| 4141 |
2024-05-10 10:04
|
 setup_1715277229.6072824.exe e3e2300616cc1112ffe8fae1901eff5c
Generic Malware Malicious Library Malicious Packer UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
1
https://pastebin.com/raw/8baCJyMF
|
4
tomdom.top(195.201.252.28)
pastebin.com(172.67.19.24) - mailcious
104.20.4.235 - mailcious
195.201.252.28
|
6
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Response)
ET MALWARE MetaStealer Activity (Response)
|
|
14.2 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4142 |
2024-05-10 10:01
|
 pojgysef.exe d4f738f4e3787ef0b31891e446919aa8
Generic Malware Downloader Malicious Library UPX VMProtect Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 OS Processo VirusTotal Malware PDB Code Injection Creates executable files unpack itself AppData folder Remote Code Execution |
|
|
|
|
4.8 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4143 |
2024-05-10 09:59
|
 build.exe 7b207a5aba4025733f54ea5185f1f1cb
RedLine Infostealer RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces IP Check installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://195.10.205.91:1707/
http://apps.identrust.com/roots/dstrootcax3.p7c
|
8
ipinfo.io(34.117.186.192)
api.ipify.org(104.26.12.205)
api.ip.sb(104.26.13.31)
34.117.186.192
104.26.12.31
104.26.12.205
195.10.205.91
121.254.136.9
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET MALWARE RedLine Stealer - CheckConnect Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SURICATA HTTP unable to match response to request
|
|
8.0 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4144 |
2024-05-10 09:59
|
 udated.exe fecabb1640f8768ff0b10ea4186724b7
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.2 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4145 |
2024-05-10 09:18
|
 1.exe 3be9e476da2e99adbc49591cbc94b4d9
Generic Malware Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
1.8 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4146 |
2024-05-10 09:16
|
 current.exe 6cacf1262591bf7eb7c5882d47a1c8a8
Generic Malware Malicious Library PE File PE32 VirusTotal Malware |
|
|
|
|
1.6 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4147 |
2024-05-10 09:14
|
beautifulthingstohappeningwhen... 13d24d0ebfb462fa27ab6815086eb3df
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed Downloader |
1
http://103.186.116.171/3506/htm.exe
|
3
onedrive.live.com(13.107.139.11) - mailcious
13.107.139.11
103.186.116.171
|
8
ET DROP Spamhaus DROP Listed Traffic Inbound group 17
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4148 |
2024-05-10 09:14
|
 up2date.exe cda96eb769b520de195cae37c842c8f3
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.0 |
|
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4149 |
2024-05-09 11:08
|
 5.hta 0864405d81d8ab37b43868a26748f57a
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger |
2
http://193.222.96.124:7287/111.xlsx
http://193.222.96.124:7287/xD.bat
|
1
193.222.96.124 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Dotted Quad Host XLSX Request
|
|
13.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4150 |
2024-05-09 11:08
|
 rakshasa.exe 653247865f2d222abc8ad696d6e756e3
Malicious Library Malicious Packer UPX PE64 PE File VirusTotal Malware Check virtual network interfaces WriteConsoleW |
|
|
|
|
2.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4151 |
2024-05-09 11:06
|
beautifulgirlsarerememberingth... 5e1a930f016dadf045d8962abfc13581
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader |
6
http://www.gregoriusalvin.com/a42m/
http://www.qeintechnologies.com/IYiwE0.bin
http://192.3.109.149/20780/hjv.exe
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.tintasmaiscor.com/a42m/
http://www.gregoriusalvin.com/a42m/?R2SEOS=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&PvPh=CYalcyam-GQM6F
|
13
www.italiangreyhounds.online()
www.gregoriusalvin.com(103.247.10.164)
www.qeintechnologies.com(199.217.106.226)
www.tintasmaiscor.com(162.240.81.18)
www.designsbysruly.com()
www.gcashservice247.com()
www.weeveno.com()
www.infomail.website()
199.217.106.226
192.3.109.149 - mailcious
45.33.6.223
162.240.81.18 - mailcious
103.247.10.164
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET) M5
|
|
5.4 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4152 |
2024-05-09 11:06
|
 1.hta cc022fea5d0660e1e221b02d2c55553b
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell ZIP Format Lnk Format GIF Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2
http://193.222.96.124:7287/xD.bat
http://193.222.96.124:7287/11.xlsx
|
1
193.222.96.124 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Dotted Quad Host XLSX Request
|
|
12.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4153 |
2024-05-09 11:05
|
 4.hta 1e5a563b24dd2e44b449042b69ddbd7c
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed |
2
http://193.222.96.124:7287/xD.bat
http://193.222.96.124:7287/222.xlsx
|
1
193.222.96.124 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Dotted Quad Host XLSX Request
|
|
12.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4154 |
2024-05-09 11:05
|
 3.hta 4ab94c892e634430c8eabae82af4d875
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
2
http://193.222.96.124:7287/xD.bat
http://193.222.96.124:7287/33.xlsx
|
1
193.222.96.124 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Dotted Quad Host XLSX Request
|
|
12.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4155 |
2024-05-09 11:02
|
 2.hta bb537c9f88a70e710c5993e3fe383bb6
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed |
2
http://193.222.96.124:7287/22.xlsx
http://193.222.96.124:7287/xD.bat
|
1
193.222.96.124 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Dotted Quad Host XLSX Request
|
|
12.4 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|