4141 | 2024-05-10 10:04
setup_1715277229.6072824.exe | e3e2300616cc1112ffe8fae1901eff5c | Generic Malware Malicious Library Malicious Packer UPX AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (1): https://pastebin.com/raw/8baCJyMF
Hosts (4): tomdom.top(195.201.252.28); pastebin.com(172.67.19.24) - mailcious; 104.20.4.235 - mailcious; 195.201.252.28
IDS alerts (6): ET DNS Query to a *.top domain - Likely Hostile; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound); ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Response); ET MALWARE MetaStealer Activity (Response)
14.2 | M | 38 | ZeroCERT

4142 | 2024-05-10 10:01
pojgysef.exe | d4f738f4e3787ef0b31891e446919aa8 | Generic Malware Downloader Malicious Library UPX VMProtect Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 OS Processo VirusTotal Malware PDB Code Injection Creates executable files unpack itself AppData folder Remote Code Execution
4.8 | | 36 | ZeroCERT

4143 | 2024-05-10 09:59
build.exe | 7b207a5aba4025733f54ea5185f1f1cb | RedLine Infostealer RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces IP Check installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://195.10.205.91:1707/; http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (8): ipinfo.io(34.117.186.192); api.ipify.org(104.26.12.205); api.ip.sb(104.26.13.31); 34.117.186.192; 104.26.12.31; 104.26.12.205; 195.10.205.91; 121.254.136.9
IDS alerts (8): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET MALWARE RedLine Stealer - CheckConnect Response; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound; ET MALWARE Redline Stealer/MetaStealer Family Activity (Response); SURICATA HTTP unable to match response to request
8.0 | M | 62 | ZeroCERT

4144 | 2024-05-10 09:59
udated.exe | fecabb1640f8768ff0b10ea4186724b7 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.2 | | 51 | ZeroCERT

4145 | 2024-05-10 09:18
1.exe | 3be9e476da2e99adbc49591cbc94b4d9 | Generic Malware Malicious Library UPX PE64 PE File OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
1.8 | | 15 | ZeroCERT

4146 | 2024-05-10 09:16
current.exe | 6cacf1262591bf7eb7c5882d47a1c8a8 | Generic Malware Malicious Library PE File PE32 VirusTotal Malware
1.6 | | 27 | ZeroCERT

4147 | 2024-05-10 09:14
beautifulthingstohappeningwhen... | 13d24d0ebfb462fa27ab6815086eb3df | MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed Downloader
URLs (1): http://103.186.116.171/3506/htm.exe
Hosts (3): onedrive.live.com(13.107.139.11) - mailcious; 13.107.139.11; 103.186.116.171
IDS alerts (8): ET DROP Spamhaus DROP Listed Traffic Inbound group 17; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | | 35 | ZeroCERT

4148 | 2024-05-10 09:14
up2date.exe | cda96eb769b520de195cae37c842c8f3 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
2.0 | | 38 | ZeroCERT

4149 | 2024-05-09 11:08
5.hta | 0864405d81d8ab37b43868a26748f57a | Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key keylogger
URLs (2): http://193.222.96.124:7287/111.xlsx; http://193.222.96.124:7287/xD.bat
Hosts (1): 193.222.96.124 - mailcious
IDS alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET INFO Dotted Quad Host XLSX Request
13.0 | M | 24 | ZeroCERT

4150 | 2024-05-09 11:08
rakshasa.exe | 653247865f2d222abc8ad696d6e756e3 | Malicious Library Malicious Packer UPX PE64 PE File VirusTotal Malware Check virtual network interfaces WriteConsoleW
2.0 | M | 18 | ZeroCERT

4151 | 2024-05-09 11:06
beautifulgirlsarerememberingth... | 5e1a930f016dadf045d8962abfc13581 | MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Windows Exploit DNS crashed Downloader
URLs (6): http://www.gregoriusalvin.com/a42m/; http://www.qeintechnologies.com/IYiwE0.bin; http://192.3.109.149/20780/hjv.exe; http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip; http://www.tintasmaiscor.com/a42m/; http://www.gregoriusalvin.com/a42m/?R2SEOS=6CH/YRMAK7aydmoeIYug/5bPLtmJ66q3593I/qH1Euv5gdtO1aVIO5sIkdD8Uy+PegRauaWIQNwg1s6QWSBfdi8lbfjBcXeXE7/rv5fmweeN04I7MmJWMdAH+Ho2e4yDZBqoJ1k=&PvPh=CYalcyam-GQM6F
Hosts (13): www.italiangreyhounds.online(); www.gregoriusalvin.com(103.247.10.164); www.qeintechnologies.com(199.217.106.226); www.tintasmaiscor.com(162.240.81.18); www.designsbysruly.com(); www.gcashservice247.com(); www.weeveno.com(); www.infomail.website(); 199.217.106.226; 192.3.109.149 - mailcious; 45.33.6.223; 162.240.81.18 - mailcious; 103.247.10.164
IDS alerts (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE FormBook CnC Checkin (GET) M5
5.4 | M | 34 | ZeroCERT

4152 | 2024-05-09 11:06
1.hta | cc022fea5d0660e1e221b02d2c55553b | Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell ZIP Format Lnk Format GIF Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (2): http://193.222.96.124:7287/xD.bat; http://193.222.96.124:7287/11.xlsx
Hosts (1): 193.222.96.124 - mailcious
IDS alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET INFO Dotted Quad Host XLSX Request
12.4 | M | 24 | ZeroCERT

4153 | 2024-05-09 11:05
4.hta | 1e5a563b24dd2e44b449042b69ddbd7c | Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed
URLs (2): http://193.222.96.124:7287/xD.bat; http://193.222.96.124:7287/222.xlsx
Hosts (1): 193.222.96.124 - mailcious
IDS alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET INFO Dotted Quad Host XLSX Request
12.4 | M | 24 | ZeroCERT

4154 | 2024-05-09 11:05
3.hta | 4ab94c892e634430c8eabae82af4d875 | Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format Vulnerability VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (2): http://193.222.96.124:7287/xD.bat; http://193.222.96.124:7287/33.xlsx
Hosts (1): 193.222.96.124 - mailcious
IDS alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET INFO Dotted Quad Host XLSX Request
12.4 | M | 24 | ZeroCERT

4155 | 2024-05-09 11:02
2.hta | bb537c9f88a70e710c5993e3fe383bb6 | Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed
URLs (2): http://193.222.96.124:7287/22.xlsx; http://193.222.96.124:7287/xD.bat
Hosts (1): 193.222.96.124 - mailcious
IDS alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 37; ET INFO Dotted Quad Host XLSX Request
12.4 | M | 24 | ZeroCERT