11986 | 2023-06-26 07:47
fotod95.exe 83737fac22d88dc2efcde05dd1868c5d
Tags: Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check CAB DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.68.63 - malware
  83.97.73.131 - malware
Alerts (10):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php
15.8 | M | | ZeroCERT

11987 | 2023-06-26 07:46
AAA1d.exe ea3c4d4b4fcef4410f25f4f8c58babb5
Tags: PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself DNS crashed
Hosts (1): none listed
2.0 | | 8 | ZeroCERT

11988 | 2023-06-26 07:45
fotod95.exe 83737fac22d88dc2efcde05dd1868c5d
Tags: Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE CAB OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (5):
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/DSC01491/fotod95.exe
  http://77.91.68.63/DSC01491/foto172.exe
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.68.63 - malware
  83.97.73.131 - malware
Alerts (13):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/index.php
15.6 | M | | ZeroCERT

11989 | 2023-06-26 07:45
BABYLON.exe 072428ed08c736d6f81aea71741389b8
Tags: UPX Downloader PE File PE32 suspicious privilege unpack itself sandbox evasion human activity check Windows DNS keylogger
Hosts (1):
  179.43.162.58 - mailcious
5.6 | | | ZeroCERT

11990 | 2023-06-26 07:42
Qfczuiq.exe 4ee88295d65b7a6e566d200a1c842801
Tags: UPX OS Processor Check PE64 PE File VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
4.6 | M | 39 | ZeroCERT

11991 | 2023-06-26 07:40
Deep.exe 131b8279f1ee7a282d8ae1dcf2d51e1b
Tags: UPX OS Processor Check PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself
2.4 | M | 31 | ZeroCERT

11992 | 2023-06-26 07:40
WARZERO.exe bfabce83cee13bb8b8d72f5c38e2af65
Tags: UPX OS Processor Check PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1):
  179.43.162.58 - mailcious
2.8 | M | 30 | ZeroCERT

11993 | 2023-06-26 07:39
wa.exe 4a04139d91df7de08a286bfe99cb4303
Tags: Ave Maria WARZONE RAT Gen1 Generic Malware UPX Malicious Library Downloader Malicious Packer Antivirus OS Processor Check PE File PE32 DLL PE64 Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Check memory buffers extracted WMI Creates executable files unpack itself Windows utilities AppData folder AntiVM_Disk WriteConsoleW Firewall state off VM Disk Size Check human activity check installed browsers check Windows Browser RAT Email ComputerName Remote Code Execution DNS
Hosts (3):
  microsoft.com(20.112.250.133)
  179.43.162.58 - mailcious
  20.70.246.20
Alerts (2):
  ET MALWARE Warzone RAT Response (Inbound)
  SURICATA Applayer Detect protocol only one direction
10.6 | M | 55 | ZeroCERT

11994 | 2023-06-26 07:38
PureLogis2.exe 0185c909c96a40ed81f64afc897a9b52
Tags: UPX OS Processor Check PE64 PE File MachineGuid Check memory Checks debugger unpack itself
1.4 | M | | ZeroCERT

11995 | 2023-06-24 13:29
kashef2.1.exe 77aa11300e110d3934f871a3820dbd12
Tags: NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (3):
  http://www.recursiveinscription.com/sy18/?RP=KPeiby82jqGhSMQbNWuPTQn/VEtViEjHyFbuZ4fT1aezpnNm+OcjcEK4Pg2vm0/5mKSj/0q4&rXLpvR=P0D4a24
  http://www.buddybooster.net/sy18/?RP=7xIcpkxuu/QPGdPC2Ekjdv0mq2KJC/gXHlUprK9IsP1hRP3hg/mzSB0QOIH6rOv7w2PG0FEB&rXLpvR=P0D4a24
  http://www.grav2.com/sy18/?RP=OFxPEWWALJm4Nri65u3BwqPVT+oqCgujz7tO2il5cY7vQnmdWutr8kocId+lsYuNNFBWF86f&rXLpvR=P0D4a24
Hosts (7):
  www.buddybooster.net(76.76.21.9)
  www.recursiveinscription.com(13.248.169.48)
  www.goqyfriy.com()
  www.grav2.com(210.114.23.163)
  76.76.21.241 - mailcious
  210.114.23.163
  13.248.169.48
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
4.4 | M | 38 | ZeroCERT

11996 | 2023-06-24 13:27
s64.dll e66dec71ef0ffbb33127f41b8ab1fe3e
Tags: Themida Packer DLL PE64 PE File VirusTotal Malware unpack itself Windows crashed
2.6 | M | 26 | ZeroCERT

11997 | 2023-06-24 13:27
sEF8Y16selYCixT.exe a51cd19552a652c9059f84649f2455ce
Tags: .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.6 | M | 47 | ZeroCERT

11998 | 2023-06-24 13:25
ojonakon2.1.exe eb4ec13e49edaa7b70956780c01e766a
Tags: NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (4):
  http://www.b8q9h.fun/k2l0/?et7=yDXfeSaoVg4EOiWeCzO5jbJIjxnJy4Im+UpnfUNj2xfr2ukliHzvCVJCKv+T9Uhi9CNiHOI9&5jux=7n9td6SpW8W8Fb0p
  http://www.zhujiangceramics.com/k2l0/?et7=w/amAVEeHsT0ockBMaPHDJEzvsW5yv4xC0HXwYG8QrwNNgxRArkov9GiS04nGjSSujB8LG3Z&5jux=7n9td6SpW8W8Fb0p
  http://www.quanhuipeng.com/k2l0/?et7=ehnWh6x91mVzwNcpWDzdoJ9yh07oeU6EPCyFRiCBJSGph3mCImtupSdIwKJ1t7SOctty0VcS&5jux=7n9td6SpW8W8Fb0p
  http://www.unforgettableai.com/k2l0/?et7=GWJQPt23CmZW8l1RfRXJMRgmXc4gq/e0RYpm5vWm2RQt/KnmLa0HJZrI9jqDuec6X6YSgzaU&5jux=7n9td6SpW8W8Fb0p
Hosts (8):
  www.unforgettableai.com(52.20.84.62)
  www.quanhuipeng.com(154.197.63.186)
  www.b8q9h.fun(154.219.176.123)
  www.zhujiangceramics.com(172.121.74.157)
  154.219.176.123
  52.20.84.62 - mailcious
  172.121.74.157
  154.197.63.186
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
4.6 | M | 40 | ZeroCERT

11999 | 2023-06-24 13:25
festkon2.1.exe f14a6c2f0c53470577f1e3a66e34fe64
Tags: NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder
URLs (3):
  http://www.getflooringservices.today/k2l0/?RP=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&rXLpvR=P0D4a24
  http://www.alltiett.net/k2l0/?RP=CLWhMEEH+TKpZCs82dDMH40MtEeqU8fVsX2BTRkbuaHTGaAdqzqBoXZ1eBBCJkRM4luJ5zo3&rXLpvR=P0D4a24
  http://www.usdrub.com/k2l0/?RP=R+iha7GQYIR128qb/ePPYcj+8Pay4Nrp+ciVv5jeZEPMbb+7/2J83xwbNHNe0GBur2Js8QJC&rXLpvR=P0D4a24
Hosts (7):
  www.alltiett.net(81.169.145.70)
  www.capitalrepros.com()
  www.usdrub.com(13.248.169.48)
  www.getflooringservices.today(172.67.183.64)
  81.169.145.70 - mailcious
  104.21.48.94
  13.248.169.48
Alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
4.6 | M | 46 | ZeroCERT

12000 | 2023-06-23 16:53
File_pass1234.7z 517df90c3607b04503a88799117744de
Tags: PWS Escalate priviledges KeyLogger AntiDebug AntiVM Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee DNS
URLs (5):
  http://208.67.104.60/api/firegate.php - rule_id: 34253
  http://208.67.104.60/api/tracemap.php - rule_id: 28876
  https://psv4.userapi.com/c909328/u808950829/docs/d32/ddd157d16075/miz.bmp?extra=AobtdlaolqZ26rkiW0hvXrm5q5YVxQ_Eh1DhlbE_gvwPS8pI7fhNbdUAijRTOH8Y1rYZ0RDNqjreYYzbJCMZvt-TD7tTRpkmsPW21xEYjbVTSYMnotEMrv0KkU4QZDpW1mqINC26LzAXukrcCw&dl=1
  https://vk.com/doc808950829_663208963?hash=7lnLHpejCjd7NAr2eRYJAn51pcxMR9crPOzJfqZV4zP&dl=YZ4Lw1mgCHC7WgzxmLDpK4QEWazFpX5neZjKQp4kuoT&api=1&no_preview=1
  https://api.myip.com/
Hosts (13):
  psv4.userapi.com(87.240.190.76)
  iplis.ru(148.251.234.93) - mailcious
  iplogger.org(148.251.234.83) - mailcious
  ipinfo.io(34.117.59.81)
  vk.com(87.240.129.133) - mailcious
  api.myip.com(104.26.9.59)
  148.251.234.83
  104.26.8.59
  87.240.137.164 - mailcious
  148.251.234.93 - mailcious
  87.240.137.134
  34.117.59.81
  208.67.104.60 - mailcious
Alerts (9):
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 40
  ET INFO TLS Handshake Failure
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
Rule-matched URLs (2):
  http://208.67.104.60/api/firegate.php
  http://208.67.104.60/api/tracemap.php
5.4 | M | 8 | ZeroCERT