| 45826 |
2024-07-06 12:48
|
startupppp.bat f88fe8d8b25b85e6c7f7b31f71771193
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware Windows utilities WriteConsoleW Windows |
|
|
|
|
1.4 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45827 |
2024-07-06 18:18
|
datingloverstartingAgain.vbs 66decb1e47d3173c8046c1a921244190VirusTotal Malware DNS |
1
http://91.92.254.29/Users_API/BrainiacMAX/file_s40rzeho.5f4.txt
|
1
|
|
|
2.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45828 |
2024-07-06 18:20
|
mkl.js b0d0cfe2e3d3285272c07d5c32c96e44
AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Gmail Browser Email ComputerName crashed keylogger |
|
2
smtp.gmail.com(74.125.23.108)
142.251.8.108
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45829 |
2024-07-06 18:21
|
 inte.exe 0da0d1efee859f1fe9cbd3bf5b428af6
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS |
1
http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981
|
1
185.172.128.90 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
1
http://185.172.128.90/cpa/ping.php
|
2.6 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45830 |
2024-07-06 18:22
|
 univ.exe 217b817f890ef7fc49dc9207d55d2a01
GCleaner Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic human activity check DNS |
1
http://185.172.128.90/cpa/name.php - rule_id: 39629
|
1
185.172.128.90 - mailcious
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
1
http://185.172.128.90/cpa/name.php
|
3.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45831 |
2024-07-06 18:25
|
 CryptoWall.exe 919034c8efb9678f96b47a20fa6199f2
ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted IP Check DNS |
2
http://myexternalip.com/raw
http://ip-addr.es/
|
10
myexternalip.com(34.117.118.44)
ip-addr.es(188.165.164.184)
34.117.118.44
91.121.12.127
188.165.164.184
94.247.28.26
94.247.31.19
185.172.128.90 - mailcious
209.148.85.151
94.247.28.156
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO HTTP Request for External IP Check (ip-addr .es)
ET POLICY External IP Check myexternalip.com
|
|
7.8 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45832 |
2024-07-06 18:25
|
 leva.exe de1f91ae5c55b1cbbc6d6561464d7d99
Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
8
http://85.28.47.30/69934896f997d5bb/sqlite3.dll
http://85.28.47.30/69934896f997d5bb/softokn3.dll
http://85.28.47.30/69934896f997d5bb/vcruntime140.dll
http://85.28.47.30/920475a59bac849d.php
http://85.28.47.30/69934896f997d5bb/msvcp140.dll
http://85.28.47.30/69934896f997d5bb/nss3.dll
http://85.28.47.30/69934896f997d5bb/freebl3.dll
http://85.28.47.30/69934896f997d5bb/mozglue.dll
|
3
185.172.128.90 - mailcious
77.91.77.81 - mailcious
85.28.47.30 - mailcious
|
16
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
|
12.4 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45833 |
2024-07-06 18:27
|
 setup.exe 6b189fc6ddde33cba5c63e1dfec82b2a
Malicious Library PE File PE32 VirusTotal Malware Checks debugger WMI Creates executable files RWX flags setting unpack itself Checks Bios anti-virtualization ComputerName DNS |
|
1
|
|
|
5.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45834 |
2024-07-06 18:29
|
 newbuild.exe 9ab4de8b2f2b99f009d32aa790cd091b
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
185.215.113.67 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
6.2 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45835 |
2024-07-06 18:30
|
 stealc_zov.exe 253ccac8a47b80287f651987c0c779ea
Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
8
http://40.86.87.10/b13597c85f807692/mozglue.dll
http://40.86.87.10/b13597c85f807692/msvcp140.dll
http://40.86.87.10/b13597c85f807692/sqlite3.dll
http://40.86.87.10/b13597c85f807692/softokn3.dll
http://40.86.87.10/b13597c85f807692/vcruntime140.dll
http://40.86.87.10/b13597c85f807692/nss3.dll
http://40.86.87.10/b13597c85f807692/freebl3.dll
http://40.86.87.10/108e010e8f91c38c.php
|
1
|
16
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
|
|
8.4 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45836 |
2024-07-06 18:31
|
 RedLineStealer.exe a957dc16d684fbd7e12fc87e8ee12fea
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed |
|
|
|
|
2.4 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45837 |
2024-07-06 18:33
|
 CoronaVirus.exe 055d1462f66a350d9886542d4d79bc2b
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself suspicious process sandbox evasion shadowcopy delete installed browsers check Ransomware Windows Browser ComputerName Remote Code Execution |
|
|
|
|
9.6 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45838 |
2024-07-06 18:35
|
 build.exe 2dece3353cda5321fff7c92a697c37ee
Vidar Generic Malware Malicious Library Antivirus UPX AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199730044335 - rule_id: 40948
https://steamcommunity.com/profiles/76561199730044335
https://t.me/bu77un
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
104.87.193.17
149.154.167.99 - mailcious
95.217.241.48 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199730044335
|
11.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45839 |
2024-07-07 18:48
|
 asdfg.exe a2a9c309c5300a53d2c2fc41b71b174b
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.6 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45840 |
2024-07-07 18:48
|
 PO%2012.04%20pdf.exe d90a72256615ac3ba74c924012fea42c
Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
6.0 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|