| 6916 |
2024-08-11 15:28
|
 66b4b5e40dbf6_template832compo... d46a50db86b3fd08fcfee930731d63ed
RedLine stealer Malicious Library UPX ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName RCE DNS Cryptographic key Software crashed |
|
1
185.215.113.25 - mailcious
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
12.2 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6917 |
2024-08-11 15:27
|
 RingQ.exe 2c3beb9c17ad530a2b049b64ff2aae66
Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
1.4 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6918 |
2024-08-11 15:25
|
 66b09f01e0030_dozkey.exe e66c202fc9367708b37d5ed10975bfa8
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.42.104) - mailcious
149.154.167.99 - mailcious
188.245.87.202 - mailcious
184.85.112.102
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://steamcommunity.com/profiles/76561199747278259
|
17.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6919 |
2024-08-11 15:25
|
 beacon_x64.ps1 9dc0a907c4136946f8d3b0c42ebf677f
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself |
|
|
|
|
1.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6920 |
2024-08-11 15:23
|
 ActiveMQ-RCE.exe 4ba8f3acf74baeaf5db40372f0c70e9d
Malicious Library Malicious Packer UPX PE File PE64 VirusTotal Malware |
|
|
|
|
1.0 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6921 |
2024-08-11 15:23
|
equitopxMPDW-constraints.vbs 02c2234746945a015ebee166b943b22e
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
|
2
ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6922 |
2024-08-11 15:22
|
 66b0ba4420669_main.exe fee265f64791e63acdcd3e04acdc93b9
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.74.42.104) - mailcious
149.154.167.99 - mailcious
188.245.87.202 - mailcious
104.71.154.102
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199747278259
|
17.6 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6923 |
2024-08-11 15:21
|
 GGWS.exe e2b0ca22d48c42d262cf6015565a106c
RedLine Infostealer UltraVNC Generic Malware Malicious Library UPX PE File PE32 OS Processor Check .NET EXE VirusTotal Malware PDB suspicious privilege Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows DNS Cryptographic key crashed |
2
http://47.104.173.216:8082/server.txt
http://47.104.173.216:8082/GGWSUpdate.exe
|
1
|
4
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
7.0 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6924 |
2024-08-11 15:19
|
 66b4ed2ceb0d7_stealc.exe c0475f36aa20f3974528fdb57d62bfef
Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
|
|
10.2 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6925 |
2024-08-11 15:18
|
 eth.exe 841e052a11d2ea9148d356ae0f9c3577
Malicious Library Antivirus UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
1.6 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6926 |
2024-08-11 15:18
|
 ramos.exe d6612f5d347fb3a1e9b74b324271a5d3
Stealc Amadey Client SW User Data Stealer RedLine stealer Gen1 ftp Client info stealer Generic Malware EnigmaProtector Malicious Library UPX Admin Tool (Sysinternals etc ...) Antivirus Malicious Packer Code injection Http API PWS Anti_VM AntiDeb Browser Info Stealer Malware download Amadey FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder malicious URLs sandbox evasion VMware anti-virtualization installed browsers check Tofsee Ransomware Stealc Stealer Windows Exploit Browser Email ComputerName DNS Software crashed plugin |
13
http://185.215.113.16/num/random.exe - rule_id: 41818
http://185.215.113.100/0d60be0de163924d/nss3.dll
http://185.215.113.100/0d60be0de163924d/freebl3.dll
http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
http://185.215.113.16/well/random.exe - rule_id: 41492
http://185.215.113.19/Vi9leo/index.php - rule_id: 41489
http://185.215.113.100/0d60be0de163924d/sqlite3.dll
http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
http://185.215.113.100/ - rule_id: 41969
http://185.215.113.100/0d60be0de163924d/mozglue.dll
http://185.215.113.100/0d60be0de163924d/softokn3.dll
http://185.215.113.16/steam/random.exe - rule_id: 41792
http://185.215.113.100/0d60be0de163924d/msvcp140.dll
|
5
crash-reports.mozilla.com(34.49.45.138)
34.49.45.138
185.215.113.100 - mailcious
185.215.113.16 - mailcious
185.215.113.19 - malware
|
21
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
6
http://185.215.113.16/num/random.exe
http://185.215.113.100/e2b1563c6670f193.php
http://185.215.113.16/well/random.exe
http://185.215.113.19/Vi9leo/index.php
http://185.215.113.100/
http://185.215.113.16/steam/random.exe
|
24.0 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6927 |
2024-08-11 15:17
|
 beacon.ps1 c58277271a558ebafd06da61dc074bf4
Generic Malware Antivirus VirusTotal Malware Check memory unpack itself |
|
|
|
|
1.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6928 |
2024-08-11 15:16
|
 random.exe 278ee1426274818874556aa18fd02e3a
Stealc Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX PE File PE32 Malware download VirusTotal Malware c&c Malicious Traffic Check memory unpack itself Stealc ComputerName DNS |
2
http://185.215.113.100/ - rule_id: 41969
http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
|
1
185.215.113.100 - mailcious
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
|
2
http://185.215.113.100/
http://185.215.113.100/e2b1563c6670f193.php
|
3.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6929 |
2024-08-11 15:14
|
 file.exe 0a0441240363fcbfdd3ee5b1f5617f6b
AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
1
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
|
|
8.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6930 |
2024-08-11 15:13
|
 66b5ac1092454_otraba.exe f46974f39aebf4f4d039600f3881d6b6
Generic Malware Malicious Library .NET framework(MSIL) UPX ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
7.8 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|