| 6241 |
2024-08-25 18:45
|
 stealc_default2.exe 7a02aa17200aeac25a375f290a4b4c95
Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
16
http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
http://185.215.113.17/2fb6c2cc8dce150a.php - rule_id: 42279
http://185.215.113.17/f1ddeb6592c03206/mozglue.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
http://185.215.113.17/f1ddeb6592c03206/softokn3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
http://185.215.113.17/ - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/nss3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/nss3.dll
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
http://185.215.113.17/f1ddeb6592c03206/freebl3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
|
1
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Dotted Quad Host DLL Request
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
9
http://185.215.113.17/
http://185.215.113.17/2fb6c2cc8dce150a.php
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
|
8.4 |
M |
66 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6242 |
2024-08-25 18:44
|
 nc.exe 5cae15c12e26d4ac8f32cd7026a5cb7a
ZIP Format VirusTotal Malware |
|
|
|
|
1.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6243 |
2024-08-25 18:42
|
 LummaC22222.exe 40e9f5e6b35423ed5af9a791fc6b8740
UPX PE File PE32 VirusTotal Malware |
|
|
|
|
1.2 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6244 |
2024-08-25 18:41
|
microsoft-system-repair.msi 56130894f8bfb3a0f4b33cd2f9d765b4
Generic Malware Malicious Library MSOffice File CAB OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName |
|
|
|
|
2.4 |
M |
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6245 |
2024-08-25 18:39
|
 66c9dc4089598_update.exe#upus 857d79717817a2a9831add6dccf79305
Malicious Library Malicious Packer UPX PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName RCE |
|
|
|
|
3.2 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6246 |
2024-08-25 18:39
|
 a.exe 06acac40f95b938cc52dd263fd39f631
Malicious Library PE File PE64 VirusTotal Malware RWX flags setting DNS crashed |
|
1
|
|
|
4.0 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6247 |
2024-08-24 19:15
|
 install.exe cb4e8358a58de5cd176e3c4bbe264043
Emotet Gen1 Malicious Library UPX PE File PE32 MZP Format PE64 DLL OS Processor Check VirusTotal Malware Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
3.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6248 |
2024-08-24 19:13
|
 payload_x86.ps1 194d1495881b3eb9703f20e7d48eaefd
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself DNS |
|
2
83.229.120.79 - malware
104.248.229.104
|
|
|
3.6 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6249 |
2024-08-24 19:12
|
nicemengivinglotofsweetbutters... a9413df0cfdac99cdba5f57e62e5af76
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://192.3.64.158/600/sweetchcobarmilkbunwithgreatsweet.tIF
|
3
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
192.3.64.158 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6250 |
2024-08-24 19:11
|
 script.exe dc37d19933e5689c25bc6cce8c15d58c
NSIS Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Cryptocurrency Miner Malware AutoRuns Check memory Checks debugger WMI Creates executable files WriteConsoleW Windows ComputerName DNS CoinMiner |
1
https://104.248.229.104/agent.ashx
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
4.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6251 |
2024-08-24 19:10
|
 setup2.exe d78d85135f584e455f692923d9feb804
Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself RCE |
|
|
|
|
2.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6252 |
2024-08-24 19:09
|
 66c71ea568b23_LingerieMarshall... 63787e6df0b85a10bd1132dfd3afe6c7
Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
6.8 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6253 |
2024-08-24 19:08
|
 sne2ugn.exe 44576f75042e6400196662c9ed6e0152
Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer Http API PWS Create Service Socket DGA ScreenShot Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
12
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://147.45.44.104/prog/66c8f1817d261_valef.exe
http://147.45.44.104/prog/66c8f1851766d_lename.exe
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(173.222.146.99) - mailcious
149.154.167.99 - mailcious
173.222.146.99
147.45.44.104 - malware
116.203.10.69 - mailcious
46.8.231.109 - mailcious
|
21
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
3
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
https://steamcommunity.com/profiles/76561199761128941
|
17.8 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6254 |
2024-08-24 19:08
|
 66c8bcf897a73_xin.exe 5ed5be6e0b1f72f6e5c7e2b6d9a470da
RedLine stealer Antivirus PWS AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
|
|
8.6 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6255 |
2024-08-24 19:07
|
 66c8f17d5f1ae_selwq.exe#space 258229d6ad139e745a770eb9e0418310
Stealc Client SW User Data Stealer LokiBot Gen1 ftp Client info stealer Generic Malware Downloader Antivirus Malicious Library UPX Malicious Packer Http API PWS Create Service Socket DGA ScreenShot Escalate priviledges Steal credential Sniff Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
12
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://147.45.44.104/prog/66c8f1817d261_valef.exe
http://147.45.44.104/prog/66c8f1851766d_lename.exe
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
|
7
t.me(149.154.167.99) - mailcious
steamcommunity.com(173.222.146.99) - mailcious
149.154.167.99 - mailcious
147.45.44.104 - malware
116.203.10.69 - mailcious
184.26.241.154 - mailcious
46.8.231.109 - mailcious
|
21
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
3
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
https://steamcommunity.com/profiles/76561199761128941
|
18.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|