48151 |
2024-09-19 10:27
|
231.exe 4fa734db8e9f7ce5ecd217b34ecc6969 Gen1 Generic Malware NSIS Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX Javascript_Blob AntiDebug AntiVM PE File PE32 MZP Format OS Processor Check DLL PE64 PNG Format DllRegisterServer dll Browser Info Stealer Malware download FTP Client Info Stealer NetWireRC VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder installed browsers check SectopRAT Windows Browser Backdoor ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://45.141.86.82:9000/wbinjget?q=4647BCCD302FD52A28C2EB9D88218DA4
|
1
|
3
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
|
|
12.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48152 |
2024-09-19 10:28
|
vfagms15.exe 89599341387624a951de84b66f9ec572 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.74.170.104) - mailcious 149.154.167.99 - mailcious 104.76.74.15 78.47.207.136 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48153 |
2024-09-19 10:29
|
vkfsags12.exe fede424830238cf2c2e661b5cb12e584 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
6
t.me(149.154.167.99) - mailcious steamcommunity.com(104.74.170.104) - mailcious 149.154.167.99 - mailcious 202.43.50.213 78.47.207.136 - mailcious 125.253.92.50 - mailcious
|
3
ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
17.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48154 |
2024-09-19 10:30
|
QuickBooks_Desktop_Manager.msi 136797111e25e1a2014d70cc4e343f10 Generic Malware Malicious Library Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee ComputerName |
|
2
http-download.intuit.com(23.39.14.40) 2.18.147.175
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48155 |
2024-09-19 10:31
|
66eafb3a8225e_crypted.exe#1 c7fce4265a5346ff9d2413813886afce RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 37 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48156 |
2024-09-19 10:32
|
66eaee5323f5d_setup3.exe a7d7d48f4a9bb7718ec17d11fba9cad8 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48157 |
2024-09-19 10:33
|
66eaadab755d2_installs.exe#ijs... 00b2660d589fe136f015a148d7f4dee0 Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
3.4 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48158 |
2024-09-19 10:34
|
lnfsda.exe 6f4a0ae013610785ad54438f4af26f1a Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows |
|
|
|
|
8.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48159 |
2024-09-19 10:36
|
vlsadg.exe a714209db1b2b68a95e680df111922ed Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.74.170.104) - mailcious 149.154.167.99 - mailcious 78.47.207.136 - mailcious 202.43.50.213
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48160 |
2024-09-19 10:37
|
game.exe b68de602a612382378707692d914e63e Stealc Gen1 Themida Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://185.215.113.103/0d60be0de163924d/msvcp140.dll http://185.215.113.103/ - rule_id: 42566 http://185.215.113.103/0d60be0de163924d/sqlite3.dll http://185.215.113.103/0d60be0de163924d/nss3.dll http://185.215.113.103/0d60be0de163924d/freebl3.dll http://185.215.113.103/0d60be0de163924d/mozglue.dll http://185.215.113.103/0d60be0de163924d/vcruntime140.dll http://185.215.113.103/e2b1563c6670f193.php http://185.215.113.103/0d60be0de163924d/softokn3.dll
|
2
162.241.62.63 - mailcious 185.215.113.103 - mailcious
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
1
|
11.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48161 |
2024-09-19 10:38
|
QuickBooks_Desktop_Setup.msi 675d05c2a81ec2148a6181ad1c60813d Generic Malware Malicious Library Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee ComputerName DNS crashed |
1
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=lntuit.exe&platform=0009&osver=5&isServer=0
|
|
3
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Wrong direction first Data
|
|
5.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48162 |
2024-09-19 10:38
|
QuickBooks_Setup.msi b3d559382c44cc0ea1abbc09d55c59cd Generic Malware Malicious Library .NET framework(MSIL) Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee ComputerName |
|
2
http-download.intuit.com(23.39.14.40) 2.18.147.175
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48163 |
2024-09-19 10:40
|
vsfdajg16.exe d0263e1e29b4f202bffd383f136395c4 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.74.170.104) - mailcious 149.154.167.99 - mailcious 78.47.207.136 - mailcious 202.43.50.213
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
17.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48164 |
2024-09-19 11:19
|
cred64.dll 5477191916e3747ea607a9d806b65c7d Amadey Generic Malware Malicious Library UPX Antivirus PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://5.181.86.244/aXfj40bOe4/index.php - rule_id: 42625 http://5.181.86.244/aXfj40bOe4/index.php
|
1
|
|
1
http://5.181.86.244/aXfj40bOe4/index.php
|
9.8 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48165 |
2024-09-19 11:21
|
clip64.dll d9dd7aedaae6adb2c1156aacacf87147 Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://5.181.86.244/aXfj40bOe4/index.php - rule_id: 42625
|
1
|
|
1
http://5.181.86.244/aXfj40bOe4/index.php
|
3.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|