391  2024-09-04 10:09
File: chrome.exe  MD5: 67407557dfbdd3d71436f89d6d47897a
Tags: Malicious Packer UPX PE File PE64 VirusTotal Malware buffers extracted RWX flags setting DNS
URLs: none
Hosts: 1 (none listed)
Alerts: none
Flagged URLs: none
Score: 4.6 | M | 55 | ZeroCERT

392  2024-09-04 10:08
File: lamp.exe  MD5: 54dd56c2c79350de18dc0be27360520d
Tags: Stealc Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
URLs (9):
  http://185.215.113.100/0d60be0de163924d/nss3.dll
  http://185.215.113.100/0d60be0de163924d/freebl3.dll
  http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
  http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
  http://185.215.113.100/0d60be0de163924d/sqlite3.dll
  http://185.215.113.100/ - rule_id: 41969
  http://185.215.113.100/0d60be0de163924d/mozglue.dll
  http://185.215.113.100/0d60be0de163924d/softokn3.dll
  http://185.215.113.100/0d60be0de163924d/msvcp140.dll
Hosts (1):
  185.215.113.100 - malicious
Alerts (16):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Flagged URLs (2):
  http://185.215.113.100/e2b1563c6670f193.php
  http://185.215.113.100/
Score: 12.4 | M | 36 | ZeroCERT

393  2024-09-04 10:07
File: 66d58b1858bcb_crypted.exe#xin  MD5: d8ecb462d3046a0ee172551c5d505c8e
Tags: RedLine stealer Antivirus PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS
URLs: none
Hosts (1):
  95.216.107.53 - malicious
Alerts: none
Flagged URLs: none
Score: 9.0 | M | 56 | ZeroCERT

394  2024-09-04 10:03
File: 66d707730e9bf_s.exe#space  MD5: 998f7fb6068e4377618bcdb2138bc6f0
Tags: Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer Http API PWS Create Service Socket DGA ScreenShot Escalate privileges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (19):
  http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
  http://147.45.68.138/softokn3.dll
  http://147.45.44.104/prog/66d7077a2064d_l.exe
  http://147.45.68.138/mozglue.dll
  http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
  http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
  http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
  http://147.45.68.138/freebl3.dll
  http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
  http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
  http://147.45.68.138/nss3.dll
  http://147.45.68.138/sql.dll
  http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
  http://147.45.44.104/prog/66d70775c548d_v.exe
  http://46.8.231.109/ - rule_id: 42142
  http://147.45.68.138/ - rule_id: 42298
  http://147.45.68.138/msvcp140.dll
  http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
  http://147.45.68.138/vcruntime140.dll
Hosts (3):
  147.45.68.138 - malicious
  147.45.44.104 - malware
  46.8.231.109 - malicious
Alerts (19):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
Flagged URLs (3):
  http://46.8.231.109/c4754d4f680ead72.php
  http://46.8.231.109/
  http://147.45.68.138/
Score: 16.6 | M | 44 | ZeroCERT

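The two Stealc entries above (392 and 394) show the same network shape: a POST to a 16-hex-character .php path on a bare-IP host, followed by GETs for the NSS/SQLite browser-credential DLLs (nss3.dll, freebl3.dll, mozglue.dll, softokn3.dll, sqlite3.dll, vcruntime140.dll, msvcp140.dll) from the same host, and in 394 an .exe fetched from another dotted-quad host. The following is an added example, not code from the sandbox, from ZeroCERT or from Emerging Threats: a log-side approximation of what the listed ET signatures key on, run over a constructed proxy log whose malicious lines mirror the URLs in those two rows. The log format, the indicator labels and the per-host verdict thresholds are my own assumptions; the real ET rules run inside Suricata on the wire.

```python
import re
from collections import defaultdict

# Helper DLLs the Stealc samples in rows 392 and 394 fetched from their C2
# (names taken from those rows' URL lists).  A GET for any of them is what the
# "ET HUNTING HTTP GET Request for <dll> - Possible Infostealer Activity" rules key on.
STEALER_DLLS = {
    "nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll",
    "sqlite3.dll", "vcruntime140.dll", "msvcp140.dll",
}
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Check-in path shape seen in both rows: /<16 hex chars>.php at the host root.
HEX16_PHP = re.compile(r"^/[0-9a-f]{16}\.php$")

# Constructed proxy log, not real traffic (assumed format:
# '<ts> <client> <method> <host> <path> <status> <content-type>').
# The first five lines mirror URLs from rows 392 and 394; the last two are benign fillers.
SAMPLE_LOG = """\
2024-09-04T10:08:01Z 10.0.0.5 POST 185.215.113.100 /e2b1563c6670f193.php 200 text/html
2024-09-04T10:08:02Z 10.0.0.5 GET 185.215.113.100 /0d60be0de163924d/nss3.dll 200 application/octet-stream
2024-09-04T10:08:02Z 10.0.0.5 GET 185.215.113.100 /0d60be0de163924d/freebl3.dll 200 application/octet-stream
2024-09-04T10:08:03Z 10.0.0.5 GET 185.215.113.100 /0d60be0de163924d/sqlite3.dll 200 application/octet-stream
2024-09-04T10:03:10Z 10.0.0.7 GET 147.45.44.104 /prog/66d7077a2064d_l.exe 200 application/octet-stream
2024-09-04T10:05:00Z 10.0.0.9 GET www.example.com /download/sqlite3.dll 200 application/octet-stream
2024-09-04T10:05:01Z 10.0.0.9 GET 203.0.113.10 /index.php 200 text/html
"""


def parse(line):
    """Split one constructed log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, status, ctype = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host.lower(), "path": path, "status": status, "ctype": ctype}


def classify(req):
    """Return the set of indicator labels (my own names, not ET rule text) a request matches."""
    labels = set()
    path = req["path"].lower()
    fname = path.rsplit("/", 1)[-1]
    bare_ip = bool(DOTTED_QUAD.match(req["host"]))
    if req["method"] == "GET" and fname in STEALER_DLLS:
        labels.add("stealer-dll-fetch")          # any host: hunting-grade signal
    if bare_ip and fname.endswith(".dll"):
        labels.add("dotted-quad-dll-request")    # mirrors "ET INFO Dotted Quad Host DLL Request"
    if bare_ip and fname.endswith(".exe"):
        labels.add("exe-from-dotted-quad")       # mirrors "ET INFO Executable Download from dotted-quad Host"
    if req["method"] == "POST" and HEX16_PHP.match(path):
        labels.add("hex16-php-post")             # check-in shape from rows 392/394
    return labels


def scan(log_text):
    """Return (line_no, host, label) for every indicator hit in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        req = parse(line)
        if req is None:
            continue
        for label in sorted(classify(req)):
            hits.append((n, req["host"], label))
    return hits


def triage(log_text):
    """Per-host verdict: a host that both took a check-in POST and served at least two
    of the stealer DLLs is called 'stealc-c2'; any other host with a hit is 'suspicious'."""
    per_host = defaultdict(set)
    dll_count = defaultdict(int)
    for _, host, label in scan(log_text):
        per_host[host].add(label)
        if label == "stealer-dll-fetch":
            dll_count[host] += 1
    verdicts = {}
    for host, labels in per_host.items():
        if "hex16-php-post" in labels and dll_count[host] >= 2:
            verdicts[host] = "stealc-c2"
        else:
            verdicts[host] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print(triage(SAMPLE_LOG))
```

On the sample log the single stealer-DLL fetch from www.example.com stays at "suspicious" (software updaters do ship sqlite3.dll), while 185.215.113.100 is promoted to "stealc-c2" because the check-in POST and the DLL bundle come from the same host; that correlation, not any one request, is what separates the two Stealc rows from the packed-but-silent samples elsewhere in this list.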
395  2024-09-04 09:40
File: 2.exe  MD5: 727d942e4c26b713b9498e8997fabf38
Tags: Malicious Packer UPX PE File PE64 VirusTotal Malware RWX flags setting DNS crashed
URLs: none
Hosts: 1 (none listed)
Alerts: none
Flagged URLs: none
Score: 3.8 | M | 55 | ZeroCERT

396  2024-09-04 09:40
File: 1388.exe  MD5: 7109c985bd8a553012ea843d05737794
Tags: Malicious Library PE File PE64 VirusTotal Malware RWX flags setting unpack itself ComputerName DNS
URLs: none
Hosts: 1 (none listed)
Alerts: none
Flagged URLs: none
Score: 5.2 | M | 65 | ZeroCERT

397  2024-09-04 09:35
File: 66d7540419a3a_installer.exe  MD5: 9a0770b61e54640630a3c8542c5bc7ac
Tags: Malicious Library UPX PE File PE64 VirusTotal Malware Checks debugger Creates executable files unpack itself crashed
URLs: none
Hosts: none
Alerts: none
Flagged URLs: none
Score: 2.2 | M | 12 | ZeroCERT

398  2024-09-03 12:00
File: WORDICON.EXE  MD5: 068918a65830b7e7671056f125412757
Tags: ASPack UPX PE File DLL PE64
URLs: none
Hosts: none
Alerts: none
Flagged URLs: none
Score: - | - | - | guest

399  2024-09-03 09:42
File: SecHex-GUI.dll  MD5: ad714ee48d2e829c5012c65de6166c05
Tags: Generic Malware Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
URLs: none
Hosts: none
Alerts: none
Flagged URLs: none
Score: 2.6 | M | 50 | ZeroCERT

400  2024-09-03 09:40
File: SolaraBootstrapper.exe  MD5: 06f13f50c4580846567a644eb03a11f2
Tags: PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces WriteConsoleW Tofsee
URLs: none
Hosts (4):
  github.com(20.200.245.247) - malicious
  raw.githubusercontent.com(185.199.108.133) - malware
  20.200.245.247 - malware
  185.199.109.133 - malicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: none
Score: 2.6 | M | 31 | ZeroCERT

401  2024-09-03 09:38
File: Nezur.exe  MD5: d6f133dee71ed4c119a2d2aaf4cf3a69
Tags: Malicious Packer UPX PE File ftp PE64 OS Processor Check VirusTotal Malware PDB
URLs: none
Hosts: none
Alerts: none
Flagged URLs: none
Score: 1.8 | M | 44 | ZeroCERT

402  2024-09-03 09:36
File: CMLiteInstaller.exe  MD5: 02ea34533272f916fb52990a45917913
Tags: Malicious Library UPX PE File PE64 VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
URLs: none
Hosts: none
Alerts: none
Flagged URLs: none
Score: 2.6 | M | 26 | ZeroCERT

403  2024-09-03 09:34
File: Launcher.exe  MD5: 8e9d1161d84aa416108c23f8d457a633
Tags: UPX PE File PE64 OS Processor Check VirusTotal Malware
URLs: none
Hosts: none
Alerts: none
Flagged URLs: none
Score: 1.2 | M | 55 | ZeroCERT

404  2024-09-03 09:32
File: ModSkin_Eng.exe  MD5: 251506af767bc121f5e65970488030c1
Tags: Malicious Library Confuser .NET PE File PE64 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee
URLs (1):
  https://toolgamepc.blogspot.com/p/tgp.html
Hosts (2):
  toolgamepc.blogspot.com(142.250.207.97)
  172.217.27.33
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: none
Score: 5.0 | M | 55 | ZeroCERT

405  2024-09-03 09:30
File: R3nzSkin_Injector.exe  MD5: 8af17734385f55dc58f1ca38bce22312
Tags: Malicious Library PE File PE64 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
URLs (1):
  https://api.github.com/repos/R3nzTheCodeGOD/R3nzSkin/releases/latest
Hosts (2):
  api.github.com(20.200.245.245)
  20.200.245.245
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Flagged URLs: none
Score: 4.6 | M | 51 | ZeroCERT