| 46891 |
2024-08-10 12:50
|
 sahost.exe 9cef532829a4ca2cf13279ac134873d8
NSIS Generic Malware Malicious Library UPX Antivirus PE File PE32 DLL PE64 PNG Format VirusTotal Malware powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
6.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46892 |
2024-08-10 12:50
|
 file.exe e530d19a769bcd90ec3e92ebf08d68e9
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
6.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46893 |
2024-08-10 12:52
|
 Alg.exe 12418163d74668e2670547aa5e56e2eb
Generic Malware Malicious Library ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Downloader |
1
http://147.45.44.131/files/cc.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.0 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46894 |
2024-08-10 12:53
|
 VLC3.exe a7f1b43bb75327181bf5535f6eab329d
Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS Cryptographic key |
2
https://yip.su/RNWPd.exe - rule_id: 37623
https://pastebin.com/raw/V6VJsrV3 - rule_id: 37255
|
4
pastebin.com(104.20.4.235) - mailcious
yip.su(104.21.79.77) - mailcious
104.21.79.77 - phishing
104.20.3.235 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
|
2
https://yip.su/RNWPd.exe
https://pastebin.com/raw/V6VJsrV3
|
14.4 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46895 |
2024-08-10 12:54
|
 reverse_shell.exe b880278dc937d923300f7223aeb1a5b8
Malicious Packer UPX PE File PE32 VirusTotal Malware unpack itself DNS |
|
1
217.160.192.139 - malware
|
|
|
4.0 |
M |
67 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46896 |
2024-08-10 12:55
|
 66b5ace3a06b0_dozkey.exe 1971d66193a4acc5be2af2c1d34c2d4d
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879
https://t.me/pech0nk
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
104.76.78.101 - mailcious
78.46.239.218
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199751190313
|
15.6 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46897 |
2024-08-10 12:56
|
 random.exe a386741a24f6dd80f0a87a8af51c37c7
Malicious Library PE File PE32 VirusTotal Malware Check memory Checks debugger crashed |
|
|
|
|
2.4 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46898 |
2024-08-10 12:57
|
 555.exe ce4a4ba3f2215f59248f59cdc2240960
UPX PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46899 |
2024-08-10 12:58
|
 tools.exe f2bb9263e5a42975fcaab9b11293d7b2
Malicious Library PE File PE32 Malware download Cobalt Strike Cobalt VirusTotal Malware RWX flags setting unpack itself ComputerName DNS |
1
http://106.15.184.255:8001/ga.js
|
1
|
1
ET MALWARE Cobalt Strike Beacon Observed
|
|
3.2 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46900 |
2024-08-10 12:59
|
 66b623c3b1dcb_Mowdiewart.exe b8d875d94fbd7df91b1dbbbc308a057f
RedLine stealer RedLine Stealer Malicious Library .NET framework(MSIL) ScreenShot PWS SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
3
104.21.79.77 - phishing
104.20.3.235 - malware
45.9.91.71
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
9.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46901 |
2024-08-10 13:01
|
 P.exe fa9bdae586c029c45206012d681207ad
Generic Malware Malicious Library ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Trojan DNS |
1
http://147.45.44.131/files/L.exe
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
9.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46902 |
2024-08-10 13:02
|
 armadegon.exe f5b93d3369d1ae23d6e150e75d2b6a80
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself VMware Windows Cryptographic key |
|
|
|
|
9.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46903 |
2024-08-10 13:03
|
 CC.exe 0af6a0ec998bcaa184dd6829bf2690ba
Generic Malware Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS |
1
http://147.45.44.131/files/555.exe
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.2 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46904 |
2024-08-10 13:04
|
 ReadilyAccompanied.exe 9c557c498c29e5d37016400cf0899ac6
Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows ComputerName |
|
|
|
|
6.4 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46905 |
2024-08-10 13:08
|
 nino.exe 54a4376350631493186f19dfd5120d7b
Amadey Client SW User Data Stealer ftp Client info stealer Http API PWS Code injection AntiDebug AntiVM PE File PE32 Browser Info Stealer Malware download Amadey Vidar VirusTotal Malware c&c AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Ransomware Stealc Stealer Windows Exploit Browser ComputerName DNS crashed plugin |
13
http://185.215.113.19/Vi9leo/index.php - rule_id: 41489
http://185.215.113.100/0d60be0de163924d/nss3.dll
http://185.215.113.100/0d60be0de163924d/freebl3.dll
http://185.215.113.16/num/random.exe - rule_id: 41818
http://185.215.113.100/e2b1563c6670f193.php
http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
http://185.215.113.16/well/random.exe - rule_id: 41492
http://185.215.113.100/0d60be0de163924d/sqlite3.dll
http://185.215.113.100/
http://185.215.113.100/0d60be0de163924d/mozglue.dll
http://185.215.113.100/0d60be0de163924d/softokn3.dll
http://185.215.113.16/steam/random.exe - rule_id: 41792
http://185.215.113.100/0d60be0de163924d/msvcp140.dll
|
3
185.215.113.19 - malware
185.215.113.100 - mailcious
185.215.113.16 - mailcious
|
20
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
4
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.16/num/random.exe
http://185.215.113.16/well/random.exe
http://185.215.113.16/steam/random.exe
|
20.0 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|