12736 |
2023-05-31 00:32
InvictaStealer.exe 986a9cd4347aa2207ae5fdbffecfae5a UPX Malicious Library OS Processor Check PE64 PE File VirusTotal Malware anti-virtualization |
2.4 |
46 |
guest
12737 |
2023-05-31 00:26
Builder.exe 1866f69cfaeeda3915074a0aab36717a UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File PDB Check memory ComputerName |
0.8 |
guest
12738 |
2023-05-30 18:07
Install_pass1234.7z 6c43db16ae6a2ad7ec9b609447cbb0ac PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows DNS |
11
http://hugersi.com/dl/6523.exe - rule_id: 32660 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://85.208.136.10/api/firegate.php - rule_id: 32663 http://85.208.136.10/api/tracemap.php - rule_id: 32662 http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779 http://83.97.73.126/gallery/photo660.exe - rule_id: 33780 http://www.maxmind.com/geoip/v2.1/city/me https://sun6-20.userapi.com/c237331/u791620691/docs/d11/350130cbb9c6/PMp123a.bmp?extra=tONVqElPo-mONv9H1N77dl5gnf0qx0RIDWhnQv0pfnggFyTSr0lcbBRhJPwYJlQIn69bcwZK5a77VAfW3irjaK0ObffcoXk5OiNOBL_6TNiZ1gJsMLeYqiluWsgsUZ703J9-VLfEFRywpKnOuw https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://sun6-21.userapi.com/c237031/u791620691/docs/d10/1bb194217104/cosmic.bmp?extra=OzP24DVVNdJlAer6TrgAxQeVsgO593sZw5mfKKl8xTWXj7lwr_z097-pN9i5YcJ_4RF8zAGPCKGry1YMyyMfhUwODYfgzyVCvqJBZ4tscygTmOcjlYrjai4gNPweG2FKerGXbbFxZN0pG_KMwQ
31
db-ip.com(104.26.5.15) iplis.ru(148.251.234.93) - mailcious hugersi.com(91.215.85.147) - malware ji.jahhaega2qq.com(172.67.182.87) - malware iplogger.org(148.251.234.83) - mailcious sun6-21.userapi.com(95.142.206.1) - mailcious ipinfo.io(34.117.59.81) www.maxmind.com(104.17.214.67) sun6-20.userapi.com(95.142.206.0) - mailcious api.db-ip.com(104.26.5.15) vk.com(87.240.137.164) - mailcious 172.67.182.87 - malware 148.251.234.83 148.251.234.93 - mailcious 172.67.75.166 104.26.4.15 45.63.40.48 - mailcious 163.123.143.4 - mailcious 95.142.206.1 - mailcious 95.142.206.0 - mailcious 45.15.156.229 - mailcious 104.17.215.67 91.215.85.147 - malware 45.12.253.74 - malware 157.254.164.98 176.113.115.239 - malware 85.208.136.10 - mailcious 34.117.59.81 87.240.132.78 - mailcious 83.97.73.126 - malware 83.97.73.127 - mailcious
13
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in TLS SNI)
6
http://hugersi.com/dl/6523.exe http://45.15.156.229/api/tracemap.php http://85.208.136.10/api/firegate.php http://85.208.136.10/api/tracemap.php http://ji.jahhaega2qq.com/m/p0aw25.exe http://83.97.73.126/gallery/photo660.exe
6.2 |
M |
ZeroCERT
12739 |
2023-05-30 17:46
6475b089e47aa.zip 6e2306600d820049c30f438bc39c2edf ZIP Format Malware Malicious Traffic NetSupport |
3
http://geo.netsupportsoftware.com/location/loca.asp
http://91.215.85.180:5222/
http://91.215.85.180/fakeurl.htm
4
balibumba1.com(91.215.85.180)
geo.netsupportsoftware.com(62.172.138.67) 51.142.119.24
91.215.85.180 - mailcious
5
ET POLICY NetSupport GeoLocation Lookup Request ET INFO NetSupport Remote Admin Checkin ET INFO NetSupport Remote Admin Response SURICATA HTTP Unexpected Request body SURICATA HTTP unable to match response to request
0.8 |
ZeroCERT
12740 |
2023-05-30 17:40
wefrswer.exe a5d280743e7a6cb631f3868a410596ad Raccoon Stealer Generic Malware UPX PE File PE32 VirusTotal Malware Remote Code Execution |
1.6 |
M |
30 |
ZeroCERT
12741 |
2023-05-30 17:38
oceanzx.doc 929bfc2d650dfa49c9a6133095ecf2fb MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Telegram Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
1
http://194.180.48.59/oceanzx.exe
3
api.telegram.org(149.154.167.220) 194.180.48.59 - malware
149.154.167.220
9
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Telegram API Domain in DNS Lookup
4.4 |
M |
29 |
ZeroCERT
12742 |
2023-05-30 17:36
internet.exe 993d95f1880cbd2145649f02734b2a94 AgentTesla browser info stealer Generic Malware Google Chrome User Data Downloader Antivirus Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName DNS Cryptographic key DDNS crashed |
2
pekonomia.duckdns.org(185.225.74.112) - mailcious 185.225.74.112 - mailcious
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
12.2 |
M |
37 |
ZeroCERT
12743 |
2023-05-30 17:36
IE_BROWSER.exe 506c7276a56ad45ffe3845e55849e013 Loki Loki_b Loki_m PWS .NET framework RAT Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://171.22.30.164/fred1/five/fre.php - rule_id: 33826
1
171.22.30.164 - mailcious
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://171.22.30.164/fred1/five/fre.php
14.6 |
M |
34 |
ZeroCERT
12744 |
2023-05-30 17:34
kakazx.doc d89bca5a30ab63889a8d2829dc6704a6 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash Tofsee Windows Exploit DNS crashed |
1
http://194.180.48.59/kakazx.exe
3
cp5ua.hyperhost.ua(91.235.128.141) - mailcious 194.180.48.59 - malware
91.235.128.141 - mailcious
7
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.6 |
M |
29 |
ZeroCERT
12745 |
2023-05-30 17:34
ewrue.exe c814a51d0729f9c380eb939550abe75c Raccoon Stealer Generic Malware UPX PE File PE32 VirusTotal Malware Remote Code Execution |
1.6 |
M |
39 |
ZeroCERT
12746 |
2023-05-30 17:32
smss.exe d9e03dba3c5cce141156dc0cdd710b31 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself AppData folder Windows crashed |
4.0 |
M |
35 |
ZeroCERT
12747 |
2023-05-30 17:32
6523.exe 72b9eecc26102e197e4fd9bd33d93783 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
1.6 |
M |
31 |
ZeroCERT
12748 |
2023-05-30 17:30
oceanzx.exe b63a30317660234ab69e300dde19bf68 KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
api.telegram.org(149.154.167.220) 149.154.167.220
4
ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.2 |
M |
26 |
ZeroCERT
12749 |
2023-05-30 17:29
kiikikikikikikiikikii%23%23%23... 454cb4cd20f392c5147c69ecdab428f4 Loki MS_RTF_Obfuscation_Objects RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed |
2
http://185.246.220.85/line/five/fre.php - rule_id: 33747
http://192.3.189.133/270/IE_NET.exe
2
192.3.189.133 - malware
185.246.220.85 - mailcious
13
ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET INFO Packed Executable Download ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
1
http://185.246.220.85/line/five/fre.php
5.4 |
M |
30 |
ZeroCERT
12750 |
2023-05-30 17:28
jahah.png 908da2b3f1932cce84084df7d5ba2218 PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed |
1
2
api.ipify.org(64.185.227.155) 173.231.16.76
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.0 |
M |
32 |
ZeroCERT