| 10171 |
2023-07-19 09:12
|
 My_Map.scr 33647ca452ca1a5d88fa6f08aa6f146c
RedLine Infostealer Gen1 UltraVNC UPX Malicious Library Malicious Packer Anti_VM OS Processor Check PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
5
http://116.202.177.109/upgrade.zip
http://116.202.177.109/
http://116.202.177.109/c2413e9d86eb61b5af540798875f05ed
https://steamcommunity.com/profiles/76561198982268531
https://t.me/sundayevent
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.81.130.161) - mailcious
149.154.167.99 - mailcious
116.202.177.109
23.34.107.26
|
4
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
|
|
12.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10172 |
2023-07-19 09:11
|
 NewInquiry.exe 0f8e91832e32058f848f5855908e0e59
Formbook Generic Malware .NET framework(MSIL) Antivirus PWS AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
2
http://www.kissedjewellery.com/fa75/?Tj=CFx8XQvkVq5caF79NVl8rV41zBO/lNuM0cqcj3ENhZZYT9r0S/DnLufNYrjqSaMj3H0B11L7&RX=dn68O0k82nipA2d
http://www.gulkanya.com/fa75/?Tj=ScsaBBbm9En5ziEHRO2VuSYmNWqSfSCRU5jiDNPU7ZMOC5qk8QjO+2lR8SHzbyHS4SeDxoWG&RX=dn68O0k82nipA2d
|
5
www.earningmehelp.com()
www.gulkanya.com(198.54.117.210)
www.kissedjewellery.com(23.227.38.74)
23.227.38.74 - mailcious
198.54.117.215 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
9.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10173 |
2023-07-19 09:10
|
 dma.hta 9302aa42d7bd92c8bfe93a441fe7b147VirusTotal Malware unpack itself crashed |
|
|
|
|
1.2 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10174 |
2023-07-19 09:05
|
 Svmninge.vbs 862907006745ef6b2bdc5dd2664f06ec
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
www.taramulalbinelor.ro(31.14.23.109) - mailcious
31.14.23.109 - mailcious
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10175 |
2023-07-19 09:04
|
 41b98681-d329-4aa6-b4a2-8363ee... 988d5bae53c91628093b527af3da0dcd
UPX .NET framework(MSIL) Malicious Library Malicious Packer Antivirus OS Processor Check .NET EXE PE File PE32 Check memory Checks debugger unpack itself |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10176 |
2023-07-19 09:01
|
 4000c697-1826-4119-9050-597c59... f6a377ac917f0dbf3f2bbd523848cd88
.NET framework(MSIL) Malicious Packer .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10177 |
2023-07-19 08:58
|
 Kimlik fotokopileri.bat 4a8b70cd1762106c5b75a6b946f53630
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM suspicious process WriteConsoleW Discord DNS |
1
https://cdn.discordapp.com/attachments/1110260898305683626/1126694291331367063/OBF1x-obflazim_2.bat
|
2
cdn.discordapp.com(162.159.133.233) - malware
162.159.135.233 - malware
|
2
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10178 |
2023-07-19 07:54
|
r_IAITO15TDUFRHSKV.bin 1e269967ea1fafd10db80aadc6dc918c
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10179 |
2023-07-19 07:41
|
 c9665058c3ef16b 0acb06da48d86e1ef15c27a4f5a3bddd
UPX Malicious Library PE File PE32 PDB Check memory WriteConsoleW |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10180 |
2023-07-19 07:37
|
 lega.exe 19771209e384f1f8e7ca013b72e0d1fe
Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
3
http://87.121.47.63/laker/index.php
http://87.121.47.63/laker/Plugins/cred64.dll
http://87.121.47.63/laker/Plugins/clip64.dll
|
2
77.91.68.56 -
87.121.47.63 -
|
9
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
15.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10181 |
2023-07-19 07:34
|
 photo113.exe 7308bb341cd27493d2939ecbbc6c7436
Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
6
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
http://77.91.68.3/home/love/Plugins/clip64.dll
|
3
77.91.68.3 -
77.91.68.30 -
77.91.68.56 -
|
11
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Dotted Quad Host DLL Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Packed Executable Download
ET MALWARE Amadey Bot Activity (POST)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
3
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll
|
17.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10182 |
2023-07-19 07:34
|
 dmw.exe 51173f4615fda6188760cb468b593a27
Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket Escalate priviledges PWS Sniff Audio DNS ScreenShot Internet API KeyLogger AntiDebug AntiVM .NET EXE PE Malware download Remcos Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) -
favor-grace-fax.home-webserver.de(85.31.44.129) -
178.237.33.50 -
85.31.44.129 -
|
2
ET MALWARE Remcos 3.x Unencrypted Checkin
ET MALWARE Remcos 3.x Unencrypted Server Response
|
|
12.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10183 |
2023-07-19 07:34
|
officialzx.doc aed387c2000a4a37308a90431ddf9070
MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download Malware c&c Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
2
http://87.121.221.212/officialzx.exe
http://185.246.220.60/official/five/fre.php
|
2
185.246.220.60 -
87.121.221.212 -
|
12
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10184 |
2023-07-19 07:33
|
 logzx.exe 2bbe7bfa4829bf0bcdc2952b93bd9bd9
.NET framework(MSIL) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware AgentTesla PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
3
smtp.quartziax.com(208.91.199.225) -
208.91.199.224 -
85.31.44.129 -
|
2
SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil Via SMTP
|
|
11.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10185 |
2023-07-19 07:27
|
 officialzx.exe f3fca96a7b2dbbd19c62c9a798e4ddb0
LokiBot .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software |
1
http://185.246.220.60/official/five/fre.php
|
1
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
13.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|