Record 10441 | 2023-07-10 07:10 | Submitter: Allae
Sample: http://dhqidctjo3ugevk9u5sev1r...
Tags: Downloader; Create Service; Socket; P2P; DGA; Steal credential; Http API; Escalate privileges; PWS; Hijack Network; Sniff Audio; HTTP; DNS; ScreenShot; Code injection; Internet API; persistence; FTP; KeyLogger; AntiDebug; AntiVM; PNG Format; MSOffice File; JPEG Format; VirusTotal; Malware; Code Injection; RWX flags setting; exploit crash; unpack itself; Windows utilities; malicious URLs; Tofsee; Windows; Exploit; DNS; crashed
URLs (1): http://dhqidctjo3ugevk9u5sev1r.webdav.drivehq.com/
Hosts (2): dhqidctjo3ugevk9u5sev1r.webdav.drivehq.com (66.220.9.58); 66.220.9.58 - malicious
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 4.6 | Detections: -

Record 10442 | 2023-07-08 14:16 | Submitter: ZeroCERT
Sample: rggrggrggrggrggrggrggrggrggrgg... | MD5: c07d78c079d6fb8d98501c7c42b7a67c
Tags: MS_RTF_Obfuscation_Objects; RTF File; doc; Vulnerability; VirusTotal; Malware; Malicious Traffic; buffers extracted; exploit crash; unpack itself; Exploit; DNS; crashed
URLs (1): http://23.94.236.203/RGGR/IE_NET.hta
Hosts (2): 5.42.65.67; 23.94.236.203
IDS alerts (3): ET POLICY Possible HTA Application Download; ET INFO Dotted Quad Host HTA Request; ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
Score: 4.6 | Detections: 30

Record 10443 | 2023-07-08 14:15 | Submitter: ZeroCERT
Sample: IE_NET.hta | MD5: 44b47a2cd519068596c0e8cfcb401904
Tags: Generic Malware; Antivirus; Hide_URL; PowerShell; VirusTotal; Malware; powershell; suspicious privilege; Check memory; Checks debugger; Creates shortcut; unpack itself; powershell.exe wrote; suspicious process; WriteConsoleW; Windows; ComputerName; Cryptographic key
URLs (1): http://23.94.236.203/730/IBM_cents.exe
Score: 5.2 | Detections: 6

Record 10444 | 2023-07-08 14:15 | Submitter: ZeroCERT
Sample: win.exe | MD5: 261fad7a9f8939250bf2c3c1406f0fe9
Tags: NSIS; UPX; Malicious Library; PE File; PE32; OS Processor Check; DLL; Browser Info Stealer; FTP Client Info Stealer; VirusTotal; Email Client Info Stealer; Malware; AutoRuns; suspicious privilege; Check memory; Checks debugger; Creates executable files; unpack itself; Check virtual network interfaces; AppData folder; IP Check; Tofsee; Windows; Browser; Email; ComputerName; Cryptographic key; Software; crashed
Hosts (2): api.ipify.org (64.185.227.156); 173.231.16.76
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | Detections: 49

Record 10445 | 2023-07-08 14:12 | Submitter: ZeroCERT
Sample: new64x.dll | MD5: b63f57d948b00f885ce27af54503df3a
Tags: Malicious Library; DLL; PE64; PE File; VirusTotal; Malware; Checks debugger; unpack itself; Remote Code Execution; DNS
Hosts (2): 5.42.65.67; 172.67.75.172
Score: 2.4 | Detections: 5

Record 10446 | 2023-07-08 14:12 | Submitter: ZeroCERT
Sample: norway_cr.exe | MD5: d6c9402d8f40026fd013020ea8b4c598
Tags: UPX; Admin Tool (Sysinternals etc ...); .NET EXE; PE File; PE32; VirusTotal; Malware; PDB; Check memory; Checks debugger; unpack itself; crashed
Score: 2.6 | Detections: 33

Record 10447 | 2023-07-08 14:10 | Submitter: ZeroCERT
Sample: kudizx.doc | MD5: c11126e9450b2d9e8717182e077f26ac
Tags: MS_RTF_Obfuscation_Objects; RTF File; doc; Malware download; VirusTotal; Malware; Malicious Traffic; exploit crash; unpack itself; IP Check; Tofsee; Windows; Exploit; DNS; crashed
URLs (1): http://87.121.221.212/kudizx.exe
Hosts (3): api.ipify.org (64.185.227.156); 173.231.16.76; 87.121.221.212
IDS alerts (7): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 5.0 | Detections: 35

Record 10448 | 2023-07-08 14:10 | Submitter: ZeroCERT
Sample: 3qN9jJaXKsSA8e0LiGHt.exe | MD5: 173f2817975d278fcc3163d9b5302467
Tags: .NET EXE; PE File; PE32; VirusTotal; Malware; PDB; Check memory; Checks debugger; unpack itself
Score: 2.4 | Detections: 39

Record 10449 | 2023-07-08 14:10 | Submitter: ZeroCERT
Sample: conhost.exe | MD5: 197cf1b5f5228af677c04341b43b58f0
Tags: Emotet; Generic Malware; Suspicious_Script_Bin; task schedule; Downloader; UPX; Malicious Library; Antivirus; Malicious Packer; .NET framework(MSIL); Create Service; Socket; P2P; DGA; Steal credential; Http API; Escalate privileges; PWS; Sniff Audio; HTTP; DNS; ScreenShot; Co; VirusTotal; Malware; Buffer PE; AutoRuns; suspicious privilege; Code Injection; Malicious Traffic; Check memory; Checks debugger; buffers extracted; Creates shortcut; Creates executable files; unpack itself; Windows utilities; Check virtual network interfaces; suspicious process; AppData folder; AntiVM_Disk; WriteConsoleW; VM Disk Size Check; Tofsee; Windows; ComputerName; Cryptographic key
URLs (7): https://raw.githubusercontent.com/S1lentHashhh/watchdog/main/WatchDog.exe; https://github.com/S1lentHashhh/watchdog/raw/main/WatchDog.exe; https://raw.githubusercontent.com/S1lentHashhh/WinRing/main/WinRing0x64.sys; https://github.com/S1lentHashhh/xmrig/raw/main/xmrig.exe; https://pastebin.com/raw/btyX5Ze4; https://raw.githubusercontent.com/S1lentHashhh/xmrig/main/xmrig.exe; https://github.com/S1lentHashhh/WinRing/raw/main/WinRing0x64.sys
Hosts (6): github.com (20.200.245.247); raw.githubusercontent.com (185.199.108.133); pastebin.com (104.20.67.143); 185.199.108.133; 20.200.245.247; 104.20.67.143
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.6 | Detections: 33

Record 10450 | 2023-07-08 14:09 | Submitter: ZeroCERT
Sample: bv6.jpg.ps1 | MD5: 59a8cad944c41d6673ca0550b0177016
Tags: Generic Malware; Antivirus; powershell; AutoRuns; Check memory; unpack itself; Windows utilities; powershell.exe wrote; Check virtual network interfaces; suspicious process; WriteConsoleW; Tofsee; Windows; ComputerName; Cryptographic key
URLs (1): https://propagandaetrafego.com/h.html
Hosts (2): propagandaetrafego.com (216.172.161.107); 216.172.161.107
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.6 | Detections: -

Record 10451 | 2023-07-08 14:07 | Submitter: ZeroCERT
Sample: Aas.EXE | MD5: c3baac987bee5800b92b7e2d6d42db1a
Tags: Emotet; Suspicious_Script_Bin; Generic Malware; Malicious Library; Admin Tool (Sysinternals etc ...); UPX; CAB; PE File; PE32; DLL; VirusTotal; Malware; AutoRuns; PDB; Check memory; Checks debugger; WMI; Creates executable files; RWX flags setting; unpack itself; Windows utilities; suspicious process; AppData folder; AntiVM_Disk; WriteConsoleW; VM Disk Size Check; Windows; ComputerName; Remote Code Execution; crashed
Hosts (2): fkswxfc.com (45.74.19.119); 45.74.19.119
Score: 7.6 | Detections: 22

Record 10452 | 2023-07-08 14:07 | Submitter: ZeroCERT
Sample: bnhost.exe | MD5: a3be2d1b0cdf0bb7aa40cf2cbe054a51
Tags: .NET EXE; PE File; PE32; Browser Info Stealer; RedLine; FTP Client Info Stealer; VirusTotal; Malware; suspicious privilege; Malicious Traffic; Check memory; Checks debugger; buffers extracted; WMI; ICMP traffic; unpack itself; Collect installed applications; Check virtual network interfaces; installed browsers check; Tofsee; Stealer; Windows; Browser; ComputerName; DNS; Cryptographic key; Software; crashed
URLs (2): http://5.42.92.122:34244/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb (104.26.12.31); 5.42.92.122; 172.67.75.172
IDS alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response; ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound
Score: 10.4 | Detections: 36

Record 10453 | 2023-07-08 14:07 | Submitter: ZeroCERT
Sample: PTT_20230707-WA01120xlsx.exe | MD5: 74c5ede3fd6bf983ae8bf512cdab90ad
Tags: AgentTesla; Generic Malware; UPX; .NET framework(MSIL); Antivirus; SMTP; KeyLogger; AntiDebug; AntiVM; .NET EXE; PE File; PE32; Browser Info Stealer; FTP Client Info Stealer; VirusTotal; Email Client Info Stealer; Malware; powershell; Buffer PE; suspicious privilege; Code Injection; Check memory; Checks debugger; buffers extracted; Creates shortcut; unpack itself; Check virtual network interfaces; suspicious process; IP Check; Tofsee; Windows; Browser; Email; ComputerName; Cryptographic key; Software; crashed
Hosts (2): api.ipify.org (173.231.16.76); 64.185.227.156
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.8 | Detections: 39

Record 10454 | 2023-07-08 14:05 | Submitter: ZeroCERT
Sample: class-wp-image-editors.php | MD5: 2796bf32abbebdd11a35603f3453214d
Tags: Generic Malware; task schedule; UPX; Malicious Library; Antivirus; AntiDebug; AntiVM; OS Processor Check; PE File; PE32; VirusTotal; Malware; Buffer PE; AutoRuns; PDB; suspicious privilege; Code Injection; Malicious Traffic; Check memory; Checks debugger; buffers extracted; WMI; Creates shortcut; unpack itself; Windows utilities; Check virtual network interfaces; suspicious process; malicious URLs; WriteConsoleW; Tofsee; Windows; ComputerName; Cryptographic key; crashed
URLs (8): https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys (rule_id: 34841); https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys; https://pastebin.com/raw/PTNbBX9V (rule_id: 34840); https://pastebin.com/raw/PTNbBX9V; https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe (rule_id: 21519); https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe; https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe (rule_id: 21520); https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
Hosts (4): github.com (20.200.245.247); pastebin.com (172.67.34.170); 104.20.68.143; 20.200.245.247
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Malicious URLs (4): https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys; https://pastebin.com/raw/PTNbBX9V; https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe; https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
Score: 15.2 | Detections: 37

Record 10455 | 2023-07-08 14:03 | Submitter: ZeroCERT
Sample: rcoekta.exe | MD5: a4341997cbad7d63be6f3a07b9783804
Tags: RedLine Infostealer; RedLine stealer; UPX; .NET framework(MSIL); Confuser .NET; OS Processor Check; .NET EXE; PE File; PE32; Browser Info Stealer; RedLine; Malware download; FTP Client Info Stealer; VirusTotal; Malware; suspicious privilege; Malicious Traffic; Check memory; Checks debugger; buffers extracted; unpack itself; Collect installed applications; Check virtual network interfaces; installed browsers check; Tofsee; Stealer; Windows; Browser; ComputerName; DNS; Cryptographic key; Software; crashed
URLs (1): -
Hosts (3): api.ip.sb (104.26.12.31); 104.211.55.2; 104.26.12.31
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE RedLine Stealer TCP CnC net.tcp Init
Score: 7.4 | Detections: 42

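Added example, not part of the listing or of the sandbox that produced it: a small Python tool that turns records in the plain-text layout used above (a "Record <id> | <date> | Submitter: <name>" header followed by "Field: value" lines with ";"-separated lists) into structured IOCs. The sample records are constructed here from entries 10444, 10452, 10453 and 10455 with abridged tag lists; the set of IP-lookup hostnames (api.ipify.org, api.ip.sb) is an assumption taken from the hosts those records contact, and the field names assumed are the ones shown on this page.

```python
"""IOC extraction over sandbox listing records (added example, not from the page).

Assumes the plain-text layout used on this listing: a header line
"Record <id> | <date> | Submitter: <name>" followed by "Field: value" lines,
list-valued fields separated by ";". SAMPLE is constructed from entries
10444, 10452, 10453 and 10455 of the listing, with abridged tag lists.
"""
import re
from collections import Counter

SAMPLE = """\
Record 10444 | 2023-07-08 14:15 | Submitter: ZeroCERT
Sample: win.exe | MD5: 261fad7a9f8939250bf2c3c1406f0fe9
Tags: NSIS; UPX; Browser Info Stealer; Email Client Info Stealer; IP Check; Tofsee
Hosts (2): api.ipify.org (64.185.227.156); 173.231.16.76
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | Detections: 49

Record 10452 | 2023-07-08 14:07 | Submitter: ZeroCERT
Sample: bnhost.exe | MD5: a3be2d1b0cdf0bb7aa40cf2cbe054a51
Tags: .NET EXE; PE32; Browser Info Stealer; RedLine; Tofsee; Stealer
URLs (2): http://5.42.92.122:34244/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb (104.26.12.31); 5.42.92.122; 172.67.75.172
IDS alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response; ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound
Score: 10.4 | Detections: 36

Record 10453 | 2023-07-08 14:07 | Submitter: ZeroCERT
Sample: PTT_20230707-WA01120xlsx.exe | MD5: 74c5ede3fd6bf983ae8bf512cdab90ad
Tags: AgentTesla; UPX; .NET EXE; KeyLogger; IP Check; Tofsee
Hosts (2): api.ipify.org (173.231.16.76); 64.185.227.156
IDS alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 12.8 | Detections: 39

Record 10455 | 2023-07-08 14:03 | Submitter: ZeroCERT
Sample: rcoekta.exe | MD5: a4341997cbad7d63be6f3a07b9783804
Tags: RedLine Infostealer; UPX; Confuser .NET; .NET EXE; RedLine; Tofsee; Stealer
URLs (1): -
Hosts (3): api.ip.sb (104.26.12.31); 104.211.55.2; 104.26.12.31
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE RedLine Stealer TCP CnC net.tcp Init
Score: 7.4 | Detections: 42
"""

HEADER_RE = re.compile(r"^Record (\d+) \| (\S+ \S+) \| Submitter: (.+)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
# Assumed: public "what is my IP" services the samples call before C2 (the
# "IP Check" tag). Their addresses are shared infrastructure, not IOCs.
IP_LOOKUP_HOSTS = {"api.ipify.org", "api.ip.sb"}


def _split_list(value):
    return [i.strip() for i in value.split(";") if i.strip() not in ("", "-")]


def parse_records(text):
    """Parse listing text into one dict per record; reject a malformed header."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if header is None:
            raise ValueError(f"bad record header: {lines[0]!r}")
        rec = {"id": int(header.group(1)), "date": header.group(2),
               "submitter": header.group(3), "md5": None, "score": None,
               "detections": None, "tags": [], "urls": [], "hosts": [], "alerts": []}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # first colon ends the field name
            key = re.sub(r"\s*\(\d+\)$", "", key.strip())  # drop the "(n)" count
            value = value.strip()
            if key == "Sample":
                md5 = MD5_RE.search(value)
                rec["md5"] = md5.group(0) if md5 else None
            elif key in ("Tags", "URLs", "Hosts"):
                rec[key.lower()] = _split_list(value)
            elif key == "IDS alerts":
                rec["alerts"] = _split_list(value)
            elif key == "Score":
                rec["score"] = float(value.split("|")[0])
                det = re.search(r"Detections:\s*(\d+)", value)
                rec["detections"] = int(det.group(1)) if det else None
        records.append(rec)
    return records


def network_iocs(records):
    """Distinct IPv4 addresses from hosts and URLs, minus every address the
    listing itself resolves for an IP-lookup service. The exclusion set is
    built across all records because an address often appears bare in one
    record and next to its hostname in another."""
    lookup_ips, candidates = set(), set()
    for rec in records:
        for host in rec["hosts"]:
            name = host.split(" ", 1)[0]
            target = lookup_ips if name in IP_LOOKUP_HOSTS else candidates
            target.update(IP_RE.findall(host))
        for url in rec["urls"]:
            candidates.update(IP_RE.findall(url))
    return sorted(candidates - lookup_ips)


def alert_prevalence(records):
    """Number of records each IDS alert fired on."""
    counts = Counter()
    for rec in records:
        counts.update(set(rec["alerts"]))
    return counts


def ubiquitous_alerts(records):
    """Alerts that fired on every record. On this listing the SSLBL Tofsee JA3
    alert fires on samples tagged RedLine and AgentTesla alike, so it carries
    no family attribution by itself; triage on the family-specific alerts."""
    counts = alert_prevalence(records)
    return sorted(alert for alert, n in counts.items() if n == len(records))
```

Run over the four constructed records, `network_iocs` keeps 5.42.92.122, 104.211.55.2 and 172.67.75.172 and drops 104.26.12.31, 64.185.227.156 and 173.231.16.76, two of which only appear bare in the record that contacted them and are classified from another record's hostname column; `ubiquitous_alerts` returns only the SSLBL Tofsee JA3 signature, which on this page accompanies RedLine, AgentTesla, RTF exploit and miner-downloader entries alike.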