| 2716 |
2024-06-25 07:57
|
 Main.exe 9ec7f08c85bfa1b267761f225b68ab0b
Malicious Library Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware Telegram MachineGuid Malicious Traffic WMI Tofsee ComputerName DNS crashed |
2
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
5.75.208.137
104.76.78.101 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
|
6.2 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2717 |
2024-06-25 07:55
|
 pic2.exe 5f9be6e22310cc089a32fac1d037ced4
UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2718 |
2024-06-25 07:55
|
 288c47bbc1871b439df19ff4df68f0... ba354d029f0e09cb6b02a4c196524da4
Generic Malware Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
3.6 |
|
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2719 |
2024-06-25 07:53
|
 chromedriver.exe 7e9e5a3bb475784e3fd62cd8ec68901b
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2720 |
2024-06-25 07:52
|
 cap.exe 22e35bea6a2653c8393db13a83b0cf97
Malicious Library PE File PE64 VirusTotal Malware Buffer PE PDB MachineGuid Check memory Checks debugger buffers extracted unpack itself crashed |
|
|
|
|
3.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2721 |
2024-06-25 07:52
|
 num.exe 919db35f2bf4dad6dd23e16b68dbb205
Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName Firmware DNS Software crashed plugin |
8
http://85.28.47.4/69934896f997d5bb/freebl3.dll
http://85.28.47.4/69934896f997d5bb/nss3.dll
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
http://85.28.47.4/69934896f997d5bb/mozglue.dll
http://85.28.47.4/69934896f997d5bb/softokn3.dll
http://85.28.47.4/920475a59bac849d.php
http://85.28.47.4/69934896f997d5bb/msvcp140.dll
http://85.28.47.4/69934896f997d5bb/sqlite3.dll
|
1
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
11.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2722 |
2024-06-25 07:48
|
 288c47bbc1871b439df19ff4df68f0... 4645adc87acf83b55edff3c5ce2fc28e
Generic Malware Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
3.6 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2723 |
2024-06-25 07:48
|
 e0cbefcb1af40c7d4aff4aca26621a... 78a9e69486fa214a1af7dc245ab3ec06
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
|
66 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2724 |
2024-06-25 07:46
|
 Videopro02.exe 7d91ac0d3852641715e5248d384d27c7
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.2 |
|
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2725 |
2024-06-25 07:44
|
 ExtExport2.exe 901a623dbccaa22525373cd36195ee14
Suspicious_Script_Bin UPX PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces IP Check installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.38.142.10:7474/
|
8
ipinfo.io(34.117.186.192)
api.ipify.org(172.67.74.152)
api.ip.sb(104.26.13.31)
172.67.75.172 - mailcious
34.117.186.192
104.26.12.205
185.38.142.10
114.108.166.82
|
8
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SURICATA HTTP unable to match response to request
|
|
9.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2726 |
2024-06-25 07:44
|
 3.exe 62ae0796c580559b876ecd052ddf80c4
Malicious Library PE File PE32 VirusTotal Malware |
|
|
|
|
1.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2727 |
2024-06-25 05:38
|
70f316a5492848bb_down[1] 555e83ce7f5d280d7454af334571fb25
AntiDebug AntiVM PNG Format Email Client Info Stealer Code Injection Check memory Checks debugger unpack itself installed browsers check Browser Email |
|
|
|
|
3.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2728 |
2024-06-25 05:37
|
a8ae8647bbcca480_recoverystore... bc10f337c3a77c5f9d4bf6a20049e31e
AntiDebug AntiVM MSOffice File Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2729 |
2024-06-25 05:29
|
http://l.instagram.com/?235901...
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
https://business.instagram.com/micro_site/url/?event_type=click
https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
|
3
l.instagram.com(157.240.11.52)
business.instagram.com(157.240.11.52)
157.240.215.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2730 |
2024-06-25 05:29
|
https://business.instagram.com...
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
https://business.instagram.com/micro_site/url/?event_type=click
|
2
business.instagram.com(157.240.11.52)
157.240.215.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|