11926 | 2023-06-28 07:30 |
AA.exe e6b09f1c7473e375eccf56221de26cc9 PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger |
1
http://checkip.dyndns.org/
|
2
checkip.dyndns.org(132.226.8.169) 158.101.44.242
|
3
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check
|
|
12.8 | M | 55 | ZeroCERT
11927 | 2023-06-28 07:28 |
bird.exe c441075240de1a6f57d05dcae26969f3 Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Downloader Google Chrome User Data Confuser .NET Create Service Socket Escalate priviledges PWS Sniff Audio DNS Internet API KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself WriteConsoleW Windows |
|
|
|
|
8.6 | M | 58 | ZeroCERT
11928 | 2023-06-28 07:28 |
rh1.exe af1efddb3afaf3bf4d121a9d4c7e7d68 UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware WMI RWX flags setting unpack itself ComputerName DNS crashed |
|
1
|
|
|
4.4 | M | 41 | ZeroCERT
11929 | 2023-06-28 07:26 |
data64_2.exe 11df871909c85e2c2d6ab13b86937749 RedLine stealer UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
|
1
|
1
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
|
|
11.8 | | 26 | ZeroCERT
11930 | 2023-06-28 07:26 |
Lion.exe 1cbb726aada6d392c55f2a52113d05eb UltraVNC UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger unpack itself Windows Cryptographic key crashed |
|
|
|
|
6.0 | | 58 | ZeroCERT
11931 | 2023-06-27 20:02 |
agodzx.doc 2af4d7d7255cb2e719ade02f0c21a41c MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
4
http://www.kickreseme.com/m42i/?GVoxs=tuBsVSYREmwSu8ufK3hQg2nBj+1gCJVu8uhY7/3vk4u/cqMpuY6Pgb1LS9QlY0zU+P7C5DY/&5j=UlSt
http://www.xkrujqqo.shop/m42i/?GVoxs=w3qyr1HBp8Iu34YZrhEFMUfVZI8m3Rg+4Ytg65pgTYBUmxRq5C8foPMI1fc/ELLE1/CH92+K&5j=UlSt
http://www.lks-me.com/m42i/?GVoxs=AkfqlFnVa5qo00kkrGU8lHYLAYpNxr+nxJB5mV0gK++lG32MCmnTt93z53U1FkcI6u4vOqdm&5j=UlSt
http://79.110.49.21/agodzx.exe
|
8
www.xkrujqqo.shop(172.67.145.38)
www.lks-me.com(142.250.206.211)
www.biancagift.com()
www.kickreseme.com(185.53.177.52) 142.250.204.115
172.67.145.38
79.110.49.21 - malware
185.53.177.52 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE FormBook CnC Checkin (GET) ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 | M | 29 | ZeroCERT
11932 | 2023-06-27 19:59 |
hussanzx.exe bbd76370ac91e9e7ee832b127afc4d2e LokiBot Generic Malware Antivirus Socket PWS DNS AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
|
1
161.35.102.56 - mailcious
|
|
|
15.4 | M | 42 | ZeroCERT
11933 | 2023-06-27 19:57 |
ansazx.exe 1d132b7a35d336fc7b2aba2c52346f3f Formbook Generic Malware Antivirus PWS AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
1
http://www.mymatam.com/fg58/?KzrtE=WpDF5rR8GhL85HDW55HvY2UzFumc4+CxavBF5rgmPNYEZf40Rr2HPxuZ1925OstCFu5iCPlj&p0G=kJEPdT4hIPU4hj
|
2
www.mymatam.com(103.28.91.20) 103.28.91.20
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
11.0 | M | 40 | ZeroCERT
11934 | 2023-06-27 19:57 |
pablozx.exe 40df500e4caa9265ef6bea269c34140d Formbook Generic Malware .NET framework(MSIL) Antivirus PWS AntiDebug AntiVM .NET EXE PE32 PE File FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
3
http://www.rgmtrucking.com/xchu/?tZi0=1mhodZhB1qnRk72cRiGQGKQ1EZjghQeDkSst0P3G6zwDiNhHcJxkkyyd0Mijq4HX1ruBVoGm&Unt4E=GTd0sn0XuJCLsTR http://www.ideeintemporelle.com/xchu/?tZi0=t3j26SmWIpincnwYCr1048OEQratwNj3NaIAmhSNt4vAPvcvbjHh9YV3JIDfjMXs/Qq5pWG1&Unt4E=GTd0sn0XuJCLsTR - rule_id: 34173 http://www.wxbaonayue.com/xchu/?tZi0=mY4hZ5B3IXrgLaYN7PrEmvKDAdXbcF63a4JsFYnvPUndT2n4tykPAHMAGz6A4KCHVMxjaycB&Unt4E=GTd0sn0XuJCLsTR
|
6
www.ideeintemporelle.com(84.16.76.212) - mailcious www.rgmtrucking.com(81.17.18.194) www.wxbaonayue.com(43.224.154.228) 192.187.111.222 - phishing 43.224.154.228 84.16.76.212 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
1
http://www.ideeintemporelle.com/xchu/
|
11.4 | M | 48 | ZeroCERT
11935 | 2023-06-27 19:55 |
agodzx.exe 8001fc3355e347ebeb82daf3170e884e NSIS UPX Malicious Library PE32 PE File DLL FormBook Malware download VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows |
3
http://www.brachyurus.com/m42i/?p0G=gFSPJhCHyHfvj3/OTQ/N209MWCE0ruxWwMKG8/dS7LL4Ng9TPUITJ3jANBDXY8KW/0SAdxND&uFNl=XP7LsfJx http://www.au-t-global.com/m42i/?p0G=N8+KveqynWjjsBQWfyAOVZVM5YmcO/FUxw7ndn9VCxpksnP1cJpjXRLM5l+ZvE4aHsqWuB9n&uFNl=XP7LsfJx http://www.acmanu-us.site/m42i/?p0G=M8nVTT0r1hADsDyVwfleHwIj0ZqP2E1IoBumjKzXRRezluCu1rC2Qj6VNg+s3TrRfpLzDtWa&uFNl=XP7LsfJx
|
7
www.kaka225.click() www.au-t-global.com(82.180.138.100) www.brachyurus.com(76.76.21.61) www.acmanu-us.site(64.190.62.22) 82.180.138.100 76.76.21.9 64.190.62.22 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.2 | | 41 | ZeroCERT
11936 | 2023-06-27 19:53 |
europowerzx.exe b39ec4e8104e06705f1eea981c75ebce Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process IP Check Windows Browser Email ComputerName Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.76) 64.185.227.155
|
|
|
13.6 | M | 43 | ZeroCERT
11937 | 2023-06-27 19:53 |
as.exe 58c867b6280648039f05f3702e565474 UPX Malicious Library OS Processor Check PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
176.123.9.142 - mailcious
|
3
ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response
|
|
6.4 | M | 52 | ZeroCERT
11938 | 2023-06-27 19:51 |
ip_network.exe 5e6ffe8f38644e73dbf42cfc39300028 NSIS UPX Malicious Library PE32 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
3.6 | M | 23 | ZeroCERT
11939 | 2023-06-27 19:51 |
good.exe 6cd68ce9a80f20a78a5f1202bb4fa900 NSIS UPX Malicious Library PE32 PE File DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
|
2
api.ipify.org(64.185.227.155) 64.185.227.155
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 | M | 42 | ZeroCERT
11940 | 2023-06-27 15:18 |
File_pass1234.7z e7dce44fd1c02623719da154a73530b2 Redline Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS |
23
http://94.142.138.131/api/firegate.php - rule_id: 32650 http://45.9.74.6/2.exe - rule_id: 34108 http://hugersi.com/dl/6523.exe - rule_id: 32660 http://zzz.fhauiehgha.com/m/okka25.exe http://aa.imgjeoogbb.com/check/safe - rule_id: 34652 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://aa.imgjeoogbb.com/check/?sid=354058&key=261e8714cf3e2b180a837ebbd2a1c23c - rule_id: 34651 http://83.97.73.134/gallery/photo085.exe - rule_id: 34603 http://apps.identrust.com/roots/dstrootcax3.p7c http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://uu.imgjeoogbb.com/sts/imagd.jpg http://77.91.68.63/doma/net/index.php - rule_id: 34361 http://194.169.175.132:3002/ - rule_id: 34588 http://www.maxmind.com/geoip/v2.1/city/me https://sun6-22.userapi.com/c909618/u808950829/docs/d28/4cc4a57587ba/ccloudcosmic.bmp?extra=hHbSkZOK2ypGoMGzMoVQIr34dIpL0jTc8rXuzfN2ryQIRHb2k10RaYX8vYHrK_ToUtUxqtf6MXUWfKWjZyMQWDkKKVzj_NAAmmghn5N7LIn0XzvZfo1VtOhZArvjtdNybTjTPF3xhw_DWNxxOw https://traffic-to.site/294/setup294.exe - rule_id: 34662 https://sun6-23.userapi.com/c909518/u808950829/docs/d20/2835e0dc946a/WWW1.bmp?extra=0U3fP80VLnKgSldciJ_-gch_IEehor9ECKfJOZpq-rCazGYOvo9sLOkRpthki4weVfbYGA1osnWQ00TzHm9VIMUPWWg55h4tRe0N0C-jDw7VYzTxraDQwZ_efL7w064L3WrFmtkfRudDJ-9omQ https://vk.com/doc808950829_663416193?hash=TwgmTA3pMX5XUbfBEPazmzdRVPdFw9t8BbYBqJvidU8&dl=H6DzAmaBeDTytHVbTKfRExM88kxUqIpLizX7g2YgUEL&api=1&no_preview=1#WW1 https://db-ip.com/ https://sun6-22.userapi.com/c236331/u808950829/docs/d59/6c7c94721e59/PMmp.bmp?extra=Td7m8ilGNTufWxPe9pFLAAOe8OwQZ90naWSrI4Rh0fmDFiTjJFLIwtb519vvOhlyAQpe5vpdbxZQxszQ9hyCoguP3HPqowRF-o32W9qYIgqjO8LYNmXY3eFSpR-MYkxzYU6XyqvRT_VAGnK-YA https://sun6-20.userapi.com/c909228/u808950829/docs/d4/34c44c30e5c7/RisePro_0_1_vgWJ8smB7NzPfuCfGTFK.bmp?extra=gibRZ-sXuHYaozzUPic6nwAA337chNSn8nvt5Mb_uz0O2gGqP6txMYpLGVd9lXsiJ86PjC-e4W0CoO211bOYz02AzVwWNUqxEoM_k0UP2mIABX1ZpSveaJl2-u5fhxquyIsxrckEsFPTdW-k4w https://db-ip.com/demo/home.php?s=175.208.134.152 
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
|
49
uu.imgjeoogbb.com(156.236.72.121) db-ip.com(172.67.75.166) api.db-ip.com(104.26.5.15) api.myip.com(104.26.8.59) hugersi.com(91.215.85.147) - malware sun6-22.userapi.com(95.142.206.2) zzz.fhauiehgha.com(156.236.72.121) sun6-23.userapi.com(95.142.206.3) traffic-to.site(172.67.171.62) - malware ipinfo.io(34.117.59.81) aa.imgjeoogbb.com(154.221.26.108) - mailcious bitbucket.org(104.192.141.1) - malware www.maxmind.com(104.17.215.67) sun6-20.userapi.com(95.142.206.0) - mailcious vk.com(87.240.137.164) - mailcious iplogger.org(148.251.234.83) - mailcious iplis.ru(148.251.234.93) - mailcious 148.251.234.93 - mailcious 194.169.175.128 - mailcious 154.221.26.108 - mailcious 95.142.206.2 104.17.215.67 91.215.85.147 - malware 94.142.138.113 - mailcious 172.67.75.166 135.125.27.228 - mailcious 157.254.164.98 - mailcious 34.117.59.81 148.251.234.83 194.169.175.132 - mailcious 77.91.68.63 - malware 45.12.253.74 - malware 94.142.138.131 - mailcious 104.192.141.1 - mailcious 185.81.68.115 - mailcious 83.97.73.131 - malware 104.17.214.67 83.97.73.134 - malware 156.236.72.121 45.15.156.229 - mailcious 104.26.9.59 95.142.206.3 163.123.143.4 - mailcious 95.142.206.0 - mailcious 121.254.136.27 87.240.132.78 - mailcious 45.9.74.6 - malware 176.113.115.239 - malware 172.67.171.62
|
21
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA Applayer Mismatch protocol both directions ET POLICY PE EXE or DLL Windows file download HTTP ET INFO TLS Handshake Failure ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO EXE - Served Attached HTTP ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2
|
11
http://94.142.138.131/api/firegate.php http://45.9.74.6/2.exe http://hugersi.com/dl/6523.exe http://aa.imgjeoogbb.com/check/safe http://45.15.156.229/api/tracemap.php http://aa.imgjeoogbb.com/check/ http://83.97.73.134/gallery/photo085.exe http://94.142.138.131/api/tracemap.php http://77.91.68.63/doma/net/index.php http://194.169.175.132:3002/ https://traffic-to.site/294/setup294.exe
|
6.2 | M | 1 | guest