11386 | 2023-07-20 07:03
smbscanlocal-1bf850b4d9587c101... 1bf850b4d9587c1017a75a47680584c4 UPX PE File PE32 VirusTotal Malware WriteConsoleW
3.0 | M | 56 | guest
11387 | 2023-07-20 06:58
smbscanlocal-1bf850b4d9587c101... 1bf850b4d9587c1017a75a47680584c4 UPX PE File PE32 VirusTotal Malware WriteConsoleW
3.0 | M | 56 | guest
11388 | 2023-07-19 15:41
smbscanlocal-1bf850b4d9587c101... 1bf850b4d9587c1017a75a47680584c4 UPX PE File PE32 VirusTotal Malware WriteConsoleW
3.0 | M | 56 | ZeroCERT
11389 | 2023-07-19 15:39
watchdog.exe 8e67f58837092385dcf01e8a2b4f5783 UPX PE File PE32 VirusTotal Malware Creates executable files WriteConsoleW Trojan DNS
1
4.6 | M | 58 | ZeroCERT
11390 | 2023-07-19 15:38
ChromeSetup.exe 70462b94519e8f0354cdde7584e536ce NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Email Client Info Stealer Malware AutoRuns Check memory Creates executable files RWX flags setting unpack itself AppData folder Windows Email ComputerName crashed
1
4
us2.smtp.mailhostbox.com(208.91.199.225)
showip.net(162.55.60.2)
162.55.60.2
208.91.199.225 - mailcious
2
SURICATA Applayer Detect protocol only one direction
ET POLICY IP Check Domain (showip in HTTP Host)
6.8 | M | 39 | ZeroCERT
11391 | 2023-07-19 15:36
dollzx.exe 948b8c028268c704b439071a9fe65538 Formbook UPX .NET framework(MSIL) AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
3
http://www.qcekilps.cfd/xy18/?tVm0=CobHos0ThlylGiAR2zv9RvzHI+kC/8Rc/SjBmoL5wtzyxr1JtCEg9O7v3RA+ey7kApaOT51Q&U48Ho=NtetP4UP-6iH6twP
http://www.ktkequipment.com/xy18/?tVm0=rlnqg79HyDd2tQF7x0KFF1quRFOsgzpqr/yEKpdcbBK9rQNvTE641ocQblQ5wb+rgoxEVrgd&U48Ho=NtetP4UP-6iH6twP
http://www.ex-sideproject.com/xy18/?tVm0=X56z6+zy1MKrxoKWKU//XnGdtRx6ueWJln4Kjq7+x+gu62rHDZsWTxOq5YLIV5B2+0bJxpLu&U48Ho=NtetP4UP-6iH6twP
6
www.ktkequipment.com(162.254.38.89)
www.qcekilps.cfd(150.95.255.38)
www.ex-sideproject.com(198.54.117.216)
162.254.38.89
150.95.255.38 - mailcious
198.54.117.218 - mailcious
1
ET MALWARE FormBook CnC Checkin (GET)
8.6 | M | 30 | ZeroCERT
11392 | 2023-07-19 15:35
11.sfx.exe 1ac19ec30a52e2b8c80bd93f8aab003a UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB Creates executable files Remote Code Execution
2.8 | | 34 | ZeroCERT
11393 | 2023-07-19 15:03
File_pass1234.7z 46ad54c4ee3c4d92f87f62c0d7ca7c38 Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Remote Code Execution Trojan DNS Downloader
27
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
http://zzz.fhauiehgha.com/m/okka25.exe
http://aa.imgjeoogbb.com/check/safe - rule_id: 34652
http://aa.imgjeoogbb.com/check/safe
http://176.113.115.84:8080/4.php - rule_id: 34795
http://176.113.115.84:8080/4.php
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://45.15.156.229/api/tracemap.php
http://87.120.88.198/g.exe - rule_id: 35229
http://87.120.88.198/g.exe
http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68 - rule_id: 34651
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://www.maxmind.com/geoip/v2.1/city/me
http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://www.google.com/
http://194.169.175.138:3002/file.exe - rule_id: 35230
https://vk.com/doc808950829_664443643?hash=BMSfO07vvSfVgzBLa3AhQ2T8ZfTsYk5klLKtxOZyNZT&dl=PkFfe0R1U4A4nZCFzzMLIHdvp6Lpl8cZoPyc3f4s1g0&api=1&no_preview=1#3
https://sun6-22.userapi.com/c909218/u808950829/docs/d53/58e33ed5db21/h8d337t1s6ya.bmp?extra=CPXirvuFil6wae1g7IzRKLCuKaBG5TMNvah7vd8GEz_qhtFRRku91mgqgiq76or0u2ti2o0zTN89ctJv3eG53ZlBxfMxw-IYA776yUdrGBSY26Z4EfetiDoRLEeWerrhtc2_i9f6b90E94we8g
https://sun6-22.userapi.com/c237331/u808950829/docs/d28/86e75507997e/PMmp.bmp?extra=gA4zaT6Xr3h2ftzx9AuPCMbqvjUtc-wRsrEKNOhevLqt_SZZwdVTPal8iTx6xd2U97xgKU53JupP_eejmSYNdmzSQRzU982T2aZornEsede4YUpcvteGCqHEQW4bsNatQleffyY9lAwLiXRnZg
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-22.userapi.com/c237031/u808950829/docs/d38/ea4433a2b522/RisePro_0_2_9rOsvaKa1eDf138eBlTl.bmp?extra=DnpHLlKvtxovB1KUV49UCSmwoMRpKlllUvvs5vFdMDd9kEn--_oArRN2soMPvOpEI-bb2dSpQpeWyz19HgECB7QD057wQXbgM_yxe6Qe4PwZmwkS5S0weMFY6E7oO0zeiqN5poXsMtje8Ga45g
https://sun6-21.userapi.com/c236331/u808950829/docs/d20/0cef145379dd/3.bmp?extra=sissnLmA8_-6n9mrlaFvFGqsuE8xRQHYK27yqnUnxwCijQuiveAV-H1daYlYFGiEZwSXhdTHhRGRsJ1mxNlypFuQCV04gy5jZ4xe1_1nBm9bazUTI_xskEd39VLXPyTmLgdCohnnm6fC-d9b4Q
60
www.maxmind.com(104.17.215.67)
iplis.ru(148.251.234.93) - mailcious
www.google.com(142.250.76.132)
api.myip.com(104.26.9.59)
hugersi.com(91.215.85.147) - malware
camoverde.pw() - malware
sun6-22.userapi.com(95.142.206.2)
zzz.fhauiehgha.com(156.236.72.121) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
ipinfo.io(34.117.59.81)
aa.imgjeoogbb.com(154.221.26.108) - mailcious
us.imgjeoigaa.com(103.100.211.218) - mailcious
iplogger.org(148.251.234.83) - mailcious
fastpool.xyz(213.91.128.133) - mailcious
astergo.in(194.195.113.17)
db-ip.com(104.26.4.15)
vk.com(87.240.137.164) - mailcious
vanaheim.cn(46.173.215.12)
api.db-ip.com(104.26.5.15)
87.120.88.198 - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
154.221.26.108 - mailcious
91.215.85.147 - malware
62.122.184.92
104.26.5.15
176.123.9.85 - mailcious
80.66.75.254
45.12.253.74 - malware
80.66.75.4
172.67.75.163
77.91.68.56 - mailcious
77.91.124.40 - malware
194.26.135.162 - mailcious
87.240.132.67 - mailcious
157.254.164.98 - mailcious
46.173.215.12
34.117.59.81
142.251.220.36
176.113.115.84 - mailcious
176.113.115.85
194.169.175.138 - malware
148.251.234.83
176.113.115.135
176.113.115.136
194.195.113.17
94.142.138.131 - mailcious
176.123.9.142 - mailcious
104.17.214.67
156.236.72.121 - mailcious
45.15.156.229 - mailcious
104.26.4.15
147.135.165.22 - mailcious
163.123.143.4 - mailcious
95.142.206.1 - mailcious
45.143.201.238
77.91.68.3 - malware
95.142.206.2
103.100.211.218 - malware
213.91.128.133 - mailcious
27
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO TLS Handshake Failure
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 27
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY Cryptocurrency Miner Checkin
ET DROP Dshield Block Listed Source group 1
12
http://94.142.138.131/api/firegate.php
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe
http://aa.imgjeoogbb.com/check/safe
http://176.113.115.84:8080/4.php
http://45.15.156.229/api/tracemap.php
http://87.120.88.198/g.exe
http://aa.imgjeoogbb.com/check/
http://94.142.138.131/api/tracemap.php
http://us.imgjeoigaa.com/sts/imagc.jpg
http://77.91.68.3/home/love/index.php
http://194.169.175.138:3002/file.exe
7.0 | M | | ZeroCERT
11394 | 2023-07-19 14:41
미군 구인공고 웹사이트 주소 및 사용방법 안내.zip... 6277fee38a64f218291c73db5326e1bf ZIP Format VirusTotal Malware
0.4 | | 7 | ZeroCERT
11395 | 2023-07-19 14:31
dma.hta 9302aa42d7bd92c8bfe93a441fe7b147 Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
9.2 | | 17 | ZeroCERT
11396 | 2023-07-19 09:38
CTFMON.EXE 842b0d0eb01716a9f526acd866d8bad3 Emotet Gen1 UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 VirusTotal Malware Malicious Traffic Check memory unpack itself
1
http://www.notebooksell.kr/mall/m_schema.php
2
www.notebooksell.kr(183.111.169.84)
183.111.169.84
1
ET INFO SUSPICIOUS UA starting with Mozilla/8
2.6 | | 25 | ZeroCERT
11397 | 2023-07-19 09:26
Multi National Recruitment Sys... 3c5aacd54c4f9baa9a58423b3fe0969d Antivirus AntiDebug AntiVM GIF Format VirusTotal Malware Code Injection Creates shortcut suspicious process WriteConsoleW
2.4 | | 3 | ZeroCERT
11398 | 2023-07-19 09:16
Document_of_file_newshipment_p... 5d13e163a153f92e5f656a1fd26269df VirusTotal Malware wscript.exe payload download Check virtual network interfaces Tofsee DNS crashed
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://pastebin.com/raw/NVAgzFRR
https://wtools.io/code/dl/bOoA
5
wtools.io(172.67.135.130) - malware
pastebin.com(172.67.34.170) - mailcious
104.21.6.247 - malware
104.20.68.143 - mailcious
121.254.136.27
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
3.0 | | 20 | ZeroCERT
11399 | 2023-07-19 09:15
DIEN TT_SACOMBANK 15052023_907... e70e36db9a2ee974d0f245b469b0b7c7 Suspicious_Script_Bin UPX Malicious Library PE File PE32 PNG Format DLL OS Processor Check PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed
3.8 | | 39 | ZeroCERT
11400 | 2023-07-19 09:12
My_Map.scr 33647ca452ca1a5d88fa6f08aa6f146c RedLine Infostealer Gen1 UltraVNC UPX Malicious Library Malicious Packer Anti_VM OS Processor Check PE File PE32 DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
5
http://116.202.177.109/upgrade.zip
http://116.202.177.109/
http://116.202.177.109/c2413e9d86eb61b5af540798875f05ed
https://steamcommunity.com/profiles/76561198982268531
https://t.me/sundayevent
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.81.130.161) - mailcious
149.154.167.99 - mailcious
116.202.177.109
23.34.107.26
4
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
12.0 | M | 21 | ZeroCERT