47701 | 2024-08-30 11:07 | XClient.exe | 36a1ae0555b5c56da0d72fc78864f11e | Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key | 4.0 | M | 52 | ZeroCERT
47702 | 2024-08-30 11:08 | 12.exe | a26e3c5047080c42ff5ef9279c17d41e | PE File PE64 VirusTotal Malware crashed | 1.8 | M | 36 | ZeroCERT
47703 | 2024-08-30 11:09 | 66d0cd9755a01_sbwd.exe#space | 7fee72ea1dd13c340355baa7fe9c574a | Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer ScreenShot Http API PWS Create Service Socket DGA Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications suspicious process malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin | 17.2 | M | 26 | ZeroCERT
3 | 147.45.68.138 - mailcious | 147.45.44.104 - malware | 46.8.231.109 - mailcious
19 |
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
3 | http://46.8.231.109/c4754d4f680ead72.php | http://46.8.231.109/ | http://147.45.68.138/
47704 | 2024-08-30 11:09 | 66d0cd8fb6f7b_lgjfd.exe#space | 087f21847d13d50158683c834471728c | Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself | 7.0 | M | 25 | ZeroCERT
47705 | 2024-08-30 11:10 | u888.exe | f4d6d6ea62cb666b6fee9d00bdb77350 | UPX PE File PE32 VirusTotal Malware | 1.2 | M | 55 | ZeroCERT
47706 | 2024-08-30 11:12 | 66d08591035ef_AttachmentDaught... | abb713cf90e8345c0b6b79345cbdc9d6 | Generic Malware Suspicious_Script_Bin Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName | 5.4 | M | 13 | ZeroCERT
47707 | 2024-08-30 11:14 | 66d0cd9a65b5d_vqwergf.exe#spac... | 70567fae269796bf407322d0a4435054 | Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin | 13.4 | M | 26 | ZeroCERT
2 | http://147.45.68.138/ - rule_id: 42298 | http://147.45.68.138/sql.dll
1 | 147.45.68.138 - mailcious
5 |
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1 |
47708 | 2024-08-30 11:16 | mapp.exe | cb466c26bb103105b293f2c6c9eecac8 | Gen1 Generic Malware Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB | 1.4 | M | 53 | ZeroCERT
47709 | 2024-08-30 11:20 | MEmpEng.exe | 3412e23523a0f4f6da613485bd7fdb38 | Formbook Generic Malware Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer VirusTotal Malware Checks debugger buffers extracted Creates executable files unpack itself AppData folder Java Browser DNS | 6.2 | M | 28 | ZeroCERT
6 |
ET INFO Observed DNS Query to .biz TLD
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
47710 | 2024-08-30 11:21 | 54.exe | 0b1d213e54d820dd3fefa386aa3e1f43 | Generic Malware Downloader UPX PE File ftp PE64 OS Processor Check VirusTotal Malware PDB | 1.4 | M | 46 | ZeroCERT
47711 | 2024-08-30 11:23 | nvidia.exe | 4b3659cdd58a9f5cda08278568d65da1 | Malicious Library VMProtect PE File PE64 VirusTotal Malware DNS | 2.4 | M | 21 | ZeroCERT
1 |
47712 | 2024-08-30 16:37 | 7fda1e50488896f329561b30ea0c3f... | 8d2b522ca500a1fe0745223e1578ebae | AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed | 3.8 | guest
47713 | 2024-08-30 16:38 | fd78ad3be58e5d0cbac1242ccdcbd1... | 874858781e07cb3c3ce013b9e11dd7bc | Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 4.2 | guest
2 |
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
47714 | 2024-08-30 16:38 | f5c9ee003dc4f1dd578a393102938f... | a1a12d64ae5e98d717e4a31fac953a8d | Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 4.8 | guest
2 |
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
47715 | 2024-08-30 16:39 | 374b481f704c5ac8d04e4d92f2df5e... | 6a5868425d6a234f502cc93da9013df2 | AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Windows Exploit DNS crashed | 3.8 | guest