45616 | 2024-06-27 10:27
File: hv.exe
MD5: 6a1db4f73db4ed058c8cd7e04dfa7cc3
Tags: Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (1):
  https://pastebin.com/raw/A54sKxhY - rule_id: 38719
Hosts (3):
  pastebin.com (172.67.19.24) - malicious
  104.20.3.235 - malware
  194.26.29.153
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Matched malicious URLs (1):
  https://pastebin.com/raw/A54sKxhY
Score: 12.6 | M | VT: 54 | ZeroCERT
Note: the SSLBL JA3 alert labelled Tofsee is the only network signature on this sample, and the same alert fires on the LokiBot-tagged build2.exe, the RedLine sample, the Telegram keylogger and an RTF exploit document further down this listing. A JA3 match identifies a TLS client stack, not a malware family, so it is not attribution on its own; the raw pastebin paste fetched by the sample is the indicator worth keeping.
45617 | 2024-06-27 13:25
File: Result_2024-0617.pdf.jse
MD5: 20e2de2d794dfff774b71b6dd2294a96
Tags: Client SW User Data Stealer browser info stealer Generic Malware Suspicious_Script_Bin Hide_EXE Google Chrome User Data Downloader Antivirus Malicious Library Malicious Packer UPX Create Service Socket DGA Http API ScreenShot Escalate privileges Steal cr Browser Info Stealer VirusTotal Malware United States powershell AutoRuns suspicious privilege Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW installed browsers check Windows Exploit Browser ComputerName Cryptographic key crashed
URLs (1):
  http://image.ionexusa.com/view.php
Hosts (1):
  image.ionexusa.com (127.0.0.1) - malicious
IDS alerts (1):
  ET INFO DYNAMIC_DNS Query to a *.ionexusa .com Domain
Matched malicious URLs: none listed
Score: 13.0 | VT: 24 | ZeroCERT
Note: the file is an encoded JScript (.jse) wearing a .pdf double extension. Its dynamic-DNS hostname resolved to 127.0.0.1 at analysis time, so the view.php request never left the sandbox host; the hostname, not the address, is the indicator to watch for.
45618 | 2024-06-27 17:12
File: build2.exe
MD5: 335a64e110185d35bcfbc3ef86a382e9
Tags: Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (2):
  https://steamcommunity.com/profiles/76561199695752269
  https://t.me/ta904ek
Hosts (5):
  t.me (149.154.167.99) - malicious
  steamcommunity.com (23.59.200.146) - malicious
  149.154.167.99 - malicious
  184.26.241.154 - malicious
  65.21.109.161
IDS alerts (3):
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Matched malicious URLs: none listed
Score: 15.8 | M | VT: 59 | ZeroCERT
Note: a stealer fetching a Steam profile page and a Telegram channel is the dead-drop resolver pattern: the real C2 address is read out of the profile or channel text. Blocking steamcommunity.com or t.me outright is rarely practical, so the profile ID and channel name are the useful indicators, and the one host carrying no verdict, 65.21.109.161, is the candidate for the address obtained that way and should be checked rather than ignored.
45619 | 2024-06-27 17:17
File: 부가가치세 수정신고 안내(부가가치세사무처리규정).hwp... (Korean: "VAT amended-return guidance (VAT administrative processing regulations)"; filename truncated in source)
MD5: 6eee6fa92a270b1f32390eec50512eea
Tags: Generic Malware Malicious Library Antivirus HWP PS PostScript AntiDebug AntiVM GIF Format Lnk Format PE File PE32 CAB JPEG Format MSOffice File Malware download VirusTotal Malware Campaign powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Konni Windows ComputerName Cryptographic key
URLs (2):
  http://stvse.com/upload.php - rule_id: 40637
  http://stvse.com/upload.php
Hosts (2):
  stvse.com (176.97.64.174)
  176.97.64.174 - malicious
IDS alerts (1):
  ET MALWARE [ANY.RUN] Konni.APT Exfiltration
Matched malicious URLs (1):
  http://stvse.com/upload.php
Score: 9.0 | VT: 17 | ZeroCERT
Note: a Korean tax-office themed Hangul (HWP) document carrying PostScript, LNK and CAB content is the delivery chain the Konni tag refers to; upload.php is the single exfiltration endpoint, which is what the ET rule fires on.
45620 | 2024-06-27 18:24
File: system.exe
MD5: e920056a531d4a0635ba526fabeda4ce
Tags: Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files crashed
Network: no URLs, hosts or IDS alerts recorded
Score: 2.4 | VT: 39 | ZeroCERT
45621 | 2024-06-28 12:42
File: mimikatz.exe
MD5: e930b05efe23891d19bc354a4209be3e
Tags: Generic Malware Malicious Packer UPX PE File PE64 VirusTotal Malware Check memory WriteConsoleW
Network: no URLs, hosts or IDS alerts recorded
Score: 1.6 | VT: 65 | ZeroCERT
Note: mimikatz is the well-known credential-dumping tool; run with no arguments it only opens its console prompt (consistent with the WriteConsoleW tag). A high VT count with a near-zero behaviour score is the usual profile of an unmodified copy of a known offensive tool, and the interesting question is who dropped it, not what it did in the sandbox.
45622 | 2024-06-28 12:44
File: chisel.exe
MD5: 6ddee3e7fa0969931f9ec465e9c8965a
Tags: Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware crashed
Network: no URLs, hosts or IDS alerts recorded
Score: 1.6 | VT: 52 | ZeroCERT
Note: chisel is an open-source TCP/UDP-over-HTTP tunnelling tool; it needs client or server arguments to do anything, so a bare execution produces no network activity, which is what this record shows. As with mimikatz, treat it as a dual-use tool whose presence matters more than its sandbox behaviour.
45623 | 2024-06-28 12:45
File: 123.exe
MD5: cd581d68ed550455444ee6e099c44266
Tags: RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check PNG Format MSOffice File JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://x1.i.lencr.org/
  https://moreapp4you.online/George.exe - rule_id: 40536
Hosts (10):
  x1.i.lencr.org (23.52.33.11)
  moreapp4you.online (31.31.196.208) - malware
  iplogger.co (104.21.82.93)
  77.91.77.81 - malicious
  23.41.113.9
  31.31.196.208 - malicious
  121.254.136.74
  104.21.82.93
  121.254.136.9
  185.215.113.67 - malicious
IDS alerts (7):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Matched malicious URLs (1):
  https://moreapp4you.online/George.exe
Score: 12.4 | M | VT: 57 | ZeroCERT
Note: the first two URLs (the DST Root CA X3 .p7c on apps.identrust.com and the Let's Encrypt x1.i.lencr.org host) are certificate-chain fetches Windows performs while validating a Let's Encrypt certificate, a side effect of the TLS connection to moreapp4you.online. Drop them and their resolved addresses before this list is fed to blocking. George.exe from moreapp4you.online and the contact to iplogger.co are the real network indicators, and the net.tcp / MC-NMF alerts show the RedLine C2 channel was live during analysis.
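The host and URL columns in these records pack several indicators, their resolved addresses, rule ids and verdicts into one run of text (note the listing's own spelling "mailcious"). The following Python is an added example, not part of the listing or of the ZeroCERT tooling: it parses that layout into structured indicators, normalises the verdict spelling, deduplicates resolved and bare IPs, and defangs the result for sharing. The sample fields are copied from record 45623 above; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One entry of the host column: "domain(resolved_ip)", a bare IPv4, or a bare
# domain, each optionally followed by " - <verdict>" before the next entry.
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9.-]+\.[A-Za-z]{2,})\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<bare_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"|(?P<bare_name>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})"
)
# The listing spells the verdict "mailcious"; accept both spellings.
VERDICT_RE = re.compile(r"^\s*-\s*(malicious|mailcious|malware)\b")
# URL column: URLs separated by spaces, some followed by " - rule_id: NNNNN".
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")


@dataclass(frozen=True)
class Indicator:
    kind: str                   # "domain" or "ipv4"
    value: str
    resolved_ip: Optional[str]  # the "(ip)" part of a domain entry, if any
    verdict: str                # "malicious", "malware" or "" when none is given


def parse_hosts(field: str) -> List[Indicator]:
    """Split one host column value into indicators with their verdicts."""
    matches = list(HOST_RE.finditer(field))
    out: List[Indicator] = []
    for i, m in enumerate(matches):
        # The verdict, if any, sits between this entry and the next one.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(field)
        v = VERDICT_RE.match(field[m.end():end])
        verdict = "" if v is None else v.group(1).replace("mailcious", "malicious")
        if m.group("name"):
            out.append(Indicator("domain", m.group("name"), m.group("ip"), verdict))
        elif m.group("bare_ip"):
            out.append(Indicator("ipv4", m.group("bare_ip"), None, verdict))
        else:
            out.append(Indicator("domain", m.group("bare_name"), None, verdict))
    return out


def parse_urls(field: str) -> List[Tuple[str, Optional[str]]]:
    """Return (url, rule_id-or-None) pairs from one URL column value."""
    return [(m.group(1), m.group(2)) for m in URL_RE.finditer(field)]


def defang(value: str) -> str:
    """hxxp(s) scheme and [.] in the host; path and query stay readable."""
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", value, flags=re.S)
    if m:
        scheme, host, rest = m.groups()
        return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{rest}"
    return value.replace(".", "[.]")


def iocs_from_record(url_field: str, host_field: str) -> Dict[str, List[str]]:
    """Deduplicated, defanged indicators from one record's URL and host columns."""
    hosts = parse_hosts(host_field)
    domains = {h.value for h in hosts if h.kind == "domain"}
    ips = {h.value for h in hosts if h.kind == "ipv4"}
    ips |= {h.resolved_ip for h in hosts if h.resolved_ip}  # resolved == bare dedup
    urls = {u for u, _ in parse_urls(url_field)}
    return {
        "urls": [defang(u) for u in sorted(urls)],
        "domains": [defang(d) for d in sorted(domains)],
        "ips": [defang(ip) for ip in sorted(ips)],
    }


# Sample input: fields copied verbatim from record 45623 (RedLine) in the listing.
REDLINE_URLS = ("http://apps.identrust.com/roots/dstrootcax3.p7c http://x1.i.lencr.org/ "
                "https://moreapp4you.online/George.exe - rule_id: 40536")
REDLINE_HOSTS = ("x1.i.lencr.org(23.52.33.11) moreapp4you.online(31.31.196.208) - malware "
                 "iplogger.co(104.21.82.93) 77.91.77.81 - mailcious 23.41.113.9 "
                 "31.31.196.208 - mailcious 121.254.136.74 104.21.82.93 121.254.136.9 "
                 "185.215.113.67 - mailcious")

if __name__ == "__main__":
    for kind, values in iocs_from_record(REDLINE_URLS, REDLINE_HOSTS).items():
        print(kind, values)
```

The verdict is attached to the entry it follows rather than to the record as a whole, which is what lets the parser keep stvse.com (no verdict) apart from its resolved address 176.97.64.174 (malicious) in record 45619. Certificate-chain hosts such as x1.i.lencr.org still come through; filtering those is a policy decision for the consumer, not the parser.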
45624 | 2024-06-28 12:46
File: %E5%9B%BD%E5%BA%86%E5%BB%B6%E8... (URL-encoded filename, truncated in source)
MD5: d0e72468c01cf13b48c0a5ee2a310cb2
Tags: Malicious Library PE File PE64 VirusTotal Malware RWX flags setting DNS crashed
URLs: none
Hosts (1): entry not shown in source
IDS alerts: none
Matched malicious URLs: none
Score: 4.0 | M | VT: 63 | ZeroCERT
45625 | 2024-06-28 12:47
File: intalls555.exe
MD5: 7e30a1a92f86e8e0a25154b1521d0588
Tags: Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram suspicious privilege MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger
URLs: none
Hosts (2):
  api.telegram.org (149.154.167.220)
  149.154.167.220
IDS alerts (4):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Matched malicious URLs: none listed
Score: 4.8 | M | VT: 59 | ZeroCERT
Note: a .NET keylogger reporting through the Telegram Bot API. The API host is shared with legitimate traffic, so the indicators to extract from the sample are the bot token and chat ID embedded in its requests (the token is part of the Bot API URL path), not api.telegram.org itself. The VM disk-size check explains the low behaviour score: the sample looks for a small sandbox disk before doing anything further.
45626 | 2024-06-28 12:48
File: alphazxv.scr
MD5: e4979c53302e30f656edf76043b5944a
Tags: LokiBot Generic Malware Malicious Library .NET framework(MSIL) Antivirus Socket PWS DNS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://midwestsoil.top/alpha/five/fre.php
Hosts (2):
  midwestsoil.top (104.21.23.190)
  172.67.212.234
IDS alerts (8):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP Request to a *.top domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
Matched malicious URLs: none listed
Score: 16.0 | M | VT: 49 | ZeroCERT
Note: this is the complete LokiBot exchange: check-in with the Charon/Inferno User-Agent, command polling, a C2 reply disguised as a 404, and credential exfiltration to the same fre.php path. The fake-404 signature matters for triage because a proxy log showing only 404 responses for this host would otherwise look like a failed connection. The two *.top alerts are policy-level and carry no family attribution.
45627 | 2024-06-28 12:50
File: alex5555555.exe
MD5: a80a86c701801cbd77cf7406be6d11f0
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed
Network: no URLs, hosts or IDS alerts recorded
Score: 2.4 | M | VT: 56 | ZeroCERT
45628 | 2024-06-28 12:50
File: au.u.u.u.uuuu.doc
MD5: d268f6028d5fcdb70bf64bf7419852a4
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Exploit DNS crashed
URLs (1):
  http://103.186.67.211/44155/sweetflowerislookbeautifulhereimages.gif
Hosts (2):
  103.186.67.211 - malicious
  66.70.160.254 - malicious
IDS alerts: none
Matched malicious URLs: none listed
Score: 6.0 | M | VT: 38 | ZeroCERT
Note: an RTF with obfuscated embedded objects that crashes the host application and then fetches a file served under an image name from a raw IP address. The .gif extension says nothing about the content, so treat the path as a second-stage download, not an image, when matching on it.
45629 | 2024-06-28 12:53
File: sw.w.w.w.www.doc
MD5: 80e1ba7b421fd01f5319de00cf5420f7
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (3):
  http://198.46.178.144/wednesdayfile.jpeg
  https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498
  https://paste.ee/d/RgwiL
Hosts (5):
  paste.ee (104.21.84.67) - malicious
  uploaddeimagens.com.br (172.67.215.45) - malware
  172.67.187.200 - malicious
  198.46.178.144 - malicious
  104.21.45.138 - malware
IDS alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Matched malicious URLs: none listed
Score: 4.0 | M | VT: - | ZeroCERT
Note: same RTF exploit pattern as 45628, with the next stage staged across a raw IP, an image-hosting site and a paste.ee paste. No VirusTotal result is recorded for this sample (the VirusTotal tag is absent), so the low score reflects the sandbox run only.
45630 | 2024-06-28 12:53
File: random.exe
MD5: 97ddaf205149ee9833a9b79cbfa33e68
Tags: Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS crashed plugin
URLs (8):
  http://85.28.47.4/69934896f997d5bb/freebl3.dll
  http://85.28.47.4/69934896f997d5bb/nss3.dll
  http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
  http://85.28.47.4/69934896f997d5bb/mozglue.dll
  http://85.28.47.4/69934896f997d5bb/softokn3.dll
  http://85.28.47.4/920475a59bac849d.php - rule_id: 40635
  http://85.28.47.4/69934896f997d5bb/msvcp140.dll
  http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Hosts (1): entry not shown in source
IDS alerts (15):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Matched malicious URLs (1):
  http://85.28.47.4/920475a59bac849d.php
Score: 8.2 | M | VT: 33 | ZeroCERT
Note: the seven DLLs are the Mozilla NSS libraries (freebl3, nss3, softokn3, mozglue), SQLite and the VC++ runtime that the stealer needs to open Firefox and Chromium credential stores; Stealc and Vidar pull them from the C2 rather than ship them in the binary. Fetching that set from a raw IP right after a check-in POST to a .php script is the behaviour the ET HUNTING rules key on, and the combination of check-in plus several of these DLLs from one host is a much stronger detection than any single DLL name, since vcruntime140.dll and sqlite3.dll are also legitimately downloaded from CDNs.
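The Stealc record above shows the pattern the ET HUNTING and C2 check-in rules key on: a POST to a .php path on a raw IP, followed by GETs for the NSS/SQLite/VC runtime DLLs from the same host; the LokiBot record (45626) shows the User-Agent based signature. As an added example, not from the listing or from any tool named on it, this Python runs those two checks over constructed proxy log lines and correlates the DLL fetches per client and host so that three or more of the set from one dotted-quad host become a single finding. The log layout, client addresses, threshold and rule names are my assumptions; the sample User-Agent is the Charon/Inferno value the ET signature name refers to.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Libraries a Stealc/Vidar-style stealer fetches from its C2 to read Firefox
# (NSS) and Chromium (SQLite) credential stores; the ET HUNTING alerts in the
# listing fire on the individual file names.
STEALER_DLLS = {
    "freebl3.dll", "nss3.dll", "mozglue.dll", "softokn3.dll",
    "sqlite3.dll", "vcruntime140.dll", "msvcp140.dll",
}
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed log layout (assumption): ts client METHOD url "user-agent" status
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)" (\d{3})$')


@dataclass(frozen=True)
class Finding:
    client: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one log line, or None when the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua, status = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": parts.hostname or "", "path": parts.path, "ua": ua, "status": status}


def triage(lines: List[str], min_dlls: int = 3) -> List[Finding]:
    """Per-line checks first, then the per-(client, host) DLL correlation."""
    findings: List[Finding] = []
    dll_hits: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fname = rec["path"].rsplit("/", 1)[-1].lower()
        raw_ip_host = bool(DOTTED_QUAD.match(rec["host"]))
        # Stealc/Vidar dependency pull: remember per (client, host), decide below.
        # Restricted to raw-IP hosts so CDN-served runtime DLLs do not count.
        if raw_ip_host and fname in STEALER_DLLS:
            dll_hits[(rec["client"], rec["host"])].add(fname)
        # Check-in style POST to a .php script on a raw IP (cf. ET Stealc C2 Check-in).
        if rec["method"] == "POST" and raw_ip_host and fname.endswith(".php"):
            findings.append(Finding(rec["client"], "php-post-to-raw-ip", rec["url"]))
        # LokiBot User-Agent (cf. ET "LokiBot User-Agent (Charon/Inferno)").
        ua = rec["ua"].lower()
        if "charon" in ua and "inferno" in ua:
            findings.append(Finding(rec["client"], "lokibot-user-agent",
                                    f'{rec["ua"]} -> {rec["host"]}{rec["path"]}'))
    for (client, host), dlls in sorted(dll_hits.items()):
        if len(dlls) >= min_dlls:
            findings.append(Finding(client, "stealer-dll-bundle",
                                    f"{host} served {sorted(dlls)}"))
    return findings


# Constructed sample: the Stealc sequence from record 45630 replayed from one
# client, a benign CDN fetch of a runtime DLL, and a LokiBot check-in answered 404.
SAMPLE_LOG = """\
2024-06-28T12:53:01Z 10.0.0.5 POST http://85.28.47.4/920475a59bac849d.php "Mozilla/5.0" 200
2024-06-28T12:53:02Z 10.0.0.5 GET http://85.28.47.4/69934896f997d5bb/freebl3.dll "Mozilla/5.0" 200
2024-06-28T12:53:02Z 10.0.0.5 GET http://85.28.47.4/69934896f997d5bb/nss3.dll "Mozilla/5.0" 200
2024-06-28T12:53:03Z 10.0.0.5 GET http://85.28.47.4/69934896f997d5bb/sqlite3.dll "Mozilla/5.0" 200
2024-06-28T12:54:00Z 10.0.0.9 GET http://cdn.example.test/updates/vcruntime140.dll "Mozilla/5.0" 200
2024-06-28T12:55:10Z 10.0.0.7 POST http://midwestsoil.top/alpha/five/fre.php "Mozilla/4.08 (Charon; Inferno)" 404
"""


def run_sample() -> List[Finding]:
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f.client, f.rule, f.detail)
```

The single CDN fetch of vcruntime140.dll from 10.0.0.9 produces nothing, which is the point of correlating: the ET HUNTING rules alert on each file name individually and are meant for hunting, while the bundle-from-a-raw-IP finding is specific enough to page on. Raising `min_dlls` trades recall for precision; lowering it to 1 reproduces the per-file ET behaviour.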