| 7006 |
2023-11-22 13:23
|
 deepweb.exe 7a51a34ca5ccfe6eb43ef6abc0f92d46
RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://91.92.241.80:1337/
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.13.31)
104.26.12.31
91.92.241.80 - malware
|
4
ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer Activity (Response)
|
|
8.0 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7007 |
2023-11-21 18:18
|
 Updatе.exe 3f6d2aa85fcd8e38412f4ab60f8f47f4
Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check VirusTotal Malware AntiVM_Disk VM Disk Size Check |
|
|
|
|
1.8 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7008 |
2023-11-21 18:17
|
htmlvb.vbs a106d0b5d4423dbcb1b7551cc6f011b1
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/gIIFw
https://uploaddeimagens.com.br/images/004/666/676/original/vbs.jpg?1700182879
http://107.175.113.202/450/NEW.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
104.21.84.67 - malware
23.43.165.66
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7009 |
2023-11-21 18:17
|
htmlbrowserhistorydeletedbymic... 0a869df2007f5731f95c5d84aad6bbbf
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://107.175.113.202/450/htmlvb.vbs
https://paste.ee/d/gIIFw
|
6
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
107.175.113.202 - mailcious
104.21.84.67 - malware
104.21.45.138 - malware
|
3
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7010 |
2023-11-21 08:10
|
 brandmar.exe a9c5d3db8ea47ab1e03cbf5a91065d24
NPKI HermeticWiper Generic Malware NSIS Suspicious_Script Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Blob PE32 PE File .NET EXE PNG Format JPEG Format OS Processor Check ZIP Format icon BMP Format VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware Windows crashed |
|
|
|
|
7.8 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7011 |
2023-11-21 08:02
|
 pdf.exe ef9428407424cc578442727f6fe3bc5e
UPX Malicious Library PWS SMTP AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
2
103.212.81.155
91.215.85.23 - mailcious
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
|
13.8 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7012 |
2023-11-21 08:00
|
 smo.exe d117bdd49deff0dc9c560ed4a03d3a5f
Emotet Gen1 Malicious Library UPX PE32 PE File CAB Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81)
db-ip.com(104.26.5.15)
194.49.94.152 - mailcious
104.26.4.15
34.117.59.81
|
7
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
|
|
18.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7013 |
2023-11-21 08:00
|
 jurojarem2.1.exe 0a1d0f4a278dff187347c1544ab3dc6a
NSIS Malicious Library UPX PE32 PE File OS Processor Check Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS |
1
http://geoplugin.net/json.gp
|
4
geoplugin.net(178.237.33.50)
sheddy1122.ddns.net(103.212.81.155) - mailcious
103.212.81.155
178.237.33.50
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET JA3 Hash - Remcos 3.x TLS Connection
|
|
5.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7014 |
2023-11-21 08:00
|
 photo_dnkafan3.exe 3d2fc3836a767e534bd36c889287b7c9
Emotet Gen1 Malicious Library UPX Malicious Packer PE32 PE File DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
8
http://185.78.76.13/a0e4e3bc83b3e685/freebl3.dll
http://185.78.76.13/a0e4e3bc83b3e685/msvcp140.dll
http://185.78.76.13/a0e4e3bc83b3e685/nss3.dll
http://185.78.76.13/a0e4e3bc83b3e685/sqlite3.dll
http://185.78.76.13/21b9c0db1dfb4718.php
http://185.78.76.13/a0e4e3bc83b3e685/mozglue.dll
http://185.78.76.13/a0e4e3bc83b3e685/softokn3.dll
http://185.78.76.13/a0e4e3bc83b3e685/vcruntime140.dll
|
1
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
6.8 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7015 |
2023-11-21 07:57
|
 hvupdater12.exe 68392cd3b6d0900a123e3c474737a068
Generic Malware Malicious Library Malicious Packer Antivirus PE32 PE File VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
2
213.139.207.234
179.60.147.176 - mailcious
|
|
|
7.6 |
M |
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7016 |
2023-11-21 07:55
|
 test20.exe fbd70a366b8f1c3e25e080cdd553930f
Malicious Library Malicious Packer UPX PE File PE64 Malware download NetWireRC VirusTotal Malware Malicious Traffic Check virtual network interfaces WriteConsoleW RAT DNS ChaosRAT |
3
http://179.60.147.176:8080/health
http://179.60.147.176:8080/client
http://179.60.147.176:8080/device
|
1
179.60.147.176 - mailcious
|
4
ET MALWARE CHAOS RAT CnC Server Status Check
ET MALWARE CHAOS RAT Client Checkin
ET USER_AGENTS Go HTTP Client User-Agent
ET MALWARE Win32/Khaosz.A!MTB Checkin
|
|
3.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7017 |
2023-11-21 07:55
|
 build.exe aa90f740f20462601a90fafdf37a4b82
Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware unpack itself Windows crashed |
|
|
|
|
2.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7018 |
2023-11-20 09:58
|
 conhost.exe 0c648321522607509014810fa9850703
XMRig Miner Emotet Cryptocurrency Miner Generic Malware Suspicious_Script_Bin CoinHive Cryptocurrency task schedule Downloader Malicious Library UPX Antivirus Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate pri VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key |
4
http://45.15.156.116/WatchDog.exe
http://45.15.156.116/WinRing0x64.sys
http://45.15.156.116/xmrig.exe
https://pastebin.com/raw/ZRRRiwsq
|
3
pastebin.com(104.20.67.143) - mailcious
45.15.156.116 - malware
104.20.67.143 - mailcious
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7019 |
2023-11-20 09:58
|
 brandrock.exe deb1df6e8090653848506c1e9a1e32f8
NPKI HermeticWiper Generic Malware NSIS Suspicious_Script Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Blob AntiDebug AntiVM PE32 PE File .NET EXE PNG Format JPEG Format OS Processor Check ZIP Forma Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware crashed |
|
|
|
|
10.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7020 |
2023-11-20 09:56
|
svchost.exe a4212217a2e90127cf2870215d72edf5
Obsidium protector UPX PE File PE64 .NET EXE VirusTotal Malware Windows crashed |
|
|
|
|
2.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|