| 286 |
2024-09-07 17:06
|
sheisgoodgirlaroundmewholovedm... 2aaf86224ef3338f2f4817f3684487b4
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://204.44.124.137/452/storedbananagreattastysweetgiftforyou.tIF
|
3
ia803104.us.archive.org(207.241.232.154) - malware
204.44.124.137 - mailcious
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 287 |
2024-09-07 17:05
|
 Chrome.exe f90a0ca2766ad3e02c15fe5622546d01
Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Creates executable files |
|
|
|
|
2.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 288 |
2024-09-07 17:04
|
verynicegirlwantihavetokissher... afb14dcb82dbb041183e8d492c415a13
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://107.173.4.10/119/cutebabygirlwantmetosweetname.Tif
|
3
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
107.173.4.10 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 289 |
2024-09-07 17:04
|
equitozzmondayMPDW-constraints... ac45ec4efd718861d4c51a619be863a1
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 290 |
2024-09-07 17:02
|
 Installer.exe dcb050a81038862531cf2e23a095dbd0
Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 291 |
2024-09-07 16:30
|
 mony.exe d3d04b9a91899184dd243d0c9339928a
Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS |
|
1
|
|
|
4.2 |
M |
55 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 292 |
2024-09-06 15:38
|
http://213.21.220.222:8080
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
1
213.21.220.222 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
6.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 293 |
2024-09-06 14:32
|
 MeMpEng.exe cf43fda6634d7674690c8eaf6c348816
Formbook Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGen Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS |
19
http://www.onlytradez.club/k1y3/?skJ-Lus=J7VJwuuG4HUA4bFTkbQEdxkpMEpXPBCRRs+F1x6QwwkcPlqAPKpQJUUQrtsDqb7Q+tjdIUGQwp4fGorxq2J//mB+PqSTwbyLcRM9dR0EDrcHS/LNmgUR990rINKp1m+e5VNnNrk=&pvx3S=Xzx0sFPmCssrV - rule_id: 42373
http://www.zenzip.xyz/9pad/?skJ-Lus=1a5ATRlanZ3ATSTMsvfkUs0ciM8umoJS8y8kT4HdOCMJyW9sS8tB9dhHCXeYKtsB5QysC2Hg2jCPifAM2S09CoHR88nq9oCTqozYG6NauxPM4LjmZuBJG1m7wEgFKI64QDVX+78=&pvx3S=Xzx0sFPmCssrV - rule_id: 42371
http://www.32wxd.top/fqtd/ - rule_id: 42374
http://www.32wxd.top/fqtd/?skJ-Lus=NOGaE4zNJ3vPzwJVq9flFF94in2IcnN0bsRklEYFuNltL64f812fYl1xoipxw6mqFzyE6nPBnWGndAD5Tl5FPYyUit02KiWxxW2zK2p9R7C5MnzH/2vAyX3OoZI/vgfMfT+cSXI=&pvx3S=Xzx0sFPmCssrV - rule_id: 42374
http://www.zenzip.xyz/9pad/ - rule_id: 42371
http://www.51cc.top/7i54/?skJ-Lus=SgV//QM+kZDZSmca7ISHR4U/9iG4TLn30ssUgf4MDLRPguhpDtuGIpE5eby1mFBEyx9n6ho2rfFD9SDq3nlePS+8rBqg/0cGFsBGWXu5QF07X9CUnUPZux9wfWAAZevyIeAs5Qc=&pvx3S=Xzx0sFPmCssrV - rule_id: 42370
http://www.foundation-repair.biz/5l7s/ - rule_id: 42369
http://www.foundation-repair.biz/5l7s/?skJ-Lus=5i9IxHyDCONgw46qIHGeUvwlYzbtgN8gQUqUIjK6jcHsfbLgiJ2s3wDRXgbc+h/bICwzf3ddx8E1HmjHsyEg1i4ki39GGAPq3qClCRMeu9QIBTg/A11C17kmPPIEN81gm2sAq9Q=&pvx3S=Xzx0sFPmCssrV - rule_id: 42369
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.2886080.xyz/eyiz/?skJ-Lus=XQ7d8vWNf2bTOhYYL6UJlqYAXy7Rg8V7tb7nan5iZXoOR23qJ7xYi6zjP0ZZPC1qNGRbW38doA+CklQhfBW16OH9GbU74opfrouVpsjlwzkQhOIIL+clvr6SJ5uB6xxabU5X5cQ=&pvx3S=Xzx0sFPmCssrV - rule_id: 42368
http://www.d71dg.top/qbiu/ - rule_id: 42375
http://www.2886080.xyz/eyiz/ - rule_id: 42368
http://www.51cc.top/7i54/ - rule_id: 42370
http://www.inmotarget.online/f94d/?skJ-Lus=qXxH1TkJqyQLN7K67UolPOrNVrH3EkVnBHKOJBevZlWzyIWqOcopXSkjMgAVQAiVcEwXsA2AXYdRBAjRF8/XmlFRLYiZtr82nLJKSk2mfCIs3NsTyuUwAMniQ4mBWHwlcbK0rUc=&pvx3S=Xzx0sFPmCssrV - rule_id: 42428
http://www.onlytradez.club/k1y3/ - rule_id: 42373
http://www.d71dg.top/qbiu/?skJ-Lus=cpFY4442L+Bmta8QONEKHiouDvWOZNVLDBDtb0iNjVMT9Lz9+WHyspHM09lzzQ6O3A+WaZO+gSWm6Q36us29ksmtCzg/K1sgttxXiQs+/4tLnxfFR1YWTQNZTBuvIfutPAZp0QU=&pvx3S=Xzx0sFPmCssrV - rule_id: 42375
http://www.inmotarget.online/f94d/ - rule_id: 42428
http://www.meetfactory.biz/xoqw/ - rule_id: 42372
http://www.meetfactory.biz/xoqw/?skJ-Lus=IHXCkUsJunCVOO2Hwv8L1/jebUXenMysZsXgVBD8KQgj+TIAwNGDK5EWhUbKXzAU4KMQODjr0cxiOqiC8Z91HBWngaVBBi9zW0XdtSpa8XSCv8AOb3sJWenXQ9ufn4pifwUOwgs=&pvx3S=Xzx0sFPmCssrV - rule_id: 42372
|
21
www.onlytradez.club(167.172.133.32) - mailcious
www.zenzip.xyz(203.161.46.201) - mailcious
www.inmotarget.online() - mailcious
www.sgcwin77rtplive.fun() - mailcious
www.foundation-repair.biz(199.59.243.226) - mailcious
www.kej-sii.cloud() - mailcious
www.2886080.xyz(103.249.106.91) - mailcious
www.32wxd.top(206.119.82.116) - mailcious
www.d71dg.top(154.23.184.60) - mailcious
www.meetfactory.biz(72.14.185.43) - mailcious
www.51cc.top(216.83.36.195) - mailcious
103.249.106.91 - mailcious
98.124.224.17 - mailcious
167.172.133.32 - mailcious
216.83.36.195 - mailcious
199.59.243.226 - phishing
203.161.46.201 - mailcious
206.119.82.116 - mailcious
45.33.6.223
198.58.118.167 - mailcious
154.23.184.60 - mailcious
|
6
ET INFO HTTP Request to a *.top domain
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Observed DNS Query to .biz TLD
|
18
http://www.onlytradez.club/k1y3/
http://www.zenzip.xyz/9pad/
http://www.32wxd.top/fqtd/
http://www.32wxd.top/fqtd/
http://www.zenzip.xyz/9pad/
http://www.51cc.top/7i54/
http://www.foundation-repair.biz/5l7s/
http://www.foundation-repair.biz/5l7s/
http://www.2886080.xyz/eyiz/
http://www.d71dg.top/qbiu/
http://www.2886080.xyz/eyiz/
http://www.51cc.top/7i54/
http://www.inmotarget.online/f94d/
http://www.onlytradez.club/k1y3/
http://www.d71dg.top/qbiu/
http://www.inmotarget.online/f94d/
http://www.meetfactory.biz/xoqw/
http://www.meetfactory.biz/xoqw/
|
6.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 294 |
2024-09-06 14:23
|
 66d97993e0460_stealc_w9.vmp.ex... a79fa370fdeecbb187f96558a76534b5
Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware |
|
|
|
|
2.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 295 |
2024-09-06 14:21
|
 66ba1a1880f9e_crypta.exe#kiscr a8b732ee59958581b2d5c62bb5b60c7a
Stealc Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library Malicious Packer .NET framework(MSIL) UPX ASPack Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Malware download FTP Client Info Stealer VirusTotal Malware c&c Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Software plugin |
3
http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll
http://193.176.190.41/ - rule_id: 42195
|
1
193.176.190.41 - mailcious
|
8
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
2
http://193.176.190.41/2fa883eebd632382.php
http://193.176.190.41/
|
16.4 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 296 |
2024-09-06 14:21
|
 66d98aa7bea3e_newPrime.exe#rea... c4d092354c3f964ee1d9671f2517a6c9
Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName Remote Code Execution |
|
|
|
|
3.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 297 |
2024-09-06 14:19
|
 66d9da4dc547c_vrge12.exe#d12 b34fcafdfc4ddbe4db51b22dd618b8d9
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
2
http://147.45.68.138/ - rule_id: 42298
http://147.45.68.138/sql.dll
|
1
147.45.68.138 - mailcious
|
5
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
1
|
13.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 298 |
2024-09-06 14:18
|
 66d9de22f231f_crypted.exe#1 e600b6015b0312b52214f459fcc6f3c2
RedLine stealer Malicious Library Antivirus .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://x1.i.lencr.org/
https://smkn2sumbawabesar.sch.id/1.exe
|
5
x1.i.lencr.org(23.40.44.214)
smkn2sumbawabesar.sch.id(194.163.35.141)
194.163.35.141
23.41.113.9
147.45.47.36 - malware
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.2 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 299 |
2024-09-06 14:17
|
 66d9da52f20ba_vghew.exe#space 5f7bdc962aa76f272673ffb86ae8d634
Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Malicious Library Antivirus UPX Malicious Packer Http API PWS HTTP Code injection Internet API ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processo Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
11
http://46.29.235.52/lnef.exe
http://46.29.235.52/vjgg.exe
http://147.45.68.138/mozglue.dll
http://147.45.68.138/softokn3.dll
http://147.45.68.138/freebl3.dll
http://147.45.68.138/nss3.dll
http://147.45.68.138/sql.dll
http://147.45.68.138/ - rule_id: 42298
http://147.45.68.138/msvcp140.dll
http://147.45.68.138/vcruntime140.dll
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.75.41.21) - mailcious
149.154.167.99 - mailcious
116.203.6.46 - mailcious
104.76.74.15
147.45.68.138 - mailcious
46.29.235.52 - malware
|
15
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
2
http://147.45.68.138/
https://steamcommunity.com/profiles/76561199768374681
|
19.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 300 |
2024-09-06 14:17
|
 TikTokTool24.exe 3c0bc60ec3907224b9720d80bf799281
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
5.8 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|