| 2656 |
2024-06-28 12:59
|
 setup.exe 578b99fc6beb29265631e1dffe80a719
Malicious Library UPX DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Windows Remote Code Execution |
|
|
|
|
8.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2657 |
2024-06-28 12:56
|
bh.h.h.h.hhhhh.doC 71ee0c2a6053262bfceb4cd2b0aa4117
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://172.232.175.155/88122/flowersarebautifulforeveryonegraden.gif
https://paste.ee/d/oB1cd
|
3
paste.ee(104.21.84.67) - mailcious
172.232.175.155 - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2658 |
2024-06-28 12:54
|
fe.ee.e.e.eee.doc b42c7a60e045a89970b33577980acd7d
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed |
1
http://103.186.67.211/22133/beautifulimagesflowersraininggood.gif
|
2
103.186.67.211 - mailcious
66.70.160.254 - mailcious
|
|
|
6.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2659 |
2024-06-28 12:54
|
hd.d.d.d.dddd.doC 147baf4802996992bb3346811ce5e373
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Exploit DNS crashed |
1
http://51.81.235.253/66166/catcallingfemalecattogiveflowersgreat.gif
|
2
66.70.160.254 - mailcious
51.81.235.253 - mailcious
|
|
|
6.6 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2660 |
2024-06-28 12:53
|
 random.exe 97ddaf205149ee9833a9b79cbfa33e68
Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS crashed plugin |
8
http://85.28.47.4/69934896f997d5bb/freebl3.dll
http://85.28.47.4/69934896f997d5bb/nss3.dll
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
http://85.28.47.4/69934896f997d5bb/mozglue.dll
http://85.28.47.4/69934896f997d5bb/softokn3.dll
http://85.28.47.4/920475a59bac849d.php - rule_id: 40635
http://85.28.47.4/69934896f997d5bb/msvcp140.dll
http://85.28.47.4/69934896f997d5bb/sqlite3.dll
|
1
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
1
http://85.28.47.4/920475a59bac849d.php
|
8.2 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2661 |
2024-06-28 12:53
|
sw.w.w.w.www.doc 80e1ba7b421fd01f5319de00cf5420f7
MS_RTF_Obfuscation_Objects RTF File doc Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://198.46.178.144/wednesdayfile.jpeg
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498
https://paste.ee/d/RgwiL
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
172.67.187.200 - mailcious
198.46.178.144 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2662 |
2024-06-28 12:50
|
au.u.u.u.uuuu.doc d268f6028d5fcdb70bf64bf7419852a4
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed |
1
http://103.186.67.211/44155/sweetflowerislookbeautifulhereimages.gif
|
2
103.186.67.211 - mailcious
66.70.160.254 - mailcious
|
|
|
6.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2663 |
2024-06-28 12:50
|
 alex5555555.exe a80a86c701801cbd77cf7406be6d11f0
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.4 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2664 |
2024-06-28 12:48
|
 alphazxv.scr e4979c53302e30f656edf76043b5944a
LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://midwestsoil.top/alpha/five/fre.php
|
2
midwestsoil.top(104.21.23.190)
172.67.212.234
|
8
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP Request to a *.top domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
|
|
16.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2665 |
2024-06-28 12:47
|
 intalls555.exe 7e30a1a92f86e8e0a25154b1521d0588
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram suspicious privilege MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger |
|
2
api.telegram.org(149.154.167.220)
149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2666 |
2024-06-28 12:46
|
 %E5%9B%BD%E5%BA%86%E5%BB%B6%E8... d0e72468c01cf13b48c0a5ee2a310cb2
Malicious Library PE File PE64 VirusTotal Malware RWX flags setting DNS crashed |
|
1
|
|
|
4.0 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2667 |
2024-06-28 12:45
|
 123.exe cd581d68ed550455444ee6e099c44266
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check PNG Format MSOffice File JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://x1.i.lencr.org/
https://moreapp4you.online/George.exe - rule_id: 40536
|
10
x1.i.lencr.org(23.52.33.11)
moreapp4you.online(31.31.196.208) - malware
iplogger.co(104.21.82.93)
77.91.77.81 - mailcious
23.41.113.9
31.31.196.208 - mailcious
121.254.136.74
104.21.82.93
121.254.136.9
185.215.113.67 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://moreapp4you.online/George.exe
|
12.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2668 |
2024-06-28 12:44
|
 chisel.exe 6ddee3e7fa0969931f9ec465e9c8965a
Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.6 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2669 |
2024-06-28 12:42
|
 mimikatz.exe e930b05efe23891d19bc354a4209be3e
Generic Malware Malicious Packer UPX PE File PE64 VirusTotal Malware Check memory WriteConsoleW |
|
|
|
|
1.6 |
|
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2670 |
2024-06-27 18:24
|
 system.exe e920056a531d4a0635ba526fabeda4ce
Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files crashed |
|
|
|
|
2.4 |
|
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|