661 | 2024-08-25 19:06 | ExplorerPatcher_22621.exe | c1c57d67409c8908179fddfff38feed4 | Gen1 Generic Malware Malicious Library Malicious Packer UPX PE File DllRegisterServer dll PE32 OS Processor Check VirusTotal Malware
1.2 | M | 30 | ZeroCERT

662 | 2024-08-25 19:06 | help.exe | d0ad1150a2e7c9699e00e265bf46d236 | Malicious Library PE File PE64 VirusTotal Malware RWX flags setting DNS crashed
1 |
4.0 | M | 60 | ZeroCERT

663 | 2024-08-25 19:05 | 66ca202b71c36_HP.exe | 867a688580e309ccdbada474210871f1 | Stealc Generic Malware Malicious Packer UPX Malicious Library Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Check BMP Format MSOffice File JPEG Format FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Software crashed
1 | https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
5 | t.me(149.154.167.99) - mailcious
  | steamcommunity.com(184.85.112.102) - mailcious
  | 149.154.167.99 - mailcious
  | 116.203.10.69 - mailcious
  | 184.87.103.42 - mailcious
3 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  | ET INFO Observed Telegram Domain (t .me in TLS SNI)
  | ET INFO TLS Handshake Failure
1 | https://steamcommunity.com/profiles/76561199761128941
13.0 | M | 31 | ZeroCERT

664 | 2024-08-25 19:04 | 66ca11c555823_sewfe.exe#space | 0df1eb83d7ed49150b934fe7f68585af | Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.8 | M | 32 | ZeroCERT

665 | 2024-08-25 19:01 | 66ca11c91d783_vaelw.exe#space | ad8a02a68b36bd0c78428d3552feacce | Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
2.8 | M | 32 | ZeroCERT

666 | 2024-08-25 19:01 | 66c9dcdb986c5_crypted.exe#1 | 724a304d92c8e4920afbc604d34ad74a | Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
3.0 | M | 46 | ZeroCERT

667 | 2024-08-25 19:01 | runus.exe | d3348d383a614ddf7405f189fcf10a4b | Stealc PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
9 | http://185.215.113.100/0d60be0de163924d/mozglue.dll
  | http://185.215.113.100/0d60be0de163924d/nss3.dll
  | http://185.215.113.100/0d60be0de163924d/freebl3.dll
  | http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
  | http://185.215.113.100/0d60be0de163924d/sqlite3.dll
  | http://185.215.113.100/ - rule_id: 41969
  | http://185.215.113.100/0d60be0de163924d/msvcp140.dll
  | http://185.215.113.100/0d60be0de163924d/softokn3.dll
  | http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
2 | 185.215.113.100 - mailcious
  | 31.41.244.11 - mailcious
19 | ET DROP Spamhaus DROP Listed Traffic Inbound group 33
   | ET INFO Dotted Quad Host DLL Request
   | ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
   | ET POLICY PE EXE or DLL Windows file download HTTP
   | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
   | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
   | ET MALWARE Win32/Stealc Requesting browsers Config from C2
   | ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
   | ET MALWARE Win32/Stealc Requesting plugins Config from C2
   | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
   | ET MALWARE Win32/Stealc Submitting System Information to C2
   | ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
   | ET DROP Spamhaus DROP Listed Traffic Inbound group 2
   | ET INFO Executable Download from dotted-quad Host
   | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
   | ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
2 | http://185.215.113.100/
  | http://185.215.113.100/e2b1563c6670f193.php
12.0 | M | 29 | ZeroCERT

668 | 2024-08-25 18:59 | 66ca20a26df75_PastaCache.exe#i... | 377dcc031a12d3c0189afe684e4ad41e | Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
5.4 | M | 15 | ZeroCERT

669 | 2024-08-25 18:57 | 66ca560048cbe_sgrk.exe#space | ec11395a4f9b30672b9392e14e684c24 | Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName
3.0 | M | 41 | ZeroCERT

670 | 2024-08-25 18:56 | System-Repair.msi | 25243822b373e327d5b11bfbf35096fe | Generic Malware Malicious Library Antivirus MSOffice File OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut unpack itself AntiVM_Disk VM Disk Size Check ComputerName
2.8 | M | 18 | ZeroCERT

671 | 2024-08-25 18:56 | 5PHCENYBS068Y01 | 7fffe8702479239234bce6013bcad409 | Gen1 Generic Malware Malicious Library UPX Antivirus Malicious Packer Anti_VM PE File PE64 DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself
3.2 | M | 51 | ZeroCERT

672 | 2024-08-25 18:55 | 66c9d3f5503cc_GIFT.exe | 58c6ec5a74a80def1f37f7956da11a26 | Malicious Library Malicious Packer UPX PE File .NET EXE PE32 VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself ComputerName Remote Code Execution
4.2 | M | 40 | ZeroCERT

673 | 2024-08-25 18:53 | 66c866840e631_Indentif.exe | 4dff7e34dcd2f430bf816ec4b25a9dbc | Emotet Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself
2.2 | M | 27 | ZeroCERT

674 | 2024-08-25 18:52 | 66c9d78d43c01_valensu.exe#spac... | 459061967c92b83083c24ed4963e7a18 | Stealc Client SW User Data Stealer LokiBot North Korea ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
1 | https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293
5 | t.me(149.154.167.99) - mailcious
  | steamcommunity.com(23.198.107.192) - mailcious
  | 149.154.167.99 - mailcious
  | 184.26.241.154 - mailcious
  | 116.203.10.69 - mailcious
3 | ET INFO Observed Telegram Domain (t .me in TLS SNI)
  | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  | ET INFO TLS Handshake Failure
1 | https://steamcommunity.com/profiles/76561199761128941
17.2 | M | 47 | ZeroCERT

675 | 2024-08-25 18:51 | 66c9d38385a86_crypto.exe#kiscr | 517723763103f23dcd3a692066db6aee | Stealc Client SW User Data Stealer North Korea ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS Software crashed plugin
9 | http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll
  | http://193.176.190.41/9e7fbd3f0393ef32/freebl3.dll
  | http://193.176.190.41/ - rule_id: 42195
  | http://193.176.190.41/9e7fbd3f0393ef32/msvcp140.dll
  | http://193.176.190.41/9e7fbd3f0393ef32/softokn3.dll
  | http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll
  | http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
  | http://193.176.190.41/9e7fbd3f0393ef32/vcruntime140.dll
  | http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll
1 | 193.176.190.41 - mailcious
15 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
   | ET INFO Dotted Quad Host DLL Request
   | ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
   | ET MALWARE Win32/Stealc Requesting browsers Config from C2
   | ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
   | ET MALWARE Win32/Stealc Requesting plugins Config from C2
   | ET POLICY PE EXE or DLL Windows file download HTTP
   | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
   | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
   | ET MALWARE Win32/Stealc Submitting System Information to C2
   | ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
   | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
2 | http://193.176.190.41/
  | http://193.176.190.41/2fa883eebd632382.php
13.2 | M | 32 | ZeroCERT