| 1486 |
2024-08-06 17:38
|
nicelookgreatthingsneedherbuty... 8cf9f47e0c81cd947cd31d27b1174921
Generic Malware Antivirus Hide_URL PowerShell Malware download Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
2
servidorwindows.ddns.com.br(187.72.79.111) - malware
187.72.79.111 - malware
|
2
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE Malicious Base64 Encoded Payload In Image
|
|
8.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1487 |
2024-08-06 17:37
|
1111MPDW-constraints.vbs d75c9dd456d79d5f59cbd1766741273a
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1488 |
2024-08-06 15:26
|
 solara.exe d61a862be780c78ac1b87594b6b2f155
Malicious Library PE File .NET EXE PE32 VirusTotal Malware GameoverP2P DNS |
|
2
SIGMA125789-39601.portmap.host(193.161.193.99)
193.161.193.99 - mailcious
|
2
ET POLICY DNS Query to a Reverse Proxy Service Observed
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
|
|
2.8 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1489 |
2024-08-06 15:12
|
 Meta.jpg.exe 6ebf7d764e9c709a018c8faf636aa08b
RedLine stealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check DNS |
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1490 |
2024-08-06 15:09
|
 T.exe 9cc2a5a252f3593c04906c12a7ac76c0
Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library .NET framework(MSIL) Antivirus Create Service Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Internet API VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process Windows ComputerName Cryptographic key |
1
http://45.138.183.226/upload/585
|
4
plunder.dedyn.io(45.138.183.226)
plunder.jumpingcrab.com(45.138.183.226)
enargy.co()
45.138.183.226
|
1
ET INFO DYNAMIC_DNS Query to a *.jumpingcrab .com Domain
|
|
13.6 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1491 |
2024-08-06 15:06
|
schedule.lnk 62d5389d43931237e9d3d1aa77c87483
Lnk Format GIF Format VirusTotal Malware heapspray Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS |
3
http://216.9.224.58:5555/files
http://216.9.224.58:5555/files/Erlianaw.exe
http://216.9.224.58:5555/
|
1
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING WebDAV Retrieving .exe
|
|
3.2 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1492 |
2024-08-06 15:06
|
MS_calendar.lnk 88a0d644536b00f6d49bd9891223784c
Lnk Format GIF Format VirusTotal Malware Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS |
3
http://216.9.224.58:5555/files
http://216.9.224.58:5555/files/MS_calendar_service.exe
http://216.9.224.58:5555/
|
1
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING WebDAV Retrieving .exe
|
|
2.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1493 |
2024-08-06 15:01
|
 Niuztafxlya.exe 6fc5dfa94c6baaf54e5413b643ae72e6
Hide_EXE Malicious Library .NET framework(MSIL) DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Windows Cryptographic key |
|
2
indialongvenomminister01connection.myddns.rocks(198.23.201.84)
198.23.201.84
|
|
|
14.8 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1494 |
2024-08-06 15:01
|
 Update.js 866b0c5274ee3ddae55d782644816251Malware download Malware VBScript wscript.exe payload download Tofsee SocGholish DNS Dropper |
1
https://jbwf.donors.eucharisticjesus.net/orderReview
|
2
jbwf.donors.eucharisticjesus.net(50.114.37.59)
50.114.37.59 - mailcious
|
4
ET MALWARE SocGholish CnC Domain in TLS SNI (* .donors .eucharisticjesus .net)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET MALWARE SocGholish CnC Domain in DNS (* .donors .eucharisticjesus .net)
|
|
10.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1495 |
2024-08-06 11:30
|
 random.exe 59eefb04a8cb9a94d148464cd4324e93
Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
9
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
http://185.215.113.24/0d60be0de163924d/msvcp140.dll
http://185.215.113.24/0d60be0de163924d/nss3.dll
http://185.215.113.24/ - rule_id: 41729
http://185.215.113.24/0d60be0de163924d/softokn3.dll
http://185.215.113.24/0d60be0de163924d/mozglue.dll
http://185.215.113.24/0d60be0de163924d/freebl3.dll
http://185.215.113.24/e2b1563c6670f193.php - rule_id: 41793
http://185.215.113.24/0d60be0de163924d/sqlite3.dll
|
1
185.215.113.24 - mailcious
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://185.215.113.24/
http://185.215.113.24/e2b1563c6670f193.php
|
8.4 |
M |
64 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1496 |
2024-08-06 11:00
|
sweeethoneymoongirlfriendwithm... 43a3a025a180bb5e47d9275d88e050ab
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1497 |
2024-08-06 11:00
|
 Studio.ps1 2fdc1e6058d9d9b1c40fc8899a98e104
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/HxD.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1498 |
2024-08-06 10:59
|
 Setup.ps1 15f193ffb1e81682570af9870a7b2b6d
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/MD5.exe
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1499 |
2024-08-06 10:26
|
 Update.exe 462bafe35754bf6c0057f8e033c9950a
Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files unpack itself crashed |
|
|
|
|
2.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1500 |
2024-08-06 10:22
|
 C2.exe 16788ca72d788dfc2df6956fff775d95
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|