12526 |
2023-06-07 18:25
|
SO785000670065_GK3G46943006_PO... 97276eade4a474b02892b080fa0cae20 NSIS Suspicious_Script_Bin UPX Malicious Library PE File PE32 OS Processor Check DLL PE64 PNG Format VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Windows crashed |
|
|
|
|
3.8 |
|
32 |
ZeroCERT
12527 |
2023-06-07 17:59
|
file.xls b4b1d0f39ef9ad937d94513e95d324d0 VBA_macro Antivirus MSOffice File VirusTotal Malware exploit crash unpack itself Exploit crashed |
|
|
|
|
1.8 |
|
29 |
ZeroCERT
12528 |
2023-06-07 17:34
|
cleanmgr.exe 33108fe9d2b46a295190763ebb4083f7 AgentTesla PWS .NET framework browser info stealer Google Chrome User Data Downloader UPX Admin Tool (Sysinternals etc ...) ScreenShot Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM .NET EXE PE Fi Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key DDNS crashed keylogger |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50) divdemoce.duckdns.org(192.30.89.67) - mailcious 178.237.33.50 192.30.89.67 - mailcious
|
3
ET JA3 Hash - Remcos 3.x TLS Connection ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
15.6 |
M |
29 |
ZeroCERT
12529 |
2023-06-07 17:32
|
2d7f71dfd2399ffc78575f12b3d751... af1a989a2a9bd61b087cace076971f6a UPX Malicious Library Malicious Packer PE File PE32 BMP Format VirusTotal Malware Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check |
|
|
|
|
2.6 |
M |
19 |
ZeroCERT
12530 |
2023-06-07 17:31
|
iiihiiiihiiiihiiiihiiihiiih%23... a82d5070b20af38ed372d74774a661b8 MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS DDNS crashed |
2
http://geoplugin.net/json.gp http://192.210.215.42/77/cleanmgr.exe
|
5
geoplugin.net(178.237.33.50) divdemoce.duckdns.org(192.30.89.67) - mailcious 178.237.33.50 192.30.89.67 - mailcious 192.210.215.42 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET JA3 Hash - Remcos 3.x TLS Connection ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.4 |
M |
30 |
ZeroCERT
12531 |
2023-06-07 17:30
|
pmCxohhd.exe 2cf24e55ad1aad958e73c67878952c68 PWS .NET framework RAT UPX OS Processor Check PE64 .NET EXE PE File VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
51 |
ZeroCERT
12532 |
2023-06-07 17:29
|
llilliliiilllilililililillili%... d34424d4ff9030116dedad2314fabbcf MS_RTF_Obfuscation_Objects RTF File doc Malware download Remcos VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS DDNS crashed |
2
http://geoplugin.net/json.gp
http://192.210.215.42/88/cleanmgr.exe
|
5
geoplugin.net(178.237.33.50)
divdemoce.duckdns.org(192.30.89.67) - mailcious 178.237.33.50
192.30.89.67 - mailcious
192.210.215.42 - mailcious
|
8
ET JA3 Hash - Remcos 3.x TLS Connection ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.4 |
M |
30 |
ZeroCERT
12533 |
2023-06-07 17:29
|
ghjkl.exe 6304e54325ff26109e8dcea07bfd74ad PWS .NET framework RAT Generic Malware UPX Antivirus PWS[m] ScreenShot Anti_VM AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 VirusTotal Malware powershell Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote suspicious process AppData folder Windows ComputerName Cryptographic key crashed |
|
|
|
|
13.6 |
M |
57 |
ZeroCERT
12534 |
2023-06-07 17:28
|
nevv.exe 58a91896eaf6efe03ffe6ebb7b731792 AgentTesla RAT browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
185.65.134.166 - mailcious
|
|
|
7.6 |
M |
46 |
ZeroCERT
12535 |
2023-06-07 16:04
|
File_pass1234.7z dc266faa26395c58a3e0a99c4691be37 PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Stealer Windows DNS |
12
http://94.142.138.131/api/firegate.php - rule_id: 32650 http://hugersi.com/dl/6523.exe - rule_id: 32660 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://www.maxmind.com/geoip/v2.1/city/me http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779 http://194.169.175.124:3002/ - rule_id: 34039 http://83.97.73.128/gallery/photo430.exe - rule_id: 34041 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://sun6-23.userapi.com/c235031/u228185173/docs/d2/fa132fba0b7e/buddha.bmp?extra=gRm798kslBaPtRgOAU2D2epFH3ralLJDqzZ37rqKiRAkxV_ocXkFtXAJpSKj_NRdFtLsl280XXYcBIyXTXGXiParMUQ3ahHzvY62RCjMY4tY-vBPNwy1yTJAtku6p8bfbadzHUvteIWkxx7Zdw https://sun6-21.userapi.com/c240331/u800513317/docs/d20/47ed28b3afbb/PMp123a.bmp?extra=1mMgqmSMjVjqw0R3iI2gcBuuz3j4HzJcVCwS6ZNN2RNLYRVBKnzkbEX3B3wTBN6X_tUum6G61hOC4Wim4Ef_V6rIdysx5OFZk3o_ZAxk7zo8YiNEObqKxi_YMgNjUlPEjLR_BE0SWFw1H7t4Xw
|
31
db-ip.com(172.67.75.166) iplis.ru(148.251.234.93) - mailcious hugersi.com(91.215.85.147) - malware ji.jahhaega2qq.com(172.67.182.87) - malware iplogger.org(148.251.234.83) - mailcious sun6-23.userapi.com(95.142.206.3) sun6-21.userapi.com(95.142.206.1) - mailcious ipinfo.io(34.117.59.81) www.maxmind.com(104.17.214.67) api.db-ip.com(104.26.5.15) vk.com(93.186.225.194) - mailcious 172.67.182.87 - malware 148.251.234.83 148.251.234.93 - mailcious 172.67.75.166 104.26.4.15 147.135.231.58 - mailcious 163.123.143.4 - mailcious 95.142.206.1 - mailcious 95.142.206.3 45.15.156.229 - mailcious 194.169.175.124 - mailcious 83.97.73.128 - malware 91.215.85.147 - malware 45.12.253.74 - malware 94.142.138.131 - mailcious 157.254.164.98 - mailcious 34.117.59.81 104.26.5.15 104.17.214.67 87.240.132.72
|
15
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Packed Executable Download ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET POLICY IP Check Domain (iplogger .org in TLS SNI)
|
7
http://94.142.138.131/api/firegate.php http://hugersi.com/dl/6523.exe http://45.15.156.229/api/tracemap.php http://94.142.138.131/api/tracemap.php http://ji.jahhaega2qq.com/m/p0aw25.exe http://194.169.175.124:3002/ http://83.97.73.128/gallery/photo430.exe
|
5.8 |
M |
|
ZeroCERT
12536 |
2023-06-07 13:42
|
index.html e66507bcd2afe260f82a61cb981ec964 AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
f004.backblazeb2.com(149.137.128.16) - mailcious 149.137.128.16 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest
12537 |
2023-06-07 13:40
|
System.ERROR.Log.915f56c710ede... 821fa2667e4aec575987afcef2276fe5 CAB MSOffice File DLL PE64 PE File Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check ComputerName DNS |
1
http://sslcom.repository.certum.pl/ctnca.cer
|
4
sslcom.repository.certum.pl(96.7.39.84) 104.26.5.15 104.17.214.67 121.254.136.104
|
|
|
5.2 |
|
|
ZeroCERT
12538 |
2023-06-07 13:34
|
Install_pass1234.7z 21c1b0f8d03d57065b96c639b518886d PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download VirusTotal Malware c&c suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser DNS plugin |
23
http://5.42.199.15/7381b0eb2134edfd/msvcp140.dll http://hugersi.com/dl/6523.exe - rule_id: 32660 http://5.42.199.15/7381b0eb2134edfd/sqlite3.dll http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://85.208.136.10/api/firegate.php - rule_id: 32663 http://5.42.199.15/14387668e1174a87.php - rule_id: 34035 http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779 http://5.42.199.15/7381b0eb2134edfd/softokn3.dll http://5.42.199.15/7381b0eb2134edfd/nss3.dll http://5.42.199.15/7381b0eb2134edfd/vcruntime140.dll http://www.maxmind.com/geoip/v2.1/city/me http://5.42.199.15/7381b0eb2134edfd/mozglue.dll http://194.169.175.124:3002/ - rule_id: 34039 http://83.97.73.128/gallery/photo430.exe - rule_id: 34041 http://85.208.136.10/api/tracemap.php - rule_id: 32662 http://5.42.199.15/7381b0eb2134edfd/freebl3.dll https://vk.com/doc228185173_661153352?hash=xdfz7khDaKTZuZfc6eD4kR51HKXjFRBzEoWcJb9wBhL&dl=Pr7rOMXa0zgLcM5qJA9Lq5jiCwQPKFqjLmym9agLrzz&api=1&no_preview=1 https://sun6-22.userapi.com/c235131/u228185173/docs/d18/dcefed7742fe/stcr.bmp?extra=4cMjfsrflUnXqTTqcGy751WstwtljmtnZqSkHC6RZDy1n2v9t-pL7VgO6HA-9WXpkbUJzdkxTDPBcX-hOAbII9gt79CQLL7ldZtFjYp6g0gjQIpYUrezqnYQwJROQ7WCK9Y4yNSKOrSY61YE8g https://vk.com/doc228185173_661170695?hash=0L1uaqPVMU921w2pmJcrwQkDyu94h0wjzS3p0ld9R4D&dl=kstr1dyAL1ZXBFBl1qg66UJerdx2DZWJ9uOQs1kXZ0T&api=1&no_preview=1#str https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://sun6-23.userapi.com/c235031/u228185173/docs/d2/fa132fba0b7e/buddha.bmp?extra=gRm798kslBaPtRgOAU2D2epFH3ralLJDqzZ37rqKiRAkxV_ocXkFtXAJpSKj_NRdFtLsl280XXYcBIyXTXGXiParMUQ3ahHzvY62RCjMY4tY-vBPNA-1yTJAtku6p8bfbfR3TR-8eYavxErefA https://sun6-21.userapi.com/c240331/u800513317/docs/d20/47ed28b3afbb/PMp123a.bmp?extra=1mMgqmSMjVjqw0R3iI2gcBuuz3j4HzJcVCwS6ZNN2RNLYRVBKnzkbEX3B3wTBN6X_tUum6G61hOC4Wim4Ef_V6rIdysx5OFZk3o_ZAxk7zo8YiNEOrmKxi_YMgNjUlPEjLd8VxkUWVxlSLN7Cw
|
35
db-ip.com(104.26.4.15) iplis.ru(148.251.234.93) - mailcious hugersi.com(91.215.85.147) - malware ji.jahhaega2qq.com(104.21.18.146) - malware iplogger.org(148.251.234.83) - mailcious sun6-23.userapi.com(95.142.206.3) sun6-21.userapi.com(95.142.206.1) - mailcious ipinfo.io(34.117.59.81) sun6-22.userapi.com(95.142.206.2) www.maxmind.com(104.17.215.67) vk.com(87.240.132.78) - mailcious api.db-ip.com(172.67.75.166) 148.251.234.93 - mailcious 104.17.215.67 83.97.73.128 - malware 91.215.85.147 - malware 87.240.129.133 - mailcious 104.26.5.15 172.67.75.166 157.254.164.98 - mailcious 34.117.59.81 172.67.182.87 - malware 148.251.234.83 45.12.253.74 - malware 5.42.199.15 - mailcious 194.169.175.124 - malware 104.17.214.67 45.15.156.229 - mailcious 104.26.4.15 147.135.231.58 163.123.143.4 - mailcious 95.142.206.1 - mailcious 95.142.206.3 85.208.136.10 - mailcious 95.142.206.2
|
31
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO EXE - Served Attached HTTP ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Submitting Screenshot to C2
|
8
http://hugersi.com/dl/6523.exe http://45.15.156.229/api/tracemap.php http://85.208.136.10/api/firegate.php http://5.42.199.15/14387668e1174a87.php http://ji.jahhaega2qq.com/m/p0aw25.exe http://194.169.175.124:3002/ http://83.97.73.128/gallery/photo430.exe http://85.208.136.10/api/tracemap.php
|
6.2 |
M |
7 |
ZeroCERT
12539 |
2023-06-07 13:23
|
File_pass1234.7z 5dadedcd20637db80749292fb8d55eb8 PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser DNS plugin |
22
|
34
|
31
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Download from dotted-quad Host ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET DROP Spamhaus DROP Listed Traffic Inbound group 1 ET INFO EXE - Served Attached HTTP ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET INFO TLS Handshake Failure ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET MALWARE Win32/Stealc Submitting System Information to C2 ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Submitting Screenshot to C2
|
5
http://94.142.138.131/api/firegate.php http://hugersi.com/dl/6523.exe http://45.15.156.229/api/tracemap.php http://94.142.138.131/api/tracemap.php http://ji.jahhaega2qq.com/m/p0aw25.exe
|
6.2 |
M |
|
ZeroCERT
12540 |
2023-06-07 10:31
|
003737.exe d93dd4200d1997c9b734bc2b1de77dc8 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS |
4
http://www.dwcmy.icu/jaux/ http://www.dwcmy.icu/jaux/?RA2Ffnn=dXzChEviWThMepFS/xxtUmXNQtBwn4KvgZ5ardr6ndysj8KT1gjetGIPwrBptW+hnPwvo+gRGgTDVleeJCFvAYnj9Conz55LaaEoVKU=&gLB=QULU5 http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip http://www.brick2theatercompany.org/jaux/?RA2Ffnn=icakqaRty6vlYpraZuLZDt8iqw6TAXaANP93WqO2tXnG28cx2yzbZzs/HE+K7qwLPazhHRQPHP7+Ft+vCQAGl34EUMiC/bZO7D7RKMw=&gLB=QULU5
|
5
www.dwcmy.icu(107.148.132.109) www.brick2theatercompany.org(184.154.216.162) 107.148.132.109 184.154.216.162 45.33.6.223
|
4
ET INFO DNS Query for Suspicious .icu Domain ET INFO HTTP POST Request to Suspicious *.icu domain ET MALWARE FormBook CnC Checkin (POST) M2 ET MALWARE FormBook CnC Checkin (GET)
|
|
5.0 |
|
44 |
ZeroCERT