12091 | 2023-06-20 17:39 | lsass.exe 2f570584d844c86b86f47a5492d2aed6 UPX Malicious Library PE File PE32 PNG Format DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder | 3.2 | M | 50 | ZeroCERT
12092 | 2023-06-20 17:38 | lsass.exe fa24b7c4c3dc0c6d0b942eb96e4f18a0 Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS
URLs: 21
Domains/IPs: 24
Alerts: 3
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs: 16
5.6 | M | 50 | ZeroCERT
12093 | 2023-06-20 17:36 | DaHost.exe 0698733d4fc9fd6f54059550dbd86211 Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself | 2.0 | M | 32 | ZeroCERT
12094 | 2023-06-20 17:36 | lsass.exe af391ee598dcad6563b79a84a3976215 Formbook NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS
URLs: 20
Domains/IPs: 24
Alerts: 3
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs: 16
5.6 | M | 45 | ZeroCERT
12095 | 2023-06-20 17:35 | bluesubstantialie64.exe 2bd2470d90bd8de8e260ff88a3fb181b Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName Remote Code Execution | 4.6 | | 18 | ZeroCERT
12096 | 2023-06-20 17:34 | 2023_vp.exe acd82a80283bd3d7b39141dfcc2d5849 UPX Malicious Library Downloader OS Processor Check MZP Format PE File PE32 VirusTotal Malware unpack itself Tofsee Remote Code Execution
Domains/IPs: 2
  drownways.com(149.100.151.190) - malware
  149.100.151.190 - malware
Alerts: 3
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 | M | 27 | ZeroCERT
12097 | 2023-06-20 17:33 | Service64.exe c845efe0b7345f8a3bcfa5f7a5681b9b UPX Malicious Library Malicious Packer Socket KeyLogger AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Code Injection Check memory buffers extracted sandbox evasion WriteConsoleW Stealer Browser Email DNS Software
Domains/IPs: 1
Alerts: 1
  ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
8.8 | M | 39 | ZeroCERT
12098 | 2023-06-20 17:33 | ageelectronicie32.exe 482df2c11dc09fe2bdafae64e2edec32 Gen1 Emotet UPX Malicious Library CAB PE File PE32 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Remote Code Execution | 4.4 | | 34 | ZeroCERT
12099 | 2023-06-20 17:32 | jeffilesfe.exe 3221fe4bb3e02d4a03166e83db5fafa2 UPX Malicious Library Downloader OS Processor Check MZP Format PE File PE32 VirusTotal Malware unpack itself Tofsee Remote Code Execution
URLs: 1
  https://drownways.com/deamn/tndv.zip
Domains/IPs: 2
  drownways.com(149.100.151.190) - malware
  149.100.151.190 - malware
Alerts: 3
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.4 | M | 30 | ZeroCERT
12100 | 2023-06-20 17:32 | DaHost.exe a048d50c92a80b789d2f68ff061376e1 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows Browser Email ComputerName Cryptographic key Software crashed
Domains/IPs: 2
  api.ipify.org(64.185.227.155)
  173.231.16.76
8.2 | M | 42 | ZeroCERT
12101 | 2023-06-20 17:30 | vp2023.exe 991688eee333cc4d5a0f0b31e6335854 UPX Malicious Library Downloader OS Processor Check MZP Format PE File PE32 VirusTotal Malware unpack itself Tofsee Remote Code Execution
URLs: 1
  https://drownways.com/deamn/tndv.zip
Domains/IPs: 2
  drownways.com(149.100.151.190) - malware
  149.100.151.190 - malware
Alerts: 3
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.0 | | 15 | ZeroCERT
12102 | 2023-06-20 09:47 | File_pass1234.7z 228119ee4c65cb1007f6a059d9b9ea04 PWS Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Glupteba VirusTotal Malware c&c Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Fabookie Stealer Windows Discord Browser Trojan DNS Downloader plugin GCleaner
URLs: 50
Domains/IPs: 79
Alerts: 48
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET INFO TLS Handshake Failure
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Potential GCleaner CnC Checkin
  ET MALWARE GCleaner CnC Checkin M1
  ET MALWARE GCleaner Payload Retrieval Attempt
  ET MALWARE GCleaner Downloader - Payload Response
  ET INFO EXE - Served Attached HTTP
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET INFO HTTP Request to a *.top domain
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host ZIP Request
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET MALWARE Observed Glupteba CnC Domain (cdntokiog .studio in TLS SNI)
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Rule-matched URLs: 13
7.6 | M | 8 | ZeroCERT
12103 | 2023-06-20 09:38 | game1.exe 1a79aed033b7b222da1bfa1840ceace8 Generic Malware UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed | 2.2 | M | 53 | ZeroCERT
12104 | 2023-06-20 09:37 | exclusion and run rat.bat 195ea5d64645f606cc382a43e1a5023c PWS Generic Malware Downloader Antivirus UPX Malicious Library Admin Tool (Sysinternals etc ...) Create Service DGA Socket DNS Steal credential Code injection HTTP Sniff Audio Http API Internet API ScreenShot Escalate priviledges P2P FTP KeyLogger AntiDe Malware download Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed Downloader
URLs: 1
  http://51.79.49.73/crc/Play.exe - rule_id: 34275
Domains/IPs: 1
Alerts: 8
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET POLICY curl User-Agent Outbound
  ET HUNTING curl User-Agent to Dotted Quad
Rule-matched URLs: 1
  http://51.79.49.73/crc/Play.exe
9.4 | M | | ZeroCERT
12105 | 2023-06-20 09:36 | mokkshk.vbs 0cdf35374e4c56f3d0beaa3a449e5c8d Antivirus VirusTotal Malware WMI ComputerName DNS
Domains/IPs: 1
4.6 | M | 18 | ZeroCERT