31 |
2024-09-19 10:00
|
66e877203afd3_vfdsofa12.exe#d1... 5c984dd83c65ae6b6f2d93a60ae40bfd Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.74.15) - mailcious 149.154.167.99 - mailcious 104.76.74.15 78.47.207.136 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
32 |
2024-09-19 10:00
|
66e86c030044f_UniversityGradua... 8bc957246166f6b5d99c1b63d34dd663 Generic Malware Suspicious_Script_Bin Malicious Library UPX PE File PE32 OS Processor Check ftp VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName |
|
|
|
|
7.8 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
33 |
2024-09-19 09:58
|
Channel2.exe ec3afdbd761916a682e9372834365939 Generic Malware Malicious Library Malicious Packer Antivirus UPX AntiDebug AntiVM PE File PE64 OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Disables Windows Security Check virtual network interfaces suspicious process malicious URLs suspicious TLD Tofsee Windows ComputerName Remote Code Execution DNS Cryptographic key |
2
https://yip.su/RNWPd.exe - rule_id: 37623 https://pastebin.com/raw/V6VJsrV3 - rule_id: 37255
|
4
pastebin.com(104.20.3.235) - mailcious yip.su(104.21.79.77) - mailcious 104.21.79.77 - phishing 104.20.3.235 - malware
|
2
ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
https://yip.su/RNWPd.exe https://pastebin.com/raw/V6VJsrV3
|
12.6 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
34 |
2024-09-19 09:57
|
66e805302f63c_otr.exe d3d2aafaf86262baa7528e397f1ce761 RedLine Infostealer UltraVNC Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Malware download VirusTotal Malware PDB Stealer DNS |
|
1
89.105.223.249 - mailcious
|
1
ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI)
|
|
2.4 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
35 |
2024-09-19 09:55
|
vethwgr16.exe 26e1bcdecaa337ee8e8b3694603c803f Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.74.15) - mailcious 149.154.167.99 - mailcious 104.76.74.15 78.47.207.136 - mailcious
|
3
ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
15.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
36 |
2024-09-19 09:55
|
66e98ff1d44e2_crypted.exe a0c6989730b44ee30722feccd86d946b RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
37 |
2024-09-19 09:53
|
vfasmd.exe 9d0327bd2962fd98512fb4ad5fc9ad19 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.74.15) - mailcious 149.154.167.99 - mailcious 104.76.74.15 78.47.207.136 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
38 |
2024-09-19 09:53
|
API.msi b1c0657b678a8e3f320476ef4ba6dfd2 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer ASPack UPX AntiDebug AntiVM MSOffice File CAB OS Processor Check PE File DLL PE64 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check ComputerName crashed |
|
|
|
|
5.4 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
39 |
2024-09-19 09:52
|
smdsg.exe 272b330726dec4add609e0d8025d71b7 Stealc Client SW User Data Stealer Gen1 ftp Client info stealer Generic Malware Antivirus Malicious Library UPX Malicious Packer Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
9
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211 http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll http://46.8.231.109/ - rule_id: 42142 http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
|
3
innovaxingenieros.com(167.114.163.236) - malware 46.8.231.109 - mailcious 167.114.163.236 - mailcious
|
17
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
|
2
http://46.8.231.109/c4754d4f680ead72.php http://46.8.231.109/
|
15.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
40 |
2024-09-19 09:52
|
sgnsd.exe 082c8a659fa07a63f6078b1cbd00ae2a Stealc Client SW User Data Stealer ftp Client info stealer Antivirus Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211 http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll http://46.8.231.109/ - rule_id: 42142 http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
|
1
|
15
ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://46.8.231.109/c4754d4f680ead72.php http://46.8.231.109/
|
14.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
41 |
2024-09-19 09:48
|
66e9359d801ce_sbgfds.exe de6101b925ca754f1ea8c8ab216a38f6 Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName |
|
|
|
|
3.0 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
42 |
2024-09-19 09:48
|
66e9c0921c144_111.exe#111 837bbda2bbdf75c019f3581afb0fc9d4 RedLine stealer RedLine Infostealer Generic Malware UltraVNC Malicious Library UPX Antivirus ScreenShot PWS AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
|
2
193.233.255.84 107.189.171.131 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
15.0 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43 |
2024-09-19 09:47
|
ScreenUpdateSync.exe 95c4cd6903e8db5123f6941486a2af23 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
44 |
2024-09-19 09:45
|
Enquiry.vbs e7311cae7836880d52f11c91b3783da2 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
|
2
ia601706.us.archive.org(207.241.227.96) - malware 207.241.227.96 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
M |
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45 |
2024-09-19 09:45
|
66e8771a651d2_voewgngr.exe ac7314c596e766b8f4f368579e2e0f8f Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.74.15) - mailcious 149.154.167.99 - mailcious 104.76.74.15 78.47.207.136 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|