| 45646 |
2024-06-29 15:16
|
se.e.e.e.eee.doc 6c502f63642761f32b454d1eedee5ee3
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS DDNS crashed |
3
http://managermagnetcccccmango.duckdns.org/thursdayfile.gif
http://41.216.183.208/Users_API/negrocock/file_rxahvjvk.4g3.txt
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
|
5
managermagnetcccccmango.duckdns.org(198.46.178.144) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
198.46.178.144 - mailcious
41.216.183.208
172.67.215.45 - malware
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Malicious Base64 Encoded Payload In Image
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45647 |
2024-06-29 15:17
|
 ffucore.dll fc5857b45516cd1decae5dbd68d59924
Generic Malware Malicious Library Malicious Packer UPX PE File DLL PE32 OS Processor Check VirusTotal Malware PDB Checks debugger unpack itself crashed |
|
|
|
|
3.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45648 |
2024-06-29 15:18
|
 qNVQKFyM.exe 78a7612603af19fb92d614af1e769f2a
UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45649 |
2024-06-29 15:20
|
 main.exe 338cee4d2b3e4d1a0ce18dd982eefbcd
Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45650 |
2024-06-29 15:20
|
 XClient.exe ada4045ee6399dc5733826a4d7e43a10
Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
|
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45651 |
2024-06-29 15:23
|
 go.exe a8a5bb77ad9c654a552178b562d8f860
Generic Malware Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
8
https://www.google.com/favicon.ico
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AS5LTARyH5Kd-rVBKeWnqUj906AGGHofujSb8AgwWKsTypD2yBBYr3WBtOnUhGtxSOgxIU3lQHJc9Q
https://accounts.google.com/_/bscframe
https://accounts.google.com/
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AS5LTARz2rTindXOxtKWlV36tkFtVGW8sAyWc6Y640azCnTxNjcf0x1986tGgMcPtexJF55x92Pocw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023256178%3A1719641978822264
https://accounts.google.com/generate_204?e342lA
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
|
6
ssl.gstatic.com(142.250.206.195)
accounts.google.com(74.125.23.84)
www.google.com(142.250.206.196)
142.250.71.163
216.58.203.68
74.125.203.84
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45652 |
2024-06-29 15:24
|
 neste.exe b3badd1cd2cba4f587bd6737d34d3569
Gen1 EnigmaProtector Generic Malware Malicious Packer Malicious Library UPX PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://85.28.47.4/69934896f997d5bb/freebl3.dll
http://85.28.47.4/69934896f997d5bb/nss3.dll
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
http://85.28.47.4/69934896f997d5bb/mozglue.dll
http://85.28.47.4/69934896f997d5bb/softokn3.dll
http://85.28.47.4/920475a59bac849d.php - rule_id: 40635
http://85.28.47.4/69934896f997d5bb/msvcp140.dll
http://85.28.47.4/69934896f997d5bb/sqlite3.dll
http://77.91.77.81/mine/amadka.exe
|
2
85.28.47.4 - mailcious
77.91.77.81 - mailcious
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
1
http://85.28.47.4/920475a59bac849d.php
|
10.6 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45653 |
2024-06-29 15:24
|
 lamda.cmd b9b513ba600e0bbf6f72129ba99ba72e
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger heapspray Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
6
http://45.88.91.103/LgGFdDAm/AntiVirus.exe
http://45.88.91.103/LgGFdDAm/AntiVirus2.exe
http://45.88.91.103/LgGFdDAm/AntiVirus3.exe
http://45.88.91.103/LgGFdDAm/AntiVirus4.exe
http://45.88.91.103/LgGFdDAm/main.exe
http://45.88.91.103/LgGFdDAm/main2.exe
|
|
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45654 |
2024-06-29 15:25
|
ot.o.o.ooo.doc b0d399c7eee1ee84aa8e55b81a4ac56f
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
3
http://51.81.235.253/44155/amazingflowerspcitureshere.gif
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
https://paste.ee/d/I1BAU
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
104.21.84.67 - malware
51.81.235.253 - mailcious
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45655 |
2024-06-29 15:26
|
 XClientx3.exe 1fee5ce12cd61659dd46575a2e378361
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
|
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45656 |
2024-06-29 15:27
|
 XClient1.exe dedb302aba9b69536c287633fbe41f5d
Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Windows ComputerName keylogger |
|
|
|
|
6.2 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45657 |
2024-06-29 15:28
|
 Slovakia.exe ee1ffa80e2398a0f01a99856c1189b21
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45658 |
2024-06-29 15:29
|
 UpdateSetup.exe a492c3a7274138520cb977971fb13fb5
Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
2.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45659 |
2024-06-29 15:31
|
 XClient2.exe 7b20c6c1ae8a7fb30666a20540ed992a
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.4 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45660 |
2024-06-29 15:37
|
Photo.scr 1c16a630f64fcde9c94e5fa219374330
Generic Malware Malicious Library UPX PE File OS Processor Check VirusTotal Malware |
|
|
|
|
0.6 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|