1501 |
2024-08-06 10:20
|
Check.exe 6f7c0573e0d0c7a2ae1796ad61dbd02d ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
10.4 |
M |
|
ZeroCERT
1502 |
2024-08-06 10:20
|
Setup.ps1 15f193ffb1e81682570af9870a7b2b6d Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/MD5.exe
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
1503 |
2024-08-06 10:20
|
extrasmilesgivenbygirlflowerso... 0c102f517024df86ddea73ad53686516 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware 207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
3 |
ZeroCERT
1504 |
2024-08-06 10:18
|
Protect.exe 8884df7aa725803e4f9ba0a99a477401 ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
1
http://147.45.44.131/files/Smart.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
10.4 |
|
|
ZeroCERT
1505 |
2024-08-06 10:18
|
Angel.exe 3142b24b3478b54405e7be11be6c8bbf PE File .NET EXE PE32 Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
1.8 |
|
|
ZeroCERT
1506 |
2024-08-06 10:17
|
Baza.ps1 6fc27174eeb4be04079f4f3390041ac1 Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/SHA256.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
1507 |
2024-08-06 10:16
|
HxD.exe dbf56776aebe6a46a4098a24250aec57 task schedule PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee DNS |
1
https://pastebin.com/raw/jDAt5ZME
|
3
pastebin.com(104.20.4.235) - mailcious 104.20.3.235 - malware 147.45.44.138
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
52 |
ZeroCERT
1508 |
2024-08-06 10:15
|
Smart.exe 52be738bee9464fbca63c454cc942ecc ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
5.6 |
|
|
ZeroCERT
1509 |
2024-08-06 10:11
|
ChromeSetup.exe e963c6226c89fbe3d8617658681fb54d Emotet Gen1 Generic Malware PhysicalDrive NSIS NMap Malicious Library UPX Malicious Packer Downloader Admin Tool (Sysinternals etc ...) Antivirus .NET framework(MSIL) ASPack Anti_VM Javascript_Blob PE File PE32 MZP Format OS Processor Check DLL DllRegiste Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder sandbox evasion installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS |
1
https://update.googleapis.com/service/update2
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
71 |
ZeroCERT
1510 |
2024-08-06 10:05
|
ts.exe 6672b19a9ed11eb242c3b50aa23ccbf8 Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows Cryptographic key |
|
|
|
|
2.8 |
|
28 |
ZeroCERT
1511 |
2024-08-06 09:47
|
3544436.exe 1de4c3cc42232c1e3d7c09404f57b450 Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
3.2 |
M |
45 |
ZeroCERT
1512 |
2024-08-06 09:46
|
herso.exe 54dda3a0f0895906ba57a691a4655415 Amadey Stealc RedLine stealer Gen1 Generic Malware EnigmaProtector Malicious Library UPX Admin Tool (Sysinternals etc ...) Antivirus Malicious Packer Code injection Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Tofsee Ransomware Stealc Stealer Windows Exploit Browser Email ComputerName DNS Software crashed plugin |
13
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll http://185.215.113.16/steam/random.exe - rule_id: 41792 http://185.215.113.19/Vi9leo/index.php - rule_id: 41489 http://185.215.113.24/0d60be0de163924d/msvcp140.dll http://185.215.113.24/0d60be0de163924d/nss3.dll http://185.215.113.24/0d60be0de163924d/freebl3.dll http://185.215.113.24/ - rule_id: 41729 http://185.215.113.24/0d60be0de163924d/softokn3.dll http://185.215.113.24/0d60be0de163924d/mozglue.dll http://185.215.113.16/well/random.exe - rule_id: 41492 http://185.215.113.24/0d60be0de163924d/sqlite3.dll http://185.215.113.24/e2b1563c6670f193.php - rule_id: 41793 http://185.215.113.16/num/random.exe
|
5
crash-reports.mozilla.com(34.49.45.138) 34.49.45.138 185.215.113.24 - mailcious 185.215.113.16 - mailcious 185.215.113.19 - malware
|
21
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
5
http://185.215.113.16/steam/random.exe http://185.215.113.19/Vi9leo/index.php http://185.215.113.24/ http://185.215.113.16/well/random.exe http://185.215.113.24/e2b1563c6670f193.php
|
22.8 |
M |
37 |
ZeroCERT
1513 |
2024-08-06 09:45
|
sg3.exe 5f3dd0514c98bab7172a4ccb2f7a152d Malicious Library Malicious Packer PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
60 |
ZeroCERT
1514 |
2024-08-06 09:44
|
NamzScript.exe be87988d10070a2a95aa02f5cdab0aab Generic Malware Malicious Library UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution |
|
|
|
|
6.2 |
M |
29 |
ZeroCERT
1515 |
2024-08-06 09:43
|
MD5.exe f38bcacf41070de40c329f6792460338 PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
|
8.0 |
M |
55 |
ZeroCERT