| ID | Analyzed | File | MD5 | Tags | URLs | Hosts | Signatures | Rule-matched URLs | Score | | | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 45826 | 2024-07-06 12:48 | startupppp.bat | f88fe8d8b25b85e6c7f7b31f71771193 | Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware Windows utilities WriteConsoleW Windows | | | | | 1.4 | | 2 | ZeroCERT |
| 45827 | 2024-07-06 18:18 | datingloverstartingAgain.vbs | 66decb1e47d3173c8046c1a921244190 | VirusTotal Malware DNS | 1: http://91.92.254.29/Users_API/BrainiacMAX/file_s40rzeho.5f4.txt | 1 | | | 2.0 | | 7 | ZeroCERT |
| 45828 | 2024-07-06 18:20 | mkl.js | b0d0cfe2e3d3285272c07d5c32c96e44 | AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Gmail Browser Email ComputerName crashed keylogger | | 2: smtp.gmail.com(74.125.23.108); 142.251.8.108 | 2: SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 9.6 | | 14 | ZeroCERT |
| 45829 | 2024-07-06 18:21 | inte.exe | 0da0d1efee859f1fe9cbd3bf5b428af6 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS | 1: http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981 | 1: 185.172.128.90 - mailcious | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 33 | 1: http://185.172.128.90/cpa/ping.php | 2.6 | M | 58 | ZeroCERT |
| 45830 | 2024-07-06 18:22 | univ.exe | 217b817f890ef7fc49dc9207d55d2a01 | GCleaner Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic human activity check DNS | 1: http://185.172.128.90/cpa/name.php - rule_id: 39629 | 1: 185.172.128.90 - mailcious | 1: ET DROP Spamhaus DROP Listed Traffic Inbound group 33 | 1: http://185.172.128.90/cpa/name.php | 3.4 | M | 57 | ZeroCERT |
| 45831 | 2024-07-06 18:25 | CryptoWall.exe | 919034c8efb9678f96b47a20fa6199f2 | ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted IP Check DNS | 2: http://myexternalip.com/raw; http://ip-addr.es/ | 10: myexternalip.com(34.117.118.44); ip-addr.es(188.165.164.184); 34.117.118.44; 91.121.12.127; 188.165.164.184; 94.247.28.26; 94.247.31.19; 185.172.128.90 - mailcious; 209.148.85.151; 94.247.28.156 | 3: ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO HTTP Request for External IP Check (ip-addr .es); ET POLICY External IP Check myexternalip.com | | 7.8 | M | 60 | ZeroCERT |
| 45832 | 2024-07-06 18:25 | leva.exe | de1f91ae5c55b1cbbc6d6561464d7d99 | Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin | 8: http://85.28.47.30/69934896f997d5bb/sqlite3.dll; http://85.28.47.30/69934896f997d5bb/softokn3.dll; http://85.28.47.30/69934896f997d5bb/vcruntime140.dll; http://85.28.47.30/920475a59bac849d.php; http://85.28.47.30/69934896f997d5bb/msvcp140.dll; http://85.28.47.30/69934896f997d5bb/nss3.dll; http://85.28.47.30/69934896f997d5bb/freebl3.dll; http://85.28.47.30/69934896f997d5bb/mozglue.dll | 3: 185.172.128.90 - mailcious; 77.91.77.81 - mailcious; 85.28.47.30 - mailcious | 16: ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET MALWARE Win32/Stealc Submitting System Information to C2; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity | | 12.4 | M | 35 | ZeroCERT |
| 45833 | 2024-07-06 18:27 | setup.exe | 6b189fc6ddde33cba5c63e1dfec82b2a | Malicious Library PE File PE32 VirusTotal Malware Checks debugger WMI Creates executable files RWX flags setting unpack itself Checks Bios anti-virtualization ComputerName DNS | | 1 | | | 5.2 | M | 37 | ZeroCERT |
| 45834 | 2024-07-06 18:29 | newbuild.exe | 9ab4de8b2f2b99f009d32aa790cd091b | RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | | 1: 185.215.113.67 - mailcious | 6: ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | | 6.2 | M | 63 | ZeroCERT |
| 45835 | 2024-07-06 18:30 | stealc_zov.exe | 253ccac8a47b80287f651987c0c779ea | Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin | 8: http://40.86.87.10/b13597c85f807692/mozglue.dll; http://40.86.87.10/b13597c85f807692/msvcp140.dll; http://40.86.87.10/b13597c85f807692/sqlite3.dll; http://40.86.87.10/b13597c85f807692/softokn3.dll; http://40.86.87.10/b13597c85f807692/vcruntime140.dll; http://40.86.87.10/b13597c85f807692/nss3.dll; http://40.86.87.10/b13597c85f807692/freebl3.dll; http://40.86.87.10/108e010e8f91c38c.php | 1 | 16: ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET MALWARE Win32/Stealc Submitting Screenshot to C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 | | 8.4 | M | 65 | ZeroCERT |
| 45836 | 2024-07-06 18:31 | RedLineStealer.exe | a957dc16d684fbd7e12fc87e8ee12fea | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed | | | | | 2.4 | M | 62 | ZeroCERT |
| 45837 | 2024-07-06 18:33 | CoronaVirus.exe | 055d1462f66a350d9886542d4d79bc2b | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself suspicious process sandbox evasion shadowcopy delete installed browsers check Ransomware Windows Browser ComputerName Remote Code Execution | | | | | 9.6 | M | 63 | ZeroCERT |
| 45838 | 2024-07-06 18:35 | build.exe | 2dece3353cda5321fff7c92a697c37ee | Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 3: https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948; https://steamcommunity.com/profiles/76561199730044335; https://t.me/bu77un | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(23.59.200.146) - mailcious; 104.87.193.17; 149.154.167.99 - mailcious; 95.217.241.48 - mailcious | 3: ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 1: https://steamcommunity.com/profiles/76561199730044335 | 11.0 | M | 60 | ZeroCERT |
| 45839 | 2024-07-07 18:48 | asdfg.exe | a2a9c309c5300a53d2c2fc41b71b174b | Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName | | | | | 2.6 | M | 55 | ZeroCERT |
| 45840 | 2024-07-07 18:48 | PO%2012.04%20pdf.exe | d90a72256615ac3ba74c924012fea42c | Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed | | | | | 6.0 | | 53 | ZeroCERT |