526 | 2024-08-29 09:15 | 66cf81753addd_vsldqfs15.exe#d1... | 8ae4605ae214af3ba375ad58263ca707
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1):
  https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
Hosts (5):
  t.me(149.154.167.99) - malicious
  steamcommunity.com(104.74.170.104) - malicious
  149.154.167.99 - malicious
  104.74.170.104
  94.130.188.148 - malicious
Signatures (3):
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Malicious URLs (1):
  https://steamcommunity.com/profiles/76561199761128941
17.0 | M | 32 | ZeroCERT

527 | 2024-08-29 09:15 | 66cf769b69d70_crypted.exe#1 | 6d90f5899ff47cd3519ee0f53b8900f6
Tags: RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): not listed
Signatures (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
12.8 | M | 23 | ZeroCERT

528 | 2024-08-29 09:13 | 66cf75d3791d7_vrewqgq.exe#spac... | 1ef9bbed957bcd2df5a639e04a67f8bb
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1):
  https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
Hosts (5):
  t.me(149.154.167.99) - malicious
  steamcommunity.com(104.74.170.104) - malicious
  149.154.167.99 - malicious
  104.74.170.104
  94.130.188.148 - malicious
Signatures (3):
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Malicious URLs (1):
  https://steamcommunity.com/profiles/76561199761128941
15.8 | M | 22 | ZeroCERT

529 | 2024-08-29 09:12 | 113133.exe | 7fdc6d283bcbd3b6957117bcf029121b
Tags: RedLine stealer Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 Malware download VirusTotal Malware Stealer DNS
Hosts (1): not listed
Signatures (1):
  ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI)
2.2 |  | 53 | ZeroCERT

530 | 2024-08-28 12:43 | wecreatednewthingstogetmebackt... | c5b33393804cbc8be7ea90ddd2a9f024
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1):
  http://198.46.178.181/121/seethebuttersmoothchocolitecream.tIF
Hosts (4):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
  198.46.178.181 - malware
  154.216.19.149
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 34 | ZeroCERT

531 | 2024-08-28 12:41 | PENDXGKW.exe | 61d31fb13c1dd46fcb03caf7f648508c
Tags: Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer PE File PE32 DLL MZP Format DllRegisterServer dll OS Processor Check VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Tofsee DNS
URLs (1):
  https://pastebin.com/raw/jxfGm9Pc
Hosts (3):
  pastebin.com(104.20.4.235) - malicious
  154.216.19.149
  172.67.19.24 - malicious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 8 | ZeroCERT

532 | 2024-08-28 12:39 | honey.exe | b824978c8183a65d081012677a1d46d1
Tags: Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 62 | ZeroCERT

533 | 2024-08-28 12:37 | niceshirtwhichwearedbymesherea... | 97184c45a919e70afa3378753cae6e2f
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1):
  http://198.46.178.137/136/shegoodforeverythingtogetmefrom.tIF
Hosts (3):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
  198.46.178.137 - malware
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 33 | ZeroCERT

534 | 2024-08-28 12:36 | 66cca0b083a5e_Yietgld.exe#upus | 2268fa0c1b8ab3e3a8306b7f7949ccff
Tags: njRAT backdoor Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself ComputerName DNS
Hosts (1): not listed
2.6 |  | 19 | ZeroCERT

535 | 2024-08-28 12:35 | 66cdff2bded74_Update.exe#updat... | 9157a0df4966b25e45271e8010de96f7
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware
1.2 |  | 11 | ZeroCERT

536 | 2024-08-28 12:34 | 66cdfdb23b62d_File.exe#xin | df168ea774b699222234ac533adce5b9
Tags: Emotet Malicious Library UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName Remote Code Execution DNS
Hosts (1): not listed
3.8 |  | 27 | ZeroCERT

537 | 2024-08-28 12:33 | thrylPXnvfySmGN.exe | 04d4d4d83e1601d220f83f09ae16cd79
Tags: Client SW User Data Stealer Backdoor RemcosRAT browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library Antivirus ScreenShot Create Service Socket Escalate privileges PWS Sniff Audio DNS Internet API KeyLogger AntiDebug A Browser Info Stealer Remcos VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Windows Browser Email ComputerName DNS Cryptographic key DDNS keylogger
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  sungito2.ddns.net(154.216.19.222)
  178.237.33.50
  154.216.19.222
Signatures (2):
  ET JA3 Hash - Remcos 3.x/4.x TLS Connection
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
15.4 | M | 34 | ZeroCERT

538 | 2024-08-28 12:32 | 230.exe | 49ef310675c37495a3fb6d406b3ed3cf
Tags: Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself
7.2 | M | 34 | ZeroCERT

539 | 2024-08-28 12:30 | SPOOOFER.exe | a07e70b0b57df15c5a04d93da1de3f2b
Tags: Generic Malware Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PE File .NET EXE PE32 VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
  keyauth.win(172.67.72.57)
  121.254.136.74
  172.67.72.57
Signatures (3):
  ET INFO Fake Game Cheat Related Domain in DNS Lookup (keyauth .win)
  ET INFO Fake Game Cheat Related Domain (keyauth .win) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 |  | 55 | ZeroCERT

540 | 2024-08-28 12:30 | thrylPXnvfySmGN.doc | c0d48716ea8eef0d46d77cc231fa5371
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed
URLs (1):
  http://45.200.149.75/simulators/thrylPXnvfySmGN.exe
Hosts (1): not listed
Signatures (5):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.6 | M | 32 | ZeroCERT

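Several rows in this listing share infrastructure: the two Stealc samples (526 and 528) contact the same Telegram endpoint and Steam profile URL and trip the same JA3 signature, and the RTF document in 540 downloads thrylPXnvfySmGN.exe, the Remcos sample analysed in 537. The script below is a worked example added here; it is not part of the listing or of the sandbox that produced it. It takes four of the rows above, copied into the script in a simplified `label: value` layout that is this example's own convention (filenames are taken up to the `#` marker, families from the tags), and reports IOCs shared between samples, pairs droppers with payloads by URL basename, and defangs the result for a report. The record layout, the field labels and the `hxxp` / `[.]` defanging style are assumptions of this example.

```python
"""Aggregate and defang network IOCs across a few sandbox rows.

Added example, not the listing's own tooling. RECORDS is a constructed,
trimmed copy of rows 526, 528, 537 and 540 in a layout assumed for this
example (one blank line between records; "id | filename | md5 | family"
header, then "URLs:", "Hosts:" and ";"-separated "Signatures:" lines).
"""
import re
from collections import defaultdict

RECORDS = """\
526 | 66cf81753addd_vsldqfs15.exe | 8ae4605ae214af3ba375ad58263ca707 | Stealc
URLs: https://steamcommunity.com/profiles/76561199761128941
Hosts: t.me(149.154.167.99) steamcommunity.com(104.74.170.104) 94.130.188.148
Signatures: ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

528 | 66cf75d3791d7_vrewqgq.exe | 1ef9bbed957bcd2df5a639e04a67f8bb | Stealc
URLs: https://steamcommunity.com/profiles/76561199761128941
Hosts: t.me(149.154.167.99) steamcommunity.com(104.74.170.104) 94.130.188.148
Signatures: ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

537 | thrylPXnvfySmGN.exe | 04d4d4d83e1601d220f83f09ae16cd79 | Remcos
URLs: http://geoplugin.net/json.gp
Hosts: geoplugin.net(178.237.33.50) sungito2.ddns.net(154.216.19.222)
Signatures: ET JA3 Hash - Remcos 3.x/4.x TLS Connection; ET POLICY DNS Query to DynDNS Domain *.ddns .net

540 | thrylPXnvfySmGN.doc | c0d48716ea8eef0d46d77cc231fa5371 | RTF
URLs: http://45.200.149.75/simulators/thrylPXnvfySmGN.exe
Signatures: ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://\S+")
# a domain written in the listing's "name(ip)" form: capture the name before "("
HOST = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\(", re.IGNORECASE)


def parse_records(text):
    """Split the text into records and collect ips, domains, urls and signatures."""
    out = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        rid, filename, md5, family = [p.strip() for p in lines[0].split("|")]
        rec = {"id": rid, "filename": filename, "md5": md5, "family": family,
               "ips": set(), "domains": set(), "urls": set(), "sigs": set()}
        for line in lines[1:]:
            label, _, body = line.partition(":")
            if label == "URLs":
                rec["urls"].update(URL.findall(body))
                rec["ips"].update(IPV4.findall(body))   # dotted-quad download hosts
            elif label == "Hosts":
                rec["ips"].update(IPV4.findall(body))
                rec["domains"].update(HOST.findall(body))
            elif label == "Signatures":
                rec["sigs"].update(s.strip() for s in body.split(";") if s.strip())
        out.append(rec)
    return out


def shared_iocs(records, kind):
    """Map each IOC of the given kind ("ips", "domains", "urls", "sigs") to the
    md5s of every sample that touched it, keeping only IOCs seen in 2+ samples."""
    seen = defaultdict(set)
    for rec in records:
        for ioc in rec[kind]:
            seen[ioc].add(rec["md5"])
    return {ioc: md5s for ioc, md5s in seen.items() if len(md5s) > 1}


def link_droppers(records):
    """Pair (dropper md5, payload md5) where a record's URL ends in another
    record's filename, i.e. the document fetched the executable analysed later."""
    by_name = {rec["filename"]: rec for rec in records}
    links = []
    for rec in records:
        for url in rec["urls"]:
            payload = by_name.get(url.rsplit("/", 1)[-1])
            if payload is not None and payload is not rec:
                links.append((rec["md5"], payload["md5"]))
    return links


def defang(ioc):
    """Defang an IP, domain or URL (hxxp scheme, [.] in the host part only)."""
    ioc = re.sub(r"^https?", lambda m: m.group(0).replace("tt", "xx"), ioc)
    scheme, sep, rest = ioc.partition("://")
    if not sep:
        return ioc.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme + sep + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for kind in ("ips", "domains", "urls", "sigs"):
        for ioc, md5s in sorted(shared_iocs(recs, kind).items()):
            shown = ioc if kind == "sigs" else defang(ioc)
            print(f"shared {kind}: {shown} <- {len(md5s)} samples")
    for dropper, payload in link_droppers(recs):
        print(f"dropper {dropper} fetched payload {payload}")
```

Shared IOCs across two different hashes are the ones worth blocking first, since the samples are being repacked around a stable backend; the JA3 match in both Stealc rows is the same idea at the TLS layer. The dropper link is derived from the URL basename only, so treat it as a lead to confirm against the payload hash, not as proof.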