11896 |
2023-06-28 16:58
|
thirdagodzx.doc 6a4d531095c70f0e45a6b9cc33be39d0 Formbook MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash Windows Exploit DNS crashed |
3
http://www.brachyurus.com/m42i/?tXxh=gFSPJhCHyHfvj3/OTQ/N209MWCE0ruxWwMKG8/dS7LL4Ng9TPUITJ3jANBDXY8KW/0SAdxND&U48pk=Ntx0ULS8kBu8CrO - rule_id: 34717
http://www.brandof9.com/m42i/?tXxh=HnlFhmlnJCIqG8GostDV8pcZGObG6nb3VDM8KVLCjMrxyVQQaLuo+icXlHEfVnlVYflr3kKe&U48pk=Ntx0ULS8kBu8CrO
http://79.110.49.21/thirdagodzx.exe
|
5
www.brandof9.com(23.227.38.74)
www.brachyurus.com(76.76.21.9) - malicious
23.227.38.74 - malicious
79.110.49.21 - malware
76.76.21.22
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE FormBook CnC Checkin (GET) ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://www.brachyurus.com/m42i/
|
4.0 |
M |
29 |
ZeroCERT
11897 |
2023-06-28 16:45
|
Bar0627SetUp.exe e55683d061bb823c5ad9828c506f8c54 RedLine stealer Themida Packer UPX Admin Tool (Sysinternals etc ...) Socket DNS Anti_VM AntiDebug AntiVM .NET EXE PE32 PE File PNG Format PE64 JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Interception Stealer Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed |
13
|
13
|
4
ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE RedLine Stealer TCP CnC net.tcp Init SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
20.4 |
M |
22 |
ZeroCERT
11898 |
2023-06-28 16:42
|
thirdagodzx.exe 03edaee7120cbf2752ae82e5eed3f5ba .NET framework(MSIL) .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
42 |
ZeroCERT
11899 |
2023-06-28 16:40
|
thirdagodzx.doc 6a4d531095c70f0e45a6b9cc33be39d0 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit DNS crashed |
|
3
62.217.160.2
5.255.255.77
79.110.49.21 - malware
|
|
|
4.6 |
M |
29 |
ZeroCERT
11900 |
2023-06-28 16:39
|
Lyla0627SetUp.exe 7a239c74c129efc307f98fd62a605bca RedLine stealer Themida Packer UPX Admin Tool (Sysinternals etc ...) Socket DNS Anti_VM AntiDebug AntiVM .NET EXE PE32 PE File PNG Format PE64 JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder suspicious TLD VMware anti-virtualization installed browsers check Tofsee Interception Stealer Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed |
13
|
13
|
4
ET POLICY PE EXE or DLL Windows file download HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET INFO TLS Handshake Failure
|
|
20.8 |
M |
23 |
ZeroCERT
11901 |
2023-06-28 16:37
|
Dhl Docs6272023.doc 5f62b3558fcff678c7e3af65eea16c5d MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash IP Check Tofsee Windows Gmail Exploit DNS crashed |
2
http://79.110.49.21/dollzx.exe
https://api.ipify.org/
|
5
api.ipify.org(104.237.62.211)
smtp.gmail.com(74.125.203.109)
79.110.49.21 - malware
74.125.203.109
64.185.227.155
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.8 |
|
29 |
ZeroCERT
11902 |
2023-06-28 16:36
|
pmexzx.exe 702afdca8f01b2e8cca517d70c86afb4 Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Windows Browser Email ComputerName Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.76)
173.231.16.76
|
|
|
14.0 |
M |
41 |
ZeroCERT
11903 |
2023-06-28 16:34
|
kudizx.exe d884898752a809e39203f30207e8b0c7 Formbook .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(64.185.227.155)
api.telegram.org(149.154.167.220)
64.185.227.155
149.154.167.220
|
4
ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Telegram API Domain in DNS Lookup
|
|
13.8 |
M |
47 |
ZeroCERT
11904 |
2023-06-28 16:33
|
chamberszx.exe f2707d788cc86c8707eee04679ddf651 .NET framework(MSIL) .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
43 |
ZeroCERT
11905 |
2023-06-28 14:57
|
File_pass1234.7z a391d1c7127c4d323d110d325a8ad4fd Redline Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows DNS |
26
|
60
|
26
ET DROP Spamhaus DROP Listed Traffic Inbound group 40 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO TLS Handshake Failure ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO EXE - Served Attached HTTP ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ET POLICY IP Check Domain (icanhazip. com in HTTP Host) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET HUNTING Telegram API Domain in DNS Lookup ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response
|
14
|
6.6 |
M |
|
ZeroCERT
11906 |
2023-06-28 09:24
|
24_06.zip ad691fbd485d94a8fae1a008b081ec80 ZIP Format VirusTotal Malware Malicious Traffic NetSupport |
3
http://geo.netsupportsoftware.com/location/loca.asp
http://95.179.140.179:1212/
http://95.179.140.179/fakeurl.htm
|
4
geo.netsupportsoftware.com(62.172.138.8)
savastijir1.com(95.179.140.179)
62.172.138.8
95.179.140.179
|
3
ET POLICY NetSupport GeoLocation Lookup Request ET INFO NetSupport Remote Admin Checkin ET INFO NetSupport Remote Admin Response
|
|
1.4 |
M |
16 |
ZeroCERT
11907 |
2023-06-28 09:21
|
0loader_p1_dll_64_n1_x64_inf.d... dbf161014034d9a8154eb91e81c6c88d UPX OS Processor Check DLL PE64 PE File VirusTotal Malware PDB Checks debugger crashed |
|
|
|
|
1.8 |
M |
23 |
ZeroCERT
11908 |
2023-06-28 08:02
|
NEV.exe 01248782c871923cce056480ce946ab7 Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Downloader Google Chrome User Data Confuser .NET Create Service Socket Escalate privileges PWS Sniff Audio DNS ScreenShot Internet API KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS keylogger |
|
1
|
|
|
10.2 |
M |
47 |
ZeroCERT
11909 |
2023-06-28 07:59
|
nanobtd.exe 20b05ef6a9a219260ba6a0603687db86 Generic Malware Confuser .NET PE64 PE File VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger unpack itself |
|
|
|
|
5.4 |
M |
49 |
ZeroCERT
11910 |
2023-06-28 07:57
|
new_project.exe 614a31f01a52c3c9a5819a7962e45c12 .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger Creates shortcut unpack itself ComputerName DNS |
|
1
|
|
|
3.0 |
M |
5 |
ZeroCERT