5221 | 2024-09-19 10:17 | 87.exe | 8031214dd28074aecf6482fcff90565b | Malicious Library PE File PE64 VirusTotal Malware RWX flags setting unpack itself ComputerName DNS | | 1 | | | 5.2 | M | 60 | ZeroCERT
5222 | 2024-09-19 10:15 | vfdaj15.exe | ad31361e15557683381bfeafda7fc981 | Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 1: https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498 | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 104.76.74.15; 78.47.207.136 - mailcious | 3: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Telegram Domain (t .me in TLS SNI) | 1: https://steamcommunity.com/profiles/76561199768374681 | 17.0 | M | 51 | ZeroCERT
5223 | 2024-09-19 10:12 | 66e9b62daa62d_xin.exe | 8e3fb69a56d807d7ef1c432ea1590496 | RedLine stealer Antivirus PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS | | 1: 95.216.107.53 - mailcious | | | 9.2 | M | 50 | ZeroCERT
5224 | 2024-09-19 10:10 | 66e87722b6018_sdfjen.exe#space | 38ae00650fbf32979ee3d6163e5c579e | Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName | | | | | 3.0 | M | 50 | ZeroCERT
5225 | 2024-09-19 10:09 | univ.exe | 85737d1c7426259423c84f96719e82ea | Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Windows RCE | | | | | 3.2 | M | 59 | ZeroCERT
5226 | 2024-09-19 10:06 | B.exe | 7778bbeacc8add7df3996267fc83ece5 | AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName DNS Software crashed | 1: http://ip-api.com/line/?fields=hosting | 4: ftp.jeepcommerce.rs(195.252.110.253); ip-api.com(208.95.112.1); 208.95.112.1; 195.252.110.253 - mailcious | 3: ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com); ET POLICY External IP Lookup ip-api.com; SURICATA Applayer Detect protocol only one direction | | 6.6 | M | 55 | ZeroCERT
5227 | 2024-09-19 10:04 | 66e8771d4d239_vfdokdf15.exe#d1... | 3817c947e0d26bde329f7481b6d76709 | Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 1: https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498 | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 104.76.74.15; 78.47.207.136 - mailcious | 3: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed Telegram Domain (t .me in TLS SNI) | 1: https://steamcommunity.com/profiles/76561199768374681 | 14.8 | M | 54 | ZeroCERT
5228 | 2024-09-19 10:04 | 66e877160911d_vnfdewk16.exe#d1... | 65ac3fe80ceced1ad72a4ab03dfd14f2 | Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName | | | | | 3.0 | M | 55 | ZeroCERT
5229 | 2024-09-19 10:02 | clip.exe | 6ca0b0717cfa0684963ff129abb8dce9 | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS | 1: http://185.215.113.117/nholman/ | 1: 185.215.113.117 - malware | | | 2.8 | M | 57 | ZeroCERT
5230 | 2024-09-19 10:02 | zabardast-movie2024.mp3.exe | cbef9bb615e2bd37d730ed30fde6ae03 | UPX PE File PE64 OS Processor Check VirusTotal Malware Check memory unpack itself | | | | | 1.8 | M | 46 | ZeroCERT
5231 | 2024-09-19 10:00 | 66e877203afd3_vfdsofa12.exe#d1... | 5c984dd83c65ae6b6f2d93a60ae40bfd | Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 1: https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498 | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 104.76.74.15; 78.47.207.136 - mailcious | 3: ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | 1: https://steamcommunity.com/profiles/76561199768374681 | 16.0 | M | 54 | ZeroCERT
5232 | 2024-09-19 10:00 | 66e86c030044f_UniversityGradua... | 8bc957246166f6b5d99c1b63d34dd663 | Generic Malware Suspicious_Script_Bin Malicious Library UPX PE File PE32 OS Processor Check ftp VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName | | | | | 7.8 | M | 44 | ZeroCERT
5233 | 2024-09-19 09:58 | Channel2.exe | ec3afdbd761916a682e9372834365939 | Generic Malware Malicious Library Malicious Packer Antivirus UPX AntiDebug AntiVM PE File PE64 OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Disables Windows Security Check virtual network interfaces suspicious process malicious URLs suspicious TLD Tofsee Windows ComputerName RCE DNS Cryptographic key | 2: https://yip.su/RNWPd.exe - rule_id: 37623; https://pastebin.com/raw/V6VJsrV3 - rule_id: 37255 | 4: pastebin.com(104.20.3.235) - mailcious; yip.su(104.21.79.77) - mailcious; 104.21.79.77 - phishing; 104.20.3.235 - malware | 2: ET DNS Query for .su TLD (Soviet Union) Often Malware Related; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 2: https://yip.su/RNWPd.exe; https://pastebin.com/raw/V6VJsrV3 | 12.6 | M | 59 | ZeroCERT
5234 | 2024-09-19 09:57 | 66e805302f63c_otr.exe | d3d2aafaf86262baa7528e397f1ce761 | RedLine Infostealer UltraVNC Generic Malware Malicious Library UPX PE File PE32 OS Processor Check Malware download VirusTotal Malware PDB Stealer DNS | | 1: 89.105.223.249 - mailcious | 1: ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI) | | 2.4 | M | 58 | ZeroCERT
5235 | 2024-09-19 09:55 | vethwgr16.exe | 26e1bcdecaa337ee8e8b3694603c803f | Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 1: https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498 | 5: t.me(149.154.167.99) - mailcious; steamcommunity.com(104.76.74.15) - mailcious; 149.154.167.99 - mailcious; 104.76.74.15; 78.47.207.136 - mailcious | 3: ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 1: https://steamcommunity.com/profiles/76561199768374681 | 15.4 | M | 52 | ZeroCERT