| 31 |
2023-10-09 13:19
|
 helpscientistpro.exe f54931aaae6cff496f607d6991cc1437
Gen1 Emotet Malicious Library UPX .NET framework(MSIL) PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Htjxmgd.pdf - rule_id: 37111
http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111
|
1
172.86.98.101 - mailcious
|
1
ET INFO Dotted Quad Host PDF Request
|
2
http://172.86.98.101/xs12pro/
http://172.86.98.101/xs12pro/
|
11.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 32 |
2023-10-09 13:19
|
 lastsciiencepro.exe 81d34d81c4b40ba209760c61baaad458
Gen1 Emotet Malicious Library UPX .NET framework(MSIL) Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://blessdeckite.fun/
http://blessdeckite.fun/api
http://172.86.98.101/xs12pro/Czbzftdagy.mp4 - rule_id: 37111
|
3
blessdeckite.fun(172.67.176.124)
172.86.98.101 - mailcious
104.21.31.117
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
1
http://172.86.98.101/xs12pro/
|
14.6 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 33 |
2023-10-06 17:47
|
 fotha0925877.exe 65ef2eef1ccf3146b44010406a235cb7
Gen1 Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 CAB OS Processor Check DLL PE64 Lnk Format GIF Format VirusTotal Malware AutoRuns PDB Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check Windows ComputerName Remote Code Execution crashed |
|
3
61c73c03354116965937587030000611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(172.67.184.100)
61c73c03354116965937587030100611db13292a50ae8009b6b46004d42bf.aoa.aent78.sbs(176.126.85.160)
176.10.119.186
|
|
|
8.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 34 |
2023-10-06 08:03
|
 foto3553.exe 53ffe4a2e5ff91672c96597ebece2470
RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
34
http://5.42.92.211/loghub/master - rule_id: 36282
http://77.91.124.1/theme/index.php
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://www.facebook.com/favicon.ico
https://accounts.google.com/generate_204?qq0oQg
https://www.facebook.com/login
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/generate_204?zRkItw
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1912069806%3A1696546479888140
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://connect.facebook.net/security/hsts-pixel.gif
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2064279959%3A1696546472842958
https://accounts.google.com/
https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S906761759%3A1696546534329684
https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/generate_204?qMW9GQ
https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
|
18
ssl.gstatic.com(172.217.25.163)
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
www.google.com(142.250.206.228)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
accounts.google.com(172.217.25.173)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
142.251.130.4
142.251.130.13
157.240.215.14
77.91.124.55 - mailcious
77.91.68.52 - mailcious
77.91.124.1 - malware
157.240.215.35
5.42.92.211 - mailcious
172.217.24.67
|
20
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO PS1 Powershell File Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://5.42.92.211/loghub/master
|
26.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 35 |
2023-10-02 08:57
|
 kur90.exe 4c131b2d4436b786ff484576934a79b8
RedLine stealer Gen1 Emotet Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET ScreenShot PWS AntiDebug AntiVM PE File PE32 CAB PNG Format MSOffice File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
21
http://5.42.92.211/loghub/master - rule_id: 36282
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/ogW1H5O-17r.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/y3/l/0,cross/ikFECARVllV.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/SccipWfTlTT.js?_nc_x=Ij3Wp8lg5Kz
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Ovcfo1SlXij.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/OioQXAqgNbJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/dEOkGH79P3Y.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/tzWkwLNK4bI.js?_nc_x=Ij3Wp8lg5Kz
|
12
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
accounts.google.com(172.217.25.173)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
157.240.215.14
77.91.124.55
157.240.215.35
172.217.25.13
5.42.92.211 - mailcious
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
20.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
2023-09-30 13:47
|
 betterconsiderableresspro.exe 99fe507e16e1bc59c788bce2d138b9f4
Gen1 Emotet Malicious Library UPX PE File PE64 CAB PE32 .NET EXE VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution |
|
2
i.ibb.co(104.194.8.143) - mailcious
172.96.160.222 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 37 |
2023-09-30 13:47
|
 bestunderstandingresspro.exe c64258c1d7fef95b76f9aca64d707ac7
Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 38 |
2023-09-30 13:03
|
 foto1221.exe 99e05ed844344417fbf1594c67054ebe
RedLine stealer Gen1 Emotet RedLine Infostealer Browser Login Data Stealer Malicious Library UPX .NET framework(MSIL) Confuser .NET AntiDebug AntiVM PE File PE32 CAB .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.55
5.42.92.211 - mailcious
|
7
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
17.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39 |
2023-09-28 08:41
|
 westcompetitiveresspro.exe 41ca6ed3ff003e205d7dae915c20eb59
Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40 |
2023-09-28 08:38
|
 bestunderstandingresspro.exe c64258c1d7fef95b76f9aca64d707ac7
Gen1 Emotet Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows Remote Code Execution |
|
|
|
|
3.0 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41 |
2023-09-25 17:01
|
 zor40.exe 437a676b457457da6e8333831398bb32
RedLine stealer Gen1 Emotet Malicious Library UPX PWS AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious
5.42.92.211 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
17.8 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42 |
2023-09-25 07:44
|
 nsi85.exe d9b7a38415b5b12303bf061c9c3d4452
RedLine stealer Gen1 Emotet task schedule Malicious Library UPX PWS Http API HTTP Internet API AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious
5.42.92.211 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
17.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43 |
2023-09-25 07:41
|
 foto7447.exe da23352a594c97e931832f1ece7e3b1e
RedLine stealer Gen1 Emotet task schedule Malicious Library UPX Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious
5.42.92.211 - mailcious
|
7
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
14.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44 |
2023-09-24 11:19
|
 foto7447.exe 9e031f946e78b6ce0af495a760ef67e7
RedLine stealer Gen1 Emotet Browser Login Data Stealer task schedule Malicious Library UPX ASPack Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 CAB DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious
5.42.92.211 - mailcious
|
6
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
|
1
http://5.42.92.211/loghub/master
|
16.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45 |
2023-09-23 19:28
|
 nsi85.exe a1bc2664e9c74a561ad7d36735914d61
RedLine stealer Gen1 Emotet Browser Login Data Stealer task schedule Malicious Library UPX ASPack Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 CAB DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://5.42.92.211/loghub/master - rule_id: 36282
|
2
77.91.124.82 - mailcious
5.42.92.211 - mailcious
|
7
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
1
http://5.42.92.211/loghub/master
|
16.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|