17821 | 2023-05-14 17:32
File: ProtonVPN.exe
MD5: d8560a7c131d8313f0f95e49e1aa0b73
Tags: Gen1 Gen2 UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL JPEG Format Browser Info Stealer Malware download VirusTotal Malware RecordBreaker Buffer PE MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Collect installed applications AppData folder WriteConsoleW installed browsers check Stealer Windows Browser DNS crashed
URLs (9):
  http://165.232.118.86/
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
  http://165.232.118.86/498c5e808a95e0c9bc9684b0df2e9aaa
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
Hosts (2):
  165.232.118.86
  208.95.112.1
IDS alerts (6):
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING Possible Generic Stealer Sending System Information
  ET HUNTING Possible Generic Stealer Sending a Screenshot
Score: 12.4 | M | VirusTotal: 44 | ZeroCERT

17822 | 2023-05-14 17:32
File: build.exe
MD5: 1e0be6fd7600c7218b3542af67ab2a0d
Tags: PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://194.87.151.214:2020/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(172.67.75.172)
  194.87.151.214
  172.67.75.172 - malicious
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Score: 7.4 | M | VirusTotal: 62 | ZeroCERT

17823 | 2023-05-14 17:32
File: 44444444.exe
MD5: 4fda10dd689cf07faf7ccad6eeb5b8b3
Tags: PWS .NET framework RAT UPX Confuser .NET OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): not listed
Score: 5.8 | M | VirusTotal: 49 | ZeroCERT

17824 | 2023-05-14 17:32
File: clip64.dll
MD5: 73c0c85e39b9a63b42f6c4ff6d634f8b
Tags: UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself
Score: 2.0 | M | VirusTotal: 59 | ZeroCERT

17825 | 2023-05-14 17:19
File: tungbot.exe
MD5: 1789934e3f3f870ab38fb363701f5b88
Tags: PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://103.169.34.83:3767/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(172.67.75.172) -
  104.26.12.31
  103.169.34.83
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Score: 7.4 | M | VirusTotal: 57 | ZeroCERT

17826 | 2023-05-14 17:12
File: STnew.exe
MD5: 9698ef1c3c72a67865b27847f3fcb633
Tags: Emotet Gen2 Generic Malware UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 .NET EXE Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows ComputerName RCE DNS Cryptographic key DDNS crashed
URLs (1):
  http://95.214.27.98/lend/STnew.exe
Hosts (3):
  searchap.ddns.net(37.120.198.197)
  37.120.198.197
  95.214.27.98 - malware
IDS alerts (5):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 16.4 | M | ZeroCERT

17827 | 2023-05-14 17:12
File: server.exe
MD5: 30260b612d994b6c7e5ff1febcb9a157
Tags: Formbook RAT .NET EXE PE File PE32 VirusTotal Malware VBScript AutoRuns Check memory Checks debugger WMI wscript.exe payload download Creates executable files unpack itself AntiVM_Disk IP Check VM Disk Size Check Tofsee Interception Windows ComputerName DNS DDNS Dropper
URLs (4):
  http://vj7974.duckdns.org:7974/Vre
  http://pastebin.com/raw/A2n1xGpr
  http://ip-api.com/json/
  https://pastebin.com/raw/A2n1xGpr
Hosts (6):
  vj7974.duckdns.org(142.202.242.176)
  pastebin.com(104.20.68.143) - malicious
  ip-api.com(208.95.112.1)
  142.202.242.176
  208.95.112.1
  104.20.67.143 - malicious
IDS alerts (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup ip-api.com
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET INFO HTTP POST Request to DuckDNS Domain
  ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
Score: 10.0 | M | VirusTotal: 37 | ZeroCERT

17828 | 2023-05-14 17:10
File: Widgets.bat
MD5: b03d77953c460064e03d928ce56b1976
Tags: Downloader Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate privileges FTP KeyLogger ScreenShot AntiDebug AntiVM suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key
Score: 4.0 | ZeroCERT

17829 | 2023-05-14 17:09
File: file4.ps1
MD5: 97b66f50d529a72add418aaf982a6b10
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  http://193.233.232.150/view.php
Score: 4.8 | M | VirusTotal: 2 | ZeroCERT

17830 | 2023-05-14 17:09
File: bild202.exe
MD5: a17af46e9c7bba005d9907ad2b722560
Tags: Loki_b Loki_m RedLine stealer[m] Gen1 PWS .NET framework RAT Generic Malware Downloader UPX Malicious Library Antivirus Malicious Packer Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escala Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion anti-virtualization installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (4):
  http://195.201.47.75/5571c6168b927d576728413ef32ef92f
  http://195.201.47.75/
  https://steamcommunity.com/profiles/76561198272578552
  https://t.me/libpcre
Hosts (6):
  t.me(149.154.167.99) - malicious
  steamcommunity.com(104.85.81.130) - malicious
  104.85.81.130
  149.154.167.99 - malicious
  194.87.151.202 - malicious
  195.201.47.75
IDS alerts (3):
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 16.6 | M | VirusTotal: 48 | ZeroCERT

17831 | 2023-05-14 17:08
File: lega.exe
MD5: 72361b9ac961ae2ec3e94022f1ccb0a6
Tags: RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT RedLine Stealer UPX Malicious Library Confuser .NET SMTP PWS[m] AntiDebug AntiVM CAB PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed
Hosts (1):
  185.161.248.75 - malicious
Score: 14.0 | M | ZeroCERT

17832 | 2023-05-14 17:07
File: HalogenSySCheck.exe
MD5: ee0da89ff62475fe63a8cd12c7134c5e
Tags: RedLine stealer[m] RAT PWS .NET framework Generic Malware Downloader UPX Malicious Library Antivirus Confuser .NET Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate privileges FTP Key Browser Info Stealer VirusTotal Malware powershell Telegram suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
Hosts (3):
  api.telegram.org(149.154.167.220)
  94.142.138.219
  149.154.167.220
IDS alerts (4):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.8 | M | VirusTotal: 42 | ZeroCERT

17833 | 2023-05-14 17:05
File: sonbot2.exe
MD5: 862025de8445a34f8543dcc96c806362
Tags: PWS .NET framework RAT UPX OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Windows DNS Cryptographic key
URLs (1):
  http://108.165.242.115:12664/
Hosts (1): not listed
Score: 3.2 | M | VirusTotal: 57 | ZeroCERT

17834 | 2023-05-14 17:03
File: file1.ps1
MD5: a02ae4594adc3ed2a6160c84f5cb3a9e
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (1):
  https://centrovetluanda.com/apply.php
Score: 4.8 | M | VirusTotal: 4 | ZeroCERT

17835 | 2023-05-14 17:03
File: crypted (2).exe
MD5: 7934a25163e1500d54aded65ce354308
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (4):
  camo.githubusercontent.com(185.199.111.133)
  fonts.googleapis.com(142.250.207.106)
  185.199.109.133 - malicious
  142.251.220.42
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.8 | M | ZeroCERT
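
Turning the entries above into something a SOC can block on takes more than copying the URL column: the contacted-host field mixes bare IPs, `name(ip)` pairs and `- malicious` flags, and the IDS alerts on this page fire on two host shapes (a dotted-quad host and a dynamic-DNS name under duckdns.org or ddns.net) that are worth surfacing explicitly. The following Python is an added example, not part of the feed or of any tool behind it. The three records embedded in it are copied from entries 17821, 17826 and 17827 above (URL lists trimmed); the host classes, the function names and the output layout are this example's own assumptions.

```python
"""Extract and classify network IOCs from sandbox report records.

Added example. RECORDS is copied from entries 17821, 17826 and 17827 on the
page (URL lists trimmed). The two "suspicious" host classes mirror the
patterns the page's IDS alerts name: dotted-quad hosts and dynamic-DNS
names under duckdns.org / ddns.net. Names and layout are this example's own.
"""
import ipaddress
import re
from urllib.parse import urlsplit

RECORDS = [
    {"id": 17821, "file": "ProtonVPN.exe",
     "md5": "d8560a7c131d8313f0f95e49e1aa0b73",
     "urls": ["http://165.232.118.86/",
              "http://165.232.118.86/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll",
              "http://165.232.118.86/498c5e808a95e0c9bc9684b0df2e9aaa"],
     "hosts": ["165.232.118.86", "208.95.112.1"]},
    {"id": 17826, "file": "STnew.exe",
     "md5": "9698ef1c3c72a67865b27847f3fcb633",
     "urls": ["http://95.214.27.98/lend/STnew.exe"],
     "hosts": ["searchap.ddns.net(37.120.198.197)", "37.120.198.197",
               "95.214.27.98 - malware"]},
    {"id": 17827, "file": "server.exe",
     "md5": "30260b612d994b6c7e5ff1febcb9a157",
     "urls": ["http://vj7974.duckdns.org:7974/Vre",
              "http://pastebin.com/raw/A2n1xGpr", "http://ip-api.com/json/"],
     "hosts": ["vj7974.duckdns.org(142.202.242.176)",
               "pastebin.com(104.20.68.143) - malicious",
               "ip-api.com(208.95.112.1)", "142.202.242.176", "208.95.112.1"]},
]

# Dynamic-DNS suffixes named in the page's ET alerts (assumed list).
DDNS_SUFFIXES = ("duckdns.org", "ddns.net")
HOST_WITH_IP = re.compile(r"^(?P<host>[^()\s]+)\((?P<ip>[0-9.]+)\)$")


def is_dotted_quad(host):
    """True if host is a literal IPv4 address."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def classify_host(host):
    """'dotted-quad', 'dynamic-dns' or 'domain' (case-insensitive)."""
    host = host.lower().rstrip(".")
    if is_dotted_quad(host):
        return "dotted-quad"
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        return "dynamic-dns"
    return "domain"


def split_host_entry(entry):
    """'name(1.2.3.4) - flag' -> ('name', '1.2.3.4'); bare host -> (host, None)."""
    entry = entry.split(" - ", 1)[0].strip()  # drop trailing '- malicious' flag
    m = HOST_WITH_IP.match(entry)
    if m:
        return m.group("host"), m.group("ip")
    return entry, None


def _note_host(host, iocs, classes):
    kind = classify_host(host)
    classes[host] = kind
    (iocs["ipv4"] if kind == "dotted-quad" else iocs["host"]).add(host)


def extract_iocs(records):
    """Return ({kind: sorted IOC list}, {host: class}) over all records."""
    iocs = {"md5": set(), "url": set(), "host": set(), "ipv4": set()}
    classes = {}
    for rec in records:
        iocs["md5"].add(rec["md5"].lower())
        for url in rec["urls"]:
            iocs["url"].add(url)
            host = urlsplit(url).hostname  # strips scheme, port and path
            if host:
                _note_host(host, iocs, classes)
        for entry in rec["hosts"]:
            host, ip = split_host_entry(entry)
            _note_host(host, iocs, classes)
            if ip:
                _note_host(ip, iocs, classes)
    return {k: sorted(v) for k, v in iocs.items()}, classes


def suspicious_hosts(classes):
    """Hosts matching the shapes the page's IDS alerts fire on."""
    return sorted(h for h, kind in classes.items() if kind != "domain")


if __name__ == "__main__":
    iocs, classes = extract_iocs(RECORDS)
    for kind, values in iocs.items():
        for v in values:
            print(f"{kind}\t{v}\t{classes.get(v, '')}")
    print("block candidates:", ", ".join(suspicious_hosts(classes)))
```

The `domain` class is deliberately not a verdict: pastebin.com and ip-api.com appear here as infrastructure the sample used, and the page marks some of them `malicious`, but blocking them wholesale would break legitimate traffic, so they are reported rather than placed on the candidate list.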