406 |
2024-09-03 09:20
|
66d4d0726b5b3_sgdk.exe 155105824c859e795361a482d2553c57 Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer ScreenShot Http API PWS Create Service Socket DGA Escalate priviledges Steal credential Sniff Audio Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
13
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://147.45.44.104/prog/66d5ddc254656_lfem.exe
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://147.45.44.104/prog/66d5ddcbb9f86_vyre.exe
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
https://steamcommunity.com/profiles/76561199768374681
https://t.me/edm0d
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.170.104) - mailcious
149.154.167.99 - mailcious
116.203.6.46
147.45.44.104 - malware
104.74.170.104
46.8.231.109 - mailcious
|
21
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
|
19.2 |
M |
52 |
ZeroCERT
407 |
2024-09-03 09:15
|
shereallywantmebutheresituatio... 8ce06dc4ce1fa52f729607c6058f991c MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://23.95.235.112/122/realgirlfriendeverykissnicefeelingsgive.Tif
|
3
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
23.95.235.112 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
41 |
ZeroCERT
408 |
2024-09-03 09:14
|
8_Ball_Pool_Cheto.exe b5ca92538a485317ce5c4dff6c5fd08f UPX PE File PE32 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.8 |
M |
48 |
ZeroCERT
409 |
2024-09-03 09:13
|
66d48faf6737f_crypted.exe 67a51322cbb161374023771f2fa9c1d5 RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key |
|
1
|
|
|
10.2 |
M |
52 |
ZeroCERT
410 |
2024-09-03 09:12
|
rome.exe f43b5c1b6de35a7fdb2c48ff380bac60 Stealc Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://185.215.113.100/0d60be0de163924d/nss3.dll
http://185.215.113.100/0d60be0de163924d/freebl3.dll
http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
http://185.215.113.100/0d60be0de163924d/sqlite3.dll
http://185.215.113.100/ - rule_id: 41969
http://185.215.113.100/0d60be0de163924d/mozglue.dll
http://185.215.113.100/0d60be0de163924d/softokn3.dll
http://185.215.113.100/0d60be0de163924d/msvcp140.dll
|
1
185.215.113.100 - mailcious
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://185.215.113.100/e2b1563c6670f193.php
http://185.215.113.100/
|
12.4 |
M |
30 |
ZeroCERT
411 |
2024-09-03 09:12
|
huna.exe 8424ecf2f95410ceed693e7d1011d26f PE File PE32 VirusTotal Malware |
|
|
|
|
1.4 |
M |
21 |
ZeroCERT
412 |
2024-09-03 09:12
|
Launcher.exe 1788ecdad15cd02d42475133faa38cce UPX PE File PE64 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.4 |
|
57 |
ZeroCERT
413 |
2024-09-03 09:10
|
CheatEngine75.exe 609fea742d34dc1d53f0eeb4873b1a0a Emotet Generic Malware Malicious Library UPX PE File PE32 MZP Format OS Processor Check PNG Format DLL PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VMware China VM Disk Size Check Tofsee Browser |
3
https://d2oq4dwfbh6gxl.cloudfront.net/o
https://d2oq4dwfbh6gxl.cloudfront.net/f/AVG_AV/images/1509/BR.png
https://d2oq4dwfbh6gxl.cloudfront.net/zbd
|
2
d2oq4dwfbh6gxl.cloudfront.net(18.172.183.199)
18.154.207.228
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
36 |
ZeroCERT
414 |
2024-09-03 09:08
|
66d4d06f98874_vweo12.exe 0d4368e6ac69934c3d6012daecee98ad Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
8
http://147.45.68.138/softokn3.dll
http://147.45.68.138/mozglue.dll
http://147.45.68.138/freebl3.dll
http://147.45.68.138/nss3.dll
http://147.45.68.138/sql.dll
http://147.45.68.138/ - rule_id: 42298
http://147.45.68.138/msvcp140.dll
http://147.45.68.138/vcruntime140.dll
|
1
147.45.68.138 - mailcious
|
10
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
1
|
14.2 |
M |
28 |
ZeroCERT
415 |
2024-09-03 09:08
|
Youtube-Viewers.exe a7878575f2e9f431c354c17a3e768fd9 PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName |
|
|
|
|
2.8 |
M |
34 |
ZeroCERT
416 |
2024-09-03 09:06
|
sWsmPty.exe 478124644da5f82d2c803238a413cd96 Generic Malware Malicious Library PE File PE64 FTP Client Info Stealer VirusTotal Malware Malicious Traffic Check memory buffers extracted unpack itself Tofsee Software |
1
https://animalesfans.space/park?jpkr7rxhi=LXc8pXq%2B90Dqtjn83Fl3FLo0pHPLDPLaSKYnB%2FH72B5yCdr0JCJOZKWkStPG67hyYHv9uiy27egbaPaFEIaCVQ%3D%3D
|
2
animalesfans.space(172.67.180.170)
172.67.180.170
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
48 |
ZeroCERT
417 |
2024-09-03 09:04
|
EvolutInjector.exe 34563cc2fcd4e6e5b0063cbc0ffce9c1 Malicious Packer UPX PE File PE32 OS Processor Check VirusTotal Malware DNS |
|
1
104.21.35.232 - mailcious
|
|
|
1.8 |
|
25 |
ZeroCERT
418 |
2024-09-03 09:04
|
VIZSPLOIT.exe 1f29ee3673fc717fcb8f6007c3f840cd UPX PE File PE64 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.0 |
M |
24 |
ZeroCERT
419 |
2024-09-03 09:00
|
byebyefronbypass.exe b5128526be8a6b02a0ea3dcb4bef1478 Gen1 Emotet Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM PE File PE64 OS Processor Check DLL PE32 .NET DLL ftp wget DllRegisterServer dll ZIP Format Check memory Creates executable files AppData folder |
|
|
|
|
2.2 |
M |
|
ZeroCERT
420 |
2024-09-03 08:59
|
m20.exe 1bc0da4074693f616a71d648d4b8c106 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check |
|
|
|
|
|
|
|
ZeroCERT