31 |
2023-10-09 13:19
|
helpscientistpro.exe f54931aaae6cff496f607d6991cc1437 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Htjxmgd.pdf - rule_id: 37111 http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111
|
1
172.86.98.101 - mailcious
|
1
ET INFO Dotted Quad Host PDF Request
|
2
http://172.86.98.101/xs12pro/ http://172.86.98.101/xs12pro/
|
11.0 |
M |
|
ZeroCERT
32 |
2023-10-09 13:19
|
lastsciiencepro.exe 81d34d81c4b40ba209760c61baaad458 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://blessdeckite.fun/ http://blessdeckite.fun/api http://172.86.98.101/xs12pro/Czbzftdagy.mp4 - rule_id: 37111
|
3
blessdeckite.fun(172.67.176.124) 172.86.98.101 - mailcious 104.21.31.117
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
1
http://172.86.98.101/xs12pro/
|
14.6 |
M |
19 |
ZeroCERT
33 |
2023-10-06 17:47
|
fotha0925877.exe 65ef2eef1ccf3146b44010406a235cb7 Gen1 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 CAB OS Processor Check DLL PE64 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName Remote Code Execution crashed |
|
3
61c73c03354116965937587030000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(172.67.184.100) 61c73c03354116965937587030100611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(176.126.85.160) 176.10.119.186
|
|
|
8.8 |
M |
24 |
ZeroCERT
34 |
2023-10-06 08:03
|
foto3553.exe 53ffe4a2e5ff91672c96597ebece2470 RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
34
http://5.42.92.211/loghub/master - rule_id: 36282 http://77.91.124.1/theme/index.php https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://www.facebook.com/favicon.ico https://accounts.google.com/generate_204?qq0oQg https://www.facebook.com/login https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?zRkItw https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1912069806%3A1696546479888140 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://fbsbx.com/security/hsts-pixel.gif?c=5 https://connect.facebook.net/security/hsts-pixel.gif https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2064279959%3A1696546472842958 https://accounts.google.com/ https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz 
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S906761759%3A1696546534329684 https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/generate_204?qMW9GQ https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
|
18
ssl.gstatic.com(172.217.25.163) www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) www.google.com(142.250.206.228) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) accounts.google.com(172.217.25.173) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 142.251.130.4 142.251.130.13 157.240.215.14 77.91.124.55 - mailcious 77.91.68.52 - mailcious 77.91.124.1 - malware 157.240.215.35 5.42.92.211 - mailcious 172.217.24.67
|
20
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO PS1 Powershell File Request ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Packed Executable Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://5.42.92.211/loghub/master
|
26.8 |
M |
|
ZeroCERT
35 |
2023-10-02 08:57
|
kur90.exe 4c131b2d4436b786ff484576934a79b8 RedLine stealer Gen1 Emotet Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
21
http://5.42.92.211/loghub/master - rule_id: 36282 https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/ogW1H5O-17r.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://www.facebook.com/favicon.ico https://connect.facebook.net/security/hsts-pixel.gif https://www.facebook.com/login https://static.xx.fbcdn.net/rsrc.php/v3/y3/l/0,cross/ikFECARVllV.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/SccipWfTlTT.js?_nc_x=Ij3Wp8lg5Kz https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Ovcfo1SlXij.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/OioQXAqgNbJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/dEOkGH79P3Y.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz https://fbsbx.com/security/hsts-pixel.gif?c=5 https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/tzWkwLNK4bI.js?_nc_x=Ij3Wp8lg5Kz
|
12
www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) accounts.google.com(172.217.25.173) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 157.240.215.14 77.91.124.55 157.240.215.35 172.217.25.13 5.42.92.211 - mailcious
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
20.6 |
M |
30 |
ZeroCERT
36 |
2023-09-30 13:47
|
betterconsiderableresspro.exe 99fe507e16e1bc59c788bce2d138b9f4 Gen1 Emotet Malicious Library UPX PE File PE64 CAB PE32 .NET EXE VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious 172.96.160.222 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
14 |
ZeroCERT
37 |
2023-09-30 13:47
|
bestunderstandingresspro.exe c64258c1d7fef95b76f9aca64d707ac7 Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
14 |
ZeroCERT
38 |
2023-09-30 13:03
|
foto1221.exe 99e05ed844344417fbf1594c67054ebe RedLine stealer Gen1 Emotet RedLine Infostealer Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET AntiDebug AntiVM PE File PE32 CAB .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.55 5.42.92.211 - mailcious
|
7
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
17.2 |
M |
51 |
ZeroCERT
39 |
2023-09-28 08:41
|
westcompetitiveresspro.exe 41ca6ed3ff003e205d7dae915c20eb59 Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
12 |
ZeroCERT
40 |
2023-09-28 08:38
|
bestunderstandingresspro.exe c64258c1d7fef95b76f9aca64d707ac7 Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
14 |
ZeroCERT
41 |
2023-09-25 17:01
|
zor40.exe 437a676b457457da6e8333831398bb32 RedLine stealer Gen1 Emotet Malicious Library UPX PWS AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious 5.42.92.211 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
17.8 |
M |
47 |
ZeroCERT
42 |
2023-09-25 07:44
|
nsi85.exe d9b7a38415b5b12303bf061c9c3d4452 RedLine stealer Gen1 Emotet task schedule Malicious Library UPX PWS Http API HTTP Internet API AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious 5.42.92.211 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
17.6 |
M |
|
ZeroCERT
43 |
2023-09-25 07:41
|
foto7447.exe da23352a594c97e931832f1ece7e3b1e RedLine stealer Gen1 Emotet task schedule Malicious Library UPX Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious 5.42.92.211 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
14.8 |
M |
|
ZeroCERT
44 |
2023-09-24 11:19
|
foto7447.exe 9e031f946e78b6ce0af495a760ef67e7 RedLine stealer Gen1 Emotet Browser Login Data Stealer task schedule Malicious Library UPX ASPack Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 CAB DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious 5.42.92.211 - mailcious
|
6
ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://5.42.92.211/loghub/master
|
16.0 |
M |
47 |
ZeroCERT
45 |
2023-09-23 19:28
|
nsi85.exe a1bc2664e9c74a561ad7d36735914d61 RedLine stealer Gen1 Emotet Browser Login Data Stealer task schedule Malicious Library UPX ASPack Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 CAB DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious 5.42.92.211 - mailcious
|
7
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
16.4 |
M |
40 |
ZeroCERT