11461 | 2023-07-18 07:28
Sample: wwwtwwwrwwewwwrwwwewwwtwwwy%23... (MD5 2e09089eee318e853c221beded5376e1)
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed
URLs (1):
- http://192.3.109.162/80/wwwr.exe
Hosts (4):
- api.ipify.org(64.185.227.156)
- 192.3.109.162
- 217.194.134.187
- 104.237.62.211
Signatures (7):
- ET INFO Executable Download from dotted-quad Host
- ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET INFO TLS Handshake Failure
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.6 | VT detections: 30 | ZeroCERT
11462 | 2023-07-18 07:28
Sample: an.exe (MD5 10e841b7d0bff1a7aa989ebdf7f35976)
Tags: UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware RWX flags setting unpack itself DNS crashed
Hosts: 1
Score: 2.4 | VT detections: 22 | ZeroCERT
11463 | 2023-07-18 07:28
Sample: csrssfs.exe (MD5 2bdd38681778a2be9d40177c6f8a3319)
Tags: NSIS UPX Malicious Library PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files ICMP traffic unpack itself AppData folder DNS
URLs: 23
Hosts: 23
Signatures (3):
- ET INFO Observed DNS Query to .life TLD
- ET INFO HTTP Request to Suspicious *.life Domain
- ET MALWARE FormBook CnC Checkin (GET)
Score: 5.8 | VT detections: 43 | ZeroCERT
11464 | 2023-07-18 07:24
Sample: foto135.exe (MD5 327b57745b8c136ea8d4e4e1519f508d)
Tags: Gen1 Emotet RedLine Infostealer RedLine stealer UPX Malicious Library .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check .NET EXE DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (9):
- http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
- http://77.91.68.3/home/love/Plugins/clip64.dll
- http://77.91.124.31/anon/an.exe
- http://77.91.68.3/home/love/index.php - rule_id: 35049
- http://77.91.68.3/home/love/index.php
- http://77.91.124.31/new/foto135.exe
- http://77.91.124.31/new/fotod25.exe
- http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
- http://77.91.68.3/home/love/Plugins/cred64.dll
Hosts (3):
- 77.91.68.3
- 77.91.68.56
- 77.91.124.31
Signatures (14):
- ET MALWARE Possible Kelihos.F EXE Download Common Structure
- ET INFO Executable Download from dotted-quad Host
- ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET MALWARE Amadey CnC Check-In
- ET MALWARE Win32/Amadey Bot Activity (POST) M2
- ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
- ET MALWARE RedLine Stealer TCP CnC net.tcp Init
- ET MALWARE Redline Stealer TCP CnC Activity
- ET MALWARE Redline Stealer TCP CnC - Id1Response
- ET INFO Dotted Quad Host DLL Request
- ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
- http://77.91.68.3/home/love/Plugins/clip64.dll
- http://77.91.68.3/home/love/index.php
- http://77.91.68.3/home/love/Plugins/cred64.dll
Score: 17.8 | VT detections: 42 | ZeroCERT
11465 | 2023-07-18 07:24
Sample: NBbH87.exe (MD5 e8a59b068f08284eb4159afadb10110e)
Tags: LokiBot RedLine Infostealer UltraVNC UPX Malicious Library PWS DNS AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (1):
- http://185.246.220.60/sweetwhore/five/fre.php
Hosts: 1
Signatures (7):
- ET MALWARE LokiBot User-Agent (Charon/Inferno)
- ET MALWARE LokiBot Checkin
- ET MALWARE LokiBot Request for C2 Commands Detected M1
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- ET MALWARE LokiBot Request for C2 Commands Detected M2
- ET MALWARE LokiBot Fake 404 Response
Score: 13.8 | VT detections: 49 | ZeroCERT
11466 | 2023-07-18 07:24
Sample: file.exe (MD5 a8dcd1088cd200430129217d92db5f37)
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB
Score: 2.2 | VT detections: 47 | ZeroCERT
11467 | 2023-07-18 07:23
Sample: rofl.exe (MD5 2ee4b1df29fe85c016c84d5855b0ec9f)
Tags: UPX Malicious Library ScreenShot AntiDebug AntiVM OS Processor Check PE File PE32 VirusTotal Malware Buffer PE PDB Code Injection buffers extracted WMI RWX flags setting unpack itself ComputerName crashed
Score: 9.4 | VT detections: 38 | ZeroCERT
11468 | 2023-07-18 07:23
Sample: repack.exe (MD5 d072480d939a819969bab643d14dbab8)
Tags: UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware AutoRuns Windows
Score: 3.0 | VT detections: 44 | ZeroCERT
11469 | 2023-07-18 07:21
Sample: fotod25.exe (MD5 74b51238ceac125ca090efeb2b3bce46)
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6):
- http://77.91.68.3/home/love/index.php - rule_id: 35049
- http://77.91.68.3/home/love/index.php
- http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
- http://77.91.68.3/home/love/Plugins/cred64.dll
- http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
- http://77.91.68.3/home/love/Plugins/clip64.dll
Hosts (2):
- 77.91.68.3
- 77.91.68.56
Signatures (10):
- ET MALWARE RedLine Stealer TCP CnC net.tcp Init
- ET MALWARE Redline Stealer TCP CnC Activity
- ET MALWARE Redline Stealer TCP CnC - Id1Response
- ET INFO Dotted Quad Host DLL Request
- ET MALWARE Amadey CnC Check-In
- ET MALWARE Win32/Amadey Bot Activity (POST) M2
- ET INFO Packed Executable Download
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
- http://77.91.68.3/home/love/index.php
- http://77.91.68.3/home/love/Plugins/cred64.dll
- http://77.91.68.3/home/love/Plugins/clip64.dll
Score: 16.6 | VT detections: 44 | ZeroCERT
11470 | 2023-07-17 16:49
Sample: main.exe (MD5 c66ec2c36b8a47ae1b81ea9576519478)
Tags: Gen1 Emotet Generic Malware UPX Malicious Library ASPack Admin Tool (Sysinternals etc ...) Anti_VM OS Processor Check PE64 PE File DLL ZIP Format VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself
Score: 2.8 | VT detections: 35 | ZeroCERT
11471 | 2023-07-17 16:47
Sample: jawazx.exe (MD5 a15da9fdfd935a4b05adc5e0cf0053a0)
Tags: NSIS UPX Malicious Library PE File PE32 DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder
Score: 3.0 | VT detections: 13 | ZeroCERT
11472 | 2023-07-17 16:46
Sample: build.exe (MD5 eabf49a55264bcc12f51bd2710718d3d)
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB
Score: 2.2 | M | VT detections: 51 | ZeroCERT
11473 | 2023-07-17 16:44
Sample: 2E0ECB2F.Png.msi (MD5 f725bab929df4fe2626849ba269b7fcb)
Tags: Malicious Library CAB MSOffice File suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName
Score: 1.8 | M | ZeroCERT
11474 | 2023-07-17 16:44
Sample: sp.exe (MD5 bcaf6001ab90614008b635fc7dcfe7bf)
Tags: UPX Malicious Library MZP Format PE File PE32 VirusTotal Malware RWX flags setting unpack itself
Score: 2.4 | M | VT detections: 25 | ZeroCERT
11475 | 2023-07-17 16:43
Sample: NvProfileUpdate.exe (MD5 15eb8ad14a87788df162588c878c6789)
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
- 135.181.205.149 - malicious
Signatures (3):
- ET MALWARE RedLine Stealer TCP CnC net.tcp Init
- ET MALWARE Redline Stealer TCP CnC Activity
- ET MALWARE Redline Stealer TCP CnC - Id1Response
Score: 12.6 | M | VT detections: 33 | ZeroCERT