496 | 2024-08-30 11:09
66d0cd9755a01_sbwd.exe#space 7fee72ea1dd13c340355baa7fe9c574a Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer ScreenShot Http API PWS Create Service Socket DGA Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications suspicious process malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (13): http://46.8.231.109/1309cdeb8f4c8736/nss3.dll http://147.45.44.104/prog/66d0cd9a65b5d_vqwergf.exe http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211 http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll http://147.45.68.138/sql.dll http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll http://46.8.231.109/ - rule_id: 42142 http://147.45.68.138/ - rule_id: 42298 http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll http://147.45.44.104/prog/66d0cd8fb6f7b_lgjfd.exe
Hosts (3): 147.45.68.138 - mailcious 147.45.44.104 - malware 46.8.231.109 - mailcious
Signatures (19): ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (3): http://46.8.231.109/c4754d4f680ead72.php http://46.8.231.109/ http://147.45.68.138/
17.2 | M | 26 | ZeroCERT
497 | 2024-08-30 11:08
12.exe a26e3c5047080c42ff5ef9279c17d41e PE File PE64 VirusTotal Malware crashed
1.8 | M | 36 | ZeroCERT
498 | 2024-08-30 11:07
XClient.exe 36a1ae0555b5c56da0d72fc78864f11e Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key
4.0 | M | 52 | ZeroCERT
499 | 2024-08-30 11:05
no.exe 92ffd2b619edc0df4985b45b88f308fb Malicious Library Downloader VMProtect PE File PE64 VirusTotal Malware
2.2 | M | 49 | ZeroCERT
500 | 2024-08-30 11:04
66d0cda07d045_vteh15.exe#d15 ec8ca3a0426fdbf16cc1bb707bdf1ea6 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin
URLs (2): http://147.45.68.138/ - rule_id: 42298 http://147.45.68.138/sql.dll
Hosts (1): 147.45.68.138 - mailcious
Signatures (5): ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs: 1 (not listed)
13.4 | M | 26 | ZeroCERT
501 | 2024-08-30 11:03
winrar.exe 1394628b42db25d5960c3ab8027b4fb4 Malicious Library VMProtect PE File PE64 VirusTotal Malware
1.8 | M | 21 | ZeroCERT
502 | 2024-08-30 11:01
kdmapper_Release.exe 0b57fb7f0711c4ab650d2cf49d480a8a Gen1 Generic Malware Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware PDB
1.4 | M | 56 | ZeroCERT
503 | 2024-08-30 11:01
CardPWD.exe 2ae78305061a7a1491e4371e49f506f8 CoinMiner Generic Malware UPX Malicious Library PE File PE32 DLL .NET DLL OS Processor Check Malware download Dridex VirusTotal Malware Check memory Checks debugger Creates executable files ICMP traffic unpack itself AppData folder WriteConsoleW Windows
URLs (1): http://wieie.cn:8765/CardPwd/CardPwd.exe
Hosts (2): wieie.cn(58.23.215.23) - malware 58.23.215.23 - malware
Signatures (4): ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET INFO AutoIt User Agent Executable Request ET POLICY PE EXE or DLL Windows file download HTTP
5.6 | M | 36 | ZeroCERT
504 | 2024-08-30 10:59
66d0cd9d59f3e_vdwrg12.exe#d12 5095864caf019967467c5714897ee419 Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
URLs (8): http://147.45.68.138/softokn3.dll http://147.45.68.138/mozglue.dll http://147.45.68.138/freebl3.dll http://147.45.68.138/nss3.dll http://147.45.68.138/sql.dll http://147.45.68.138/ - rule_id: 42298 http://147.45.68.138/msvcp140.dll http://147.45.68.138/vcruntime140.dll
Hosts (1): 147.45.68.138 - mailcious
Signatures (10): ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET INFO Dotted Quad Host DLL Request ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
Rule-matched URLs: 1 (not listed)
15.6 | M | 27 | ZeroCERT
505 | 2024-08-30 10:59
sj.exe 2100afde3e24faa6c594799dd2f5472c Generic Malware Malicious Library Downloader Malicious Packer ASPack UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware suspicious privilege unpack itself Remote Code Execution crashed
3.0 | M | 44 | ZeroCERT
506 | 2024-08-30 10:57
wemadethesuccessfullbuttersmoo... fdff090601b2ddef31b254e19bf6cb60 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (1): http://198.46.178.181/265/weneedtogetmebackbuttersmooth.tIF
Hosts (3): ia803104.us.archive.org(207.241.232.154) - malware 198.46.178.181 - malware 207.241.232.154 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 33 | ZeroCERT
507 | 2024-08-30 10:55
%E8%88%9E%E8%B9%88%E5%8A%A9%E6... c0ae221773a600c3c2d2e690ddf776f1 Generic Malware Malicious Library VMProtect UPX PE File PE32 VirusTotal Malware Checks debugger unpack itself Remote Code Execution crashed
3.6 | M | 46 | ZeroCERT
508 | 2024-08-30 10:53
66d0c13d2f0ed_ImpressedHub.exe 2f5226b4116ce79afb6dcb32fa647954 Suspicious_Script_Bin Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
5.6 | | 8 | ZeroCERT
509 | 2024-08-30 10:52
sreemanganshekumarsayingbutter... f3e730b297901499d743de5c1dff1e7d MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (1): http://198.12.81.228/600/creatednewimagesinpicturebuttersmooth.tIF
Hosts (3): ia803104.us.archive.org(207.241.232.154) - malware 198.12.81.228 - mailcious 207.241.232.154 - malware
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | M | 40 | ZeroCERT
510 | 2024-08-30 10:51
66d0879618b6b_File.exe#xin bd2891236510c953d469e346d092f0c7 Malicious Library UPX PE File .NET EXE MSOffice File PE32 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
2.4 | | 12 | ZeroCERT