| 1456 |
2024-08-07 10:18
|
 ienetworks.hta 367299f3b78921590e30252fcc114cc7
Antivirus VirusTotal Malware unpack itself crashed |
|
|
|
|
1.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1457 |
2024-08-07 10:13
|
 3.dat 0c8848c11a91ab74f30abbef17792f8f
Generic Malware UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.8 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1458 |
2024-08-07 10:11
|
 wp.vbs 67d660ff76a9414cc62d4ddf7f3223f6VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
1
http://chongmei33.publicvm.com:7045/is-ready
|
2
chongmei33.publicvm.com(46.246.6.6) - mailcious
46.246.6.6
|
1
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
|
10.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1459 |
2024-08-07 10:11
|
 taskhostw3.exe 06a8e35022b76d751e396d1ab5bb9cf1
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
3.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1460 |
2024-08-07 10:09
|
 az.exe b9fcbae32e294854e2507179d4acef1c
Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
1.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1461 |
2024-08-07 10:08
|
 Eqmosyuwc.exe 5bd96efdf03f3f0758f1822e678dacaa
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key |
|
|
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1462 |
2024-08-07 10:07
|
 jm.vbs 1e4160cfab325ccbe906be8bfd94fb53VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk IP Check VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
2
http://ip-api.com/json/
http://chongmei33.publicvm.com:7045/is-ready
|
4
chongmei33.publicvm.com(46.246.6.6) - mailcious
ip-api.com(208.95.112.1)
46.246.6.6
208.95.112.1
|
3
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET POLICY External IP Lookup ip-api.com
|
|
10.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1463 |
2024-08-07 10:06
|
masdaaaewebbbMPDW-constraints.... 2bcdb70c9930b9ade4d2f993105816ca
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1464 |
2024-08-07 10:04
|
 sahost.exe 849c7ae770318ac09e0fde466e1becfe
Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself crashed |
|
|
|
|
7.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1465 |
2024-08-07 10:04
|
 amadey.exe 107c3b33e05d1d569cccc2052e56055e
Amadey Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check DLL PE64 JPEG Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Software |
4
http://80.66.75.214/g8djmsaxA/Plugins/cred64.dll
http://80.66.75.214/g8djmsaxA/Plugins/clip64.dll
http://80.66.75.214/g8djmsaxA/index.php?scr=1
http://80.66.75.214/g8djmsaxA/index.php
|
29
197.234.223.180
77.246.158.216
157.97.109.159
83.243.47.17
118.25.101.87
47.99.144.17
79.124.17.242
37.16.7.184
34.43.67.154
162.0.211.158
213.100.160.101
110.42.3.95
80.66.75.214 - malware
63.134.234.92
146.148.25.153
116.202.81.93
125.229.77.252
182.92.155.50
38.249.8.144
38.249.14.69
119.176.96.94
184.154.46.96
213.199.32.146
79.96.222.94
178.17.168.102
155.159.241.238
87.230.85.251
162.240.68.86
68.183.179.133
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET MALWARE Amadey Bot Activity (POST) M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
|
13.6 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1466 |
2024-08-07 10:04
|
 193.exe 5a5ccdbe3cdd135a57f61138867932a8
Generic Malware UPX PE File PE32 VirusTotal Malware DNS |
1
http://115.159.47.193/4.jpg
|
1
|
|
|
4.0 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1467 |
2024-08-07 10:02
|
 ds.exe 3b6b710da92a115329d00c5e55ad7671
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1468 |
2024-08-07 10:00
|
 cred.dll 2fb39d6664f6b415124cf2368db92fb4
Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
|
2
ruspyc.top(154.216.20.234) - mailcious
154.216.20.234 - malware
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO HTTP Request to a *.top domain
|
1
|
8.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1469 |
2024-08-07 09:58
|
 clip64.dll 40c8cf4849514e1d32f865bafe75f898
Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://ruspyc.top/h9k4kfklCdszZ3/index.php - rule_id: 38931
|
2
ruspyc.top(154.216.20.234) - mailcious
154.216.20.234 - malware
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
|
1
|
3.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1470 |
2024-08-07 09:57
|
 setup.exe fc99ddf185aa553bf30c431cc897c903
Generic Malware Malicious Library UPX ftp PE File PE32 OS Processor Check VirusTotal Malware Telegram Code Injection unpack itself IP Check DNS |
1
http://myexternalip.com/raw
|
4
myexternalip.com(34.160.111.145)
api.telegram.org(149.154.167.220) - mailcious
34.160.111.145
149.154.167.220 - mailcious
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET POLICY External IP Check myexternalip.com
|
|
5.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|