12451 | 2023-06-11 21:33 | [Content_Types].xml | MD5 7084b736cec7aca9dcd6448907d35fb2
Tags: Downloader, Create Service, DGA, Socket, DNS, Hijack Network, Code injection, HTTP, PWS[m], Sniff Audio, Steal credential, Http API, P2P, Internet API, Escalate privileges, persistence, FTP, KeyLogger, ScreenShot, AntiDebug, AntiVM, MSOffice File, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.2 | Submitter: guest

12452 | 2023-06-11 21:33 | movijediz.pdf | MD5 0ff2c5b81c1798b89b8615c9a7921af1
Tags: PDF, Suspicious Link, PDF, VirusTotal, Malware
Score: 0.8 | Flag: M | VirusTotal: 22 | Submitter: ZeroCERT

12453 | 2023-06-11 11:31 | Screenshot_20230610_211553_Chr... | MD5 4ae76d53f0c8224aabf8b3e503bd5c98
Tags: JPEG Format
Submitter: guest

12454 | 2023-06-10 03:39 | swagger.yaml | MD5 d0ee497143db1977852d705d03f21728
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName
Score: 3.4 | Submitter: guest

12455 | 2023-06-10 03:17 | swagger.yaml | MD5 d0ee497143db1977852d705d03f21728 (same sample as 12454, earlier submission)
Tags: AntiDebug, AntiVM, Email Client Info Stealer, suspicious privilege, Checks debugger, Creates shortcut, unpack itself, installed browsers check, Browser, Email, ComputerName
Score: 3.4 | Submitter: guest

12456 | 2023-06-10 01:53 | Pure Chat Report (2).csv | MD5 6ab8955aa20aa2626dc06762f08ddf09
Tags: PWS[m], KeyLogger, ScreenShot, AntiDebug, AntiVM, Vulnerability, MachineGuid, unpack itself
Score: 1.6 | Submitter: guest

12457 | 2023-06-09 17:57 | HBZ.exe | MD5 cc0a1c96c14263e48f82965ff47e0521
Tags: NSIS, Generic Malware, UPX, Malicious Library, Antivirus, PE File, PE32, PowerShell, JPEG Format, powershell, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, Windows utilities, powershell.exe wrote, suspicious process, Windows, ComputerName, Cryptographic key, crashed
Score: 7.0 | Submitter: ZeroCERT

12458 | 2023-06-09 17:22 | File_pass1234.7z | MD5 cc9553fe73f1f3663db568a4c369037f
Tags: PWS[m], Escalate privileges, KeyLogger, AntiDebug, AntiVM, RedLine, Malware download, Malware, Telegram, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, unpack itself, suspicious TLD, IP Check, PrivateLoader, Tofsee, Stealer, Windows, Trojan, DNS
URLs (24):
  http://45.9.74.6/2.exe - rule_id: 34108
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://85.208.136.10/api/firegate.php - rule_id: 32663
  http://116.203.166.22/ - rule_id: 34107
  http://83.97.73.130/gallery/photo250.exe - rule_id: 34109
  http://116.203.166.22/effac36d75f663b40573349eaf0d29c2
  http://www.maxmind.com/geoip/v2.1/city/me
  http://194.169.175.124:3002/ - rule_id: 34039
  http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
  http://116.203.166.22/files.zip - rule_id: 34110
  http://85.208.136.10/api/tracemap.php - rule_id: 32662
  https://sun6-22.userapi.com/c235031/u228185173/docs/d57/271991937740/StealerClient.bmp?extra=nUwZ3urlcpJWb5buM4j1C3uurrA75ncT7Y8ja2S8SZeccnkIYiq4JI0DGQGCDGohP5gzT_1NL2hattso3bUw-fv-X7lmgzoYf3jQlg55rHKQd3M6W-Mz7SFzqYmmA4tdNg5-nWCzcZgZiRXJOg
  https://vk.com/doc228185173_661242222?hash=jvSDU9niHKm7avSk5biMgGcB8ajBwZ00v357ZyLgE30&dl=ZpvFZTDfSmr3XjrqtkatOVZmXtSnGx3S7ZYmAK1oANo&api=1&no_preview=1
  https://steamcommunity.com/profiles/76561199511129510 - rule_id: 34104
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-20.userapi.com/c237131/u228185173/docs/d31/d61282cf17c5/PMp123a.bmp?extra=jpS1mcdi_7rrDDLa0YfgJXQayEOFyktks04giOuuWEY3hWMqQOMVZNRTpEvwwq3ywtXN7w7Y5nkSPnJwlrYp3H2w-E0lJZavGOhZUsKSSiMnCZwq-9DBBjNh8vAMvcT-wOVO33uJU2m82FlBoA
  https://sun6-20.userapi.com/c237031/u228185173/docs/d51/fecaf204d551/renew.bmp?extra=vIuWGHqxPdgZld-5oVPAhUN1GLaqKzloB14eUpW1YMMbWznTFd9jeI48Fn1MBBPKuJ9VmKVp3oAv5X2qn1hZauWWnBWaLlltSf-APvNgnO91NRKpXwO9lkaceFLdU39mpcHe-HPVgYSeVS9rTA
  https://vk.com/doc228185173_661280694?hash=LcOcxIbtNthGjnzSXeXSSAzVfBr8EGZBgLKzPXqWynk&dl=cdRvVDWq0OGsCiRSFjO96pk5Fmcj4N3fjjz3OswJms4&api=1&no_preview=1#2poy
  https://sun6-23.userapi.com/c235031/u228185173/docs/d2/ec3fc025b125/buddha.bmp?extra=ItWX8lUpMY9z_ly_RUM2j6231aQMN2O3dOMmHiUUFAplCs1fFbcqhs_PqAf8aGvblUyAxsy3N0ETowsDhzFafdmzb4mn6XNmjU0Ru5BLzQKzyXrHwNE2C8ycp1039xCecIa0iBJ-q_Dvy_WQXQ
  https://vk.com/doc228185173_661300051?hash=7XHdfsFNo9ZpzE4OdlAEVKeNG1wECrIdNZhIodvgJ5D&dl=oCC28ZZdx4YZFxLmWLBGqrvxCN6z7TMBcssMXwmMT7s&api=1&no_preview=1#rise_test
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://sun6-20.userapi.com/c240331/u228185173/docs/d10/2038bfb9eba6/WWW1.bmp?extra=M7axVLpBNCjbx-e0W7cRT19iKKPxoLsCXCs6BGNBCpzk1y5zHa8vhuObpHW_ekWnqWCC0UQTYqIkDnMXrhput1bpGVguoN9m52uD2pQP9iycfvLtkl6Nqu0kYQIz7uh6fUqvNRI14l_RBkiveg
Hosts (46):
  sun6-23.userapi.com(95.142.206.3)
  watson.microsoft.com(104.208.16.93)
  db-ip.com(104.26.5.15)
  iplis.ru(148.251.234.93) - malicious
  hugersi.com(91.215.85.147) - malware
  steamcommunity.com(104.75.41.21) - malicious
  ji.jahhaega2qq.com(104.21.18.146) - malware
  iplogger.org(148.251.234.83) - malicious
  t.me(149.154.167.99) - malicious
  ipinfo.io(34.117.59.81)
  sun6-22.userapi.com(95.142.206.2)
  www.maxmind.com(104.17.214.67)
  sun6-20.userapi.com(95.142.206.0) - malicious
  vk.com(87.240.132.72) - malicious
  api.db-ip.com(172.67.75.166)
  148.251.234.93 - malicious
  194.169.175.128
  104.17.215.67
  91.215.85.147 - malware
  87.240.129.133 - malicious
  94.142.138.113 - malicious
  104.26.5.15
  149.154.167.99 - malicious
  172.67.75.166
  116.203.166.22 - malicious
  20.189.173.21
  157.254.164.98 - malicious
  34.117.59.81
  172.67.182.87 - malware
  148.251.234.83
  104.75.41.21 - malicious
  83.97.73.130 - malware
  45.12.253.74 - malware
  185.81.68.115 - malicious
  194.169.175.124 - malicious
  104.17.214.67
  45.15.156.229 - malicious
  104.26.4.15
  83.97.73.129 - malicious
  147.135.231.58 - malicious
  163.123.143.4 - malicious
  95.142.206.0 - malicious
  95.142.206.3
  85.208.136.10 - malicious
  45.9.74.6 - malware
  95.142.206.2
Signatures (18):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET INFO TLS Handshake Failure
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET INFO EXE - Served Attached HTTP
  ET INFO Dotted Quad Host ZIP Request
Rule-matched URLs (11):
  http://45.9.74.6/2.exe
  http://hugersi.com/dl/6523.exe
  http://45.15.156.229/api/tracemap.php
  http://85.208.136.10/api/firegate.php
  http://116.203.166.22/
  http://83.97.73.130/gallery/photo250.exe
  http://194.169.175.124:3002/
  http://ji.jahhaega2qq.com/m/p0aw25.exe
  http://116.203.166.22/files.zip
  http://85.208.136.10/api/tracemap.php
  https://steamcommunity.com/profiles/76561199511129510
Score: 6.6 | Flag: M | Submitter: ZeroCERT

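The URL and host lists in the record above are the part of a sandbox report that gets reused downstream, and they arrive in exactly this flattened form. The following is an added example, not part of the listing and not the sandbox's own code, that parses lines in that format into IOC records, normalises the listing's "mailcious" label, and reproduces two checks by hand: payload-looking files fetched from a bare IP (the traffic pattern behind the "ET INFO Executable Download from dotted-quad Host" alert in this record) and URLs whose host maps to an IP the sandbox flagged. The sample input is a constructed subset of record 12458's own URL and host lists; the record field names, the PAYLOAD_SUFFIXES list and the helper names are my own choices.

```python
"""Parse a sandbox record's flattened URL and host lists into IOCs.

Added example (not the sandbox's code). Assumed input format, taken from the
listing above: URLs separated by spaces, each optionally followed by
' - rule_id: N'; hosts written as 'name(ip)' or as a bare 'ip', optionally
followed by ' - malicious' (spelled 'mailcious' in the listing) or ' - malware'.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input: a subset of the lists from record 12458 above.
URL_LINE = (
    "http://45.9.74.6/2.exe - rule_id: 34108 "
    "http://hugersi.com/dl/6523.exe - rule_id: 32660 "
    "http://116.203.166.22/files.zip - rule_id: 34110 "
    "http://www.maxmind.com/geoip/v2.1/city/me "
    "https://steamcommunity.com/profiles/76561199511129510 - rule_id: 34104"
)
HOST_LINE = (
    "hugersi.com(91.215.85.147) - malware "
    "steamcommunity.com(104.75.41.21) - mailcious "
    "www.maxmind.com(104.17.214.67) "
    "116.203.166.22 - mailcious 45.9.74.6 - malware 104.17.214.67"
)

URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
TAG = r"(?:\s+-\s+(malicious|mailcious|malware))?"
HOST_RE = re.compile(
    r"([A-Za-z0-9.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)" + TAG   # name(ip) [- tag]
    + r"|(\d{1,3}(?:\.\d{1,3}){3})" + TAG                   # bare ip [- tag]
)
# Suffixes treated as "payload-like"; an assumption for this example.
PAYLOAD_SUFFIXES = (".exe", ".dll", ".bin", ".zip", ".7z")


@dataclass(frozen=True)
class UrlHit:
    url: str
    rule_id: Optional[int]      # URL-blocklist rule the sandbox matched, if any


@dataclass(frozen=True)
class HostHit:
    name: Optional[str]         # None for a bare IP entry
    ip: str
    tag: Optional[str]          # 'malicious' / 'malware' after normalisation


def parse_urls(line: str) -> list[UrlHit]:
    return [UrlHit(u, int(r) if r else None) for u, r in URL_RE.findall(line)]


def parse_hosts(line: str) -> list[HostHit]:
    hits = []
    for name, ip, tag, bare, btag in HOST_RE.findall(line):
        raw = tag or btag or None
        norm = "malicious" if raw == "mailcious" else raw   # fix the listing's typo
        hits.append(HostHit(name or None, ip or bare, norm))
    return hits


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dotted_quad_payloads(urls: list[UrlHit]) -> list[str]:
    """URLs fetching a payload-like file from a bare-IP host: the pattern the
    'Executable Download from dotted-quad Host' style alerts describe."""
    out = []
    for hit in urls:
        parts = urlsplit(hit.url)
        host = parts.hostname or ""
        if is_ip_literal(host) and parts.path.lower().endswith(PAYLOAD_SUFFIXES):
            out.append(hit.url)
    return out


def flagged_ips(hosts: list[HostHit]) -> set[str]:
    return {h.ip for h in hosts if h.tag}


def flagged_urls(urls: list[UrlHit], hosts: list[HostHit]) -> list[str]:
    """URLs whose host, by name or by literal IP, resolves to a flagged IP."""
    bad = flagged_ips(hosts)
    name_to_ip = {h.name: h.ip for h in hosts if h.name}
    out = []
    for hit in urls:
        host = urlsplit(hit.url).hostname or ""
        ip = host if is_ip_literal(host) else name_to_ip.get(host)
        if ip in bad:
            out.append(hit.url)
    return out


if __name__ == "__main__":
    urls, hosts = parse_urls(URL_LINE), parse_hosts(HOST_LINE)
    print("payload from bare IP:", dotted_quad_payloads(urls))
    print("flagged IPs:", sorted(flagged_ips(hosts)))
    print("URLs on flagged hosts:", flagged_urls(urls, hosts))
```

Run it directly to see the three results. One caveat the last check makes visible: it also returns the steamcommunity.com profile URL, because the sandbox tagged that host. That is a shared platform the sample used as a lookup point, the same way the vk.com and userapi.com entries in the record are file hosting; the indicator there is the full URL or path, not the domain, so do not push those bare hosts into a blocklist.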
12459 | 2023-06-09 16:56 | Setup.exe | MD5 df3795e6842e839cf45e694b7164ee17
Tags: UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, unpack itself
Score: 1.6 | VirusTotal: 38 | Submitter: ZeroCERT

12460 | 2023-06-09 16:55 | Mcdonalds3.php | MD5 68be007bd3fa09d26fcee584a9157770
Tags: UPX, Malicious Library, Malicious Packer, PE File, PE32, Malware download, VirusTotal, Malware, AutoRuns, Malicious Traffic, Creates executable files, AppData folder, Windows, DNS
URLs (2):
  http://45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=test22-PC\test22 - rule_id: 26212
  http://45.159.189.105/bot/regex - rule_id: 26211
Hosts (1):
  45.159.189.105 - malicious
Signatures (3):
  ET MALWARE Laplas Clipper - Regex CnC Request
  ET USER_AGENTS Go HTTP Client User-Agent
  ET MALWARE Laplas Clipper - SetOnline CnC Checkin
Rule-matched URLs (2):
  http://45.159.189.105/bot/online
  http://45.159.189.105/bot/regex
Score: 6.2 | Flag: M | VirusTotal: 54 | Submitter: ZeroCERT

12461 | 2023-06-09 16:54 | tdc.jpg | MD5 4c7c7f9e5fb5f706972574aca7a21260
Tags: PWS, .NET framework, RAT, UPX, Confuser .NET, OS Processor Check, .NET EXE, PE File, PE32, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, installed browsers check, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
Hosts (1):
  70.36.101.185 - malicious
Signatures (3):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
Score: 6.2 | Flag: M | VirusTotal: 51 | Submitter: ZeroCERT

12462 | 2023-06-09 16:38 | LokiLocker.exe | MD5 d03823a205919b6927f3fa3164be5ac5
Tags: UltraVNC, UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, powershell, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Disables Windows Security, powershell.exe wrote, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, shadowcopy delete, Ransom Message, Turn off Windows Error Recovery notification window, Firewall state off, anti-virtualization, Creates autorun.inf, IP Check, VM Disk Size Check, human activity check, installed browsers check, Windows, Browser, ComputerName, Cryptographic key, crashed
URLs (1): not listed
Hosts (2):
  ip-api.com(208.95.112.1)
  208.95.112.1
Signatures (1):
  ET POLICY External IP Lookup ip-api.com
Score: 19.6 | VirusTotal: 56 | Submitter: r0d

12463 | 2023-06-09 16:18 | SOA-0438.xlsx | MD5 261cc699f2de3e15d63c9a9180cb8625
Tags: ZIP Format, Malware download, Remcos, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed
URLs (3):
  http://109.206.240.64/HBZ.exe
  http://geoplugin.net/json.gp
  http://109.206.240.64/tl/ZriAIHCKuK34.bin
Hosts (5):
  geoplugin.net(178.237.33.50)
  gdyhjjdhbvxgsfe.gotdns.ch(45.81.39.214) - malicious
  109.206.240.64 - malware
  178.237.33.50
  45.81.39.214
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Generic .bin download from Dotted Quad
  ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain
  ET JA3 Hash - Remcos 3.x TLS Connection
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 4.2 | VirusTotal: 37 | Submitter: ZeroCERT

12464 | 2023-06-09 15:50 | LokiLocker.exe | MD5 d03823a205919b6927f3fa3164be5ac5 (same sample as 12462, earlier submission)
Tags: UltraVNC, UPX, Malicious Library, OS Processor Check, PE File, PE32, VirusTotal, Malware, powershell, AutoRuns, PDB, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Disables Windows Security, powershell.exe wrote, Check virtual network interfaces, suspicious process, AntiVM_Disk, WriteConsoleW, shadowcopy delete, Ransom Message, Turn off Windows Error Recovery notification window, Firewall state off, anti-virtualization, Creates autorun.inf, IP Check, VM Disk Size Check, human activity check, installed browsers check, Windows, Browser, ComputerName, Cryptographic key, crashed
URLs (1): not listed
Hosts (2):
  ip-api.com(208.95.112.1)
  208.95.112.1
Signatures (1):
  ET POLICY External IP Lookup ip-api.com
Score: 18.6 | VirusTotal: 56 | Submitter: ZeroCERT

12465 | 2023-06-09 11:12 | upgrade.exe | MD5 a07dc64946ef6ed57eb50821ee02415b
Tags: UPX, PE File, PE32, VirusTotal, Malware, RWX flags setting, unpack itself, crashed
Score: 2.0 | Flag: M | VirusTotal: 33 | Submitter: ZeroCERT