1006 | 2024-08-17 22:18 | tuesdayequitossssdroiudMPDW-co... 7a3fa640d6740b436c7fb40056e94edc Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key | 1 https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 3 ia803104.us.archive.org(207.241.232.154) - malware 45.138.16.71 207.241.232.154 - malware | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 8.2 | | 2 | ZeroCERT
1007 | 2024-08-17 22:18 | file1.exe a107fbd4b2549ebb3babb91cd462cec8 Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File .NET EXE PE32 PowerShell OS Processor Check PE64 DLL Browser Info Stealer Malware download VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW anti-virtualization installed browsers check Tofsee CryptBot Windows Discord Browser ComputerName DNS Cryptographic key crashed | 8 http://tvezx20pt.top/v1/upload.php http://194.58.114.223/d/385104 - rule_id: 41929 http://58yongzhe.com/parts/setup1.exe - rule_id: 42034 http://91.121.59.207/Files/6ec431703915b7c3a66be6ef8e2bf8f9.exe http://91.121.59.207/Files/Channel1.exe https://pastebin.com/raw/E0rY26ni - rule_id: 37702 https://yip.su/RNWPd.exe - rule_id: 37623 https://cdn.discordapp.com/attachments/1272578305203110022/1274336696627892317/setup.exe?ex=66c1e208&is=66c09088&hm=d301fab09c009c8ddf7bbdaccf84e9e284b1d644909338534cae1eab5b7ee0ef& | 12 tvezx20pt.top(77.232.42.234) 58yongzhe.com(62.133.62.93) - malware pastebin.com(172.67.19.24) - mailcious yip.su(104.21.79.77) - mailcious cdn.discordapp.com(162.159.133.233) - malware 91.121.59.207 77.232.42.234 104.21.79.77 - phishing 162.159.135.233 - malware 62.133.62.93 194.58.114.223 - mailcious 172.67.19.24 - mailcious | 13 ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 ET HUNTING Redirect to Discord Attachment Download | 4 http://194.58.114.223/d/385104 http://58yongzhe.com/parts/setup1.exe https://pastebin.com/raw/E0rY26ni https://yip.su/RNWPd.exe | 19.8 | M | 56 | ZeroCERT
1008 | 2024-08-17 22:17 | sss.exe f93a30378f7682e1bf9f4adfbe5729be Generic Malware Malicious Library Malicious Packer .NET framework(MSIL) UPX Anti_VM PE File .NET EXE PE32 OS Processor Check JPEG Format VirusTotal Malware Telegram Malicious Traffic Windows utilities IP Check Tofsee Windows DNS | 2 http://icanhazip.com/ https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00 | 7 icanhazip.com(104.16.184.241) api.mylnikov.org(104.21.44.66) api.telegram.org(149.154.167.220) - mailcious 104.16.184.241 194.58.114.223 - mailcious 104.21.44.66 149.154.167.220 - mailcious | 7 ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET POLICY IP Check Domain (icanhazip. com in HTTP Host) ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI) | | 3.4 | | 60 | ZeroCERT
1009 | 2024-08-17 22:16 | gsprout.exe 92ae7a1286d992e104c0072f639941f7 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS | 1 http://45.138.16.71/cfg/?data=IDaJhCHdIlfHcldJAISHfgpYzZhgReLDAihcV0Oa | 1 | | | 3.0 | M | 51 | ZeroCERT
1010 | 2024-08-17 22:14 | zzzz1.exe a5c740eb48fafb9b25d06c22b6f4a7e9 Gen1 Generic Malware Malicious Library UPX Antivirus Malicious Packer Anti_VM PE File PE64 DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself | | | | | 3.2 | M | 41 | ZeroCERT
1011 | 2024-08-17 22:14 | seethesmoothofbutterburnwhicht... d18067e4be9ca434241869dda26c5f8f MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed | 1 http://192.210.150.33/143/mekissedbutterburnwithstronglips.tIF | 3 ia803104.us.archive.org(207.241.232.154) - malware 192.210.150.33 - mailcious 207.241.232.154 - malware | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.6 | M | 39 | ZeroCERT
1012 | 2024-08-17 22:12 | 1111.exe 7b0e99178f36fa152761f55ccd20a2ab Malicious Library PE File PE64 Check memory Checks debugger unpack itself Windows Cryptographic key crashed | | | | | 1.2 | M | | ZeroCERT
1013 | 2024-08-17 10:20 | contorax.exe 771b8e84ba4f0215298d9dadfe5a10bf Malicious Library PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Windows Cryptographic key | | | | | 2.0 | | 21 | ZeroCERT
1014 | 2024-08-16 18:36 | Mnemonic.chm 55c6005f361c9011182379ba8f7a875f Gen1 Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM CHM Format PE Fil VirusTotal Malware AutoRuns MachineGuid Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows | | | | | 5.4 | | 42 | ZeroCERT
1015 | 2024-08-16 18:35 | 님.jse 7756b4230adfa16e18142d1dbe6934af ROMCOM RAT Generic Malware Suspicious_Script_Bin Hide_EXE Antivirus Malicious Library UPX Anti_VM PDF AntiDebug AntiVM PowerShell ZIP Format PE File DLL PE64 DllRegisterServer dll OS Processor Check MSOffice File VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Interception Windows Exploit ComputerName DNS Cryptographic key crashed | 1 | 7 peras1.n-e.kr() x1.i.lencr.org(23.40.44.214) v4imgs.pointshop.co.kr(61.111.21.173) www.coinstore.kr(61.111.21.172) 61.111.21.173 23.41.113.9 61.111.21.172 - mailcious | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 15.8 | | 26 | ZeroCERT
1016 | 2024-08-16 18:31 | 베트남 녹지원 상춘재 행사 견적서.hwp .exe... 35d60d2723c649c97b414b3cb701df1c Generic Malware Malicious Library UPX HWP PE File DllRegisterServer dll MSOffice File PE32 OS Processor Check DLL VirusTotal Malware PDB Check memory Checks debugger Creates executable files unpack itself suspicious process AppData folder WriteConsoleW Remote Code Execution crashed | 2 http://gaja79.com/link/fow-mh1004.html http://antichrist.or.kr/data/cheditor/dir1/lyric64 | 3 gaja79.com(182.162.73.77) antichrist.or.kr(182.162.73.77) - mailcious 182.162.73.77 - suspicious | 1 ET HUNTING Double User-Agent (User-Agent User-Agent) | | 5.6 | | 55 | ZeroCERT
1017 | 2024-08-16 18:20 | Doc1.docm 0fee354732496cdbdb4e78ecb218a81a VBA_macro Word 2007 file format(docx) ZIP Format VirusTotal Malware unpack itself Windows utilities Windows | 1 https://gitlab.com/DemoTrojan/real/-/raw/main/check.bat | 2 gitlab.com(172.65.251.78) - malware 172.65.251.78 - malware | | | 4.8 | | 17 | ZeroCERT
1018 | 2024-08-16 18:16 | bb.jpg.ps1 35cc87966b1583d624d2be67dd4c5a91 Client SW User Data Stealer browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection BitCoin Internet API Browser Info Stealer VirusTotal Malware powershell MachineGuid Code Injection Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself powershell.exe wrote malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Exploit Browser ComputerName Cryptographic key crashed | 1 http://45.61.137.37/stea.zip | | | | 9.2 | | 8 | ZeroCERT
1019 | 2024-08-16 18:04 | new_image.jpg.exe 9bc67a353e3056bac82436a1667350ab Malicious Library UPX PE File DLL PE32 .NET DLL OS Processor Check VirusTotal Malware PDB | | | | | 1.4 | | 43 | ZeroCERT
1020 | 2024-08-16 17:56 | ChaveBB-2024.exe d46fbf03a71245869dc5c89805e6d8f1 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB | | | | | 0.6 | | 8 | ZeroCERT