11836 | 2023-07-03 10:36
File: 95.214.25.233:3002
MD5: c38abd8bb4501954e6cec0c28f7550a0
Tags: Malicious Library, PE File, PE32, VirusTotal, Malware, PDB
Score: 1.8
VirusTotal detections: 29
Source: ZeroCERT

11837 | 2023-07-03 10:09
File: File.7z
MD5: e1c1631773503c7756e93f28d1a2285b
Tags: Escalate privileges, PWS, KeyLogger, AntiDebug, AntiVM, RedLine, Malware download, Cryptocurrency Miner, Malware, Cryptocurrency, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, ICMP traffic, unpack itself, IP Check, PrivateLoader, Tofsee, Stealer, Windows, Remote Code Execution, DNS
URLs (19):
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://www.google.com/
https://sun6-23.userapi.com/c909518/u808950829/docs/d20/baaee8de1eac/WWW1.bmp?extra=_rR46a7mUr_8-NEqIq-FqFurHclM9ugqFt3fSm8tEtp0zd646ZLcSSEqSOVNs5EOURrlfd4PnWbQXhSOWRA-gzH_yA_Nz8iMh3lfXus51K9z0M9R0_KBHQLW2SWR0tUJHWCWaqPL1DevJFu9Ow
https://traffic-to.site/294/setup294.exe - rule_id: 34662
https://sun6-20.userapi.com/c909228/u808950829/docs/d39/714d89c36daf/PMmp.bmp?extra=38nZU46e6ijZEVOhJucw1H9CMvRX5sB8O9Q07Xnx1eE_9ZiNLwcEiNytR9EUJxiYTioJCWWjgETZVsP0IVfKpokzHxWXF6GPmK2kIdWMCpmMf0bRyMln1EPZju_TK22uZIFYsJOSG1E4i7ED6g
https://sun6-22.userapi.com/c909518/u808950829/docs/d56/29ffcaa073db/crypted.bmp?extra=e_8h-OOBwezL78F68vevENKVW0-K_3wYQ6rGUXev84PWEIJRRajImOPEI6wlmgYMJxf6hmTGK_bGnfvP1cliblVG2VJZFI6xkHxT8DbaO-hAqWMUe26QSz2HjuIGScgFCWcKzn5yb1_wlEXvIA
https://vk.com/doc808950829_663702962?hash=VpySEcIQqRT3HECVKkOptxNqKtTEZULY5skqGgWCYd4&dl=LTFAeoMLppF2E62ZnwaASkY0czRdI7QAJlR7Tx0S1s8&api=1&no_preview=1#cryp
https://db-ip.com/
https://vk.com/doc808950829_663648937?hash=eKai4FYeayZCAEjqzlxZ2gWz79KxiwUMuktQ4fZ6rr0&dl=8PltKcE2IQ6oZHvv1IHsdh8qZWM237x2z5umRu20Q5L&api=1&no_preview=1
https://sun6-21.userapi.com/c909618/u808950829/docs/d11/da34c9b97ba8/3kqwpj3h.bmp?extra=1U_qsP4ea-ITUxUuJuDNkqu9l_H-fvbxJHGcwAGtk0n6-vTpbAyG-tbmCZL9cwpv_qqUy1i8OHz4sCndKbGQ33R_PNvGPwW_ESEjFSuIX_eJsBwFA5WAMJLTI573GZiqcfOCboeA9nyFyWuNgw
https://vk.com/doc808950829_663496587?hash=9HBIzrbBWHKqUnGhHt30dMcZIm1RpmRRZBzZ89JCfGw&dl=JRIT3v6zzNFrou8UYI02dSfdibpUzCLo9YvFXREFvCT&api=1&no_preview=1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Hosts (61):
api.db-ip.com(104.26.4.15)
www.maxmind.com(104.17.214.67)
db-ip.com(172.67.75.166)
www.google.com(142.250.207.100)
api.myip.com(172.67.75.163)
hugersi.com(91.215.85.147) - malware
sun6-22.userapi.com(95.142.206.2)
zzz.fhauiehgha.com(156.236.72.121) - malicious
sun6-23.userapi.com(95.142.206.3)
traffic-to.site(172.67.171.62) - malware
ipinfo.io(34.117.59.81)
iplogger.org(148.251.234.83) - malicious
bitbucket.org(104.192.141.1) - malware
fastpool.xyz(213.91.128.133)
sun6-20.userapi.com(95.142.206.0) - malicious
vk.com(87.240.132.72) - malicious
vanaheim.cn(193.106.175.125)
sun6-21.userapi.com(95.142.206.1) - malicious
iplis.ru(148.251.234.93) - malicious
z.nnnaajjjgc.com(156.236.72.121)
148.251.234.93 - malicious
95.142.206.0 - malicious
148.251.234.83
146.59.161.7 - malicious
104.17.215.67
91.215.85.147 - malware
62.122.184.92
104.26.5.15
208.67.104.60 - malicious
80.66.75.254
77.91.124.49
172.67.75.166
80.66.75.4
172.67.75.163
104.21.29.16 - malware
157.254.164.98 - malicious
34.117.59.81
176.113.115.84 - malware
185.157.120.11
142.250.179.164
193.106.175.125
176.113.115.135
176.113.115.136
45.12.253.74 - malware
45.66.230.164
94.142.138.131 - malicious
104.192.141.1 - malicious
94.142.138.113 - malicious
142.251.220.68
95.214.25.233 - malware
156.236.72.121 - malicious
45.15.156.229 - malicious
95.142.206.3
163.123.143.4 - malicious
95.142.206.1 - malicious
45.143.201.238
121.254.136.27
77.91.124.31 - malicious
95.142.206.2
87.240.132.72 - malicious
213.91.128.133
Suricata alerts (20):
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY Cryptocurrency Miner Checkin
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET DROP Dshield Block Listed Source group 1
Malicious URLs (7):
http://94.142.138.131/api/firegate.php
http://hugersi.com/dl/6523.exe
http://zzz.fhauiehgha.com/m/okka25.exe
http://45.15.156.229/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://208.67.104.60/api/tracemap.php
https://traffic-to.site/294/setup294.exe
Score: 7.0 | M
Source: ZeroCERT

11838 | 2023-07-03 09:44
File: 1.bat
MD5: 3e411bd1e848941b8e74434c5800ed2b
Tags: LokiBot, Gen1, Generic Malware, Downloader, task schedule, UPX, Malicious Library, Admin Tool (Sysinternals etc ...), Malicious Packer, Antivirus, Create Service, Socket, DGA, Steal credential, Escalate privileges, Code injection, HTTP, PWS, Sniff Audio, DNS, ScreenShot, Htt, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, NetSupport
URLs (6):
http://geo.netsupportsoftware.com/location/loca.asp
http://94.158.244.118:1203/
http://94.158.244.118/fakeurl.htm
https://bigbirdmarketing.com/a5f1ac4966fe9654e51ca877711b46a3-6226f7cbe59e99a90b5cef6f94f966fd/tempy.7z
https://bigbirdmarketing.com/a5f1ac4966fe9654e51ca877711b46a3-6226f7cbe59e99a90b5cef6f94f966fd/7zz.exe
https://bigbirdmarketing.com/a5f1ac4966fe9654e51ca877711b46a3-6226f7cbe59e99a90b5cef6f94f966fd/2.bat
Hosts (5):
bigbirdmarketing.com(188.127.225.160) - malicious
geo.netsupportsoftware.com(62.172.138.67)
62.172.138.8
188.127.225.160 - malicious
94.158.244.118 - malicious
Suricata alerts (3):
ET POLICY NetSupport GeoLocation Lookup Request
ET INFO NetSupport Remote Admin Checkin
ET INFO NetSupport Remote Admin Response
Score: 9.6
Source: ZeroCERT

11839 | 2023-07-03 09:41
File: Tqmjx.wav.exe
MD5: e4ae709efa85e943dcc67709581c3444
Tags: UPX, .NET DLL, DLL, PE File, PE32
Score: 0.4
Source: ZeroCERT

11840 | 2023-07-03 09:35
File: Tjfgtxur.dat.exe
MD5: 30d4b0c32df42140933951fd53c41b53
Tags: UPX, .NET DLL, DLL, PE File, PE32
Score: 0.4
Source: ZeroCERT

11841 | 2023-07-03 09:35
File: Ibmxhexusx.pdf.exe
MD5: 1b8adba2e1058d36ced89a3b3efb6e5d
Tags: UPX, .NET DLL, DLL, PE File, PE32
Score: 0.4
Source: ZeroCERT

11842 | 2023-07-03 09:35
File: Akisikttvm.dat.exe
MD5: 6eeee2f35e8b6d872c517e5dbdc13067
Tags: UPX, .NET DLL, DLL, PE File, PE32
Score: 0.4
Source: ZeroCERT

11843 | 2023-07-01 12:41
File: lwg67u9jwvf.exe
MD5: 972abf3179291dfac99397b5ae996365
Tags: Gen1, UPX, Malicious Library, Malicious Packer, HTTP, PWS, ScreenShot, Http API, Internet API, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, DLL, Browser Info Stealer, Malware download, VirusTotal, Malware, RecordBreaker, Buffer PE, MachineGuid, Code Injection, Malicious Traffic, Check memory, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, installed browsers check, Stealer, Windows, Browser, DNS, crashed
URLs (9):
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://79.137.207.76/ff28cfba795272727ca2aa8ba6d108c8
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://79.137.207.76/
http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
Host count: 1
Suricata alerts (11):
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible Generic Stealer Sending System Information
Score: 12.6 | M
VirusTotal detections: 28
Source: ZeroCERT

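The host and URL fields in these listings are flattened into one whitespace-separated string, which makes them awkward to feed into a blocklist or a hunt query. The following is an added example, not ZeroCERT's or the sandbox's own code: it parses the two field layouts seen on this page (hosts as `name(ip) - label`, URLs optionally followed by `- rule_id: N`), pulls out the IPs the listing marked as malicious, and applies one detection idea suggested by entry 11843: a single dotted-quad host serving several of the Mozilla/SQLite DLLs that Raccoon/RecordBreaker fetches before reading browser credential stores. The sample fields are copied from entries 11838 and 11843; the dependency-DLL list and the three-DLL threshold are assumptions of the example.

```python
"""Parse flattened sandbox-listing fields and flag infostealer dependency-DLL pulls.

Added example. Field layout is inferred from this listing; STEALER_DEPS and the
min_dlls threshold are assumptions, not something the listing states.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_TOKEN = re.compile(r"^([A-Za-z0-9.\-]+)(?:\(([\d.]+)\))?$")
# Labels as the listing emits them; it also uses the misspelling "mailcious".
LABELS = {"mailcious": "malicious", "malicious": "malicious", "malware": "malware"}
# DLLs Raccoon/RecordBreaker pulls from its C2 to decrypt browser credential
# stores (assumed list; it mirrors the ET HUNTING rules fired in entry 11843).
STEALER_DEPS = {"nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll",
                "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}


def parse_hosts(field):
    """'name(ip) - label name(ip) ip - label ...' -> list of host dicts."""
    toks, out, i = field.split(), [], 0
    while i < len(toks):
        m = HOST_TOKEN.match(toks[i])
        if not m:
            raise ValueError(f"unexpected host token: {toks[i]!r}")
        name, ip = m.group(1), m.group(2)
        if ip is None and DOTTED_QUAD.match(name):  # bare IP entry, no hostname
            name, ip = None, name
        label = None
        if i + 2 < len(toks) and toks[i + 1] == "-":  # "- label" follows
            label = LABELS.get(toks[i + 2].lower(), toks[i + 2].lower())
            i += 3
        else:
            i += 1
        out.append({"name": name, "ip": ip, "label": label})
    return out


def parse_urls(field):
    """'url - rule_id: N url url - rule_id: N ...' -> list of URL dicts."""
    toks, out, i = field.split(), [], 0
    while i < len(toks):
        url, rule_id = toks[i], None
        if toks[i + 1:i + 3] == ["-", "rule_id:"] and i + 3 < len(toks):
            rule_id = int(toks[i + 3])
            i += 4
        else:
            i += 1
        out.append({"url": url, "rule_id": rule_id})
    return out


def flagged_ips(hosts):
    """IPs the listing labelled malicious/malware, deduplicated and sorted."""
    return sorted({h["ip"] for h in hosts if h["label"] and h["ip"]})


def stealer_dependency_pulls(urls, min_dlls=3):
    """Map dotted-quad hosts to the stealer-dependency DLLs fetched from them,
    keeping only hosts that served at least min_dlls distinct ones."""
    seen = defaultdict(set)
    for u in urls:
        p = urlparse(u["url"])
        fname = p.path.rsplit("/", 1)[-1].lower()
        if p.hostname and DOTTED_QUAD.match(p.hostname) and fname in STEALER_DEPS:
            seen[p.hostname].add(fname)
    return {h: sorted(d) for h, d in seen.items() if len(d) >= min_dlls}


# Sample fields copied from entries 11838 (hosts) and 11843 (URLs) of this listing.
HOSTS_11838 = ("bigbirdmarketing.com(188.127.225.160) - malicious "
               "geo.netsupportsoftware.com(62.172.138.67) 62.172.138.8 "
               "188.127.225.160 - malicious 94.158.244.118 - malicious")
URLS_11843 = " ".join(
    f"http://79.137.207.76/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/{d}" for d in
    ["softokn3.dll", "sqlite3.dll", "msvcp140.dll", "nss3.dll",
     "freebl3.dll", "mozglue.dll", "vcruntime140.dll"]
) + " http://79.137.207.76/ff28cfba795272727ca2aa8ba6d108c8 http://79.137.207.76/"

if __name__ == "__main__":
    print(flagged_ips(parse_hosts(HOSTS_11838)))
    print(stealer_dependency_pulls(parse_urls(URLS_11843)))
```

The threshold matters: a single `vcruntime140.dll` or `msvcp140.dll` fetch is ordinary software-installation traffic, but the NSS trio (`nss3.dll`, `freebl3.dll`, `softokn3.dll`) plus `sqlite3.dll` from a bare IP, with no hostname, is the shape the ET HUNTING rules above are looking for.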
11844 | 2023-07-01 12:39
File: c53cfff621a84792162f70e790980e...
MD5: 7f6638a6d92964abac556675bb6b669d
Tags: Malicious Library, PE File, PE32, VirusTotal, Malware, PDB, unpack itself, Remote Code Execution
Score: 2.4 | M
VirusTotal detections: 57
Source: ZeroCERT

11845 | 2023-07-01 12:34
File: F-VPN.exe
MD5: 7106aab423db77a92c6e97a70bc8ef84
Tags: UPX, Malicious Library, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, PE64, VirusTotal, Malware, PDB, Code Injection, Creates executable files, ComputerName, Remote Code Execution, crashed
Score: 4.8 | M
VirusTotal detections: 21
Source: ZeroCERT

11846 | 2023-07-01 12:32
File: rocketpro.exe
MD5: 3a7672c0d0002621ffb756afab204616
Tags: RedLine stealer, UPX, .NET framework(MSIL), Confuser .NET, OS Processor Check, .NET EXE, PE File, PE32, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URL count: 1
Hosts (3):
api.ip.sb(104.26.12.31)
104.211.55.2
104.26.12.31
Suricata alerts (2):
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.8
VirusTotal detections: 33
Source: ZeroCERT

11847 | 2023-07-01 12:30
File: bu333ild.exe
MD5: e2ae5ae3318f8ae3111188f4ed7770a6
Tags: RedLine stealer, UPX, .NET framework(MSIL), OS Processor Check, .NET EXE, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Windows, Cryptographic key
Score: 3.0
VirusTotal detections: 58
Source: ZeroCERT

11848 | 2023-07-01 12:30
File: 4.php
MD5: 6b59056d039c885c9cdaea63924a97ef
Tags: Malicious Library, PE File, PE32, VirusTotal, Malware, PDB, unpack itself
Score: 2.4
VirusTotal detections: 34
Source: ZeroCERT

11849 | 2023-07-01 12:28
File: 7777777.exe
MD5: 3de3c62bf07b3cc5179139b99378ce6d
Tags: RedLine stealer, UPX, .NET framework(MSIL), OS Processor Check, .NET EXE, PE File, PE32, VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, Windows, DNS, Cryptographic key
URL count: 1
Score: 4.2
VirusTotal detections: 57
Source: ZeroCERT

11850 | 2023-07-01 12:23
File: fb.exe
MD5: 402c4df156c38ca61ccb6652d33878fb
Tags: RedLine stealer, UPX, AntiDebug, AntiVM, .NET EXE, PE File, PE32, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, installed browsers check, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URL count: 1
Suricata alerts (3):
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
Score: 11.0 | M
VirusTotal detections: 47
Source: ZeroCERT