| 76 |
2023-07-30 09:05
|
 new.EXE c36f10074bd560df1341aeb405b23641
Gen1 Emotet UPX Malicious Library Malicious Packer CAB PE64 PE File OS Processor Check VirusTotal Malware AutoRuns PDB Creates executable files WriteConsoleW Windows Remote Code Execution |
|
|
|
|
3.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 77 |
2023-07-27 10:40
|
 an.exe 691a54b032d616e5f9303557ffd49add
Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution Cryptographic key |
|
2
files.catbox.moe(108.181.20.35) - malware
108.181.20.35 - mailcious
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 78 |
2023-07-27 10:36
|
 foto5566.exe 310049edb1a276ebf198060d9cd3bc5d
Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware
77.91.124.84 - mailcious
|
11
ET INFO Dotted Quad Host DLL Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 79 |
2023-07-27 10:34
|
 foto5566.exe 1608f0e5d9b277a7ba7fb25f736b8c74
Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware
77.91.124.84 - mailcious
|
11
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 80 |
2023-07-27 10:32
|
 fotod250.exe afed523b82c39015e5e8eb6f55906537
Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
http://77.91.68.61/rock/index.php - rule_id: 35495
|
2
77.91.68.61 - malware
77.91.124.84 - mailcious
|
12
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
15.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 81 |
2023-07-27 10:30
|
 photo340.exe f0c28816a58f907591e5e014e049024a
Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL .NET EXE PE64 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
5
http://77.91.124.47/anon/an.exe
http://77.91.124.47/new/fotod250.exe
http://77.91.68.61/rock/index.php - rule_id: 35495
http://77.91.68.248/fuzz/raman.exe
http://77.91.124.47/new/foto5566.exe
|
7
files.catbox.moe(108.181.20.35) - malware
77.91.68.61 - malware
108.181.20.35 - mailcious
77.91.124.84 - mailcious
77.91.124.47 - malware
77.91.68.248 - malware
141.94.192.217
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
1
http://77.91.68.61/rock/index.php
|
17.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 82 |
2023-07-25 07:37
|
 lega.exe 0cca805bb1bb946b8683dd3cfdaed406
Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Lumma Stealer Windows Update Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed |
10
http://5.42.92.67/norm/Plugins/clip64.dll
http://5.42.92.67/norm/index.php
http://5.42.92.67/norm/Plugins/cred64.dll
http://5.42.92.67/lend/LummaC2.exe
http://westwork-my.xyz/c2sock
http://westwork-my.xyz/c2conf
http://5.42.92.67/lend/
http://5.42.92.67/lend/dewrww7a1z.exe
http://westwork-my.xyz/
https://bitbucket.org/development-ws/applications/downloads/setup-rc18.exe
|
6
westwork-my.xyz(104.21.72.18)
bitbucket.org(104.192.141.1) - malware
77.91.68.68 - mailcious
5.42.92.67 - malware
104.21.72.18
104.192.141.1 - mailcious
|
16
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET INFO TLS Handshake Failure
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey Bot Activity (POST)
ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
18.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 83 |
2023-07-24 07:42
|
 photo170.exe 65c0aab9f3cc5187b6d90b66fc734abc
Gen1 Emotet RedLine Infostealer RedLine stealer UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer .NET framework(MSIL) Confuser .NET CAB PE File PE32 OS Processor Check DLL PE64 .NET EXE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
6
http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
http://77.91.124.31/anon/an.exe - rule_id: 35218
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://77.91.124.31/new/foto135.exe - rule_id: 35216
http://77.91.124.31/new/fotod25.exe - rule_id: 35217
http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
|
6
files.catbox.moe(108.181.20.35) - malware
108.181.20.35 - mailcious
77.91.68.3 - malware
77.91.68.68
77.91.68.30 - malware
77.91.124.31 - mailcious
|
18
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Amadey Bot Activity (POST)
|
6
http://77.91.68.3/home/love/Plugins/clip64.dll
http://77.91.124.31/anon/an.exe
http://77.91.68.3/home/love/index.php
http://77.91.124.31/new/foto135.exe
http://77.91.124.31/new/fotod25.exe
http://77.91.68.3/home/love/Plugins/cred64.dll
|
18.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 84 |
2023-07-19 07:37
|
 lega.exe 19771209e384f1f8e7ca013b72e0d1fe
Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
3
http://87.121.47.63/laker/index.php
http://87.121.47.63/laker/Plugins/cred64.dll
http://87.121.47.63/laker/Plugins/clip64.dll
|
2
77.91.68.56 -
87.121.47.63 -
|
9
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
15.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 85 |
2023-07-19 07:34
|
 photo113.exe 7308bb341cd27493d2939ecbbc6c7436
Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
6
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
http://77.91.68.3/home/love/Plugins/clip64.dll
|
3
77.91.68.3 -
77.91.68.30 -
77.91.68.56 -
|
11
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Dotted Quad Host DLL Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Packed Executable Download
ET MALWARE Amadey Bot Activity (POST)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
3
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll
|
17.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 86 |
2023-07-19 07:21
|
 theoryabilitypro.exe 5b4e9c25ebf1d7e5a91e85be8c2e4594
Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 OS Processor Check AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Remote Code Execution Cryptographic key |
|
2
files.catbox.moe(108.181.20.35) -
108.181.20.35 -
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 87 |
2023-07-18 07:24
|
 foto135.exe 327b57745b8c136ea8d4e4e1519f508d
Gen1 Emotet RedLine Infostealer RedLine stealer UPX Malicious Library .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check .NET EXE DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
9
http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
http://77.91.68.3/home/love/Plugins/clip64.dll
http://77.91.124.31/anon/an.exe
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://77.91.68.3/home/love/index.php
http://77.91.124.31/new/foto135.exe
http://77.91.124.31/new/fotod25.exe
http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
http://77.91.68.3/home/love/Plugins/cred64.dll
|
3
77.91.68.3 -
77.91.68.56 -
77.91.124.31 -
|
14
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
3
http://77.91.68.3/home/love/Plugins/clip64.dll
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll
|
17.8 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 88 |
2023-07-18 07:21
|
 fotod25.exe 74b51238ceac125ca090efeb2b3bce46
Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
6
http://77.91.68.3/home/love/index.php - rule_id: 35049
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll - rule_id: 35053
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll - rule_id: 35054
http://77.91.68.3/home/love/Plugins/clip64.dll
|
2
77.91.68.3 -
77.91.68.56 -
|
10
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Dotted Quad Host DLL Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
3
http://77.91.68.3/home/love/index.php
http://77.91.68.3/home/love/Plugins/cred64.dll
http://77.91.68.3/home/love/Plugins/clip64.dll
|
16.6 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 89 |
2023-07-11 07:45
|
 photo540.exe 0b18dc187ed40a7a6310a6c4ba98ec91
Gen1 Emotet SmokeLoader UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
5
http://77.91.124.31/smo/du.exe
http://77.91.124.31/new/fotod45.exe
http://77.91.68.3/home/love/index.php
http://77.91.124.31/new/foto175.exe
http://77.91.68.3/home/love/Plugins/cred64.dll
|
3
77.91.124.31 -
77.91.68.48 -
77.91.68.3 -
|
13
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Executable Download from dotted-quad Host
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
17.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 90 |
2023-07-07 07:40
|
 glassadequatepro.exe fa6ec356a90ef16403ad579d87b05ee5
Gen1 Emotet UPX Malicious Library .NET framework(MSIL) CAB PE64 PE File OS Processor Check .NET EXE PE32 AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS |
|
2
5.42.65.13 -
84.54.50.66 -
|
|
|
6.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|