#301  2024-09-07 17:08
Sample: tm.vbs
MD5: e0b9a7748f289bbcdac5546c26475fef
Tags: VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS DDNS Dropper
Hosts (2):
  chongmei33.publicvm.com(46.246.82.84) - malicious
  46.246.82.84
Alerts (1):
  ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
Score: 10.0 | M | 29 | ZeroCERT

#302  2024-09-07 17:06
Sample: java.js
MD5: 961caa8b91ecbca3ce8601dc4a515e51
Tags: Antivirus MSOffice File VirusTotal Malware Check memory heapspray unpack itself Java
Score: 4.8 | M | 28 | ZeroCERT

#303  2024-09-07 17:06
Sample: sheisgoodgirlaroundmewholovedm...
MD5: 2aaf86224ef3338f2f4817f3684487b4
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (1):
  http://204.44.124.137/452/storedbananagreattastysweetgiftforyou.tIF
Hosts (3):
  ia803104.us.archive.org(207.241.232.154) - malware
  204.44.124.137 - malicious
  207.241.232.154 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.4 | M | 28 | ZeroCERT

#304  2024-09-07 17:05
Sample: Chrome.exe
MD5: f90a0ca2766ad3e02c15fe5622546d01
Tags: Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Creates executable files
Score: 2.4 | M | 24 | ZeroCERT

#305  2024-09-07 17:04
Sample: verynicegirlwantihavetokissher...
MD5: afb14dcb82dbb041183e8d492c415a13
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1):
  http://107.173.4.10/119/cutebabygirlwantmetosweetname.Tif
Hosts (3):
  archive.org(207.241.224.2) - malicious
  207.241.224.2 - malicious
  107.173.4.10 - malicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.8 | M | 41 | ZeroCERT

#306  2024-09-07 17:04
Sample: equitozzmondayMPDW-constraints...
MD5: ac45ec4efd718861d4c51a619be863a1
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1):
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Hosts (2):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | M | 4 | ZeroCERT

#307  2024-09-07 17:02
Sample: Installer.exe
MD5: dcb050a81038862531cf2e23a095dbd0
Tags: Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself
Score: 2.6 | M | 38 | ZeroCERT

#308  2024-09-07 16:30
Sample: mony.exe
MD5: d3d04b9a91899184dd243d0c9339928a
Tags: Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces ComputerName DNS
Hosts: 1 (not listed)
Score: 4.2 | M | 55 | guest

#309  2024-09-06 15:38
Sample: http://213.21.220.222:8080
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (1):
  213.21.220.222 - malicious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 6.4 | guest

#310  2024-09-06 14:32
Sample: MeMpEng.exe
MD5: cf43fda6634d7674690c8eaf6c348816
Tags: Formbook Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGen Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS
URLs (19):
  http://www.onlytradez.club/k1y3/?skJ-Lus=J7VJwuuG4HUA4bFTkbQEdxkpMEpXPBCRRs+F1x6QwwkcPlqAPKpQJUUQrtsDqb7Q+tjdIUGQwp4fGorxq2J//mB+PqSTwbyLcRM9dR0EDrcHS/LNmgUR990rINKp1m+e5VNnNrk=&pvx3S=Xzx0sFPmCssrV - rule_id: 42373
  http://www.zenzip.xyz/9pad/?skJ-Lus=1a5ATRlanZ3ATSTMsvfkUs0ciM8umoJS8y8kT4HdOCMJyW9sS8tB9dhHCXeYKtsB5QysC2Hg2jCPifAM2S09CoHR88nq9oCTqozYG6NauxPM4LjmZuBJG1m7wEgFKI64QDVX+78=&pvx3S=Xzx0sFPmCssrV - rule_id: 42371
  http://www.32wxd.top/fqtd/ - rule_id: 42374
  http://www.32wxd.top/fqtd/?skJ-Lus=NOGaE4zNJ3vPzwJVq9flFF94in2IcnN0bsRklEYFuNltL64f812fYl1xoipxw6mqFzyE6nPBnWGndAD5Tl5FPYyUit02KiWxxW2zK2p9R7C5MnzH/2vAyX3OoZI/vgfMfT+cSXI=&pvx3S=Xzx0sFPmCssrV - rule_id: 42374
  http://www.zenzip.xyz/9pad/ - rule_id: 42371
  http://www.51cc.top/7i54/?skJ-Lus=SgV//QM+kZDZSmca7ISHR4U/9iG4TLn30ssUgf4MDLRPguhpDtuGIpE5eby1mFBEyx9n6ho2rfFD9SDq3nlePS+8rBqg/0cGFsBGWXu5QF07X9CUnUPZux9wfWAAZevyIeAs5Qc=&pvx3S=Xzx0sFPmCssrV - rule_id: 42370
  http://www.foundation-repair.biz/5l7s/ - rule_id: 42369
  http://www.foundation-repair.biz/5l7s/?skJ-Lus=5i9IxHyDCONgw46qIHGeUvwlYzbtgN8gQUqUIjK6jcHsfbLgiJ2s3wDRXgbc+h/bICwzf3ddx8E1HmjHsyEg1i4ki39GGAPq3qClCRMeu9QIBTg/A11C17kmPPIEN81gm2sAq9Q=&pvx3S=Xzx0sFPmCssrV - rule_id: 42369
  http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
  http://www.2886080.xyz/eyiz/?skJ-Lus=XQ7d8vWNf2bTOhYYL6UJlqYAXy7Rg8V7tb7nan5iZXoOR23qJ7xYi6zjP0ZZPC1qNGRbW38doA+CklQhfBW16OH9GbU74opfrouVpsjlwzkQhOIIL+clvr6SJ5uB6xxabU5X5cQ=&pvx3S=Xzx0sFPmCssrV - rule_id: 42368
  http://www.d71dg.top/qbiu/ - rule_id: 42375
  http://www.2886080.xyz/eyiz/ - rule_id: 42368
  http://www.51cc.top/7i54/ - rule_id: 42370
  http://www.inmotarget.online/f94d/?skJ-Lus=qXxH1TkJqyQLN7K67UolPOrNVrH3EkVnBHKOJBevZlWzyIWqOcopXSkjMgAVQAiVcEwXsA2AXYdRBAjRF8/XmlFRLYiZtr82nLJKSk2mfCIs3NsTyuUwAMniQ4mBWHwlcbK0rUc=&pvx3S=Xzx0sFPmCssrV - rule_id: 42428
  http://www.onlytradez.club/k1y3/ - rule_id: 42373
  http://www.d71dg.top/qbiu/?skJ-Lus=cpFY4442L+Bmta8QONEKHiouDvWOZNVLDBDtb0iNjVMT9Lz9+WHyspHM09lzzQ6O3A+WaZO+gSWm6Q36us29ksmtCzg/K1sgttxXiQs+/4tLnxfFR1YWTQNZTBuvIfutPAZp0QU=&pvx3S=Xzx0sFPmCssrV - rule_id: 42375
  http://www.inmotarget.online/f94d/ - rule_id: 42428
  http://www.meetfactory.biz/xoqw/ - rule_id: 42372
  http://www.meetfactory.biz/xoqw/?skJ-Lus=IHXCkUsJunCVOO2Hwv8L1/jebUXenMysZsXgVBD8KQgj+TIAwNGDK5EWhUbKXzAU4KMQODjr0cxiOqiC8Z91HBWngaVBBi9zW0XdtSpa8XSCv8AOb3sJWenXQ9ufn4pifwUOwgs=&pvx3S=Xzx0sFPmCssrV - rule_id: 42372
Hosts (21):
  www.onlytradez.club(167.172.133.32) - malicious
  www.zenzip.xyz(203.161.46.201) - malicious
  www.inmotarget.online() - malicious
  www.sgcwin77rtplive.fun() - malicious
  www.foundation-repair.biz(199.59.243.226) - malicious
  www.kej-sii.cloud() - malicious
  www.2886080.xyz(103.249.106.91) - malicious
  www.32wxd.top(206.119.82.116) - malicious
  www.d71dg.top(154.23.184.60) - malicious
  www.meetfactory.biz(72.14.185.43) - malicious
  www.51cc.top(216.83.36.195) - malicious
  103.249.106.91 - malicious
  98.124.224.17 - malicious
  167.172.133.32 - malicious
  216.83.36.195 - malicious
  199.59.243.226 - phishing
  203.161.46.201 - malicious
  206.119.82.116 - malicious
  45.33.6.223
  198.58.118.167 - malicious
  154.23.184.60 - malicious
Alerts (6):
  ET INFO HTTP Request to a *.top domain
  ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
  ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
  ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
  ET DNS Query to a *.top domain - Likely Hostile
  ET INFO Observed DNS Query to .biz TLD
Rule-matched URLs (18):
  http://www.onlytradez.club/k1y3/
  http://www.zenzip.xyz/9pad/
  http://www.32wxd.top/fqtd/
  http://www.32wxd.top/fqtd/
  http://www.zenzip.xyz/9pad/
  http://www.51cc.top/7i54/
  http://www.foundation-repair.biz/5l7s/
  http://www.foundation-repair.biz/5l7s/
  http://www.2886080.xyz/eyiz/
  http://www.d71dg.top/qbiu/
  http://www.2886080.xyz/eyiz/
  http://www.51cc.top/7i54/
  http://www.inmotarget.online/f94d/
  http://www.onlytradez.club/k1y3/
  http://www.d71dg.top/qbiu/
  http://www.inmotarget.online/f94d/
  http://www.meetfactory.biz/xoqw/
  http://www.meetfactory.biz/xoqw/
Score: 6.4 | M | 18 | ZeroCERT

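The Formbook entry above is a good illustration of a hunting signal that survives domain rotation: ten unrelated domains, each with a short four-character path, all carrying the same two query-parameter names (skJ-Lus and pvx3S). The following is an added example, not code from the listing or from the sandbox that produced it. It clusters request URLs by their query-key set and reports any set seen on several registered domains; the sample URLs are copied from entry #310, the example.com line is a constructed benign control, the three-domain threshold and the naive two-label "registered domain" collapse (no public-suffix list) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# URLs taken from entry #310 above, plus one constructed benign URL (example.com)
# to show that an ordinary query string does not cluster.
SAMPLE_URLS = [
    "http://www.onlytradez.club/k1y3/?skJ-Lus=J7VJwuuG4HUA4bFTkbQEdxkpMEpXPBCRRs+F1x6QwwkcPlqAPKpQJUUQrtsDqb7Q+tjdIUGQwp4fGorxq2J//mB+PqSTwbyLcRM9dR0EDrcHS/LNmgUR990rINKp1m+e5VNnNrk=&pvx3S=Xzx0sFPmCssrV",
    "http://www.zenzip.xyz/9pad/?skJ-Lus=1a5ATRlanZ3ATSTMsvfkUs0ciM8umoJS8y8kT4HdOCMJyW9sS8tB9dhHCXeYKtsB5QysC2Hg2jCPifAM2S09CoHR88nq9oCTqozYG6NauxPM4LjmZuBJG1m7wEgFKI64QDVX+78=&pvx3S=Xzx0sFPmCssrV",
    "http://www.32wxd.top/fqtd/?skJ-Lus=NOGaE4zNJ3vPzwJVq9flFF94in2IcnN0bsRklEYFuNltL64f812fYl1xoipxw6mqFzyE6nPBnWGndAD5Tl5FPYyUit02KiWxxW2zK2p9R7C5MnzH/2vAyX3OoZI/vgfMfT+cSXI=&pvx3S=Xzx0sFPmCssrV",
    "http://www.foundation-repair.biz/5l7s/?skJ-Lus=5i9IxHyDCONgw46qIHGeUvwlYzbtgN8gQUqUIjK6jcHsfbLgiJ2s3wDRXgbc+h/bICwzf3ddx8E1HmjHsyEg1i4ki39GGAPq3qClCRMeu9QIBTg/A11C17kmPPIEN81gm2sAq9Q=&pvx3S=Xzx0sFPmCssrV",
    "http://www.32wxd.top/fqtd/",
    "http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip",
    "https://example.com/search?q=sqlite&page=2",  # constructed benign control
]

# Formbook check-in paths in #310 are all "/<4 alphanumerics>/"; assumed as a heuristic.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{4}/$")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (naive: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def query_key_signature(url: str) -> Optional[Tuple[str, ...]]:
    """Sorted tuple of query-parameter names, or None when the URL has no query."""
    query = urlsplit(url).query
    if not query:
        return None
    keys = sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)})
    return tuple(keys) or None


def find_shared_query_clusters(urls: List[str], min_domains: int = 3) -> Dict[Tuple[str, ...], dict]:
    """Group URLs by query-key signature and keep signatures seen on >= min_domains domains.

    Returns {signature: {"domains": [...], "paths": [...]}} with sorted lists. A
    signature that spans many registered domains is the rotation pattern seen in
    #310; a signature confined to one domain is ordinary application traffic.
    """
    domains: Dict[Tuple[str, ...], set] = defaultdict(set)
    paths: Dict[Tuple[str, ...], set] = defaultdict(set)
    for url in urls:
        sig = query_key_signature(url)
        if sig is None:
            continue
        parts = urlsplit(url)
        domains[sig].add(registered_domain(parts.hostname or ""))
        paths[sig].add(parts.path)
    return {
        sig: {"domains": sorted(d), "paths": sorted(paths[sig])}
        for sig, d in domains.items()
        if len(d) >= min_domains
    }


def checkin_like_paths(paths: List[str]) -> List[str]:
    """Return the paths that match the short four-character check-in shape."""
    return [p for p in paths if CHECKIN_PATH.match(p)]


if __name__ == "__main__":
    for sig, info in find_shared_query_clusters(SAMPLE_URLS).items():
        print(f"query keys {sig} seen on {len(info['domains'])} domains: {', '.join(info['domains'])}")
        print(f"  check-in style paths: {checkin_like_paths(info['paths'])}")
```

Run against a day of proxy logs instead of the embedded list, the same function will also surface families other than Formbook that keep fixed parameter names across rotated hosts; the threshold and the domain-collapse rule are the two knobs to tune for your traffic.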
#311  2024-09-06 14:23
Sample: 66d97993e0460_stealc_w9.vmp.ex...
MD5: a79fa370fdeecbb187f96558a76534b5
Tags: Generic Malware Malicious Library UPX PE File PE32 VirusTotal Malware
Score: 2.2 | M | 51 | ZeroCERT

#312  2024-09-06 14:21
Sample: 66ba1a1880f9e_crypta.exe#kiscr
MD5: a8b732ee59958581b2d5c62bb5b60c7a
Tags: Stealc Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library Malicious Packer .NET framework(MSIL) UPX ASPack Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Malware download FTP Client Info Stealer VirusTotal Malware c&c Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName Remote Code Execution DNS Software plugin
URLs (3):
  http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
  http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll
  http://193.176.190.41/ - rule_id: 42195
Hosts (1):
  193.176.190.41 - malicious
Alerts (8):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs (2):
  http://193.176.190.41/2fa883eebd632382.php
  http://193.176.190.41/
Score: 16.4 | M | 55 | ZeroCERT

#313  2024-09-06 14:21
Sample: 66d98aa7bea3e_newPrime.exe#rea...
MD5: c4d092354c3f964ee1d9671f2517a6c9
Tags: Malicious Library UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName Remote Code Execution
Score: 3.6 | M | 43 | ZeroCERT

#314  2024-09-06 14:19
Sample: 66d9da4dc547c_vrge12.exe#d12
MD5: b34fcafdfc4ddbe4db51b22dd618b8d9
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin
URLs (2):
  http://147.45.68.138/ - rule_id: 42298
  http://147.45.68.138/sql.dll
Hosts (1):
  147.45.68.138 - malicious
Alerts (5):
  ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs: 1 (not listed)
Score: 13.6 | M | 41 | ZeroCERT

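Entries #312 and #314 share the network shape that the "ET INFO Dotted Quad Host DLL Request" and "HTTP GET Request for sqlite3.dll" alerts key on: a DLL fetched by a bare IP address with no hostname, followed by a POST to the same IP. The block below is an added example written for this page, not the sandbox's or the ET ruleset's own logic. It classifies request log lines with three checks drawn from those two entries: a DLL requested from an IPv4-literal host, a sqlite3.dll fetch (the browser-database helper stealers pull down), and a POST to a sixteen-hex-character .php path on an IP literal, which is the check-in URL shape recorded in #312 and is treated here as a heuristic. The log format ("<method> <url>" per line) and the example.com line are constructed for the example; the other URLs are the ones listed in #312 and #314.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed log: one "<method> <url>" per line. URLs are taken from entries #312
# and #314 above plus two benign controls (sqlite.org download, example.com DLL by name).
SAMPLE_LOG = """\
POST http://193.176.190.41/2fa883eebd632382.php
GET http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll
GET http://147.45.68.138/sql.dll
POST http://147.45.68.138/
GET https://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
GET https://example.com/downloads/helper.dll
"""

# Check-in path shape observed in #312 (/2fa883eebd632382.php); assumed heuristic.
HEX16_PHP = re.compile(r"^/[0-9a-f]{16}\.php$")


def is_ip_literal(host: str) -> bool:
    """True when the HTTP host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(method: str, url: str) -> List[str]:
    """Return the detection labels that apply to one request (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    basename = path.rsplit("/", 1)[-1].lower()
    findings: List[str] = []
    # ET INFO Dotted Quad Host DLL Request: a DLL pulled from an IP-literal host.
    if is_ip_literal(host) and basename.endswith(".dll"):
        findings.append("dotted-quad host DLL request")
    # ET HUNTING HTTP GET Request for sqlite3.dll: stealers fetch it to read browser DBs.
    if method.upper() == "GET" and basename == "sqlite3.dll":
        findings.append("sqlite3.dll fetch (possible infostealer)")
    # Stealc-style check-in: POST to /<16 hex>.php on an IP literal (heuristic from #312).
    if method.upper() == "POST" and is_ip_literal(host) and HEX16_PHP.match(path):
        findings.append("Stealc-style C2 check-in path")
    return findings


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Scan "<method> <url>" lines; return (url, findings) for every line that fires."""
    hits: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url = line.split(maxsplit=1)
        findings = classify_request(method, url)
        if findings:
            hits.append((url, findings))
    return hits


if __name__ == "__main__":
    for url, findings in scan_log(SAMPLE_LOG):
        print(f"{url}\n  -> {'; '.join(findings)}")
```

Note what does not fire: the POST to http://147.45.68.138/ in #314 has no hex .php path, so the Stealc check stays quiet and that host is only flagged through its sql.dll fetch; the sqlite.org download and the named-host helper.dll are left alone, which is the point of keying on the IP-literal host rather than on the .dll extension by itself.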
#315  2024-09-06 14:18
Sample: 66d9de22f231f_crypted.exe#1
MD5: e600b6015b0312b52214f459fcc6f3c2
Tags: RedLine stealer Malicious Library Antivirus .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://x1.i.lencr.org/
  https://smkn2sumbawabesar.sch.id/1.exe
Hosts (5):
  x1.i.lencr.org(23.40.44.214)
  smkn2sumbawabesar.sch.id(194.163.35.141)
  194.163.35.141
  23.41.113.9
  147.45.47.36 - malware
Alerts (7):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 16.2 | M | 44 | ZeroCERT
