Sandbox listing for 2023-09-21. Each record gives: ID and submission time; sample name and MD5; the sandbox's signature tags as shown; URLs, hosts and Suricata alerts with the counts the listing reports (a count with no entries is marked "not listed"); extracted URLs; then the trailing columns as in the listing (score, flag, count, ZeroCERT; "-" marks an empty cell). Host tags are the listing's own; the feed spells "malicious" as "mailcious", corrected here.

10306  2023-09-21 18:17
  Sample:  money.exe  MD5 0e7b53dca579f5526e521db1e75005b5
  Tags:    Admin Tool (Sysinternals etc ...) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
  URLs:    none
  Hosts (2):  api.ipify.org (104.237.62.212); 173.231.16.77
  Alerts (4): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO TLS Handshake Failure; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 11.6 | M | 34 | ZeroCERT

10307  2023-09-21 18:16
  Sample:  7RVuMkLvXuAoxru.exe  MD5 b19d7259f18dc6881b79c875c08c6abd
  Tags:    .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
  URLs:    none
  Hosts:   none
  Alerts:  none
  Extracted URLs: none
  Score 2.2 | M | 29 | ZeroCERT

10308  2023-09-21 18:14
  Sample:  foto7447.exe  MD5 80d85ad1d3d69763537f3c1a75cc7390
  Tags:    RedLine stealer Gen1 Emotet Malicious Library UPX AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
  URLs (1):   http://5.42.92.211/loghub/master (rule_id 36282)
  Hosts (3):  91.235.128.141; 77.91.124.82 (malicious); 5.42.92.211 (malicious)
  Alerts (7): ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST); ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Redline Stealer Activity (Response)
  Extracted URLs (1): http://5.42.92.211/loghub/master
  Score 15.2 | M | 47 | ZeroCERT

10309  2023-09-21 18:14
  Sample:  exto.exe  MD5 27e81eda70881f1875c07fb6a9da8a5e
  Tags:    Malicious Library UPX PWS AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware PDB Code Injection Malicious Traffic buffers extracted unpack itself WriteConsoleW Stealc Browser DNS
  URLs (1):   http://5.42.92.211/loghub/master (rule_id 36282)
  Hosts (1):  not listed
  Alerts (2): ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST); ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  Extracted URLs (1): http://5.42.92.211/loghub/master
  Score 8.6 | M | 21 | ZeroCERT

10310  2023-09-21 18:13
  Sample:  TiWorker.exe  MD5 5c6c71c7d5550896ed29fceb19e76649
  Tags:    Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
  URLs (4):
    http://www.gk84.com/sy22/?kDHl=EZXT1couL1SMJvG2qeg6eanykcNOwoSwRkeI+9JF3ekTKFJ8rStu/JDK0lzRposG9gxESXnb&KtxD=PnCTGx9Pf (rule_id 36323)
    http://www.gracefullytouchedartistry.com/sy22/?kDHl=32OyyUZHwqvJixPuiOQtM5MnMYIWhWk0yyAoMHrFdBB4wJvVGBkivZFh4+NGsLP7HahAbSBt&KtxD=PnCTGx9Pf (rule_id 35940)
    http://www.sarthaksrishticreation.com/sy22/?kDHl=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&KtxD=PnCTGx9Pf (rule_id 35905)
    http://www.giallozafferrano.com/sy22/?kDHl=e3Wc7AYKmxnABbA5XplRDASPAW2hX0g2E4j6p3U7Sf2osunLtU3wLL64mGQYR58Cg+KdkSKM&KtxD=PnCTGx9Pf
  Hosts (8):  www.gk84.com (107.148.223.82, malicious); www.sarthaksrishticreation.com (119.18.49.69, malicious); www.giallozafferrano.com (62.149.128.45); www.gracefullytouchedartistry.com (34.149.87.45, malicious); 62.149.128.45 (malicious); 119.18.49.69 (malicious); 107.148.223.82 (malicious); 34.149.87.45 (phishing)
  Alerts (1): ET MALWARE FormBook CnC Checkin (GET)
  Extracted URLs (3): http://www.gk84.com/sy22/; http://www.gracefullytouchedartistry.com/sy22/; http://www.sarthaksrishticreation.com/sy22/
  Score 4.2 | M | 40 | ZeroCERT

10311  2023-09-21 18:12
  Sample:  spacezx.exe  MD5 f00db5f7d365a7a8236a34cb9e9ce590
  Tags:    .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed
  URLs:    none
  Hosts (2):  cp5ua.hyperhost.ua (91.235.128.141); 91.235.128.141
  Alerts (2): SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 11.0 | M | 21 | ZeroCERT

10312  2023-09-21 13:41
  Sample:  gametools.exe  MD5 19a0306a4a57683c3e14dc5ec13e89ed
  Tags:    Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
  URLs:    none
  Hosts:   none
  Alerts:  none
  Extracted URLs: none
  Score 1.6 | M | 51 | ZeroCERT

10313  2023-09-21 13:33
  Sample:  netTime.exe  MD5 927783a38772fd607fb4dfbf34dceaf3
  Tags:    UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself Remote Code Execution
  URLs:    none
  Hosts:   none
  Alerts:  none
  Extracted URLs: none
  Score 2.8 | - | 29 | ZeroCERT

10314  2023-09-21 10:29
  Sample:  Akjnagosfmwanr.exe  MD5 047324921fcd5ca64134a367d389e900
  Tags:    Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware RWX flags setting unpack itself crashed
  URLs:    none
  Hosts (1):  not listed
  Alerts:  none
  Extracted URLs: none
  Score 2.6 | - | 44 | ZeroCERT

10315  2023-09-21 10:20
  Sample:  55aa5e.exe  MD5 56c197e493f74f9233a16cdefab3109f
  Tags:    Emotet Malicious Library UPX VMProtect PE File PE32 OS Processor Check VirusTotal Malware Check memory RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows Remote Code Execution
  URLs:    none
  Hosts:   none
  Alerts:  none
  Extracted URLs: none
  Score 4.4 | M | 22 | ZeroCERT

10316  2023-09-21 09:49
  Sample:  EGU.vbs  MD5 87340d35d75234ff3dcde21240b08f9e
  Tags:    Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (3):
    http://apps.identrust.com/roots/dstrootcax3.p7c
    https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
    https://yorkrefrigerent.md/public/cvb/yay.txt
  Hosts (3):  uploaddeimagens.com.br (104.21.45.138, malware); 121.254.136.18; 172.67.215.45 (malware)
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 8.4 | - | 7 | ZeroCERT

10317  2023-09-21 09:48
  Sample:  omob.vbs  MD5 51c03a309d16578fe5a97464df18cac9
  Tags:    Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (3):
    http://apps.identrust.com/roots/dstrootcax3.p7c
    https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
    http://79.110.48.52/omox.txt
  Hosts (3):  uploaddeimagens.com.br (104.21.45.138, malware); 104.21.45.138 (malware); 182.162.106.33 (malware)
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 8.4 | - | 8 | ZeroCERT

10318  2023-09-21 09:47
  Sample:  eveningmmeddddFile.vbs  MD5 62154436f26a9ce3557b89b54e54fe16
  Tags:    Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (3):
    http://apps.identrust.com/roots/dstrootcax3.p7c
    https://uploaddeimagens.com.br/images/004/613/515/original/rump_vbs_antivm.jpg?1695147255
    http://193.42.33.63/mohammedfilebase64.txt
  Hosts (3):  uploaddeimagens.com.br (104.21.45.138, malware); 23.43.165.66; 172.67.215.45 (malware)
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 9.0 | - | 3 | ZeroCERT

10319  2023-09-21 09:46
  Sample:  idex.vbs  MD5 3a386e7b334d9214f8d5fcf3f6876fd3
  Tags:    Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (3):
    http://apps.identrust.com/roots/dstrootcax3.p7c
    https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
    http://79.110.48.52/idesh.txt
  Hosts (3):  uploaddeimagens.com.br (172.67.215.45, malware); 182.162.106.32; 172.67.215.45 (malware)
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 8.4 | - | 8 | ZeroCERT

10320  2023-09-21 09:45
  Sample:  aktivosssssssfileapamaFile.vbs  MD5 cd664601408fb5dac516050fb44fe31c
  Tags:    Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
  URLs (3):
    http://apps.identrust.com/roots/dstrootcax3.p7c
    https://uploaddeimagens.com.br/images/004/614/536/original/rump_private.jpg?1695227110
    http://193.42.33.63/mohammedfilebase64.txt
  Hosts (3):  uploaddeimagens.com.br (104.21.45.138, malware); 121.254.136.18; 172.67.215.45 (malware)
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Extracted URLs: none
  Score 8.4 | - | 1 | ZeroCERT
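Read as a batch, the records above share infrastructure: the same Stealc check-in URL on 5.42.92.211 appears under two different droppers (10308, 10309), 91.235.128.141 is contacted directly by 10308 and resolved from cp5ua.hyperhost.ua by 10311, and the five VBS samples all stage through the same image-hosting domain and the same two .txt payload hosts. Two of the contacted services are not attacker infrastructure at all: api.ipify.org is an external-IP lookup and the apps.identrust.com fetch is a CA root-certificate download, both used by plenty of legitimate software. The Python below is an added example, not code from this listing or from the ZeroCERT sandbox: it parses the flattened URL, host and alert fields in the form they appear here, pivots each indicator across submissions, and builds a blocklist that drops an allowlist of benign services (including IPs that were only learned as those services' resolutions). RAW_ROWS is constructed by copying a subset of the fields from samples 10306, 10308, 10309, 10311 and 10316; the BENIGN allowlist, the label normalisation and the alert-prefix list are the example's own assumptions.

```python
"""IOC extraction and infrastructure pivoting over flattened sandbox rows.

Added example for this listing; not part of the sandbox's own tooling.
RAW_ROWS is constructed by copying (and in places trimming) the URL, host and
Suricata-alert fields of samples 10306, 10308, 10309, 10311 and 10316.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# (sample id, URL field, host field, alert field), as the listing flattens them.
RAW_ROWS = [
    ("10306", "",
     "api.ipify.org(104.237.62.212) 173.231.16.77",
     "ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup "
     "ET INFO TLS Handshake Failure "
     "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"),
    ("10308", "http://5.42.92.211/loghub/master - rule_id: 36282",
     "91.235.128.141 77.91.124.82 - mailcious 5.42.92.211 - mailcious",
     "ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) "
     "ET MALWARE Redline Stealer TCP CnC Activity"),
    ("10309", "http://5.42.92.211/loghub/master - rule_id: 36282", "",
     "ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)"),
    ("10311", "",
     "cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141",
     "SURICATA Applayer Detect protocol only one direction "
     "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"),
    ("10316", "http://apps.identrust.com/roots/dstrootcax3.p7c "
     "https://yorkrefrigerent.md/public/cvb/yay.txt",
     "uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.18 172.67.215.45 - malware",
     "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(rf"^{IPV4}$")
# Host field entries look like "domain(ip) - label", "ip - label" or a bare
# indicator; the resolved IP and the label are both optional.
HOST_RE = re.compile(rf"(?P<ind>[^\s()]+)(?:\((?P<ip>{IPV4})\))?(?:\s+-\s+(?P<label>\w+))?")
URL_RE = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
LABEL_FIX = {"mailcious": "malicious"}  # the feed's own spelling of this tag
# Services the samples used that are not attacker infrastructure (external-IP
# lookup, CA root-certificate fetch). Assumed allowlist; extend it for your estate.
BENIGN = {"api.ipify.org", "apps.identrust.com"}


def parse_row(sample_id, url_field, host_field, alert_field):
    """Turn one flattened row into structured URLs, hosts and alert names."""
    urls = [(m["url"], m["rule"]) for m in URL_RE.finditer(url_field)]
    hosts = [(m["ind"], m["ip"], LABEL_FIX.get(m["label"], m["label"]))
             for m in HOST_RE.finditer(host_field)]
    # Alert names are space-joined; each starts with one of these rule-set prefixes.
    alerts = [a.strip() for a in re.split(r"\s(?=ET |SSLBL:|SURICATA )", alert_field)
              if a.strip()]
    return {"id": sample_id, "urls": urls, "hosts": hosts, "alerts": alerts}


def indicators(record):
    """Set of (indicator, kind, source) for one record.

    `source` is the domain the indicator was derived from, so an IP that was
    only learned as the resolution of an allowlisted domain can be dropped
    together with that domain.
    """
    found = set()
    for url, _rule in record["urls"]:
        host = urlparse(url).hostname or ""
        found.add((url, "url", host))
        if host:
            found.add((host, "ip" if IP_RE.match(host) else "domain", host))
    for ind, ip, _label in record["hosts"]:
        found.add((ind, "ip" if IP_RE.match(ind) else "domain", ind))
        if ip:
            found.add((ip, "ip", ind))
    return found


def pivot(records):
    """Indicator -> set of sample IDs it was observed in."""
    table = defaultdict(set)
    for rec in records:
        for ind, _kind, _src in indicators(rec):
            table[ind].add(rec["id"])
    return table


def shared_infrastructure(records, min_samples=2):
    """Indicators reused across at least `min_samples` submissions."""
    return {ind: sorted(ids) for ind, ids in pivot(records).items()
            if len(ids) >= min_samples}


def blocklist(records):
    """Every observed indicator except those derived from allowlisted services."""
    return {ind for rec in records for ind, _kind, src in indicators(rec)
            if src not in BENIGN}


if __name__ == "__main__":
    rows = [parse_row(*r) for r in RAW_ROWS]
    for ind, ids in sorted(shared_infrastructure(rows).items()):
        print(f"{ind:40} seen in {', '.join(ids)}")
    print(f"{len(blocklist(rows))} blockable indicators")
```

Two cautions when turning the result into blocks. The 104.21.x and 172.67.x addresses behind uploaddeimagens.com.br are Cloudflare anycast ranges shared by many unrelated sites, so block the URL or domain, not the IP; and an indicator that appears in only one record (such as the bare 173.231.16.77 under 10306) has no corroboration in this listing and deserves a look before it is enforced.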