| 211 |
2023-09-30 13:47
|
 betterconsiderableresspro.exe 99fe507e16e1bc59c788bce2d138b9f4
Gen1 Emotet Malicious Library UPX PE File PE64 CAB PE32 .NET EXE VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious
172.96.160.222 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 212 |
2023-10-02 08:57
|
 kur90.exe 4c131b2d4436b786ff484576934a79b8
RedLine stealer Gen1 Emotet Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
21
http://5.42.92.211/loghub/master - rule_id: 36282
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/ogW1H5O-17r.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/y3/l/0,cross/ikFECARVllV.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/SccipWfTlTT.js?_nc_x=Ij3Wp8lg5Kz
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Ovcfo1SlXij.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/OioQXAqgNbJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/dEOkGH79P3Y.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/tzWkwLNK4bI.js?_nc_x=Ij3Wp8lg5Kz
|
12
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
accounts.google.com(172.217.25.173)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
157.240.215.14
77.91.124.55
157.240.215.35
172.217.25.13
5.42.92.211 - mailcious
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
20.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 213 |
2023-10-06 08:03
|
 foto3553.exe 53ffe4a2e5ff91672c96597ebece2470
RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
34
http://5.42.92.211/loghub/master - rule_id: 36282
http://77.91.124.1/theme/index.php
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://www.facebook.com/favicon.ico
https://accounts.google.com/generate_204?qq0oQg
https://www.facebook.com/login
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?zRkItw
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1912069806%3A1696546479888140
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://connect.facebook.net/security/hsts-pixel.gif
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2064279959%3A1696546472842958
https://accounts.google.com/
https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S906761759%3A1696546534329684
https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/generate_204?qMW9GQ
https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
|
18
ssl.gstatic.com(172.217.25.163)
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
www.google.com(142.250.206.228)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
accounts.google.com(172.217.25.173)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
142.251.130.4
142.251.130.13
157.240.215.14
77.91.124.55 - mailcious
77.91.68.52 - mailcious
77.91.124.1 - malware
157.240.215.35
5.42.92.211 - mailcious
172.217.24.67
|
20
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO PS1 Powershell File Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://5.42.92.211/loghub/master
|
26.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 214 |
2023-10-06 17:47
|
 fotha0925877.exe 65ef2eef1ccf3146b44010406a235cb7
Gen1 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 CAB OS Processor Check DLL PE64 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName Remote Code Execution crashed |
|
3
61c73c03354116965937587030000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(172.67.184.100)
61c73c03354116965937587030100611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(176.126.85.160)
176.10.119.186
|
|
|
8.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 215 |
2023-10-09 13:19
|
 lastsciiencepro.exe 81d34d81c4b40ba209760c61baaad458
Gen1 Emotet Malicious Library UPX .NET framework(MSIL) Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://blessdeckite.fun/
http://blessdeckite.fun/api
http://172.86.98.101/xs12pro/Czbzftdagy.mp4 - rule_id: 37111
|
3
blessdeckite.fun(172.67.176.124)
172.86.98.101 - mailcious
104.21.31.117
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
1
http://172.86.98.101/xs12pro/
|
14.6 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 216 |
2023-10-09 13:19
|
 helpscientistpro.exe f54931aaae6cff496f607d6991cc1437
Gen1 Emotet Malicious Library UPX .NET framework(MSIL) PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Htjxmgd.pdf - rule_id: 37111
http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111
|
1
172.86.98.101 - mailcious
|
1
ET INFO Dotted Quad Host PDF Request
|
2
http://172.86.98.101/xs12pro/
http://172.86.98.101/xs12pro/
|
11.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 217 |
2023-10-09 13:20
|
 discoversophisticatedpro.exe 79de5ff2273d613a14ca4c8edff7d5ec
Gen1 Emotet Generic Malware Malicious Library UPX .NET framework(MSIL) Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://172.86.98.101/xs12pro/Gpflofkmce.dat - rule_id: 37111
http://firmpanacewa.fun/api
http://172.86.98.101/xs12pro/Rglrwzz.vdf - rule_id: 37111
|
3
firmpanacewa.fun(172.67.181.9) - mailcious
172.86.98.101 - mailcious
172.67.181.9 - mailcious
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://172.86.98.101/xs12pro/
http://172.86.98.101/xs12pro/
|
13.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 218 |
2023-10-09 13:23
|
 helpscientistpro.exe f54931aaae6cff496f607d6991cc1437
Gen1 Emotet Malicious Library UPX Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB Browser Info Stealer Malware download Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces suspicious TLD sandbox evasion Ransomware Lumma Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key |
3
http://manguvorpmi.pw/api
http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111
http://manguvorpmi.pw/
|
3
manguvorpmi.pw(104.21.95.127)
172.86.98.101 - mailcious
172.67.144.245
|
5
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Dotted Quad Host PDF Request
ET INFO HTTP Request to a *.pw domain
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
|
1
http://172.86.98.101/xs12pro/
|
15.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 219 |
2023-10-11 11:34
|
 pew.EXE 6b34210f067d66503d97a9fe6925a4cf
Gen1 Emotet Generic Malware Malicious Library UPX Antivirus PE File PE64 CAB VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities WriteConsoleW Windows ComputerName Remote Code Execution Cryptographic key |
|
|
|
|
5.8 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 220 |
2023-10-16 09:56
|
 foto2552.exe c7523bca22d87a152b8c10c02736a335
Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
49
http://5.42.92.88/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.68.52/fuza/foto2552.exe
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/index.php - rule_id: 37040
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://www.facebook.com/favicon.ico
https://www.facebook.com/login
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywqvzTXJCBjF9Krz5UewUtmNlhIo1BS8-fexhnyRwXiKcYoKisy5fbyeo0_7MMbPVvKQe3s
https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0,cross/qz5m5ZNj4YA.css?_nc_x=Ij3Wp8lg5Kz
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fonts.googleapis.com/css?family=Roboto:400,500
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://connect.facebook.net/security/hsts-pixel.gif
https://accounts.google.com/generate_204?QoZb0Q
https://www.youtube.com/
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzBQFfM-zgimivF77SXFn_CtNlk_Zx-KTSJ1hmwlPAI3lcCA3Htt7SepazY5A750yWTYAOAag
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://static.xx.fbcdn.net/rsrc.php/v3imQ-4/yl/l/ko_KR/CdEEViHRUhC.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://accounts.google.com/generate_204?6JaKqw
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/u4xvA0Tw-4L.css?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyyvqedP1KTGaespiPNNUuOOhhlNIWdRWejAZmR61I2VV-ku55l7L8gdnH1EC5fauuzoF1J2fA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S504171679%3A1697417176414722
https://static.xx.fbcdn.net/rsrc.php/v3/yi/l/0,cross/s3epWMBo1FX.css?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyz6pDefJyKshYFsDLzJUIYEkQBxjlzW7Psw7k8R--D2gwUfEF8gBSj8fOPfztqQKz1zgy7RqQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-419032450%3A1697417189597662
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywF-mDMSOkEjswyonfbOEtS8T9hact2vcwHgZZt-ZnDN2gujzOMIGtK2wUeYYtVpRN3jXclQg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S50465221%3A1697417225539467
https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yG/r/rAl2Hl1fQTa.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://static.xx.fbcdn.net/rsrc.php/v3/ya/r/v2fcQEWFLez.js?_nc_x=Ij3Wp8lg5Kz
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://static.xx.fbcdn.net/rsrc.php/v3/ye/l/0,cross/seCHURQhRK2.css?_nc_x=Ij3Wp8lg5Kz
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyw4RWVwonSQV9wc-sJ0hblW9eUgDp1jATZxto4xsZPzcpyg4ePyDYNLFo8tESUhKgBEKv4xqw
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://accounts.google.com/generate_204?hKrxwg
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
|
26
static.xx.fbcdn.net(157.240.215.14)
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
www.google.com(142.250.76.132)
connect.facebook.net(157.240.215.14)
www.youtube.com(142.250.198.14) - mailcious
ssl.gstatic.com(142.250.206.227)
fbcdn.net(157.240.215.35)
accounts.google.com(142.250.206.205)
facebook.com(157.240.215.35)
fonts.gstatic.com(142.250.207.99)
fonts.googleapis.com(142.250.207.106)
142.250.207.67
142.251.222.206
157.240.215.14
172.217.24.67
5.42.92.88
77.91.124.55 - mailcious
77.91.68.52 - mailcious
77.91.124.1 - malware
172.217.25.13
172.217.24.227
216.58.200.228
157.240.215.35
142.250.66.67
142.250.199.74
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
3
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php
|
26.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 221 |
2023-10-23 16:58
|
 foto2552.exe 4cdb3ee7e130e01a02d7b8a7d8dae6ec
Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://www.google.com/favicon.ico
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywD2xgLxszRIN_7MaKSoUaoYTMvRFg50b2S5b8UluthbcUsGRE-8e1g-xdevGcqP20z4uow
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://accounts.google.com/
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?S178ZQ
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywTlS8RSTMSloorftkjj1lY_2tWmEzy5429BwqOoerpQlAzoTk3QhoMS2hENHZmnLEtBloUjQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023002296%3A1698047601366063
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://fonts.googleapis.com/css?family=Roboto:400,500
|
17
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.215.35)
www.google.com(142.250.76.132)
www.youtube.com(142.250.207.14) - mailcious
fonts.googleapis.com(142.250.206.234)
accounts.google.com(142.250.206.205)
fonts.gstatic.com(142.250.207.99)
142.250.207.67
157.240.31.35
142.250.204.109
142.250.66.132
193.233.255.73 - mailcious
109.107.182.133
172.217.31.3
77.91.124.1 - malware
172.217.24.110
142.250.66.106
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.124.1/theme/index.php
|
20.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 222 |
2023-10-24 07:50
|
 foto2552.exe 5e967436bbe28a1b2b6d4016ae7b5024
Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File DLL OS Processor Check Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
24
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyz5YVxzRBWdpyuUtppgdvRy2Tw194Av0LWqrv008iX9c7bZnoHLo250QAw7Iz6oyudGemXR1A
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?6-E0fA
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://accounts.google.com/
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxQBLRrENNzDGU7Qlkoss48yKJ12ueLob1lnUSvITk9Wdk0c8W1-KA6F38Oypk5hTx5sGjsKg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S470064247%3A1698101077522125
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.google.com/favicon.ico
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://fonts.gstatic.com/s/youtubesans/v19/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://fonts.googleapis.com/css?family=Roboto:400,500
|
18
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.31.35)
www.google.com(142.250.76.132)
www.youtube.com(142.251.222.14) - mailcious
fonts.googleapis.com(172.217.161.234)
accounts.google.com(142.250.206.205)
fonts.gstatic.com(142.250.207.99)
142.251.220.78
142.251.220.45
77.91.124.86
172.217.27.36
51.68.143.81
193.233.255.73 - mailcious
77.91.124.1 - malware
172.217.24.227
172.217.31.10
157.240.215.35
142.250.66.67
|
13
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.124.1/theme/index.php
|
20.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 223 |
2023-10-26 10:40
|
 foto1661.exe 7613290b26555e6b7b16131d17331960
Amadey RedLine stealer Gen1 Emotet Generic Malware Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB OS Processor Check .NET E Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
25
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master - rule_id: 37500
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/foto1661.exe
http://77.91.68.249/fuza/tus.exe
http://77.91.68.249/fuza/nalo.exe - rule_id: 37525
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php - rule_id: 37040
http://77.91.124.1/theme/index.php
https://accounts.google.com/generate_204?KIpSmg
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/generate_204?x9IqeA
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn
https://www.google.com/favicon.ico
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
14
www.youtube.com(172.217.25.174) - mailcious
ssl.gstatic.com(142.250.206.227)
www.facebook.com(157.240.215.35)
accounts.google.com(142.250.206.205)
www.google.com(142.250.76.132)
142.250.204.36
142.251.220.14
216.58.200.237
77.91.124.86
216.58.203.67
193.233.255.73 - mailcious
77.91.124.1 - malware
157.240.215.35
77.91.68.249 - malware
|
18
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
6
http://77.91.68.249/fuza/2.ps1
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.68.249/fuza/nalo.exe
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/index.php
|
24.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 224 |
2023-11-03 12:23
|
 lom30.exe 701ea7974b3f98830d636e93f836cfce
Amadey RedLine stealer Gen1 Emotet SmokeLoader Generic Malware Malicious Library UPX Antivirus Malicious Packer .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) PWS ScreenShot Javascript_Blob AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
99
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524
http://77.91.68.249/fuza/foto1661.exe - rule_id: 37636
http://77.91.68.249/fuza/tus.exe - rule_id: 37637
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/V9SMX8ENNXW.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Regular.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/css/login.css?v=0H1th98etnSV&l=english&_cdn=cloudflare
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyxxWA0Ljh5xWLEvAJ6NevMd7QB5iL9TprwZYNP8u-n9zXo51MmtGRn25Gjf78sQZ4KzK1Dc
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&load=effects,controls,slider,dragdrop
https://accounts.google.com/generate_204?NO7qPw
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyyT4td1m_8jmCTuLflf4CGZrqIHYxNvv-75kjvDivr6JChBm-48E_vH0foop83wQC67d99m
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Bold.ttf?v=4.015
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxVW6rLt9tLaC8ykc1nwAIgbdXX5n-L35f5sE1jqHcfiXjLMhDRqy2-fP8xGUFUaaXcJSrITA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-570376988%3A1698980725508326
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
https://www.facebook.com/login
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-LightItalic.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Thin.ttf?v=4.015
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyyidh94t-7_letWPwvjNQfl6I8TMheIR3px7R79ys-v-C3n_ey4IpHEeEFVPcsdPA92mVFQPw
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=8BlFIKwdZV37&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=E78TCC6Eu4d1&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/EhJ0QrY2FBP.js?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/generate_204?phWHLQ
https://accounts.google.com/generate_204?FM9MMw
https://www.epicgames.com/id/login
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&l=english&_cdn=cloudflare
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://community.cloudflare.steamstatic.com/public/shared/images/header/btn_header_installsteam_download.png?v=1
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Black.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=3Pb1f2YLp788&l=english&_cdn=cloudflare
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyz4A49MvhLj_r5ov_AJY5BYrTyapUBFfv7BWCcUgyCaE1ee8Ou4w4nAiEXlupUrsDguPr4bQw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S856045394%3A1698980708442226
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Fd2aj_zaBVQV&l=english&_cdn=cloudflare
https://accounts.google.com/
https://static.xx.fbcdn.net/rsrc.php/v3/y9/l/0,cross/eoEHQM4veKY.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&_cdn=cloudflare
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxHmAuJ7cTrlJwP83uTJIwZEOmrXGcYW_i0uz5KMlDH1JsRYBc2MmUHjR6ye20L2fYuNPufuw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S537282805%3A1698980634624638
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxa6sAB10RaHTDUTJBO3-eoyqwGJOMg6fq-JIxFpsnqcBSN8g6aim1IDWZ3iP__yBBnia-T&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1879541505%3A1698980644017236
https://static-assets-prod.unrealengine.com/account-portal/static/static/js/3.520a7eda.chunk.js
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yp/r/gC0mb5XShS_.js?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=F9Ougyu-CyG3&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Light.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/css/skin_1/home.css?v=-6qQi3rZclGf&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/OeVbDlggYtT.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-BoldItalic.ttf?v=4.015
https://www.facebook.com/favicon.ico
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyy7hCYNnf-0YByYNzHXr3uFjshUMd78hOZpACYJ4Y7BQwyeDu8hhNuK6JppcoPONOvNupzDtw
https://accounts.google.com/generate_204?kjEEiA
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
https://fonts.googleapis.com/css?family=Roboto:400,500
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yz/r/1jo5ZChBkzZ.js?_nc_x=Ij3Wp8lg5Kz
https://static-assets-prod.unrealengine.com/account-portal/static/static/js/main.10a25667.chunk.js
https://connect.facebook.net/security/hsts-pixel.gif
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=RL7hpFRFPE4A&l=english&_cdn=cloudflare
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Medium.ttf?v=4.015
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=uR_4hRD_HUln&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/v3/yh/l/0,cross/RvHDSigkA0R.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=eYJYuhv32ILn&l=english&_cdn=cloudflare
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywosNhdGsuZdVCndGpS2K_jZJeHBslOkGyM_5Abhb0zccwpk0a_EpRThKNdW8KNTJvRtoAJFA
https://fonts.gstatic.com/s/youtubesans/v22/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://static.xx.fbcdn.net/rsrc.php/v3/yS/l/0,cross/M8A8jLevlDW.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yN/l/0,cross/zSmMZJhuRfw.css?_nc_x=Ij3Wp8lg5Kz
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyyGAuzn9a3z76ZcjJ_86wbJSidIfjfS9TcjHJMFLojLQH0IkqpoTM2fbcuLmlU3nQm3iQjlHg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1190693834%3A1698980664313585
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywa7Mm0Zk8Gm5Hb9kGiEkDrs_pgduAfwvBWsacz3D950CTr9Khe11ewNMaKJf4MaAiHmWs_
https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/7O04Eyj-1fg.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxVtPgesztclkUEaiZDNru1Lk12ZQXjId8z3gxpZ4pOLgUmGhg-fxuwVplGdjkIvsmeJrFYuA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-871854372%3A1698980704315173
https://community.cloudflare.steamstatic.com/public/shared/javascript/login.js?v=Vbm1kuHoXmMB&l=english&_cdn=cloudflare
https://accounts.google.com/generate_204?Mxmnvw
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
https://steamcommunity.com/openid/loginform/
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-RegularItalic.ttf?v=4.015
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
https://static-assets-prod.unrealengine.com/account-portal/static/epic-favicon-96x96.png
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=tSnvragsq7Tn&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&_cdn=cloudflare
|
43
ssl.gstatic.com(142.250.207.99)
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
community.cloudflare.steamstatic.com(172.64.145.151)
www.paypal.com(151.101.193.21)
store.steampowered.com(23.40.44.77)
www.youtube.com(172.217.31.142) - mailcious
static.xx.fbcdn.net(157.240.215.14)
steamcommunity.com(104.76.78.101) - mailcious
static-assets-prod.unrealengine.com(18.64.8.66)
fbcdn.net(157.240.215.35)
connect.facebook.net(157.240.215.14)
twitter.com(104.244.42.1)
accounts.google.com(142.250.206.205)
fonts.gstatic.com(142.250.207.99)
facebook.com(157.240.215.35)
www.google.com(142.250.76.132)
fonts.googleapis.com(142.250.207.106)
www.epicgames.com(52.204.190.22)
142.251.130.3
23.40.44.77
18.64.8.109
77.91.124.1 - malware
193.233.255.73 - mailcious
146.75.49.21
104.244.42.129 - suspicious
104.94.217.48
142.250.204.46
172.217.31.3
142.251.220.78
172.64.145.151
77.91.124.86
104.75.41.21 - mailcious
142.250.66.45
157.240.215.35
77.91.68.249 - malware
52.45.237.32
157.240.215.14
104.76.78.101 - mailcious
216.58.200.228
54.175.89.124
18.64.8.127
142.250.66.42
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
27.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 225 |
2023-11-04 10:41
|
 vah50.exe 03f92deb14398467ee6f9ac147c5b97a
Amadey RedLine stealer Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PWS ScreenShot AntiDebug AntiVM PE File PE32 CAB OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
4
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
|
3
193.233.255.73 - mailcious
77.91.124.1 - malware
77.91.124.86
|
12
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
4
http://193.233.255.73/loghub/master
http://77.91.124.1/theme/Plugins/clip64.dll
http://77.91.124.1/theme/Plugins/cred64.dll
http://77.91.124.1/theme/index.php
|
24.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|