10966 | 2023-08-07 08:50
Documents-EnemyFrauz.exe | a490f1848b792df4dc37c9e1b200578d
UPX Malicious Library Socket Http API ScreenShot Code injection Internet API AntiDebug AntiVM OS Processor Check PE64 PE File Browser Info Stealer Malware download Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Code Injection Check memory Checks debugger buffers extracted Creates shortcut ICMP traffic Windows utilities Detects VirtualBox suspicious process IP Check installed browsers check Tofsee Ransomware MeduzaStealer Stealer Windows Browser Email ComputerName Trojan Banking DNS
Hosts (3):
  api.ipify.org(64.185.227.156)
  173.231.16.76
  89.208.103.63
Alerts (4):
  ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Protocol detection skipped
17.6 | M | | ZeroCERT

10967 | 2023-08-07 08:50
ChromeSetup.exe | 4268288fb3dbf0b63cf0836a4201135d
Malicious Library PE File PE32 PDB Remote Code Execution
1.2 | M | | ZeroCERT

10968 | 2023-08-07 08:45
key.exe | 8d3c4b58a9943431b824df429088f51e
Suspicious_Script_Bin UPX OS Processor Check .NET EXE PE File PE32 suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName
2.6 | M | | ZeroCERT

10969 | 2023-08-07 08:45
RunPEx64.exe | d9242e75177504019e7c8a78b0f705f2
UPX Malicious Library OS Processor Check PE File PE32 PDB Tofsee Discord DNS
URLs (1): https://cdn.discordapp.com/attachments/1129151671843426358/1133375078348882013/Roblox.exe
Hosts (2):
  cdn.discordapp.com(162.159.135.233) - malware
  162.159.134.233 - malware
Alerts (3):
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
0.2 | M | | ZeroCERT

10970 | 2023-08-07 08:43
ChromeSetup.exe | 934834b62d84d90afd7bb755aa12ad81
LokiBot Socket PWS DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software
URLs (1): http://194.55.224.9/fresh1/five/fre.php
Hosts (1): (none listed)
Alerts (7):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
13.8 | M | 47 | ZeroCERT

10971 | 2023-08-07 08:43
6dWHunZZcpnEo.exe | 11de7138a9df2d5bbfeb112f8d20f2df
Malicious Library PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself DNS
Hosts (1): (none listed)
3.2 | M | 42 | ZeroCERT

10972 | 2023-08-07 08:41
demon.x64.exe | 9f395db62d14a0ef40d90404de9e6a9c
Generic Malware PE64 PE File VirusTotal Malware Malicious Traffic unpack itself Sliver DNS
URLs (2):
  https://157.245.47.66/test.txt
  https://157.245.47.66/funny_cat.gif
Hosts (1): (none listed)
Alerts (1): ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
3.4 | M | 43 | ZeroCERT

10973 | 2023-08-07 08:40
demon.dll | c9e6e4d394d7452b79351028c4da0cac
Generic Malware DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself DNS
Hosts (1): (none listed)
2.4 | M | 40 | ZeroCERT

10974 | 2023-08-07 08:38
BRRR.exe | 353479441f9bc398f6fe46feb7740985
Themida Packer UPX Malicious Library Anti_VM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
Hosts (1): 95.143.190.57 - mailcious
Alerts (1): ET MALWARE Arechclient2 Backdoor CnC Init
11.0 | M | 42 | ZeroCERT

10975 | 2023-08-07 08:38
demosyscalls.exe | e3f125e7cc88a1c53cc68e1bcb273191
Generic Malware PE64 PE File VirusTotal Malware Malicious Traffic unpack itself Sliver DNS
URLs (2):
  https://157.245.47.66/test.txt
  https://157.245.47.66/funny_cat.gif
Hosts (1): (none listed)
Alerts (1): ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
4.0 | M | 43 | ZeroCERT

10976 | 2023-08-07 08:36
foto5566.exe | c5f81f9b7d05d70a0a105b06fc16ce31
Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515
  http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516
  http://77.91.68.61/rock/index.php - rule_id: 35495
Hosts (2):
  77.91.68.61 - malware
  77.91.124.156 - mailcious
Alerts (11):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE Redline Stealer Activity (Response)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
URLs (3):
  http://77.91.68.61/rock/Plugins/cred64.dll
  http://77.91.68.61/rock/Plugins/clip64.dll
  http://77.91.68.61/rock/index.php
16.0 | M | | ZeroCERT

10977 | 2023-08-07 08:36
demon1.dll | e9d5c93dddcbd74935f1532560ae89e8
Generic Malware DLL PE64 PE File VirusTotal Malware Checks debugger unpack itself
1.4 | M | 23 | ZeroCERT

10978 | 2023-08-07 08:36
fotod250.exe | 08141df58f30575861b2c703dc47c3a9
Gen1 Emotet Amadey SmokeLoader RedLine Infostealer RedLine stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer .NET framework(MSIL) Confuser .NET AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (7):
  http://77.91.68.1/smo/du.exe
  http://77.91.68.61/rock/index.php - rule_id: 35495
  http://77.91.68.1/new/foto5566.exe
  http://77.91.68.61/rock/Plugins/clip64.dll - rule_id: 35516
  http://77.91.68.1/new/fotod250.exe
  http://77.91.68.61/rock/Plugins/cred64.dll - rule_id: 35515
  http://77.91.68.3/fuzz/faman.exe
Hosts (4):
  77.91.68.61 - malware
  77.91.68.3 - malware
  77.91.68.1 - malware
  77.91.124.156 - mailcious
Alerts (15):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET MALWARE Redline Stealer Activity (Response)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
URLs (3):
  http://77.91.68.61/rock/index.php
  http://77.91.68.61/rock/Plugins/clip64.dll
  http://77.91.68.61/rock/Plugins/cred64.dll
18.4 | M | | ZeroCERT

10979 | 2023-08-07 08:35
winPEASx64_ofs.exe | 13876e0c6728fb1cbefe79fcc7315e70
North Korea Generic Malware UPX Malicious Packer Antivirus OS Processor Check PE64 PE File MachineGuid Check memory Checks debugger unpack itself ComputerName
1.2 | M | | ZeroCERT

10980 | 2023-08-07 08:32
wininit.exe | 87c5e0323049fb19c46cba988f525038
NSIS UPX Malicious Library PE File PE32 DLL VirusTotal Malware AppData folder DNS
Hosts (1): (none listed)
2.4 | M | 41 | ZeroCERT