| 47476 |
2024-08-23 09:37
|
 66c5dccb8d59d_File.exe#xin 1c7ebcdade13eebb33b4efda3a9ee280
Emotet Malicious Library PE File .NET EXE PE32 VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself ComputerName Remote Code Execution |
|
|
|
|
4.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47477 |
2024-08-23 09:38
|
 66c7887bec1a5_selgm2.exe#space 38ae8f3ecc41bdd6a96cbae3fc05f4c0
Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer Http API PWS Create Service Socket DGA ScreenShot Escalate priviledges Steal credential Sniff Audio Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
12
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
http://147.45.44.104/prog/66c788707161f_len4n1d.exe
https://steamcommunity.com/profiles/76561199761128941
https://t.me/jamelwt
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
147.45.44.104 - malware
116.203.10.69 - mailcious
104.71.154.102
46.8.231.109 - mailcious
|
21
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET INFO TLS Handshake Failure
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
|
18.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47478 |
2024-08-23 09:38
|
zavkgy.msi cf80bbcf2312d0e38cc65b008e5bba80
MSOffice File CAB VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName crashed |
|
|
|
|
2.6 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47479 |
2024-08-23 09:40
|
 66c62b9bd2f1c_doz.exe c8d1a38262b49ff7cc32f3e784bd55bc
Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library ASPack UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199761128941
https://t.me/iyigunl
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
116.203.10.69 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
|
18.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47480 |
2024-08-23 09:43
|
 Pollos.exe 6640aedcf559295e30a2e01bdd54e488
Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key |
|
|
|
|
4.0 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47481 |
2024-08-23 09:45
|
 Client.exe 754aa1e8baa350cb36b05ddf8feb5bbe
Malicious Library Antivirus UPX PE File PE32 MZP Format OS Processor Check .NET EXE DLL JPEG Format Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
3
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
|
9
drive.usercontent.google.com(142.250.206.193) - mailcious
docs.google.com(172.217.25.174) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.80.18) - mailcious
142.250.197.78
162.125.80.18 - mailcious
172.217.31.1
69.42.215.252
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
|
|
12.8 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47482 |
2024-08-23 09:49
|
mewantyouraregetmebackwithenti... 55f8f4d3e0a9c939c28da10340f86c3d
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://198.46.174.158/xampp/mch/weneedbuttersmoothcreambunsmile.tIF
|
3
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
198.46.174.158 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47483 |
2024-08-23 09:49
|
 Updater.exe dd3aa70adbe7894d6705ddb398155628
Generic Malware Malicious Library VMProtect PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
5
xmr-eu1.nanopool.org(162.19.224.121) - mailcious
pastebin.com(104.20.4.235) - mailcious
51.15.193.130 - mailcious
104.20.4.235 - mailcious
163.172.154.142 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
|
|
2.2 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47484 |
2024-08-23 09:52
|
 Update.exe 679c3af5f25af03f0703263673e1bb15
Themida Packer Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 VirusTotal Malware AutoRuns Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities Checks Bios Detects VirtualBox Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization Windows ComputerName Remote Code Execution Firmware crashed |
|
|
|
|
11.0 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47485 |
2024-08-23 09:54
|
 launcher.jpg.exe e56934b31bd60c42cbb9b44313666c0c
Malicious Library Malicious Packer Antivirus UPX PE File PE64 DNS |
|
1
51.15.193.130 - mailcious
|
|
|
1.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47486 |
2024-08-23 09:54
|
 SequencesPassage.exe dadfa6f51c990b1b4f5520f3a8e2c824
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName |
|
|
|
|
5.4 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47487 |
2024-08-23 09:54
|
 PollosAplicaccion.bat eae7aa8feff31887941d85efc8b29cb7
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47488 |
2024-08-23 09:56
|
 Pollosappnuevo.bat 536ac91b5fe6a53fd85f5d7b609dc591
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
5.4 |
|
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47489 |
2024-08-23 09:56
|
 66c6fcb30b9dd_123p.exe 025ebe0a476fe1a27749e6da0eea724f
PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
2
pool.hashvault.pro(131.153.76.130) - mailcious
125.253.92.50 - mailcious
|
1
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
|
1.4 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47490 |
2024-08-23 09:58
|
 Vape.exe 7b60adfd3c8713955436035786b8ae2b
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware suspicious privilege Checks debugger Remote Code Execution DNS |
|
1
125.253.92.50 - mailcious
|
|
|
2.8 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|