| ID | Submitted | File | MD5 | Tags | URLs | Hosts | IDS alerts | Rule-matched URLs | Score | Flag | VT detections | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 46726 | 2024-08-06 10:18 | Angel.exe | 3142b24b3478b54405e7be11be6c8bbf | PE File .NET EXE PE32 Buffer PE Check memory Checks debugger buffers extracted unpack itself | | | | | 1.8 | | | ZeroCERT |
| 46727 | 2024-08-06 10:18 | Protect.exe | 8884df7aa725803e4f9ba0a99a477401 | ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key | 1: http://147.45.44.131/files/Smart.exe | 1 | 6: ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Suspicious Windows Executable WriteProcessMemory | | 10.4 | | | ZeroCERT |
| 46728 | 2024-08-06 10:20 | extrasmilesgivenbygirlflowerso... | 0c102f517024df86ddea73ad53686516 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 1: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 2: ia803104.us.archive.org(207.241.232.154) - malware; 207.241.232.154 - malware | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 7.6 | M | 3 | ZeroCERT |
| 46729 | 2024-08-06 10:20 | Setup.ps1 | 15f193ffb1e81682570af9870a7b2b6d | Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key | 1: http://147.45.44.131/files/MD5.exe | 1 | 7: ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Suspicious Windows Executable WriteProcessMemory | | 5.4 | M | | ZeroCERT |
| 46730 | 2024-08-06 10:20 | Check.exe | 6f7c0573e0d0c7a2ae1796ad61dbd02d | ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL .NET DLL Malware Buffer PE MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Windows DNS Cryptographic key | | 1 | 7: ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Suspicious Windows Executable WriteProcessMemory | | 10.4 | M | | ZeroCERT |
| 46731 | 2024-08-06 10:22 | C2.exe | 16788ca72d788dfc2df6956fff775d95 | ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself | | | | | 5.6 | M | | ZeroCERT |
| 46732 | 2024-08-06 10:26 | Update.exe | 462bafe35754bf6c0057f8e033c9950a | Gen1 Generic Malware Malicious Library ASPack UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ZIP Format VirusTotal Malware Check memory Creates executable files unpack itself crashed | | | | | 2.0 | | 7 | ZeroCERT |
| 46733 | 2024-08-06 10:59 | Setup.ps1 | 15f193ffb1e81682570af9870a7b2b6d | Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key | 1: http://147.45.44.131/files/MD5.exe | 1 | 7: ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Suspicious Windows Executable WriteProcessMemory | | 5.4 | M | | ZeroCERT |
| 46734 | 2024-08-06 11:00 | Studio.ps1 | 2fdc1e6058d9d9b1c40fc8899a98e104 | Generic Malware Antivirus Malware powershell Malicious Traffic Check memory buffers extracted unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key | 1: http://147.45.44.131/files/HxD.exe | 1 | 6: ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET HUNTING Suspicious Windows Executable WriteProcessMemory | | 5.4 | M | | ZeroCERT |
| 46735 | 2024-08-06 11:00 | sweeethoneymoongirlfriendwithm... | 43a3a025a180bb5e47d9275d88e050ab | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key | 1: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 2: ia803104.us.archive.org(207.241.232.154) - malware; 207.241.232.154 - malware | 1: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 7.6 | | 3 | ZeroCERT |
| 46736 | 2024-08-06 11:30 | random.exe | 59eefb04a8cb9a94d148464cd4324e93 | Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin | 9: http://185.215.113.24/0d60be0de163924d/vcruntime140.dll; http://185.215.113.24/0d60be0de163924d/msvcp140.dll; http://185.215.113.24/0d60be0de163924d/nss3.dll; http://185.215.113.24/ - rule_id: 41729; http://185.215.113.24/0d60be0de163924d/softokn3.dll; http://185.215.113.24/0d60be0de163924d/mozglue.dll; http://185.215.113.24/0d60be0de163924d/freebl3.dll; http://185.215.113.24/e2b1563c6670f193.php - rule_id: 41793; http://185.215.113.24/0d60be0de163924d/sqlite3.dll | 1: 185.215.113.24 - mailcious | 16: ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity | 2: http://185.215.113.24/; http://185.215.113.24/e2b1563c6670f193.php | 8.4 | M | 64 | ZeroCERT |
| 46737 | 2024-08-06 15:01 | Update.js | 866b0c5274ee3ddae55d782644816251 | Malware download Malware VBScript wscript.exe payload download Tofsee SocGholish DNS Dropper | 1: https://jbwf.donors.eucharisticjesus.net/orderReview | 2: jbwf.donors.eucharisticjesus.net(50.114.37.59); 50.114.37.59 - mailcious | 4: ET MALWARE SocGholish CnC Domain in TLS SNI (* .donors .eucharisticjesus .net); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET MALWARE SocGholish CnC Domain in DNS (* .donors .eucharisticjesus .net) | | 10.0 | | | guest |
| 46738 | 2024-08-06 15:01 | Niuztafxlya.exe | 6fc5dfa94c6baaf54e5413b643ae72e6 | Hide_EXE Malicious Library .NET framework(MSIL) DNS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Windows Cryptographic key | | 2: indialongvenomminister01connection.myddns.rocks(198.23.201.84); 198.23.201.84 | | | 14.8 | | 41 | ZeroCERT |
| 46739 | 2024-08-06 15:06 | MS_calendar.lnk | 88a0d644536b00f6d49bd9891223784c | Lnk Format GIF Format VirusTotal Malware Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS | 3: http://216.9.224.58:5555/files; http://216.9.224.58:5555/files/MS_calendar_service.exe; http://216.9.224.58:5555/ | 1 | 2: ET INFO Executable Download from dotted-quad Host; ET HUNTING WebDAV Retrieving .exe | | 2.6 | | 1 | ZeroCERT |
| 46740 | 2024-08-06 15:06 | schedule.lnk | 62d5389d43931237e9d3d1aa77c87483 | Lnk Format GIF Format VirusTotal Malware heapspray Creates shortcut Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check ComputerName DNS | 3: http://216.9.224.58:5555/files; http://216.9.224.58:5555/files/Erlianaw.exe; http://216.9.224.58:5555/ | 1 | 2: ET INFO Executable Download from dotted-quad Host; ET HUNTING WebDAV Retrieving .exe | | 3.2 | | 1 | ZeroCERT |