| 47536 |
2024-08-25 19:05
|
 66ca202b71c36_HP.exe 867a688580e309ccdbada474210871f1
Stealc Generic Malware Malicious Packer UPX Malicious Library Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check BMP Format MSOffice File JPEG Format FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Software crashed |
1
https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(184.85.112.102) - mailcious
149.154.167.99 - mailcious
116.203.10.69 - mailcious
184.87.103.42 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199761128941
|
13.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47537 |
2024-08-25 19:06
|
 help.exe d0ad1150a2e7c9699e00e265bf46d236
Malicious Library PE File PE64 VirusTotal Malware RWX flags setting DNS crashed |
|
1
|
|
|
4.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47538 |
2024-08-25 19:06
|
 ExplorerPatcher_22621.exe c1c57d67409c8908179fddfff38feed4
Gen1 Generic Malware Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware |
|
|
|
|
1.2 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47539 |
2024-08-25 19:08
|
 66ca5602e5106_vqow.exe#space 13facf5abdf5f741c24b640b0e60347a
Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName |
|
|
|
|
2.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47540 |
2024-08-25 19:08
|
 e.hta a7ad83b26f4ec2b3f42dd4db7d979a87
Generic Malware Antivirus PowerShell Malware download Cobalt Strike Cobalt VirusTotal Malware c&c powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Tofsee Blister Windows ComputerName Cryptographic key |
2
http://ntkdnj.oy4wvawf.pro/functionalStatus/SpSsrJtSGP21e9h7YTLyk9p87TIXIrl61FmTJ5a?_=djogfhnifolakdhbjgbhhheoclgdmoephnjglhaldeneabbijkmhkfenfplmppfpnjpennondkodkdnnoabplpgcipeodddkoobnfbjogchbjjghoddipfkpblhhhfedcgblickapnmjocdpmgnhgninheklamgjghmbpeajdhbomgbcpgdflfenfppgfnfacelengmmibiblohpjffoppcpbngmajllfladhackegiobkbcodcajkbghibmpidd
https://woybuk.oy4wvawf.pro/Meeting/CtDyrHCBqrnO7O/
|
4
ntkdnj.oy4wvawf.pro(172.67.147.213)
woybuk.oy4wvawf.pro(172.67.147.213)
104.21.79.203
172.67.147.213
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Blister Loader Cobalt Strike C2 Profile M20
|
|
6.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47541 |
2024-08-25 19:10
|
 66c9ca1a3ee7f_d2d2.exe 8d562b82bdf622983ca9b689e9455a62
Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee |
|
2
i.ibb.co(104.194.8.120) - mailcious
172.96.160.210
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47542 |
2024-08-25 19:13
|
 66c9d3bd31e56_otraba.exe#kisot... 89f3026dea32a83cc17b59f7590d9467
Stealc Client SW User Data Stealer North Korea ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Malware download VirusTotal Malware c&c PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Stealc ComputerName DNS |
2
http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
http://193.176.190.41/ - rule_id: 42195
|
1
193.176.190.41 - mailcious
|
1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
|
2
http://193.176.190.41/2fa883eebd632382.php
http://193.176.190.41/
|
11.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47543 |
2024-08-25 19:47
|
 66c9d2d689463_Chrome.exe#d2 a9fe6ad4be60831ae6d7bcf8fbab71cd
Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Check memory IP Check Tofsee Ransomware Browser Email ComputerName DNS |
|
3
api.ipify.org(104.26.13.205)
78.153.131.36
172.67.74.152
|
5
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
|
|
7.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47544 |
2024-08-26 01:16
|
https://download.apkcombo.com/... 8c58c680c95bc15657f9af69acb1ebf9
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM ZIP Format ftp MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
https://cdn.apkflash.net/com.shenyaocn.android.usbcamera/USB%20Camera_10.9.3_apkcombo.com.apk?ecp=Y29tLnNoZW55YW9jbi5hbmRyb2lkLnVzYmNhbWVyYS8xMC45LjMvNDg0LjljOWI3MTM4ZGNhOWU2Y2RhMmRkMDkyZmU3ZmE4M2RjM2FlNDRhOWMuYXBr&iat=1724602206&sig=9d074fe1f3b43296c3a72a7fd68eb56e&size=39226835&from=cf&version=old&lang=fr&fp=ff14b33da8308127abe0b024a20143c5&ip=197.15.6.209
https://download.apkcombo.com/com.shenyaocn.android.usbcamera/USB%20Camera_10.9.3_apkcombo.com.apk?ecp=Y29tLnNoZW55YW9jbi5hbmRyb2lkLnVzYmNhbWVyYS8xMC45LjMvNDg0LjljOWI3MTM4ZGNhOWU2Y2RhMmRkMDkyZmU3ZmE4M2RjM2FlNDRhOWMuYXBr&iat=1724602206&sig=aa93a3b41264866b7124111c04f825ff&size=39226835&from=cf&version=old&lang=fr&fp=ff14b33da8308127abe0b024a20143c5&ip=197.15.6.209
|
4
cdn.apkflash.net(104.18.18.207)
download.apkcombo.com(104.18.12.249)
104.18.19.207
104.18.13.249
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47545 |
2024-08-26 09:16
|
 66cb2df8bd684_lawrng.exe e868144771e7cb04f68c6fe63a46d8c8
Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
6.8 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47546 |
2024-08-26 09:16
|
 66cb3326d0f78_crypted.exe#1 0f9a7390c4a71cae8b2e709695fdd05b
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
12.8 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47547 |
2024-08-26 09:18
|
 66cb2ed66675d_cryppted.exe 7541f9ac48cc092641060d1924ab30fc
Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName |
|
|
|
|
2.6 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47548 |
2024-08-26 09:18
|
 900.exe afa78c01048274af803a0115dcc26757
Generic Malware ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS |
1
http://147.45.44.131/files/WWW.exe
|
1
|
5
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
9.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47549 |
2024-08-26 09:20
|
 WWW.exe c6eb9a4057ddf5e758ce3c4a1bdb9637
UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47550 |
2024-08-26 09:20
|
 66cb89fccdd00_crypted.exe#1 92605ba136b126db1d3734ffab2f1700
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
12.8 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|