| 10486 |
2023-07-06 17:52
|
nellyzx.doc 492aadf83dc7f018a4328b5d6aed4123
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
4
http://87.121.221.212/nellyzx.exe
http://www.peakvitality.fitness/4hc5/?t8o8st4=W/W+8rYxIgDgggSMCytYm4ri5HsaGcVF//CEQu0DDbz3cDBh1uElJfFB50+79abvTN88UVSG&kPm0q=K4k0
http://www.iqixuehe.com/4hc5/?t8o8st4=+hA7uXL+iFWMHvVtph1HMOS2s85bj4EjFJ9ovq6HPQt8uRBOeiVqbJ7wPA3vouoHcQN2o/wJ&kPm0q=K4k0
http://www.beautybylily.com/4hc5/?t8o8st4=MqvaHSSV8oN+vNWbfUGI924kp/mguzn2YR77kQ5CKAgXn0WC51rbei1V1WBfgd8qyNRHjW83&kPm0q=K4k0
|
7
www.peakvitality.fitness(23.227.38.74) -
www.iqixuehe.com(154.205.127.201) -
www.beautybylily.com(104.21.53.238) -
172.67.220.5 -
23.227.38.74 -
87.121.221.212 -
154.205.127.201 -
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
4.4 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10487 |
2023-07-06 17:50
|
 ibm_Centos.exe 96747c013d4d5da97af5acb7bce91c33
NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76) -
173.231.16.76 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10488 |
2023-07-06 17:49
|
 secslimzx.exe 009dfe5001a2a856a2d15bbb01a1b8a3
AgentTesla PWS KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76) -
173.231.16.76 -
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
|
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10489 |
2023-07-06 17:46
|
 ExtraSofts_Setup-x64.msix a97c344d176ed2c809ee89f9dada5a42
ZIP Format VirusTotal Malware |
|
|
|
|
0.6 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10490 |
2023-07-06 17:45
|
simox.vbs 6cf4d1674599d213e31c9aa3b9572174
LokiBot Generic Malware Antivirus Socket PWS DNS Hide_URL AntiDebug AntiVM PowerShell Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
4
http://cryptersandtools.minhacasa.tv/e/e - rule_id: 34895
http://cryptersandtools.minhacasa.tv/e/e
http://79.110.49.55/simolz.txt
http://tetiquila.me/sirmomo/five/fre.php
|
5
cryptersandtools.minhacasa.tv(177.106.216.53) -
tetiquila.me(104.21.53.231) -
104.21.53.231 -
79.110.49.55 -
177.106.216.53 -
|
8
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET HUNTING EXE Base64 Encoded potential malware
|
1
http://cryptersandtools.minhacasa.tv/e/e
|
10.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10491 |
2023-07-06 17:05
|
 Wllcsochcbi.exe 45dce82d48aaae2c56cf79f3cc4be96d
Generic Malware UPX .NET framework(MSIL) Antivirus AntiDebug AntiVM .NET EXE PE File PE32 PowerShell Malware download VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Iprkfcbtfyj.wav
|
2
77.88.21.158 -
23.137.249.127 -
|
3
ET MALWARE PE EXE or DLL Windows file download disguised as ASCII
ET MALWARE PE EXE or DLL Windows file download Text M2
ET HUNTING [TW] Likely Hex Executable String
|
|
17.8 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10492 |
2023-07-06 17:02
|
 catzx.exe 8ff79ca4985e0adae1a132ec02ac10ab
Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(64.185.227.156) -
smtp.yandex.com(77.88.21.158) -
64.185.227.156 -
77.88.21.158 -
|
3
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
15.0 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10493 |
2023-07-06 15:47
|
 setup294.exe cadf44b7edefc154b772ab4000d7f694
UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution crashed |
|
|
|
|
3.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10494 |
2023-07-06 14:25
|
 Invoice_20-28_18846.pdf dd6414d53a9546ba886e9b88e1660f87
PDF Suspicious Link PDF |
|
|
|
|
|
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10495 |
2023-07-06 13:33
|
 prosperzx.exe f754f9da84951f3c00646cc572d7de45
.NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.4 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10496 |
2023-07-06 11:13
|
File_pass1234.7z 6f19b6cd920a34b60b5a59f2f20746b6
UPX Malicious Library Escalate priviledges PWS KeyLogger AntiDebug AntiVM PE File PE64 RedLine Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS Downloader |
38
http://208.67.104.60/api/firegate.php - rule_id: 34253
http://208.67.104.60/api/firegate.php
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
http://zzz.fhauiehgha.com/m/okka25.exe
http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
http://aa.imgjeoogbb.com/check/safe
http://176.113.115.84:8080/4.php - rule_id: 34795
http://176.113.115.84:8080/4.php
http://95.214.25.233:3002/ - rule_id: 34794
http://95.214.25.233:3002/
http://apps.identrust.com/roots/dstrootcax3.p7c
http://77.91.124.31/gallery/photo270.exe - rule_id: 34796
http://77.91.124.31/gallery/photo270.exe
http://45.66.230.164/g.exe - rule_id: 34813
http://45.66.230.164/g.exe
http://www.maxmind.com/geoip/v2.1/city/me
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://208.67.104.60/api/tracemap.php
http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
http://us.imgjeoigaa.com/sts/imagc.jpg
http://aa.imgjeoogbb.com/check/?sid=350540&key=0a18d2181acd6532bf70a66142dc16a0 - rule_id: 34651
http://aa.imgjeoogbb.com/check/?sid=350540&key=0a18d2181acd6532bf70a66142dc16a0
http://85.208.136.10/api/tracemap.php - rule_id: 32662
http://85.208.136.10/api/tracemap.php
https://camoverde.pw/setup294.exe
https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
https://vk.com/doc808950829_663371568?hash=nCbeQhSdektZCklmCq7XtG48Ee60nv8DORi9fErSJWH&dl=TYjpYtrURbaoeiox6ukI3zcdJlSPMzTTZwoXzpHEm48&api=1&no_preview=1#rise_test
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://vk.com/doc808950829_663648937?hash=eKai4FYeayZCAEjqzlxZ2gWz79KxiwUMuktQ4fZ6rr0&dl=8PltKcE2IQ6oZHvv1IHsdh8qZWM237x2z5umRu20Q5L&api=1&no_preview=1
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
https://sun6-21.userapi.com/c909618/u808950829/docs/d15/55b2d56c0cdb/WWW1.bmp?extra=LNvJInvcwbEIMsFVEEAn-sruvZLSPLsZ0csa6zoRoJnFOzu5bL_VsP_UlvV0osoFJLByZOzMVdl5mGWRHSDUkmAfxnPZJCC2Na2s-5d633NzeLL8eitoPbDh5O2gUxZAiv2_WD6GGb9_ekgfaA
https://db-ip.com/
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
https://sun6-21.userapi.com/c909618/u808950829/docs/d11/868beb0af33d/3kqwpj3h.bmp?extra=JyCyDG6PFHazUQR0xfP2b1kHp8syIWsC-VEvsQPMUXF14_5CBCtyBObjKu16HaFrJpcXz6RdM4NUQUA7AT7sFQPaNk-kP6fjCJHI-6ei6gbMpdGkitmEut9L_e3922pXGgK44PdThWMcmjfhJg
https://vk.com/doc808950829_663496587?hash=9HBIzrbBWHKqUnGhHt30dMcZIm1RpmRRZBzZ89JCfGw&dl=JRIT3v6zzNFrou8UYI02dSfdibpUzCLo9YvFXREFvCT&api=1&no_preview=1
|
37
db-ip.com(172.67.75.166) -
iplis.ru(148.251.234.93) -
hugersi.com(91.215.85.147) -
camoverde.pw(172.67.128.35) -
sun6-21.userapi.com(95.142.206.1) -
zzz.fhauiehgha.com(156.236.72.121) -
ipinfo.io(34.117.59.81) -
aa.imgjeoogbb.com(154.221.26.108) -
api.myip.com(172.67.75.163) -
www.maxmind.com(104.17.214.67) -
api.db-ip.com(104.26.5.15) -
vk.com(87.240.132.72) -
us.imgjeoigaa.com(103.100.211.218) -
148.251.234.93 -
146.59.161.7 -
87.240.137.164 -
91.215.85.147 -
208.67.104.60 -
45.12.253.74 -
172.67.75.163 -
154.221.26.108 -
194.26.135.162 -
85.208.136.10 -
157.254.164.98 -
34.117.59.81 -
176.113.115.84 -
104.21.0.171 -
45.66.230.164 -
104.17.214.67 -
95.214.25.233 -
156.236.72.121 -
104.26.4.15 -
163.123.143.4 -
95.142.206.1 -
121.254.136.27 -
77.91.124.31 -
103.100.211.218 -
|
19
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
|
12
http://208.67.104.60/api/firegate.php
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe
http://aa.imgjeoogbb.com/check/safe
http://176.113.115.84:8080/4.php
http://95.214.25.233:3002/
http://77.91.124.31/gallery/photo270.exe
http://45.66.230.164/g.exe
http://208.67.104.60/api/tracemap.php
http://us.imgjeoigaa.com/sts/imagc.jpg
http://aa.imgjeoogbb.com/check/
http://85.208.136.10/api/tracemap.php
|
7.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10497 |
2023-07-06 11:09
|
 haitianzx.exe b7933e126bd2fadfae8d36319c9e9e26
RedLine Infostealer UltraVNC UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
6.0 |
|
49 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10498 |
2023-07-06 10:59
|
 tonyspecialzx.exe b4df3d7f0826501829e1a03991e1fe81
AgentTesla Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
13.0 |
|
33 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10499 |
2023-07-06 10:51
|
 tonyspecialzx.exe b4df3d7f0826501829e1a03991e1fe81
Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
|
|
|
14.0 |
|
33 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10500 |
2023-07-06 10:22
|
 ENL.exe 6bbf5d0c83cb7c0f014c903367e81952
PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
4
mail.awelleh3.top(185.198.59.26)
api.ipify.org(104.237.62.211)
173.231.16.76
185.198.59.26 - mailcious
|
4
ET DNS Query to a *.top domain - Likely Hostile
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|