46891 | 2024-08-10 12:50 | sahost.exe 9cef532829a4ca2cf13279ac134873d8 NSIS Generic Malware Malicious Library UPX Antivirus PE File PE32 DLL PE64 PNG Format VirusTotal Malware powershell suspicious privilege Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key | | | | | 6.4 | M | 20 | ZeroCERT
46892 | 2024-08-10 12:50 | file.exe e530d19a769bcd90ec3e92ebf08d68e9 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName | | | | | 6.0 | M | 44 | ZeroCERT
46893 | 2024-08-10 12:52 | Alg.exe 12418163d74668e2670547aa5e56e2eb Generic Malware Malicious Library ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Downloader | 1 http://147.45.44.131/files/cc.exe | 1 | 6 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 11.0 | M | 20 | ZeroCERT
46894 | 2024-08-10 12:53 | VLC3.exe a7f1b43bb75327181bf5535f6eab329d Malicious Library AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces malicious URLs Tofsee Windows DNS Cryptographic key | 2 https://yip.su/RNWPd.exe - rule_id: 37623 https://pastebin.com/raw/V6VJsrV3 - rule_id: 37255 | 4 pastebin.com(104.20.4.235) - mailcious yip.su(104.21.79.77) - mailcious 104.21.79.77 - phishing 104.20.3.235 - malware | 2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query for .su TLD (Soviet Union) Often Malware Related | 2 https://yip.su/RNWPd.exe https://pastebin.com/raw/V6VJsrV3 | 14.4 | M | 32 | ZeroCERT
46895 | 2024-08-10 12:54 | reverse_shell.exe b880278dc937d923300f7223aeb1a5b8 Malicious Packer UPX PE File PE32 VirusTotal Malware unpack itself DNS | | 1 217.160.192.139 - malware | | | 4.0 | M | 67 | ZeroCERT
46896 | 2024-08-10 12:55 | 66b5ace3a06b0_dozkey.exe 1971d66193a4acc5be2af2c1d34c2d4d Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 2 https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879 https://t.me/pech0nk | 5 t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.78.101) - mailcious 149.154.167.99 - mailcious 104.76.78.101 - mailcious 78.46.239.218 | 3 ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure | 1 https://steamcommunity.com/profiles/76561199751190313 | 15.6 | M | 23 | ZeroCERT
46897 | 2024-08-10 12:56 | random.exe a386741a24f6dd80f0a87a8af51c37c7 Malicious Library PE File PE32 VirusTotal Malware Check memory Checks debugger crashed | | | | | 2.4 | M | 50 | ZeroCERT
46898 | 2024-08-10 12:57 | 555.exe ce4a4ba3f2215f59248f59cdc2240960 UPX PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself | | | | | 1.8 | M | 34 | ZeroCERT
46899 | 2024-08-10 12:58 | tools.exe f2bb9263e5a42975fcaab9b11293d7b2 Malicious Library PE File PE32 Malware download Cobalt Strike Cobalt VirusTotal Malware RWX flags setting unpack itself ComputerName DNS | 1 http://106.15.184.255:8001/ga.js | 1 | 1 ET MALWARE Cobalt Strike Beacon Observed | | 3.2 | M | 62 | ZeroCERT
46900 | 2024-08-10 12:59 | 66b623c3b1dcb_Mowdiewart.exe b8d875d94fbd7df91b1dbbbc308a057f RedLine stealer RedLine Stealer Malicious Library .NET framework(MSIL) ScreenShot PWS SMTP AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed | | 3 104.21.79.77 - phishing 104.20.3.235 - malware 45.9.91.71 | 5 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | | 9.6 | M | 39 | ZeroCERT
46901 | 2024-08-10 13:01 | P.exe fa9bdae586c029c45206012d681207ad Generic Malware Malicious Library ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Trojan DNS | 1 http://147.45.44.131/files/L.exe | 1 | 6 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 9.8 | M | 31 | ZeroCERT
46902 | 2024-08-10 13:02 | armadegon.exe f5b93d3369d1ae23d6e150e75d2b6a80 Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself VMware Windows Cryptographic key | | | | | 9.0 | M | 30 | ZeroCERT
46903 | 2024-08-10 13:03 | CC.exe 0af6a0ec998bcaa184dd6829bf2690ba Generic Malware Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS | 1 http://147.45.44.131/files/555.exe | 1 | 5 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | | 6.2 | M | 37 | ZeroCERT
46904 | 2024-08-10 13:04 | ReadilyAccompanied.exe 9c557c498c29e5d37016400cf0899ac6 Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Windows ComputerName | | | | | 6.4 | M | 5 | ZeroCERT
46905 | 2024-08-10 13:08 | nino.exe 54a4376350631493186f19dfd5120d7b Amadey Client SW User Data Stealer ftp Client info stealer Http API PWS Code injection AntiDebug AntiVM PE File PE32 Browser Info Stealer Malware download Amadey Vidar VirusTotal Malware c&c AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Ransomware Stealc Stealer Windows Exploit Browser ComputerName DNS crashed plugin | 13 http://185.215.113.19/Vi9leo/index.php - rule_id: 41489 http://185.215.113.100/0d60be0de163924d/nss3.dll http://185.215.113.100/0d60be0de163924d/freebl3.dll http://185.215.113.16/num/random.exe - rule_id: 41818 http://185.215.113.100/e2b1563c6670f193.php http://185.215.113.100/0d60be0de163924d/vcruntime140.dll http://185.215.113.16/well/random.exe - rule_id: 41492 http://185.215.113.100/0d60be0de163924d/sqlite3.dll http://185.215.113.100/ http://185.215.113.100/0d60be0de163924d/mozglue.dll http://185.215.113.100/0d60be0de163924d/softokn3.dll http://185.215.113.16/steam/random.exe - rule_id: 41792 http://185.215.113.100/0d60be0de163924d/msvcp140.dll | 3 185.215.113.19 - malware 185.215.113.100 - mailcious 185.215.113.16 - mailcious | 20 ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity | 4 http://185.215.113.19/Vi9leo/index.php http://185.215.113.16/num/random.exe http://185.215.113.16/well/random.exe http://185.215.113.16/steam/random.exe | 20.0 | M | 40 | ZeroCERT