646 | 2024-08-26 09:23
66cba4c565f5f_vief.exe#space 75d0097acc881bb6bc4332bda07f16f1
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Antivirus Malicious Library Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (1): https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
Hosts (5): t.me(149.154.167.99) - mailcious; steamcommunity.com(23.198.107.192) - mailcious; 149.154.167.99 - mailcious; 116.203.10.69 - mailcious; 104.71.154.102
Alerts (3): ET INFO TLS Handshake Failure; ET INFO Observed Telegram Domain (t .me in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1): https://steamcommunity.com/profiles/76561199761128941
15.8 | M | 26 | ZeroCERT

647 | 2024-08-26 09:23
도양기업 20240610 송장 갑지.bmp.lnk... 09b1213c8a336541a4849d65b937293f
Tags: Antivirus AntiDebug AntiVM Lnk Format GIF Format wget VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
URLs (2): https://dl.dropboxusercontent.com/scl/fi/quo63qm8d3iqlhmpyib7p/20240608.bmp?rlkey=sbpcgubgi0ixiynm5lbsnq81p&st=yldbsrou&dl=0; https://dl.dropboxusercontent.com/scl/fi/s7d6awid58xr89htlnyyc/0610safe-f.txt?rlkey=eqxbch21nilhgwortyw0xbbi9&st=wwctsyb2&dl=0
6.8 | 28 | ZeroCERT

648 | 2024-08-26 09:22
66cb3e08e7e87_install.exe#upus 7586d565812943ae038f1a3957e14a65
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder crashed
3.0 | M | 21 | ZeroCERT

649 | 2024-08-26 09:20
66cb89fccdd00_crypted.exe#1 92605ba136b126db1d3734ffab2f1700
Tags: RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
Alerts (6): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
12.8 | 26 | ZeroCERT

650 | 2024-08-26 09:20
WWW.exe c6eb9a4057ddf5e758ce3c4a1bdb9637
Tags: UPX PE File PE32 VirusTotal Malware
1.2 | M | 54 | ZeroCERT

651 | 2024-08-26 09:18
900.exe afa78c01048274af803a0115dcc26757
Tags: Generic Malware ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS
URLs (1): http://147.45.44.131/files/WWW.exe
Hosts (1):
Alerts (5): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
9.8 | M | 37 | ZeroCERT

652 | 2024-08-26 09:18
66cb2ed66675d_cryppted.exe 7541f9ac48cc092641060d1924ab30fc
Tags: Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.6 | M | 20 | ZeroCERT

653 | 2024-08-26 09:16
66cb3326d0f78_crypted.exe#1 0f9a7390c4a71cae8b2e709695fdd05b
Tags: RedLine stealer Antivirus ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
Alerts (6): ET DROP Spamhaus DROP Listed Traffic Inbound group 23; ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
12.8 | 21 | ZeroCERT

654 | 2024-08-26 09:16
66cb2df8bd684_lawrng.exe e868144771e7cb04f68c6fe63a46d8c8
Tags: Antivirus ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself
6.8 | 17 | ZeroCERT

655 | 2024-08-26 01:16
https://download.apkcombo.com/... 8c58c680c95bc15657f9af69acb1ebf9
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM ZIP Format ftp MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (2): https://cdn.apkflash.net/com.shenyaocn.android.usbcamera/USB%20Camera_10.9.3_apkcombo.com.apk?ecp=Y29tLnNoZW55YW9jbi5hbmRyb2lkLnVzYmNhbWVyYS8xMC45LjMvNDg0LjljOWI3MTM4ZGNhOWU2Y2RhMmRkMDkyZmU3ZmE4M2RjM2FlNDRhOWMuYXBr&iat=1724602206&sig=9d074fe1f3b43296c3a72a7fd68eb56e&size=39226835&from=cf&version=old&lang=fr&fp=ff14b33da8308127abe0b024a20143c5&ip=197.15.6.209; https://download.apkcombo.com/com.shenyaocn.android.usbcamera/USB%20Camera_10.9.3_apkcombo.com.apk?ecp=Y29tLnNoZW55YW9jbi5hbmRyb2lkLnVzYmNhbWVyYS8xMC45LjMvNDg0LjljOWI3MTM4ZGNhOWU2Y2RhMmRkMDkyZmU3ZmE4M2RjM2FlNDRhOWMuYXBr&iat=1724602206&sig=aa93a3b41264866b7124111c04f825ff&size=39226835&from=cf&version=old&lang=fr&fp=ff14b33da8308127abe0b024a20143c5&ip=197.15.6.209
Hosts (4): cdn.apkflash.net(104.18.18.207); download.apkcombo.com(104.18.12.249); 104.18.19.207; 104.18.13.249
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
4.2 | guest

656 | 2024-08-25 19:47
66c9d2d689463_Chrome.exe#d2 a9fe6ad4be60831ae6d7bcf8fbab71cd
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Check memory IP Check Tofsee Ransomware Browser Email ComputerName DNS
Hosts (3): api.ipify.org(104.26.13.205); 78.153.131.36; 172.67.74.152
Alerts (5): ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO TLS Handshake Failure; SURICATA Applayer Protocol detection skipped
7.0 | M | 34 | ZeroCERT

657 | 2024-08-25 19:13
66c9d3bd31e56_otraba.exe#kisot... 89f3026dea32a83cc17b59f7590d9467
Tags: Stealc Client SW User Data Stealer North Korea ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Malware download VirusTotal Malware c&c PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Stealc ComputerName DNS
URLs (2): http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194; http://193.176.190.41/ - rule_id: 42195
Hosts (1): 193.176.190.41 - mailcious
Alerts (1): ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
Rule-matched URLs (2): http://193.176.190.41/2fa883eebd632382.php; http://193.176.190.41/
11.0 | M | 41 | ZeroCERT

658 | 2024-08-25 19:10
66c9ca1a3ee7f_d2d2.exe 8d562b82bdf622983ca9b689e9455a62
Tags: Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
Hosts (2): i.ibb.co(104.194.8.120) - mailcious; 172.96.160.210
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 28 | ZeroCERT

659 | 2024-08-25 19:08
e.hta a7ad83b26f4ec2b3f42dd4db7d979a87
Tags: Generic Malware Antivirus PowerShell Malware download Cobalt Strike Cobalt VirusTotal Malware c&c powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Tofsee Blister Windows ComputerName Cryptographic key
URLs (2): http://ntkdnj.oy4wvawf.pro/functionalStatus/SpSsrJtSGP21e9h7YTLyk9p87TIXIrl61FmTJ5a?_=djogfhnifolakdhbjgbhhheoclgdmoephnjglhaldeneabbijkmhkfenfplmppfpnjpennondkodkdnnoabplpgcipeodddkoobnfbjogchbjjghoddipfkpblhhhfedcgblickapnmjocdpmgnhgninheklamgjghmbpeajdhbomgbcpgdflfenfppgfnfacelengmmibiblohpjffoppcpbngmajllfladhackegiobkbcodcajkbghibmpidd; https://woybuk.oy4wvawf.pro/Meeting/CtDyrHCBqrnO7O/
Hosts (4): ntkdnj.oy4wvawf.pro(172.67.147.213); woybuk.oy4wvawf.pro(172.67.147.213); 104.21.79.203; 172.67.147.213
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Blister Loader Cobalt Strike C2 Profile M20
6.4 | M | 36 | ZeroCERT

660 | 2024-08-25 19:08
66ca5602e5106_vqow.exe#space 13facf5abdf5f741c24b640b0e60347a
Tags: Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.6 | M | 27 | ZeroCERT