| 1501 |
2024-08-06 10:20
|
 Check.exe 6f7c0573e0d0c7a2ae1796ad61dbd02d
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
10.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1502 |
2024-08-06 10:20
|
 Setup.ps1 15f193ffb1e81682570af9870a7b2b6d
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/MD5.exe
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1503 |
2024-08-06 10:20
|
extrasmilesgivenbygirlflowerso... 0c102f517024df86ddea73ad53686516
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1504 |
2024-08-06 10:18
|
 Protect.exe 8884df7aa725803e4f9ba0a99a477401
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
1
http://147.45.44.131/files/Smart.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
10.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1505 |
2024-08-06 10:18
|
 Angel.exe 3142b24b3478b54405e7be11be6c8bbf
PE File .NET EXE PE32 Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1506 |
2024-08-06 10:17
|
 Baza.ps1 6fc27174eeb4be04079f4f3390041ac1
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/SHA256.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1507 |
2024-08-06 10:16
|
 HxD.exe dbf56776aebe6a46a4098a24250aec57
task schedule PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee DNS |
1
https://pastebin.com/raw/jDAt5ZME
|
3
pastebin.com(104.20.4.235) - mailcious
104.20.3.235 - malware
147.45.44.138
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1508 |
2024-08-06 10:15
|
 Smart.exe 52be738bee9464fbca63c454cc942ecc
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
5.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1509 |
2024-08-06 10:11
|
 ChromeSetup.exe e963c6226c89fbe3d8617658681fb54d
Emotet Gen1 Generic Malware PhysicalDrive NSIS NMap Malicious Library UPX Malicious Packer Downloader Admin Tool (Sysinternals etc ...) Antivirus .NET framework(MSIL) ASPack Anti_VM Javascript_Blob PE File PE32 MZP Format OS Processor Check DLL DllRegiste Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder sandbox evasion installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS |
1
https://update.googleapis.com/service/update2
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
71 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1510 |
2024-08-06 10:05
|
 ts.exe 6672b19a9ed11eb242c3b50aa23ccbf8
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.8 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1511 |
2024-08-06 09:47
|
 3544436.exe 1de4c3cc42232c1e3d7c09404f57b450
Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
3.2 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1512 |
2024-08-06 09:46
|
 herso.exe 54dda3a0f0895906ba57a691a4655415
Amadey Stealc RedLine stealer Gen1 Generic Malware EnigmaProtector Malicious Library UPX Admin Tool (Sysinternals etc ...) Antivirus Malicious Packer Code injection Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Tofsee Ransomware Stealc Stealer Windows Exploit Browser Email ComputerName DNS Software crashed plugin |
13
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
http://185.215.113.16/steam/random.exe - rule_id: 41792
http://185.215.113.19/Vi9leo/index.php - rule_id: 41489
http://185.215.113.24/0d60be0de163924d/msvcp140.dll
http://185.215.113.24/0d60be0de163924d/nss3.dll
http://185.215.113.24/0d60be0de163924d/freebl3.dll
http://185.215.113.24/ - rule_id: 41729
http://185.215.113.24/0d60be0de163924d/softokn3.dll
http://185.215.113.24/0d60be0de163924d/mozglue.dll
http://185.215.113.16/well/random.exe - rule_id: 41492
http://185.215.113.24/0d60be0de163924d/sqlite3.dll
http://185.215.113.24/e2b1563c6670f193.php - rule_id: 41793
http://185.215.113.16/num/random.exe
|
5
crash-reports.mozilla.com(34.49.45.138)
34.49.45.138
185.215.113.24 - mailcious
185.215.113.16 - mailcious
185.215.113.19 - malware
|
21
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
5
http://185.215.113.16/steam/random.exe
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.24/
http://185.215.113.16/well/random.exe
http://185.215.113.24/e2b1563c6670f193.php
|
22.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1513 |
2024-08-06 09:45
|
 sg3.exe 5f3dd0514c98bab7172a4ccb2f7a152d
Malicious Library Malicious Packer PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1514 |
2024-08-06 09:44
|
 NamzScript.exe be87988d10070a2a95aa02f5cdab0aab
Generic Malware Malicious Library UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution |
|
|
|
|
6.2 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1515 |
2024-08-06 09:43
|
 MD5.exe f38bcacf41070de40c329f6792460338
PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
8.0 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|