| 10336 |
2023-07-13 07:18
|
 updEdge.exe 3c55617e6b69330386a0350e9f6aa0b4
Themida Packer Generic Malware UPX Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI ICMP traffic unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Stealer Windows Browser ComputerName Firmware Cryptographic key Software crashed |
|
2
rcam.tuktuk.ug(85.209.3.4)
85.209.3.4
|
2
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
|
|
15.4 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10337 |
2023-07-13 07:18
|
 csrssop.exe 11cf36796a468db2f1789d06d01a65f4
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
terminal4.veeblehosting.com(108.170.55.203)
108.170.55.202 - phishing
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
|
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10338 |
2023-07-12 17:50
|
 csrssmd.exe dd9ad309b65f30ea83791cec013a90e0
Formbook AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS crashed |
15
http://www.investmentmastr.com/8mwu/?m9izrh97=PsH7VurMFQyD6ju4MnYVKLsngyhRF0i3kpEyk+bvF+v2WbyUoo2xQnfNKDF27FubHa/Uq1yd2iymJaC1K/rhLY6C/0yWRYEJmyt9xCA=&NA=YcFFh3pmG-c-6 - rule_id: 35093
http://www.homesalerealtywi.com/8mwu/?m9izrh97=oINJ/gp/aJeJF1lmtDttIp5zYupEQ9+i41jy+2inlUmQPi8yQegxtF+73D7Viv9VJKhdmECNx8qtF80OZhRsVw7SvxMGhJ4ooOkNn5A=&NA=YcFFh3pmG-c-6 - rule_id: 35096
http://www.framedeals.buzz/8mwu/ - rule_id: 35097
http://www.investmentmastr.com/8mwu/ - rule_id: 35093
http://www.snazzy.top/8mwu/?m9izrh97=hq4LUNPbOJJ32NO4taYz6MbqZKFszgoxkz2vk6DroaZ2ot5/vFuGkg9TSETWpPkUvR5zvHY4W4/OsVbmF+Jpeu4hTeI286k5D1jdj0E=&NA=YcFFh3pmG-c-6 - rule_id: 35094
http://www.framedeals.buzz/8mwu/?m9izrh97=VWM5CmNEXV0Wws5lOi41B/CT5DkRJBR63DKPnwmZQhPPNIeL3HbUg+RwDwZOLCkdO7WSUUICcQ5s3r8q/6yBYhvdm+7LZZAalqtbZFE=&NA=YcFFh3pmG-c-6 - rule_id: 35097
http://www.date-store.info/8mwu/ - rule_id: 35092
http://www.baotrang-jewelry.com/8mwu/?m9izrh97=EU3iIBTa7/FiG89Zkn9giTIgWQjAgZeKQjtjqA56CDWeG/Y64M9bd0fUJ8VEDSTetbKxDk1W+HVeVL/Bv/O0oK42dWysymJF/Fz7e18=&NA=YcFFh3pmG-c-6 - rule_id: 35091
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
http://www.date-store.info/8mwu/?m9izrh97=QCWughoEBLNWlxoKJazXJvFVptHaudS5CtBHXaoHYx4YCXEq+K4liCb7WZlVD+RMuH5kCBUqy3mcV+3Nr6i4SxN+kY5cxzsbKOKS/94=&NA=YcFFh3pmG-c-6 - rule_id: 35092
http://www.niubiseo158.top/8mwu/ - rule_id: 35095
http://www.homesalerealtywi.com/8mwu/ - rule_id: 35096
http://www.niubiseo158.top/8mwu/?m9izrh97=DpBsY/EqeNdrZFzJBhJgkE6I4JhtuhKG/ihhRdK7+ZddsX/RTtTF+8Mul1ZbonjYts59d9bhAh3cEH3KC86wGfwsRy2myXMRgqa2uDs=&NA=YcFFh3pmG-c-6 - rule_id: 35095
http://www.baotrang-jewelry.com/8mwu/ - rule_id: 35091
http://www.snazzy.top/8mwu/ - rule_id: 35094
|
20
www.effmkg.top(206.119.167.205) - mailcious
www.dinohoki85.online() - mailcious
www.homesalerealtywi.com(204.11.56.48) - mailcious
www.niubiseo158.top(192.250.196.82) - mailcious
www.snazzy.top(203.161.55.144) - mailcious
www.framedeals.buzz(104.21.73.200) - mailcious
www.investmentmastr.com(68.178.150.54) - mailcious
www.date-store.info(162.43.104.75) - mailcious
www.ansuzmedia.store() - mailcious
www.baotrang-jewelry.com(54.179.30.8) - mailcious
206.119.167.205 - mailcious
52.74.11.229 - mailcious
108.181.20.35
162.43.104.75 - mailcious
192.250.196.82 - mailcious
104.21.73.200
68.178.150.54 - mailcious
45.33.6.223
204.11.56.48 - phishing
203.161.55.144 - mailcious
|
4
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.buzz domain
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
|
14
http://www.investmentmastr.com/8mwu/
http://www.homesalerealtywi.com/8mwu/
http://www.framedeals.buzz/8mwu/
http://www.investmentmastr.com/8mwu/
http://www.snazzy.top/8mwu/
http://www.framedeals.buzz/8mwu/
http://www.date-store.info/8mwu/
http://www.baotrang-jewelry.com/8mwu/
http://www.date-store.info/8mwu/
http://www.niubiseo158.top/8mwu/
http://www.homesalerealtywi.com/8mwu/
http://www.niubiseo158.top/8mwu/
http://www.baotrang-jewelry.com/8mwu/
http://www.snazzy.top/8mwu/
|
11.6 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10339 |
2023-07-12 17:47
|
 win.exe d4fe9ca0baa8b18233d058024e4b6f2d
Generic Malware PDF Suspicious Link .NET framework(MSIL) Antivirus UPX Internet API PDF AntiDebug AntiVM .NET EXE PE File PE32 ZIP Format DLL VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows Email ComputerName Cryptographic key crashed |
1
|
4
us2.smtp.mailhostbox.com(208.91.199.223)
showip.net(162.55.60.2)
162.55.60.2
208.91.199.225
|
3
ET POLICY IP Check Domain (showip in HTTP Host)
SURICATA Applayer Detect protocol only one direction
ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip
|
|
13.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10340 |
2023-07-12 17:46
|
 ptbinzx.exe 482e0572bd0f90583765ea3e5a06d4fb
Formbook .NET framework(MSIL) PWS AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself |
3
http://www.automobilecie.com/p3df/?rVIHZp=YrBzZrvx1I6qjf3ADwHBDF2VGGXHvkOpMDHhGmpaT2ZbAW6VafMyKVhTjuVUCS1oyoCow4Y7&EzrxU8=apITk470lpRLDj
http://www.cortexi-work.click/p3df/?rVIHZp=HVkR/x0Ixde6ck7poJTlTnV+G/vNZMhJ5OkvvJIPFSaOBSTRTN16VPdf7GqG1BzUqyz3kfDB&EzrxU8=apITk470lpRLDj
http://www.powerthorn.com/p3df/?rVIHZp=RTvX5YrbEGVLaq9PpE4RvOmBtSGjFbHzFYcCFtjNyi/48m8h3qqorSbHct+p/FUkFK9mMcBT&EzrxU8=apITk470lpRLDj
|
6
www.cortexi-work.click(66.29.153.238)
www.powerthorn.com(204.11.56.48)
www.automobilecie.com(23.227.38.74)
23.227.38.74 - mailcious
66.29.153.238
204.11.56.48 - phishing
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
8.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10341 |
2023-07-12 17:46
|
 Historiers.exe 109dbd7130e7c7e519eddac87ccbc34c
UPX Malicious Library PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
|
|
|
|
3.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10342 |
2023-07-12 17:45
|
 WSD.exe b205c78be14c4df122a02ca9a6261d47
.NET framework(MSIL) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
4
mail.awelleh3.top(185.198.59.26) - mailcious
api.ipify.org(173.231.16.76)
173.231.16.76
185.198.59.26 - mailcious
|
4
SURICATA Applayer Detect protocol only one direction
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10343 |
2023-07-12 17:45
|
 Ads.exe 69479c1cca7d8e7c58a1d4b6d7c02e2a
UPX ScreenShot KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows Cryptographic key |
1
https://kyliansuperm92139124.shop/customer/1017
|
2
kyliansuperm92139124.shop(172.67.183.88)
104.21.18.206
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10344 |
2023-07-12 17:44
|
 crypted1.exe 34b4037287a02c8d02d26e30be52e390
UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces WriteConsoleW IP Check ComputerName |
1
http://ip-api.com/line/?fields=hosting
|
2
ip-api.com(208.95.112.1)
208.95.112.1
|
1
ET POLICY External IP Lookup ip-api.com
|
|
9.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10345 |
2023-07-12 17:39
|
 maintest.exe 836dfa8ecf57ce861f4cacfe4a85572d
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware WMI RWX flags setting unpack itself ComputerName crashed |
|
|
|
|
4.2 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10346 |
2023-07-12 17:39
|
 firmresource.exe ae830ab4838b8fb88af7a8fcf0071d1b
Gen1 Emotet Malicious Library .NET framework(MSIL) Malicious Packer CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution Cryptographic key |
|
2
files.catbox.moe(108.181.20.35) - malware
108.181.20.35
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10347 |
2023-07-12 17:38
|
 csrss00.exe 601f2b22a16a96c9ddaae24e2c5611f2
UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder |
|
|
|
|
4.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10348 |
2023-07-12 17:35
|
 crypted.exe aa06cd111cb6800e04353ec34723044b
UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
3
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
|
|
10.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10349 |
2023-07-12 17:34
|
 clip64.dll da32ba5704b945ff08dc50e17ce1bb5c
UPX Admin Tool (Sysinternals etc ...) Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10350 |
2023-07-12 17:34
|
ptbinzx.doc f351161a0fbeea7aede8237afb6e9b1f
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://www.lescalorie.com/p3df/?5j=cH9IR1Zqj1peiA7ykqfBFYnXYSicdboJFkzxWEOQWVJAfw6QaHalOv2qzNW+7PV1mniI8/Dk&vTdDF=LJBx
http://www.7777bet.vip/p3df/?5j=Zra03shKt3eO9Abf39385ckXgqCc3/DV1NAUjEsnNUEjXTLujy4t/4c/WXBVS//ixoSYyRgw&vTdDF=LJBx
|
5
www.7777bet.vip(206.119.87.32)
www.lescalorie.com(199.59.243.223)
206.119.87.32 - mailcious
199.59.243.223 - mailcious
87.121.221.212 - malware
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|