45646 | 2024-06-29 15:16 | ZeroCERT
File: se.e.e.e.eee.doc
MD5: 6c502f63642761f32b454d1eedee5ee3
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, Malware download, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, DDNS, crashed
URLs (3):
  http://managermagnetcccccmango.duckdns.org/thursdayfile.gif
  http://41.216.183.208/Users_API/negrocock/file_rxahvjvk.4g3.txt
  https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
Hosts (5):
  managermagnetcccccmango.duckdns.org (198.46.178.144) - malicious
  uploaddeimagens.com.br (172.67.215.45) - malware
  198.46.178.144 - malicious
  41.216.183.208
  172.67.215.45 - malware
Network alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 3
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET MALWARE Malicious Base64 Encoded Payload In Image
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
Rule-matched URLs (1):
  https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
Score: 5.4 | M | 36

45647 | 2024-06-29 15:17 | ZeroCERT
File: ffucore.dll
MD5: fc5857b45516cd1decae5dbd68d59924
Tags: Generic Malware, Malicious Library, Malicious Packer, UPX, PE File, DLL, PE32, OS Processor Check, VirusTotal, Malware, PDB, Checks debugger, unpack itself, crashed
Score: 3.0 | M | 44

45648 | 2024-06-29 15:18 | ZeroCERT
File: qNVQKFyM.exe
MD5: 78a7612603af19fb92d614af1e769f2a
Tags: UPX, PE File, PE64, OS Processor Check, VirusTotal, Malware, crashed
Score: 1.6 | M | 27

45649 | 2024-06-29 15:20 | ZeroCERT
File: main.exe
MD5: 338cee4d2b3e4d1a0ce18dd982eefbcd
Tags: Malicious Library, Malicious Packer, Antivirus, .NET framework(MSIL), UPX, PE File, .NET EXE, PE32, OS Processor Check, VirusTotal, Malware, Check memory, Checks debugger, unpack itself
Score: 2.0 | M | 56

45650 | 2024-06-29 15:20 | ZeroCERT
File: XClient.exe
MD5: ada4045ee6399dc5733826a4d7e43a10
Tags: Malicious Library, Antivirus, UPX, PE File, .NET EXE, PE32, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName, Cryptographic key
Score: 4.0 | - | 62

45651 | 2024-06-29 15:23 | ZeroCERT
File: go.exe
MD5: a8a5bb77ad9c654a552178b562d8f860
Tags: Generic Malware, Malicious Library, UPX, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, MSOffice File, VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, RWX flags setting, exploit crash, unpack itself, Windows utilities, Tofsee, Windows, Exploit, DNS, crashed
URLs (8):
  https://www.google.com/favicon.ico
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AS5LTARyH5Kd-rVBKeWnqUj906AGGHofujSb8AgwWKsTypD2yBBYr3WBtOnUhGtxSOgxIU3lQHJc9Q
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AS5LTARz2rTindXOxtKWlV36tkFtVGW8sAyWc6Y640azCnTxNjcf0x1986tGgMcPtexJF55x92Pocw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1023256178%3A1719641978822264
  https://accounts.google.com/generate_204?e342lA
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
Hosts (6):
  ssl.gstatic.com (142.250.206.195)
  accounts.google.com (74.125.23.84)
  www.google.com (142.250.206.196)
  142.250.71.163
  216.58.203.68
  74.125.203.84
Network alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.0 | - | 24

45652 | 2024-06-29 15:24 | ZeroCERT
File: neste.exe
MD5: b3badd1cd2cba4f587bd6737d34d3569
Tags: Gen1, EnigmaProtector, Generic Malware, Malicious Packer, Malicious Library, UPX, PE File, PE32, DLL, OS Processor Check, Browser Info Stealer, Malware download, FTP Client Info Stealer, Vidar, VirusTotal, Email Client Info Stealer, Malware, c&c, Malicious Traffic, Check memory, Creates executable files, unpack itself, Collect installed applications, sandbox evasion, anti-virtualization, installed browsers check, Stealc, Stealer, Windows, Browser, Email, ComputerName, DNS, Software, crashed, plugin
URLs (9):
  http://85.28.47.4/69934896f997d5bb/freebl3.dll
  http://85.28.47.4/69934896f997d5bb/nss3.dll
  http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
  http://85.28.47.4/69934896f997d5bb/mozglue.dll
  http://85.28.47.4/69934896f997d5bb/softokn3.dll
  http://85.28.47.4/920475a59bac849d.php - rule_id: 40635
  http://85.28.47.4/69934896f997d5bb/msvcp140.dll
  http://85.28.47.4/69934896f997d5bb/sqlite3.dll
  http://77.91.77.81/mine/amadka.exe
Hosts (2):
  85.28.47.4 - malicious
  77.91.77.81 - malicious
Network alerts (15):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (1):
  http://85.28.47.4/920475a59bac849d.php
Score: 10.6 | M | 40

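The Stealc/Vidar record above shows the staging pattern the ET HUNTING rules key on: a bare-IP server hands out the Mozilla NSS and sqlite3 DLLs the stealer needs to decrypt browser credential stores, alongside a POST check-in to a .php endpoint on the same host. The block below is an added example, not ZeroCERT's or the sandbox's code, of the same hunt run over HTTP proxy logs. The log line format ("timestamp client method url"), the threshold of three distinct DLLs, and all sample lines are constructed for this example; the IPs and paths in the sample are taken from the record.

```python
"""Hunt for the Stealc/Vidar browser-DLL staging pattern in HTTP proxy logs.

Added example; the simplified proxy log format and the MIN_DLL_MATCHES
threshold are assumptions, not something the sandbox record defines.
"""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# DLL set the stealer fetches to decrypt browser credential stores
# (NSS crypto DLLs plus sqlite3 and the MSVC runtime it links against).
STEALER_DLLS = {
    "freebl3.dll", "nss3.dll", "mozglue.dll", "softokn3.dll",
    "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll",
}
MIN_DLL_MATCHES = 3  # assumed threshold: three distinct DLLs from one bare IP is already rare


def is_dotted_quad(host):
    """True when the URL host is a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Split one constructed proxy line: '<ts> <client> <method> <url>'."""
    ts, src, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": parts.hostname or "", "path": parts.path}


def hunt(lines):
    """Return one finding per (client, bare-IP server) pair that pulled
    MIN_DLL_MATCHES or more of the stealer DLL set; a POST to a .php on the
    same server is reported as the C2 check-in and raises severity."""
    state = defaultdict(lambda: {"dlls": set(), "php_post": False, "first": None})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_dotted_quad(ev["host"]):
            continue  # the ET INFO/HUNTING rules above fire on dotted-quad hosts only
        st = state[(ev["src"], ev["host"])]
        st["first"] = st["first"] or ev["ts"]
        name = ev["path"].rsplit("/", 1)[-1].lower()
        if name in STEALER_DLLS:
            st["dlls"].add(name)
        if ev["method"] == "POST" and name.endswith(".php"):
            st["php_post"] = True

    findings = []
    for (src, dst), st in sorted(state.items()):
        if len(st["dlls"]) >= MIN_DLL_MATCHES:
            findings.append({
                "src": src, "dst": dst, "first_seen": st["first"],
                "dlls": sorted(st["dlls"]),
                "c2_checkin": st["php_post"],
                "severity": "high" if st["php_post"] else "medium",
            })
    return findings


# Constructed sample log: one infected client replaying the record's traffic,
# one benign client fetching a single runtime DLL from a bare IP.
SAMPLE_LOG = """\
2024-06-29T15:24:01Z 10.0.0.7 POST http://85.28.47.4/920475a59bac849d.php
2024-06-29T15:24:02Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/freebl3.dll
2024-06-29T15:24:02Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/nss3.dll
2024-06-29T15:24:03Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
2024-06-29T15:24:03Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/mozglue.dll
2024-06-29T15:24:04Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/softokn3.dll
2024-06-29T15:24:04Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/msvcp140.dll
2024-06-29T15:24:05Z 10.0.0.7 GET http://85.28.47.4/69934896f997d5bb/sqlite3.dll
2024-06-29T15:24:06Z 10.0.0.7 GET http://77.91.77.81/mine/amadka.exe
2024-06-29T15:25:00Z 10.0.0.9 GET http://192.0.2.10/installer/vcruntime140.dll
2024-06-29T15:25:10Z 10.0.0.9 GET https://www.example.com/index.html
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']}: {f['src']} -> {f['dst']} pulled {len(f['dlls'])} stealer DLLs"
              f" (first seen {f['first_seen']}, C2 check-in: {f['c2_checkin']})")
```

The DLL-set match alone is only medium confidence, since legitimate installers do ship these runtimes; the pairing with a POST to a .php path on the same bare IP is what mirrors the C2 check-in alert in the record and is worth escalating.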
45653 | 2024-06-29 15:24 | ZeroCERT
File: lamda.cmd
MD5: b9b513ba600e0bbf6f72129ba99ba72e
Tags: Generic Malware, Downloader, Antivirus, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, AntiDebug, AntiVM, powershell, suspicious privilege, Check memory, Checks debugger, heapspray, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, Cryptographic key
URLs (6):
  http://45.88.91.103/LgGFdDAm/AntiVirus.exe
  http://45.88.91.103/LgGFdDAm/AntiVirus2.exe
  http://45.88.91.103/LgGFdDAm/AntiVirus3.exe
  http://45.88.91.103/LgGFdDAm/AntiVirus4.exe
  http://45.88.91.103/LgGFdDAm/main.exe
  http://45.88.91.103/LgGFdDAm/main2.exe
Score: 3.6 | M | -

45654 | 2024-06-29 15:25 | ZeroCERT
File: ot.o.o.ooo.doc
MD5: b0d399c7eee1ee84aa8e55b81a4ac56f
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, Malicious Traffic, buffers extracted, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (3):
  http://51.81.235.253/44155/amazingflowerspcitureshere.gif
  https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498 - rule_id: 40652
  https://paste.ee/d/I1BAU
Hosts (5):
  paste.ee (104.21.84.67) - malicious
  uploaddeimagens.com.br (104.21.45.138) - malware
  104.21.84.67 - malware
  51.81.235.253 - malicious
  172.67.215.45 - malware
Network alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1):
  https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg
Score: 5.0 | M | 35

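Both RTF records above (45646 and 45654) fetch the same new_image_(1).jpg from uploaddeimagens.com.br, and the first of them triggers "ET MALWARE Malicious Base64 Encoded Payload In Image". The block below is an added example, not ZeroCERT's or the sandbox's code, of how an analyst pulls such a payload out of a downloaded image for triage. It assumes the common carrier layout of a long base64 run appended after the real image data, sometimes stored reversed so that a naive decoder fails; the sample image and the MZ stub inside it are constructed here and say nothing about the actual contents of the file in the records.

```python
"""Extract a base64-encoded payload appended to an image blob.

Added example. The carrier layout (base64 run after the image data, possibly
reversed) is an assumption about this class of loader, not a fact taken from
the sandbox records; FAKE_PE and FAKE_IMAGE below are constructed test data.
"""
import base64
import binascii
import re

# Longest run of base64 alphabet characters. Padding may sit at either end,
# because a reversed base64 string carries its '=' padding at the front.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")


def _strict_b64(chunk):
    """Strict decode; None when the chunk is not clean base64 (wrong padding,
    padding in the wrong place, stray characters)."""
    chunk = chunk + b"=" * (-len(chunk) % 4)
    try:
        return base64.b64decode(chunk, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_b64_payload(blob):
    """Find the longest base64 run in blob, decode it plain and reversed, and
    return the decoding that looks like a PE (MZ header) if either does,
    otherwise the first one that decodes cleanly. None if nothing decodes."""
    best = max(B64_RUN.finditer(blob), key=lambda m: m.end() - m.start(), default=None)
    if best is None:
        return None
    chunk = best.group(0)
    decoded = []
    for reversed_ in (False, True):
        data = _strict_b64(chunk[::-1] if reversed_ else chunk)
        if data is not None:
            decoded.append({
                "offset": best.start(), "length": len(chunk),
                "reversed": reversed_, "is_pe": data[:2] == b"MZ", "data": data,
            })
    if not decoded:
        return None
    return next((d for d in decoded if d["is_pe"]), decoded[0])


# Constructed stub with a DOS header magic and a PE signature; not a real binary.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed stub, not a real binary"

# Constructed carrier: JPEG markers, filler standing in for image data, then the
# payload appended reversed after the end-of-image marker.
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    + bytes(range(256)) * 2
    + b"\xff\xd9"
    + base64.b64encode(FAKE_PE)[::-1]
)

# Same payload, appended without reversal.
FAKE_IMAGE_PLAIN = b"\xff\xd8\xff\xd9" + base64.b64encode(FAKE_PE)

if __name__ == "__main__":
    hit = extract_b64_payload(FAKE_IMAGE)
    print(f"offset={hit['offset']} length={hit['length']} reversed={hit['reversed']} "
          f"pe={hit['is_pe']} head={hit['data'][:4]!r}")
```

Run it against the saved image rather than the live URL, and treat a decoded MZ header as a reason to hand the blob to static analysis, not as proof on its own; a real carrier may also XOR or compress the run before encoding, which this check does not attempt.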
45655 | 2024-06-29 15:26 | ZeroCERT
File: XClientx3.exe
MD5: 1fee5ce12cd61659dd46575a2e378361
Tags: Antivirus, UPX, PE File, .NET EXE, PE32, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName, Cryptographic key
Score: 4.4 | - | 55

45656 | 2024-06-29 15:27 | ZeroCERT
File: XClient1.exe
MD5: dedb302aba9b69536c287633fbe41f5d
Tags: Antivirus, UPX, PE File, .NET EXE, PE32, OS Processor Check, Lnk Format, GIF Format, VirusTotal, Malware, AutoRuns, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName, keylogger
Score: 6.2 | M | 58

45657 | 2024-06-29 15:28 | ZeroCERT
File: Slovakia.exe
MD5: ee1ffa80e2398a0f01a99856c1189b21
Tags: Antivirus, UPX, PE File, .NET EXE, PE32, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName, Cryptographic key
Score: 4.4 | M | 46

45658 | 2024-06-29 15:29 | ZeroCERT
File: UpdateSetup.exe
MD5: a492c3a7274138520cb977971fb13fb5
Tags: Malicious Library, Admin Tool (Sysinternals etc ...), UPX, PE File, .NET EXE, PE32, VirusTotal, Malware, PDB, Check memory, Checks debugger, unpack itself
Score: 2.0 | M | 26

45659 | 2024-06-29 15:31 | ZeroCERT
File: XClient2.exe
MD5: 7b20c6c1ae8a7fb30666a20540ed992a
Tags: Antivirus, UPX, PE File, .NET EXE, PE32, OS Processor Check, VirusTotal, Malware, suspicious privilege, MachineGuid, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, Windows, ComputerName, Cryptographic key
Score: 4.4 | M | 61

45660 | 2024-06-29 15:37 | ZeroCERT
File: Photo.scr
MD5: 1c16a630f64fcde9c94e5fa219374330
Tags: Generic Malware, Malicious Library, UPX, PE File, OS Processor Check, VirusTotal, Malware
Score: 0.6 | M | 11