5866 | 2024-02-05 09:38 | file.ps1 | MD5 cdfc9543cad1e63fc16d366433de83e2
Tags: Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
1.6 | M | 11 | guest

5867 | 2024-02-05 09:38 | InstallSetup22.exe | MD5 f99cddefb34c8ce86cb76747cc92a996
Tags: Client SW User Data Stealer Gen1 ftp Client info stealer NSIS Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer PWS Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Processor Check DLL ZIP Format MZP F Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Ransomware Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (11): http://185.172.128.127/ping.php?substr=two, http://185.172.128.90/cpa/ping.php?substr=two&s=ab (rule_id: 38981), http://185.172.128.79/15f649199f40275b/vcruntime140.dll, http://185.172.128.127/syncUpd.exe (rule_id: 39250), http://185.172.128.79/15f649199f40275b/sqlite3.dll, http://185.172.128.79/15f649199f40275b/mozglue.dll, http://185.172.128.79/15f649199f40275b/freebl3.dll, http://185.172.128.79/15f649199f40275b/softokn3.dll, http://185.172.128.79/15f649199f40275b/nss3.dll, http://185.172.128.79/3cd2b41cbde8fc9c.php, http://185.172.128.79/15f649199f40275b/msvcp140.dll
Hosts (3): 185.172.128.90 - malicious, 185.172.128.79 - malicious, 185.172.128.127 - malware
Alerts (19): ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)); ET INFO Executable Download from dotted-quad Host; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET INFO Packed Executable Download; ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
URLs with rule matches (2): http://185.172.128.90/cpa/ping.php, http://185.172.128.127/syncUpd.exe
21.4 | M | 42 | ZeroCERT

5868 | 2024-02-05 09:38 | mfpf.exe | MD5 946e41fd346edf140acd0d3157711011
Tags: Malicious Packer PE32 PE File VirusTotal Malware unpack itself
3.0 | | 61 | guest

5869 | 2024-02-05 09:37 | rsb.exe | MD5 5b32fd55fe0d459269f2c09bb286cddf
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware suspicious privilege Checks debugger WMI Windows utilities Windows ComputerName crashed
2.2 | M | 7 | ZeroCERT

5870 | 2024-02-05 09:36 | Client.exe | MD5 61570c8c0df19c62b674c1e477730a87
Tags: Malicious Library Malicious Packer Antivirus .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself DNS
Hosts (1): none listed
2.6 | M | 57 | ZeroCERT

5871 | 2024-02-05 09:35 | svchost.exe | MD5 6c78730f382399e278d0a2bee8e9df34
Tags: PE File PE64 ftp VirusTotal Malware Check memory unpack itself AntiVM_Disk anti-virtualization VM Disk Size Check ComputerName DNS crashed
Hosts (1): none listed
4.2 | M | 33 | ZeroCERT

5872 | 2024-02-05 09:34 | WeChat.exe | MD5 a0bd608ceaeaf94b99f28d79041382f5
Tags: UPX PE32 PE File VirusTotal Malware Checks debugger buffers extracted unpack itself Detects VirtualBox Detects VMWare VMware Tofsee Windows Remote Code Execution DNS crashed
URLs (3): http://www.ip138.com/, http://2024.ip138.com/, https://www.ip138.com/
Hosts (6): www.ip138.com(101.79.211.11), 2024.ip138.com(61.110.192.59), 82.157.254.217 - malware, 61.110.192.59, 185.172.128.79 - malicious, 101.79.211.11
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 49 | ZeroCERT

5873 | 2024-02-05 09:33 | 360.exe | MD5 22e02c83773863eabce93313b8f00d28
Tags: Malicious Library Malicious Packer UPX Anti_VM PE32 PE File VirusTotal Malware Check memory unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS crashed
Hosts (1): none listed
5.0 | M | 36 | ZeroCERT

5874 | 2024-02-05 09:30 | msgbox2.file | MD5 65ea5410c5869dd9aa8511bdbeaab5bd
Tags: Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware Check memory crashed
1.2 | M | 22 | ZeroCERT

5875 | 2024-02-05 09:28 | clip64.dll | MD5 2afdbe3b99a4736083066a13e4b5d11a
Tags: Amadey Malicious Library UPX PE32 PE File DLL OS Processor Check VirusTotal Malware Malicious Traffic Checks debugger unpack itself DNS
URLs (1): http://185.215.113.32/yandex/index.php
Hosts (1): 185.215.113.32 - malicious
Alerts (1): ET DROP Spamhaus DROP Listed Traffic Inbound group 22
3.4 | M | 35 | ZeroCERT

5876 | 2024-02-05 09:27 | fu.exe | MD5 c34697903d0b829f48d0c2b7c3d65978
Tags: Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File icon VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (8): https://www.google.com/favicon.ico, https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F, https://accounts.google.com/_/bscframe, https://accounts.google.com/, https://accounts.google.com/generate_204?wLpj7A, https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp17RFliK8mOCO-X3Gl3JJeGX5yiGockQ1l13hly4UmT32bAr7wEbsm-zkSPX7aWdiOdHuno4Q&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1223811244%3A1707092633460836, https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png, https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2BM5Fd3reE-IdQx8AtgUMSgyK5xAZM8DZJbKgms149LIGPtbQFk8kOHX3yrbDB3impnNve4A
Hosts (6): ssl.gstatic.com(172.217.161.195), accounts.google.com(64.233.187.84), www.google.com(142.250.76.132), 142.250.66.99, 64.233.188.84, 172.217.31.4
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | | 25 | ZeroCERT

5877 | 2024-02-05 09:26 | crpta.exe | MD5 2060ab69656588e8acefcde9c7cc0a5f
Tags: RedLine Infostealer UltraVNC Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Windows Cryptographic key crashed
2.8 | M | 32 | ZeroCERT

5878 | 2024-02-05 07:58 | uqc.exe | MD5 19be3a58e362b68ea242f1e57b7dd22c
Tags: PE File PE64 Malware download Cobalt Strike Cobalt Malware unpack itself ComputerName DNS
URLs (2): http://1.15.247.249:1356/cx, http://1.15.247.249:1356/iYHS
Hosts (1): none listed
Alerts (2): ET MALWARE Cobalt Strike Beacon Observed; ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
1.8 | M | | ZeroCERT

5879 | 2024-02-05 07:56 | lux64.exe | MD5 6db34be976cf8a343f7bfb01dfa87d70
Tags: Generic Malware Malicious Library Malicious Packer Antivirus UPX Anti_VM PE File PE64 PDB DNS
Hosts (2): 175.24.197.196 - malware, 107.189.12.34
2.4 | M | | ZeroCERT

5880 | 2024-02-05 07:53 | output_64.exe | MD5 b27c86172b5ae181811cc482e218df58
Tags: Generic Malware Malicious Library Malicious Packer Antivirus UPX Anti_VM PE File PE64 Malware download NetWireRC Malware GhostRAT PDB Check memory AntiVM_Disk anti-virtualization VM Disk Size Check Browser
Hosts (2): i.wanna.see.20242525.xyz(175.24.197.196), 175.24.197.196 - malware
Alerts (1): ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive
2.2 | M | | ZeroCERT