11146 | 2023-07-28 17:43 | iiis12211221.iso 4406fceeb2803aebc2345867a9ae292c UPX Malicious Library OS Processor Check DLL PE64 PE File VirusTotal Malware PDB Checks debugger crashed | | | | | 1.2 | | 3 | ZeroCERT
11147 | 2023-07-28 17:41 | 1751181521.exe 3ceea9ca97ab640b53ce77eccb5da1fd UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | | (2) 5.252.178.30 94.228.169.160 | (5) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) | | 6.6 | | 43 | ZeroCERT
11148 | 2023-07-28 17:40 | postmon.exe 8bdd901591eb90456ad781e3c79bb4ad Generic Malware UPX Malicious Library Malicious Packer Antivirus OS Processor Check PE File PE32 PowerShell Malware download VirusTotal Malware powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows ComputerName Remote Code Execution DNS Cryptographic key Downloader | (10) http://elturky.net/ERP/public/js/cc4.exe http://38.180.1.27/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=HnTgSX1R - rule_id: 34768 http://elturky.net/ERP/public/js/cc5.exe http://elturky.net/ERP/public/js/cc3.php http://elturky.net/ERP/public/js/debug2.ps1 http://elturky.net/ERP/public/js/cc3.exe http://elturky.net/ERP/public/js/dd_64.exe http://elturky.net/ERP/public/js/cc2.php http://elturky.net/ERP/public/js/cc1.php http://elturky.net/ERP/public/js/cc2.exe | (3) elturky.net(68.178.227.97) - malware 68.178.227.97 - malware 38.180.1.27 - mailcious | (2) ET INFO PS1 Powershell File Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | (1) http://38.180.1.27/index.php | 10.0 | M | 57 | ZeroCERT
11149 | 2023-07-28 17:39 | videoLan.exe 62472c78b3ab085422418e49dd2aa11c PE64 PE File VirusTotal Cryptocurrency Miner Malware Cryptocurrency unpack itself | | (2) mine.bmpool.org(5.252.178.30) - mailcious 5.252.178.30 | (1) ET POLICY Cryptocurrency Miner Checkin | | 2.0 | | 41 | ZeroCERT
11150 | 2023-07-28 17:34 | resource2.exe 8f271cac1a0930295f3a9355008729f4 Vidar LokiBot Gen1 UPX Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer PWS AntiDebug AntiVM BitCoin .NET EXE PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName DNS Software | (5) http://116.202.188.78/pack.zip http://116.202.188.78/ http://116.202.188.78/591cfdea51c58732cfc74c03a6ae659b https://steamcommunity.com/profiles/76561199529242058 - rule_id: 35413 https://t.me/dastantim | (5) t.me(149.154.167.99) - mailcious steamcommunity.com(184.87.111.197) - mailcious 149.154.167.99 - mailcious 104.88.222.199 116.202.188.78 | (4) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host ZIP Request ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (1) https://steamcommunity.com/profiles/76561199529242058 | 19.6 | M | 39 | ZeroCERT
11151 | 2023-07-28 17:34 | 777888_2023-07-27_17-35.exe 0a8d5dd535e009d4109c690be03bb0c1 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution | | | | | 2.2 | M | 46 | ZeroCERT
11152 | 2023-07-28 17:30 | 22222.exe d42a28aa817408fdfeb8f26528521253 RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET OS Processor Check .NET EXE PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | | (1) | (5) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) | | 6.2 | M | 48 | ZeroCERT
11153 | 2023-07-28 17:28 | cred64.dll ad29bf6fe83170168693e9a8b2707b58 Browser Login Data Stealer UPX Malicious Library OS Processor Check DLL PE64 PE File VirusTotal Malware PDB Checks debugger installed browsers check Browser ComputerName crashed | | | | | 2.4 | M | 56 | ZeroCERT
11154 | 2023-07-28 17:27 | wininit.exe a0bfccb8cc68d350b02287d70507e70d NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware suspicious privilege Check memory Creates executable files unpack itself AppData folder suspicious TLD DNS | (11) http://www.venusoutfitters.com/egtq/ http://www.ionbet88s.top/egtq/ http://www.ionbet88s.top/egtq/?aO=JpbngjiX6O9g3ygRoA4H1UbRh4cNSG6rKa2sZMHI38JPoS8sDChuKI7wn0j5oSg+PVRxv5HG+vHHa6u8dIR+bPRFSMXfcXnRdl9nJjk=&SWD__T=KKmxdR_Mh8yQsLY3 http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zip http://www.18openai.com/egtq/?aO=BEFxgyEhfwgGN5USHx2zrNUqAIC83z3/D0cA5Mihd1ofFN8Iz71zyO++mpZ3G1shHvRyqvcTqr8AVxBqNInK/d3Y2zubNQdlXVdEQ9s=&SWD__T=KKmxdR_Mh8yQsLY3 http://www.creditworld.online/egtq/?aO=461q18RMOxDnaqNJkfUvY5IkWUicQOOUykzcHkGDr0ojiLNEzcqHfSdPNleOyJBeadYyul1KhY7SHM+u3o5PCPusFJY9E0Tu3vQ30G0=&SWD__T=KKmxdR_Mh8yQsLY3 http://www.venusoutfitters.com/egtq/?aO=AG/8kS8hRI7iSvIQVXo4bLIk8R036qZtlLK3QEpyWmEDwEtJlP4N3V8/1EyQAIIfeNFCTAf3Fb8poTCACfVw9c6yosc2Tpj7usW0+/E=&SWD__T=KKmxdR_Mh8yQsLY3 http://www.18openai.com/egtq/ http://www.fumart.info/egtq/?aO=fw90bLaqAcmFERwnqJAYPoE2BeWi5Uid+2aFH0/PJfU3kufJIFUcu6PL/Pz6bf1s8lPkFRRtp+LRMBkR5Fml0evqjrgFZcXS4OlyoU0=&SWD__T=KKmxdR_Mh8yQsLY3 http://www.creditworld.online/egtq/ http://www.fumart.info/egtq/ | (14) www.ionbet88s.top(91.195.240.123) www.creditworld.online(66.235.200.146) www.venusoutfitters.com(154.26.204.85) www.3ycgf7x2.com(156.235.147.223) www.letsyogabarcelona.com() www.fumart.info(203.161.55.148) www.18openai.com(206.233.135.199) 66.235.200.146 - malware 203.161.55.148 206.233.135.199 156.235.147.223 45.33.6.223 91.195.240.123 - mailcious 154.26.204.85 | (2) ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain | | 6.0 | M | 47 | ZeroCERT
11155 | 2023-07-28 17:27 | damianozx.doc f69ceb677edfd92ee1cececc01fcfeba MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed | (1) http://185.246.220.85/damianozx.exe | (3) api.ipify.org(173.231.16.76) 185.246.220.85 - mailcious 64.185.227.156 | (7) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.8 | M | 27 | ZeroCERT
11156 | 2023-07-28 17:27 | util.exe 37e965330586a51125db2a420917db17 UPX .NET framework(MSIL) Malicious Library Malicious Packer Antivirus OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 2.0 | M | 60 | ZeroCERT
11157 | 2023-07-28 17:24 | damianozx.exe 370c0660c08162ab7d2a8737cd3ab1e0 .NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself | | | | | 2.2 | M | 25 | ZeroCERT
11158 | 2023-07-28 14:20 | HMSDFHJSJDHFJHIIFSIDH%23%23%23... a659a09f30b9663ba5f22a784856729a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed | (1) http://23.94.37.197/330/chromium.exe | (1) | (1) ET INFO Executable Download from dotted-quad Host | | 4.6 | M | 30 | ZeroCERT
11159 | 2023-07-28 14:17 | n47FJITc.exe f078b804fc4d54586eea6a32dd7463e6 PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key | | (2) 5.181.80.123 - malware 45.33.6.223 | | | 3.2 | M | 52 | ZeroCERT
11160 | 2023-07-28 14:15 | vbc.exe c12fbddc2c7ae2eb6b4431bb52646d4d UPX Malicious Library PE File PE32 DLL .NET DLL PE64 GIF Format VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself suspicious process AppData folder crashed | (1) http://www.inmobilianda.com/wp-includes/JwtrOw38.bin | | | | 4.0 | M | 31 | ZeroCERT