| 10276 |
2023-07-16 11:07
|
 Inv_LCC_Scan_4.exe 01f50ef4b9419013f3a3967d7ed734cf
UPX OS Processor Check PE64 PE File VirusTotal Malware Malicious Traffic unpack itself |
1
|
2
skofilldrom.com(64.225.70.62) -
64.225.70.62 -
|
|
|
2.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10277 |
2023-07-16 11:06
|
 divinezx.exe 7565de937291fdf2f686f518f1b16fa5
AgentTesla Generic Malware .NET framework(MSIL) Antivirus KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(104.237.62.211) -
64.185.227.156 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10278 |
2023-07-15 08:12
|
...............dot d553bd422c8d3621e21049ccc2ebe680
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Exploit DNS crashed |
|
1
103.125.191.125 - malware
|
|
|
4.2 |
M |
40 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10279 |
2023-07-14 17:27
|
File_pass1234.7z 55d5b448bf5e678fc628f7ea9f132a8f
Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Fabookie Stealer Windows RisePro Trojan DNS Downloader |
26
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://content.elite-hacks.ru/test/setStats.php?id=_start
http://content.elite-hacks.ru/test/setStats.php?id=_stop
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://aa.imgjeoogbb.com/check/?sid=562266&key=6c3f7f1320704c1ed0fe959fab6bbb7f - rule_id: 34651
http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
http://77.91.124.40/info/photo540.exe - rule_id: 35119
http://85.208.136.10/api/firegate.php - rule_id: 32663
http://95.179.141.133:3002/
http://apps.identrust.com/roots/dstrootcax3.p7c
http://45.66.230.164/g.exe - rule_id: 34813
http://www.maxmind.com/geoip/v2.1/city/me
http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://85.208.136.10/api/tracemap.php - rule_id: 32662
http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
https://camoverde.pw/setup294.exe - rule_id: 34973
https://db-ip.com/demo/home.php?s=175.208.134.152
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://sun6-21.userapi.com/c235131/u808950829/docs/d53/3d058453faef/31bhpef20u5o7.bmp?extra=Sk2iuVbY1H06rVGdYq-mFzpkK_0K54Gg304PtafLqXDLbIVHsUda81wvOQqwPGl5F5ajfnCZvZEvpAw4lsO9Lafy7X84d3kyUdFOsITm9TUbfSVrOYpinKz5ihN_utW0swYRZB_Q_Osd8rEOmg
https://sun6-22.userapi.com/c237331/u808950829/docs/d28/ae3bfa00ff0c/PMmp.bmp?extra=J2TWIaPG8nt7VFEEdsoRjaML2uGBOoaWesHpn7S_rEt-8bLY3h8kXOzdKGgyiYkFZ7JQENAekGCG-l1lSB3HmNet-idXGM_O0g3h0VW1MYvH5OuvyNOkFVJKbZ4kwaqz6Fe9_skefq-ZiIhePg
https://sun6-23.userapi.com/c240331/u808950829/docs/d25/b34ec3f5108d/5.bmp?extra=lFuRArKUHaROGi5k6FRvAaY3SvE8fmJ3SopiS96x7YJ6ZQ2Wy0azMyoNTaksC1wWJzsMi2bYWTlngyI951fFVKRMueQKDUHhUQZqsO0U-TbobXmLzjcX84L_-YfHFSphcnp155z-sEpMc5huqA
https://vk.com/doc808950829_664243581?hash=WrzMcu5sQcHQStZvqHgs8NvpTBzI6rH0dAPO5bEZbSw&dl=Ceos7VtAG6OZQeZpZU7obenLsizYQEUV1F7MXPI7iZX&api=1&no_preview=1#rise_test
https://psv4.userapi.com/c909328/u808950829/docs/d27/600eab1b51d3/StealerClient.bmp?extra=xlq-trvJdrtcA1tFaPPMJmS1s2mGKoF5FnF9zt8L_nNVY0MZAD6oDkSrnYia0AJFI5xLlH6KjSP8etm9qtPQpQSD2cdNxi_KwzjuOBY4NiOfYSeioqmtzlRNFcoJz9lre6BVANxgbE_CAop5aA
https://vk.com/doc808950829_664207170?hash=kMt7FUJyRMXd3utd25izhIrZbfZfaKJzCnFJqUmY3Sw&dl=uZ3GDnIBuaFj1FCG7xA3gziJZ6Zba8NMATPW6Lqrzb0&api=1&no_preview=1
|
54
www.maxmind.com(104.17.215.67)
sun6-23.userapi.com(95.142.206.3)
psv4.userapi.com(87.240.190.76)
api.db-ip.com(104.26.4.15)
api.myip.com(172.67.75.163)
hugersi.com(91.215.85.147) - malware
iplis.ru(148.251.234.93) - mailcious
sun6-22.userapi.com(95.142.206.2)
db-ip.com(104.26.5.15)
zzz.fhauiehgha.com(156.236.72.121) - mailcious
ipinfo.io(34.117.59.81)
aa.imgjeoogbb.com(154.221.26.108) - mailcious
us.imgjeoigaa.com(103.100.211.218) - mailcious
bitbucket.org(104.192.141.1) - malware
camoverde.pw(172.67.128.35) - malware
vk.com(87.240.129.133) - mailcious
iplogger.org(148.251.234.83) - mailcious
content.elite-hacks.ru(104.21.56.191) - malware
sun6-21.userapi.com(95.142.206.1) - mailcious
transfer.sh(144.76.136.153) - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
154.221.26.108 - mailcious
91.215.85.147 - malware
176.123.9.85 - mailcious
45.12.253.74 - malware
172.67.75.163
95.179.141.133
77.91.124.40 - malware
194.26.135.162 - mailcious
85.208.136.10 - mailcious
157.254.164.98 - mailcious
34.117.59.81
87.240.137.164 - mailcious
148.251.234.83
172.67.128.35
104.21.56.191 - malware
87.240.137.134
45.66.230.164 - malware
104.192.141.1 - mailcious
104.17.214.67
156.236.72.121 - mailcious
45.15.156.229 - mailcious
104.26.4.15
147.135.165.22 - mailcious
95.142.206.3
163.123.143.4 - mailcious
95.142.206.1 - mailcious
77.91.68.48 - mailcious
121.254.136.27
77.91.124.31 - mailcious
77.91.68.3 - malware
95.142.206.2
103.100.211.218 - malware
|
25
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Observed DNS Query to RisePro Domain (elite-hacks .ru)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
|
12
http://45.15.156.229/api/tracemap.php
http://hugersi.com/dl/6523.exe
http://aa.imgjeoogbb.com/check/
http://aa.imgjeoogbb.com/check/safe
http://77.91.124.40/info/photo540.exe
http://85.208.136.10/api/firegate.php
http://45.66.230.164/g.exe
http://us.imgjeoigaa.com/sts/imagc.jpg
http://77.91.68.3/home/love/index.php
http://85.208.136.10/api/tracemap.php
http://zzz.fhauiehgha.com/m/okka25.exe
https://camoverde.pw/setup294.exe
|
6.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10280 |
2023-07-14 17:08
|
 Inv_LCC_Scan_4.exe 01f50ef4b9419013f3a3967d7ed734cf
UPX OS Processor Check PE64 PE File VirusTotal Malware Malicious Traffic unpack itself |
1
|
2
skofilldrom.com(64.225.70.62)
64.225.70.62
|
|
|
2.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10281 |
2023-07-14 17:08
|
 Inv_LCC_Scan_2.exe 9d526a12a1dd2520282bd306e9805559
UPX OS Processor Check PE64 PE File VirusTotal Malware Malicious Traffic unpack itself |
1
|
2
skofilldrom.com(64.225.70.62)
64.225.70.62
|
|
|
2.6 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10282 |
2023-07-14 17:07
|
 idki.hta 391704abc77b7aeb83bcd9e38ad665c2
Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
|
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10283 |
2023-07-14 17:07
|
IBSIBWIBSIBWIBSIBSWIBSIBW%23%2... 0f68f36e7275b4bdcb316a29e1d5fcfb
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
2
http://192.3.243.148/500/wins.exe
http://192.3.243.148/500/w/SHpSEzV215.bin
|
1
192.3.243.148 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic .bin download from Dotted Quad
|
|
4.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10284 |
2023-07-14 17:06
|
 cmsh.hta 3c38f1318767a3b84a619187e7e78646
Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10285 |
2023-07-14 17:05
|
 dwmnj.exe f8cfc631cdbba89be07229acfa3bc367
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB |
|
|
|
|
2.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10286 |
2023-07-14 17:03
|
 IE_NET.hta ab46abca955700f1d0f904cda6442b7c
Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.0 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10287 |
2023-07-14 17:02
|
IBWIBMWBIWIBWIBWIBWIBW%23%23%2... 6e5cd22b7ce011487f8a178ec60a3941
MS_RTF_Obfuscation_Objects RTF File doc Vulnerability VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed |
1
http://192.3.243.148/450/m/IE_NET.hta
|
1
192.3.243.148 - mailcious
|
3
ET POLICY Possible HTA Application Download
ET INFO Dotted Quad Host HTA Request
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
|
|
4.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10288 |
2023-07-14 17:02
|
 wins.exe 2456675bfe2e68d6149c840b1d11dd61
UPX Malicious Library PE File PE32 JPEG Format DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.8 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10289 |
2023-07-14 16:55
|
 wins.EXE a8a27695f1bc25512354f2c6b5e9d037
UPX Malicious Library PE File PE32 JPEG Format DLL PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
2.8 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10290 |
2023-07-14 16:54
|
 maximan2.1.exe d534b629964d561e1e0deccf08ff6687
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder ComputerName |
3
http://www.cabecompetency.com/dh08/?tZU4=6zMJpal1jELWyVXE7kHb6wwT7/dU/IFboNnwxgqTXGKMHLLlLHTleu9daJ1rUWDkLY7oYrRx&Ult8E=GTgP1na8nVYlWF
http://www.futurefmexpo.com/dh08/?tZU4=5gv4dgY5t2k2OqiJ2pc959383q9hiAV1qWA1rKNuG9NjkIQrUUmCD9VJnBdN/x2t6vjHDOZQ&Ult8E=GTgP1na8nVYlWF
http://www.tgecosystem.com/dh08/?tZU4=A2V9+T/OcVJ+R/N/A9wtV6HjqQDkHgT/bH3QOw4mF+D+JFEk4yQjTLfggiip6Wi3+INi1Nnf&Ult8E=GTgP1na8nVYlWF
|
7
www.3cbgi1.cfd()
www.futurefmexpo.com(34.102.136.180)
www.tgecosystem.com(172.67.157.164)
www.cabecompetency.com(216.40.34.41)
34.102.136.180 - mailcious
104.21.8.182
216.40.34.41 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.6 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|