1876 | 2025-02-19 12:03 | ZeroCERT
File: kyjilsefqaw.exe
MD5: ef2bda68775f23bb79519049adfaa4e1
Tags: PE File PE32 unpack itself ComputerName crashed
Score: 1.6

1877 | 2025-02-19 12:01 | ZeroCERT
File: 1243.exe
MD5: 0a736eeb2a65ab14079363292764e5f2
Tags: Generic Malware Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE PDB Code Injection Creates executable files unpack itself RCE
Score: 2.8

1878 | 2025-02-19 12:01 | ZeroCERT
File: 1.exe
MD5: 40d39e1426b624e504f616d225b8e410
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Check memory buffers extracted Creates shortcut unpack itself Collect installed applications sandbox evasion IP Check installed browsers check Tofsee Ransomware MeduzaStealer Stealer Browser Email ComputerName DNS
Hosts (3): api.ipify.org() - 45.93.20.15 - 172.67.74.152
Alerts (9): ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET DROP Spamhaus DROP Listed Traffic Inbound group 4; ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt; ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2; ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP); SURICATA Applayer Protocol detection skipped; ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Score: 8.6

1879 | 2025-02-19 11:48 | ZeroCERT
File: 1.exe
MD5: b8930ce311970e82b7b52dbfa4d81187
Tags: Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library Malicious Packer UPX Socket Http API ScreenShot PWS HTTP DNS Internet API AntiDebug AntiVM PE File DllRegisterServer dll PE32 OS Processor Check Code Injection buffers extracted malicious URLs DNS
Hosts: 1
Score: 7.6

1880 | 2025-02-19 11:44 | ZeroCERT
File: pyjksf.exe
MD5: d26d5412e2228fb671609e601f95fec6
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Malware Telegram PDB Malicious Traffic Tofsee ComputerName DNS
URLs (2):
https://steamcommunity.com/profiles/76561199825403037
https://t.me/b4cha00
Hosts (5): t.me() - steamcommunity.com() - 149.154.167.99 - 95.217.243.100 - 23.49.154.73
Alerts (3): ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 3.2

1881 | 2025-02-19 11:44 | ZeroCERT
File: Banderas.exe
MD5: c0797e1ab7522e82dd0764c42dfa0c67
Tags: Malicious Library Malicious Packer UPX PE File PE64
Score: 0.2

1882 | 2025-02-19 11:42 | ZeroCERT
File: blaq.exe
MD5: 7176873d83d97247c18a9037ffa5964f
Tags: Generic Malware Malicious Library UPX PE File PE32 DLL Browser Info Stealer buffers extracted Creates executable files unpack itself AppData folder Browser
URLs (12):
http://www.zkplant.xyz/t2z5/?wHwUOH=8VSe6D3+FdM96toYTkKYm4RfQN80B92Wswse+lRCZ5nd7JghEm3UVr0Q9u8PqQyGlh2BEZGJRS/hf5/2khKxbH6/CmdYSP+iYipsDo45rax8LzXX361i2DUedI4l6JslNrlk314=&li8B=Uh_aOYB7iOocT0e http://www.sfrouter.express/f0c8/?wHwUOH=AHWHpIA83/7LQm5yWEptZovqcpfzyuCrVryDOXq41boPuGcZhCFYx0rfPVc+QU4vzPoFex3ntizgmAr9Oi8RON6E+Z9iOl73gIFM5BR9EAZ97ZYdmY/eiK7meSUUDtSRRtG1C5s=&li8B=Uh_aOYB7iOocT0e http://www.meacci.xyz/ieqn/ http://www.trosky.lol/o88r/?wHwUOH=ziUBiNnCPTx0D233h1ca1hydMmiXXNXHNMEY4JnQ/dp2McfnObELxA6oJBnFDOsWb/bM3s4W56oDTG7CCmWbz1/lpBHwSztieMVQct0KvuNR8Sztn05hRZ1RNhlgsM5Legpcclw=&li8B=Uh_aOYB7iOocT0e http://www.trosky.lol/o88r/ http://www.adventurerepair24.live/gc4d/?wHwUOH=LebFdeUSCMRA/h5sT7+2M2f/vQ1SufiCCUGQxkTYOySh8g+yOOCA1ht778Ujr70KVg4fy0FUcNIIjE4P2FpJife2AASvW/TiUzxRyQ9XEF5r5nlv8N9vw4E60m8WiXkOYycYg/o=&li8B=Uh_aOYB7iOocT0e http://www.adventurerepair24.live/gc4d/ http://www.zkplant.xyz/t2z5/ http://www.meacci.xyz/ieqn/?wHwUOH=TXRwMNvNe7nWWxt2VYpYoe82JcF/DsRex1DbWUgtb2d4F8KnEpYV4uyghREjRYGlO9HLzYmvfgx+GjFyjye3bAwXsHcICLs5dZyytw3BsbuHZoaHGoXRgZC8N0lOdICFON5OFP4=&li8B=Uh_aOYB7iOocT0e http://www.sfrouter.express/f0c8/ http://www.xiuqicloud.website/g63r/ http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
Hosts (13): www.adventurerepair24.live() - www.sfrouter.express() - www.trosky.lol() - www.xiuqicloud.website() - www.meacci.xyz() - www.zkplant.xyz() - 45.33.6.223 - 199.59.243.228 - 76.223.54.146 - 13.248.169.48 - 106.54.8.254 - 172.67.143.33 - 172.67.204.50
Score: 5.0

1883 | 2025-02-19 11:41 | ZeroCERT
File: minddd.exe
MD5: cae5f3774bbda4a4fa5f58e42395829a
Tags: PE File PE64 MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces DNS
Hosts: 1
Score: 3.0

1884 | 2025-02-19 11:40 | ZeroCERT
File: edd.exe
MD5: 28be9bba86fa8a13cc6cf36724d28589
Tags: PE File PE64 Check memory Checks debugger unpack itself Check virtual network interfaces DNS
Hosts: 1
Score: 2.8

1885 | 2025-02-19 11:40 | ZeroCERT
File: ed.ps1
MD5: 7a20a5ebf46ab756a3781ce55fc8bb63
Tags: Hide_EXE Generic Malware UPX Malicious Library Malicious Packer Confuser .NET Antivirus AntiDebug AntiVM PE File DLL PE32 .NET EXE FormBook Browser Info Stealer Malware download Malware powershell Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself powershell.exe wrote AppData folder Browser
URLs (7):
http://www.childhealth.pro/b0vh/?Gy99=QUBVmFKdBNxds9OiApRhVsAj+ScDRPHeUPya3YpvxKMFpoL0UXIizO+2Knd5vz9rSJ99vd1oMGbpKodYFcGso7ng1PXq6kPJUf/keZz2BFmCSPb1BPLSFhWLkB5VTYfkmDPjYsE=&A97DD=dIkYLZ1GahSa http://www.vivamente.shop/p4iy/ http://www.childhealth.pro/b0vh/ http://www.partflix.net/t94t/ http://www.partflix.net/t94t/?Gy99=6wcCudhLkH0VejVFRrMKOuT81SneVTs21TOXThNHeftxWAPzww3VNZ/fA4UNu8KULkzvL+qpdGK+6ln1YlZUcKuT272xiEUSQXi3WiUcrBFdZosaj7GWSIfDKBhRZwCKqwkunqw=&A97DD=dIkYLZ1GahSa http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip http://www.vivamente.shop/p4iy/?Gy99=SRywWHlJneqGbgnZMnkP75yQY1jNoV+uUvrvQ9vwHOg3gIy7AYQSo7rFsMjmhZA0ylqE+AAlROwVtLWgpormrByiUeawEdhj2T0RPVxTjD2FTpAWFNeIi4haYWVZYJq3iwiPjnM=&A97DD=dIkYLZ1GahSa
Hosts (7): www.partflix.net() - www.childhealth.pro() - www.vivamente.shop() - 45.33.6.223 - 84.32.84.32 - 66.33.60.194 - 162.213.251.166
Alerts (1): ET MALWARE FormBook CnC Checkin (GET) M5
Score: 11.8

1886 | 2025-02-19 11:38 | ZeroCERT
File: Devil.exe
MD5: eb6beba0181a014ac8c0ec040cb1121a
Tags: Generic Malware Malicious Packer PE File PE32 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Check memory AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName Software
Hosts: 1
Score: 5.0

1887 | 2025-02-19 11:38 | ZeroCERT
File: MAGNIFICENT_MAILBOX.exe
MD5: a1d8035b93923215c7d7cbc17e735deb
Tags: Malicious Packer UPX PE File PE64 Checks debugger DNS
Hosts: 1
Score: 3.2

1888 | 2025-02-19 11:36 | ZeroCERT
File: main_mpsl
MD5: e9bcd0799cdb5a780356507ecb0461ff
Tags: AntiDebug AntiVM ELF Email Client Info Stealer Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email
Score: 3.2

1889 | 2025-02-19 11:35 | ZeroCERT
File: ikpo.ps1
MD5: d8ed066f1231767464642fe846f37d99
Tags: Hide_EXE Generic Malware UPX Antivirus Malicious Library Malicious Packer Confuser .NET AntiDebug AntiVM PE File DLL PE32 .NET EXE Browser Info Stealer Phishing powershell Buffer PE Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself powershell.exe wrote AppData folder Browser DNS
URLs (15):
http://www.birbacher.online/os5r/?y_h6A2=231uHx8vc2OXjfRp9MqGfmAfw0ORoc0FHs1yPQI+Y8FHV11jaHQ2ftygF7Z20+LhG+hwvpvPffWcTqqpG/gNLui17mhEo7YUi96xAksmd+3++erClo3DLaj5tFD9ebrkUZzk9Dk=&60In=7wl5r0kQG9G http://www.blissfuljo.life/p8fe/ http://www.blissfuljo.life/p8fe/?y_h6A2=nweR1c0XBtkzZggi0v3dr9kB4xCEwoCGMBQNH/aYwX8LuhjLbL5HUgqXwTet0aQ44oxYgp72GiDpetq5GT3VFYsxr5RBWjhs308QLFo3+dsZTQkp8hunF2AzxzIui5HbDfaQI0w=&60In=7wl5r0kQG9G http://www.zkderby.xyz/bqyq/ http://www.rds845.shop/h0nr/ http://www.82765.ltd/59d5/ http://www.rds845.shop/h0nr/?y_h6A2=5SMA7S/38P4RaRgCp3VO1tw2rROs9wah4HH5Q6yYr3Nu4ZqcK75SUzG8TXPdlVkL75Uc/7uyt+ZBxF8Sx8kUuaqQBEx7a3bwhtWi8pbBN6KWtUApBidRHQ/G3KkasTH6o4wmaSg=&60In=7wl5r0kQG9G http://www.zkderby.xyz/bqyq/?y_h6A2=Z6W2Due/iFNSY6roA058AuqdLgygAHlj29B3DLhDfw5gzakQrGCVCfu5pLO3yHC2Q5prfxENXL60nad/MKUoC8UQrxa2M0+WRd3DYf4bgsYWClNewfklrWL3J7GXJ+tZq73l4I4=&60In=7wl5r0kQG9G http://www.birbacher.online/os5r/ http://www.82765.ltd/59d5/?y_h6A2=qiWz9HwqJLKnYi7JlC6qkRM9oNVOe4dAvB5Yj2dX6M9d0oXA3FTQuLckJRO7ZlKIhJbHCMmlfOuDN9YpFc7H3lclNb/Uy7Zdu1Mg4MyeDmJL6C9SantxWX3ypDcfwQ2eRaZ57U8=&60In=7wl5r0kQG9G http://www.031234103.xyz/6gd2/ http://www.031234103.xyz/6gd2/?y_h6A2=eDwP/8dm6CwnhXuB5IJF6tcmrP8qMyRusivP8vJ/CAl0CGhAGK7mzvA4v30eghRxdOMQU1afgYEQdjgAooUx1K4I/phOYtNowfmzMvro50gabBLkO4mInrSdt2aBNeYGRLrQQ4U=&60In=7wl5r0kQG9G http://www.bjogo.top/0ekp/?y_h6A2=pV4l2sJ5SKTfO2UKe3vpYQms7oDV9Z1ZTd//bSk12oBNtulDh+GDNLKspI2ybbM6Ulb9MujLBOrC2bz5gPibbXkxWVg5NcqV4sd6rfkPD23v8QrCPt85paxIo96ZJG6eSxv1+xA=&60In=7wl5r0kQG9G http://www.bjogo.top/0ekp/ http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
Hosts (15): www.82765.ltd() - www.bjogo.top() - www.031234103.xyz() - www.blissfuljo.life() - www.zkderby.xyz() - www.rds845.shop() - www.birbacher.online() - 156.224.194.237 - 144.76.229.203 - 217.160.0.24 - 43.251.56.161 - 148.72.247.70 - 162.0.225.218 - 13.248.169.48 - 45.33.6.223
Alerts (5): ET INFO HTTP Request to Suspicious *.life Domain; ET DNS Query to a *.top domain - Likely Hostile; ET INFO Observed DNS Query to .life TLD; ET INFO HTTP Request to a *.top domain; ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
Score: 11.2

1890 | 2025-02-19 11:33 | ZeroCERT
File: mtyihjksfda.exe
MD5: eb12e94f260c4e66eb2dbc74bc44bb84
Tags: PE File PE32 unpack itself ComputerName crashed
Score: 1.6