Sandbox submission listing (flattened table, rebuilt one record at a time). Per record: id | submitted; File (md5); Tags; URLs (count); Hosts (count), written as domain(resolved IP) with the feed's verdict after "-"; Signatures (count) of Suricata/ET alerts; Rule-hit URLs (count) with the matched rule_id; then Score | M | VT | submitter, where VT is the VirusTotal detection count and appears only on records tagged "VirusTotal Malware".

11296 | 2023-07-24 16:56
File: IBNSDIFBSDNIWEFBSIFNFSIDFBISDN... (md5 f6abfd2fa1bf65db8d73e3c3ed3c76a5)
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed
URLs (2):
  http://192.3.243.150/windows/n/IE_NET.vbs
  http://serverftp.online/imgs/bat_native.jpeg
Hosts (3):
  serverftp.online(198.12.119.208)
  198.12.119.208
  192.3.243.150 - malware
Signatures (1): ET INFO Dotted Quad Host VBS Request
Score 4.6 | M | VT 30 | ZeroCERT
11297 | 2023-07-24 16:30
File: FreeWMAToMP3Converter.exe (md5 b4d654755e5fb496138ed0e9c4121e84)
Tags: Emotet Gen1 UPX Malicious Library Malicious Packer AntiDebug AntiVM MZP Format PE File PE32 MSOffice File PNG Format DLL PE64 GIF Format OS Processor Check JPEG Format Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder AntiVM_Disk VM Disk Size Check Tofsee Windows Exploit ComputerName DNS crashed
URLs (1): http://mp3-tools.com/smart-mp3-converter.html
Hosts (2):
  mp3-tools.com(45.84.226.205)
  45.84.226.205
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score 7.0 | Speedmeup
11298 | 2023-07-24 13:20
Submitted URL: "https://tglrrran.0rg.shop/" (no md5)
Tags: AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1): not shown
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score 3.8 | ZeroCenter
11299 | 2023-07-24 09:33
File: kgec63hr0ubmn.exe (md5 79982cf6836eebddfc2aa3e773f54f38)
Tags: Generic Malware UPX Malicious Library Antivirus AntiDebug AntiVM OS Processor Check PE File PE32 PowerShell VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process WriteConsoleW IP Check Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (5):
  http://www.microsoft.com/
  http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
  http://185.228.234.30/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
  http://pastebin.com/raw/r0KhEEzi
  https://pastebin.com/raw/r0KhEEzi
Hosts (10):
  www.microsoft.com(104.94.217.134)
  pastebin.com(172.67.34.170) - malicious
  ip-api.com(208.95.112.1)
  185.149.146.118
  185.159.129.168 - malicious
  77.91.77.144
  208.95.112.1
  104.94.217.134
  185.228.234.30
  172.67.34.170 - malicious
Signatures (3):
  ET POLICY External IP Lookup ip-api.com
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Microsoft user-agent automated process response to automated request
Score 14.4 | VT 30 | ZeroCERT
11300 | 2023-07-24 09:32
File: setup294.exe (md5 ea7a66c1eaf1ddaca7ad98a7b8490099)
Tags: UPX Malicious Library Create Service Escalate privileges AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection unpack itself AppData folder Remote Code Execution DNS
URLs (1): not shown
Score 3.0 | ZeroCERT
11301 | 2023-07-24 09:13
File: install-alevrola.exe (md5 8d6d682cbd51a88075c184966aa0de17)
Tags: Generic Malware Malicious Library UPX PE File PE32 PNG Format MZP Format GIF Format AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName Remote Code Execution DNS
Hosts (8):
  80.66.75.4
  213.91.128.133 - malicious
  45.143.201.238
  176.113.115.135
  176.113.115.136
  62.122.184.92
  176.113.115.84 - malicious
  176.113.115.85
Signatures (2):
  ET DROP Dshield Block Listed Source group 1
  ET DROP Spamhaus DROP Listed Traffic Inbound group 22
Score 3.8 | guest
11302 | 2023-07-24 09:12
File: install-alevrola.exe (md5 8d6d682cbd51a88075c184966aa0de17)
Tags: Generic Malware Malicious Library UPX PE File PE32 GIF Format PNG Format MZP Format VirusTotal Malware AutoRuns Check memory Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName
Score 4.4 | VT 57 | guest
11303 | 2023-07-24 09:06
File: File_pass1234.7z (md5 4d25d513d85869b1c08713a0f9c11718)
Tags: Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Cryptocurrency Miner Malware Cryptocurrency Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Remote Code Execution Trojan DNS Downloader
URLs (28):
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://www.microsoft.com/
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
  http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://87.120.88.198/g.exe - rule_id: 35229
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://aa.imgjeoogbb.com/check/?sid=264684&key=159175a7edd0b25e9c835df79aa00f9e - rule_id: 34651
  http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://www.maxmind.com/geoip/v2.1/city/me
  http://208.67.104.60/api/tracemap.php - rule_id: 28876
  http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
  http://77.91.68.3/home/love/index.php - rule_id: 35049
  http://www.google.com/
  https://hooligapps.site/setup294.exe
  https://sun6-22.userapi.com/c909218/u801981293/docs/d17/e63cac1f34e6/PMmp.bmp?extra=JSZmi3lRDlLBvysi7G2k0PMnw9wqHxLMnf7FARS6kST7q2QTR68L9KPweJ8Zi9G-6y5u2B-wJYgU5SaiapXpmw6Nf-IZX5N0WtS04aL89D3vS04WsInzdw1JZeA7GgJoIh0rWvy-av1wdDU0vg
  https://vk.com/doc801981293_666823296?hash=IkJXfnuRw7ihxGiXRSyiY2Z66FKnxYargchJZwaWxKw&dl=zHJ4ClZYwxBgGwgirt2pehVBbUfVD7lazG0pZS1wCZ8&api=1&no_preview=1
  https://transfer.sh/get/1YKo4A8Wqj/12.exe
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-21.userapi.com/c237031/u801981293/docs/d45/afe6b4201ea0/WWW1.bmp?extra=Ahkwb4X7D03MOVnuohrOn5GaJOSm-ySjjpWB8o4YjiTyV8BFSKMzX0zWOGJyn2lzCKP7OAgybf4Y4BKzWFlfqax1i0ppeQp_MKFC8eWfoIneuuU7UXGOzuUqVHnBRBKxF8M01xk8Dy4jZd7MpA
  https://sun6-22.userapi.com/c235131/u801981293/docs/d11/116f9d602a25/siddharthabuddh4_4.bmp?extra=zkyMG_R3qc33Emr1Cl3mpi0mF28Gk_cCLAcfZBeum5io9FHkKTy5Dp0PqaVi7M96RtGK1_UnwA0QvZVpqzqZ9_t7r791eyVCkWLSzwl5GMtGh_rRKvTXCnT_6j85oh-liVkYZ8uBjvH_DJhClg
  https://transfer.sh/get/g41szIYKqo/kgec63hr0ubmn.exe
  https://vk.com/doc801981293_666878057?hash=1cohXPp9aLK2Xz7H2hezj89drs50PYuLRBoirKPj3B8&dl=vMZbPrQFZIXfQgzBVvuUmx7NUXxKHs9ZVFMOgU7roi0&api=1&no_preview=1#WW1
  https://vk.com/doc801981293_666823290?hash=C40VUqDqCeh9PmntwYoL5pVZTrUVqPDt6gbkO0YPVBz&dl=5eyzOvvEImXidOsKxS45wfidN1CDlCKKPGBOYBev5Ag&api=1&no_preview=1
Hosts (69):
  db-ip.com(104.26.4.15)
  fastpool.xyz(213.91.128.133) - malicious
  zzz.fhauiehgha.com(156.236.72.121) - malicious
  ipinfo.io(34.117.59.81)
  ip-api.com(208.95.112.1)
  hooligapps.site(104.21.6.229)
  iplogger.org(148.251.234.83) - malicious
  aa.imgjeoogbb.com(154.221.26.108) - malicious
  api.db-ip.com(172.67.75.166)
  transfer.sh(144.76.136.153) - malware
  sun6-21.userapi.com(95.142.206.1) - malicious
  us.imgjeoigaa.com(103.100.211.218) - malicious
  bitbucket.org(104.192.141.1) - malware
  vanaheim.cn(193.106.175.66)
  www.microsoft.com(59.151.173.138)
  www.google.com(142.250.76.132)
  api.myip.com(104.26.8.59)
  hugersi.com(91.215.85.147) - malware
  sun6-22.userapi.com(95.142.206.2)
  www.maxmind.com(104.17.214.67)
  vk.com(87.240.132.78) - malicious
  iplis.ru(148.251.234.93) - malicious
  87.120.88.198 - malware
  148.251.234.93 - malicious
  154.221.26.108 - malicious
  59.151.173.138
  104.192.141.1 - malicious
  104.17.215.67
  91.215.85.147 - malware
  194.169.175.142 - malware
  149.202.8.114
  62.122.184.92
  104.26.5.15
  208.95.112.1
  208.67.104.60 - malicious
  80.66.75.254
  172.67.75.166
  80.66.75.4
  185.159.129.168 - malicious
  77.91.124.47 - malware
  194.26.135.162 - malicious
  87.240.132.67 - malicious
  157.254.164.98 - malicious
  34.117.59.81
  176.113.115.84 - malicious
  176.113.115.85
  148.251.234.83
  104.26.8.59
  77.91.68.68
  176.113.115.135
  95.142.206.2
  176.113.115.136
  45.12.253.74 - malware
  94.142.138.131 - malicious
  144.76.136.153 - malicious
  142.251.220.100
  172.67.135.110
  156.236.72.121 - malicious
  23.67.53.17
  104.26.4.15
  77.91.68.3 - malware
  163.123.143.4 - malicious
  95.142.206.1 - malicious
  45.143.201.238
  121.254.136.27
  45.15.156.229 - malicious
  193.106.175.66
  103.100.211.218 - malware
  213.91.128.133 - malicious
Signatures (31):
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SURICATA Applayer Mismatch protocol both directions
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 22
  ET INFO TLS Handshake Failure
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET DROP Spamhaus DROP Listed Traffic Inbound group 40
  ET DROP Spamhaus DROP Listed Traffic Inbound group 27
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
  ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
  ET POLICY Cryptocurrency Miner Checkin
  ET POLICY External IP Lookup ip-api.com
  ET DROP Dshield Block Listed Source group 1
  ET POLICY Microsoft user-agent automated process response to automated request
Rule-hit URLs (12):
  http://94.142.138.131/api/firegate.php
  http://hugersi.com/dl/6523.exe
  http://zzz.fhauiehgha.com/m/okka25.exe
  http://aa.imgjeoogbb.com/check/safe
  http://45.15.156.229/api/tracemap.php
  http://87.120.88.198/g.exe
  http://176.113.115.84:8080/4.php
  http://aa.imgjeoogbb.com/check/
  http://94.142.138.131/api/tracemap.php
  http://208.67.104.60/api/tracemap.php
  http://us.imgjeoigaa.com/sts/imagc.jpg
  http://77.91.68.3/home/love/index.php
Score 7.0 | M | ZeroCERT
11304 | 2023-07-24 07:42
File: photo170.exe (md5 65c0aab9f3cc5187b6d90b66fc734abc)
Tags: Gen1 Emotet RedLine Infostealer RedLine stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer .NET framework(MSIL) Confuser .NET CAB PE File PE32 OS Processor Check DLL PE64 .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (6):
  http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
  http://77.91.124.31/anon/an.exe - rule_id: 35218
  http://77.91.68.3/home/love/index.php - rule_id: 35049
  http://77.91.124.31/new/foto135.exe - rule_id: 35216
  http://77.91.124.31/new/fotod25.exe - rule_id: 35217
  http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
Hosts (6):
  files.catbox.moe(108.181.20.35) - malware
  108.181.20.35 - malicious
  77.91.68.3 - malware
  77.91.68.68
  77.91.68.30 - malware
  77.91.124.31 - malicious
Signatures (18):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Possible Kelihos.F EXE Download Common Structure
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Amadey Bot Activity (POST)
Rule-hit URLs (6):
  http://77.91.68.3/home/love/Plugins/clip64.dll
  http://77.91.124.31/anon/an.exe
  http://77.91.68.3/home/love/index.php
  http://77.91.124.31/new/foto135.exe
  http://77.91.124.31/new/fotod25.exe
  http://77.91.68.3/home/love/Plugins/cred64.dll
Score 18.4 | M | ZeroCERT
11305 | 2023-07-24 07:39
File: file.exe (md5 a931716cf0d4b79b442699547acce00a)
Tags: UPX Malicious Library OS Processor Check PE File PE32 unpack itself
Score 0.8 | M | ZeroCERT
11306 | 2023-07-24 07:39
File: taskmask.exe (md5 126db18bbcf58a186b422970c57e4dbf)
Tags: Emotet UPX Admin Tool (Sysinternals etc ...) Malicious Library PWS SMTP AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (1): not shown
Hosts (3):
  api.ip.sb(104.26.12.31)
  172.67.75.172 - malicious
  167.99.14.220 - malicious
Signatures (2):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 13.6 | VT 50 | ZeroCERT
11307 | 2023-07-24 07:37
File: file.exe (md5 8fa8bfb9b75a7c33d9d8cc65a7172a7c)
Tags: UPX Malicious Library OS Processor Check PE File PE32 unpack itself
Score 0.8 | M | ZeroCERT
11308 | 2023-07-24 05:09
File: IMG-20230723-WA0017.jpg (md5 3bdfda87698750389aa90c72652c25bf)
Tags: JPEG Format
Score (none) | guest
11309 | 2023-07-23 13:33
File: ROOTROOTROOOTROOOTROTROOTROT%2... (md5 1e2437d520b6cf1964cd8146261ab344)
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1): http://192.3.216.144/500/System_root.vbs - rule_id: 35378
Hosts (3):
  cdn.pixelbin.io(54.230.167.16)
  192.3.216.144 - malicious
  54.230.167.126
Signatures (2):
  ET INFO Dotted Quad Host VBS Request
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-hit URLs (1): http://192.3.216.144/500/System_root.vbs
Score 4.6 | M | VT 34 | guest
11310 | 2023-07-23 09:54
File: safevpn20.11342.2k.exe (md5 6bafba4a43173045136e95abe78666e8)
Tags: Gen1 Emotet Suspicious_Script_Bin Generic Malware UPX Malicious Library ASPack Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM OS Processor Check PE64 PE File icon DLL ZIP Format BMP Format Browser Info Stealer VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself Windows Browser
Score 3.6 | VT 37 | ZeroCERT
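Added example, not part of the listing or the sandbox's own code: a small Python parser that takes one record's flattened host, URL and signature strings exactly as the site emits them (hosts as `domain(ip)` or bare IPs, a verdict after `-` that the raw feed spells `mailcious`, URLs followed by `- rule_id: N`, alerts run together on one line) and turns them into an IOC set. It separates hosts the feed tagged from untagged ones and from the external-IP lookup services these samples contact (ip-api.com, db-ip.com, ipinfo.io and similar), which fire ET POLICY alerts but are not block targets; that allowlist, the `Host`/`Url` structures and the family extraction from the SSLBL alert are assumptions of this example. The embedded sample record is a constructed copy of record 11309 above.

```python
"""Parse one flattened sandbox record (the listing format above) into IOCs."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in the listing's flattened form; values are copied from
# record 11309 above. The raw feed spells its verdict tag "mailcious".
SAMPLE = {
    "id": 11309,
    "submitted": "2023-07-23 13:33",
    "file": "ROOTROOTROOOTROOOTROTROOTROT%2...",
    "md5": "1e2437d520b6cf1964cd8146261ab344",
    "urls": "http://192.3.216.144/500/System_root.vbs - rule_id: 35378",
    "hosts": "cdn.pixelbin.io(54.230.167.16) 192.3.216.144 - mailcious 54.230.167.126",
    "signatures": "ET INFO Dotted Quad Host VBS Request "
                  "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_WITH_IP = re.compile(r"^(?P<name>[^()\s]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$")
URL_WITH_RULE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
# Every alert in the listing starts with an ET category, the SSLBL prefix or a
# SURICATA engine event, so a boundary is whitespace followed by one of those.
SIG_BOUNDARY = re.compile(
    r"\s+(?=ET (?:INFO|POLICY|MALWARE|DROP|HUNTING|TROJAN|EXPLOIT) |SSLBL: |SURICATA )")
VERDICTS = {"malware": "malware", "malicious": "malicious", "mailcious": "malicious"}
# Assumed allowlist: external-IP / geolocation services the samples above query.
# Contacting them is a signal (the ET POLICY alerts fire on it), not a block target.
IP_CHECK_SERVICES = {"ip-api.com", "api.db-ip.com", "db-ip.com", "ipinfo.io",
                     "api.myip.com", "api.ip.sb", "www.maxmind.com"}


@dataclass
class Host:
    name: str
    ip: Optional[str]
    verdict: Optional[str] = None


@dataclass
class Url:
    url: str
    rule_id: Optional[int] = None


def is_md5(value: str) -> bool:
    return re.fullmatch(r"[0-9a-f]{32}", value.lower()) is not None


def parse_hosts(text: str) -> list[Host]:
    """Tokens are 'domain(ip)' or a bare IP; a following '- <verdict>' tags the previous host."""
    hosts: list[Host] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and hosts and i + 1 < len(tokens) and tokens[i + 1].lower() in VERDICTS:
            hosts[-1].verdict = VERDICTS[tokens[i + 1].lower()]
            i += 2
            continue
        m = DOMAIN_WITH_IP.match(tok)
        if m:
            hosts.append(Host(m["name"], m["ip"]))
        elif IPV4.match(tok):
            hosts.append(Host(tok, tok))
        else:
            hosts.append(Host(tok, None))          # domain without a resolved IP
        i += 1
    return hosts


def parse_urls(text: str) -> list[Url]:
    return [Url(u, int(r) if r else None) for u, r in URL_WITH_RULE.findall(text)]


def parse_signatures(text: str) -> list[str]:
    return [s for s in SIG_BOUNDARY.split(text.strip()) if s]


def build_iocs(record: dict) -> dict:
    """Split one record's network artefacts into block candidates and watch-only items."""
    hosts = parse_hosts(record["hosts"])
    urls = parse_urls(record["urls"])
    sigs = parse_signatures(record["signatures"])
    block_ips, block_domains, watch = set(), set(), set()
    for h in hosts:
        if h.name in IP_CHECK_SERVICES:
            watch.add(h.name)                      # noise: external IP lookup
        elif h.verdict and h.ip == h.name:
            block_ips.add(h.ip)                    # bare IP tagged by the feed
        elif h.verdict:
            block_domains.add(h.name)              # tagged domain; its IP may be shared hosting
            if h.ip:
                watch.add(h.ip)
        else:
            watch.add(h.name)                      # contacted, but no verdict from the feed
    # A URL is a block candidate when it matched a rule or points at a tagged host.
    block_urls = {u.url for u in urls
                  if u.rule_id is not None
                  or urlparse(u.url).hostname in block_ips | block_domains}
    families = sorted({m.group(1) for s in sigs
                       if s.startswith("SSLBL") and (m := re.search(r"\((\w+)\)$", s))})
    return {
        "id": record["id"],
        "md5_ok": is_md5(record["md5"]),
        "block_ips": sorted(block_ips),
        "block_domains": sorted(block_domains),
        "block_urls": sorted(block_urls),
        "watch": sorted(watch),
        "rule_ids": sorted(u.rule_id for u in urls if u.rule_id is not None),
        "families": families,
        "signatures": sigs,
    }


if __name__ == "__main__":
    for key, value in build_iocs(SAMPLE).items():
        print(f"{key}: {value}")
```

The split between block and watch is deliberate: cdn.pixelbin.io resolves to a CDN address and carries no verdict, so it stays on the watch list, while 192.3.216.144 is both feed-tagged and the host of the rule-hit VBS download and ends up in both `block_ips` and `block_urls`. For records such as 11303, where a tagged domain and a CDN or shared-hosting IP appear together, the same logic keeps the domain as the block indicator and only watches the IP.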