11551 |
2023-07-13 11:29
Passw0rdsz_8686_Setup_Full.rar 265512707cae9867fa087ed8ba84ae4f Escalate privileges PWS KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger Creates executable files unpack itself |
2.0 |
M |
ZeroCERT
11552 |
2023-07-13 11:25
File_pass1234.7z 93c547f9499216b529205c418fb4e7b0 Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS Downloader |
25
48
21
ET DROP Spamhaus DROP Listed Traffic Inbound group 40 SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DNS Query to a *.pw domain - Likely Hostile ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO TLS Handshake Failure ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET DROP Spamhaus DROP Listed Traffic Inbound group 27 ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO EXE - Served Attached HTTP
10
http://208.67.104.60/api/firegate.php http://hugersi.com/dl/6523.exe http://zzz.fhauiehgha.com/m/okka25.exe http://aa.imgjeoogbb.com/check/safe http://45.66.230.164/g.exe http://208.67.104.60/api/tracemap.php http://us.imgjeoigaa.com/sts/imagc.jpg http://aa.imgjeoogbb.com/check/ http://45.15.156.229/api/tracemap.php https://camoverde.pw/setup294.exe
6.2 |
M |
ZeroCERT
11553 |
2023-07-13 11:19
b.jpg.vbs 92589da336f8a80a34a764cb763c7e01 Hide_EXE VirusTotal Malware crashed |
0.8 |
M |
11 |
ZeroCERT
11554 |
2023-07-13 09:09
imgengine.dll 511f56b74826a4e053db05e34f72bd6b UPX OS Processor Check MZP Format DLL PE File PE32 VirusTotal Malware Checks debugger WMI RWX flags setting unpack itself Check virtual network interfaces Tofsee ComputerName crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
3
esp-78-56-65-23.esp.artforcemusic.de(185.8.51.230) 185.8.51.230 121.254.136.27
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 |
15 |
ZeroCERT
11555 |
2023-07-13 09:06
imgengine.dll 511f56b74826a4e053db05e34f72bd6b UPX OS Processor Check MZP Format DLL PE File PE32 VirusTotal Malware Checks debugger WMI RWX flags setting unpack itself Check virtual network interfaces Tofsee ComputerName crashed |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
3
esp-78-56-65-23.esp.artforcemusic.de(185.8.51.230) 185.8.51.230 121.254.136.57
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 |
15 |
ZeroCERT
11556 |
2023-07-13 09:00
vaferias.png 922605e4469c97bcfd19b2ae07d18464 ZIP Format VirusTotal Malware |
0.6 |
10 |
ZeroCERT
11557 |
2023-07-13 09:00
SHIPPING_COPY_DOCUMENTS-QRYTR-... 0bbe430413435af44cd3af7dd542d158 Generic Malware Antivirus Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities suspicious process Windows ComputerName DNS Cryptographic key crashed |
1
http://91.244.197.9/new/Unsl.java
1
8.6 |
ZeroCERT
11558 |
2023-07-13 08:58
Forrderes.exe ceaf606490044679c681b1cae6f67bd0 UPX Malicious Library PE File PE32 DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder |
2.6 |
32 |
ZeroCERT
11559 |
2023-07-13 07:28
wins.exe da4dd59a4f7d449bb43fe614c762ae38 AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS |
11
12
www.tarolstroy.store(91.106.207.17) - malicious www.alanyatourism.xyz(31.186.11.254) www.ambadisuites.com(103.235.104.55) www.730fk.xyz(34.149.24.8) www.aamset-paris.com(213.171.195.105) 108.170.55.202 - phishing 103.235.104.55 213.171.195.105 - malicious 34.149.24.8 45.33.6.223 31.186.11.254 - malicious 91.106.207.17 - malware
2
ET MALWARE FormBook CnC Checkin (POST) M2 ET HUNTING Request to .XYZ Domain with Minimal Headers
9.0 |
M |
16 |
ZeroCERT
11560 |
2023-07-13 07:27
logszx.doc 9efc5bf89911efa2f7c3e6eb52313b24 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
1
http://87.121.221.212/logszx.exe
3
smtp.quartziax.com(208.91.199.225) 208.91.199.224 - malicious
87.121.221.212 - malware
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 SURICATA Applayer Detect protocol only one direction ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 |
M |
32 |
ZeroCERT
11561 |
2023-07-13 07:25
contactzx.doc 79055da8c7237e6101b284018ab23880 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware AgentTesla Malicious Traffic ICMP traffic RWX flags setting exploit crash Windows Exploit DNS crashed |
1
http://87.121.221.212/contactzx.exe
4
smtp.soctracao.com(185.98.131.211) 31.186.11.254 - malicious
185.98.131.211
87.121.221.212 - malware
7
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SURICATA Applayer Detect protocol only one direction ET MALWARE AgentTesla Exfil Via SMTP
7.4 |
M |
32 |
ZeroCERT
11562 |
2023-07-13 07:24
|
logszx.exe ebf3233ae74cc600e4c41f2454be000f .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Browser Email ComputerName Cryptographic key Software crashed |
2
smtp.quartziax.com(208.91.198.143) 208.91.198.143
1
SURICATA Applayer Detect protocol only one direction
11.4 |
M |
33 |
ZeroCERT
11563 |
2023-07-13 07:20
contactzx.exe b8c4c01af54105fef68157252a11bb69 .NET framework(MSIL) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
2.4 |
M |
32 |
ZeroCERT
11564 |
2023-07-13 07:18
updEdge.exe 3c55617e6b69330386a0350e9f6aa0b4 Themida Packer Generic Malware UPX Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI ICMP traffic unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Stealer Windows Browser ComputerName Firmware Cryptographic key Software crashed |
2
rcam.tuktuk.ug(85.209.3.4) 85.209.3.4
2
ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response
15.4 |
29 |
ZeroCERT
11565 |
2023-07-13 07:18
csrssop.exe 11cf36796a468db2f1789d06d01a65f4 Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
2
terminal4.veeblehosting.com(108.170.55.203) 108.170.55.202 - phishing
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.2 |
32 |
ZeroCERT