12496 | 2023-06-08 17:40
File: SY.exe
MD5: 1190c6a8211a23925ec5342f1b457192
Tags: RAT email stealer Downloader Confuser .NET DNS Code injection PWS[m] Escalate privileges persistence KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed
URLs: none listed
Hosts (1):
  193.42.32.191 - malicious
Signatures: none listed
Score: 9.4 | M | 39 | ZeroCERT
12497 | 2023-06-08 17:40
File: clclcllclclclcllclclclclcllclc...
MD5: 3abfcd50698f63ec13889697874b0dfd
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (3):
  http://www.meter-ooh.com/xchu/?gdBt0P3x=RWcC4MkZSDk3mPucx988ojlBmNB6jNKUkkXC2Ajox5pIO+tnQ1elShzyRn23Myu/RX+OuZHb&M6Al=2dcphnL0DpFDjd
  http://107.172.148.217/cl/zbXCSdHkU190.bin
  http://107.172.148.217/23/cleanmgr.exe
Hosts (5):
  www.nadiya.online()
  www.meter-ooh.com(194.58.112.174)
  194.58.112.174 - malicious
  107.172.148.217 - malware
  156.237.242.36
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Generic .bin download from Dotted Quad
  ET MALWARE FormBook CnC Checkin (GET)
Score: 4.6 | M | 30 | ZeroCERT
12498 | 2023-06-08 17:39
File: mdmdmdmdmdmmdmdm%23%23%23%23%2...
MD5: ce692ee68ccc4b7fb7381f0eabfa6891
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (16):
  http://www.seseapk.com/hqny/
  http://www.gardinalplace.life/hqny/
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
  http://www.luxeconcept.net/hqny/
  http://www.luxeconcept.net/hqny/?0LduG=Hsr+FS3aUC3v5cYG2kJwTz2Fiv05Ac/D2GVn4rP2+cnf/CEwXrKsow638/CQaZGhQs+ww4P4gMYs+x3Lc8BNJT7QU85Ww4GHlJMw20s=&J-FG=X_zm5
  http://www.kakekgirang5.shop/hqny/
  http://www.uchbfm.cfd/hqny/?0LduG=m+ybVjvh7agWR9kwIW90wxm7xw0mVpAKZ7IrFeQzPIYANX32/SKYYL1eEsf44L+W0nPEXXXW2Q2sM9/iZhRVCXL5a7JofqeU46QhEqQ=&J-FG=X_zm5
  http://www.uchbfm.cfd/hqny/
  http://www.69573.xyz/hqny/?0LduG=LuFWF9Ua84RDJQoWRjdHaxOOJGr2k3CF/TnoVcaYxo8S6F7pRCZMbcZzZdCEfatU6D3gOhGC0lLUMqABcFj4if2qqDICpO2nO8eNe9I=&J-FG=X_zm5
  http://www.montanasapphires.online/hqny/
  http://www.69573.xyz/hqny/
  http://www.montanasapphires.online/hqny/?0LduG=n1CdPpzxYwqEjsG0Qgxc3fK1e+R7zylx10dE7UARUo2qmYQZkuFozCTNAjLX4OweHcopEvO11zC7KH5OIbyIbW6BPXRJsCk2YfaTf38=&J-FG=X_zm5
  http://www.seseapk.com/hqny/?0LduG=mJH9W27z8cbsc7vpY+E6DLxpKObOQHn2HvWQb9G1AeaU7CpO/W7NVY91S6OxE3LAXZsPh7Ioc7rkgvN9xJr9EVPP8ghUoovlGQYiqlI=&J-FG=X_zm5
  http://www.kakekgirang5.shop/hqny/?0LduG=CXlbuvDGPZkDZuVIC7pN9bWZtfAlmQpQeGiqx6WAcwFRIivK0QTPVQRfBJCVm9sX5H1lJ3DwQtgXkv6CkHLTc1MyWUNY9q0X0o/sl2U=&J-FG=X_zm5
  http://www.gardinalplace.life/hqny/?0LduG=dCEp+0m3P0JUSbGijBo/RSr8kaN/Z3sSlC8vhR/5CqloiAn9JexI0t5iKqyAv6gMC40bfRj5WBEr7LlDi1AuUeAMNiBwlcnzOqfFvew=&J-FG=X_zm5
  http://103.57.130.167/winSpace/wininit.exe
Hosts (19):
  www.uchbfm.cfd(47.57.240.200)
  www.luxeconcept.net(216.40.34.41)
  www.montanasapphires.online(208.91.197.27)
  www.kakekgirang5.shop(198.252.98.107)
  www.rosifariasestetica.online()
  www.new-balkon-otdelka.site()
  www.gardinalplace.life(162.254.37.64)
  www.winchespullers.store()
  www.seseapk.com(156.237.242.36)
  www.69573.xyz(122.10.50.92)
  162.254.37.64
  208.91.197.27 - malicious
  216.40.34.41 - malicious
  122.10.50.92
  156.237.242.36
  45.33.6.223
  103.57.130.167 - malware
  198.252.98.107
  47.57.240.200
Signatures (11):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO Observed DNS Query to .life TLD
  ET INFO HTTP Request to Suspicious *.life Domain
  ET MALWARE FormBook CnC Checkin (POST) M2
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Score: 5.4 | M | 31 | ZeroCERT
12499 | 2023-06-08 17:38
File: mimimimimimimiimii%23%23%23%23...
MD5: f773fdea0e32c51ffea025bc50767210
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed
URLs (4):
  http://www.360elemental.com/be03/?GVTh=jhI+vywCMt2npbDJzeD9/lYKEbD8JLwdnODL6xC0Csx6vWRUimADe+yjE737e9SxfNKLZW43&uzu8=jjIxZ4h8M02li4
  http://107.172.148.208/mi/md/kp/HSuJRpsszEVxY182.bin
  http://www.patronbases.cfd/be03/?GVTh=az/6JVy9Wk8RCbLeWnMudjda35MxTzQJIXkn0z0Udyq1fOX35xGGHIaA46RMb3EB8oPHqyzU&uzu8=jjIxZ4h8M02li4
  http://103.170.120.247/winSpace/wininit.exe
Hosts (6):
  www.patronbases.cfd(109.123.121.243)
  www.360elemental.com(91.195.240.123)
  109.123.121.243 - malicious
  103.170.120.247 - malware
  107.172.148.208 - malicious
  91.195.240.123 - malicious
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
  ET MALWARE Generic .bin download from Dotted Quad
Score: 5.0 | M | 30 | ZeroCERT
12500 | 2023-06-08 17:36
File: cleanmgr.exe
MD5: e95742503cd258666b61c5dde8a9003a
Tags: UPX Malicious Library PE File PE32 JPEG Format DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder DNS
URLs (1): not listed on the page
Hosts: none listed
Signatures: none listed
Score: 3.4 | M | 20 | ZeroCERT
12501 | 2023-06-08 17:36
File: ijoijoijoijoijoijoijoijoijoijo...
MD5: e230816a29bb8af0b5f24adfbe5eff62
Tags: MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed
URLs (4):
  http://www.triciaaprimrosevp.com/xchu/?tzrL=FfQWrZf95VxT5fbFP2ouR8u1gr6XUpPNH6jyiiRwDUjhhUhOx6/nNPit9Ft1WefXL/7Zht0A&1bYHT=mzrd
  http://107.172.148.217/il/AzGEADokio218.bin
  http://www.nilhanzsa.net/xchu/?tzrL=UpdBoqvO0VuPJxPINRTvivST/MoTuXfbqSvNaVPeAJ6CiCHZFJ6wtB6ckIFoxPORzmMfQmkP&1bYHT=mzrd
  http://107.172.148.217/533/hkcmd.exe
Hosts (6):
  www.nilhanzsa.net(64.98.135.11)
  www.castilloshowroom.com()
  www.triciaaprimrosevp.com(165.160.15.20)
  64.98.135.11
  165.160.15.20 - malicious
  107.172.148.217 - malware
Signatures (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Generic .bin download from Dotted Quad
  ET MALWARE FormBook CnC Checkin (GET)
Score: 5.0 | M | 30 | ZeroCERT
12502 | 2023-06-08 17:34
File: remcos_a2.exe
MD5: 9aa44989b63c667ede9f25e26497c20f
Tags: Generic Malware UPX Malicious Library Downloader Malicious Packer OS Processor Check PE File PE32 Malware download Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Windows DNS
URLs (1):
  http://geoplugin.net/json.gp
Hosts (3):
  geoplugin.net(178.237.33.50)
  178.237.33.50
  94.142.138.111 - malware
Signatures (2):
  ET MALWARE Remcos 3.x Unencrypted Checkin
  ET MALWARE Remcos 3.x Unencrypted Server Response
Score: 3.6 | M | 60 | ZeroCERT
12503 | 2023-06-08 17:33
File: rsrsrsrsrsrrsrsrsrsrsrsrssrsrs...
MD5: 39669a47b553f5d6b3ed6b730d7852f9
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit crashed
URLs: none listed
Hosts: none listed
Signatures: none listed
Score: 3.6 | M | 30 | ZeroCERT
12504 | 2023-06-08 14:02
File: photo250.exe
MD5: e53eb222dce17efcdcac2c00cacb6c45
Tags: RedLine stealer[m] Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.30/music/rock/index.php - rule_id: 34087
  http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
  http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
Hosts (2):
  83.97.73.129 - malicious
  77.91.68.30 - malware
Signatures (9):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
URLs with rule_id (3):
  http://77.91.68.30/music/rock/index.php
  http://77.91.68.30/music/rock/Plugins/cred64.dll
  http://77.91.68.30/music/rock/Plugins/clip64.dll
Score: 20.8 | M | - | ZeroCERT
12505 | 2023-06-08 14:00
File: photo250.exe
MD5: cf66c33d6331c8d39b8058b46d59c108
Tags: RedLine stealer[m] Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.30/music/rock/index.php - rule_id: 34087
  http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
  http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
Hosts (2):
  77.91.68.30 - malware
  83.97.73.129 - malicious
Signatures (9):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
URLs with rule_id (3):
  http://77.91.68.30/music/rock/index.php
  http://77.91.68.30/music/rock/Plugins/cred64.dll
  http://77.91.68.30/music/rock/Plugins/clip64.dll
Score: 20.6 | M | - | ZeroCERT
12506 | 2023-06-08 13:59
File: 2.exe
MD5: 991184ef5c59ae33725e99a2e828ef8e
Tags: Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
URLs: none listed
Hosts: none listed
Signatures: none listed
Score: 2.0 | M | 35 | ZeroCERT
12507 | 2023-06-08 13:47
File: hostdll.exe
MD5: d8c387e22a23fcdac8444ff9d43ebef8
Tags: Generic Malware UPX Malicious Library PE File PE32 VirusTotal Malware AutoRuns Check memory RWX flags setting AntiVM_Disk suspicious TLD sandbox evasion VM Disk Size Check Windows Browser DNS
URLs: none listed
Hosts (2):
  imtieken.top(152.32.138.112)
  152.32.138.112
Signatures (1):
  ET DNS Query to a *.top domain - Likely Hostile
Score: 4.2 | - | 60 | ZeroCERT
12508 | 2023-06-08 11:28
File: File_pass1234.7z
MD5: 66448293af6065ecbcfb9038e202d4b6
Tags: PWS[m] Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows Trojan DNS
URLs (20):
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://45.9.74.6/2.exe
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://116.203.166.22/
  http://83.97.73.130/gallery/photo250.exe
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://116.203.166.22/3a85713b3d5d1b920c3b568392c6a89a
  http://www.maxmind.com/geoip/v2.1/city/me
  http://208.67.104.60/api/tracemap.php - rule_id: 28876
  http://194.169.175.124:3002/ - rule_id: 34039
  http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
  http://116.203.166.22/files.zip
  https://sun6-21.userapi.com/c909218/u228185173/docs/d49/e831690feb01/2poy.bmp?extra=ZTKGWIUO1EhJHS9mBKTB5OY_pmLAAMImPXHiT8UJiR3RZ3XvH8dUl5B8ZhhL5uQfGdbY_68Y9cXLOeOHTbvIpkuBtx_Es_exgotwdrhEgC99AyhTxEANoBLOGc8T0e2MA9BH1JwwtuddiJLhFw
  https://steamcommunity.com/profiles/76561199511129510
  https://vk.com/doc228185173_661224258?hash=vCiUkZVIOFAXqjET3WDU8hdIjjzYstZfhGTRT7qdWhH&dl=GcYUtutpXzkbwR15ZQIkqE7aWmquwiggKIZSr0u1iDL&api=1&no_preview=1#2poy
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-23.userapi.com/c235031/u228185173/docs/d2/6433426ed486/buddha.bmp?extra=6LBz6bFJP2-IdzuvTEcxMA-WOL_NETdpYpWfPHpcpnJO_fK2G8I2LGf5NDZU1vgcZXWumoS1qS0l4T5WQmzflIHG0Tb3MArA1unEteMfBEo-FUejxbatU0IJb2aUtBaBHOI4eWgU-ph3IRtzWQ
  https://vk.com/doc228185173_661187707?hash=E8KBAj0mrQKeVeg1mQqulf9QwzUSNijpeZUdZZRHzOH&dl=e9WRikYkxObWVd60tMcOvsySjPuuoC81YCrbzvtmzA0&api=1&no_preview=1#WW1
  https://sun6-20.userapi.com/c240331/u228185173/docs/d10/4b7a72f85de2/WWW1.bmp?extra=jl1aQfFxyg4nmTCmMKFT4qVnPEeE4J5ujDPJmG42gqNuqOxDjDsctdEVNXFT167Kd1O3vinZl4a5LemWEra7pYXKwK8bkDHxNHj77AxY1nCnL7K3jLVDIAHuUFq7Y747JGSUFQvpSMkF_ZUBfA
Hosts (39):
  sun6-23.userapi.com(95.142.206.3)
  db-ip.com(104.26.5.15)
  iplis.ru(148.251.234.93) - malicious
  hugersi.com(91.215.85.147) - malware
  steamcommunity.com(104.100.64.90) - malicious
  ji.jahhaega2qq.com(172.67.182.87) - malware
  iplogger.org(148.251.234.83) - malicious
  t.me(149.154.167.99) - malicious
  sun6-21.userapi.com(95.142.206.1) - malicious
  ipinfo.io(34.117.59.81)
  www.maxmind.com(104.17.215.67)
  sun6-20.userapi.com(95.142.206.0) - malicious
  api.db-ip.com(172.67.75.166)
  vk.com(87.240.132.67) - malicious
  148.251.234.93 - malicious
  104.17.215.67
  87.240.137.164 - malicious
  91.215.85.147 - malware
  23.198.103.114
  104.26.5.15
  208.67.104.60 - malicious
  194.169.175.124 - malicious
  149.154.167.99 - malicious
  172.67.75.166
  116.203.166.22
  157.254.164.98 - malicious
  34.117.59.81
  148.251.234.83
  45.12.253.74 - malware
  94.142.138.131 - malicious
  185.81.68.115
  83.97.73.130
  147.135.231.58 - malicious
  163.123.143.4 - malicious
  95.142.206.1 - malicious
  95.142.206.0 - malicious
  95.142.206.3
  45.9.74.6
  104.21.18.146
Signatures (18):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET INFO EXE - Served Attached HTTP
  ET DROP Spamhaus DROP Listed Traffic Inbound group 40
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  ET INFO TLS Handshake Failure
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET INFO Dotted Quad Host ZIP Request
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
URLs with rule_id (6):
  http://94.142.138.131/api/firegate.php
  http://hugersi.com/dl/6523.exe
  http://94.142.138.131/api/tracemap.php
  http://208.67.104.60/api/tracemap.php
  http://194.169.175.124:3002/
  http://ji.jahhaega2qq.com/m/p0aw25.exe
Score: 6.2 | M | - | ZeroCERT
12509 | 2023-06-08 11:15
File: final.docm
MD5: ea8f8a4cd85177248a08490f05d1b555
Tags: VBA_macro ZIP Format Word 2007 file format(docx) VirusTotal Malware exploit crash unpack itself Exploit crashed
URLs: none listed
Hosts: none listed
Signatures: none listed
Score: 3.8 | - | 37 | ZeroCERT
12510 | 2023-06-08 11:08
File: cleanmgrs.exe
MD5: 5acd030fa8d6773c21b19a4468727d05
Tags: RAT NSIS UPX Malicious Library PE File PE32 GIF Format PNG Format .NET DLL OS Processor Check DLL PE64 VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder
URLs: none listed
Hosts: none listed
Signatures: none listed
Score: 2.8 | - | 9 | ZeroCERT
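The entries above are flattened sandbox rows: a host cell such as "www.meter-ooh.com(194.58.112.174) 194.58.112.174 - mailcious" packs a domain, its resolved IP and a reputation label into one string, and the Suricata alerts (FormBook CnC Checkin, Executable Download from dotted-quad Host, External IP Lookup) summarise what the listed URLs look like. The following is an added example, not code from this listing or from ZeroCERT: it splits the host cells into IOC tuples (normalising the listing's "mailcious" spelling), and labels URLs with heuristics that approximate those alert families. The heuristics are our own approximations, not the Emerging Threats rules, and the embedded sample input is copied from entry 12497.

```python
"""Triage helpers for ZeroCERT-style sandbox listing entries.

Added example; this is not code from the listing or from ZeroCERT. The URL
heuristics approximate what the page's Suricata alerts report (FormBook GET
check-in, executable/.bin download from a dotted-quad host, external IP
lookup); they are our own approximations, not the Emerging Threats rules.
Sample inputs are copied from entry 12497 on the page.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# One host cell on the page looks like
#   "www.meter-ooh.com(194.58.112.174) 194.58.112.174 - mailcious"
# i.e. a name with an optional resolved IP in parentheses ("()" when the
# lookup failed), optionally followed by " - <verdict>".
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9][A-Za-z0-9.-]*)"   # domain or bare IPv4
    r"(?:\((?P<ip>[0-9.]*)\))?"             # optional "(1.2.3.4)" or "()"
    r"(?:\s+-\s+(?P<verdict>[a-z]+))?"      # optional " - malware"
)
# The listing spells one of its verdict labels "mailcious"; normalise it.
VERDICT_FIX = {"mailcious": "malicious"}

# Geolocation / external-IP services seen in the listing (ET POLICY hits).
IP_LOOKUP_HOSTS = {"geoplugin.net", "ipinfo.io", "db-ip.com", "api.db-ip.com",
                   "www.maxmind.com", "iplogger.org"}
PAYLOAD_EXT = (".exe", ".dll", ".bin", ".zip")
# FormBook uses a short alphanumeric directory as its C2 path ("/xchu/").
FORMBOOK_PATH_RE = re.compile(r"/[A-Za-z0-9]{3,6}/")


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def parse_hosts(cell):
    """Split a flattened host cell into (name, resolved_ip, verdict) tuples."""
    hosts = []
    for m in HOST_RE.finditer(cell):
        verdict = m.group("verdict")
        hosts.append((m.group("name"),
                      m.group("ip") or None,
                      VERDICT_FIX.get(verdict, verdict)))
    return hosts


def classify_url(url):
    """Coarse label for one URL, mirroring the alert families on the page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if FORMBOOK_PATH_RE.fullmatch(parts.path):
        # GET check-in: two parameters, a long base64-like blob followed by a
        # short token. A bare "/hqny/" with no query is the path of the POST
        # variant, which only the request body would confirm.
        if len(params) == 2 and len(params[0][1]) >= 40 and len(params[1][1]) <= 20:
            return "formbook-checkin"
        return "formbook-path"
    if is_ipv4(host) and parts.path.lower().endswith(PAYLOAD_EXT):
        return "dotted-quad-payload"
    return "other"


def triage(urls, host_cell):
    """Group an entry's URLs by class and list the hosts carrying a verdict."""
    classes = {}
    for url in urls:
        classes.setdefault(classify_url(url), []).append(url)
    flagged = [(name, verdict) for name, _ip, verdict in parse_hosts(host_cell)
               if verdict]
    return {"url_classes": classes, "flagged_hosts": flagged}


# Constructed from entry 12497 above (FormBook RTF lure).
SAMPLE_URLS = [
    "http://www.meter-ooh.com/xchu/?gdBt0P3x=RWcC4MkZSDk3mPucx988ojlBmNB6jNKUkkXC2Ajox5pIO+tnQ1elShzyRn23Myu/RX+OuZHb&M6Al=2dcphnL0DpFDjd",
    "http://107.172.148.217/cl/zbXCSdHkU190.bin",
    "http://107.172.148.217/23/cleanmgr.exe",
]
SAMPLE_HOSTS = ("www.nadiya.online() www.meter-ooh.com(194.58.112.174) "
                "194.58.112.174 - mailcious 107.172.148.217 - malware 156.237.242.36")

if __name__ == "__main__":
    result = triage(SAMPLE_URLS, SAMPLE_HOSTS)
    for label, urls in result["url_classes"].items():
        print(f"{label}: {len(urls)}")
    for name, verdict in result["flagged_hosts"]:
        print(f"{name} -> {verdict}")
```

Running it on the 12497 sample yields one formbook-checkin URL and two dotted-quad-payload URLs, with 194.58.112.174 and 107.172.148.217 as the flagged hosts, which is the same picture the entry's seven ET alerts give. The bare "/hqny/" paths in entry 12498 come out as formbook-path only, because the POST check-in that ET reports for them is not visible from the URL alone.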