1 |
2025-04-21 12:59
|
download.php 29e24525c83a49e30fc532e59f769b09 Gen1 Emotet Generic Malware Themida Downloader Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS C Malware download Amadey VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Checks Bios Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization VM Disk Size Check Tofsee Windows ComputerName RCE DNS Cryptographic key crashed |
12
|
4
paguehojebrasil.shop(147.79.84.176) 185.215.113.41 - malware
147.79.84.176
185.215.113.59 - malicious
|
11
ET DROP Spamhaus DROP Listed Traffic Inbound group 32 ET MALWARE Amadey CnC Response SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Packed Executable Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
16.2 |
M |
45 |
ZeroCERT
2 |
2025-04-21 10:10
|
download.php 7fabf8c4efb42fd2239eadae059e533e RedLine stealer Gen1 Emotet XMRig Miner RedlineStealer Generic Malware Themida Downloader Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate privil Browser Info Stealer RedLine Malware download Amadey VirusTotal Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VMWare suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization VM Disk Size Check installed browsers check Stealer Windows Browser ComputerName RCE DNS Cryptographic key crashed |
5
http://185.215.113.41/files/5804781818/eZp5zCz.exe http://185.215.113.41/files/7881515133/690BRuM.bat http://185.215.113.41/files/5308024245/pOqYWAZ.exe http://185.215.113.41/files/7709196889/hvof1h0.exe http://185.215.113.59/Dy5h4kus/index.php
|
3
185.215.113.41 - malware 193.233.237.109 185.215.113.59 - malicious
|
12
ET DROP Spamhaus DROP Listed Traffic Inbound group 32 ET MALWARE Amadey CnC Response ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
19.4 |
M |
42 |
ZeroCERT
3 |
2025-04-21 09:47
|
d4940780-7f90-11e9-8b57-4bd4b6... 74ff57825e5256a5e145c246bdf55a48 Gen1 Emotet Malicious Library UPX Admin Tool (Sysinternals etc ...) PE File PE64 CAB .NET EXE PE32 VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself AppData folder Windows RCE |
|
|
|
|
4.2 |
|
49 |
ZeroCERT
4 |
2025-03-20 10:05
|
KX7TDcm.exe b3ed4a5d880de0e32a6e2a886cc03d9b Emotet Gen1 Malicious Library UPX AntiDebug AntiVM PE File PE64 CAB VirusTotal Malware AutoRuns PDB MachineGuid Code Injection Check memory Checks debugger Creates executable files suspicious process Windows ComputerName RCE |
|
|
|
|
5.6 |
|
32 |
ZeroCERT
5 |
2025-03-08 12:38
|
download.php 4677605b34f1e7f4b7c691bd1fddb6a3 Amadey Emotet Gen1 Generic Malware Themida Malicious Library UPX Malicious Packer Antivirus Anti_VM PE File CAB PE32 PE64 DLL OS Processor Check MZP Format .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName RCE DNS Cryptographic key Software crashed plugin |
16
http://45.93.20.28/c66c0eade263c9a8/freebl3.dll http://176.113.115.7/files/7853925217/ogfNbjS.ps1 http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dll http://185.215.113.209/Di0Her478/index.php - rule_id: 43900 http://45.93.20.28/85a1cacf11314eb8.php http://185.125.50.8/mVsXkjvb3/Plugins/clip64.dll http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll http://176.113.115.6/Ni9kiput/index.php - rule_id: 44102 http://45.93.20.28/ http://185.125.50.8/mVsXkjvb3/Plugins/cred64.dll http://45.93.20.28/c66c0eade263c9a8/mozglue.dll http://176.113.115.7/files/2043702969/9zQZD2e.exe http://45.93.20.28/c66c0eade263c9a8/sqlite3.dll http://45.93.20.28/c66c0eade263c9a8/nss3.dll http://185.125.50.8/mVsXkjvb3/index.php http://45.93.20.28/c66c0eade263c9a8/softokn3.dll
|
10
github.com(20.200.245.247) - malicious 176.113.115.7 - malware 176.113.115.6 - malicious 45.93.20.28 - malware 185.215.113.16 - malicious 185.125.50.8 185.215.113.209 - malware 45.33.6.223 20.200.245.247 - malware 185.215.113.97 - malware
|
23
ET DROP Spamhaus DROP Listed Traffic Inbound group 4 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Executable Download from dotted-quad Host ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET INFO Packed Executable Download ET INFO PS1 Powershell File Request ET DROP Spamhaus DROP Listed Traffic Inbound group 31 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
2
http://185.215.113.209/Di0Her478/index.php http://176.113.115.6/Ni9kiput/index.php
|
23.0 |
M |
48 |
ZeroCERT
6 |
2025-03-03 14:55
|
kinddevelopers.exe 8199d03b6325b026657ac08f637e78de Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE File PE64 CAB VirusTotal Malware powershell AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName RCE DNS Cryptographic key |
1
http://23.27.46.60/a0001/0228-01/positivereduce.exe
|
1
|
|
|
10.8 |
|
35 |
ZeroCERT
7 |
2025-03-03 14:55
|
tg01985462ss.exe 73ff439239900589550d046df99566f7 Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE File PE64 CAB VirusTotal Malware powershell AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName RCE DNS Cryptographic key |
1
http://23.27.46.60/a0001/tg01985462.exe
|
1
|
|
|
11.4 |
|
39 |
ZeroCERT
8 |
2025-02-28 10:12
|
MCxU5Fj.exe 9ab697112003c683415084d22b11e2ed Emotet Gen1 Generic Malware Malicious Library UPX Antivirus PE File PE64 CAB PowerShell VirusTotal Malware powershell AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName RCE Cryptographic key crashed |
3
https://bitbucket.org/dgfgdfffffffffffg/gdfgdf/downloads/test2.jpg?137113
https://bethesdaserukam.org/info/bIfiaSr.txt
https://ofice365.github.io/1/test.jpg
|
4
ofice365.github.io(185.199.111.153) - malware
bitbucket.org(104.192.140.25) - malware 104.192.140.26 - malicious
185.199.110.153 - malware
|
|
|
8.6 |
M |
16 |
ZeroCERT
9 |
2025-02-18 17:35
|
update.exe 2b3324576857269e5bd626110108ee53 Emotet Gen1 Malicious Library UPX Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PE File PE64 CAB DLL PE32 .NET DLL .NET EXE icon AutoRuns PDB Creates executable files unpack itself AppData folder Windows RCE crashed |
|
|
|
|
3.4 |
M |
|
guest
10 |
2025-02-10 16:21
|
bitcoin3000.exe 1e039f12c51a941bb072c73fe2def232 Emotet Gen1 Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Checks debugger Creates executable files WriteConsoleW Windows RCE DNS |
|
1
|
|
|
4.0 |
M |
29 |
ZeroCERT
11 |
2025-02-03 10:30
|
goodboy.exe 11ad0f71caabbadba8ca08663690ca39 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) Malicious Packer PE File PE64 CAB .NET EXE PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Windows Browser ComputerName RCE DNS Cryptographic key Software |
1
|
2
ip-api.com(208.95.112.1) - 208.95.112.1 -
|
2
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) ET POLICY External IP Lookup ip-api.com
|
|
8.6 |
|
42 |
ZeroCERT
12 |
2025-01-08 13:51
|
same.exe 09bfd52dfee36db96073d2340182affc Gen1 Emotet Themida Malicious Library UPX Anti_VM PE File CAB PE32 OS Processor Check VirusTotal Malware AutoRuns PDB Checks debugger Creates executable files unpack itself Checks Bios Detects VMWare AppData folder AntiVM_Disk VMware anti-virtualization VM Disk Size Check Windows RCE DNS crashed |
|
2
185.215.113.206 185.215.113.43 - malicious
|
|
|
11.2 |
|
42 |
ZeroCERT
13 |
2025-01-08 13:48
|
none.exe c2e8e44c11c1001f4072f7733187351c Gen1 Emotet Themida Malicious Library UPX Anti_VM PE File CAB PE32 VirusTotal Malware AutoRuns PDB Checks debugger Creates executable files unpack itself Checks Bios Detects VMWare AppData folder AntiVM_Disk VMware anti-virtualization VM Disk Size Check Windows RCE DNS crashed |
|
2
185.215.113.206 185.215.113.43 - malicious
|
|
|
11.0 |
|
39 |
ZeroCERT
14 |
2024-11-26 14:14
|
TikTok18.exe 602876c49237a426d0e27ea8e6b1e0d6 Emotet Gen1 Malicious Library UPX PE64 CAB PE File VirusTotal Malware AutoRuns PDB Check memory Checks debugger Creates executable files unpack itself Windows RCE crashed |
|
|
|
|
3.4 |
|
14 |
ZeroCERT
15 |
2024-11-08 17:14
|
hell9o.exe 2e933118fecbaf64bbd76514c47a2164 Emotet Gen1 Malicious Library UPX PE File PE64 CAB VirusTotal Malware AutoRuns PDB Creates executable files Windows utilities WriteConsoleW Windows RCE |
|
|
|
|
3.6 |
|
44 |
ZeroCERT