12136 | 2023-06-19 17:11
dc.exe | a1dc3e2f998031a7c96685e6571f4f5f | Gen1 Emotet Generic Malware UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM OS Processor Check PE64 PE File DLL ZIP Format VirusTotal Malware Check memory Creates executable files
1.8 | M | 37 | ZeroCERT
12137 | 2023-06-19 17:09
DaHosts.exe | 9babf546962a147ee1c5b50d0313fd38 | UPX Malicious Library OS Processor Check PE32 PE File VirusTotal Malware unpack itself Remote Code Execution
2.0 | | 28 | ZeroCERT
12138 | 2023-06-19 16:24
WannaCry.exe | 84c82835a5d21bbcf75a61706d8ab549 | PWS Suspicious_Script_Bin Generic Malware Downloader UPX Malicious Library Admin Tool (Sysinternals etc ...) Antivirus Create Service DGA Socket DNS BitCoin Steal credential Hijack Network Code injection HTTP Sniff Audio Http API Internet API ScreenShot E Browser Info Stealer WannaCry VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW shadowcopy delete Ransom Message Turn off Windows Error Recovery notification window VM Disk Size Check human activity check Ransomware WannaCryptor Windows Browser Tor MalSpam ComputerName Remote Code Execution DNS Cryptographic key crashed
5 | 163.172.13.165 171.25.193.9 - mailcious 193.11.164.243 - mailcious 81.7.10.93 89.147.109.179
5 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 344 ET JA3 Hash - Possible Malware - Malspam ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 796 ET POLICY TLS possible TOR SSL traffic ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271
23.4 | M | 67 | ZeroCERT
12139 | 2023-06-19 12:45
http://175.196.214.225 | PWS Downloader Create Service DGA Socket DNS Steal credential Hijack Network Code injection HTTP Sniff Audio Http API Internet API ScreenShot Escalate priviledges P2P persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
1 |
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
5.8 | | | guest
12140 | 2023-06-19 09:44
11.exe | 807e357f04ecc60c6ee77725b584cbda | UPX Malicious Library OS Processor Check PE32 PE File Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1 |
1 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init
6.2 | M | 22 | ZeroCERT
12141 | 2023-06-19 09:43
fiki0614242.exe | d0fe5e997fb01417b2fe62989f94f6d6 | Gen1 Emotet Gen2 Generic Malware UPX Malicious Library Malicious Packer CAB PE32 PE File OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution crashed
5 | 883c5b2846721687166301796.bag.sack55.net() 883c5b2846721687166301796.bag.sack54.net(185.82.126.147) deb2533e357016871662949520000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(46.30.190.83) 46.249.49.132 176.10.119.186
10.8 | M | 6 | ZeroCERT
12142 | 2023-06-19 09:40
hza93jto37.exe | 77202c57066c182a76514cae6c1aa0e1 | UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE32 PE File VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs ComputerName crashed
8.2 | | 25 | ZeroCERT
12143 | 2023-06-19 07:50
game.exe | e94ec358349808b167fe25704bbb1c43 | PWS .NET framework(MSIL) Gen1 Gen2 UPX Malicious Library Malicious Packer AntiDebug AntiVM .NET EXE PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser DNS Cryptographic key
9 | http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://5.42.64.17/50404579ee07953eb087d9c143270c92 http://5.42.64.17/ http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://5.42.64.17/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
2 | 77.91.68.63 - malware 5.42.64.17
11 | ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING Possible Generic Stealer Sending System Information
13.6 | | 40 | ZeroCERT
12144 | 2023-06-19 07:47
fotod85.exe | 2769dce2f501a2a1e34bf2804532fcd5 | Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362 http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363 http://77.91.68.63/doma/net/index.php - rule_id: 34361
2 | 83.97.73.129 - mailcious 77.91.68.63 - malware
10 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll http://77.91.68.63/doma/net/Plugins/clip64.dll http://77.91.68.63/doma/net/index.php
16.8 | M | 43 | ZeroCERT
12145 | 2023-06-19 07:46
undoo.exe | ee0516a44d6e7cc5e2bef2ca0e5cf461 | UPX Malicious Library Malicious Packer .NET EXE PE32 PE File PE64 OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
1 | http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
2 | 77.91.68.63 - malware 45.9.74.80 - malware
2 | ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2
1 | http://45.9.74.80/0bjdn2Z/index.php
8.8 | M | 54 | ZeroCERT
12146 | 2023-06-19 07:45
foto166.exe | 5588669e4aad613744e9d61d340fd20d | Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362 http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363 http://77.91.68.63/doma/net/index.php - rule_id: 34361
2 | 83.97.73.129 - mailcious 77.91.68.63 - malware
10 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll http://77.91.68.63/doma/net/Plugins/clip64.dll http://77.91.68.63/doma/net/index.php
16.0 | M | | ZeroCERT
12147 | 2023-06-19 07:44
fotod85.exe | 1b434201661bf03643dee979e896d283 | Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362 http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363 http://77.91.68.63/doma/net/index.php - rule_id: 34361
2 | 77.91.68.63 - malware 83.97.73.129 - mailcious
10 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll http://77.91.68.63/doma/net/Plugins/clip64.dll http://77.91.68.63/doma/net/index.php
16.8 | M | 44 | ZeroCERT
12148 | 2023-06-19 07:43
foto166.exe | dcd1665de97611f10d80135ba296d0c0 | Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
5 | http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362 http://77.91.68.63/DSC01491/foto166.exe http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363 http://77.91.68.63/DSC01491/fotod85.exe http://77.91.68.63/doma/net/index.php - rule_id: 34361
2 | 83.97.73.129 - mailcious 77.91.68.63 - malware
12 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request
3 | http://77.91.68.63/doma/net/Plugins/cred64.dll http://77.91.68.63/doma/net/Plugins/clip64.dll http://77.91.68.63/doma/net/index.php
17.6 | M | 47 | ZeroCERT
12149 | 2023-06-18 12:19
wsawsawsawsawsawsawsawsawsawsa... | 1cc42155aac8301b04acf2dd24e00037 | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Windows Exploit DNS crashed
1 | http://192.3.193.194/67/cleanmgr.exe
3 | api.ipify.org(104.237.62.211) 192.3.193.194 - malware 64.185.227.155
5 | ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6.4 | M | 35 | ZeroCERT
12150 | 2023-06-18 12:19
%E7%82%B9%E5%87%BB%E6%AD%A4%E5... | 8f26838bcfe78a273701af789c8a8922 | Malicious Library ASPack VMProtect PE32 PE File VirusTotal Malware suspicious privilege Check memory RWX flags setting sandbox evasion Browser Remote Code Execution DNS
1 |
5.2 | | 44 | ZeroCERT