| 46726 |
2024-08-06 10:18
|
 Angel.exe 3142b24b3478b54405e7be11be6c8bbf
PE File .NET EXE PE32 Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
1.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46727 |
2024-08-06 10:18
|
 Protect.exe 8884df7aa725803e4f9ba0a99a477401
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
1
http://147.45.44.131/files/Smart.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
10.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46728 |
2024-08-06 10:20
|
extrasmilesgivenbygirlflowerso... 0c102f517024df86ddea73ad53686516
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46729 |
2024-08-06 10:20
|
 Setup.ps1 15f193ffb1e81682570af9870a7b2b6d
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/MD5.exe
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46730 |
2024-08-06 10:20
|
 Check.exe 6f7c0573e0d0c7a2ae1796ad61dbd02d
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key |
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
10.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46731 |
2024-08-06 10:22
|
 C2.exe 16788ca72d788dfc2df6956fff775d95
ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46732 |
2024-08-06 10:26
|
 Update.exe 462bafe35754bf6c0057f8e033c9950a
Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files unpack itself crashed |
|
|
|
|
2.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46733 |
2024-08-06 10:59
|
 Setup.ps1 15f193ffb1e81682570af9870a7b2b6d
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/MD5.exe
|
1
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46734 |
2024-08-06 11:00
|
 Studio.ps1 2fdc1e6058d9d9b1c40fc8899a98e104
Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://147.45.44.131/files/HxD.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Suspicious Windows Executable WriteProcessMemory
|
|
5.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46735 |
2024-08-06 11:00
|
sweeethoneymoongirlfriendwithm... 43a3a025a180bb5e47d9275d88e050ab
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46736 |
2024-08-06 11:30
|
 random.exe 59eefb04a8cb9a94d148464cd4324e93
Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
9
http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
http://185.215.113.24/0d60be0de163924d/msvcp140.dll
http://185.215.113.24/0d60be0de163924d/nss3.dll
http://185.215.113.24/ - rule_id: 41729
http://185.215.113.24/0d60be0de163924d/softokn3.dll
http://185.215.113.24/0d60be0de163924d/mozglue.dll
http://185.215.113.24/0d60be0de163924d/freebl3.dll
http://185.215.113.24/e2b1563c6670f193.php - rule_id: 41793
http://185.215.113.24/0d60be0de163924d/sqlite3.dll
|
1
185.215.113.24 - mailcious
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://185.215.113.24/
http://185.215.113.24/e2b1563c6670f193.php
|
8.4 |
M |
64 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46737 |
2024-08-06 15:01
|
 Update.js 866b0c5274ee3ddae55d782644816251Malware download Malware VBScript wscript.exe payload download Tofsee SocGholish DNS Dropper |
1
https://jbwf.donors.eucharisticjesus.net/orderReview
|
2
jbwf.donors.eucharisticjesus.net(50.114.37.59)
50.114.37.59 - mailcious
|
4
ET MALWARE SocGholish CnC Domain in TLS SNI (* .donors .eucharisticjesus .net)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET MALWARE SocGholish CnC Domain in DNS (* .donors .eucharisticjesus .net)
|
|
10.0 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46738 |
2024-08-06 15:01
|
 Niuztafxlya.exe 6fc5dfa94c6baaf54e5413b643ae72e6
Hide_EXE Malicious Library .NET framework(MSIL) DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Windows Cryptographic key |
|
2
indialongvenomminister01connection.myddns.rocks(198.23.201.84)
198.23.201.84
|
|
|
14.8 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46739 |
2024-08-06 15:06
|
MS_calendar.lnk 88a0d644536b00f6d49bd9891223784c
Lnk Format GIF Format VirusTotal Malware Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS |
3
http://216.9.224.58:5555/files
http://216.9.224.58:5555/files/MS_calendar_service.exe
http://216.9.224.58:5555/
|
1
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING WebDAV Retrieving .exe
|
|
2.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46740 |
2024-08-06 15:06
|
schedule.lnk 62d5389d43931237e9d3d1aa77c87483
Lnk Format GIF Format VirusTotal Malware heapspray Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS |
3
http://216.9.224.58:5555/files
http://216.9.224.58:5555/files/Erlianaw.exe
http://216.9.224.58:5555/
|
1
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING WebDAV Retrieving .exe
|
|
3.2 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|