| 1 |
2024-07-06 18:35
|
 build.exe 2dece3353cda5321fff7c92a697c37ee
Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
104.87.193.17
149.154.167.99 - mailcious
95.217.241.48 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199730044335
|
11.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2024-07-06 18:31
|
 RedLineStealer.exe a957dc16d684fbd7e12fc87e8ee12fea
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.4 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2024-07-06 18:30
|
 stealc_zov.exe 253ccac8a47b80287f651987c0c779ea
Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
8
http://40.86.87.10/b13597c85f807692/mozglue.dll
http://40.86.87.10/b13597c85f807692/msvcp140.dll
http://40.86.87.10/b13597c85f807692/sqlite3.dll
http://40.86.87.10/b13597c85f807692/softokn3.dll
http://40.86.87.10/b13597c85f807692/vcruntime140.dll
http://40.86.87.10/b13597c85f807692/nss3.dll
http://40.86.87.10/b13597c85f807692/freebl3.dll
http://40.86.87.10/108e010e8f91c38c.php
|
1
|
16
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
|
|
8.4 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2024-07-06 18:25
|
 leva.exe de1f91ae5c55b1cbbc6d6561464d7d99
Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
8
http://85.28.47.30/69934896f997d5bb/sqlite3.dll
http://85.28.47.30/69934896f997d5bb/softokn3.dll
http://85.28.47.30/69934896f997d5bb/vcruntime140.dll
http://85.28.47.30/920475a59bac849d.php
http://85.28.47.30/69934896f997d5bb/msvcp140.dll
http://85.28.47.30/69934896f997d5bb/nss3.dll
http://85.28.47.30/69934896f997d5bb/freebl3.dll
http://85.28.47.30/69934896f997d5bb/mozglue.dll
|
3
185.172.128.90 - mailcious
77.91.77.81 - mailcious
85.28.47.30 - mailcious
|
16
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
|
12.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2024-07-06 18:25
|
 CryptoWall.exe 919034c8efb9678f96b47a20fa6199f2
ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted IP Check DNS |
2
http://myexternalip.com/raw
http://ip-addr.es/
|
10
myexternalip.com(34.117.118.44)
ip-addr.es(188.165.164.184)
34.117.118.44
91.121.12.127
188.165.164.184
94.247.28.26
94.247.31.19
185.172.128.90 - mailcious
209.148.85.151
94.247.28.156
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO HTTP Request for External IP Check (ip-addr .es)
ET POLICY External IP Check myexternalip.com
|
|
7.8 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2024-07-06 18:22
|
 univ.exe 217b817f890ef7fc49dc9207d55d2a01
GCleaner Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic human activity check DNS |
1
http://185.172.128.90/cpa/name.php - rule_id: 39629
|
1
185.172.128.90 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
1
http://185.172.128.90/cpa/name.php
|
3.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2024-07-06 18:21
|
 inte.exe 0da0d1efee859f1fe9cbd3bf5b428af6
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS |
1
http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981
|
1
185.172.128.90 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
1
http://185.172.128.90/cpa/ping.php
|
2.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2024-07-05 22:38
|
 64.exe 3e682955546fe3b6b1296a509ff80f65
Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser |
|
|
|
|
4.8 |
M |
48 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2024-07-05 22:38
|
 64.exe 3e682955546fe3b6b1296a509ff80f65
Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser |
|
|
|
|
4.8 |
M |
48 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2024-07-05 15:56
|
 64.exe 3e682955546fe3b6b1296a509ff80f65
Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS |
|
1
|
|
|
5.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2024-07-05 11:07
|
 BestChange.exe 22aea1c65376a239fcead8d4e0ff00e3
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
1.6 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2024-07-04 17:29
|
 UpdaterP.exe 40094e123c89625468665c8c196c2ffd
UPX PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
89.197.154.116 - mailcious
|
|
|
4.8 |
M |
62 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2024-07-04 17:14
|
 UtilityP.exe 771b79f619f789921ac9d720d16323ed
Malicious Library PE File PE64 VirusTotal Malware RWX flags setting unpack itself ComputerName DNS |
|
1
89.197.154.116 - mailcious
|
|
|
5.2 |
|
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2024-07-04 17:12
|
 5555.exe 99b1f5901c396f5d019f933eb80f6b09
Malicious Packer UPX PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
|
|
|
2.6 |
M |
64 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2024-07-04 17:10
|
 a.exe 2d54d9c5710c8a2d09111644b8c6f76c
Generic Malware Malicious Packer PE File PE64 VirusTotal Malware Code Injection unpack itself |
|
|
|
|
2.6 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|