| 10216 |
2023-07-18 18:22
|
 sss.exe 94d1bb33b8c22334e339d4462d4c0636
Malicious Packer PE64 PE File VirusTotal Malware |
|
|
|
|
1.2 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10217 |
2023-07-18 18:21
|
 win32.exe 3a11f5f7dcb6e3dd51ef7a864c29403f
NSIS UPX Malicious Library PE File PE32 DLL VirusTotal Malware AutoRuns Check memory Creates executable files RWX flags setting unpack itself AppData folder Windows ComputerName crashed |
1
|
2
showip.net(162.55.60.2) -
162.55.60.2 -
|
1
ET POLICY IP Check Domain (showip in HTTP Host)
|
|
5.8 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10218 |
2023-07-18 18:19
|
invoice.pdf.lnk e2ef58cea3134177185a50584111495d
Antivirus AntiDebug AntiVM GIF Format PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
10.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10219 |
2023-07-18 18:19
|
 Jcojp.jpg d387e700d3de3abafab61f1b5d3b8f27
PE64 PE File MachineGuid Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10220 |
2023-07-18 18:17
|
 Client.jpg c16d714f359d4659a1f5fef8be99fd30
UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
5.2 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10221 |
2023-07-18 18:17
|
 winBx.exe c03d3f3fac3615256c7c0805743819a2
UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder |
|
|
|
|
3.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10222 |
2023-07-18 18:13
|
 003jfb3bb2.dll 742ac4a9557745ec565ada6511f4a31f
Malicious Library DLL PE64 PE File PDB Checks debugger unpack itself crashed |
|
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10223 |
2023-07-18 18:12
|
 03fdbbbb.dll 5879c02976fe70a64d9dbc0d38b8b973
Malicious Library DLL PE64 PE File PDB Checks debugger unpack itself crashed |
|
|
|
|
1.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10224 |
2023-07-18 13:57
|
 idbk.hta b4c8fe36366bf1542935f0367270eba5
Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
|
|
|
|
7.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10225 |
2023-07-18 13:57
|
 Invoice-1736478793~pdf.vbs 01a331d778290adb3b875563a34c0c97
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
2
http://juneckkkk.blogspot.com/atom.xml
https://cff66d08-d3f8-42db-911c-ce670399a441.usrfiles.com//////////////////////////////ugd//////////////////////////cff66d_d5db8a8b5ef84b21ac9ac6ba02b97571.txt
|
|
|
|
5.2 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10226 |
2023-07-18 13:53
|
 wwwr.exe c9ca9b64c5afd8ff22c00b717966283e
AgentTesla Generic Malware .NET framework(MSIL) Antivirus KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key crashed keylogger |
|
2
api.ipify.org(104.237.62.211) -
104.237.62.211 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10227 |
2023-07-18 13:51
|
 Remittance_Advice_120723.exe 4b53952ca3d4332a530e7a9c9e5f09f7
.NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10228 |
2023-07-18 13:49
|
 g.exe cf2f8459d17cd077ead9115058819b45
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.0 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10229 |
2023-07-18 10:18
|
File_pass1234.7z 2e36fd87f02328791390c79351931433
Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Remote Code Execution Trojan DNS Downloader |
44
http://208.67.104.60/api/firegate.php - rule_id: 34253
http://208.67.104.60/api/firegate.php
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
http://zzz.fhauiehgha.com/m/okka25.exe
http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
http://aa.imgjeoogbb.com/check/safe
http://77.91.124.40/info/photo540.exe - rule_id: 35119
http://77.91.124.40/info/photo540.exe
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://45.15.156.229/api/tracemap.php
http://87.120.88.198/g.exe
http://176.113.115.84:8080/4.php - rule_id: 34795
http://176.113.115.84:8080/4.php
http://apps.identrust.com/roots/dstrootcax3.p7c
http://aa.imgjeoogbb.com/check/?sid=298022&key=b4f42524f642c0e49e544b134b89766b - rule_id: 34651
http://aa.imgjeoogbb.com/check/?sid=298022&key=b4f42524f642c0e49e544b134b89766b
http://www.maxmind.com/geoip/v2.1/city/me
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://208.67.104.60/api/tracemap.php
http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
http://us.imgjeoigaa.com/sts/imagc.jpg
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://77.91.68.3/home/love/index.php
http://www.google.com/
http://194.169.175.138:3002/file.exe
https://camoverde.pw/setup294.exe - rule_id: 34973
https://camoverde.pw/setup294.exe
https://sun6-20.userapi.com/c909628/u808950829/docs/d40/155c07867695/Setup.bmp?extra=-S2EoGHJnh2jeTB8HNKjYdnwj6Du8mGxwSQ5UwXAkSHl4SEgMe7AHfKHQSoKksDKstj1GGnkWJFmNoi9QOYZ8e9IMjZPi0WzPb6OAV9f8lILm4OGTxxjN_r7Vbv6LV2z0coNyj6nAhRG5sQHZg
https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
https://vk.com/doc808950829_664352898?hash=TpvyQqEeYsjdodWTHrXtKlZqBTWVZrPRit56oUnvQNg&dl=sD0PBsoT1zBUSEgqcJWb3g6HPzuBQ8Yjvhr8mqZxT94&api=1&no_preview=1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
https://sun6-22.userapi.com/c237031/u808950829/docs/d38/9e626a273537/RisePro_0_2_9rOsvaKa1eDf138eBlTl.bmp?extra=5LvyYRmmLl8tdr8Ya5heHfIfMdNgEKGJCbWFSF2a8RiEodeqwnr-q-HLR8RKKd2ySEMTj4qUMPDE1d5V4NAVgNgh34oW-WAd_uO8rIsPGOWjP5z8ZR7X4pJy84WcJR9vNu5NKPpGxVHYL4Wz_g
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-22.userapi.com/c237331/u808950829/docs/d28/3a37ed672f4f/PMmp.bmp?extra=gcnGDZKNmUI9ILIZltV-06CxoxiUcVZM6a15nmaWisbkvGbAiySFTZuYmIuvNuKeY7WquRScXXJZm0OToeoDD2hOlbsD_3s2T0lYUV2YTBJCIid2vzPwneGNQMY8ygLXJcaHc_FtHwhbF7oRtg
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
https://sun6-22.userapi.com/c909218/u808950829/docs/d53/96be74f81b36/h8d337t1s6ya.bmp?extra=iMdiTqwVj_onJ1LuJ6We14YTEDYuZM_Brr62lq1KsudjEwrtFjIQd3BREwt3fIEGp47rx_msY26ho4sjG3gY49shmqDAGw2CWv26UfCwNeR69DZ5bz3anb_z_mrjE9i5yhj71xHRwlb5AsalzQ
https://vk.com/doc808950829_664295976?hash=wWP2uKSW6vc2Zwh4dERWVq2558nuK0zAmie4S5babxg&dl=fnVWutUVH5EHCOnwUxAqrClRC7zCIeOyomm4pfSrZFc&api=1&no_preview=1#rise_test
https://vk.com/doc808950829_664402789?hash=p2AcukYoSYRh3R7HrdzDlmRExK7FwDhZPzjD3FbEXb0&dl=mCy6gA7S91auE1MrYaS4hBwW7fCACazMjt4KNbkHoYX&api=1&no_preview=1#setup
https://vk.com/doc808950829_664207170?hash=kMt7FUJyRMXd3utd25izhIrZbfZfaKJzCnFJqUmY3Sw&dl=uZ3GDnIBuaFj1FCG7xA3gziJZ6Zba8NMATPW6Lqrzb0&api=1&no_preview=1
|
66
db-ip.com(104.26.4.15) -
imap.cox.net(23.81.68.42) -
camoverde.pw(172.67.128.35) -
vanaheim.cn(46.173.215.12) -
ipinfo.io(34.117.59.81) -
fastpool.xyz(213.91.128.133) -
iplogger.org(148.251.234.83) -
aa.imgjeoogbb.com(154.221.26.108) -
sun6-20.userapi.com(95.142.206.0) -
api.telnyx.com(104.22.12.43) -
api.db-ip.com(172.67.75.166) -
us.imgjeoigaa.com(103.100.211.218) -
bitbucket.org(104.192.141.1) -
zzz.fhauiehgha.com(156.236.72.121) -
www.google.com(142.250.76.132) -
api.myip.com(104.26.9.59) -
hugersi.com(91.215.85.147) -
sun6-22.userapi.com(95.142.206.2) -
www.maxmind.com(104.17.215.67) -
vk.com(93.186.225.194) -
iplis.ru(148.251.234.93) -
87.120.88.198 -
148.251.234.93 -
194.169.175.128 -
154.221.26.108 -
91.215.85.147 -
62.122.184.92 -
208.67.104.60 -
80.66.75.254 -
172.67.75.166 -
80.66.75.4 -
87.240.137.164 -
172.217.25.4 -
77.91.68.56 -
77.91.124.40 -
194.26.135.162 -
157.254.164.98 -
121.254.136.57 -
46.173.215.12 -
34.117.59.81 -
176.113.115.84 -
176.113.115.85 -
104.21.0.171 -
194.169.175.138 -
148.251.234.83 -
23.81.68.42 -
176.113.115.135 -
176.113.115.136 -
45.12.253.74 -
104.192.141.1 -
94.142.138.113 -
104.17.214.67 -
156.236.72.121 -
45.15.156.229 -
104.26.9.59 -
104.26.4.15 -
147.135.165.22 -
163.123.143.4 -
172.67.26.14 -
45.143.201.238 -
77.91.68.3 -
95.142.206.2 -
95.142.206.0 -
185.253.96.117 -
103.100.211.218 -
213.91.128.133 -
|
27
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO EXE - Served Attached HTTP
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET HUNTING ZIP file exfiltration over raw TCP
ET DROP Dshield Block Listed Source group 1
ET POLICY Cryptocurrency Miner Checkin
|
12
http://208.67.104.60/api/firegate.php
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe
http://aa.imgjeoogbb.com/check/safe
http://77.91.124.40/info/photo540.exe
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://aa.imgjeoogbb.com/check/
http://208.67.104.60/api/tracemap.php
http://us.imgjeoigaa.com/sts/imagc.jpg
http://77.91.68.3/home/love/index.php
https://camoverde.pw/setup294.exe
|
7.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10230 |
2023-07-18 07:43
|
 wininit.exe a147b043c9bf220c3f7c30e5fab35414
.NET framework(MSIL) PWS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS |
13
http://www.sisbom.online/pta7/
http://www.maytag36.com/pta7/?UZ=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&E5x3=-G8E_Sw
http://www.playcups.life/pta7/
http://www.yh66985.com/pta7/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
http://www.cosmicearthgoddess.com/pta7/?UZ=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&E5x3=-G8E_Sw
http://www.playcups.life/pta7/?UZ=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&E5x3=-G8E_Sw
http://www.yh66985.com/pta7/?UZ=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&E5x3=-G8E_Sw
http://www.cosmicearthgoddess.com/pta7/
http://www.selfstorage.koeln/pta7/?UZ=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&E5x3=-G8E_Sw
http://www.maytag36.com/pta7/
http://www.sisbom.online/pta7/?UZ=9K+XUf37kaVDuc0IEb/en1sQBc6oG59LX1JpxUbzLe92mNGRZFlQ32afb7pO3FMoswo/Nr7Bt7+lgxXjhaaHcK0lGMXqPnmX0dOCo/8=&E5x3=-G8E_Sw
http://www.selfstorage.koeln/pta7/
|
14
www.sisbom.online(162.240.81.18) -
www.yh66985.com(154.215.247.58) -
www.selfstorage.koeln(81.169.145.157) -
www.promptyum.com(52.20.84.62) -
www.playcups.life(203.161.58.192) -
www.cosmicearthgoddess.com(74.208.236.61) -
www.maytag36.com(76.223.26.96) -
74.208.236.61 -
154.215.247.58 -
81.169.145.157 -
13.248.148.254 -
45.33.6.223 -
162.240.81.18 -
203.161.58.192 -
|
2
ET INFO Observed DNS Query to .life TLD
ET INFO HTTP Request to Suspicious *.life Domain
|
|
8.6 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|