5701 | 2024-09-13 17:07 | ghc7.exe 8f0f4ac2337ac290e4cd09dde03664ce Malicious Library UPX PE File PE64 OS Processor Check Check memory crashed | | | | | 0.6 | | | ZeroCERT
5702 | 2024-09-13 13:46 | svhost.exe ed8ca6f64f124f33a063e78fb985a74a Malicious Library Malicious Packer UPX PE File PE64 VirusTotal Malware crashed | | | | | 2.0 | | 43 | ZeroCERT
5703 | 2024-09-13 13:45 | Google%20Chrome.exe db3dada3b02dc0b7a0695709b654dbf1 Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check Windows ComputerName Cryptographic key | | | | | 4.0 | | 58 | ZeroCERT
5704 | 2024-09-13 09:50 | 66e2d83e11e31_lyla3.exe 71d70566c254e26ed24562820527d5a9 Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 DLL Malware download VirusTotal Malware Malicious Traffic AppData folder WriteConsoleW CryptBot ComputerName DNS | 1: http://tventyvd20ht.top/v1/upload.php | 2: tventyvd20ht.top(194.87.248.136) 194.87.248.136 - mailcious | 3: ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 ET INFO HTTP Request to a *.top domain ET DNS Query to a *.top domain - Likely Hostile | | 3.6 | M | 49 | ZeroCERT
5705 | 2024-09-13 09:47 | sera.exe 7696fd52645fd5bde71ca7eb4b2fa935 Stealc Gen1 Themida Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin | 9: http://185.215.113.103/0d60be0de163924d/msvcp140.dll http://185.215.113.103/ - rule_id: 42566 http://185.215.113.103/0d60be0de163924d/sqlite3.dll http://185.215.113.103/0d60be0de163924d/nss3.dll http://185.215.113.103/0d60be0de163924d/freebl3.dll http://185.215.113.103/0d60be0de163924d/mozglue.dll http://185.215.113.103/0d60be0de163924d/vcruntime140.dll http://185.215.113.103/e2b1563c6670f193.php http://185.215.113.103/0d60be0de163924d/softokn3.dll | 1: 185.215.113.103 - mailcious | 15: ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity | 1 | 12.6 | M | 45 | ZeroCERT
5706 | 2024-09-13 09:43 | MichaelKelley.pdf deefa371451c41584b2fa36f4b8cacd4 PDF | | | | | | | | guest
5707 | 2024-09-13 09:43 | svhost2.exe 5e670353e13a6c5de6c3acec90eef25e Malicious Library Malicious Packer UPX PE File PE64 VirusTotal Malware crashed | | | | | 1.6 | M | 20 | ZeroCERT
5708 | 2024-09-13 09:41 | vghfw.exe 3a507b0b6463481cbb8d248efa262ddd Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software | 1: https://steamcommunity.com/profiles/76561199768374681 - rule_id: 42498 | 5: t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.74.15) - mailcious 149.154.167.99 - mailcious 104.76.74.15 116.202.183.159 - mailcious | 3: ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure | 1: https://steamcommunity.com/profiles/76561199768374681 | 15.8 | M | 31 | ZeroCERT
5709 | 2024-09-13 09:39 | 999.html e0b11d0fba0e8c49d4f268e831bccc7a Generic Malware Malicious Library Malicious Packer Antivirus UPX PE File ftp PE64 OS Processor Check VirusTotal Malware suspicious privilege Windows utilities WriteConsoleW Windows DNS | | 1 | | | 3.4 | | 44 | ZeroCERT
5710 | 2024-09-13 09:38 | useraccount.aspx b61f507b24ebcab3ea69135a21e18df5 Generic Malware Malicious Library UPX PE File DLL DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware suspicious privilege Checks debugger unpack itself | 1: https://programvenders.app/update.msi | 2: programvenders.app(193.109.85.174) 193.109.85.174 | | | 2.6 | M | 40 | ZeroCERT
5711 | 2024-09-13 09:38 | %E6%B5%99%E6%B1%9F%E8%BF%AA%E8... cf14880e3a7fba74c80f21685cd15718 Generic Malware Malicious Library ASPack UPX PE File PE32 OS Processor Check VirusTotal Malware Check memory Creates executable files crashed | | | | | 2.0 | M | 44 | ZeroCERT
5712 | 2024-09-13 09:36 | sfds.exe f24d1ef9ffb8be85e5b7f03262eb2e88 Stealc Client SW User Data Stealer Gen1 ftp Client info stealer Generic Malware Antivirus Malicious Library UPX Malicious Packer Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin | 9: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211 http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll http://46.8.231.109/ - rule_id: 42142 http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll | 4: www.illuminazioneproduzione.it(80.88.87.221) - malware 80.88.87.221 - malware 46.8.231.109 - mailcious 45.33.6.223 | 18: ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 | 2: http://46.8.231.109/c4754d4f680ead72.php http://46.8.231.109/ | 15.2 | M | 31 | ZeroCERT
5713 | 2024-09-13 09:36 | account.aspx e73d75e539b7e9acf48683fc6b2cb4ab Generic Malware Malicious Library UPX PE File DLL PE32 OS Processor Check VirusTotal Malware Checks debugger unpack itself Tofsee crashed | 1: https://motorans.com/detalis.aspx | 2: motorans.com(193.109.85.43) - malware 193.109.85.43 - malware | 2: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure | | 1.6 | M | 9 | ZeroCERT
5714 | 2024-09-13 09:35 | 66e2cce3eae78_Pink_0x000872A65... 00465490b449aa57d0e1ac7cba51af72 Generic Malware Malicious Library UPX PE File PE64 OS Processor Check crashed | | | | | 0.2 | M | | ZeroCERT
5715 | 2024-09-13 09:34 | Graphic.bat c64838099d6a9eeffb87c15a15c96892 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key | | | | | 4.6 | | 3 | ZeroCERT