5131 | 2024-09-22 15:11
66eef0d27af21_vfdsgfd.exe 76b81bbaa929e92a0885267869e62fdf Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1): https://steamcommunity.com/profiles/76561199780418869
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 116.203.165.127; 104.76.74.15
Signatures (3): ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
13.8 | M | ZeroCERT
5132 | 2024-09-22 15:08
Autoupdate.exe 0a391949514f69ddc5a2d6e069aac9f1 Malicious Library Antivirus UPX PE File .NET EXE PE32 Lnk Format GIF Format VirusTotal Malware PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check ComputerName
5.0 | 45 | ZeroCERT
5133 | 2024-09-22 15:08
feelniceforgivenmegreatthingst... 2db98a27e71fef64135ce5e259d5a8c4 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (1): http://172.236.19.62/340/nicepictureforeveryoneseegood.tIF
Hosts (3): ia600100.us.archive.org(207.241.227.240); 172.236.19.62 - mailcious; 207.241.227.240
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | 41 | ZeroCERT
5134 | 2024-09-22 14:59
h0r0zx00x.mpsl 05845cd46412b372eefb06c502d876fb UPX AntiDebug AntiVM ELF VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName
4.4 | 36 | ZeroCERT
5135 | 2024-09-22 14:59
66eef0cfe6c57_vdcsdgf15.exe 0656946b783a6df8ff57c45846e49de1 Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1): https://steamcommunity.com/profiles/76561199780418869
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 116.203.165.127; 202.43.50.213
Signatures (3): ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.2 | 28 | ZeroCERT
5136 | 2024-09-22 04:16
2.exe 294fab1523dc3b50cbcc120e67946a5b Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Malware Malicious Traffic Creates executable files DNS
Hosts (1): 139.196.224.137 - malware
Signatures (1): ET INFO Dotted Quad Host DLL Request
2.4 | M | guest
5137 | 2024-09-21 14:18
random.exe 9b638c429ac9e4c032d7e6852b464dbd Generic Malware Malicious Library UPX Code injection AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware MachineGuid Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself malicious URLs installed browsers check Ransomware Exploit Browser crashed
9.0 | M | 14 | ZeroCERT
5138 | 2024-09-21 14:15
sdhsfd.exe ea754070163f8eca914b259096d834f0 Stealc Client SW User Data Stealer Gen1 ftp Client info stealer Generic Malware Antivirus Malicious Library UPX Malicious Packer Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (9): http://46.8.231.109/1309cdeb8f4c8736/nss3.dll; http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll; http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll; http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211; http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll; http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll; http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll; http://46.8.231.109/ - rule_id: 42142; http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
Hosts (3): nerv.com.pe(162.241.61.218) - malware; 162.241.61.218 - mailcious; 46.8.231.109 - mailcious
Signatures (17): ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity; ET INFO TLS Handshake Failure
Rule-matched URLs (2): http://46.8.231.109/c4754d4f680ead72.php; http://46.8.231.109/
14.6 | M | 45 | ZeroCERT
5139 | 2024-09-21 14:11
66edb89bc4073_crypted.exe#xin d687af3b103399aa245807bb719878b7 RedLine stealer Antivirus PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS
Hosts (1): 95.216.107.53 - mailcious
8.6 | M | 48 | ZeroCERT
5140 | 2024-09-21 14:09
66ed33772bbe7_vdfhsjf16.exe 5f1ea69f876e6c0b3f52c49cb56a5933 Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1): https://steamcommunity.com/profiles/76561199780418869
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 116.203.165.127; 202.43.50.213
Signatures (3): ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
17.6 | M | 44 | ZeroCERT
5141 | 2024-09-21 14:07
game.exe b5466eeb2b35e47ffc7230ec00d6d4c6 Stealc CryptBot Themida PE File PE32 Malware download VirusTotal Malware c&c Malicious Traffic Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Stealc Windows ComputerName DNS crashed
URLs (2): http://185.215.113.103/e2b1563c6670f193.php - rule_id: 42615; http://185.215.113.103/ - rule_id: 42566
Hosts (1): 185.215.113.103 - mailcious
Signatures (1): ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
Rule-matched URLs (2): http://185.215.113.103/e2b1563c6670f193.php; http://185.215.113.103/
7.4 | M | 36 | ZeroCERT
5142 | 2024-09-21 14:05
66ebb3bf78bd6_Send.exe#111us30... 098e15e88e5332253356c78badf8d479 UPX PE File PE32 OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB Code Injection Malicious Traffic buffers extracted Creates executable files unpack itself Windows RCE DNS
URLs (1): http://45.202.35.101/pLQvfD4d/index.php
Hosts (1):
Signatures (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 5
9.0 | M | 36 | ZeroCERT
5143 | 2024-09-21 14:03
66ed33717e4c1_vfdshfdag15.exe cd681a24c9d79c3af8caa1843296a062 Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1): https://steamcommunity.com/profiles/76561199780418869
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.74.170.104) - mailcious; 149.154.167.99 - mailcious; 116.203.165.127; 104.74.170.104 - mailcious
Signatures (3): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Telegram Domain (t .me in TLS SNI)
16.0 | M | 47 | ZeroCERT
5144 | 2024-09-21 14:02
random.exe e0bb28202965797f022195320f3287d5 Stealc Amadey Gen1 Themida Generic Malware Malicious Library UPX Malicious Packer Code injection Anti_VM AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download Amadey FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare AppData folder malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Ransomware Stealc Stealer Windows Exploit Browser Email ComputerName DNS Software crashed plugin
URLs (10): http://185.215.113.103/0d60be0de163924d/msvcp140.dll; http://185.215.113.103/ - rule_id: 42566; http://185.215.113.103/0d60be0de163924d/sqlite3.dll; http://185.215.113.103/0d60be0de163924d/nss3.dll; http://185.215.113.103/0d60be0de163924d/freebl3.dll; http://31.41.244.10/Dem7kTu/index.php - rule_id: 42202; http://185.215.113.103/0d60be0de163924d/mozglue.dll; http://185.215.113.103/0d60be0de163924d/vcruntime140.dll; http://185.215.113.103/e2b1563c6670f193.php - rule_id: 42615; http://185.215.113.103/0d60be0de163924d/softokn3.dll
Hosts (3): 31.41.244.10 - malware; 185.215.113.100 - mailcious; 185.215.113.103 - mailcious
Signatures (19): ET DROP Spamhaus DROP Listed Traffic Inbound group 2; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (3): http://185.215.113.103/; http://31.41.244.10/Dem7kTu/index.php; http://185.215.113.103/e2b1563c6670f193.php
22.2 | M | ZeroCERT
5145 | 2024-09-21 14:02
66ed336eac985_vdfhssfdg12.exe 6b082832f014548bf1703ddaed1e16b9 Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1): https://steamcommunity.com/profiles/76561199780418869
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(104.74.170.104) - mailcious; 149.154.167.99 - mailcious; 116.203.165.127; 104.74.170.104 - mailcious
Signatures (3): ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
15.4 | M | 48 | ZeroCERT