ID | Date | Sample (name, MD5, tags) | URLs | Hosts | IDS alerts | Rule-matched URLs | Score | Flag | Count | Submitter
12166 | 2023-06-16 19:55 | 42241819076.pdf 622cac7670b6770f2d15ec448ddcd8a9 PDF Suspicious Link PDF VirusTotal Malware | | | | | 0.6 | | 13 | ZeroCERT
12167 | 2023-06-16 19:43 | vbc.exe 191e6663f1c7dd7e357aa9f03ec286f7 .NET EXE PE32 PE File VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | | | | | 2.0 | M | 32 | ZeroCERT
12168 | 2023-06-16 17:02 | KLIPE.exe af6e384dfabdad52d43cf8429ad8779c UPX MPRESS PE32 PE File VirusTotal Malware Windows utilities WriteConsoleW Windows ComputerName Remote Code Execution | | | | | 3.2 | M | 53 | ZeroCERT
12169 | 2023-06-16 15:02 | PO-10152023.exe 8f375217380183e090681f1dc8eba0e8 Formbook .NET EXE PE32 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself | | | | | 2.2 | | 46 | ZeroCERT
12170 | 2023-06-16 13:58 | Questions.doc 16931bb7322e11eba1b1bdfbf3ecbf35 VBA_macro ZIP Format Word 2007 file format(docx) VirusTotal Malware Creates executable files exploit crash unpack itself Exploit crashed | 1: http://smart.com-coffee.click/trash/conf/vorontsov/mini.vbs | 2: smart.com-coffee.click(157.7.184.26) - mailcious; 157.7.184.26 - mailcious | | | 3.4 | M | 24 | ZeroCERT
12171 | 2023-06-16 13:56 | update.vbs 92de717394d746b8aa97764201a1eff6 VirusTotal Malware unpack itself ComputerName | 5: http://img.fmcity.com/images/reseller/common/img_info.gif; http://html.gethompy.com/favicon.ico; http://well-story.co.kr/adm/inc/js/list.php?query=1 - rule_id: 34418; http://img.fmcity.com/images/reseller/common/tle_info.gif; http://html.gethompy.com/404.html?id=ZGFoYW53 | 6: well-story.co.kr(183.111.141.93) - mailcious; html.gethompy.com(112.175.246.91); img.fmcity.com(112.175.246.145); 112.175.246.91; 183.111.141.93 - mailcious; 112.175.246.145 | | 1: http://well-story.co.kr/adm/inc/js/list.php | 1.4 | M | 3 | ZeroCERT
12172 | 2023-06-16 09:22 | cleanmgrse.exe df4f4d8f3a20196e3cbeddfad102cfa5 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed | 1 | 2: api.ipify.org(104.237.62.211); 104.237.62.211 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 8.4 | M | 47 | ZeroCERT
12173 | 2023-06-16 09:18 | 개인정보유출내역.hwp ... 8133c5f663f89b01b30a052749b5a988 RAT Generic Malware Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key | 5: http://img.fmcity.com/images/reseller/common/img_info.gif; http://html.gethompy.com/favicon.ico; http://img.fmcity.com/images/reseller/common/tle_info.gif; http://well-story.co.kr/adm/inc/js/list.php?query=1; http://html.gethompy.com/404.html?id=ZGFoYW53 | 6: well-story.co.kr(183.111.141.93) - mailcious; html.gethompy.com(112.175.246.91); img.fmcity.com(112.175.246.145); 112.175.246.91; 183.111.141.93 - mailcious; 112.175.246.145 | | | 6.6 | | 21 | ZeroCERT
12174 | 2023-06-16 09:12 | stdio.txt.ps1 f05991652398406655a6a5eebe3e5f3a Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key | | | | | 1.8 | | 24 | guest
12175 | 2023-06-16 09:08 | EBU.exe 87253502cd5f89ac203ebdceb2bf4a58 PWS .NET framework RAT UPX Admin Tool (Sysinternals etc ...) KeyLogger AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed | 1 | 2: api.ipify.org(173.231.16.76); 64.185.227.155 | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 12.2 | | 32 | ZeroCERT
12176 | 2023-06-16 07:42 | netTime.exe da9b715fe2a7ed084308e31c989f1c42 Emotet PWS .NET framework RAT Generic Malware UPX Malicious Packer Antivirus PE64 PE File VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process Windows ComputerName Remote Code Execution Cryptographic key | | | | | 6.2 | M | 41 | ZeroCERT
12177 | 2023-06-16 07:41 | gjdj.exe fc32f42ee0146b5ac0d96e2f877e77bc Gen1 UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Tofsee Browser Email ComputerName DNS Software | 5: http://116.203.166.131/; http://116.203.166.131/update.zip; http://116.203.166.131/89ee4bbf22c7d753e1a9ef8f2bd34ce7; https://steamcommunity.com/profiles/76561199514261168; https://t.me/kamaprimo | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.78.101) - mailcious; 116.203.166.131; 149.154.167.99 - mailcious; 104.75.41.21 - mailcious | 4: ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET INFO Dotted Quad Host ZIP Request | | 11.0 | M | 46 | ZeroCERT
12178 | 2023-06-16 07:38 | gate_011.exe dd0891b669fbe6d2f1442f2f28f57fe3 Gen2 Generic Malware UPX Malicious Library OS Processor Check PE64 PE File Browser Info Stealer Malware download VirusTotal Malware MachineGuid Malicious Traffic Creates executable files Disables Windows Security sandbox evasion IP Check PrivateLoader Tofsee Windows Browser Remote Code Execution DNS | 4: http://208.67.104.60/api/firegate.php - rule_id: 34253; http://208.67.104.60/api/tracemap.php - rule_id: 28876; https://api.myip.com/; https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 | 7: ipinfo.io(34.117.59.81); vk.com(87.240.129.133) - mailcious; api.myip.com(172.67.75.163); 93.186.225.194 - mailcious; 104.26.8.59; 208.67.104.60 - mailcious; 34.117.59.81 | 6: ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA Applayer Mismatch protocol both directions; ET DROP Spamhaus DROP Listed Traffic Inbound group 40; ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com); ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) | 2: http://208.67.104.60/api/firegate.php; http://208.67.104.60/api/tracemap.php | 7.8 | M | 13 | ZeroCERT
12179 | 2023-06-16 07:35 | Upshotox64.exe 8c76e949a6b3bfb992ceb54c3be68f69 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself Remote Code Execution DNS | | 2 | | | 2.8 | | 30 | ZeroCERT
12180 | 2023-06-16 07:34 | SetUpLyla1408.exe 18a462099db32bb42aa988bd33736f3d RedLine stealer[m] RAT Emotet Themida Packer UPX Admin Tool (Sysinternals etc ...) Socket DNS Anti_VM AntiDebug AntiVM .NET EXE PE File PE32 PNG Format JPEG Format PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Interception Stealer Windows Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed | 13: https://sso.passport.yandex.ru/push?uuid=e9bbb019-fb63-4232-9882-448d38c720b2&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue; https://dzen.ru/?yredirect=true; https://yandex.ru/; http://tokoi45.beget.tech/server.txt; http://tokoi45.beget.tech/server1.txt; http://tokoi45.beget.tech/server2.txt; http://entrenaconraulfit.com/webArg1.txt; http://entrenaconraulfit.com/1/data64_1.exe; http://entrenaconraulfit.com/1/data64_2.exe; http://entrenaconraulfit.com/1/data64_3.exe; http://entrenaconraulfit.com/1/data64_4.exe; http://entrenaconraulfit.com/1/data64_5.exe; http://entrenaconraulfit.com/1/data64_6.exe | 14: entrenaconraulfit.com(193.84.177.249) - malware; tokoi45.beget.tech(5.101.152.100); iplogger.com(148.251.234.93) - mailcious; yandex.ru(77.88.55.88); dzen.ru(62.217.160.2); sso.passport.yandex.ru(213.180.204.24); 213.180.204.24; 148.251.234.93 - mailcious; 162.19.139.184 - mailcious; 5.101.152.100 - malware; 94.130.176.65; 193.84.177.249 - malware; 62.217.160.2; 5.255.255.70 | 4: ET POLICY PE EXE or DLL Windows file download HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET MALWARE RedLine Stealer TCP CnC net.tcp Init | | 20.4 | | 26 | ZeroCERT