571 | 2024-08-27 15:15 | discordnitrogen.exe 2db515aa4c8ba2b4e6878e7e0b550c8f Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check DLL ZIP Format Check memory Checks debugger Creates executable files unpack itself | 1.2 | M | ZeroCERT

572 | 2024-08-27 15:15 | test.exe c04a91e68f4d54aac6959c0f8bfa38b7 Gen1 Browser Login Data Stealer Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check DLL ftp wget DllRegisterServer dll VirusTotal Malware Check memory Creates executable files unpack itself | 3.4 | M | 61 | ZeroCERT

573 | 2024-08-27 15:14 | FuzeLoader.exe a6b65cfc697dbbdcde8f19d2ab7a61d9 ROMCOM RAT Downloader PE File PE64 VirusTotal Malware DNS
  1
  1.8 | 16 | ZeroCERT

574 | 2024-08-27 15:13 | PXray_Cast_Sort.exe fe517ecfbb94a742e2b88d67785b87bc Malicious Library UPX PE File PE32 MZP Format VirusTotal Malware unpack itself | 2.0 | 29 | ZeroCERT

575 | 2024-08-27 15:12 | fodhelper.exe fcb34a54159d0de7cb5fa2fae1c82e72 Generic Malware Suspicious_Script_Bin Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer Checks debugger buffers extracted Creates executable files unpack itself AppData folder suspicious TLD Java Browser DNS
  16 | http://www.51cc.top/7i54/?iIHB1d=SgV//QM+kZDZSmca7ISHR4U/9iG4TLn30ssUgf4MDLRPguhpDtuGIpE5eby1mFBEyx9n6ho2rfFD9SDq3nlePS+8rBqg/0cGFsBGWXu5QF07X9CUnUPZux9wfWAAZevyIeAs5Qc=&5k5T=YJUBzxsvuMqlj_oi http://www.32wxd.top/fqtd/ http://www.zenzip.xyz/9pad/ http://www.foundation-repair.biz/5l7s/?iIHB1d=5i9IxHyDCONgw46qIHGeUvwlYzbtgN8gQUqUIjK6jcHsfbLgiJ2s3wDRXgbc+h/bICwzf3ddx8E1HmjHsyEg1i4ki39GGAPq3qClCRMeu9QIBTg/A11C17kmPPIEN81gm2sAq9Q=&5k5T=YJUBzxsvuMqlj_oi http://www.onlytradez.club/k1y3/?iIHB1d=J7VJwuuG4HUA4bFTkbQEdxkpMEpXPBCRRs+F1x6QwwkcPlqAPKpQJUUQrtsDqb7Q+tjdIUGQwp4fGorxq2J//mB+PqSTwbyLcRM9dR0EDrcHS/LNmgUR990rINKp1m+e5VNnNrk=&5k5T=YJUBzxsvuMqlj_oi http://www.meetfactory.biz/xoqw/?iIHB1d=IHXCkUsJunCVOO2Hwv8L1/jebUXenMysZsXgVBD8KQgj+TIAwNGDK5EWhUbKXzAU4KMQODjr0cxiOqiC8Z91HBWngaVBBi9zW0XdtSpa8XSCv8AOb3sJWenXQ9ufn4pifwUOwgs=&5k5T=YJUBzxsvuMqlj_oi http://www.foundation-repair.biz/5l7s/ http://www.2886080.xyz/eyiz/?iIHB1d=XQ7d8vWNf2bTOhYYL6UJlqYAXy7Rg8V7tb7nan5iZXoOR23qJ7xYi6zjP0ZZPC1qNGRbW38doA+CklQhfBW16OH9GbU74opfrouVpsjlwzkQhOIIL+clvr6SJ5uB6xxabU5X5cQ=&5k5T=YJUBzxsvuMqlj_oi http://www.d71dg.top/qbiu/ http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip http://www.51cc.top/7i54/ http://www.32wxd.top/fqtd/?iIHB1d=NOGaE4zNJ3vPzwJVq9flFF94in2IcnN0bsRklEYFuNltL64f812fYl1xoipxw6mqFzyE6nPBnWGndAD5Tl5FPYyUit02KiWxxW2zK2p9R7C5MnzH/2vAyX3OoZI/vgfMfT+cSXI=&5k5T=YJUBzxsvuMqlj_oi http://www.onlytradez.club/k1y3/ http://www.meetfactory.biz/xoqw/ http://www.zenzip.xyz/9pad/?iIHB1d=1a5ATRlanZ3ATSTMsvfkUs0ciM8umoJS8y8kT4HdOCMJyW9sS8tB9dhHCXeYKtsB5QysC2Hg2jCPifAM2S09CoHR88nq9oCTqozYG6NauxPM4LjmZuBJG1m7wEgFKI64QDVX+78=&5k5T=YJUBzxsvuMqlj_oi http://www.2886080.xyz/eyiz/
  19 | www.onlytradez.club(167.172.133.32) www.zenzip.xyz(203.161.46.201) www.sgcwin77rtplive.fun() www.foundation-repair.biz(199.59.243.226) www.2886080.xyz(103.249.106.91) www.32wxd.top(206.119.82.116) www.kej-sii.cloud() www.d71dg.top(154.23.184.60) www.meetfactory.biz(45.79.19.196) www.51cc.top(216.83.36.195) 103.249.106.91 167.172.133.32 216.83.36.195 203.161.46.201 45.33.23.183 - suspicious 206.119.82.116 45.33.6.223 199.59.243.226 - phishing 154.23.184.60
  6 | ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET INFO Observed DNS Query to .biz TLD ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1 ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2 ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
  5.8 | ZeroCERT

576 | 2024-08-27 15:10 | tjqdq.exe f88d5c87a0811b9b91f9c77d714fdb68 Emotet Generic Malware Malicious Library Malicious Packer ASPack UPX PE File DllRegisterServer dll PE32 OS Processor Check DLL MZP Format VirusTotal Malware Creates executable files AppData folder sandbox evasion Windows Browser Remote Code Execution DNS
  2 | http://43.249.193.54:81/server.txt http://43.249.193.54:81/ServerList111.xml
  1
  1 | ET POLICY Unsupported/Fake Windows NT Version 5.0
  6.0 | 60 | ZeroCERT

577 | 2024-08-27 14:19 | IEupdation.hta d8c516959ec5b1379fc9fcc30def38a1 Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
  1 | http://192.3.193.155/M2608T/csrss.exe
  1 | 192.3.193.155 - mailcious
  4 | ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious csrss.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  11.6 | 22 | ZeroCERT

578 | 2024-08-27 13:59 | dl e21c27cc8cb10d6829b095c625b41442 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Windows DNS
  1 | 51.15.193.130 - mailcious
  3.2 | M | 25 | ZeroCERT

579 | 2024-08-27 13:56 | Office2024.exe df92abd264b50c9f069246a6e65453f0 PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner
  6 | xmr-eu1.nanopool.org(212.47.253.124) - mailcious xmr-eu2.nanopool.org(51.195.138.197) - mailcious pastebin.com(104.20.4.235) - mailcious 51.195.138.197 104.20.3.235 - malware 51.15.193.130 - mailcious
  2 | ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
  1.4 | M | 58 | ZeroCERT

580 | 2024-08-27 13:54 | Major_0x00029EFE4AF1E366.exe fa3d03c319a7597712eeff1338dabf92 Generic Malware Malicious Library UPX PE File PE64 OS Processor Check VirusTotal Malware crashed | 1.6 | M | 30 | ZeroCERT

581 | 2024-08-27 13:53 | 0day.js 271dea4d0bdfa80e4ad01257508571cc VirusTotal Malware | 0.4 | 4 | ZeroCERT

582 | 2024-08-27 13:52 | WFPExp.exe 1c9ccfcd3e92399642fdd1a34afab2ef Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check PDB Remote Code Execution | 0.6 | ZeroCERT

583 | 2024-08-27 13:50 | [UPG]CSS.exe 99b098b23ced1a199145fe5577c9de91 Generic Malware Themida Packer Malicious Library UPX Anti_VM PE File PE32 MZP Format JPEG Format OS Processor Check DLL Malware download VirusTotal Malware Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion Tofsee Interception Windows Update Trojan DNS keylogger
  36 | http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fkoreana.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/haptics.dll.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fspanish.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fgerman.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fitalian.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/vbsp.exe.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fczech.txt.lzma http://cs.go.kg/pages/update/css/patchlist.xml http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fdutch.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/gamestate.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fkorean.txt.lzma http://cs.go.kg/pages/update/css/self/%5BUPG%5DCSS.exe http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fthai.txt.lzma http://adv.gamer.kg/updater2.jpg http://cs.go.kg/pages/update/css/Counter-Strike%20Source/hl2/resource/gameui%5Fitalian.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/dmxconvert.exe.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fitalian.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fswedish.txt.lzma http://cs.go.kg/pages/update/css/options.xml http://adv.gamer.kg/index.php http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/scenefilecache.dll.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Fturkish.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/platform%5Fukrainian.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Ffinnish.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/cstrike%5Fczech.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/admin%5Fgreek.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/admin/server%5Fukrainian.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/steamclient.dll.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/servers/serverbrowser%5Fkoreana.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/vvis%5Fdll.dll.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/hl2/hl2%5Fmisc%5F001.vpk.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fgreek.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/platform/resource/vgui%5Frussian.txt.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/bin/captioncompiler.exe.lzma http://cs.go.kg/pages/update/css/Counter-Strike%20Source/cstrike/resource/gameui%5Fhungarian.txt.lzma https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-4743227880453771
  6 | pagead2.googlesyndication.com(172.217.161.226) - mailcious adv.gamer.kg(176.126.167.7) cs.go.kg(176.126.167.7) - mailcious 142.250.197.34 176.126.167.7 - mailcious 172.217.24.238
  3 | ET MALWARE Trojan Related Lame Updater User-Agent ET POLICY PE EXE or DLL Windows file download HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  9.0 | M | 42 | ZeroCERT

584 | 2024-08-27 13:50 | 66cc394d4d8b2_sekwm.exe#space d58ddba7f2d064d327f45f577f2e41ec Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer ScreenShot Http API PWS Create Service Socket DGA Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
  12 | http://46.8.231.109/1309cdeb8f4c8736/nss3.dll http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211 http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll http://147.45.44.104/prog/66cd1d485d44c_lsfjf3n.exe http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll http://147.45.44.104/prog/66cd1d4315e2e_vokfw.exe http://46.8.231.109/ - rule_id: 42142 http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
  7 | t.me(149.154.167.99) - mailcious steamcommunity.com(173.222.146.99) - mailcious 149.154.167.99 - mailcious 147.45.44.104 - malware 94.130.188.148 184.26.241.154 - mailcious 46.8.231.109 - mailcious
  21 | ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET INFO Executable Download from dotted-quad Host ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  3 | http://46.8.231.109/c4754d4f680ead72.php http://46.8.231.109/ https://steamcommunity.com/profiles/76561199761128941
  18.8 | M | 50 | ZeroCERT

585 | 2024-08-27 13:50 | patcher.exe d2e7813509144a52aaa13043a69a47bd Suspicious_Script_Bin Malicious Library UPX PE File PE64 VirusTotal Malware Creates executable files suspicious process DNS crashed
  1 | http://144.172.71.105:1338/nova_flow/patcher.exe?hash
  1
  1 | ET HUNTING curl User-Agent to Dotted Quad
  2.0 | M | 6 | ZeroCERT