691 Generic Malware Malicious Library PE File PE32 VirusTotal Malware RCE |
|
|
|
|
1.6 |
M |
32 |
ZeroCERT
10110 |
2024-05-03 07:57
|
HSTS.exe f970eb941bf3666823b761cea657061c Malicious Packer UPX PE64 PE File VirusTotal Malware Checks debugger Check virtual network interfaces |
|
2
ns1.mtls.ink(167.71.205.181) 167.71.205.181 - mailcious
|
|
|
2.6 |
M |
45 |
ZeroCERT