| 10411 |
2023-07-11 09:36
|
 schtasks.exe b32e6ee308372d87ba59b9e851b35972
AsyncRAT UPX .NET framework(MSIL) Malicious Packer OS Processor Check .NET EXE PE File PE32 Malware download AsyncRAT NetWireRC Malware DNS |
|
1
|
2
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10412 |
2023-07-11 09:34
|
 194.169.175.136:3002 beb8f75815003ffcee31bc2626bbe2d9
UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB |
|
|
|
|
1.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10413 |
2023-07-11 09:33
|
 h.html 1c87f3cd6fb4a0197977a9d7365a5e09unpack itself crashed |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10414 |
2023-07-11 07:59
|
 csrssd.exe c415c178036686bf3a3fbd8dc296a686
.NET framework(MSIL) AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious TLD DNS crashed |
18
http://www.niubiseo158.top/8mwu/
http://www.framedeals.buzz/8mwu/
http://www.investmentmastr.com/8mwu/
http://www.date-store.info/8mwu/
http://www.uty186.com/8mwu/
http://www.framedeals.buzz/8mwu/?AtRS=VWM5CmNEXV0Wws5lOi41B/CT5DkRJBR63DKPnwmZQhPPNIeL3HbUg+RwDwZOLCkdO7WSUUICcQ5s3r8q/6yBYhvdm+7LZZAalqtbZFE=&L08E=VdmpZkW2d
http://www.homesalerealtywi.com/8mwu/?AtRS=oINJ/gp/aJeJF1lmtDttIp5zYupEQ9+i41jy+2inlUmQPi8yQegxtF+73D7Viv9VJKhdmECNx8qtF80OZhRsVw7SvxMGhJ4ooOkNn5A=&L08E=VdmpZkW2d
http://www.snazzy.top/8mwu/
http://www.effmkg.top/8mwu/
http://www.snazzy.top/8mwu/?AtRS=hq4LUNPbOJJ32NO4taYz6MbqZKFszgoxkz2vk6DroaZ2ot5/vFuGkg9TSETWpPkUvR5zvHY4W4/OsVbmF+Jpeu4hTeI286k5D1jdj0E=&L08E=VdmpZkW2d
http://www.homesalerealtywi.com/8mwu/
http://www.niubiseo158.top/8mwu/?AtRS=DpBsY/EqeNdrZFzJBhJgkE6I4JhtuhKG/ihhRdK7+ZddsX/RTtTF+8Mul1ZbonjYts59d9bhAh3cEH3KC86wGfwsRy2myXMRgqa2uDs=&L08E=VdmpZkW2d
http://www.effmkg.top/8mwu/?AtRS=cuz6fZ9rAQU+AblclZ0dz+AWyQnWqvDu1YxezGquJoJchTSyh9fWxECepA/LrKXAq+eZ/F2gxCu5cJ8yEGWuS25DvJh6mlleb3H+l3g=&L08E=VdmpZkW2d
http://www.baotrang-jewelry.com/8mwu/
http://www.date-store.info/8mwu/?AtRS=QCWughoEBLNWlxoKJazXJvFVptHaudS5CtBHXaoHYx4YCXEq+K4liCb7WZlVD+RMuH5kCBUqy3mcV+3Nr6i4SxN+kY5cxzsbKOKS/94=&L08E=VdmpZkW2d
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
http://www.investmentmastr.com/8mwu/?AtRS=PsH7VurMFQyD6ju4MnYVKLsngyhRF0i3kpEyk+bvF+v2WbyUoo2xQnfNKDF27FubHa/Uq1yd2iymJaC1K/rhLY6C/0yWRYEJmyt9xCA=&L08E=VdmpZkW2d
http://www.baotrang-jewelry.com/8mwu/?AtRS=EU3iIBTa7/FiG89Zkn9giTIgWQjAgZeKQjtjqA56CDWeG/Y64M9bd0fUJ8VEDSTetbKxDk1W+HVeVL/Bv/O0oK42dWysymJF/Fz7e18=&L08E=VdmpZkW2d
|
21
www.effmkg.top(206.119.167.205)
www.dinohoki85.online()
www.homesalerealtywi.com(204.11.56.48)
www.niubiseo158.top(192.250.196.82)
www.snazzy.top(203.161.55.144)
www.framedeals.buzz(104.21.73.200)
www.investmentmastr.com(68.178.150.54)
www.uty186.com(122.10.20.248)
www.date-store.info(162.43.104.75)
www.ansuzmedia.store()
www.baotrang-jewelry.com(13.215.123.39)
206.119.167.205
68.178.150.54
162.43.104.75
192.250.196.82
172.67.165.207
54.179.30.8
45.33.6.223
204.11.56.48 - phishing
203.161.55.144
122.10.20.248
|
4
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
ET INFO HTTP Request to a *.buzz domain
|
|
10.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10415 |
2023-07-11 07:47
|
 2.jpg 7416ede6924c85117720a8a9d158c67f
.NET EXE PE File PE32 Malware download NetWireRC VirusTotal Malware PDB suspicious TLD IP Check RAT DNS |
1
|
4
frp-bar.top(116.10.184.211) -
ip-api.com(208.95.112.1) -
116.10.184.211 -
208.95.112.1 -
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Common RAT Connectivity Check Observed
ET POLICY External IP Lookup ip-api.com
|
|
3.8 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10416 |
2023-07-11 07:46
|
haitianzx.doc 39c47863ba1127bb0f46600ac15e2349
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://87.121.221.212/haitianzx.exe
|
4
mail.bretoffice.com(185.174.174.220) -
87.121.221.212 -
121.254.136.27 -
185.174.174.220 -
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10417 |
2023-07-11 07:45
|
 photo540.exe 0b18dc187ed40a7a6310a6c4ba98ec91
Gen1 Emotet SmokeLoader UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
5
http://77.91.124.31/smo/du.exe
http://77.91.124.31/new/fotod45.exe
http://77.91.68.3/home/love/index.php
http://77.91.124.31/new/foto175.exe
http://77.91.68.3/home/love/Plugins/cred64.dll
|
3
77.91.124.31 -
77.91.68.48 -
77.91.68.3 -
|
13
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Executable Download from dotted-quad Host
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
17.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10418 |
2023-07-11 07:37
|
 LUG.exe 467aa373b20db6d16cd7a3a5d9bab790
.NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself |
|
|
|
|
5.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10419 |
2023-07-11 07:33
|
templezx.doc 96908698ef1a19e7b6c4cc2f52637d3b
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed |
|
|
|
|
3.2 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10420 |
2023-07-11 07:33
|
 Your.exe 1344dd42f796869f3091e194b0d819da
UPX .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.2 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10421 |
2023-07-10 18:55
|
 a.exe 1d35572dfa6a564b147bad355ad1be78
UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware |
|
|
|
|
1.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10422 |
2023-07-10 18:20
|
 foto175.exe 2415dbdd83d587bd33b25678273cb84a
Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 DLL .NET EXE CAB Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed |
3
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll
|
2
77.91.68.3 - malware
77.91.68.48
|
10
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
16.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10423 |
2023-07-10 18:17
|
 new64.dll e8adc07619649cf7775aca6366e44505
Malicious Library DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS |
|
1
|
|
|
2.4 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10424 |
2023-07-10 18:16
|
 fotod45.exe 09cea48e485e3b4f35e25db8aef6926c
Gen1 Emotet SmokeLoader UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 DLL CAB .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed Downloader |
4
http://77.91.124.31/new/fotod45.exe
http://77.91.68.3/home/love/index.php
http://77.91.124.31/new/foto175.exe
http://77.91.68.3/home/love/Plugins/cred64.dll
|
3
77.91.124.31 - mailcious
77.91.68.48
77.91.68.3 - malware
|
13
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET INFO Executable Download from dotted-quad Host
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Dotted Quad Host DLL Request
|
|
17.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10425 |
2023-07-10 18:13
|
notepad.exe f2e100f576b44fdb37d874db2e48085c
Emotet UPX MPRESS PE64 PE File VirusTotal Malware Remote Code Execution crashed |
|
|
|
|
2.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|