Listing of sandbox analysis records. Each record gives: ID | analysis time; File; MD5; Tags (static and behavioural signatures); URLs (count); Hosts (count, with the resolved IP in parentheses and the listing's malware/malicious annotation); Signatures (IDS alerts, count); Score | Flag | VirusTotal detections | Source.

7006 | 2023-11-22 13:23
File: deepweb.exe
MD5: 7a51a34ca5ccfe6eb43ef6abc0f92d46
Tags: RedlineStealer, RedLine Infostealer, RedLine stealer, .NET framework(MSIL), UPX, PE32, PE File, .NET EXE, OS Processor Check, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, installed browsers check, Tofsee, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (2):
  http://91.92.241.80:1337/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb (104.26.13.31)
  104.26.12.31
  91.92.241.80 - malware
Signatures (4):
  ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound
  ET MALWARE Redline Stealer Activity (Response)
Score: 8.0 | Flag: M | VirusTotal detections: 65 | Source: ZeroCERT

7007 | 2023-11-21 18:18
File: Updatе.exe
MD5: 3f6d2aa85fcd8e38412f4ab60f8f47f4
Tags: Malicious Library, Malicious Packer, UPX, PE32, PE File, OS Processor Check, VirusTotal, Malware, AntiVM_Disk, VM Disk Size Check
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 1.8 | Flag: - | VirusTotal detections: 33 | Source: ZeroCERT

7008 | 2023-11-21 18:17
File: htmlvb.vbs
MD5: a106d0b5d4423dbcb1b7551cc6f011b1
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, wscript.exe payload download, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (4):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/gIIFw
  https://uploaddeimagens.com.br/images/004/666/676/original/vbs.jpg?1700182879
  http://107.175.113.202/450/NEW.txt
Hosts (5):
  paste.ee (172.67.187.200) - malicious
  uploaddeimagens.com.br (104.21.45.138) - malware
  104.21.84.67 - malware
  23.43.165.66
  172.67.215.45 - malware
Signatures (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.0 | Flag: - | VirusTotal detections: 7 | Source: ZeroCERT

7009 | 2023-11-21 18:17
File: htmlbrowserhistorydeletedbymic... (name truncated in the listing)
MD5: 0a869df2007f5731f95c5d84aad6bbbf
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, buffers extracted, RWX flags setting, exploit crash, Tofsee, Exploit, DNS, crashed
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://107.175.113.202/450/htmlvb.vbs
  https://paste.ee/d/gIIFw
Hosts (6):
  paste.ee (172.67.187.200) - malicious
  uploaddeimagens.com.br (172.67.215.45) - malware
  121.254.136.9
  107.175.113.202 - malicious
  104.21.84.67 - malware
  104.21.45.138 - malware
Signatures (3):
  ET INFO Dotted Quad Host VBS Request
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.6 | Flag: M | VirusTotal detections: 33 | Source: ZeroCERT

7010 | 2023-11-21 08:10
File: brandmar.exe
MD5: a9c5d3db8ea47ab1e03cbf5a91065d24
Tags: NPKI, HermeticWiper, Generic Malware, NSIS, Suspicious_Script, Malicious Library, UPX, Antivirus, Malicious Packer, Admin Tool (Sysinternals etc ...), Anti_VM, Javascript_Blob, PE32, PE File, .NET EXE, PNG Format, JPEG Format, OS Processor Check, ZIP Format, icon, BMP Format, VirusTotal, Malware, Check memory, Checks debugger, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, Ransomware, Windows, crashed
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 7.8 | Flag: M | VirusTotal detections: 53 | Source: ZeroCERT

7011 | 2023-11-21 08:02
File: pdf.exe
MD5: ef9428407424cc578442727f6fe3bc5e
Tags: UPX, Malicious Library, PWS, SMTP, AntiDebug, AntiVM, PE32, PE File, .NET EXE, Browser Info Stealer, RedLine, Malware download, FTP Client Info Stealer, VirusTotal, Malware, Microsoft, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Collect installed applications, AppData folder, installed browsers check, Stealer, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs: none recorded
Hosts (2):
  103.212.81.155
  91.215.85.23 - malicious
Signatures (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
Score: 13.8 | Flag: M | VirusTotal detections: 46 | Source: ZeroCERT

7012 | 2023-11-21 08:00
File: smo.exe
MD5: d117bdd49deff0dc9c560ed4a03d3a5f
Tags: Emotet, Gen1, Malicious Library, UPX, PE32, PE File, CAB, Lnk Format, GIF Format, Browser Info Stealer, Malware download, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, AutoRuns, PDB, suspicious privilege, MachineGuid, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Disables Windows Security, Collect installed applications, suspicious process, AntiVM_Disk, sandbox evasion, WriteConsoleW, anti-virtualization, IP Check, VM Disk Size Check, installed browsers check, Tofsee, Ransomware, Windows, Update, Browser, RisePro, Email, ComputerName, Remote Code Execution, DNS, Cryptographic key, Software, crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
  ipinfo.io (34.117.59.81)
  db-ip.com (104.26.5.15)
  194.49.94.152 - malicious
  104.26.4.15
  34.117.59.81
Signatures (7):
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
Score: 18.4 | Flag: M | VirusTotal detections: 42 | Source: ZeroCERT

7013 | 2023-11-21 08:00
File: jurojarem2.1.exe
MD5: 0a1d0f4a278dff187347c1544ab3dc6a
Tags: NSIS, Malicious Library, UPX, PE32, PE File, OS Processor Check, Remcos, VirusTotal, Malware, AutoRuns, Malicious Traffic, Check memory, Creates executable files, unpack itself, AppData folder, Windows, DNS, DDNS
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net (178.237.33.50)
  sheddy1122.ddns.net (103.212.81.155) - malicious
  103.212.81.155
  178.237.33.50
Signatures (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET JA3 Hash - Remcos 3.x TLS Connection
Score: 5.0 | Flag: M | VirusTotal detections: 34 | Source: ZeroCERT

7014 | 2023-11-21 08:00
File: photo_dnkafan3.exe
MD5: 3d2fc3836a767e534bd36c889287b7c9
Tags: Emotet, Gen1, Malicious Library, UPX, Malicious Packer, PE32, PE File, DLL, OS Processor Check, Browser Info Stealer, Malware download, Vidar, VirusTotal, Malware, c&c, Malicious Traffic, Check memory, Creates executable files, unpack itself, Collect installed applications, sandbox evasion, anti-virtualization, installed browsers check, Stealc, Stealer, Windows, Browser, ComputerName, DNS, plugin
URLs (8):
  http://185.78.76.13/a0e4e3bc83b3e685/freebl3.dll
  http://185.78.76.13/a0e4e3bc83b3e685/msvcp140.dll
  http://185.78.76.13/a0e4e3bc83b3e685/nss3.dll
  http://185.78.76.13/a0e4e3bc83b3e685/sqlite3.dll
  http://185.78.76.13/21b9c0db1dfb4718.php
  http://185.78.76.13/a0e4e3bc83b3e685/mozglue.dll
  http://185.78.76.13/a0e4e3bc83b3e685/softokn3.dll
  http://185.78.76.13/a0e4e3bc83b3e685/vcruntime140.dll
Hosts (1): the listing gives a count of 1 but the entry itself is empty; every URL above is served from 185.78.76.13
Signatures (15):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Score: 6.8 | Flag: M | VirusTotal detections: 19 | Source: ZeroCERT

7015 | 2023-11-21 07:57
File: hvupdater12.exe
MD5: 68392cd3b6d0900a123e3c474737a068
Tags: Generic Malware, Malicious Library, Malicious Packer, Antivirus, PE32, PE File, VirusTotal, Malware, AutoRuns, suspicious privilege, Check memory, Checks debugger, Creates shortcut, unpack itself, suspicious process, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key
URLs: none recorded
Hosts (2):
  213.139.207.234
  179.60.147.176 - malicious
Signatures: none recorded
Score: 7.6 | Flag: M | VirusTotal detections: 53 | Source: ZeroCERT

7016 | 2023-11-21 07:55
File: test20.exe
MD5: fbd70a366b8f1c3e25e080cdd553930f
Tags: Malicious Library, Malicious Packer, UPX, PE File, PE64, Malware download, NetWireRC, VirusTotal, Malware, Malicious Traffic, Check virtual network interfaces, WriteConsoleW, RAT, DNS, ChaosRAT
URLs (3):
  http://179.60.147.176:8080/health
  http://179.60.147.176:8080/client
  http://179.60.147.176:8080/device
Hosts (1):
  179.60.147.176 - malicious
Signatures (4):
  ET MALWARE CHAOS RAT CnC Server Status Check
  ET MALWARE CHAOS RAT Client Checkin
  ET USER_AGENTS Go HTTP Client User-Agent
  ET MALWARE Win32/Khaosz.A!MTB Checkin
Score: 3.8 | Flag: M | VirusTotal detections: 16 | Source: ZeroCERT

7017 | 2023-11-21 07:55
File: build.exe
MD5: aa90f740f20462601a90fafdf37a4b82
Tags: Malicious Library, UPX, PE32, PE File, OS Processor Check, VirusTotal, Malware, unpack itself, Windows, crashed
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 2.6 | Flag: M | VirusTotal detections: 30 | Source: ZeroCERT

7018 | 2023-11-20 09:58
File: conhost.exe
MD5: 0c648321522607509014810fa9850703
Tags: XMRig Miner, Emotet, Cryptocurrency Miner, Generic Malware, Suspicious_Script_Bin, CoinHive, Cryptocurrency, task schedule, Downloader, Malicious Library, UPX, Antivirus, Malicious Packer, .NET framework(MSIL), Create Service, Socket, DGA, Http API, ScreenShot, Escalate pri, VirusTotal, Malware, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, ComputerName, DNS, Cryptographic key
URLs (4):
  http://45.15.156.116/WatchDog.exe
  http://45.15.156.116/WinRing0x64.sys
  http://45.15.156.116/xmrig.exe
  https://pastebin.com/raw/ZRRRiwsq
Hosts (3):
  pastebin.com (104.20.67.143) - malicious
  45.15.156.116 - malware
  104.20.67.143 - malicious
Signatures (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 13.4 | Flag: M | VirusTotal detections: 46 | Source: ZeroCERT

7019 | 2023-11-20 09:58
File: brandrock.exe
MD5: deb1df6e8090653848506c1e9a1e32f8
Tags: NPKI, HermeticWiper, Generic Malware, NSIS, Suspicious_Script, Malicious Library, UPX, Antivirus, Malicious Packer, Admin Tool (Sysinternals etc ...), Anti_VM, Javascript_Blob, AntiDebug, AntiVM, PE32, PE File, .NET EXE, PNG Format, JPEG Format, OS Processor Check, ZIP Format, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, AppData folder, AntiVM_Disk, VM Disk Size Check, Ransomware, crashed
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 10.8 | Flag: M | VirusTotal detections: - (no VirusTotal result in this record) | Source: ZeroCERT

7020 | 2023-11-20 09:56
File: svchost.exe
MD5: a4212217a2e90127cf2870215d72edf5
Tags: Obsidium protector, UPX, PE File, PE64, .NET EXE, VirusTotal, Malware, Windows, crashed
URLs: none recorded
Hosts: none recorded
Signatures: none recorded
Score: 2.6 | Flag: M | VirusTotal detections: 44 | Source: ZeroCERT
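Several records above share network infrastructure: 107.175.113.202 serves htmlvb.vbs to the RTF in 7009 and NEW.txt to the VBS in 7008 (which carries that same file name); 103.212.81.155 is contacted by the RedLine sample 7011 and is what sheddy1122.ddns.net resolves to in the Remcos sample 7013; 179.60.147.176 is contacted by 7015 and is the ChaosRAT C2 in 7016. The script below is an added example, not code from the listing or from ZeroCERT. It parses the URL and host columns in the flattened form this page uses, indexes every domain and IP by sample ID, and reports indicators seen in more than one sample, defanged for sharing. The RECORDS values are copied from the listing; the NOISE allowlist (CA and public-IP lookup services that many unrelated samples contact) and the defang format are my own choices.

```python
"""Pivot on network indicators shared between the sandbox records above.

Added example, not code from the listing or from ZeroCERT. The record values
are copied from the page; parsing, NOISE and the defang format are my own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NAMED_RE = re.compile(r"^([A-Za-z0-9.\-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)$")  # name(ip)

# Assumption (mine): CA root download and public-IP lookup services that many
# unrelated samples contact; they are not useful pivots.
NOISE = {"apps.identrust.com", "api.ip.sb", "geoplugin.net", "ipinfo.io", "db-ip.com"}

# (URL column, host column) copied from the listing, keyed by sample ID.
RECORDS = {
    7006: ("http://91.92.241.80:1337/ https://api.ip.sb/geoip",
           "api.ip.sb(104.26.13.31) 104.26.12.31 91.92.241.80 - malware"),
    7008: ("http://apps.identrust.com/roots/dstrootcax3.p7c https://paste.ee/d/gIIFw "
           "https://uploaddeimagens.com.br/images/004/666/676/original/vbs.jpg?1700182879 "
           "http://107.175.113.202/450/NEW.txt",
           "paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(104.21.45.138) - malware "
           "104.21.84.67 - malware 23.43.165.66 172.67.215.45 - malware"),
    7009: ("http://apps.identrust.com/roots/dstrootcax3.p7c "
           "http://107.175.113.202/450/htmlvb.vbs https://paste.ee/d/gIIFw",
           "paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware "
           "121.254.136.9 107.175.113.202 - mailcious 104.21.84.67 - malware 104.21.45.138 - malware"),
    7011: ("", "103.212.81.155 91.215.85.23 - mailcious"),
    7013: ("http://geoplugin.net/json.gp",
           "geoplugin.net(178.237.33.50) sheddy1122.ddns.net(103.212.81.155) - mailcious "
           "103.212.81.155 178.237.33.50"),
    7015: ("", "213.139.207.234 179.60.147.176 - mailcious"),
    7016: ("http://179.60.147.176:8080/health http://179.60.147.176:8080/client "
           "http://179.60.147.176:8080/device", "179.60.147.176 - mailcious"),
}


@dataclass(frozen=True)
class Indicator:
    value: str      # domain or IPv4 literal
    kind: str       # "domain" or "ipv4"
    flag: str = ""  # listing annotation ("malware", "malicious") or ""


def parse_hosts(text):
    """Parse the host column: 'name(ip)' pairs, bare IPs/domains, '- flag' suffixes."""
    out, group, tokens, i = [], 0, text.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and group and i + 1 < len(tokens):
            flag = "malicious" if tokens[i + 1] == "mailcious" else tokens[i + 1]  # site typo
            out[-group:] = [Indicator(x.value, x.kind, flag) for x in out[-group:]]
            i += 2
            continue
        m = NAMED_RE.match(tok)
        if m:  # resolved name: keep both the domain and the IP as indicators
            out += [Indicator(m.group(1), "domain"), Indicator(m.group(2), "ipv4")]
            group = 2
        else:
            out.append(Indicator(tok, "ipv4" if IPV4_RE.match(tok) else "domain"))
            group = 1
        i += 1
    return out


def parse_urls(text):
    """(url, hostname) pairs from the whitespace-separated URL column."""
    return [(u, urlsplit(u).hostname) for u in text.split() if urlsplit(u).hostname]


def build_index(records):
    """Map every domain/IP (hosts plus URL hostnames) to the sample IDs that touched it."""
    index = defaultdict(set)
    for sid, (urls, hosts) in records.items():
        for ind in parse_hosts(hosts):
            index[ind.value].add(sid)
        for _url, host in parse_urls(urls):
            index[host].add(sid)
    return index


def shared_infrastructure(records, min_samples=2):
    """Indicators seen in at least min_samples distinct samples, NOISE removed."""
    return {v: sorted(ids) for v, ids in build_index(records).items()
            if len(ids) >= min_samples and v not in NOISE}


def defang(value):
    """Make a URL, domain or IP non-clickable: hxxp:// and [.] in the host part."""
    if "://" not in value:
        return value.replace(".", "[.]")
    p = urlsplit(value)
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{tail}"


def report(records, min_samples=2):
    """Defanged 'indicator -> sample IDs' lines, most widely shared first."""
    shared = sorted(shared_infrastructure(records, min_samples).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{defang(v)} -> {', '.join(map(str, ids))}" for v, ids in shared]


if __name__ == "__main__":
    print("\n".join(report(RECORDS)))
```

Both the domain and its resolved IP are indexed, so a pivot still fires when one sample logs only the hostname and another only the address (sheddy1122.ddns.net versus the bare 103.212.81.155 in 7011). The `- malware` / `- mailcious` annotations are kept on the indicator rather than used for filtering, because an unannotated host such as 23.43.165.66 is still worth a pivot.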