1546 | 2024-08-05 15:48

66af4e35e761b_doz.exe#mene c7904602501fb4a18a2ceb29d1c7748b Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software

3
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a

5
t.me(149.154.167.99) - mailcious
steamcommunity.com(173.222.146.99) - mailcious
149.154.167.99 - mailcious
168.119.176.241 - mailcious
184.26.241.154 - mailcious

3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

1
https://steamcommunity.com/profiles/76561199747278259

16.4 | M | 35 | ZeroCERT

1547 | 2024-08-05 15:46

66ade58a5e39e_tgertert.exe f9e341ea64be4ee1007755cd909aaa8c Themida Packer Anti_VM PE File PE32 Lnk Format GIF Format Malware download VirusTotal Malware AutoRuns Check memory Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization human activity check Windows RisePro ComputerName Firmware DNS crashed

2
77.105.164.24
125.253.92.50

3
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Activity)

10.6 | M | 55 | ZeroCERT

1548 | 2024-08-05 15:44

66af531b832ee_main.exe#space 46bb5bf831f8b516b87078f35286a4d6 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software

3
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a

5
t.me(149.154.167.99) - mailcious
steamcommunity.com(184.87.103.42) - mailcious
149.154.167.99 - mailcious
168.119.176.241 - mailcious
184.26.241.154 - mailcious

3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

1
https://steamcommunity.com/profiles/76561199747278259

16.4 | 37 | ZeroCERT

1549 | 2024-08-05 15:43

66af31c75d213_123p.exe 3b24971c5fef776db7df10a769f0857a ftp PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner

2
pool.hashvault.pro(125.253.92.50) - mailcious
125.253.92.50

1
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

1.8 | M | 61 | ZeroCERT

1550 | 2024-08-05 15:41

herso.exe fc195e7f832004c004c41441a5658b50 Amadey Anti_VM PE File PE32 Malware AutoRuns Malicious Traffic Checks debugger unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows DNS crashed

1
http://185.215.113.19/Vi9leo/index.php - rule_id: 41489

1

1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33

1
http://185.215.113.19/Vi9leo/index.php

8.8 | M | ZeroCERT

1551 | 2024-08-05 15:41

crt.exe f0958ee9db38d69ba0c9757926f0b895 Emotet Gen1 Malicious Library UPX PE File PE32 MZP Format PE64 DLL DllRegisterServer dll OS Processor Check Check memory Checks debugger Creates executable files unpack itself AppData folder

1.8 | ZeroCERT

1552 | 2024-08-05 15:39

setup.exe 91debd6b56717f90a922f0ea33155e68 Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios suspicious process WriteConsoleW anti-virtualization Windows ComputerName Cryptographic key

10.4 | ZeroCERT

1553 | 2024-08-05 15:39

66af45d13a3cb_xincz.exe#xin 50d48645ac2526fbc7f99c5d7fb9eb42 Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware

0.4 | 8 | ZeroCERT

1554 | 2024-08-05 15:24

archive.7z 662ee89f76cfb8a8bddc6894b08203a6 Amadey Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Amadey Vidar Cryptocurrency Miner Malware c&c Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check Tofsee Stealc Stealer Windows Discord Browser RisePro DNS plugin CoinMiner

28
http://detectportal.firefox.com/canonical.html
http://185.225.200.214/api/crazyfish.php
http://185.215.113.24/0d60be0de163924d/sqlite3.dll
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
http://185.215.113.24/0d60be0de163924d/msvcp140.dll
http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
http://185.215.113.16/well/random.exe - rule_id: 41492
http://194.58.114.223/d/525403
http://185.215.113.19/Vi9leo/index.php - rule_id: 41489
http://185.215.113.24/ - rule_id: 41729
http://176.111.174.109/socker
http://147.45.44.104/prog/66af31c75d213_123p.exe
http://185.215.113.24/0d60be0de163924d/softokn3.dll
http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
http://147.45.44.104/prog/66af531b832ee_main.exe#space
http://185.215.113.24/e2b1563c6670f193.php
http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
http://detectportal.firefox.com/success.txt?ipv4
http://185.215.113.24/0d60be0de163924d/nss3.dll
http://185.225.200.214/api/twofish.php
http://185.215.113.24/0d60be0de163924d/freebl3.dll
http://185.215.113.16/nemo/herso.exe
http://185.215.113.24/0d60be0de163924d/mozglue.dll
http://www.google.com/
https://stan.pinefootsteps.com/ssl/crt.exe
https://steamcommunity.com/profiles/76561199747278259
https://iplogger.org/1nhuM4.js
https://api.myip.com/

81
detectportal.firefox.com(34.107.221.82)
stan.pinefootsteps.com(104.21.32.226)
www.reddit.com(151.101.1.140)
vanaheim.cn(213.226.112.95) - mailcious
firefox.settings.services.mozilla.com(34.149.100.209)
example.org(93.184.215.14) - mailcious
ipinfo.io(34.117.59.81)
accounts.google.com(64.233.188.84)
prod.content-signature-chains.prod.webservices.mozgcp.net(34.160.144.191)
accounts.youtube.com(142.250.206.206) - phishing
contile.services.mozilla.com(34.117.188.166)
www.wikipedia.org(103.102.166.224)
play.google.com(142.250.206.206)
steamcommunity.com(23.194.74.106) - mailcious
prod.balrog.prod.cloudops.mozgcp.net(35.244.181.201)
iplogger.org(104.21.4.208) - mailcious
www.gstatic.com(142.250.206.227)
twitter.com(104.244.42.129)
star-mini.c10r.facebook.com(157.240.215.35)
shavar.services.mozilla.com(35.165.99.161)
cdn.discordapp.com(162.159.133.233) - malware
content-signature-2.cdn.mozilla.net(34.160.144.191)
tracking-protection.cdn.mozilla.net(34.120.158.37)
shavar.prod.mozaws.net(44.239.110.200)
pool.hashvault.pro(142.202.242.43) - mailcious
youtube-ui.l.google.com(172.217.161.206)
push.services.mozilla.com(34.107.243.93)
www.youtube.com(172.217.161.206) - mailcious
prod.remote-settings.prod.webservices.mozgcp.net(34.149.100.209)
www3.l.google.com(142.250.206.206)
ipv4only.arpa(192.0.0.170)
prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82)
fonts.gstatic.com(142.250.207.99)
dyna.wikimedia.org(103.102.166.224)
reddit.map.fastly.net(151.101.1.140)
aus5.mozilla.org(35.244.181.201)
t.me(149.154.167.99) - mailcious
www.facebook.com(157.240.215.35)
www.google.com(142.250.76.132)
api.myip.com(104.26.8.59)
tracking-protection.prod.mozaws.net(34.120.158.37)
benimmekansohbet.com(178.63.100.241)
34.107.243.93
77.105.164.24
142.250.207.99
44.239.110.200
34.107.221.82
34.160.144.191
162.159.135.233 - malware
178.63.100.241
168.119.176.241
34.120.158.37
184.26.241.154 - mailcious
149.154.167.99 - mailcious
185.215.113.24 - mailcious
194.58.114.223
176.111.174.92
193.143.1.5
142.250.76.132
34.117.59.81
213.226.112.95
34.149.100.209
176.113.115.84 - mailcious
176.111.174.109 - malware
104.26.8.59
147.45.44.104
185.225.200.214
176.113.115.135 - mailcious
176.113.115.136 - mailcious
104.21.32.226 - malware
35.244.181.201
34.117.188.166
125.253.92.50
142.250.206.206 - mailcious
185.215.113.16 - mailcious
185.215.113.19 - malware
45.143.201.238 - mailcious
142.250.206.227
62.122.184.58 - mailcious
64.233.187.84
172.67.132.113

44
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET HUNTING Redirect to Discord Attachment Download
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO TLS Handshake Failure
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 6
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET DROP Spamhaus DROP Listed Traffic Inbound group 5

3
http://185.215.113.16/well/random.exe
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.24/

5.0 | M | ZeroCERT

1555 | 2024-08-05 15:06

Update.js 965ef5d776d9b91d2743a44b4093298a VBScript wscript.exe payload download Tofsee Dropper

1
https://bwly.living.miraclesofeucharisticjesus.org/orderReview

2
bwly.living.miraclesofeucharisticjesus.org(162.252.175.41)
162.252.175.41 - mailcious

2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

10.0 | guest

1556 | 2024-08-05 14:47

wanmgr.exe 27aa8ad8930fa0d076510cfb6573ce74 Malicious Library DNS AntiDebug AntiVM PE File .NET EXE PE32 Malware download Nanocore Cobalt Strike NetWireRC VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process human activity check Windows RAT ComputerName DNS DDNS

2
blackangel.hopto.org(103.89.91.169)
103.89.91.169

5
ET POLICY DNS Query to DynDNS Domain *.hopto .org
ET MALWARE NanoCore RAT CnC 7
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT Keepalive Response 1
ET MALWARE NanoCore RAT Keepalive Response 3

13.0 | 56 | ZeroCERT

1557 | 2024-08-05 14:30

민혜지2.jse 6fba482cb866a3c51dc9063527886f5d Generic Malware Hide_EXE Antivirus Malicious Library VMProtect Anti_VM JPEG Format PE File PE64 VirusTotal Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key

1
http://pmlroma.kro.kr/index.php

2
pmlroma.kro.kr(77.73.69.166)
77.73.69.166

10.2 | 2 | ZeroCERT

1558 | 2024-08-05 14:04

Na.exe e91d7d92b5c5ab6d2c6ee2da175bb119 UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows utilities WriteConsoleW Windows crashed

5.0 | M | 52 | r0d

1559 | 2024-08-05 14:01

SS.exe 1f0754128f1fd32781886c3d9e7dc138 UPX PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Windows utilities WriteConsoleW Windows crashed

5.0 | M | 50 | r0d

1560 | 2024-08-05 13:56

Apex.exe 017933f498a5e5fec5429ac2a1dc3b4a UPX PE File PE32 VirusTotal Malware unpack itself DNS crashed

1
http://42.193.241.116:19920/1p172BRmPZK29yhc1OKl/?card=&mac=&soft=apex&Var=1 - rule_id: 41762

1

1
http://42.193.241.116:19920/

3.4 | M | 54 | r0d
