| 271 |
2024-09-09 09:46
|
 vrgeh.exe a8fef7b198fa122ead5bcf5b84f2737b
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
https://t.me/fneogr
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.74.15) - mailcious
149.154.167.99 - mailcious
78.47.207.136
118.215.187.181 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 272 |
2024-09-09 09:46
|
 66dcab0bcba58_crypted.exe 751e3d161454b4c4aa4cf9ff902ebe1c
Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 273 |
2024-09-08 10:58
|
 Channel4.exe 12bba7bf40ba77b0ab322d8626dab9aa
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 DLL Malware download VirusTotal Malware Malicious Traffic AppData folder suspicious TLD CryptBot DNS |
1
http://tventyv20sb.top/v1/upload.php
|
2
tventyv20sb.top(194.87.248.136)
194.87.248.136
|
3
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
|
|
3.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 274 |
2024-09-08 10:57
|
 ukr8it4vvz.dll 9c4b2945fb17a2d8e1f9eb357262844a
Malicious Library Malicious Packer PE File DLL PE32 .NET DLL VirusTotal Malware |
|
|
|
|
1.2 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 275 |
2024-09-08 10:55
|
 ukr8it4vvz.dll 9c4b2945fb17a2d8e1f9eb357262844a
Malicious Library Malicious Packer PE File DLL PE32 .NET DLL VirusTotal Malware |
|
|
|
|
1.2 |
|
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 276 |
2024-09-08 10:53
|
 123.exe 36626d47f99914551e3d5a1691b48a50
Generic Malware Malicious Library UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware RWX flags setting unpack itself AppData folder Remote Code Execution DNS crashed |
3
http://27.25.150.29:20246/api.php?api=kmlogon&app=10000&kami=clEU5yRUaj&markcode=clEU5yRUaj&sign=c10fda4b223ff2f185babccf765c122b
http://27.25.150.29:20246/Re.php
http://27.25.150.29:20246/km.php?km=clEU5yRUaj
|
2
23.224.55.203
27.25.150.29
|
|
|
5.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 277 |
2024-09-08 10:49
|
 RNOLL.txt.exe ec6ab34d1735320d12edba8b85825e52
Browser Login Data Stealer Generic Malware Malicious Library Downloader Malicious Packer UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
ugnrv.duckdns.org(192.3.101.254)
178.237.33.50
192.3.101.254
|
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
|
|
9.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 278 |
2024-09-08 10:46
|
 WERFFG.txt.exe 432ea49d6aeb2594b6a554bbba941f92
Browser Login Data Stealer Generic Malware Malicious Library Downloader Malicious Packer UPX ScreenShot AntiDebug AntiVM PE File PE32 OS Processor Check Browser Info Stealer Remcos Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check installed browsers check Browser Email ComputerName DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
dremom2.duckdns.org(45.89.247.65)
178.237.33.50
45.89.247.65
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
9.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 279 |
2024-09-07 17:16
|
wescreenthepicturewithbuttersm... 99b11bad85fe65119b8abda67e671e46
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
https://archive.org/download/new_image_vbs/new_image_vbs.jpg
http://85.239.241.184/35/WERFFG.txt
|
3
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
45.33.6.223
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.2 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 280 |
2024-09-07 17:16
|
storedbananagreattastysweetgif... 6cd9e1a494df3c7bfa955d7a6ae9ed2a
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 281 |
2024-09-07 17:16
|
cutebabygirlwantmetosweetname.... 44ae01e9018c47c3ed86735fbc3111df
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://archive.org/download/new_image_vbs/new_image_vbs.jpg
http://107.173.4.10/119/RNOLL.txt
|
2
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 282 |
2024-09-07 17:11
|
 sky.js c78d4d6ec350000ceba0d488df6239ab
Suspicious_Script_Bin Generic Malware Malicious Library UPX Antivirus ZIP Format PE File DLL PE32 OS Processor Check MSOffice File VirusTotal Malware AutoRuns Check memory buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder Windows Java ComputerName DNS DDNS crashed |
|
9
objects.githubusercontent.com(185.199.111.133) - malware
github.com(20.200.245.247) - mailcious
papacy.ddns.net(146.70.54.98) - mailcious
papacy.line.pm()
repo1.maven.org(199.232.196.209)
151.101.196.209
185.199.110.133 - malware
146.70.54.98
20.200.245.247 - malware
|
2
ET INFO DYNAMIC_DNS Query to a *.line .pm Domain
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
9.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 283 |
2024-09-07 17:10
|
 BroyVyVPFAbkbpg.exe a6d68979cd445f96c05d3a8a5aed1a50
Generic Malware Malicious Library .NET framework(MSIL) Antivirus UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself suspicious process AppData folder suspicious TLD WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
8
http://www.angelenterprise.biz/7zy1/
http://www.top10countdown.info/9iyi/
http://www.erhgtfd.buzz/t10y/?XV8-Hz4=3aJdPJ1a4NI1qu7022ZDLsImYKXculCDO9eSpcnjY+C3XioScyu5qDWRAXoXYiiK/wxdMfYlyHmeWBY6mNj4y2sNHI32v3Z3h9LTFwVjjnhNagd2ZGKm57KEOaM2or23YfUkf78=&6J=y28pNUsNSBrnl
http://www.balclub.top/n6ow/?XV8-Hz4=38ktoOAqlsdBNOwtGPeqpwbXg8XZDhh9hx/T15WN4O7jP341BwXDLasP6fmFWq2yAUzs8E3bhhhZPnVzp6zBa61nEQGZ0KivGuaAZgdniVgPlbL6HIHWJWR+jF5IN+RJ3d250ww=&6J=y28pNUsNSBrnl
http://www.top10countdown.info/9iyi/?XV8-Hz4=TEW93add3/KADuasFVG+dG9MzmMDmk9DxIOIoqonj3JZHbyqUe8ztsbPa/1SzYtypAwxOGB/4yWtN2fN9AzrDYT25iswFDz0kbjUqI5iK6J1mBTFWIVA7pA4sKOe/YVmttHIQcg=&6J=y28pNUsNSBrnl
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
http://www.erhgtfd.buzz/t10y/
http://www.balclub.top/n6ow/
|
10
www.angelenterprise.biz(3.33.130.190)
www.balclub.top(63.250.47.40)
www.erhgtfd.buzz(45.33.30.197)
www.top10countdown.info(15.197.148.33)
www.kxshopmr.store()
15.197.148.33 - mailcious
63.250.47.40
3.33.130.190 - phishing
45.33.30.197 - mailcious
45.33.6.223
|
5
ET INFO HTTP Request to a *.buzz domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
|
|
12.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 284 |
2024-09-07 17:08
|
 tm.vbs e0b9a7748f289bbcdac5546c26475fefVirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS Dropper |
|
2
chongmei33.publicvm.com(46.246.82.84) - mailcious
46.246.82.84
|
1
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
|
|
10.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 285 |
2024-09-07 17:06
|
 java.js 961caa8b91ecbca3ce8601dc4a515e51
Antivirus MSOffice File VirusTotal Malware Check memory heapspray unpack itself Java |
|
|
|
|
4.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|