2626 |
2024-06-30 23:34
|
https://t.co/WRGTyuOptG 5d97f0c23481feb8b29ced43e5391035 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
t.co(117.18.232.195) - phishing 117.18.232.195 - phishing
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2627 |
2024-06-30 20:07
|
space.php 67cef2b94174d0883a8e8b9ad9c217c7 Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Malicious Packer .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199707802586
https://t.me/g067n
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious 149.154.167.99 - mailcious
65.109.243.105
23.1.179.144 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
16.4 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2628 |
2024-06-29 15:39
|
amadka.exe 7858fdd5d237ed2531bb9d0ac0a756bc PE File PE32 Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Checks debugger unpack itself Checks Bios Detects VMWare AppData folder VMware anti-virtualization Windows DNS crashed |
2
http://77.91.77.82/Hun4Ko/index.php
http://77.91.77.81/stealc/random.exe
|
2
77.91.77.82 - malware
77.91.77.81 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 8 ET MALWARE Amadey Bot Activity (POST)
|
|
10.6 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2629 |
2024-06-29 15:37
|
loaded28062024.exe 3db7f780cfc50d086820b95947a61e59 Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2630 |
2024-06-29 15:37
|
Photo.scr 1c16a630f64fcde9c94e5fa219374330 Generic Malware Malicious Library UPX PE File OS Processor Check VirusTotal Malware |
|
|
|
|
0.6 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2631 |
2024-06-29 15:31
|
XClient2.exe 7b20c6c1ae8a7fb30666a20540ed992a Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2632 |
2024-06-29 15:29
|
UpdateSetup.exe a492c3a7274138520cb977971fb13fb5 Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2633 |
2024-06-29 15:28
|
Slovakia.exe ee1ffa80e2398a0f01a99856c1189b21 Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2634 |
2024-06-29 15:27
|
XClient1.exe dedb302aba9b69536c287633fbe41f5d Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName keylogger |
|
|
|
|
6.2 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2635 |
2024-06-29 15:26
|
XClientx3.exe 1fee5ce12cd61659dd46575a2e378361 Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2636 |
2024-06-29 15:25
|
ot.o.o.ooo.doc b0d399c7eee1ee84aa8e55b81a4ac56f MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://51.81.235.253/44155/amazingflowerspcitureshere.gif https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652 https://paste.ee/d/I1BAU
|
5
paste.ee(104.21.84.67) - mailcious uploaddeimagens.com.br(104.21.45.138) - malware 104.21.84.67 - malware 51.81.235.253 - mailcious 172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2637 |
2024-06-29 15:24
|
lamda.cmd b9b513ba600e0bbf6f72129ba99ba72e Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger heapspray Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
6
http://45.88.91.103/LgGFdDAm/AntiVirus.exe
http://45.88.91.103/LgGFdDAm/AntiVirus2.exe
http://45.88.91.103/LgGFdDAm/AntiVirus3.exe
http://45.88.91.103/LgGFdDAm/AntiVirus4.exe
http://45.88.91.103/LgGFdDAm/main.exe
http://45.88.91.103/LgGFdDAm/main2.exe
|
|
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2638 |
2024-06-29 15:24
|
neste.exe b3badd1cd2cba4f587bd6737d34d3569 Gen1 EnigmaProtector Generic Malware Malicious Packer Malicious Library UPX PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://85.28.47.4/69934896f997d5bb/freebl3.dll
http://85.28.47.4/69934896f997d5bb/nss3.dll
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
http://85.28.47.4/69934896f997d5bb/mozglue.dll
http://85.28.47.4/69934896f997d5bb/softokn3.dll
http://85.28.47.4/920475a59bac849d.php - rule_id: 40635
http://85.28.47.4/69934896f997d5bb/msvcp140.dll
http://85.28.47.4/69934896f997d5bb/sqlite3.dll
http://77.91.77.81/mine/amadka.exe
|
2
85.28.47.4 - mailcious
77.91.77.81 - mailcious
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
1
http://85.28.47.4/920475a59bac849d.php
|
10.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2639 |
2024-06-29 15:23
|
go.exe a8a5bb77ad9c654a552178b562d8f860 Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AS5LTARyH5Kd-rVBKeWnqUj906AGGHofujSb8AgwWKsTypD2yBBYr3WBtOnUhGtxSOgxIU3lQHJc9Q https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AS5LTARz2rTindXOxtKWlV36tkFtVGW8sAyWc6Y640azCnTxNjcf0x1986tGgMcPtexJF55x92Pocw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023256178%3A1719641978822264 https://accounts.google.com/generate_204?e342lA https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
6
ssl.gstatic.com(142.250.206.195) accounts.google.com(74.125.23.84) www.google.com(142.250.206.196) 142.250.71.163 216.58.203.68 74.125.203.84
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2640 |
2024-06-29 15:20
|
XClient.exe ada4045ee6399dc5733826a4d7e43a10 Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
|
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|