48586 | 2024-10-02 14:39
  File: cc.js
  MD5:  c63888086e1646654a1e162fde69c0ff
  Tags: XWorm WebCam PWS KeyLogger AntiDebug AntiVM VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName DNS keylogger
  12.0 | | 21 | ZeroCERT

48587 | 2024-10-02 14:40
  File: 66fb2538369cb_EdgeUpdater.exe
  MD5:  a83b2a5ff3529936192398c88edd27a3
  Tags: Confuser .NET PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
  2.4 | M | 33 | ZeroCERT

48588 | 2024-10-02 14:40
  File: 66fbd9a4db4c9_GovernmentalSa.e...
  MD5:  5e55a47b6d7053f9d1ff19539863b8c2
  Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
  6.0 | M | 16 | ZeroCERT

48589 | 2024-10-02 14:42
  File: 66fbfcc301a31_swws.exe
  MD5:  022cc85ed0f56a3f3e8aec4ae3b80a71
  Tags: PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
  2.6 | M | 22 | ZeroCERT

48590 | 2024-10-02 14:43
  File: 66fc5c187ba75_lyla343.exe
  MD5:  007fa2c8c8ab1fbc6867e44db35c063e
  Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself
  1.6 | M | 27 | ZeroCERT

48591 | 2024-10-02 14:44
  File: 66fbfccd837ac_vadggdsa.exe
  MD5:  237af39f8b579aad0205f6174bb96239
  Tags: PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
  2.6 | M | 25 | ZeroCERT

48592 | 2024-10-03 05:10
  File: cliloc_fix.exe
  MD5:  48381193bc2b85595549b519a250d7cf
  Tags: Gen1 Generic Malware Malicious Library ASPack UPX Anti_VM PE File PE64 OS Processor Check DLL icon ZIP Format VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself Ransomware
  2.8 | | 5 | guest

48593 | 2024-10-04 08:40
  File: 7f3c2473d1e6.exe#sp_vid
  MD5:  f6abf83869f601a7addec780dd52f03b
  Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File PE32 OS Processor Check .NET EXE FTP Client Info Stealer Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software crashed
  URLs (1):
    https://steamcommunity.com/profiles/76561199780418869 - rule_id: 42700
  Hosts (5):
    t.me(149.154.167.99) - mailcious
    steamcommunity.com(104.76.74.15) - mailcious
    149.154.167.99 - mailcious
    49.12.197.9
    202.43.50.213
  IDS alerts (3):
    ET INFO Observed Telegram Domain (t .me in TLS SNI)
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
  URLs with rule hits (1):
    https://steamcommunity.com/profiles/76561199780418869
  15.0 | M | | ZeroCERT

48594 | 2024-10-04 08:44
  File: 956d73b7f041.exe#default15st
  MD5:  cd15f137f9979ce6329ff8c21d508caa
  Tags: Stealc Client SW User Data Stealer Gen1 ftp Client info stealer Generic Malware Malicious Library UPX Malicious Packer Http API PWS HTTP Internet API AntiDebug AntiVM PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
  URLs (9):
    http://62.204.41.159/ - rule_id: 42595
    http://62.204.41.159/edd20096ecef326d.php
    http://62.204.41.159/db293a2c1b1c70c4/vcruntime140.dll
    http://62.204.41.159/db293a2c1b1c70c4/sqlite3.dll
    http://62.204.41.159/db293a2c1b1c70c4/nss3.dll
    http://62.204.41.159/db293a2c1b1c70c4/freebl3.dll
    http://62.204.41.159/db293a2c1b1c70c4/mozglue.dll
    http://62.204.41.159/db293a2c1b1c70c4/softokn3.dll
    http://62.204.41.159/db293a2c1b1c70c4/msvcp140.dll
  Hosts (1):
    62.204.41.159 - mailcious
  IDS alerts (16):
    ET DROP Spamhaus DROP Listed Traffic Inbound group 6
    ET INFO Dotted Quad Host DLL Request
    ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
    ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
    ET MALWARE Win32/Stealc Requesting browsers Config from C2
    ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Win32/Stealc Requesting plugins Config from C2
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
    ET MALWARE Win32/Stealc Submitting System Information to C2
    ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  URLs with rule hits (1):
  15.0 | M | | ZeroCERT

48595 | 2024-10-04 08:46
  File: BANDICUT.msi
  MD5:  087d510f4d69f6faa479e4919f51a175
  Tags: Generic Malware Malicious Library Antivirus MSOffice File CAB OS Processor Check VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check ComputerName
  4.2 | M | 27 | ZeroCERT

48596 | 2024-10-04 08:46
  File: f2e7fcb20146.exe#sp_sl
  MD5:  2915d563d12794d5278496fc778de6dd
  Tags: Stealc Client SW User Data Stealer Gen1 ftp Client info stealer Generic Malware Downloader Malicious Library UPX Malicious Packer Http API PWS HTTP Internet API Create Service Socket DGA ScreenShot Escalate priviledges Steal credential Sniff Audio Browser Info Stealer Malware download FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
  URLs (10):
    http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
    http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
    http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
    http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
    http://playd.healthnlife.pk/ldms/a43486128347.exe - rule_id: 42903
    http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
    http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
    http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
    http://46.8.231.109/ - rule_id: 42142
    http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
  Hosts (3):
    playd.healthnlife.pk(147.45.44.104) - mailcious
    147.45.44.104 - malware
    46.8.231.109 - mailcious
  IDS alerts (16):
    ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
    ET MALWARE Win32/Stealc Requesting browsers Config from C2
    ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
    ET MALWARE Win32/Stealc Requesting plugins Config from C2
    ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
    ET INFO Dotted Quad Host DLL Request
    ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
    ET MALWARE Win32/Stealc Submitting System Information to C2
    ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
    ET DROP Spamhaus DROP Listed Traffic Inbound group 23
    ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
    ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  URLs with rule hits (3):
    http://46.8.231.109/c4754d4f680ead72.php
    http://playd.healthnlife.pk/
    http://46.8.231.109/
  13.8 | M | | ZeroCERT

48597 | 2024-10-04 08:48
  File: das.msi
  MD5:  3cb6b99b20930ac0dbadc10899dc511e
  Tags: Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) AntiDebug AntiVM MSOffice File CAB OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself AntiVM_Disk VM Disk Size Check ComputerName crashed
  3.8 | M | 1 | ZeroCERT

48598 | 2024-10-04 11:14
  File: niceideasgirlsknowwellwithnewg...
  MD5:  b7fbbb66d072c56f7d5d0f2e55e1385a
  Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
  URLs (1):
    http://104.168.32.148/610/newthingstobeonlineforyournet.tIF
  Hosts (3):
    raw.githubusercontent.com(185.199.111.133) - malware
    185.199.110.133 - malware
    104.168.32.148 - mailcious
  IDS alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  4.6 | M | 37 | ZeroCERT

48599 | 2024-10-04 11:16
  File: eventthingsaregreattogetmethin...
  MD5:  33083e3d8cad434bfff8cdb97032babe
  Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
  URLs (1):
    http://104.168.32.125/222/picturegreatwithmeenterings.tIF
  Hosts (3):
    raw.githubusercontent.com(185.199.109.133) - malware
    104.168.32.125 - mailcious
    185.199.109.133 - mailcious
  IDS alerts (1):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  4.8 | M | 40 | ZeroCERT

48600 | 2024-10-04 11:19
  File: javumarfirst.exe
  MD5:  506f20dc6d2d9a4bd2725a726679b74e
  Tags: Generic Malware UPX PE File PE32 DLL Malware download VirusTotal Malware Malicious Traffic AppData folder suspicious TLD CryptBot DNS
  URLs (1):
    http://sevtvx17ht.top/v1/upload.php
  Hosts (2):
    sevtvx17ht.top(80.66.81.78)
    80.66.81.78
  IDS alerts (3):
    ET DNS Query to a *.top domain - Likely Hostile
    ET INFO HTTP Request to a *.top domain
    ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
  3.0 | M | 11 | ZeroCERT