| 48151 |
2024-09-19 10:27
|
 231.exe 4fa734db8e9f7ce5ecd217b34ecc6969
Gen1 Generic Malware NSIS Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX Javascript_Blob AntiDebug AntiVM PE File PE32 MZP Format OS Processor Check DLL PE64 PNG Format DllRegisterServer dll Browser Info Stealer Malware download FTP Client Info Stealer NetWireRC VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder installed browsers check SectopRAT Windows Browser Backdoor ComputerName DNS Cryptographic key Software crashed keylogger |
1
http://45.141.86.82:9000/wbinjget?q=4647BCCD302FD52A28C2EB9D88218DA4
|
1
|
3
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity
ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
|
|
12.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48152 |
2024-09-19 10:28
|
 vfagms15.exe 89599341387624a951de84b66f9ec572
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.170.104) - mailcious
149.154.167.99 - mailcious
104.76.74.15
78.47.207.136 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48153 |
2024-09-19 10:29
|
 vkfsags12.exe fede424830238cf2c2e661b5cb12e584
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
6
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.170.104) - mailcious
149.154.167.99 - mailcious
202.43.50.213
78.47.207.136 - mailcious
125.253.92.50 - mailcious
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
17.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48154 |
2024-09-19 10:30
|
QuickBooks_Desktop_Manager.msi 136797111e25e1a2014d70cc4e343f10
Generic Malware Malicious Library Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee ComputerName |
|
2
http-download.intuit.com(23.39.14.40)
2.18.147.175
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48155 |
2024-09-19 10:31
|
 66eafb3a8225e_crypted.exe#1 c7fce4265a5346ff9d2413813886afce
RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 37
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48156 |
2024-09-19 10:32
|
 66eaee5323f5d_setup3.exe a7d7d48f4a9bb7718ec17d11fba9cad8
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution |
|
|
|
|
2.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48157 |
2024-09-19 10:33
|
 66eaadab755d2_installs.exe#ijs... 00b2660d589fe136f015a148d7f4dee0
Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
3.4 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48158 |
2024-09-19 10:34
|
 lnfsda.exe 6f4a0ae013610785ad54438f4af26f1a
Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows |
|
|
|
|
8.0 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48159 |
2024-09-19 10:36
|
 vlsadg.exe a714209db1b2b68a95e680df111922ed
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.170.104) - mailcious
149.154.167.99 - mailcious
78.47.207.136 - mailcious
202.43.50.213
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199768374681
|
16.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48160 |
2024-09-19 10:37
|
 game.exe b68de602a612382378707692d914e63e
Stealc Gen1 Themida Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
9
http://185.215.113.103/0d60be0de163924d/msvcp140.dll
http://185.215.113.103/ - rule_id: 42566
http://185.215.113.103/0d60be0de163924d/sqlite3.dll
http://185.215.113.103/0d60be0de163924d/nss3.dll
http://185.215.113.103/0d60be0de163924d/freebl3.dll
http://185.215.113.103/0d60be0de163924d/mozglue.dll
http://185.215.113.103/0d60be0de163924d/vcruntime140.dll
http://185.215.113.103/e2b1563c6670f193.php
http://185.215.113.103/0d60be0de163924d/softokn3.dll
|
2
162.241.62.63 - mailcious
185.215.113.103 - mailcious
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
1
|
11.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48161 |
2024-09-19 10:38
|
QuickBooks_Desktop_Setup.msi 675d05c2a81ec2148a6181ad1c60813d
Generic Malware Malicious Library Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee ComputerName DNS crashed |
1
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=lntuit.exe&platform=0009&osver=5&isServer=0
|
|
3
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Wrong direction first Data
|
|
5.2 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48162 |
2024-09-19 10:38
|
QuickBooks_Setup.msi b3d559382c44cc0ea1abbc09d55c59cd
Generic Malware Malicious Library .NET framework(MSIL) Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee ComputerName |
|
2
http-download.intuit.com(23.39.14.40)
2.18.147.175
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48163 |
2024-09-19 10:40
|
 vsfdajg16.exe d0263e1e29b4f202bffd383f136395c4
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
1
https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.170.104) - mailcious
149.154.167.99 - mailcious
78.47.207.136 - mailcious
202.43.50.213
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199768374681
|
17.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48164 |
2024-09-19 11:19
|
 cred64.dll 5477191916e3747ea607a9d806b65c7d
Amadey Generic Malware Malicious Library UPX Antivirus PE File DLL PE64 OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process sandbox evasion installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
2
http://5.181.86.244/aXfj40bOe4/index.php - rule_id: 42625
http://5.181.86.244/aXfj40bOe4/index.php
|
1
|
|
1
http://5.181.86.244/aXfj40bOe4/index.php
|
9.8 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48165 |
2024-09-19 11:21
|
 clip64.dll d9dd7aedaae6adb2c1156aacacf87147
Amadey Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS |
1
http://5.181.86.244/aXfj40bOe4/index.php - rule_id: 42625
|
1
|
|
1
http://5.181.86.244/aXfj40bOe4/index.php
|
3.6 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|