#1486  2024-08-06 17:38
File: nicelookgreatthingsneedherbuty...
MD5: 8cf9f47e0c81cd947cd31d27b1174921
Tags: Generic Malware Antivirus Hide_URL PowerShell Malware download Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS
URLs (1):
  http://servidorwindows.ddns.com.br/Files/vbs.jpeg
Hosts (2):
  servidorwindows.ddns.com.br(187.72.79.111) - malware
  187.72.79.111 - malware
IDS alerts (2):
  ET MALWARE Base64 Encoded MZ In Image
  ET MALWARE Malicious Base64 Encoded Payload In Image
Score: 8.8 | M | - | ZeroCERT

#1487  2024-08-06 17:37
File: 1111MPDW-constraints.vbs
MD5: d75c9dd456d79d5f59cbd1766741273a
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Hosts (2):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | - | 3 | ZeroCERT

#1488  2024-08-06 15:26
File: solara.exe
MD5: d61a862be780c78ac1b87594b6b2f155
Tags: Malicious Library PE File .NET EXE PE32 VirusTotal Malware GameoverP2P DNS
URLs: none
Hosts (2):
  SIGMA125789-39601.portmap.host(193.161.193.99)
  193.161.193.99 - malicious
IDS alerts (2):
  ET POLICY DNS Query to a Reverse Proxy Service Observed
  ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
Score: 2.8 | - | 57 | ZeroCERT

#1489  2024-08-06 15:12
File: Meta.jpg.exe
MD5: 6ebf7d764e9c709a018c8faf636aa08b
Tags: RedLine stealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check DNS
URLs: none
Hosts (1): (none listed)
IDS alerts (1):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 9
Score: 0.6 | - | - | ZeroCERT

#1490  2024-08-06 15:09
File: T.exe
MD5: 9cc2a5a252f3593c04906c12a7ac76c0
Tags: Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library .NET framework(MSIL) Antivirus Create Service Socket ScreenShot Escalate privileges PWS Sniff Audio DNS Internet API VirusTotal Malware powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process Windows ComputerName Cryptographic key
URLs (1):
  http://45.138.183.226/upload/585
Hosts (4):
  plunder.dedyn.io(45.138.183.226)
  plunder.jumpingcrab.com(45.138.183.226)
  enargy.co()
  45.138.183.226
IDS alerts (1):
  ET INFO DYNAMIC_DNS Query to a *.jumpingcrab .com Domain
Score: 13.6 | - | 12 | ZeroCERT

#1491  2024-08-06 15:06
File: schedule.lnk
MD5: 62d5389d43931237e9d3d1aa77c87483
Tags: Lnk Format GIF Format VirusTotal Malware heapspray Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS
URLs (3):
  http://216.9.224.58:5555/files
  http://216.9.224.58:5555/files/Erlianaw.exe
  http://216.9.224.58:5555/
Hosts (1): (none listed)
IDS alerts (2):
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING WebDAV Retrieving .exe
Score: 3.2 | - | 1 | ZeroCERT

#1492  2024-08-06 15:06
File: MS_calendar.lnk
MD5: 88a0d644536b00f6d49bd9891223784c
Tags: Lnk Format GIF Format VirusTotal Malware Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS
URLs (3):
  http://216.9.224.58:5555/files
  http://216.9.224.58:5555/files/MS_calendar_service.exe
  http://216.9.224.58:5555/
Hosts (1): (none listed)
IDS alerts (2):
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING WebDAV Retrieving .exe
Score: 2.6 | - | 1 | ZeroCERT

#1493  2024-08-06 15:01
File: Niuztafxlya.exe
MD5: 6fc5dfa94c6baaf54e5413b643ae72e6
Tags: Hide_EXE Malicious Library .NET framework(MSIL) DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Windows Cryptographic key
URLs: none
Hosts (2):
  indialongvenomminister01connection.myddns.rocks(198.23.201.84)
  198.23.201.84
IDS alerts: none
Score: 14.8 | - | 41 | ZeroCERT

#1494  2024-08-06 15:01
File: Update.js
MD5: 866b0c5274ee3ddae55d782644816251
Tags: Malware download Malware VBScript wscript.exe payload download Tofsee SocGholish DNS Dropper
URLs (1):
  https://jbwf.donors.eucharisticjesus.net/orderReview
Hosts (2):
  jbwf.donors.eucharisticjesus.net(50.114.37.59)
  50.114.37.59 - malicious
IDS alerts (4):
  ET MALWARE SocGholish CnC Domain in TLS SNI (* .donors .eucharisticjesus .net)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET MALWARE SocGholish CnC Domain in DNS (* .donors .eucharisticjesus .net)
Score: 10.0 | - | - | guest

#1495  2024-08-06 11:30
File: random.exe
MD5: 59eefb04a8cb9a94d148464cd4324e93
Tags: Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (9):
  http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
  http://185.215.113.24/0d60be0de163924d/msvcp140.dll
  http://185.215.113.24/0d60be0de163924d/nss3.dll
  http://185.215.113.24/ - rule_id: 41729
  http://185.215.113.24/0d60be0de163924d/softokn3.dll
  http://185.215.113.24/0d60be0de163924d/mozglue.dll
  http://185.215.113.24/0d60be0de163924d/freebl3.dll
  http://185.215.113.24/e2b1563c6670f193.php - rule_id: 41793
  http://185.215.113.24/0d60be0de163924d/sqlite3.dll
Hosts (1):
  185.215.113.24 - malicious
IDS alerts (16):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-flagged URLs (2):
  http://185.215.113.24/
  http://185.215.113.24/e2b1563c6670f193.php
Score: 8.4 | M | 64 | ZeroCERT

#1496  2024-08-06 11:00
File: sweeethoneymoongirlfriendwithm...
MD5: 43a3a025a180bb5e47d9275d88e050ab
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Hosts (2):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | - | 3 | ZeroCERT

#1497  2024-08-06 11:00
File: Studio.ps1
MD5: 2fdc1e6058d9d9b1c40fc8899a98e104
Tags: Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1):
  http://147.45.44.131/files/HxD.exe
Hosts (1): (none listed)
IDS alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Windows Executable WriteProcessMemory
Score: 5.4 | M | - | ZeroCERT

#1498  2024-08-06 10:59
File: Setup.ps1
MD5: 15f193ffb1e81682570af9870a7b2b6d
Tags: Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1):
  http://147.45.44.131/files/MD5.exe
Hosts (1): (none listed)
IDS alerts (7):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Windows Executable WriteProcessMemory
Score: 5.4 | M | - | ZeroCERT

#1499  2024-08-06 10:26
File: Update.exe
MD5: 462bafe35754bf6c0057f8e033c9950a
Tags: Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files unpack itself crashed
URLs: none
Hosts: none
IDS alerts: none
Score: 2.0 | - | 7 | ZeroCERT

#1500  2024-08-06 10:22
File: C2.exe
MD5: 16788ca72d788dfc2df6956fff775d95
Tags: ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself
URLs: none
Hosts: none
IDS alerts: none
Score: 5.6 | M | - | ZeroCERT