6931 |
2024-08-11 15:12
|
66b7a2aef1283_doz.exe#mene eb47857a107cd0ebf986c08be274bd2e Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879
https://t.me/pech0nk
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(173.222.146.99) - mailcious 149.154.167.99 - mailcious
78.46.239.218
184.85.112.102
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199751190313
|
16.0 |
M |
11 |
ZeroCERT
6932 |
2024-08-11 15:10
|
svch0st.exe 5575d0030528b163ac14ebe51ebd7da9 Malicious Library PE File PE32 Malware download Cobalt Strike Cobalt VirusTotal Malware Malicious Traffic RWX flags setting unpack itself ComputerName DNS |
1
http://103.143.248.179/push
|
1
103.143.248.179 - malware
|
2
ET DROP Spamhaus DROP Listed Traffic Inbound group 17 ET MALWARE Cobalt Strike Beacon Observed
|
|
4.0 |
M |
59 |
ZeroCERT
6933 |
2024-08-11 15:09
|
pink.exe 4e0a6df4069761feb9f073276d52847c Antivirus UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
M |
36 |
ZeroCERT
6934 |
2024-08-11 15:08
|
request.exe ef8320eace6f753231666c61104bdd49 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Email Client Info Stealer Malware AutoRuns Checks debugger WMI Windows utilities suspicious process WriteConsoleW Tofsee Windows Email ComputerName DNS |
|
2
ip-api.io(212.132.117.42) 212.132.117.42
|
3
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ip-api .io) in DNS Lookup
|
|
5.2 |
M |
31 |
ZeroCERT
6935 |
2024-08-11 15:07
|
tt111.exe 6f09bbce72130d28fbb011ef4dc89668 Malicious Library Antivirus UPX PE File PE64 OS Processor Check VirusTotal Malware PDB |
|
|
|
|
1.0 |
M |
27 |
ZeroCERT
6936 |
2024-08-11 15:06
|
66b7d3a2e7a4d_deepweb.exe#5k 4f1b08b2de97134ea899bede6f28098e RedLine stealer PWS AntiDebug AntiVM BitCoin PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://45.66.231.184:1334/ https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31) 172.67.75.172 - mailcious 45.66.231.184
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RedLine Stealer - CheckConnect Response ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SURICATA HTTP unable to match response to request
|
|
14.6 |
M |
21 |
ZeroCERT
6937 |
2024-08-11 15:05
|
Factura%20Pro-forma%20-%20S083... 66da887500b1a6ce357adfafb8a10d07 PDF Suspicious Link PDF |
|
|
|
|
|
M |
|
ZeroCERT
6938 |
2024-08-11 15:05
|
blued2.exe 444227bb8425c40230c70a0312b34d9e Malicious Library Antivirus UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware DNS |
|
1
212.47.253.124 - mailcious
|
|
|
1.4 |
M |
25 |
ZeroCERT
6939 |
2024-08-11 15:04
|
66af9bdbf0f60_Team.exe 2f208b17f8bda673f6b4f0dacf43d1bf Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
43 |
ZeroCERT
6940 |
2024-08-11 15:03
|
newalp.exe 6093bb59e7707afe20ca2d9b80327b49 Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Cryptocurrency Miner Malware AutoRuns Malicious Traffic Creates executable files unpack itself AppData folder Windows DNS CoinMiner |
3
http://185.196.11.123/FirstZ.exe http://185.196.11.123/h9k4kfklCdszZ3/index.php http://stagingbyvdveen.com/get/setup2.exe
|
9
xmr-eu1.nanopool.org(212.47.253.124) - mailcious zeph-eu2.nanopool.org(51.195.43.17) - mailcious pastebin.com(172.67.19.24) - mailcious stagingbyvdveen.com(147.45.60.44) 163.172.171.111 - mailcious 212.47.253.124 - mailcious 147.45.60.44 - malware 172.67.19.24 - mailcious 185.196.11.123 - mailcious
|
9
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET DROP Spamhaus DROP Listed Traffic Inbound group 33 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.6 |
M |
64 |
ZeroCERT
6941 |
2024-08-11 15:01
|
NJTCFVIV.exe c350fa7b1a8b9cbbab1ae59e00575209 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL PE64 OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk VM Disk Size Check |
|
|
|
|
3.6 |
M |
34 |
ZeroCERT
6942 |
2024-08-11 15:01
|
tt2.exe ae136ee998229f2898b20cc44cf2bc99 Malicious Library Antivirus UPX Anti_VM PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
1.2 |
M |
41 |
ZeroCERT
6943 |
2024-08-11 14:59
|
06082025.exe 0d76d08b0f0a404604e7de4d28010abc RedLine stealer RedlineStealer Generic Malware Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check PE64 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
https://bitbucket.org/cloudappsoftware/vsc/downloads/GlitchClipper.exe https://bbuseruploads.s3.amazonaws.com/0046344b-dbc7-4633-ba53-858e97e1e5e3/downloads/e035ed78-1bf0-4b5e-b1b5-5452a9c00962/GlitchClipper.exe?response-content-disposition=attachment%3B%20filename%3D%22GlitchClipper.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNACKCQR3&Signature=0WJdjhH0SzZbZrg4qmi8SZhFZ1c%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJGMEQCIEk%2BARBMnCUmBc%2B4pE%2FLa%2FXufm9B9egBuQycdCg0PqkwAiB%2FJLKBV7ZCeo6kUBQVydv1ivbUl3CHG7AFwB5Ve1dCDCqnAghvEAAaDDk4NDUyNTEwMTE0NiIMOVl5UzuIlAe9MITSKoQCVVtkn%2FpUoHlSF02oe4h2lTomBpfefAEuKnNpHAuBWN7prPQgMTqVZWNuxiUYi1unMhcX2MkjGlQ4VbMWl7v0XjUEneW8uXb3jjfbwjBpUu9%2FehfDZcef8pKMqekxlnv7uYSkEUIqP7%2FxJKYRxxNYkQgfMBtOIMlNk2D0XzSI0jaeRzup4oYiGftG6Y62slfk4MfdNZ4Fr0fmaicEs%2FVc6X2UkwpF%2FYlfORUKcjK1Oc%2BzjmQDyjw4IVi7N6%2FfR0UKtOnQ58AOpnyt1jeZe3V3I1ajPYwFppy2QHHWYbuI49pGZGqy1%2BNIIgPHME5oVe4FJPKixo3xpnPL3OXsaW31abikMj0wkqDhtQY6ngEuq0NPpIJ4eoRobfM450Na17ef9eAvuAhiGVozXMuLABm9hdgvUUFB2x6r2%2BVsNi7xP9DvAXE5f1tArFGJjVEs8wwsJVM%2BtqfacjbOLG8Dh1EyJfGJjgom65rQfHPRPyDA6UamyxSfg9WC9zkEq4nZwz2Wm3mc3k6cLzQfk8Mr6HumakVxDKW4UAqaYDtFt%2BzVIEkRzKYcxiogT%2FvSMA%3D%3D&Expires=1723356954
|
5
bbuseruploads.s3.amazonaws.com(54.231.231.113) - malware bitbucket.org(185.166.140.7) - malware 185.166.140.9 - mailcious 3.5.29.22 185.215.113.67 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
62 |
ZeroCERT
6944 |
2024-08-11 14:58
|
66ae97ac4c30d_crypted.exe dbfb97dfac2ebd1c0c891897dee558a3 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
2.4 |
M |
58 |
ZeroCERT
6945 |
2024-08-11 14:57
|
sthealthclient.exe 5a49dfb1f8484d86675a3811e95c5020 RedLine Infostealer UltraVNC Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB suspicious privilege Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder Windows DNS Cryptographic key crashed |
2
http://47.104.173.216:9876/server.txt
http://47.104.173.216:9876/STHealthUpdate.exe
|
1
|
4
ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
7.6 |
M |
44 |
ZeroCERT