11176 |
2023-07-28 10:29
|
ChromeSetup.exe 00de3f6450d30cbd9f268eb62eee33ab AgentTesla Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76) 64.185.227.156
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.6 |
M |
28 |
ZeroCERT
11177 |
2023-07-28 10:29
|
secbobbyzx.doc 50a7ad2ace11903c9d16a6c8660631de MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed |
3.0 |
M |
29 |
ZeroCERT
11178 |
2023-07-28 10:26
|
secbobbyzx.exe b05e3ab4699177f4dcad8e34ceda8efb Confuser .NET .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName DNS |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
transfer.sh(144.76.136.153) - malware 121.254.136.27 144.76.136.153 - mailcious
|
5
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
3.4 |
M |
27 |
ZeroCERT
11179 |
2023-07-28 10:26
|
dhvedok.exe f0f5e6f32198fa1837b3090b7fd71fbb HermeticWiper UPX Malicious Library MZP Format PE File PE32 VirusTotal Malware unpack itself |
2.2 |
M |
47 |
ZeroCERT
11180 |
2023-07-28 10:24
|
156.exe 7a27d073c224d7f811999469d13c18ab UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution |
2.0 |
M |
35 |
ZeroCERT
11181 |
2023-07-28 10:24
|
156.exe 7a27d073c224d7f811999469d13c18ab UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution |
2.0 |
M |
35 |
ZeroCERT
11182 |
2023-07-27 11:51
|
Zqbpytwp.exe f369250db766a9469a786daf30c43d97 UPX Socket Http API Escalate priviledges HTTP Internet API AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW Ransom Message Turn off Windows Error Recovery notification window IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Tor ComputerName Trojan Banking DNS Cryptographic key |
3
http://80.66.75.37/Gqfnqspsx.pdf http://api.ipify.org/ https://whyers.io/QWEwqdsvsf/ap.php - rule_id: 26448
|
5
whyers.io(172.67.191.103) - mailcious api.ipify.org(104.237.62.211) 80.66.75.37 - mailcious 104.21.76.77 104.237.62.211
|
5
ET INFO Dotted Quad Host PDF Request ET MALWARE Mallox Ransomware CnC Domain (whyers .io) in DNS Lookup ET POLICY External IP Lookup api.ipify.org ET MALWARE Observed Mallox Ransomware Domain (whyers .io) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://whyers.io/QWEwqdsvsf/ap.php
|
24.0 |
M |
27 |
ZeroCERT
11183 |
2023-07-27 10:45
|
buildqwer.exe e668ac854e5cdedfc7c2d194f9845614 Browser Login Data Stealer UPX Malicious Library ASPack OS Processor Check PE File PE32 DLL Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder Browser DNS |
1
http://89.23.103.80/loghub/master
|
1
|
1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
4.2 |
M |
18 |
ZeroCERT
11184 |
2023-07-27 10:40
|
an.exe 691a54b032d616e5f9303557ffd49add Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution Cryptographic key |
|
2
files.catbox.moe(108.181.20.35) - malware 108.181.20.35 - mailcious
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 |
M |
11 |
ZeroCERT
11185 |
2023-07-27 10:38
|
calc2.exe aa936f35ba4f0386a975a3a65d992048 Malicious Library PE File PE32 VirusTotal Malware PDB |
2.0 |
|
30 |
ZeroCERT
11186 |
2023-07-27 10:36
|
foto5566.exe 310049edb1a276ebf198060d9cd3bc5d Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.84 - mailcious
|
11
ET INFO Dotted Quad Host DLL Request ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
11187 |
2023-07-27 10:34
|
foto5566.exe 1608f0e5d9b277a7ba7fb25f736b8c74 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.84 - mailcious
|
11
ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
11188 |
2023-07-27 10:32
|
fotod250.exe afed523b82c39015e5e8eb6f55906537 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware 77.91.124.84 - mailcious
|
12
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
11189 |
2023-07-27 10:30
|
photo340.exe f0c28816a58f907591e5e014e049024a Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL .NET EXE PE64 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
5
http://77.91.124.47/anon/an.exe http://77.91.124.47/new/fotod250.exe http://77.91.68.61/rock/index.php - rule_id: 35495 http://77.91.68.248/fuzz/raman.exe http://77.91.124.47/new/foto5566.exe
|
7
files.catbox.moe(108.181.20.35) - malware 77.91.68.61 - malware 108.181.20.35 - mailcious 77.91.124.84 - mailcious 77.91.124.47 - malware 77.91.68.248 - malware 141.94.192.217
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Possible Kelihos.F EXE Download Common Structure ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
17.6 |
M |
|
ZeroCERT
11190 |
2023-07-27 10:30
|
main.exe d367dbc08b40198ffa3ccb0653345007 Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware |
0.8 |
M |
20 |
ZeroCERT