| 571 |
2024-08-27 15:15
|
 discordnitrogen.exe 2db515aa4c8ba2b4e6878e7e0b550c8f
Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check DLL ZIP Format Check memory Checks debugger Creates executable files unpack itself |
|
|
|
|
1.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 572 |
2024-08-27 15:15
|
 test.exe c04a91e68f4d54aac6959c0f8bfa38b7
Gen1 Browser Login Data Stealer Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ftp wget DllRegisterServer dll VirusTotal Malware Check memory Creates executable files unpack itself |
|
|
|
|
3.4 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 573 |
2024-08-27 15:14
|
 FuzeLoader.exe a6b65cfc697dbbdcde8f19d2ab7a61d9
ROMCOM RAT Downloader PE File PE64 VirusTotal Malware DNS |
|
1
|
|
|
1.8 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 574 |
2024-08-27 15:13
|
 PXray_Cast_Sort.exe fe517ecfbb94a742e2b88d67785b87bc
Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware unpack itself |
|
|
|
|
2.0 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 575 |
2024-08-27 15:12
|
 fodhelper.exe fcb34a54159d0de7cb5fa2fae1c82e72
Generic Malware Suspicious_Script_Bin Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS |
16
http://www.51cc.top/7i54/?iIHB1d=SgV//QM+kZDZSmca7ISHR4U/9iG4TLn30ssUgf4MDLRPguhpDtuGIpE5eby1mFBEyx9n6ho2rfFD9SDq3nlePS+8rBqg/0cGFsBGWXu5QF07X9CUnUPZux9wfWAAZevyIeAs5Qc=&5k5T=YJUBzxsvuMqlj_oi
http://www.32wxd.top/fqtd/
http://www.zenzip.xyz/9pad/
http://www.foundation-repair.biz/5l7s/?iIHB1d=5i9IxHyDCONgw46qIHGeUvwlYzbtgN8gQUqUIjK6jcHsfbLgiJ2s3wDRXgbc+h/bICwzf3ddx8E1HmjHsyEg1i4ki39GGAPq3qClCRMeu9QIBTg/A11C17kmPPIEN81gm2sAq9Q=&5k5T=YJUBzxsvuMqlj_oi
http://www.onlytradez.club/k1y3/?iIHB1d=J7VJwuuG4HUA4bFTkbQEdxkpMEpXPBCRRs+F1x6QwwkcPlqAPKpQJUUQrtsDqb7Q+tjdIUGQwp4fGorxq2J//mB+PqSTwbyLcRM9dR0EDrcHS/LNmgUR990rINKp1m+e5VNnNrk=&5k5T=YJUBzxsvuMqlj_oi
http://www.meetfactory.biz/xoqw/?iIHB1d=IHXCkUsJunCVOO2Hwv8L1/jebUXenMysZsXgVBD8KQgj+TIAwNGDK5EWhUbKXzAU4KMQODjr0cxiOqiC8Z91HBWngaVBBi9zW0XdtSpa8XSCv8AOb3sJWenXQ9ufn4pifwUOwgs=&5k5T=YJUBzxsvuMqlj_oi
http://www.foundation-repair.biz/5l7s/
http://www.2886080.xyz/eyiz/?iIHB1d=XQ7d8vWNf2bTOhYYL6UJlqYAXy7Rg8V7tb7nan5iZXoOR23qJ7xYi6zjP0ZZPC1qNGRbW38doA+CklQhfBW16OH9GbU74opfrouVpsjlwzkQhOIIL+clvr6SJ5uB6xxabU5X5cQ=&5k5T=YJUBzxsvuMqlj_oi
http://www.d71dg.top/qbiu/
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
http://www.51cc.top/7i54/
http://www.32wxd.top/fqtd/?iIHB1d=NOGaE4zNJ3vPzwJVq9flFF94in2IcnN0bsRklEYFuNltL64f812fYl1xoipxw6mqFzyE6nPBnWGndAD5Tl5FPYyUit02KiWxxW2zK2p9R7C5MnzH/2vAyX3OoZI/vgfMfT+cSXI=&5k5T=YJUBzxsvuMqlj_oi
http://www.onlytradez.club/k1y3/
http://www.meetfactory.biz/xoqw/
http://www.zenzip.xyz/9pad/?iIHB1d=1a5ATRlanZ3ATSTMsvfkUs0ciM8umoJS8y8kT4HdOCMJyW9sS8tB9dhHCXeYKtsB5QysC2Hg2jCPifAM2S09CoHR88nq9oCTqozYG6NauxPM4LjmZuBJG1m7wEgFKI64QDVX+78=&5k5T=YJUBzxsvuMqlj_oi
http://www.2886080.xyz/eyiz/
|
19
www.onlytradez.club(167.172.133.32)
www.zenzip.xyz(203.161.46.201)
www.sgcwin77rtplive.fun()
www.foundation-repair.biz(199.59.243.226)
www.2886080.xyz(103.249.106.91)
www.32wxd.top(206.119.82.116)
www.kej-sii.cloud()
www.d71dg.top(154.23.184.60)
www.meetfactory.biz(45.79.19.196)
www.51cc.top(216.83.36.195)
103.249.106.91
167.172.133.32
216.83.36.195
203.161.46.201
45.33.23.183 - suspicious
206.119.82.116
45.33.6.223
199.59.243.226 - phishing
154.23.184.60
|
6
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO Observed DNS Query to .biz TLD
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
|
|
5.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 576 |
2024-08-27 15:10
|
 tjqdq.exe f88d5c87a0811b9b91f9c77d714fdb68
Emotet Generic Malware Malicious Library Malicious Packer ASPack UPX PE File DllRegisterServer dll PE32 OS Processor Check DLL MZP Format VirusTotal Malware Creates executable files AppData folder sandbox evasion Windows Browser Remote Code Execution DNS |
2
http://43.249.193.54:81/server.txt
http://43.249.193.54:81/ServerList111.xml
|
1
|
1
ET POLICY Unsupported/Fake Windows NT Version 5.0
|
|
6.0 |
|
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 577 |
2024-08-27 14:19
|
 IEupdation.hta d8c516959ec5b1379fc9fcc30def38a1
Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
1
http://192.3.193.155/M2608T/csrss.exe
|
1
192.3.193.155 - mailcious
|
4
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious csrss.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.6 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 578 |
2024-08-27 13:59
|
 dl e21c27cc8cb10d6829b095c625b41442
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Windows DNS |
|
1
51.15.193.130 - mailcious
|
|
|
3.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 579 |
2024-08-27 13:56
|
 Office2024.exe df92abd264b50c9f069246a6e65453f0
PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner |
|
6
xmr-eu1.nanopool.org(212.47.253.124) - mailcious
xmr-eu2.nanopool.org(51.195.138.197) - mailcious
pastebin.com(104.20.4.235) - mailcious
51.195.138.197
104.20.3.235 - malware
51.15.193.130 - mailcious
|
2
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
1.4 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 580 |
2024-08-27 13:54
|
 Major_0x00029EFE4AF1E366.exe fa3d03c319a7597712eeff1338dabf92
Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 581 |
2024-08-27 13:53
|
 0day.js 271dea4d0bdfa80e4ad01257508571ccVirusTotal Malware |
|
|
|
|
0.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 582 |
2024-08-27 13:52
|
 WFPExp.exe 1c9ccfcd3e92399642fdd1a34afab2ef
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check PDB Remote Code Execution |
|
|
|
|
0.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 583 |
2024-08-27 13:50
|
 [UPG]CSS.exe 99b098b23ced1a199145fe5577c9de91
Generic Malware Themida Packer Malicious Library UPX Anti_VM PE File PE32 MZP Format JPEG Format OS Processor Check DLL Malware download VirusTotal Malware Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion Tofsee Interception Windows Update Trojan DNS keylogger |
36
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fkoreana.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/haptics.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fspanish.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fgerman.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fitalian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/vbsp.exe.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fczech.txt.lzma
http://cs.go.kg/pages/update/css/patchlist.xml
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fdutch.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/gamestate.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fkorean.txt.lzma
http://cs.go.kg/pages/update/css/self/%5BUPG%5DCSS.exe
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fthai.txt.lzma
http://adv.gamer.kg/updater2.jpg
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/hl2/resource/gameui%5Fitalian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/dmxconvert.exe.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fitalian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fswedish.txt.lzma
http://cs.go.kg/pages/update/css/options.xml
http://adv.gamer.kg/index.php
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/scenefilecache.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fturkish.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fukrainian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Ffinnish.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/cstrike%5Fczech.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fgreek.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/server%5Fukrainian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/steamclient.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fkoreana.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/vvis%5Fdll.dll.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/hl2/hl2%5Fmisc%5F001.vpk.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fgreek.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Frussian.txt.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/captioncompiler.exe.lzma
http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fhungarian.txt.lzma
https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-4743227880453771
|
6
pagead2.googlesyndication.com(172.217.161.226) - mailcious
adv.gamer.kg(176.126.167.7)
cs.go.kg(176.126.167.7) - mailcious
142.250.197.34
176.126.167.7 - mailcious
172.217.24.238
|
3
ET MALWARE Trojan Related Lame Updater User-Agent
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 584 |
2024-08-27 13:50
|
 66cc394d4d8b2_sekwm.exe#space d58ddba7f2d064d327f45f577f2e41ec
Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer ScreenShot Http API PWS Create Service Socket DGA Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
12
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://147.45.44.104/prog/66cd1d485d44c_lsfjf3n.exe
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://147.45.44.104/prog/66cd1d4315e2e_vokfw.exe
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(173.222.146.99) - mailcious
149.154.167.99 - mailcious
147.45.44.104 - malware
94.130.188.148
184.26.241.154 - mailcious
46.8.231.109 - mailcious
|
21
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
|
3
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
https://steamcommunity.com/profiles/76561199761128941
|
18.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 585 |
2024-08-27 13:50
|
 patcher.exe d2e7813509144a52aaa13043a69a47bd
Suspicious_Script_Bin Malicious Library UPX PE File PE64 VirusTotal Malware Creates executable files suspicious process DNS crashed |
1
http://144.172.71.105:1338/nova_flow/patcher.exe?hash
|
1
|
1
ET HUNTING curl User-Agent to Dotted Quad
|
|
2.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|