211 |
2023-09-30 13:47
|
betterconsiderableresspro.exe 99fe507e16e1bc59c788bce2d138b9f4 Gen1 Emotet Malicious Library UPX PE File PE64 CAB PE32 .NET EXE VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious 172.96.160.222 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
14 |
ZeroCERT
212 |
2023-10-02 08:57
|
kur90.exe 4c131b2d4436b786ff484576934a79b8 RedLine stealer Gen1 Emotet Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
21
http://5.42.92.211/loghub/master - rule_id: 36282 https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/ogW1H5O-17r.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://www.facebook.com/favicon.ico https://connect.facebook.net/security/hsts-pixel.gif https://www.facebook.com/login https://static.xx.fbcdn.net/rsrc.php/v3/y3/l/0,cross/ikFECARVllV.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/SccipWfTlTT.js?_nc_x=Ij3Wp8lg5Kz https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Ovcfo1SlXij.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/OioQXAqgNbJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/dEOkGH79P3Y.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz https://fbsbx.com/security/hsts-pixel.gif?c=5 https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/tzWkwLNK4bI.js?_nc_x=Ij3Wp8lg5Kz
|
12
www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) accounts.google.com(172.217.25.173) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 157.240.215.14 77.91.124.55 157.240.215.35 172.217.25.13 5.42.92.211 - mailcious
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
20.6 |
M |
30 |
ZeroCERT
213 |
2023-10-06 08:03
|
foto3553.exe 53ffe4a2e5ff91672c96597ebece2470 RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
34
http://5.42.92.211/loghub/master - rule_id: 36282 http://77.91.124.1/theme/index.php https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://www.facebook.com/favicon.ico https://accounts.google.com/generate_204?qq0oQg https://www.facebook.com/login https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?zRkItw https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1912069806%3A1696546479888140 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fbsbx.com/security/hsts-pixel.gif?c=5 https://connect.facebook.net/security/hsts-pixel.gif https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2064279959%3A1696546472842958 https://accounts.google.com/ https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz 
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S906761759%3A1696546534329684 https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/generate_204?qMW9GQ https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
|
18
ssl.gstatic.com(172.217.25.163) www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) www.google.com(142.250.206.228) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) accounts.google.com(172.217.25.173) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 142.251.130.4 142.251.130.13 157.240.215.14 77.91.124.55 - mailcious 77.91.68.52 - mailcious 77.91.124.1 - malware 157.240.215.35 5.42.92.211 - mailcious 172.217.24.67
|
20
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO PS1 Powershell File Request ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://5.42.92.211/loghub/master
|
26.8 |
M |
|
ZeroCERT
214 |
2023-10-06 17:47
|
fotha0925877.exe 65ef2eef1ccf3146b44010406a235cb7 Gen1 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 CAB OS Processor Check DLL PE64 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName Remote Code Execution crashed |
|
3
61c73c03354116965937587030000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(172.67.184.100) 61c73c03354116965937587030100611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(176.126.85.160) 176.10.119.186
|
|
|
8.8 |
M |
24 |
ZeroCERT
215 |
2023-10-09 13:19
|
lastsciiencepro.exe 81d34d81c4b40ba209760c61baaad458 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://blessdeckite.fun/ http://blessdeckite.fun/api http://172.86.98.101/xs12pro/Czbzftdagy.mp4 - rule_id: 37111
|
3
blessdeckite.fun(172.67.176.124) 172.86.98.101 - mailcious 104.21.31.117
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
1
http://172.86.98.101/xs12pro/
|
14.6 |
M |
19 |
ZeroCERT
216 |
2023-10-09 13:19
|
helpscientistpro.exe f54931aaae6cff496f607d6991cc1437 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Htjxmgd.pdf - rule_id: 37111 http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111
|
1
172.86.98.101 - mailcious
|
1
ET INFO Dotted Quad Host PDF Request
|
2
http://172.86.98.101/xs12pro/ http://172.86.98.101/xs12pro/
|
11.0 |
M |
|
ZeroCERT
217 |
2023-10-09 13:20
|
discoversophisticatedpro.exe 79de5ff2273d613a14ca4c8edff7d5ec Gen1 Emotet Generic Malware Malicious Library UPX .NET framework(MSIL) Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://172.86.98.101/xs12pro/Gpflofkmce.dat - rule_id: 37111 http://firmpanacewa.fun/api http://172.86.98.101/xs12pro/Rglrwzz.vdf - rule_id: 37111
|
3
firmpanacewa.fun(172.67.181.9) - mailcious 172.86.98.101 - mailcious 172.67.181.9 - mailcious
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://172.86.98.101/xs12pro/ http://172.86.98.101/xs12pro/
|
13.6 |
M |
|
ZeroCERT
218 |
2023-10-09 13:23
|
helpscientistpro.exe f54931aaae6cff496f607d6991cc1437 Gen1 Emotet Malicious Library UPX Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB Browser Info Stealer Malware download Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces suspicious TLD sandbox evasion Ransomware Lumma Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key |
3
http://manguvorpmi.pw/api http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111 http://manguvorpmi.pw/
|
3
manguvorpmi.pw(104.21.95.127) 172.86.98.101 - mailcious 172.67.144.245
|
5
ET DNS Query to a *.pw domain - Likely Hostile ET INFO Dotted Quad Host PDF Request ET INFO HTTP Request to a *.pw domain ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
|
1
http://172.86.98.101/xs12pro/
|
15.0 |
M |
|
ZeroCERT
219 |
2023-10-11 11:34
|
pew.EXE 6b34210f067d66503d97a9fe6925a4cf Gen1 Emotet Generic Malware Malicious Library UPX Antivirus PE File PE64 CAB VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities WriteConsoleW Windows ComputerName Remote Code Execution Cryptographic key |
|
|
|
|
5.8 |
|
27 |
ZeroCERT
220 |
2023-10-16 09:56
|
foto2552.exe c7523bca22d87a152b8c10c02736a335 Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
49
http://5.42.92.88/loghub/master http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.68.52/fuza/foto2552.exe http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/index.php - rule_id: 37040 https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://www.facebook.com/favicon.ico https://www.facebook.com/login https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywqvzTXJCBjF9Krz5UewUtmNlhIo1BS8-fexhnyRwXiKcYoKisy5fbyeo0_7MMbPVvKQe3s https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0,cross/qz5m5ZNj4YA.css?_nc_x=Ij3Wp8lg5Kz https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fonts.googleapis.com/css?family=Roboto:400,500 https://fbsbx.com/security/hsts-pixel.gif?c=5 https://connect.facebook.net/security/hsts-pixel.gif https://accounts.google.com/generate_204?QoZb0Q https://www.youtube.com/ https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzBQFfM-zgimivF77SXFn_CtNlk_Zx-KTSJ1hmwlPAI3lcCA3Htt7SepazY5A750yWTYAOAag https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://static.xx.fbcdn.net/rsrc.php/v3imQ-4/yl/l/ko_KR/CdEEViHRUhC.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://accounts.google.com/generate_204?6JaKqw 
https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/u4xvA0Tw-4L.css?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyyvqedP1KTGaespiPNNUuOOhhlNIWdRWejAZmR61I2VV-ku55l7L8gdnH1EC5fauuzoF1J2fA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S504171679%3A1697417176414722 https://static.xx.fbcdn.net/rsrc.php/v3/yi/l/0,cross/s3epWMBo1FX.css?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyz6pDefJyKshYFsDLzJUIYEkQBxjlzW7Psw7k8R--D2gwUfEF8gBSj8fOPfztqQKz1zgy7RqQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-419032450%3A1697417189597662 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywF-mDMSOkEjswyonfbOEtS8T9hact2vcwHgZZt-ZnDN2gujzOMIGtK2wUeYYtVpRN3jXclQg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S50465221%3A1697417225539467 https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yG/r/rAl2Hl1fQTa.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://static.xx.fbcdn.net/rsrc.php/v3/ya/r/v2fcQEWFLez.js?_nc_x=Ij3Wp8lg5Kz https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://static.xx.fbcdn.net/rsrc.php/v3/ye/l/0,cross/seCHURQhRK2.css?_nc_x=Ij3Wp8lg5Kz https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff 
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyw4RWVwonSQV9wc-sJ0hblW9eUgDp1jATZxto4xsZPzcpyg4ePyDYNLFo8tESUhKgBEKv4xqw https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://accounts.google.com/generate_204?hKrxwg https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
|
26
static.xx.fbcdn.net(157.240.215.14) www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) www.google.com(142.250.76.132) connect.facebook.net(157.240.215.14) www.youtube.com(142.250.198.14) - mailcious ssl.gstatic.com(142.250.206.227) fbcdn.net(157.240.215.35) accounts.google.com(142.250.206.205) facebook.com(157.240.215.35) fonts.gstatic.com(142.250.207.99) fonts.googleapis.com(142.250.207.106) 142.250.207.67 142.251.222.206 157.240.215.14 172.217.24.67 5.42.92.88 77.91.124.55 - mailcious 77.91.68.52 - mailcious 77.91.124.1 - malware 172.217.25.13 172.217.24.227 216.58.200.228 157.240.215.35 142.250.66.67 142.250.199.74
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO PS1 Powershell File Request ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
3
http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/index.php
|
26.4 |
M |
45 |
ZeroCERT
221 |
2023-10-23 16:58
|
foto2552.exe 4cdb3ee7e130e01a02d7b8a7d8dae6ec Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500 http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/index.php - rule_id: 37040 https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://www.google.com/favicon.ico https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywD2xgLxszRIN_7MaKSoUaoYTMvRFg50b2S5b8UluthbcUsGRE-8e1g-xdevGcqP20z4uow https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://accounts.google.com/ https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?S178ZQ https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywTlS8RSTMSloorftkjj1lY_2tWmEzy5429BwqOoerpQlAzoTk3QhoMS2hENHZmnLEtBloUjQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023002296%3A1698047601366063 https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff 
https://fonts.googleapis.com/css?family=Roboto:400,500
|
17
ssl.gstatic.com(142.250.206.227) www.facebook.com(157.240.215.35) www.google.com(142.250.76.132) www.youtube.com(142.250.207.14) - mailcious fonts.googleapis.com(142.250.206.234) accounts.google.com(142.250.206.205) fonts.gstatic.com(142.250.207.99) 142.250.207.67 157.240.31.35 142.250.204.109 142.250.66.132 193.233.255.73 - mailcious 109.107.182.133 172.217.31.3 77.91.124.1 - malware 172.217.24.110 142.250.66.106
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.124.1/theme/index.php
|
20.4 |
M |
46 |
ZeroCERT
222 |
2023-10-24 07:50
|
foto2552.exe 5e967436bbe28a1b2b6d4016ae7b5024 Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500 http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/index.php - rule_id: 37040 https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyz5YVxzRBWdpyuUtppgdvRy2Tw194Av0LWqrv008iX9c7bZnoHLo250QAw7Iz6oyudGemXR1A https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?6-E0fA https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://accounts.google.com/ https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxQBLRrENNzDGU7Qlkoss48yKJ12ueLob1lnUSvITk9Wdk0c8W1-KA6F38Oypk5hTx5sGjsKg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S470064247%3A1698101077522125 https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.google.com/favicon.ico https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff 
https://fonts.googleapis.com/css?family=Roboto:400,500
|
18
ssl.gstatic.com(142.250.206.227) www.facebook.com(157.240.31.35) www.google.com(142.250.76.132) www.youtube.com(142.251.222.14) - mailcious fonts.googleapis.com(172.217.161.234) accounts.google.com(142.250.206.205) fonts.gstatic.com(142.250.207.99) 142.251.220.78 142.251.220.45 77.91.124.86 172.217.27.36 51.68.143.81 193.233.255.73 - mailcious 77.91.124.1 - malware 172.217.24.227 172.217.31.10 157.240.215.35 142.250.66.67
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.124.1/theme/index.php
|
20.2 |
M |
|
ZeroCERT
223 |
2023-10-26 10:40
|
foto1661.exe 7613290b26555e6b7b16131d17331960 Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check .NET E Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
25
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524 http://77.91.68.249/fuza/2.ps1 http://193.233.255.73/loghub/master - rule_id: 37500 http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.68.249/fuza/foto1661.exe http://77.91.68.249/fuza/tus.exe http://77.91.68.249/fuza/nalo.exe - rule_id: 37525 http://77.91.68.249/fuza/nalo.exe http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/index.php - rule_id: 37040 http://77.91.124.1/theme/index.php https://accounts.google.com/generate_204?KIpSmg https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/generate_204?x9IqeA https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn https://www.google.com/favicon.ico 
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
14
www.youtube.com(172.217.25.174) - mailcious ssl.gstatic.com(142.250.206.227) www.facebook.com(157.240.215.35) accounts.google.com(142.250.206.205) www.google.com(142.250.76.132) 142.250.204.36 142.251.220.14 216.58.200.237 77.91.124.86 216.58.203.67 193.233.255.73 - mailcious 77.91.124.1 - malware 157.240.215.35 77.91.68.249 - malware
|
18
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO PS1 Powershell File Request ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
6
http://77.91.68.249/fuza/2.ps1 http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.68.249/fuza/nalo.exe http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/index.php
|
24.8 |
|
40 |
ZeroCERT
|
224 |
2023-11-03 12:23
|
lom30.exe 701ea7974b3f98830d636e93f836cfce Amadey RedLine stealer Gen1 Emotet SmokeLoader Generic Malware Malicious Library UPX Antivirus Malicious Packer .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) PWS ScreenShot Javascript_Blob AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
99
|
43
ssl.gstatic.com(142.250.207.99) www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) community.cloudflare.steamstatic.com(172.64.145.151) www.paypal.com(151.101.193.21) store.steampowered.com(23.40.44.77) www.youtube.com(172.217.31.142) - mailcious static.xx.fbcdn.net(157.240.215.14) steamcommunity.com(104.76.78.101) - mailcious static-assets-prod.unrealengine.com(18.64.8.66) fbcdn.net(157.240.215.35) connect.facebook.net(157.240.215.14) twitter.com(104.244.42.1) accounts.google.com(142.250.206.205) fonts.gstatic.com(142.250.207.99) facebook.com(157.240.215.35) www.google.com(142.250.76.132) fonts.googleapis.com(142.250.207.106) www.epicgames.com(52.204.190.22) 142.251.130.3 23.40.44.77 18.64.8.109 77.91.124.1 - malware 193.233.255.73 - mailcious 146.75.49.21 104.244.42.129 - suspicious 104.94.217.48 142.250.204.46 172.217.31.3 142.251.220.78 172.64.145.151 77.91.124.86 104.75.41.21 - mailcious 142.250.66.45 157.240.215.35 77.91.68.249 - malware 52.45.237.32 157.240.215.14 104.76.78.101 - mailcious 216.58.200.228 54.175.89.124 18.64.8.127 142.250.66.42
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO PS1 Powershell File Request ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
27.4 |
M |
|
ZeroCERT
|
225 |
2023-11-04 10:41
|
vah50.exe 03f92deb14398467ee6f9ac147c5b97a Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PWS ScreenShot AntiDebug AntiVM PE File PE32 CAB OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
4
http://193.233.255.73/loghub/master - rule_id: 37500 http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036 http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037 http://77.91.124.1/theme/index.php - rule_id: 37040
|
3
193.233.255.73 - mailcious 77.91.124.1 - malware 77.91.124.86
|
12
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master http://77.91.124.1/theme/Plugins/clip64.dll http://77.91.124.1/theme/Plugins/cred64.dll http://77.91.124.1/theme/index.php
|
24.2 |
M |
|
ZeroCERT
|