151 | 2023-06-19 07:44 | fotod85.exe | MD5 1b434201661bf03643dee979e896d283
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3): http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362; http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363; http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2): 77.91.68.63 - malware; 83.97.73.129 - malicious
Suricata alerts (10): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3): http://77.91.68.63/doma/net/Plugins/cred64.dll; http://77.91.68.63/doma/net/Plugins/clip64.dll; http://77.91.68.63/doma/net/index.php
Score: 16.8 | M | VT: 44 | ZeroCERT

152 | 2023-06-19 07:45 | foto166.exe | MD5 5588669e4aad613744e9d61d340fd20d
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3): http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362; http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363; http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2): 83.97.73.129 - malicious; 77.91.68.63 - malware
Suricata alerts (10): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3): http://77.91.68.63/doma/net/Plugins/cred64.dll; http://77.91.68.63/doma/net/Plugins/clip64.dll; http://77.91.68.63/doma/net/index.php
Score: 16.0 | M | ZeroCERT

153 | 2023-06-19 07:47 | fotod85.exe | MD5 2769dce2f501a2a1e34bf2804532fcd5
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3): http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362; http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363; http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2): 83.97.73.129 - malicious; 77.91.68.63 - malware
Suricata alerts (10): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3): http://77.91.68.63/doma/net/Plugins/cred64.dll; http://77.91.68.63/doma/net/Plugins/clip64.dll; http://77.91.68.63/doma/net/index.php
Score: 16.8 | M | VT: 43 | ZeroCERT

154 | 2023-06-19 09:43 | fiki0614242.exe | MD5 d0fe5e997fb01417b2fe62989f94f6d6
Tags: Gen1 Emotet Gen2 Generic Malware UPX Malicious Library Malicious Packer CAB PE32 PE File OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution crashed
URLs: none
Hosts (5): 883c5b2846721687166301796.bag.sack55.net(); 883c5b2846721687166301796.bag.sack54.net(185.82.126.147); deb2533e357016871662949520000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(46.30.190.83); 46.249.49.132; 176.10.119.186
Suricata alerts: none
Score: 10.8 | M | VT: 6 | ZeroCERT

155 | 2023-06-20 17:33 | ageelectronicie32.exe | MD5 482df2c11dc09fe2bdafae64e2edec32
Tags: Gen1 Emotet UPX Malicious Library CAB PE File PE32 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Remote Code Execution
URLs: none
Hosts: none
Suricata alerts: none
Score: 4.4 | VT: 34 | ZeroCERT

156 | 2023-06-20 17:35 | bluesubstantialie64.exe | MD5 2bd2470d90bd8de8e260ff88a3fb181b
Tags: Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder Windows ComputerName Remote Code Execution
URLs: none
Hosts: none
Suricata alerts: none
Score: 4.6 | VT: 18 | ZeroCERT

157 | 2023-07-07 07:40 | glassadequatepro.exe | MD5 fa6ec356a90ef16403ad579d87b05ee5
Tags: Gen1 Emotet UPX Malicious Library .NET framework(MSIL) CAB PE64 PE File OS Processor Check .NET EXE PE32 AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS
URLs: none
Hosts (2): 5.42.65.13; 84.54.50.66
Suricata alerts: none
Score: 6.2 | ZeroCERT

158 | 2023-07-11 07:45 | photo540.exe | MD5 0b18dc187ed40a7a6310a6c4ba98ec91
Tags: Gen1 Emotet SmokeLoader UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (5): http://77.91.124.31/smo/du.exe; http://77.91.124.31/new/fotod45.exe; http://77.91.68.3/home/love/index.php; http://77.91.124.31/new/foto175.exe; http://77.91.68.3/home/love/Plugins/cred64.dll
Hosts (3): 77.91.124.31; 77.91.68.48; 77.91.68.3
Suricata alerts (13): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET INFO Executable Download from dotted-quad Host; ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Rule-matched URLs: none
Score: 17.4 | M | ZeroCERT

159 | 2023-07-18 07:21 | fotod25.exe | MD5 74b51238ceac125ca090efeb2b3bce46
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6): http://77.91.68.3/home/love/index.php - rule_id: 35049; http://77.91.68.3/home/love/index.php; http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053; http://77.91.68.3/home/love/Plugins/cred64.dll; http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054; http://77.91.68.3/home/love/Plugins/clip64.dll
Hosts (2): 77.91.68.3; 77.91.68.56
Suricata alerts (10): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET INFO Dotted Quad Host DLL Request; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3): http://77.91.68.3/home/love/index.php; http://77.91.68.3/home/love/Plugins/cred64.dll; http://77.91.68.3/home/love/Plugins/clip64.dll
Score: 16.6 | VT: 44 | ZeroCERT

160 | 2023-07-18 07:24 | foto135.exe | MD5 327b57745b8c136ea8d4e4e1519f508d
Tags: Gen1 Emotet RedLine Infostealer RedLine stealer UPX Malicious Library .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check .NET EXE DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (9): http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054; http://77.91.68.3/home/love/Plugins/clip64.dll; http://77.91.124.31/anon/an.exe; http://77.91.68.3/home/love/index.php - rule_id: 35049; http://77.91.68.3/home/love/index.php; http://77.91.124.31/new/foto135.exe; http://77.91.124.31/new/fotod25.exe; http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053; http://77.91.68.3/home/love/Plugins/cred64.dll
Hosts (3): 77.91.68.3; 77.91.68.56; 77.91.124.31
Suricata alerts (14): ET MALWARE Possible Kelihos.F EXE Download Common Structure; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET INFO Dotted Quad Host DLL Request; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3): http://77.91.68.3/home/love/Plugins/clip64.dll; http://77.91.68.3/home/love/index.php; http://77.91.68.3/home/love/Plugins/cred64.dll
Score: 17.8 | VT: 42 | ZeroCERT

161 | 2023-07-19 07:21 | theoryabilitypro.exe | MD5 5b4e9c25ebf1d7e5a91e85be8c2e4594
Tags: Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 OS Processor Check AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution Cryptographic key
URLs: none
Hosts (2): files.catbox.moe(108.181.20.35); 108.181.20.35
Suricata alerts (2): ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.8 | M | ZeroCERT

162 | 2023-07-19 07:34 | photo113.exe | MD5 7308bb341cd27493d2939ecbbc6c7436
Tags: Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (6): http://77.91.68.3/home/love/index.php - rule_id: 35049; http://77.91.68.3/home/love/index.php; http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053; http://77.91.68.3/home/love/Plugins/cred64.dll; http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054; http://77.91.68.3/home/love/Plugins/clip64.dll
Hosts (3): 77.91.68.3; 77.91.68.30; 77.91.68.56
Suricata alerts (11): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET INFO Dotted Quad Host DLL Request; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Packed Executable Download; ET MALWARE Amadey Bot Activity (POST); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3): http://77.91.68.3/home/love/index.php; http://77.91.68.3/home/love/Plugins/cred64.dll; http://77.91.68.3/home/love/Plugins/clip64.dll
Score: 17.0 | ZeroCERT

163 | 2023-07-19 07:37 | lega.exe | MD5 19771209e384f1f8e7ca013b72e0d1fe
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (3): http://87.121.47.63/laker/index.php; http://87.121.47.63/laker/Plugins/cred64.dll; http://87.121.47.63/laker/Plugins/clip64.dll
Hosts (2): 77.91.68.56; 87.121.47.63
Suricata alerts (9): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Dotted Quad Host DLL Request; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: none
Score: 15.8 | ZeroCERT

164 | 2023-07-24 07:42 | photo170.exe | MD5 65c0aab9f3cc5187b6d90b66fc734abc
Tags: Gen1 Emotet RedLine Infostealer RedLine stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer .NET framework(MSIL) Confuser .NET CAB PE File PE32 OS Processor Check DLL PE64 .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (6): http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054; http://77.91.124.31/anon/an.exe - rule_id: 35218; http://77.91.68.3/home/love/index.php - rule_id: 35049; http://77.91.124.31/new/foto135.exe - rule_id: 35216; http://77.91.124.31/new/fotod25.exe - rule_id: 35217; http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
Hosts (6): files.catbox.moe(108.181.20.35) - malware; 108.181.20.35 - malicious; 77.91.68.3 - malware; 77.91.68.68; 77.91.68.30 - malware; 77.91.124.31 - malicious
Suricata alerts (18): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE Redline Stealer TCP CnC - Id1Response; ET INFO Executable Download from dotted-quad Host; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Possible Kelihos.F EXE Download Common Structure; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET INFO Dotted Quad Host DLL Request; ET INFO Packed Executable Download; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET MALWARE Amadey Bot Activity (POST)
Rule-matched URLs (6): http://77.91.68.3/home/love/Plugins/clip64.dll; http://77.91.124.31/anon/an.exe; http://77.91.68.3/home/love/index.php; http://77.91.124.31/new/foto135.exe; http://77.91.124.31/new/fotod25.exe; http://77.91.68.3/home/love/Plugins/cred64.dll
Score: 18.4 | M | ZeroCERT

165 | 2023-07-25 07:37 | lega.exe | MD5 0cca805bb1bb946b8683dd3cfdaed406
Tags: Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Lumma Stealer Windows Update Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
URLs (10): http://5.42.92.67/norm/Plugins/clip64.dll; http://5.42.92.67/norm/index.php; http://5.42.92.67/norm/Plugins/cred64.dll; http://5.42.92.67/lend/LummaC2.exe; http://westwork-my.xyz/c2sock; http://westwork-my.xyz/c2conf; http://5.42.92.67/lend/; http://5.42.92.67/lend/dewrww7a1z.exe; http://westwork-my.xyz/; https://bitbucket.org/development-ws/applications/downloads/setup-rc18.exe
Hosts (6): westwork-my.xyz(104.21.72.18); bitbucket.org(104.192.141.1) - malware; 77.91.68.68 - malicious; 5.42.92.67 - malware; 104.21.72.18; 104.192.141.1 - malicious
Suricata alerts (16): ET MALWARE RedLine Stealer TCP CnC net.tcp Init; ET MALWARE Redline Stealer TCP CnC Activity; ET INFO TLS Handshake Failure; ET MALWARE Redline Stealer TCP CnC - Id1Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE Amadey Bot Activity (POST); ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2; ET MALWARE Amadey CnC Check-In; ET MALWARE Win32/Amadey Bot Activity (POST) M2; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Dotted Quad Host DLL Request; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs: none
Score: 18.6 | ZeroCERT
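The Amadey records above all share one staging pattern: a dotted-quad host that takes the check-in on index.php and serves Plugins/cred64.dll and Plugins/clip64.dll, which is what the "ET INFO Dotted Quad Host DLL Request" and "ET MALWARE Amadey CnC Check-In" alerts fire on. The script below is an added example, not part of this listing or of ZeroCERT's tooling: it runs that logic over a few constructed proxy-log lines. The C2 hosts in KNOWN_C2_HOSTS are the ones named in the records; the log format, the 10.0.0.x clients, the 203.0.113.5 host and the example.* names are assumptions for illustration.

```python
"""Added example: flag proxy-log requests that fit the Amadey/RedLine
staging pattern seen in the sandbox listing (dotted-quad host, index.php
check-in, Plugins/cred64.dll and Plugins/clip64.dll fetches).
Not part of the listing or of ZeroCERT's tooling."""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 / download hosts named in the records above. Extend from your own feed.
KNOWN_C2_HOSTS = {
    "77.91.68.63", "77.91.68.3", "77.91.124.31", "87.121.47.63", "5.42.92.67",
}

# Plugin names fetched from every Amadey host in the listing.
AMADEY_PLUGIN_RE = re.compile(r"/Plugins/(cred64|clip64)\.dll$", re.IGNORECASE)
CHECKIN_RE = re.compile(r"/index\.php$", re.IGNORECASE)
PE_RE = re.compile(r"\.(exe|dll)$", re.IGNORECASE)


def is_dotted_quad(host):
    """True when the host part of a URL is a literal IPv4 address."""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def classify(method, url):
    """Return the list of reasons a request looks like Amadey/RedLine
    staging traffic; an empty list means nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if AMADEY_PLUGIN_RE.search(path):
        reasons.append("amadey-plugin-dll")
    # Amadey check-in: POST to index.php on a bare IP (the ET CnC Check-In case)
    if method.upper() == "POST" and CHECKIN_RE.search(path) and is_dotted_quad(host):
        reasons.append("dotted-quad-php-checkin")
    # Generic: PE file pulled from a bare IP (the ET Dotted Quad DLL/EXE cases)
    if is_dotted_quad(host) and PE_RE.search(path):
        reasons.append("dotted-quad-pe-download")
    return reasons


# Constructed log lines in an assumed "timestamp client method url status"
# format. The 10.0.0.x clients, 203.0.113.5 and the example.* names are
# illustrative; the 77.91.68.63 URLs are the ones from record 151.
SAMPLE_LOG = """\
2023-06-19T07:44:10Z 10.0.0.15 POST http://77.91.68.63/doma/net/index.php 200
2023-06-19T07:44:11Z 10.0.0.15 GET http://77.91.68.63/doma/net/Plugins/cred64.dll 200
2023-06-19T07:44:12Z 10.0.0.15 GET http://77.91.68.63/doma/net/Plugins/clip64.dll 200
2023-06-19T07:50:02Z 10.0.0.22 GET https://www.example.org/index.php 200
2023-06-19T07:51:40Z 10.0.0.22 GET http://203.0.113.5/setup.exe 200
2023-06-19T07:52:13Z 10.0.0.40 GET https://www.example.net/ 200
"""


def scan_log(text):
    """Return (client, url, reasons) for every flagged line; lines that do
    not split into the five expected fields are skipped rather than crashed on."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, method, url, _status = fields
        reasons = classify(method, url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(reasons)}")
```

The known-host match is the only high-confidence signal; the dotted-quad rules reproduce what the ET INFO signatures do and are noisy on networks where internal update servers are addressed by IP, so exclude those ranges before alerting on "dotted-quad-pe-download" alone. The plugin-name rule fires on path alone, which is deliberate: the same cred64.dll/clip64.dll names appear on four different hosts in the records above, so it survives a C2 IP change.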