271 | 2024-09-09 09:46 | vrgeh.exe a8fef7b198fa122ead5bcf5b84f2737b Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
https://t.me/fneogr
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.74.15) - mailcious
149.154.167.99 - mailcious
78.47.207.136
118.215.187.181 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 | M | 47 | ZeroCERT

272 | 2024-09-09 09:46 | 66dcab0bcba58_crypted.exe 751e3d161454b4c4aa4cf9ff902ebe1c Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
2.6 | M | 41 | ZeroCERT

273 | 2024-09-08 10:58 | Channel4.exe 12bba7bf40ba77b0ab322d8626dab9aa Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 DLL Malware download VirusTotal Malware Malicious Traffic AppData folder suspicious TLD CryptBot DNS |
1
http://tventyv20sb.top/v1/upload.php
|
2
tventyv20sb.top(194.87.248.136)
194.87.248.136
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
|
3.6 | M | 43 | ZeroCERT

274 | 2024-09-08 10:57 | ukr8it4vvz.dll 9c4b2945fb17a2d8e1f9eb357262844a Malicious Library Malicious Packer PE File DLL PE32 .NET DLL VirusTotal Malware |
1.2 | | 49 | ZeroCERT

275 | 2024-09-08 10:55 | ukr8it4vvz.dll 9c4b2945fb17a2d8e1f9eb357262844a Malicious Library Malicious Packer PE File DLL PE32 .NET DLL VirusTotal Malware |
1.2 | | 49 | ZeroCERT

276 | 2024-09-08 10:53 | 123.exe 36626d47f99914551e3d5a1691b48a50 Generic Malware Malicious Library UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware RWX flags setting unpack itself AppData folder Remote Code Execution DNS crashed |
3
http://27.25.150.29:20246/api.php?api=kmlogon&app=10000&kami=clEU5yRUaj&markcode=clEU5yRUaj&sign=c10fda4b223ff2f185babccf765c122b
http://27.25.150.29:20246/Re.php
http://27.25.150.29:20246/km.php?km=clEU5yRUaj
|
2
23.224.55.203
27.25.150.29
|
5.4 | M | 40 | ZeroCERT

277 | 2024-09-08 10:49 | RNOLL.txt.exe ec6ab34d1735320d12edba8b85825e52 Browser Login Data Stealer Generic Malware Malicious Library Downloader Malicious Packer UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
ugnrv.duckdns.org(192.3.101.254)
178.237.33.50
192.3.101.254
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
|
9.2 | | | ZeroCERT

278 | 2024-09-08 10:46 | WERFFG.txt.exe 432ea49d6aeb2594b6a554bbba941f92 Browser Login Data Stealer Generic Malware Malicious Library Downloader Malicious Packer UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
dremom2.duckdns.org(45.89.247.65)
178.237.33.50
45.89.247.65
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
9.8 | | | ZeroCERT

279 | 2024-09-07 17:16 | wescreenthepicturewithbuttersm... 99b11bad85fe65119b8abda67e671e46 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
https://archive.org/download/new_image_vbs/new_image_vbs.jpg
http://85.239.241.184/35/WERFFG.txt
|
3
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
45.33.6.223
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
8.2 | M | 4 | ZeroCERT

280 | 2024-09-07 17:16 | storedbananagreattastysweetgif... 6cd9e1a494df3c7bfa955d7a6ae9ed2a Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
7.6 | M | 4 | ZeroCERT

281 | 2024-09-07 17:16 | cutebabygirlwantmetosweetname.... 44ae01e9018c47c3ed86735fbc3111df Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://archive.org/download/new_image_vbs/new_image_vbs.jpg
http://107.173.4.10/119/RNOLL.txt
|
2
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
7.6 | M | 6 | ZeroCERT

282 | 2024-09-07 17:11 | sky.js c78d4d6ec350000ceba0d488df6239ab Suspicious_Script_Bin Generic Malware Malicious Library UPX Antivirus ZIP Format PE File DLL PE32 OS Processor Check MSOffice File VirusTotal Malware AutoRuns Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder Windows Java ComputerName DNS DDNS crashed |
9
objects.githubusercontent.com(185.199.111.133) - malware
github.com(20.200.245.247) - mailcious
papacy.ddns.net(146.70.54.98) - mailcious
papacy.line.pm()
repo1.maven.org(199.232.196.209)
151.101.196.209
185.199.110.133 - malware
146.70.54.98
20.200.245.247 - malware
|
2
ET INFO DYNAMIC_DNS Query to a *.line .pm Domain
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
9.2 | M | 24 | ZeroCERT

283 | 2024-09-07 17:10 | BroyVyVPFAbkbpg.exe a6d68979cd445f96c05d3a8a5aed1a50 Generic Malware Malicious Library .NET framework(MSIL) Antivirus UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself suspicious process AppData folder suspicious TLD WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
8
http://www.angelenterprise.biz/7zy1/
http://www.top10countdown.info/9iyi/
http://www.erhgtfd.buzz/t10y/?XV8-Hz4=3aJdPJ1a4NI1qu7022ZDLsImYKXculCDO9eSpcnjY+C3XioScyu5qDWRAXoXYiiK/wxdMfYlyHmeWBY6mNj4y2sNHI32v3Z3h9LTFwVjjnhNagd2ZGKm57KEOaM2or23YfUkf78=&6J=y28pNUsNSBrnl
http://www.balclub.top/n6ow/?XV8-Hz4=38ktoOAqlsdBNOwtGPeqpwbXg8XZDhh9hx/T15WN4O7jP341BwXDLasP6fmFWq2yAUzs8E3bhhhZPnVzp6zBa61nEQGZ0KivGuaAZgdniVgPlbL6HIHWJWR+jF5IN+RJ3d250ww=&6J=y28pNUsNSBrnl
http://www.top10countdown.info/9iyi/?XV8-Hz4=TEW93add3/KADuasFVG+dG9MzmMDmk9DxIOIoqonj3JZHbyqUe8ztsbPa/1SzYtypAwxOGB/4yWtN2fN9AzrDYT25iswFDz0kbjUqI5iK6J1mBTFWIVA7pA4sKOe/YVmttHIQcg=&6J=y28pNUsNSBrnl
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.erhgtfd.buzz/t10y/
http://www.balclub.top/n6ow/
|
10
www.angelenterprise.biz(3.33.130.190)
www.balclub.top(63.250.47.40)
www.erhgtfd.buzz(45.33.30.197)
www.top10countdown.info(15.197.148.33)
www.kxshopmr.store()
15.197.148.33 - mailcious
63.250.47.40
3.33.130.190 - phishing
45.33.30.197 - mailcious
45.33.6.223
|
5
ET INFO HTTP Request to a *.buzz domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
|
12.4 | M | 33 | ZeroCERT

284 | 2024-09-07 17:08 | tm.vbs e0b9a7748f289bbcdac5546c26475fef VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
2
chongmei33.publicvm.com(46.246.82.84) - mailcious
46.246.82.84
|
1
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
10.0 | M | 29 | ZeroCERT

285 | 2024-09-07 17:06 | java.js 961caa8b91ecbca3ce8601dc4a515e51 Antivirus MSOffice File VirusTotal Malware Check memory heapspray unpack itself Java |
4.8 | M | 28 | ZeroCERT