46831 | 2024-08-09 07:53 | buildz.exe | b7cb7f2b5cd9bd047710650295dc88f7
Tags: Suspicious_Script_Bin Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Malware Microsoft AutoRuns Code Injection malicious URLs Tofsee Windows ComputerName DNS
URLs (2): http://cajgtus.com/lancer/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true - rule_id: 41241; https://api.2ip.ua/geo.json
Hosts (4): cajgtus.com(200.63.106.141) - malware; api.2ip.ua(104.21.65.24); 104.21.65.24; 2.185.214.11 - mailcious
Alerts (6): ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer); ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key; ET MALWARE Win32/Filecoder.STOP Variant Public Key Download; ET POLICY External IP Address Lookup DNS Query (2ip .ua)
Rule-matched URLs (1): http://cajgtus.com/lancer/get.php
Score: 4.8 | M | ZeroCERT

46832 | 2024-08-09 07:54 | DivxBra.exe | 4ee6fb632595268ef97aacf18a0bffb8
Tags: Suspicious_Script_Bin Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P An suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Ransomware Windows ComputerName
Score: 7.0 | M | ZeroCERT

46833 | 2024-08-09 07:56 | bsso_launcher_v1.exe | 6a60f6fbd451bfb11d0c943706ceda0a
Tags: Malicious Library UPX PE File PE64 ftp OS Processor Check Check memory Checks debugger Creates executable files RWX flags setting unpack itself Check virtual network interfaces Tor DNS crashed
Hosts (5): 84.240.60.234; 199.195.253.180; 178.33.36.64; 137.226.34.45; 145.239.136.129
Alerts (6): ET TOR Known Tor Exit Node Traffic group 70; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 788; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170
Score: 5.2 | M | ZeroCERT

46834 | 2024-08-09 07:56 | stealc_default.exe | e78239a5b0223499bed12a752b893cad
Tags: Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (9): http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll - rule_id: 275; http://185.215.113.17/2fb6c2cc8dce150a.php - rule_id: 275; http://185.215.113.17/f1ddeb6592c03206/mozglue.dll - rule_id: 275; http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll - rule_id: 275; http://185.215.113.17/f1ddeb6592c03206/softokn3.dll - rule_id: 275; http://185.215.113.17/ - rule_id: 275; http://185.215.113.17/f1ddeb6592c03206/nss3.dll - rule_id: 275; http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll - rule_id: 275; http://185.215.113.17/f1ddeb6592c03206/freebl3.dll - rule_id: 275
Hosts (1):
Alerts (16): ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (9): http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/; http://185.215.113.17/
Score: 7.2 | M | ZeroCERT

46835 | 2024-08-09 07:57 | GOLD.exe | e71c0c5d72455dde6510ba23552d7d2f
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PDB unpack itself crashed
Score: 1.2 | M | ZeroCERT

46836 | 2024-08-09 09:25 | file3333.exe | 978623ad6b4d9385c047d9315423c754
Tags: PE File PE64 VirusTotal Malware PDB Check memory Checks debugger unpack itself
Score: 2.2 | M | VT: 46 | ZeroCERT

46837 | 2024-08-09 09:27 | S%D0%B5tup1.exe | ea4d0c345eec97f8ec7174b210798a56
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself
Score: 2.6 | M | VT: 37 | ZeroCERT

46838 | 2024-08-09 09:27 | file234.exe | def6f274c14351d9cf0f49798b5a833d
Tags: Malicious Library Malicious Packer Antivirus UPX AntiDebug AntiVM PE File PE64 OS Processor Check PE32 VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows Discord Remote Code Execution DNS
URLs (6): http://194.58.114.223/d/385121; https://pastebin.com/raw/xYhKBupz - rule_id: 36780; https://yip.su/RNWPd.exe - rule_id: 37623; https://iplogger.com/1uNwK4; https://cdn.discordapp.com/attachments/1271038807315185718/1271141520195715093/setup.exe?ex=66b6424b&is=66b4f0cb&hm=de560db8ff6dd3fa9ac31172f1bd3d348b35190c8d570ea98c882ca3b5c00fdd&; https://github.com/evan9908/Setup/raw/main/Filemy.exe
Hosts (15): yip.su(104.21.79.77) - mailcious; github.com(20.200.245.247) - mailcious; pastebin.com(172.67.19.24) - mailcious; iplogger.com(172.67.188.178) - mailcious; cdn.discordapp.com(162.159.135.233) - malware; raw.githubusercontent.com(185.199.110.133) - malware; ironmanrecycling.com(147.45.60.44) - malware; 104.20.3.235 - malware; 147.45.60.44 - malware; 162.159.133.233 - malware; 185.199.111.133 - mailcious; 104.21.76.57; 104.21.79.77 - phishing; 194.58.114.223 - mailcious; 20.200.245.247 - malware
Alerts (10): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); ET DNS Query for .su TLD (Soviet Union) Often Malware Related; ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO External IP Lookup Domain (iplogger .com in TLS SNI); ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO External IP Lookup Domain (iplogger .com in DNS lookup); ET HUNTING Redirect to Discord Attachment Download
Rule-matched URLs (2): https://pastebin.com/raw/xYhKBupz; https://yip.su/RNWPd.exe
Score: 12.0 | M | VT: 49 | ZeroCERT

46839 | 2024-08-09 09:30 | file200h.exe | 5325fec9552fa277891e782b77a475ee
Tags: Malicious Library Malicious Packer Antivirus UPX AntiDebug AntiVM PE File PE64 OS Processor Check PE32 VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs Tofsee Windows Discord Remote Code Execution DNS
URLs (6): http://cacerts.digicert.com/DigiCertGlobalRootG2.crt; http://194.58.114.223/d/385104; https://pastebin.com/raw/E0rY26ni - rule_id: 37702; https://yip.su/RNWPd.exe - rule_id: 37623; https://github.com/evan9908/Setup/raw/main/Umar.exe; https://cdn.discordapp.com/attachments/1271038807315185718/1271141416722235504/setup.exe?ex=66b64232&is=66b4f0b2&hm=54ce8f39d23ca603ff6f30c94a6a47d0c4b423d21c32cc49cdd2dfd3da22283e&
Hosts (15): raw.githubusercontent.com(185.199.108.133) - malware; github.com(20.200.245.247) - mailcious; pastebin.com(104.20.4.235) - mailcious; yip.su(172.67.169.89) - mailcious; cdn.discordapp.com(162.159.130.233) - malware; cacerts.digicert.com(152.195.38.76); ironmanrecycling.com(147.45.60.44) - malware; 104.20.3.235 - malware; 185.199.111.133 - mailcious; 147.45.60.44 - malware; 152.195.38.76; 162.159.135.233 - malware; 194.58.114.223 - mailcious; 172.67.169.89; 20.200.245.247 - malware
Alerts (8): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Observed Discord Domain (discordapp .com in TLS SNI); ET HUNTING Redirect to Discord Attachment Download; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs (2): https://pastebin.com/raw/E0rY26ni; https://yip.su/RNWPd.exe
Score: 12.0 | M | VT: 55 | ZeroCERT

46840 | 2024-08-09 09:32 | setup2.exe | 098621a8fa13fdfd4ce2d9c3dc010092
Tags: Malicious Library Malicious Packer Antivirus UPX AntiDebug AntiVM PE File PE64 OS Processor Check PE32 VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces malicious URLs Tofsee Windows Discord Remote Code Execution DNS
URLs (7): http://cacerts.digicert.com/DigiCertGlobalRootG2.crt; http://194.58.114.223/d/385104; https://pastebin.com/raw/E0rY26ni - rule_id: 37702; https://yip.su/RNWPd.exe - rule_id: 37623; https://github.com/evan9908/Setup/raw/main/Umar.exe; https://cdn.discordapp.com/attachments/1271038807315185718/1271141416722235504/setup.exe?ex=66b64232&is=66b4f0b2&hm=54ce8f39d23ca603ff6f30c94a6a47d0c4b423d21c32cc49cdd2dfd3da22283e&; https://iplogger.com/1lyxz
Hosts (17): cacerts.digicert.com(152.195.38.76); iplogger.com(104.21.76.57) - mailcious; github.com(20.200.245.247) - mailcious; pastebin.com(172.67.19.24) - mailcious; yip.su(104.21.79.77) - mailcious; cdn.discordapp.com(162.159.129.233) - malware; raw.githubusercontent.com(185.199.111.133) - malware; ironmanrecycling.com(147.45.60.44) - malware; 104.20.3.235 - malware; 162.159.134.233 - malware; 147.45.60.44 - malware; 152.195.38.76; 172.67.188.178 - mailcious; 185.199.110.133 - malware; 194.58.114.223 - mailcious; 172.67.169.89; 20.200.245.247 - malware
Alerts (10): ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING Redirect to Discord Attachment Download; ET INFO Observed Discord Domain in DNS Lookup (discordapp .com); ET INFO Packed Executable Download; ET INFO External IP Lookup Domain (iplogger .com in DNS lookup); ET INFO External IP Lookup Domain (iplogger .com in TLS SNI); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Rule-matched URLs (2): https://pastebin.com/raw/E0rY26ni; https://yip.su/RNWPd.exe
Score: 12.2 | M | VT: 54 | ZeroCERT

46841 | 2024-08-09 10:06 | file3333.exe | 978623ad6b4d9385c047d9315423c754
Tags: Vidar PE File PE64 VirusTotal Malware PDB MachineGuid Check memory Checks debugger unpack itself
Score: 2.4 | M | VT: 46 | r0d

46842 | 2024-08-09 10:47 | 89.hta | f904e8a5141b08f3f8e2121459f539fe
Tags: Generic Malware Downloader Antivirus AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
URLs (1): http://192.3.243.147/89/sahost.exe
Hosts (1):
Alerts (3): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 11.4 | M | VT: 18 | ZeroCERT

46843 | 2024-08-09 10:48 | envifa.vbs | 23cef0c9c3e02cc2bdc8516b889d1191
Tags: Generic Malware Antivirus Hide_URL PowerShell Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1): https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe
Hosts (2): firebasestorage.googleapis.com(172.217.161.202) - phishing; 142.250.196.234
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.0 | ZeroCERT

46844 | 2024-08-09 10:48 | sostener.vbs | 23cef0c9c3e02cc2bdc8516b889d1191
Tags: Generic Malware Antivirus Hide_URL PowerShell Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1): https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe
Hosts (2): firebasestorage.googleapis.com(172.217.25.170) - phishing; 142.250.76.234
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.0 | ZeroCERT

46845 | 2024-08-09 10:49 | Run112.exe | 85a9287c26148788deff9c77bab244b3
Tags: Emotet Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows
Hosts (2): i.ibb.co(172.96.161.6) - mailcious; 104.194.8.120
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.6 | M | VT: 41 | ZeroCERT