| ID | Submitted | File | MD5 | Tags | URLs | Hosts | Network alerts | Rule-matched URLs | Score | Flag | VT | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 12316 | 2023-06-13 08:38 | wandony.exe | c78dff796b8db5060a32c5e514bd67f0 | Admin Tool (Sysinternals etc ...) SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed | 1 (not listed) | api.ipify.org(173.231.16.76); 104.237.62.211 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 11.4 | M | 41 | ZeroCERT |
| 12317 | 2023-06-13 08:33 | XbAfLj1MS5joDLv.exe | 82577fe70348c57e8f1d6c71cdcaeeb7 | PWS .NET framework RAT .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS | | 1 (not listed) | | | 3.2 | | 40 | ZeroCERT |
| 12318 | 2023-06-13 08:33 | s.exe | 7d726c8be35f9e9f010363c050ee86b3 | UPX Malicious Library OS Processor Check PE File PE32 unpack itself | | | | | 0.8 | | | ZeroCERT |
| 12319 | 2023-06-13 08:32 | photo912.exe | 1b005ef861fb3ff7c09d89c3f752d62f | Gen1 Emotet PWS .NET framework RAT UPX Malicious Library Malicious Packer Confuser .NET Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check .NET EXE DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed | http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101; http://77.91.68.30/music/rock/index.php - rule_id: 34087; http://77.91.68.30/DSC01491/fotod75.exe - rule_id: 34217; http://77.91.68.30/DSC01491/foto164.exe - rule_id: 34218; http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102 | 83.97.73.129 - mailcious; 77.91.68.30 - malware | ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET INFO Dotted Quad Host DLL Request | http://77.91.68.30/music/rock/Plugins/cred64.dll; http://77.91.68.30/music/rock/index.php; http://77.91.68.30/DSC01491/fotod75.exe; http://77.91.68.30/DSC01491/foto164.exe; http://77.91.68.30/music/rock/Plugins/clip64.dll | 15.6 | M | | ZeroCERT |
| 12320 | 2023-06-13 08:31 | Origins.exe | 44b6359226d9c9ac0813792def47aab2 | RAT Generic Malware Antivirus .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key | | | | | 4.8 | | 23 | ZeroCERT |
| 12321 | 2023-06-12 18:12 | ijijijijijijijijijijijijiji%23... | 18de0cc6af559b80698181bce1ab907b | MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted exploit crash unpack itself Exploit crashed | | | | | 3.6 | M | 35 | ZeroCERT |
| 12322 | 2023-06-12 18:11 | obins.exe | 8a06751312436a705c6404180c8b1519 | RAT Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS | http://45.9.74.80/setup.exe; http://45.9.74.80/toolspub2.exe; http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790 | 1 (not listed) | ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | http://45.9.74.80/0bjdn2Z/index.php | 14.0 | M | 52 | ZeroCERT |
| 12323 | 2023-06-12 13:11 | message.html | 8840dc3329993782c0ff500a220a000e | AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | | | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | | 3.8 | | | guest |
| 12324 | 2023-06-12 09:03 | fotod75.exe | 5ee5ec1032f4ff7e3fc5cbab00e2758e | Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed | http://77.91.68.30/music/rock/index.php - rule_id: 34087; http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101; http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102 | 83.97.73.129 - mailcious; 77.91.68.30 - malware; 91.208.236.70 | ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | http://77.91.68.30/music/rock/index.php; http://77.91.68.30/music/rock/Plugins/cred64.dll; http://77.91.68.30/music/rock/Plugins/clip64.dll | 15.8 | M | | ZeroCERT |
| 12325 | 2023-06-12 09:01 | output_64.dll | 91479a5bad88f0f0cfd0e9adb5c995e1 | Generic Malware UPX Malicious Library Malicious Packer Antivirus Anti_VM DLL PE64 PE File VirusTotal Malware PDB Check memory Checks debugger unpack itself AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check Browser DNS crashed | | 1 (not listed) | | | 6.0 | M | 34 | ZeroCERT |
| 12326 | 2023-06-12 08:59 | output_32.dll | 66e7b3b20b4d259f0056624ed55e917f | Generic Malware UPX Malicious Library Malicious Packer Antivirus Anti_VM OS Processor Check DLL PE File PE32 PDB Check memory Checks debugger unpack itself AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check Browser DNS | | 1 (not listed) | | | 4.8 | | | ZeroCERT |
| 12327 | 2023-06-12 08:41 | SCREEN.exe | 339fbfa154755393b2baec483e5f1257 | Loki_b Loki_m RAT UPX Code injection BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself malicious URLs Tofsee Browser ComputerName DNS crashed | http://128.140.35.86/files.zip; http://128.140.35.86/a64ca0c195d3c6bc2a04ada079183388; https://steamcommunity.com/profiles/76561199511129510 - rule_id: 34104; https://t.me/rechnungsbetrag | t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.78.101) - mailcious; 149.154.167.99 - mailcious; 104.76.78.101 - mailcious; 128.140.35.86 | ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET INFO Dotted Quad Host ZIP Request | https://steamcommunity.com/profiles/76561199511129510 | 9.8 | M | | ZeroCERT |
| 12328 | 2023-06-12 08:41 | ai%E8%BF%9B%E7%A8%8B%E5%AE%88%... | a3b7a00315b7ff714ea9f2a2660bb5b9 | UPX Malicious Library Downloader OS Processor Check PE64 PE File Malware download Malware PDB Malicious Traffic Zeus DNS | http://118.107.7.166/azu/64.bin | 193.134.208.217; 118.107.7.166 - mailcious; 128.140.35.86 | ET MALWARE Zbot Generic URI/Header Struct .bin; ET MALWARE Generic .bin download from Dotted Quad; ET HUNTING Rejetto HTTP File Sever Response | | 1.8 | | | ZeroCERT |
| 12329 | 2023-06-12 08:40 | lui06.exe | 1cb6d749453b29c6052c5de20bf6e5b6 | RAT NSIS UPX Malicious Library PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications AppData folder installed browsers check SectopRAT Windows Browser Backdoor ComputerName DNS Cryptographic key Software crashed | | 1 (not listed) | ET MALWARE Arechclient2 Backdoor CnC Init | | 11.4 | M | | ZeroCERT |
| 12330 | 2023-06-12 08:39 | output_32.dll | 63585f2e36f932a92014e4c6f95fd74d | Generic Malware UPX Malicious Library Malicious Packer Antivirus Anti_VM OS Processor Check DLL PE File PE32 PDB Check memory Checks debugger unpack itself AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check human activity check Browser DNS | | 1 (not listed) | | | 5.2 | | | ZeroCERT |