1 | 2024-07-06 18:35 | build.exe 2dece3353cda5321fff7c92a697c37ee
  Tags: Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
  URLs (2): https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948; https://steamcommunity.com/profiles/76561199730044335
  Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(23.59.200.146) - mailcious; 104.87.193.17; 149.154.167.99 - mailcious; 95.217.241.48 - mailcious
  Alerts (3): ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Rule-matched URLs (1): https://steamcommunity.com/profiles/76561199730044335
  11.0 | M | 60 | ZeroCERT

2 | 2024-07-06 18:31 | RedLineStealer.exe a957dc16d684fbd7e12fc87e8ee12fea
  Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
  2.4 | M | 62 | ZeroCERT

3 | 2024-07-06 18:30 | stealc_zov.exe 253ccac8a47b80287f651987c0c779ea
  Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
  URLs (8): http://40.86.87.10/b13597c85f807692/mozglue.dll; http://40.86.87.10/b13597c85f807692/msvcp140.dll; http://40.86.87.10/b13597c85f807692/sqlite3.dll; http://40.86.87.10/b13597c85f807692/softokn3.dll; http://40.86.87.10/b13597c85f807692/vcruntime140.dll; http://40.86.87.10/b13597c85f807692/nss3.dll; http://40.86.87.10/b13597c85f807692/freebl3.dll; http://40.86.87.10/108e010e8f91c38c.php
  Hosts (1): (none listed)
  Alerts (16): ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET MALWARE Win32/Stealc Submitting Screenshot to C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  8.4 | M | 65 | ZeroCERT

4 | 2024-07-06 18:25 | leva.exe de1f91ae5c55b1cbbc6d6561464d7d99
  Tags: Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
  URLs (8): http://85.28.47.30/69934896f997d5bb/sqlite3.dll; http://85.28.47.30/69934896f997d5bb/softokn3.dll; http://85.28.47.30/69934896f997d5bb/vcruntime140.dll; http://85.28.47.30/920475a59bac849d.php; http://85.28.47.30/69934896f997d5bb/msvcp140.dll; http://85.28.47.30/69934896f997d5bb/nss3.dll; http://85.28.47.30/69934896f997d5bb/freebl3.dll; http://85.28.47.30/69934896f997d5bb/mozglue.dll
  Hosts (3): 185.172.128.90 - mailcious; 77.91.77.81 - mailcious; 85.28.47.30 - mailcious
  Alerts (16): ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET MALWARE Win32/Stealc Submitting System Information to C2; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  12.4 | M | 35 | ZeroCERT

5 | 2024-07-06 18:25 | CryptoWall.exe 919034c8efb9678f96b47a20fa6199f2
  Tags: ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted IP Check DNS
  URLs (2): http://myexternalip.com/raw; http://ip-addr.es/
  Hosts (10): myexternalip.com(34.117.118.44); ip-addr.es(188.165.164.184); 34.117.118.44; 91.121.12.127; 188.165.164.184; 94.247.28.26; 94.247.31.19; 185.172.128.90 - mailcious; 209.148.85.151; 94.247.28.156
  Alerts (3): ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO HTTP Request for External IP Check (ip-addr .es); ET POLICY External IP Check myexternalip.com
  7.8 | M | 60 | ZeroCERT

6 | 2024-07-06 18:22 | univ.exe 217b817f890ef7fc49dc9207d55d2a01
  Tags: GCleaner Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic human activity check DNS
  URLs (1): http://185.172.128.90/cpa/name.php - rule_id: 39629
  Hosts (1): 185.172.128.90 - mailcious
  Alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  Rule-matched URLs (1): http://185.172.128.90/cpa/name.php
  3.4 | M | 57 | ZeroCERT

7 | 2024-07-06 18:21 | inte.exe 0da0d1efee859f1fe9cbd3bf5b428af6
  Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS
  URLs (1): http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981
  Hosts (1): 185.172.128.90 - mailcious
  Alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  Rule-matched URLs (1): http://185.172.128.90/cpa/ping.php
  2.6 | M | 58 | ZeroCERT

8 | 2024-07-05 22:38 | 64.exe 3e682955546fe3b6b1296a509ff80f65
  Tags: Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser
  4.8 | M | 48 | guest

9 | 2024-07-05 22:38 | 64.exe 3e682955546fe3b6b1296a509ff80f65
  Tags: Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser
  4.8 | M | 48 | guest

10 | 2024-07-05 15:56 | 64.exe 3e682955546fe3b6b1296a509ff80f65
  Tags: Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS
  Hosts (1): (none listed)
  5.4 | M | 48 | ZeroCERT

11 | 2024-07-05 11:07 | BestChange.exe 22aea1c65376a239fcead8d4e0ff00e3
  Tags: Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
  1.6 | M | 2 | ZeroCERT

12 | 2024-07-04 17:29 | UpdaterP.exe 40094e123c89625468665c8c196c2ffd
  Tags: UPX PE File PE32 VirusTotal Malware unpack itself DNS
  Hosts (1): 89.197.154.116 - mailcious
  4.8 | M | 62 | r0d

13 | 2024-07-04 17:14 | UtilityP.exe 771b79f619f789921ac9d720d16323ed
  Tags: Malicious Library PE File PE64 VirusTotal Malware RWX flags setting unpack itself ComputerName DNS
  Hosts (1): 89.197.154.116 - mailcious
  5.2 | | 56 | ZeroCERT

14 | 2024-07-04 17:12 | 5555.exe 99b1f5901c396f5d019f933eb80f6b09
  Tags: Malicious Packer UPX PE File PE32 VirusTotal Malware unpack itself DNS
  Hosts (1): (none listed)
  2.6 | M | 64 | ZeroCERT

15 | 2024-07-04 17:10 | a.exe 2d54d9c5710c8a2d09111644b8c6f76c
  Tags: Generic Malware Malicious Packer PE File PE64 VirusTotal Malware Code Injection unpack itself
  2.6 | M | 37 | ZeroCERT