| 2446 |
2024-07-07 18:55
|
 buildj.exe 7debc473f9ec83c3d000a57466eab9b2
Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
95.217.241.48 - mailcious
184.85.112.102
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199730044335
|
11.0 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2447 |
2024-07-07 18:53
|
 UGcLEmRAhjNb.exe f2a5c7e8313862aca9b7a6314ca73f3a
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.4 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2448 |
2024-07-07 18:50
|
 offic%E8%A1%A8%E6%A0%BCluck.ex... 06592a8ca068935d98a5ada152e3393d
UPX PE File PE64 VirusTotal Malware Remote Code Execution |
|
|
|
|
2.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2449 |
2024-07-07 18:48
|
 qwerty.ps1 b099d0ec774fccc05b662d86eaba027a
Hide_EXE Generic Malware Malicious Packer UPX Antivirus AntiDebug AntiVM PE File PE32 VirusTotal Malware powershell Buffer PE Code Injection Check memory buffers extracted heapspray Creates executable files RWX flags setting unpack itself powershell.exe wrote malicious URLs WriteConsoleW Windows crashed |
4
http://lastimaners.ug/zxcvb.exe - rule_id: 26228
http://lastimaners.ug/asdfg.exe - rule_id: 36174
http://lastimaners.ug/asdf.EXE
http://lastimaners.ug/zxcv.EXE
|
2
lastimaners.ug(91.215.85.223) - malware
91.215.85.223 - malware
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
ET POLICY PE EXE or DLL Windows file download HTTP
|
2
http://lastimaners.ug/zxcvb.exe
http://lastimaners.ug/asdfg.exe
|
10.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2450 |
2024-07-07 18:48
|
 PO%2012.04%20pdf.exe d90a72256615ac3ba74c924012fea42c
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
6.0 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2451 |
2024-07-07 18:48
|
 asdfg.exe a2a9c309c5300a53d2c2fc41b71b174b
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.6 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2452 |
2024-07-06 18:35
|
 build.exe 2dece3353cda5321fff7c92a697c37ee
Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
104.87.193.17
149.154.167.99 - mailcious
95.217.241.48 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199730044335
|
11.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2453 |
2024-07-06 18:33
|
 CoronaVirus.exe 055d1462f66a350d9886542d4d79bc2b
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself suspicious process sandbox evasion shadowcopy delete installed browsers check Ransomware Windows Browser ComputerName Remote Code Execution |
|
|
|
|
9.6 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2454 |
2024-07-06 18:31
|
 RedLineStealer.exe a957dc16d684fbd7e12fc87e8ee12fea
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.4 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2455 |
2024-07-06 18:30
|
 stealc_zov.exe 253ccac8a47b80287f651987c0c779ea
Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
8
http://40.86.87.10/b13597c85f807692/mozglue.dll
http://40.86.87.10/b13597c85f807692/msvcp140.dll
http://40.86.87.10/b13597c85f807692/sqlite3.dll
http://40.86.87.10/b13597c85f807692/softokn3.dll
http://40.86.87.10/b13597c85f807692/vcruntime140.dll
http://40.86.87.10/b13597c85f807692/nss3.dll
http://40.86.87.10/b13597c85f807692/freebl3.dll
http://40.86.87.10/108e010e8f91c38c.php
|
1
|
16
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
|
|
8.4 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2456 |
2024-07-06 18:29
|
 newbuild.exe 9ab4de8b2f2b99f009d32aa790cd091b
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
185.215.113.67 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
6.2 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2457 |
2024-07-06 18:27
|
 setup.exe 6b189fc6ddde33cba5c63e1dfec82b2a
Malicious Library PE File PE32 VirusTotal Malware Checks debugger WMI Creates executable files RWX flags setting unpack itself Checks Bios anti-virtualization ComputerName DNS |
|
1
|
|
|
5.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2458 |
2024-07-06 18:25
|
 leva.exe de1f91ae5c55b1cbbc6d6561464d7d99
Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
8
http://85.28.47.30/69934896f997d5bb/sqlite3.dll
http://85.28.47.30/69934896f997d5bb/softokn3.dll
http://85.28.47.30/69934896f997d5bb/vcruntime140.dll
http://85.28.47.30/920475a59bac849d.php
http://85.28.47.30/69934896f997d5bb/msvcp140.dll
http://85.28.47.30/69934896f997d5bb/nss3.dll
http://85.28.47.30/69934896f997d5bb/freebl3.dll
http://85.28.47.30/69934896f997d5bb/mozglue.dll
|
3
185.172.128.90 - mailcious
77.91.77.81 - mailcious
85.28.47.30 - mailcious
|
16
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
|
12.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2459 |
2024-07-06 18:25
|
 CryptoWall.exe 919034c8efb9678f96b47a20fa6199f2
ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted IP Check DNS |
2
http://myexternalip.com/raw
http://ip-addr.es/
|
10
myexternalip.com(34.117.118.44)
ip-addr.es(188.165.164.184)
34.117.118.44
91.121.12.127
188.165.164.184
94.247.28.26
94.247.31.19
185.172.128.90 - mailcious
209.148.85.151
94.247.28.156
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO HTTP Request for External IP Check (ip-addr .es)
ET POLICY External IP Check myexternalip.com
|
|
7.8 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2460 |
2024-07-06 18:22
|
 univ.exe 217b817f890ef7fc49dc9207d55d2a01
GCleaner Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic human activity check DNS |
1
http://185.172.128.90/cpa/name.php - rule_id: 39629
|
1
185.172.128.90 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
1
http://185.172.128.90/cpa/name.php
|
3.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|