| 376 |
2024-09-04 10:27
|
 66d70775c548d_v.exe#space 6f99968cc27d2d6a07a921ab703a5d5d
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
2
http://147.45.68.138/ - rule_id: 42298
http://147.45.68.138/sql.dll
|
1
147.45.68.138 - mailcious
|
5
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
|
1
|
13.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 377 |
2024-09-04 10:26
|
 66d70e8640404_trics.exe b5887a19fe50bfa32b524aaad0a453bc
Malicious Library .NET framework(MSIL) UPX Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format Malware download VirusTotal Malware AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows RisePro ComputerName Remote Code Execution DNS |
|
1
77.105.164.24 - mailcious
|
3
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
|
|
12.4 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 378 |
2024-09-04 10:25
|
 66d5ec0530891_crypted.exe#1 8e0ae87939388dfd7d6470bdd397b309
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 379 |
2024-09-04 10:25
|
 66d753141beb4_default.exe#kiso... 5bded0f41fa96aeed99d6b9b8eb34aa4
Client SW User Data Stealer ftp Client info stealer Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Malware c&c PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS Software crashed plugin |
9
http://45.152.113.10/15a25e53742510fe/nss3.dll
http://45.152.113.10/15a25e53742510fe/vcruntime140.dll
http://45.152.113.10/15a25e53742510fe/mozglue.dll
http://45.152.113.10/15a25e53742510fe/softokn3.dll
http://45.152.113.10/
http://45.152.113.10/15a25e53742510fe/freebl3.dll
http://45.152.113.10/15a25e53742510fe/sqlite3.dll
http://45.152.113.10/15a25e53742510fe/msvcp140.dll
http://45.152.113.10/92335b4816f77e90.php
|
1
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
13.2 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 380 |
2024-09-04 10:22
|
 Co.exe 50968bf1892077705f9182f7028c8ef2
UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 381 |
2024-09-04 10:22
|
 66d5df681876c_file010924.exe#f... 7972b08246e568495d9d116fc2d0b159
Suspicious_Script_Bin Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows ComputerName Remote Code Execution DNS |
2
http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true - rule_id: 41982
https://api.2ip.ua/geo.json
|
4
cajgtus.com(186.145.236.93) - malware
api.2ip.ua(172.67.139.220)
172.67.139.220
186.233.231.45
|
6
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
|
1
http://cajgtus.com/test1/get.php
|
9.4 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 382 |
2024-09-04 10:20
|
 66d5e40f57b39_def_202409021912... ade16b249de80c5d8a459baaac67201c
Client SW User Data Stealer ftp Client info stealer Antivirus Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Stealc ComputerName DNS |
2
http://147.45.47.137/6ecdc9436941ebbd.php
http://147.45.47.137/
|
1
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
|
|
9.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 383 |
2024-09-04 10:19
|
 66d5edf357fbf_BitcoinCore.exe 26dc83cd26d56041c731e497b96a8a73
Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 384 |
2024-09-04 10:17
|
 payload.exe ca6ae34bf2b35aacb25a27f94fb1f7d5
Metasploit Generic Malware PE File PE64 VirusTotal Malware DNS crashed |
|
1
|
|
|
3.6 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 385 |
2024-09-04 10:17
|
 66d707705967b_12.exe#d12 d72251694d71a89fab057f9976ec1827
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
8
http://147.45.68.138/softokn3.dll
http://147.45.68.138/mozglue.dll
http://147.45.68.138/freebl3.dll
http://147.45.68.138/nss3.dll
http://147.45.68.138/sql.dll
http://147.45.68.138/ - rule_id: 42298
http://147.45.68.138/msvcp140.dll
http://147.45.68.138/vcruntime140.dll
|
1
147.45.68.138 - mailcious
|
10
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
1
|
15.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 386 |
2024-09-04 10:16
|
 tqh64.exe 2d8bfa12ffd53e578028edae844e7611
UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 387 |
2024-09-04 10:15
|
 66d6af212bad3_kbdturme.exe b2ceff540f1fb7234b424a5702e989ba
Gen1 Generic Malware NSIS Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX Javascript_Blob AntiDebug AntiVM PE File PE32 MZP Format OS Processor Check DLL PE64 PNG Format DllRegisterServer dll VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder Windows ComputerName crashed |
|
|
|
|
7.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 388 |
2024-09-04 10:14
|
 66d5e39de168d_cry.exe#kiscrypt... c4863f9cb3f845ccd4ebd260d532928e
Client SW User Data Stealer ftp Client info stealer Antivirus Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
9
http://147.45.47.137/04912fc0ffa81c54/freebl3.dll
http://147.45.47.137/
http://147.45.47.137/04912fc0ffa81c54/nss3.dll
http://147.45.47.137/04912fc0ffa81c54/sqlite3.dll
http://147.45.47.137/6ecdc9436941ebbd.php
http://147.45.47.137/04912fc0ffa81c54/mozglue.dll
http://147.45.47.137/04912fc0ffa81c54/softokn3.dll
http://147.45.47.137/04912fc0ffa81c54/vcruntime140.dll
http://147.45.47.137/04912fc0ffa81c54/msvcp140.dll
|
1
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
12.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 389 |
2024-09-04 10:11
|
 rev.exe c457b64b8faf93fb23adb3d3b6a6cb78
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 390 |
2024-09-04 10:09
|
 1_encoded.exe 6c098287139a5808d04237dd4cdaec3f
PE File PE64 VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|