47806 |
2024-09-04 10:08
|
lamp.exe 54dd56c2c79350de18dc0be27360520d Stealc Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://185.215.113.100/0d60be0de163924d/nss3.dll http://185.215.113.100/0d60be0de163924d/freebl3.dll http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968 http://185.215.113.100/0d60be0de163924d/vcruntime140.dll http://185.215.113.100/0d60be0de163924d/sqlite3.dll http://185.215.113.100/ - rule_id: 41969 http://185.215.113.100/0d60be0de163924d/mozglue.dll http://185.215.113.100/0d60be0de163924d/softokn3.dll http://185.215.113.100/0d60be0de163924d/msvcp140.dll
|
1
185.215.113.100 - mailcious
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://185.215.113.100/e2b1563c6670f193.php http://185.215.113.100/
|
12.4 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47807 |
2024-09-04 10:09
|
chrome.exe 67407557dfbdd3d71436f89d6d47897a Malicious Packer UPX PE File PE64 VirusTotal Malware buffers extracted RWX flags setting DNS |
|
1
|
|
|
4.6 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47808 |
2024-09-04 10:09
|
1_encoded.exe 6c098287139a5808d04237dd4cdaec3f PE File PE64 VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47809 |
2024-09-04 10:11
|
rev.exe c457b64b8faf93fb23adb3d3b6a6cb78 Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
63 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47810 |
2024-09-04 10:14
|
66d5e39de168d_cry.exe#kiscrypt... c4863f9cb3f845ccd4ebd260d532928e Client SW User Data Stealer ftp Client info stealer Antivirus Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
9
http://147.45.47.137/04912fc0ffa81c54/freebl3.dll http://147.45.47.137/ http://147.45.47.137/04912fc0ffa81c54/nss3.dll http://147.45.47.137/04912fc0ffa81c54/sqlite3.dll http://147.45.47.137/6ecdc9436941ebbd.php http://147.45.47.137/04912fc0ffa81c54/mozglue.dll http://147.45.47.137/04912fc0ffa81c54/softokn3.dll http://147.45.47.137/04912fc0ffa81c54/vcruntime140.dll http://147.45.47.137/04912fc0ffa81c54/msvcp140.dll
|
1
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
12.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47811 |
2024-09-04 10:15
|
66d6af212bad3_kbdturme.exe b2ceff540f1fb7234b424a5702e989ba Gen1 Generic Malware NSIS Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX Javascript_Blob AntiDebug AntiVM PE File PE32 MZP Format OS Processor Check DLL PE64 PNG Format DllRegisterServer dll VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder Windows ComputerName crashed |
|
|
|
|
7.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47812 |
2024-09-04 10:16
|
tqh64.exe 2d8bfa12ffd53e578028edae844e7611 UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47813 |
2024-09-04 10:17
|
66d707705967b_12.exe#d12 d72251694d71a89fab057f9976ec1827 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
8
http://147.45.68.138/softokn3.dll http://147.45.68.138/mozglue.dll http://147.45.68.138/freebl3.dll http://147.45.68.138/nss3.dll http://147.45.68.138/sql.dll http://147.45.68.138/ - rule_id: 42298 http://147.45.68.138/msvcp140.dll http://147.45.68.138/vcruntime140.dll
|
1
147.45.68.138 - mailcious
|
10
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
1
|
15.8 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47814 |
2024-09-04 10:17
|
payload.exe ca6ae34bf2b35aacb25a27f94fb1f7d5 Metasploit Generic Malware PE File PE64 VirusTotal Malware DNS crashed |
|
1
|
|
|
3.6 |
M |
62 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47815 |
2024-09-04 10:19
|
66d5edf357fbf_BitcoinCore.exe 26dc83cd26d56041c731e497b96a8a73 Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47816 |
2024-09-04 10:20
|
66d5e40f57b39_def_202409021912... ade16b249de80c5d8a459baaac67201c Client SW User Data Stealer ftp Client info stealer Antivirus Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Stealc ComputerName DNS |
2
http://147.45.47.137/6ecdc9436941ebbd.php http://147.45.47.137/
|
1
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
|
|
9.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47817 |
2024-09-04 10:22
|
66d5df681876c_file010924.exe#f... 7972b08246e568495d9d116fc2d0b159 Suspicious_Script_Bin Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows ComputerName Remote Code Execution DNS |
2
http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true - rule_id: 41982 https://api.2ip.ua/geo.json
|
4
cajgtus.com(186.145.236.93) - malware api.2ip.ua(172.67.139.220) 172.67.139.220 186.233.231.45
|
6
ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
|
1
http://cajgtus.com/test1/get.php
|
9.4 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47818 |
2024-09-04 10:22
|
Co.exe 50968bf1892077705f9182f7028c8ef2 UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47819 |
2024-09-04 10:25
|
66d753141beb4_default.exe#kiso... 5bded0f41fa96aeed99d6b9b8eb34aa4 Client SW User Data Stealer ftp Client info stealer Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Malware c&c PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS Software crashed plugin |
9
http://45.152.113.10/15a25e53742510fe/nss3.dll http://45.152.113.10/15a25e53742510fe/vcruntime140.dll http://45.152.113.10/15a25e53742510fe/mozglue.dll http://45.152.113.10/15a25e53742510fe/softokn3.dll http://45.152.113.10/ http://45.152.113.10/15a25e53742510fe/freebl3.dll http://45.152.113.10/15a25e53742510fe/sqlite3.dll http://45.152.113.10/15a25e53742510fe/msvcp140.dll http://45.152.113.10/92335b4816f77e90.php
|
1
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
13.2 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47820 |
2024-09-04 10:25
|
66d5ec0530891_crypted.exe#1 8e0ae87939388dfd7d6470bdd397b309 RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.2 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|