| 47611 |
2024-08-27 13:48
|
 66ccd175ef453_crypted.exe#1 cd1dd0289c092923eb8985e8d86d215f
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
12.8 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47612 |
2024-08-27 13:49
|
 V1.1.exe 7b1d21282a65bac0410541f7466c7038
Generic Malware Malicious Library Downloader Malicious Packer ASPack UPX PE File PE32 OS Processor Check PNG Format MZP Format JPEG Format Malware download VirusTotal Malware AutoRuns Check memory Creates executable files ICMP traffic RWX flags setting unpack itself AppData folder suspicious TLD sandbox evasion Tofsee Interception Windows Remote Code Execution DNS crashed |
2
http://qqqmy.com/360.exe
http://www.qqqmy.com/GMBuild/bb.html
|
11
google.com(142.251.42.142)
qqqmy.com(8.217.48.27)
fget-career.com(34.253.216.9) - mailcious
aaaa.qqqmy.com(8.217.48.27)
lqwljs.cn() - mailcious
sjlwql.top()
www.qqqmy.com(8.217.48.27) - mailcious
34.253.216.9
172.217.24.238
8.217.48.27 - mailcious
1.15.110.72
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET MALWARE Win32/Ramnit Checkin
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
11.0 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47613 |
2024-08-27 13:49
|
 66cc394a4818a_vlawg.exe#space be02035f9559cf4aba601b45a1677d92
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
https://t.me/jamelwt
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
94.130.188.148
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199761128941
|
15.8 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47614 |
2024-08-27 13:50
|
 patcher.exe d2e7813509144a52aaa13043a69a47bd
Suspicious_Script_Bin Malicious Library UPX PE File PE64 VirusTotal Malware Creates executable files suspicious process DNS crashed |
1
http://144.172.71.105:1338/nova_flow/patcher.exe?hash
|
1
|
1
ET HUNTING curl User-Agent to Dotted Quad
|
|
2.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47615 |
2024-08-27 13:50
|
 66cc394d4d8b2_sekwm.exe#space d58ddba7f2d064d327f45f577f2e41ec
Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer ScreenShot Http API PWS Create Service Socket DGA Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
12
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://147.45.44.104/prog/66cd1d485d44c_lsfjf3n.exe
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://147.45.44.104/prog/66cd1d4315e2e_vokfw.exe
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(173.222.146.99) - mailcious
149.154.167.99 - mailcious
147.45.44.104 - malware
94.130.188.148
184.26.241.154 - mailcious
46.8.231.109 - mailcious
|
21
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
3
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
https://steamcommunity.com/profiles/76561199761128941
|
18.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47616 |
2024-08-27 13:50
|
 [UPG]CSS.exe 99b098b23ced1a199145fe5577c9de91
Generic Malware Themida Packer Malicious Library UPX Anti_VM PE File PE32 MZP Format JPEG Format OS Processor Check DLL Malware download VirusTotal Malware Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion Tofsee Interception Windows Update Trojan DNS keylogger |
36
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fkoreana.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/haptics.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fspanish.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fgerman.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fitalian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/vbsp.exe.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fczech.txt.lzma
http://cs.go.kg/pages/update/css/patchlist.xml
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fdutch.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/gamestate.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fkorean.txt.lzma
http://cs.go.kg/pages/update/css/self/%5BUPG%5DCSS.exe
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fthai.txt.lzma
http://adv.gamer.kg/updater2.jpg
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/hl2/resource/gameui%5Fitalian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/dmxconvert.exe.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fitalian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fswedish.txt.lzma
http://cs.go.kg/pages/update/css/options.xml
http://adv.gamer.kg/index.php
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/scenefilecache.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fturkish.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fukrainian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Ffinnish.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/cstrike%5Fczech.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fgreek.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/server%5Fukrainian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/steamclient.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fkoreana.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/vvis%5Fdll.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/hl2/hl2%5Fmisc%5F001.vpk.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fgreek.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Frussian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/captioncompiler.exe.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fhungarian.txt.lzma
https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-4743227880453771
|
6
pagead2.googlesyndication.com(172.217.161.226) - mailcious
adv.gamer.kg(176.126.167.7)
cs.go.kg(176.126.167.7) - mailcious
142.250.197.34
176.126.167.7 - mailcious
172.217.24.238
|
3
ET MALWARE Trojan Related Lame Updater User-Agent
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47617 |
2024-08-27 13:52
|
 WFPExp.exe 1c9ccfcd3e92399642fdd1a34afab2ef
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check PDB Remote Code Execution |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47618 |
2024-08-27 13:53
|
 0day.js 271dea4d0bdfa80e4ad01257508571ccVirusTotal Malware |
|
|
|
|
0.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47619 |
2024-08-27 13:54
|
 Major_0x00029EFE4AF1E366.exe fa3d03c319a7597712eeff1338dabf92
Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47620 |
2024-08-27 13:56
|
 Office2024.exe df92abd264b50c9f069246a6e65453f0
PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
6
xmr-eu1.nanopool.org(212.47.253.124) - mailcious
xmr-eu2.nanopool.org(51.195.138.197) - mailcious
pastebin.com(104.20.4.235) - mailcious
51.195.138.197
104.20.3.235 - malware
51.15.193.130 - mailcious
|
2
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
1.4 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47621 |
2024-08-27 13:59
|
 dl e21c27cc8cb10d6829b095c625b41442
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Windows DNS |
|
1
51.15.193.130 - mailcious
|
|
|
3.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47622 |
2024-08-27 14:19
|
 IEupdation.hta d8c516959ec5b1379fc9fcc30def38a1
Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
1
http://192.3.193.155/M2608T/csrss.exe
|
1
192.3.193.155 - mailcious
|
4
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious csrss.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.6 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47623 |
2024-08-27 15:10
|
 tjqdq.exe f88d5c87a0811b9b91f9c77d714fdb68
Emotet Generic Malware Malicious Library Malicious Packer ASPack UPX PE File DllRegisterServer dll PE32 OS Processor Check DLL MZP Format VirusTotal Malware Creates executable files AppData folder sandbox evasion Windows Browser Remote Code Execution DNS |
2
http://43.249.193.54:81/server.txt
http://43.249.193.54:81/ServerList111.xml
|
1
|
1
ET POLICY Unsupported/Fake Windows NT Version 5.0
|
|
6.0 |
|
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47624 |
2024-08-27 15:12
|
 fodhelper.exe fcb34a54159d0de7cb5fa2fae1c82e72
Generic Malware Suspicious_Script_Bin Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS |
16
http://www.51cc.top/7i54/?iIHB1d=SgV//QM+kZDZSmca7ISHR4U/9iG4TLn30ssUgf4MDLRPguhpDtuGIpE5eby1mFBEyx9n6ho2rfFD9SDq3nlePS+8rBqg/0cGFsBGWXu5QF07X9CUnUPZux9wfWAAZevyIeAs5Qc=&5k5T=YJUBzxsvuMqlj_oi
http://www.32wxd.top/fqtd/
http://www.zenzip.xyz/9pad/
http://www.foundation-repair.biz/5l7s/?iIHB1d=5i9IxHyDCONgw46qIHGeUvwlYzbtgN8gQUqUIjK6jcHsfbLgiJ2s3wDRXgbc+h/bICwzf3ddx8E1HmjHsyEg1i4ki39GGAPq3qClCRMeu9QIBTg/A11C17kmPPIEN81gm2sAq9Q=&5k5T=YJUBzxsvuMqlj_oi
http://www.onlytradez.club/k1y3/?iIHB1d=J7VJwuuG4HUA4bFTkbQEdxkpMEpXPBCRRs+F1x6QwwkcPlqAPKpQJUUQrtsDqb7Q+tjdIUGQwp4fGorxq2J//mB+PqSTwbyLcRM9dR0EDrcHS/LNmgUR990rINKp1m+e5VNnNrk=&5k5T=YJUBzxsvuMqlj_oi
http://www.meetfactory.biz/xoqw/?iIHB1d=IHXCkUsJunCVOO2Hwv8L1/jebUXenMysZsXgVBD8KQgj+TIAwNGDK5EWhUbKXzAU4KMQODjr0cxiOqiC8Z91HBWngaVBBi9zW0XdtSpa8XSCv8AOb3sJWenXQ9ufn4pifwUOwgs=&5k5T=YJUBzxsvuMqlj_oi
http://www.foundation-repair.biz/5l7s/
http://www.2886080.xyz/eyiz/?iIHB1d=XQ7d8vWNf2bTOhYYL6UJlqYAXy7Rg8V7tb7nan5iZXoOR23qJ7xYi6zjP0ZZPC1qNGRbW38doA+CklQhfBW16OH9GbU74opfrouVpsjlwzkQhOIIL+clvr6SJ5uB6xxabU5X5cQ=&5k5T=YJUBzxsvuMqlj_oi
http://www.d71dg.top/qbiu/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.51cc.top/7i54/
http://www.32wxd.top/fqtd/?iIHB1d=NOGaE4zNJ3vPzwJVq9flFF94in2IcnN0bsRklEYFuNltL64f812fYl1xoipxw6mqFzyE6nPBnWGndAD5Tl5FPYyUit02KiWxxW2zK2p9R7C5MnzH/2vAyX3OoZI/vgfMfT+cSXI=&5k5T=YJUBzxsvuMqlj_oi
http://www.onlytradez.club/k1y3/
http://www.meetfactory.biz/xoqw/
http://www.zenzip.xyz/9pad/?iIHB1d=1a5ATRlanZ3ATSTMsvfkUs0ciM8umoJS8y8kT4HdOCMJyW9sS8tB9dhHCXeYKtsB5QysC2Hg2jCPifAM2S09CoHR88nq9oCTqozYG6NauxPM4LjmZuBJG1m7wEgFKI64QDVX+78=&5k5T=YJUBzxsvuMqlj_oi
http://www.2886080.xyz/eyiz/
|
19
www.onlytradez.club(167.172.133.32)
www.zenzip.xyz(203.161.46.201)
www.sgcwin77rtplive.fun()
www.foundation-repair.biz(199.59.243.226)
www.2886080.xyz(103.249.106.91)
www.32wxd.top(206.119.82.116)
www.kej-sii.cloud()
www.d71dg.top(154.23.184.60)
www.meetfactory.biz(45.79.19.196)
www.51cc.top(216.83.36.195)
103.249.106.91
167.172.133.32
216.83.36.195
203.161.46.201
45.33.23.183 - suspicious
206.119.82.116
45.33.6.223
199.59.243.226 - phishing
154.23.184.60
|
6
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
|
|
5.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47625 |
2024-08-27 15:13
|
 PXray_Cast_Sort.exe fe517ecfbb94a742e2b88d67785b87bc
Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|