11041 | 2023-08-03 10:14 | Regasm.exe 11918dee7fc7db0c4b2c9bee96e9f9d9 UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder | | | | | 2.4 | | 21 | ZeroCERT
11042 | 2023-08-03 10:14 | yPcjvliXpKoFFc.exe 8e285d434922e63d303da4e3639fe13c Malicious Library PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself | | | | | 2.2 | M | 21 | ZeroCERT
11043 | 2023-08-02 20:51 | dx9_overlay.dll b820ca941ae4e895d4e172de1605a1fd UPX Malicious Library OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Check memory crashed | | | | | 1.0 | M | 2 | ZeroCERT
11044 | 2023-08-02 20:51 | data64_2.exe 6cd65c568257694ab3ec9912419d202e UPX AntiDebug AntiVM .NET EXE PE File PE32 GIF Format VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows ComputerName Remote Code Execution | | | | | 10.8 | | 30 | ZeroCERT
11045 | 2023-08-02 17:09 | taskmaskamd.exe 89e9bc7a5d97370a0f4a35041a54a696 Amadey Themida Packer UPX Malicious Library MPRESS Admin Tool (Sysinternals etc ...) PWS SMTP AntiDebug AntiVM PE File PE32 PE64 OS Processor Check JPEG Format Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder WriteConsoleW human activity check installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | 6 http://45.15.156.208/jd9dd3Vw/index.php?scr=1 - rule_id: 35315; http://45.15.156.208/jd9dd3Vw/index.php - rule_id: 35315; https://api.ip.sb/ip; http://194.180.49.153/udp/taskmask.exe; http://194.180.49.153/udp/rdpcllp.exe; http://194.180.49.153/udp/taskhostclp.exe | 6 second.amadgood.com() - mailcious; api.ip.sb(104.26.12.31) 45.15.156.208 - mailcious; 104.26.12.31; 128.199.192.86; 194.180.49.153 - malware | 12 ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET INFO Packed Executable Download SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Amadey Bot Activity (POST) M1 | 2 http://45.15.156.208/jd9dd3Vw/index.php http://45.15.156.208/jd9dd3Vw/index.php | 20.6 | M | 47 | ZeroCERT
11046 | 2023-08-02 17:06 | rdpcllp.exe 768200a76def472e675539094047bed9 Themida Packer UPX Admin Tool (Sysinternals etc ...) PE64 PE File VirusTotal Malware unpack itself Windows Remote Code Execution crashed | | | | | 3.0 | M | 37 | ZeroCERT
11047 | 2023-08-02 17:04 | x-admins.exe 1bdfa5d4db8f961fb85677c4d8bb64f4 UPX PE File PE32 VirusTotal Malware Check virtual network interfaces Tofsee Windows keylogger | 5 http://apps.identrust.com/roots/dstrootcax3.p7c; https://nodejs--veyynveyynov.repl.co/file/epn.html; https://nodejs--veyynveyynov.repl.co/file/1.mp3; https://nodejs--veyynveyynov.repl.co/file/3.mp3; https://nodejs--veyynveyynov.repl.co/file/dx9_overlay.dll | 3 nodejs--veyynveyynov.repl.co(35.186.245.55) - malware 121.254.136.27; 35.186.245.55 - phishing | 1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.2 | M | 21 | ZeroCERT
11048 | 2023-08-02 17:04 | obizx.exe 745174884165278ca284212180544a17 Formbook .NET framework(MSIL) AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | 1 http://www.danielcavalari.com/oy30/?pPX=Vg+S4qFzPgZ9NO0CSJ2zugEiewt0R6YcxRZqvw1MHs0SRmIRL/ojjp2XbPjlW7/B/VD/z/nS&1bj=jlNDpj_hi | 4 www.thundershorts.com() www.danielcavalari.com(34.149.87.45) www.dhikaedwina.com() 34.149.87.45 - phishing | 1 ET MALWARE FormBook CnC Checkin (GET) | | 8.2 | M | 29 | ZeroCERT
11049 | 2023-08-02 17:02 | texaszx.exe 4a42f9817aaaee146c4454259baf1333 PWS KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName Software crashed | | 2 api.ipify.org(173.231.16.76) 104.237.62.211 | 2 ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 10.2 | M | 21 | ZeroCERT
11050 | 2023-08-02 17:01 | texaszx.doc 4988698644f51b49860d75366bd0da92 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed | 1 http://2.59.254.18/_errorpages/texaszx.exe | 3 api.ipify.org(173.231.16.76) 2.59.254.18 - malware; 104.237.62.211 | 7 ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 4.6 | M | 18 | ZeroCERT
11051 | 2023-08-02 17:00 | obizx.doc 0ca8f60433aa28b78dc0d301b7884df3 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed | 2 http://www.jaimesinstallglass.com/oy30/?XrFHaDmP=samObAgc8fRSmgyt46cUeNvYftGh2TWlU43Ytmna9VgcgVwYxUKhDBM5jVUDC37CPtwfSBl2&Dzut_N=3fX0; http://2.59.254.18/_errorpages/obizx.exe | 4 www.jaimesinstallglass.com(34.102.136.180); www.dhikaedwina.com() 34.102.136.180 - mailcious; 2.59.254.18 - malware | 5 ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 4.6 | M | 30 | ZeroCERT
11052 | 2023-08-02 17:00 | Invoice_RVSJKAM02GH_pdf.lnk ca4756de93f1356c73c37d5ce1e64405 GIF Format Malware download VirusTotal Email Client Info Stealer Malware VBScript Creates shortcut unpack itself Check virtual network interfaces WriteConsoleW Email DNS | 1 http://192.155.91.72:5000/ | 1 | 2 ET INFO Dotted Quad Host VBS Request ET MALWARE Possible Malicious Invoice EXE | | 3.0 | M | 4 | ZeroCERT
11053 | 2023-08-02 16:59 | taskmask.exe f8f7c8c4cc25ba49c5b591aab8bfdc04 UPX Malicious Library PWS SMTP AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces WriteConsoleW installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | 1 | 3 api.ip.sb(172.67.75.172) 172.67.75.172 - mailcious 128.199.192.86 | 3 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 13.2 | | 39 | ZeroCERT
11054 | 2023-08-02 16:57 | fntWRciEqcSHEdy.exe 319bc79bf9d98e769dbb2c3a5140524b Malicious Library PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 1.8 | M | 18 | ZeroCERT
11055 | 2023-08-02 16:57 | j1neaa.bat 1551e43ba5cc0468ffa4d54d29870ac0 Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key | | | | | 4.0 | | | ZeroCERT