10936 | 2023-08-07 09:34
File: snow.exe (MD5 e0c895fc97263d8424dcc9946184f476)
Tags: Generic Malware .NET framework(MSIL) Antivirus PWS KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (4):
  api.ipify.org(64.185.227.156)
  api.telegram.org(149.154.167.220)
  64.185.227.156
  149.154.167.220
Signatures (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Telegram API Domain in DNS Lookup
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
13.6 | M | 45 | ZeroCERT

10937 | 2023-08-07 09:33
File: shellcommand.ps1 (MD5 578bed560ab7fb3eb7de6c8e4d468975)
Tags: Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
1.6 | | 15 | ZeroCERT

10938 | 2023-08-07 09:32
File: Gammatraff.exe (MD5 120cbb2cca4d4036d54253165cd428d5)
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB Remote Code Execution
2.4 | M | 55 | ZeroCERT

10939 | 2023-08-07 09:30
File: pcr.exe (MD5 bca6e394222e591240d968c68e6ebfc0)
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware Checks debugger suspicious TLD DNS
URLs (1):
  http://AEQhVH.nasongle.t34gs1x.top/cc.txt
Hosts (2):
  aeqhvh.nasongle.t34gs1x.top(104.21.39.183)
  104.21.39.183 - malware
Signatures (2):
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
2.2 | M | 53 | ZeroCERT

10940 | 2023-08-07 09:30
File: ekr8L6VCw7MAc.exe (MD5 7266d01b13259f70486280871f90a845)
Tags: Malicious Library PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself
2.2 | M | 33 | ZeroCERT

10941 | 2023-08-07 09:28
File: dm2f1807b2.exe (MD5 c94eff4a0c5bdac49eaba7dd5136ef85)
Tags: Gen1 UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE32 DLL OS Processor Check GIF Format VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Checks debugger Creates shortcut Creates executable files unpack itself AppData folder Windows ComputerName NetSupport
URLs (1):
  http://geo.netsupportsoftware.com/location/loca.asp
Hosts (4):
  geo.netsupportsoftware.com(51.142.119.24)
  Dmforinenam18.com()
  Dmforinenam17.com()
  62.172.138.67
Signatures (1):
  ET POLICY NetSupport GeoLocation Lookup Request
6.2 | | 35 | ZeroCERT

10942 | 2023-08-07 09:28
File: Setup1234.exe (MD5 8d149876b8a3aae84aacaac5a70b4f20)
Tags: North Korea Generic Malware UPX .NET framework(MSIL) Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer Http API HTTP ScreenShot Internet API AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications sandbox evasion installed browsers check Ransomware Lumma Stealer Browser ComputerName Firmware
URLs (3):
  http://gstatic-node.io/ - rule_id: 35379
  http://gstatic-node.io/c2sock - rule_id: 35381
  http://gstatic-node.io/c2conf - rule_id: 35380
Hosts (2):
  gstatic-node.io(172.67.204.199) - mailcious
  172.67.204.199 - mailcious
Signatures (1):
  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
URLs, second list (3):
  http://gstatic-node.io/
  http://gstatic-node.io/c2sock
  http://gstatic-node.io/c2conf
13.0 | M | 36 | ZeroCERT

10943 | 2023-08-07 09:24
File: C3.exe (MD5 113206f6a06da35df94d8cd455b3091c)
Tags: Redline RedLine stealer Emotet Generic Malware .NET framework(MSIL) Admin Tool (Sysinternals etc ...) UPX WinRAR Malicious Library Antivirus PWS AntiDebug AntiVM BitCoin .NET EXE PE File PE32 ZIP Format OS Processor Check DLL Browser Info Stealer RedLine FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW installed browsers check Tofsee Ransomware Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://94.131.105.161:1337/ - rule_id: 35603
  https://api.ip.sb/geoip
Hosts (9):
  myip.opendns.com()
  api.ip.sb(172.67.75.172)
  resolver1.opendns.com(208.67.222.222)
  yello9erylanguage.gromovananii199.repl.co(35.186.245.55) - mailcious
  194.59.218.160
  172.67.75.172 - mailcious
  208.67.222.222
  94.131.105.161 - mailcious
  35.186.245.55 - phishing
Signatures (9):
  ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound
  ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
  SURICATA HTTP unable to match response to request
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
URLs, second list (1):
  http://94.131.105.161:1337/
20.2 | M | 55 | ZeroCERT

10944 | 2023-08-07 09:16
File: Rendestene.doc (MD5 f4c7f6f75b0bd401889447acb3d9c91b)
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (3):
  http://geoplugin.net/json.gp
  http://64.188.25.4/harVkpqND3.bin
  http://2.59.254.18/_errorpages/Rendestene.exe
Hosts (5):
  geoplugin.net(178.237.33.50)
  178.237.33.50
  64.188.25.4
  194.59.218.160
  2.59.254.18 - malware
Signatures (7):
  ET MALWARE Generic .bin download from Dotted Quad
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET JA3 Hash - Remcos 3.x TLS Connection
4.6 | M | 32 | ZeroCERT

10945 | 2023-08-07 09:14
File: Xmqgijbudgv.exe (MD5 c5b41042c6a47872025836fcce77e1bc)
Tags: UPX .NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
4.6 | M | 42 | ZeroCERT

10946 | 2023-08-07 09:13
File: faman.exe (MD5 aa836df733f834e30eb28e3125b4c927)
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection unpack itself suspicious process AppData folder Remote Code Execution
2.8 | M | | ZeroCERT

10947 | 2023-08-07 09:12
File: 4XXR.exe (MD5 860c75c9a9ccf966c422e197f4c60c1e)
Tags: Emotet Generic Malware Downloader UPX WinRAR Malicious Library Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM OS Process VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Firewall state off Windows ComputerName Remote Code Execution Cryptographic key crashed
12.0 | | 47 | ZeroCERT

10948 | 2023-08-07 09:11
File: O77vNQG6.exe (MD5 90e1482208611ebf4b36413d6bf05f42)
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 JPEG Format VirusTotal Malware AutoRuns PDB Check memory unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Interception Windows ComputerName
URLs (2):
  http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/cred64.dll
  http://xyl.lat/2BfwEnWXSKj6KgTm/Plugins/clip64.dll
Hosts (1):
7.6 | M | 49 | ZeroCERT

10949 | 2023-08-07 09:10
File: akh.exe (MD5 1ead0eed2841266723e332cb9144a808)
Tags: Emotet Gen1 UPX Malicious Library .NET EXE PE File PE32 MZP Format DLL PE64 OS Processor Check CHM Format VirusTotal Malware MachineGuid Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName crashed
Hosts (2):
  iplogger.com(148.251.234.93) - mailcious
  148.251.234.93 - mailcious
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.6 | M | 52 | ZeroCERT

10950 | 2023-08-07 09:07
File: bullionzx.doc (MD5 7d132a7e0881ce43b5f5e89d9710d3a2)
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (1):
  http://2.59.254.18/_errorpages/bullionzx.exe
Hosts (1):
Signatures (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.6 | M | 36 | ZeroCERT