46966 | 2024-08-11 15:06
Sample: 66b7d3a2e7a4d_deepweb.exe#5k
MD5: 4f1b08b2de97134ea899bede6f28098e
Tags: RedLine stealer PWS AntiDebug AntiVM BitCoin PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://45.66.231.184:1334/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.13.31); 172.67.75.172 - mailcious; 45.66.231.184
Suricata alerts (5): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE RedLine Stealer - CheckConnect Response; ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound; ET MALWARE Redline Stealer/MetaStealer Family Activity (Response); SURICATA HTTP unable to match response to request
14.6 | M | 21 | ZeroCERT

46967 | 2024-08-11 15:07
Sample: tt111.exe
MD5: 6f09bbce72130d28fbb011ef4dc89668
Tags: Malicious Library Antivirus UPX PE File PE64 OS Processor Check VirusTotal Malware PDB
1.0 | M | 27 | ZeroCERT

46968 | 2024-08-11 15:08
Sample: request.exe
MD5: ef8320eace6f753231666c61104bdd49
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Email Client Info Stealer Malware AutoRuns Checks debugger WMI Windows utilities suspicious process WriteConsoleW Tofsee Windows Email ComputerName DNS
Hosts (2): ip-api.io(212.132.117.42); 212.132.117.42
Suricata alerts (3): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Lookup Domain (ip-api .io) in DNS Lookup
5.2 | M | 31 | ZeroCERT

46969 | 2024-08-11 15:09
Sample: pink.exe
MD5: 4e0a6df4069761feb9f073276d52847c
Tags: Antivirus UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware
1.0 | M | 36 | ZeroCERT

46970 | 2024-08-11 15:10
Sample: svch0st.exe
MD5: 5575d0030528b163ac14ebe51ebd7da9
Tags: Malicious Library PE File PE32 Malware download Cobalt Strike Cobalt VirusTotal Malware Malicious Traffic RWX flags setting unpack itself ComputerName DNS
URLs (1): http://103.143.248.179/push
Hosts (1): 103.143.248.179 - malware
Suricata alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 17; ET MALWARE Cobalt Strike Beacon Observed
4.0 | M | 59 | ZeroCERT

46971 | 2024-08-11 15:12
Sample: 66b7a2aef1283_doz.exe#mene
MD5: eb47857a107cd0ebf986c08be274bd2e
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (2): https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879; https://t.me/pech0nk
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(173.222.146.99) - mailcious; 149.154.167.99 - mailcious; 78.46.239.218; 184.85.112.102
Suricata alerts (3): ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Rule-matched URLs (1): https://steamcommunity.com/profiles/76561199751190313
16.0 | M | 11 | ZeroCERT

46972 | 2024-08-11 15:13
Sample: 66b5ac1092454_otraba.exe
MD5: f46974f39aebf4f4d039600f3881d6b6
Tags: Generic Malware Malicious Library .NET framework(MSIL) UPX ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself
7.8 | M | 33 | ZeroCERT

46973 | 2024-08-11 15:14
Sample: file.exe
MD5: 0a0441240363fcbfdd3ee5b1f5617f6b
Tags: AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS
Hosts (1):
Suricata alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 23
8.2 | M | 21 | ZeroCERT

46974 | 2024-08-11 15:16
Sample: random.exe
MD5: 278ee1426274818874556aa18fd02e3a
Tags: Stealc Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX PE File PE32 Malware download VirusTotal Malware c&c Malicious Traffic Check memory unpack itself Stealc ComputerName DNS
URLs (2): http://185.215.113.100/ - rule_id: 41969; http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
Hosts (1): 185.215.113.100 - mailcious
Suricata alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
Rule-matched URLs (2): http://185.215.113.100/; http://185.215.113.100/e2b1563c6670f193.php
3.8 | M | 59 | ZeroCERT

46975 | 2024-08-11 15:17
Sample: beacon.ps1
MD5: c58277271a558ebafd06da61dc074bf4
Tags: Generic Malware Antivirus VirusTotal Malware Check memory unpack itself
1.6 | M | 38 | ZeroCERT

46976 | 2024-08-11 15:18
Sample: ramos.exe
MD5: d6612f5d347fb3a1e9b74b324271a5d3
Tags: Stealc Amadey Client SW User Data Stealer RedLine stealer Gen1 ftp Client info stealer Generic Malware EnigmaProtector Malicious Library UPX Admin Tool (Sysinternals etc ...) Antivirus Malicious Packer Code injection Http API PWS Anti_VM AntiDeb Browser Info Stealer Malware download Amadey FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Tofsee Ransomware Stealc Stealer Windows Exploit Browser Email ComputerName DNS Software crashed plugin
URLs (13): http://185.215.113.16/num/random.exe - rule_id: 41818; http://185.215.113.100/0d60be0de163924d/nss3.dll; http://185.215.113.100/0d60be0de163924d/freebl3.dll; http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968; http://185.215.113.16/well/random.exe - rule_id: 41492; http://185.215.113.19/Vi9leo/index.php - rule_id: 41489; http://185.215.113.100/0d60be0de163924d/sqlite3.dll; http://185.215.113.100/0d60be0de163924d/vcruntime140.dll; http://185.215.113.100/ - rule_id: 41969; http://185.215.113.100/0d60be0de163924d/mozglue.dll; http://185.215.113.100/0d60be0de163924d/softokn3.dll; http://185.215.113.16/steam/random.exe - rule_id: 41792; http://185.215.113.100/0d60be0de163924d/msvcp140.dll
Hosts (5): crash-reports.mozilla.com(34.49.45.138); 34.49.45.138; 185.215.113.100 - mailcious; 185.215.113.16 - mailcious; 185.215.113.19 - malware
Suricata alerts (21): ET DROP Spamhaus DROP Listed Traffic Inbound group 33; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (6): http://185.215.113.16/num/random.exe; http://185.215.113.100/e2b1563c6670f193.php; http://185.215.113.16/well/random.exe; http://185.215.113.19/Vi9leo/index.php; http://185.215.113.100/; http://185.215.113.16/steam/random.exe
24.0 | M | 39 | ZeroCERT

46977 | 2024-08-11 15:18
Sample: eth.exe
MD5: 841e052a11d2ea9148d356ae0f9c3577
Tags: Malicious Library Antivirus UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware
1.6 | M | 42 | ZeroCERT

46978 | 2024-08-11 15:19
Sample: 66b4ed2ceb0d7_stealc.exe
MD5: c0475f36aa20f3974528fdb57d62bfef
Tags: Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS
Hosts (1):
10.2 | M | 43 | ZeroCERT

46979 | 2024-08-11 15:21
Sample: GGWS.exe
MD5: e2b0ca22d48c42d262cf6015565a106c
Tags: RedLine Infostealer UltraVNC Generic Malware Malicious Library UPX PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB suspicious privilege Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows DNS Cryptographic key crashed
URLs (2): http://47.104.173.216:8082/server.txt; http://47.104.173.216:8082/GGWSUpdate.exe
Hosts (1):
Suricata alerts (4): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7.0 | M | 42 | ZeroCERT

46980 | 2024-08-11 15:22
Sample: 66b0ba4420669_main.exe
MD5: fee265f64791e63acdcd3e04acdc93b9
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (2): https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798; https://steamcommunity.com/profiles/76561199747278259
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.74.42.104) - mailcious; 149.154.167.99 - mailcious; 188.245.87.202 - mailcious; 104.71.154.102
Suricata alerts (3): ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Rule-matched URLs (1): https://steamcommunity.com/profiles/76561199747278259
17.6 | M | 49 | ZeroCERT