11821 | 2023-07-03 11:16 | 14013878658799951837.bin | cf5bca52109e8952fb47b0b7cbb0b148 | 2.4 | M | | ZeroCERT
Tags: Gen1 UPX Malicious Library OS Processor Check PE File PE32 unpack itself Windows utilities WriteConsoleW Windows ComputerName crashed

11822 | 2023-07-03 11:14 | g.exe | d3ea7d6746f35904fd821dbdd9883e08 | 2.4 | M | 31 | ZeroCERT
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself

11823 | 2023-07-03 11:00 | Passw0rd_1122_To_Open_Archive.... | 2b3d3bcf435c1400b8a85945d6fe2d15 | 3.8 | M | | ZeroCERT
Tags: Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware RecordBreaker suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Stealer Windows DNS Downloader
URLs (11):
  http://91.103.252.3/29337380ca3f6eacdd49120039f37335
  http://94.158.245.22/SK2E6ZYBFLD885TK/14013878658799951837.bin
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://91.103.252.3/
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://79.137.195.246/client7/enc.exe
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
Hosts (3):
  91.103.252.3
  79.137.195.246 - mailcious
  94.158.245.22
Alerts (15):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Generic .bin download from Dotted Quad
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible Generic Stealer Sending System Information

11824 | 2023-07-03 10:52 | fotod45.exe | 5aec2b6124e5e88c393e67f578338eff | 16.2 | M | 37 | ZeroCERT
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 CAB DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.124.49 - mailcious
  77.91.68.63 - malware
Alerts (11):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php

11825 | 2023-07-03 10:50 | foto175.exe | af5bf582ca4bbeed9781ae86775f0db6 | 16.8 | M | 38 | ZeroCERT
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 .NET EXE DLL CAB Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.124.49 - mailcious
  77.91.68.63 - malware
Alerts (10):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php

11826 | 2023-07-03 10:47 | Dll1.dll | ffdd3195aa485d0d40b4f117a415afc0 | 1.6 | M | 41 | ZeroCERT
Tags: UPX OS Processor Check DLL PE File PE32 VirusTotal Malware PDB

11827 | 2023-07-03 10:45 | g.exe | a87285233af602f80c067f2a45897389 | 2.0 | M | | ZeroCERT
Tags: Malicious Library PE File PE32 PDB unpack itself DNS
URLs (1):

11828 | 2023-07-03 10:45 | fotod45.exe | d356793a5ac96f386bbf5b1891a00464 | 16.2 | M | 37 | ZeroCERT
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 DLL CAB Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.124.49 - mailcious
  77.91.68.63 - malware
Alerts (10):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php

11829 | 2023-07-03 10:43 | Lowes.exe | 15ffe14a177ee7b6327370e89b027cbb | 0.4 | M | | ZeroCERT
Tags: UPX Malicious Library OS Processor Check PE File PE32 Check memory Tofsee Remote Code Execution
Hosts (2):
  nginx.org(3.125.197.172)
  52.58.199.22
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure

11830 | 2023-07-03 10:43 | foto175.exe | e6b26ffa3c4e3b0d9382c578b3136483 | 15.8 | M | | ZeroCERT
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 CAB DLL .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.124.49 - mailcious
  77.91.68.63 - malware
Alerts (10):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php

11831 | 2023-07-03 10:41 | photo230.exe | 535bee03acddc2ef19f532f8c53db308 | 16.4 | M | 36 | ZeroCERT
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 CAB DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.68.63 - malware
  83.97.73.134 - malware
Alerts (11):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php

11832 | 2023-07-03 10:41 | nmcn.exe | 9c66d28e37853ca1e2481acc88691743 | 4.0 | M | 45 | ZeroCERT
Tags: PE64 PE File VirusTotal Malware PDB MachineGuid Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key crashed
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
  kyliansuperm92139124.sbs(104.21.17.88) - mailcious
  172.67.175.101 - mailcious
  121.254.136.27
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

11833 | 2023-07-03 10:40 | File_pass1234.7z | 8161084437581de1c90b00a7962c7e6a | 7.0 | M | | ZeroCERT
Tags: Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Windows Remote Code Execution Trojan DNS Downloader
URLs (19):
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://95.214.25.233:3002/ - rule_id: 34794
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://77.91.124.31/gallery/photo270.exe - rule_id: 34796
  http://45.66.230.164/g.exe
  http://www.maxmind.com/geoip/v2.1/city/me
  http://www.google.com/
  https://sun6-21.userapi.com/c909618/u808950829/docs/d11/da34c9b97ba8/3kqwpj3h.bmp?extra=1U_qsP4ea-ITUxUuJuDNkqu9l_H-fvbxJHGcwAGtk0n6-vTpbAyG-tbmCZL9cwpv_qqUy1i8OHz4sCndKbGQ33R_PNvGPwW_ESEjFSuIX_eJsBwFA5SIMJLTI573GZiqcaOPa4WBrXrSxjWLgQ
  https://traffic-to.site/294/setup294.exe - rule_id: 34662
  https://sun6-23.userapi.com/c909518/u808950829/docs/d20/baaee8de1eac/WWW1.bmp?extra=_rR46a7mUr_8-NEqIq-FqFurHclM9ugqFt3fSm8tEtp0zd646ZLcSSEqSOVNs5EOURrlfd4PnWbQXhSOWRA-gzH_yA_Nz8iMh3lfXus51K9z0M9R0_OJHQLW2SWR0tUJHTGROKfIgzehJVO9Zw
  https://sun6-20.userapi.com/c909228/u808950829/docs/d39/714d89c36daf/PMmp.bmp?extra=38nZU46e6ijZEVOhJucw1H9CMvRX5sB8O9Q07Xnx1eE_9ZiNLwcEiNytR9EUJxiYTioJCWWjgETZVsP0IVfKpokzHxWXF6GPmK2kIdWMCpmMf0bRyMhv1EPZju_TK22uZNZatJGVTwVrheYB6g
  https://db-ip.com/
  https://sun6-22.userapi.com/c909518/u808950829/docs/d56/29ffcaa073db/crypted.bmp?extra=e_8h-OOBwezL78F68vevENKVW0-K_3wYQ6rGUXev84PWEIJRRajImOPEI6wlmgYMJxf6hmTGK_bGnfvP1cliblVG2VJZFI6xkHxT8DbaO-hAqWMUe2-YSz2HjuIGScgFCTdZnnEjbQmgxBLhIA
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Hosts (60):
  www.maxmind.com(104.17.214.67)
  db-ip.com(104.26.5.15)
  bitbucket.org(104.192.141.1) - malware
  www.google.com(142.250.207.100)
  api.myip.com(104.26.8.59)
  hugersi.com(91.215.85.147) - malware
  iplis.ru(148.251.234.93) - mailcious
  sun6-21.userapi.com(95.142.206.1) - mailcious
  vanaheim.cn(193.106.175.125)
  sun6-23.userapi.com(95.142.206.3)
  traffic-to.site(172.67.171.62) - malware
  ipinfo.io(34.117.59.81)
  sun6-22.userapi.com(95.142.206.2)
  iplogger.org(148.251.234.83) - mailcious
  fastpool.xyz(213.91.128.133)
  sun6-20.userapi.com(95.142.206.0) - mailcious
  api.db-ip.com(172.67.75.166)
  zzz.fhauiehgha.com(156.236.72.121) - mailcious
  vk.com(87.240.132.72) - mailcious
  z.nnnaajjjgc.com(156.236.72.121)
  148.251.234.93 - mailcious
  95.142.206.0 - mailcious
  146.59.161.7 - mailcious
  104.17.215.67
  91.215.85.147 - malware
  62.122.184.92
  80.66.75.254
  77.91.124.49
  172.67.75.166
  80.66.75.4
  194.26.135.162
  142.250.66.36
  104.21.29.16 - malware
  157.254.164.98 - mailcious
  34.117.59.81
  176.113.115.84 - mailcious
  185.157.120.11 - mailcious
  148.251.234.83
  104.26.8.59
  193.106.175.125
  176.113.115.135
  176.113.115.136
  45.12.253.74 - malware
  45.66.230.164
  94.142.138.131 - mailcious
  104.192.141.1 - mailcious
  94.142.138.113 - mailcious
  95.214.25.233 - mailcious
  156.236.72.121 - mailcious
  45.15.156.229 - mailcious
  104.26.4.15
  95.142.206.3
  163.123.143.4 - mailcious
  95.142.206.1 - mailcious
  45.143.201.238
  121.254.136.27
  77.91.124.31 - mailcious
  95.142.206.2
  87.240.132.72 - mailcious
  213.91.128.133
Alerts (22):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  ET DROP Spamhaus DROP Listed Traffic Inbound group 22
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO TLS Handshake Failure
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET INFO EXE - Served Attached HTTP
  ET DROP Spamhaus DROP Listed Traffic Inbound group 27
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET DROP Dshield Block Listed Source group 1
  ET POLICY Cryptocurrency Miner Checkin
Rule-matched URLs (9):
  http://94.142.138.131/api/firegate.php
  http://hugersi.com/dl/6523.exe
  http://zzz.fhauiehgha.com/m/okka25.exe
  http://45.15.156.229/api/tracemap.php
  http://176.113.115.84:8080/4.php
  http://94.142.138.131/api/tracemap.php
  http://95.214.25.233:3002/
  http://77.91.124.31/gallery/photo270.exe
  https://traffic-to.site/294/setup294.exe

11834 | 2023-07-03 10:40 | photo270.exe | 4f3cb2d446bbe7ecb9053e974c76503e | 17.4 | M | | ZeroCERT
Tags: Gen1 Emotet SmokeLoader UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 CAB DLL .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (6):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.157/new/foto175.exe
  http://77.91.68.157/new/fotod45.exe
  http://77.91.68.157/smo/du.exe
Hosts (3):
  77.91.68.157 - malware
  77.91.124.49
  77.91.68.63 - malware
Alerts (15):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/index.php
  http://77.91.68.63/doma/net/Plugins/clip64.dll

11835 | 2023-07-03 10:38 | w-11.exe | a4f5f1769e9bfd6c4510d7b73aa3332f | 3.0 | M | 47 | ZeroCERT
Tags: UPX PE File PE32 VirusTotal Malware WriteConsoleW