Sandbox report listing, one record per submission. Each record gives: ID | submitted | user; file name and MD5; signature tags; URLs, hosts and IDS alerts observed during detonation; URLs that matched a rule; then the score followed by the two VirusTotal columns as listed (absent for the one record that was not checked against VirusTotal).

11311 | 2023-07-23 09:46 | User: ZeroCERT
File: new.exe  MD5: 8bb15c76e2d55780ced07a1a2c589486
Tags: Lazarus Family, Themida Packer, UPX, Malicious Library, Http API, HTTP, ScreenShot, Internet API, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, Malware download, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Checks Bios, Collect installed applications, Detects VMWare, sandbox evasion, VMware anti-virtualization, installed browsers check, Ransomware, Lumma Stealer, Windows, Browser, ComputerName, Firmware, crashed
URLs (4):
  http://gstatic-node.io/ - rule_id: 35379
  http://gstatic-node.io/c2sock - rule_id: 35381
  http://gstatic-node.io/c2sock
  http://gstatic-node.io/c2conf - rule_id: 35380
Hosts (2):
  gstatic-node.io (172.67.204.199) - malicious
  172.67.204.199
IDS alerts (1):
  ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
URLs matching rules (3):
  http://gstatic-node.io/
  http://gstatic-node.io/c2sock
  http://gstatic-node.io/c2conf
Score: 17.4 | M | 24

11312 | 2023-07-23 09:45 | User: ZeroCERT
File: System_root.vbs  MD5: 994ed6b1d35267618f3d7f73833664d7
Tags: Generic Malware, Antivirus, Hide_URL, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (1):
  https://cdn.pixelbin.io/v2/red-wildflower-1b0af4/original/universo_vbs.jpeg
Hosts (2):
  cdn.pixelbin.io (54.230.167.111)
  54.230.167.111
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | M | 3

11313 | 2023-07-23 09:43 | User: ZeroCERT
File: bilkad.exe  MD5: c4fe973e479a2af02dce5b9888e97917
Tags: PE64, PE File, VirusTotal, Malware, crashed
Score: 2.2 | M | 42

11314 | 2023-07-23 09:43 | User: ZeroCERT
File: file.exe  MD5: fff2f00fa9387530fb724fb44855b4f3
Tags: UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, unpack itself, Remote Code Execution
Score: 2.0 | M | 31

11315 | 2023-07-23 08:11 | User: guest
File: ROOTROOTROOOTROOOTROTROOTROT%2...  MD5: 1e2437d520b6cf1964cd8146261ab344
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (1):
  http://192.3.216.144/500/System_root.vbs
Hosts (3):
  cdn.pixelbin.io (54.230.167.16)
  192.3.216.144 - malicious
  54.230.167.117
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host VBS Request
Score: 4.6 | M | 34

11316 | 2023-07-23 08:08 | User: guest
File: qr.png  MD5: 07ecd12de259e62383d687d8eac0b089
Tags: UPX, PE64, PE File, VirusTotal, Malware, unpack itself, crashed
Score: 2.2 | M | 41

11317 | 2023-07-22 21:50 | User: ZeroCERT
File: qr.png  MD5: 07ecd12de259e62383d687d8eac0b089
Tags: UPX, PE64, PE File, VirusTotal, Malware, unpack itself, crashed
Score: 2.2 | M | 40

11318 | 2023-07-22 21:50 | User: ZeroCERT
File: Setup.exe  MD5: bdf59f927ef99ae5b7a45d8e3d05700f
Tags: Generic Malware, Admin Tool (Sysinternals etc ...), Http API, HTTP, ScreenShot, Internet API, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, Malware download, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, Buffer PE, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, sandbox evasion, installed browsers check, Ransomware, Lumma Stealer, Browser, ComputerName, Remote Code Execution, Firmware
URLs (3):
  http://gstatic-node.io/
  http://gstatic-node.io/c2sock
  http://gstatic-node.io/c2conf
Hosts (2):
  gstatic-node.io (104.21.37.53)
  172.67.204.199
IDS alerts (1):
  ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
Score: 14.6 | M | 47

11319 | 2023-07-22 21:49 | User: ZeroCERT
File: ROOTROOTROOOTROOOTROTROOTROT%2...  MD5: 1e2437d520b6cf1964cd8146261ab344
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (1):
  http://192.3.216.144/500/System_root.vbs
Hosts (3):
  cdn.pixelbin.io (54.230.167.117)
  192.3.216.144 - malicious
  54.230.167.117
IDS alerts (2):
  ET INFO Dotted Quad Host VBS Request
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.6 | M | 34

11320 | 2023-07-22 21:48 | User: ZeroCERT
File: freebobux.bin.exe  MD5: 794b00893a1b95ade9379710821ac1a4
Tags: UPX, Malicious Library, AntiDebug, AntiVM, PE File, PE32, BMP Format, MZP Format, VirusTotal, Malware, Code Injection, Check memory, Creates executable files, unpack itself, AppData folder, WriteConsoleW, crashed
Score: 5.8 | M | 32

11321 | 2023-07-22 21:47 | User: ZeroCERT
File: payload.exe  MD5: 1dc2580260eb3d20bf700457ce0f235c
Tags: ScreenShot, AntiDebug, AntiVM, PE File, PE32, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, Windows utilities, AppData folder, sandbox evasion, Firewall state off, Windows, Browser, ComputerName, DNS
URLs (1):
  http://209.145.51.44/tef/tasks.php
Hosts (6):
  alors.deepdns.cryptostorm.net (no address resolved)
  onyx.deepdns.cryptostorm.net (no address resolved)
  ns1.any.dns.d0wn.biz (no address resolved)
  ns.dotbit.me (no address resolved) - malicious
  ns1.random.dns.d0wn.biz (178.17.170.133) - malicious
  209.145.51.44 - malware
IDS alerts (2):
  ET INFO Observed DNS Query to .biz TLD
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
Score: 15.0 | M | 63

11322 | 2023-07-22 21:46 | User: ZeroCERT
File: asas.exe  MD5: 103746e75cc79da6379bc879dd58b17a
Tags: Generic Malware, UPX, Malicious Packer, OS Processor Check, PE64, PE File, VirusTotal, Malware, PDB, Remote Code Execution
Score: 1.4 | M | 39

11323 | 2023-07-22 21:44 | User: ZeroCERT
File: build.exe  MD5: ed3809d571d4d52fa5bf9339b9750b27
Tags: Vidar, UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, Telegram, MachineGuid, Malicious Traffic, Creates executable files, unpack itself, WriteConsoleW, Tofsee, ComputerName, DNS
URLs (4):
  http://116.203.7.113/ba898ce7ff6c6db9d00aca6445e5d347
  http://116.203.7.113/upgrade.zip
  https://steamcommunity.com/profiles/76561198982268531 - rule_id: 35281
  https://t.me/sundayevent
Hosts (5):
  t.me (149.154.167.99) - malicious
  steamcommunity.com (184.87.111.197) - malicious
  116.203.7.113
  149.154.167.99 - malicious
  104.88.222.199
IDS alerts (4):
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET INFO Dotted Quad Host ZIP Request
URLs matching rules (1):
  https://steamcommunity.com/profiles/76561198982268531
Score: 4.0 | M | 19

11324 | 2023-07-22 21:44 | User: ZeroCERT
File: photo220.exe  MD5: 1e91a70b891e93ad6124f5d0bee5c7ea
Tags: Gen1, Emotet, UPX, Malicious Library, CAB, PE File, PE32, PDB, Remote Code Execution
Score: 0.8

11325 | 2023-07-22 21:43 | User: ZeroCERT
File: elevator.exe  MD5: 5f6c86ec159f2b0d99f88bc3c3c6a641
Tags: UPX, Malicious Library, OS Processor Check, PE64, PE File, VirusTotal, Malware, WriteConsoleW
Score: 1.0 | M | 19
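Several records above share infrastructure: the two Lumma Stealer samples (11311, 11318) talk to the same gstatic-node.io C2 paths, the RTF (11315, resubmitted as 11319) fetches System_root.vbs from 192.3.216.144 and that VBS is itself record 11312, and the SSLBL "Tofsee" JA3 alert fires on three unrelated samples. The script below is an added example, not part of the listing or of the sandbox that produced it: it pivots a constructed subset of these records (IDs, MD5s, file names, URLs, hosts and alerts copied from the listing; tags dropped) on shared hosts, shared alerts and a dropper heuristic, and defangs the IOCs for sharing. The field names and both pivot heuristics are this example's own.

```python
"""Pivot sandbox records on shared infrastructure (added example)."""
from collections import defaultdict
from urllib.parse import urlparse
import posixpath

LUMMA_URLS = ["http://gstatic-node.io/", "http://gstatic-node.io/c2sock",
              "http://gstatic-node.io/c2conf"]
LUMMA_ALERT = "ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2"
TOFSEE_JA3 = "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"

# Constructed subset of the listing above; field names are this example's own.
RECORDS = [
    {"id": 11311, "md5": "8bb15c76e2d55780ced07a1a2c589486", "file": "new.exe",
     "urls": LUMMA_URLS, "hosts": ["gstatic-node.io", "172.67.204.199"],
     "alerts": [LUMMA_ALERT]},
    {"id": 11312, "md5": "994ed6b1d35267618f3d7f73833664d7", "file": "System_root.vbs",
     "urls": ["https://cdn.pixelbin.io/v2/red-wildflower-1b0af4/original/universo_vbs.jpeg"],
     "hosts": ["cdn.pixelbin.io", "54.230.167.111"], "alerts": [TOFSEE_JA3]},
    {"id": 11315, "md5": "1e2437d520b6cf1964cd8146261ab344",
     "file": "ROOTROOTROOOTROOOTROTROOTROT%2...",
     "urls": ["http://192.3.216.144/500/System_root.vbs"],
     "hosts": ["cdn.pixelbin.io", "192.3.216.144", "54.230.167.117"],
     "alerts": [TOFSEE_JA3, "ET INFO Dotted Quad Host VBS Request"]},
    {"id": 11318, "md5": "bdf59f927ef99ae5b7a45d8e3d05700f", "file": "Setup.exe",
     "urls": LUMMA_URLS, "hosts": ["gstatic-node.io", "172.67.204.199"],
     "alerts": [LUMMA_ALERT]},
    {"id": 11319, "md5": "1e2437d520b6cf1964cd8146261ab344",  # same RTF, resubmitted
     "file": "ROOTROOTROOOTROOOTROTROOTROT%2...",
     "urls": ["http://192.3.216.144/500/System_root.vbs"],
     "hosts": ["cdn.pixelbin.io", "192.3.216.144", "54.230.167.117"],
     "alerts": ["ET INFO Dotted Quad Host VBS Request", TOFSEE_JA3]},
    {"id": 11323, "md5": "ed3809d571d4d52fa5bf9339b9750b27", "file": "build.exe",
     "urls": ["http://116.203.7.113/ba898ce7ff6c6db9d00aca6445e5d347",
              "http://116.203.7.113/upgrade.zip",
              "https://steamcommunity.com/profiles/76561198982268531",
              "https://t.me/sundayevent"],
     "hosts": ["t.me", "steamcommunity.com", "116.203.7.113",
               "149.154.167.99", "104.88.222.199"],
     "alerts": ["ET INFO Observed Telegram Domain (t .me in TLS SNI)", TOFSEE_JA3,
                "ET INFO TLS Handshake Failure", "ET INFO Dotted Quad Host ZIP Request"]},
]


def _shared(records, field, min_samples):
    """Map each value of `field` to the distinct MD5s that produced it, keeping
    only values seen from at least `min_samples` samples. Keying by MD5 rather
    than record ID means a file submitted twice counts once."""
    by_value = defaultdict(set)
    for r in records:
        for value in r[field]:
            by_value[value].add(r["md5"])
    return {v: s for v, s in by_value.items() if len(s) >= min_samples}


def shared_hosts(records, min_samples=2):
    """Hosts/IPs contacted by several distinct samples: the useful C2 pivot."""
    return _shared(records, "hosts", min_samples)


def shared_alerts(records, min_samples=2):
    """IDS alerts fired by several distinct samples. A generic signature (here
    the SSLBL JA3 entry) spans unrelated families, so it is a weak pivot on its
    own; a family-specific one (the Lumma rule) is a strong one."""
    return _shared(records, "alerts", min_samples)


def dropper_chains(records):
    """Heuristic: if a sample fetched a URL whose last path segment equals
    another sample's file name, treat it as the stage that drops that sample.
    Returns sorted (stage_md5, url, dropped_md5) triples, deduplicated."""
    by_file = defaultdict(set)
    for r in records:
        by_file[r["file"]].add(r["md5"])
    chains = set()
    for r in records:
        for url in r["urls"]:
            name = posixpath.basename(urlparse(url).path)
            for md5 in by_file.get(name, ()):
                if md5 != r["md5"]:
                    chains.add((r["md5"], url, md5))
    return sorted(chains)


def defang(ioc):
    """Defang a URL, host name or IP for sharing: http -> hxxp, '.' -> '[.]'."""
    if ioc.lower().startswith("http"):
        ioc = "hxxp" + ioc[4:]
    return ioc.replace(".", "[.]")


if __name__ == "__main__":
    for host, md5s in sorted(shared_hosts(RECORDS).items()):
        print(f"{defang(host):24} shared by {len(md5s)} samples: {', '.join(sorted(md5s))}")
    for alert, md5s in sorted(shared_alerts(RECORDS).items()):
        print(f"{alert} fired for {len(md5s)} samples")
    for stage, url, dropped in dropper_chains(RECORDS):
        print(f"{stage} fetched {defang(url)} which is sample {dropped}")
```

On this subset the host pivot links the two Lumma samples through gstatic-node.io and 172.67.204.199, and links the RTF to the VBS through cdn.pixelbin.io; 192.3.216.144 is not reported as shared because both RTF submissions are the same MD5. The dropper heuristic yields a single chain, RTF to System_root.vbs, because the resubmission collapses into the same triple.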