286 |
2024-09-07 17:06
|
sheisgoodgirlaroundmewholovedm... 2aaf86224ef3338f2f4817f3684487b4 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://204.44.124.137/452/storedbananagreattastysweetgiftforyou.tIF
|
3
ia803104.us.archive.org(207.241.232.154) - malware 204.44.124.137 - mailcious
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
28 |
ZeroCERT
287 |
2024-09-07 17:05
|
Chrome.exe f90a0ca2766ad3e02c15fe5622546d01 Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Creates executable files |
|
|
|
|
2.4 |
M |
24 |
ZeroCERT
288 |
2024-09-07 17:04
|
verynicegirlwantihavetokissher... afb14dcb82dbb041183e8d492c415a13 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://107.173.4.10/119/cutebabygirlwantmetosweetname.Tif
|
3
archive.org(207.241.224.2) - mailcious 207.241.224.2 - mailcious
107.173.4.10 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
41 |
ZeroCERT
289 |
2024-09-07 17:04
|
equitozzmondayMPDW-constraints... ac45ec4efd718861d4c51a619be863a1 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware 207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
4 |
ZeroCERT
290 |
2024-09-07 17:02
|
Installer.exe dcb050a81038862531cf2e23a095dbd0 Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
38 |
ZeroCERT
291 |
2024-09-07 16:30
|
mony.exe d3d04b9a91899184dd243d0c9339928a Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
|
1
|
|
|
4.2 |
M |
55 |
guest
292 |
2024-09-06 15:38
|
http://213.21.220.222:8080 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
1
213.21.220.222 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
6.4 |
|
|
guest
293 |
2024-09-06 14:32
|
MeMpEng.exe cf43fda6634d7674690c8eaf6c348816 Formbook Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGen Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS |
19
|
21
www.onlytradez.club(167.172.133.32) - mailcious www.zenzip.xyz(203.161.46.201) - mailcious www.inmotarget.online() - mailcious www.sgcwin77rtplive.fun() - mailcious www.foundation-repair.biz(199.59.243.226) - mailcious www.kej-sii.cloud() - mailcious www.2886080.xyz(103.249.106.91) - mailcious www.32wxd.top(206.119.82.116) - mailcious www.d71dg.top(154.23.184.60) - mailcious www.meetfactory.biz(72.14.185.43) - mailcious www.51cc.top(216.83.36.195) - mailcious 103.249.106.91 - mailcious 98.124.224.17 - mailcious 167.172.133.32 - mailcious 216.83.36.195 - mailcious 199.59.243.226 - phishing 203.161.46.201 - mailcious 206.119.82.116 - mailcious 45.33.6.223 198.58.118.167 - mailcious 154.23.184.60 - mailcious
|
6
ET INFO HTTP Request to a *.top domain ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1 ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2 ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3 ET DNS Query to a *.top domain - Likely Hostile ET INFO Observed DNS Query to .biz TLD
|
18
|
6.4 |
M |
18 |
ZeroCERT
294 |
2024-09-06 14:23
|
66d97993e0460_stealc_w9.vmp.ex... a79fa370fdeecbb187f96558a76534b5 Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware |
|
|
|
|
2.2 |
M |
51 |
ZeroCERT
295 |
2024-09-06 14:21
|
66ba1a1880f9e_crypta.exe#kiscr a8b732ee59958581b2d5c62bb5b60c7a Stealc Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library Malicious Packer .NET framework(MSIL) UPX ASPack Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Malware download FTP Client Info Stealer VirusTotal Malware c&c Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Software plugin |
3
http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194 http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll http://193.176.190.41/ - rule_id: 42195
|
1
193.176.190.41 - mailcious
|
8
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
2
http://193.176.190.41/2fa883eebd632382.php http://193.176.190.41/
|
16.4 |
M |
55 |
ZeroCERT
296 |
2024-09-06 14:21
|
66d98aa7bea3e_newPrime.exe#rea... c4d092354c3f964ee1d9671f2517a6c9 Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName Remote Code Execution |
|
|
|
|
3.6 |
M |
43 |
ZeroCERT
297 |
2024-09-06 14:19
|
66d9da4dc547c_vrge12.exe#d12 b34fcafdfc4ddbe4db51b22dd618b8d9 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
2
http://147.45.68.138/ - rule_id: 42298 http://147.45.68.138/sql.dll
|
1
147.45.68.138 - mailcious
|
5
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
1
|
13.6 |
M |
41 |
ZeroCERT
298 |
2024-09-06 14:18
|
66d9de22f231f_crypted.exe#1 e600b6015b0312b52214f459fcc6f3c2 RedLine stealer Malicious Library Antivirus .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://x1.i.lencr.org/ https://smkn2sumbawabesar.sch.id/1.exe
|
5
x1.i.lencr.org(23.40.44.214) smkn2sumbawabesar.sch.id(194.163.35.141) 194.163.35.141 23.41.113.9 147.45.47.36 - malware
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.2 |
M |
44 |
ZeroCERT
299 |
2024-09-06 14:17
|
66d9da52f20ba_vghew.exe#space 5f7bdc962aa76f272673ffb86ae8d634 Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Malicious Library Antivirus UPX Malicious Packer Http API PWS HTTP Code injection Internet API ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processo Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
11
http://46.29.235.52/lnef.exe http://46.29.235.52/vjgg.exe http://147.45.68.138/mozglue.dll http://147.45.68.138/softokn3.dll http://147.45.68.138/freebl3.dll http://147.45.68.138/nss3.dll http://147.45.68.138/sql.dll http://147.45.68.138/ - rule_id: 42298 http://147.45.68.138/msvcp140.dll http://147.45.68.138/vcruntime140.dll https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
7
t.me(149.154.167.99) - mailcious steamcommunity.com(104.75.41.21) - mailcious 149.154.167.99 - mailcious 116.203.6.46 - mailcious 104.76.74.15 147.45.68.138 - mailcious 46.29.235.52 - malware
|
15
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
2
http://147.45.68.138/ https://steamcommunity.com/profiles/76561199768374681
|
19.8 |
M |
41 |
ZeroCERT
300 |
2024-09-06 14:17
|
TikTokTool24.exe 3c0bc60ec3907224b9720d80bf799281 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
5.8 |
M |
30 |
ZeroCERT