| 7201 |
2023-11-07 19:12
|
 StealerClient_Sharp.exe 344e9762e1477db04edfecaa07cef091
Malicious Library UPX Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check Check memory Checks debugger unpack itself ComputerName Remote Code Execution |
|
|
|
|
1.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7202 |
2023-11-07 19:09
|
 toolspub4.exe ba07981c0db641512c0004aac1654895
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware Code Injection Checks debugger buffers extracted unpack itself |
|
|
|
|
5.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7203 |
2023-11-07 19:08
|
 a.exe 248fdd80b574b1379fe4f6f1cee40091
email stealer Downloader .NET framework(MSIL) Socket ScreenShot Escalate priviledges PWS Sniff Audio DNS Code injection persistence KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs WriteConsoleW Windows DNS |
|
1
|
|
|
10.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7204 |
2023-11-07 19:07
|
 StealerClient_Cpp.exe 0e149c713146c9c1ea53d7b7fa3b39e1
Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check |
|
|
|
|
|
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7205 |
2023-11-07 19:05
|
 Juderk.exe 3f47913af364115da3a560edb88035ae
Themida Packer Malicious Library Anti_VM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check Stealer Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
8.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7206 |
2023-11-07 19:05
|
 xoIBL6LAISDs.exe eb29546aff8b06616b7b226986fd7827
Browser Login Data Stealer Generic Malware Malicious Library UPX Malicious Packer Downloader PE File PE32 OS Processor Check Windows DNS keylogger |
|
1
|
|
|
2.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7207 |
2023-11-07 15:02
|
CVE 2001-0241.pcap aa96f5eaeb8f04a7e6fc1f1cb455d195
AntiDebug AntiVM Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself installed browsers check Browser Email ComputerName |
|
|
|
|
3.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7208 |
2023-11-07 11:30
|
 tuc19.exe a8c3b73f59bdf41eb250cba92fa934f1
Gen1 Emotet Generic Malware Malicious Library UPX Confuser .NET Malicious Packer PE File PE32 MZP Format DLL OS Processor Check CHM Format PE64 DllRegisterServer dll suspicious privilege Checks debugger Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
4.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7209 |
2023-11-07 11:30
|
 tuc19.exe 63b908a7f395bb899f1d4afbbc472d1e
Gen1 Emotet Generic Malware Malicious Library UPX Confuser .NET Malicious Packer PE File PE32 MZP Format DLL OS Processor Check CHM Format PE64 DllRegisterServer dll suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder WriteConsoleW Windows ComputerName crashed |
|
|
|
|
4.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7210 |
2023-11-07 11:24
|
 setup294.exe a05ee0fea78a297e1a4182ce9d5cd8a4
Malicious Library AntiDebug AntiVM PE File PE32 DLL Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
4.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7211 |
2023-11-07 11:03
|
 syncUpd.exe a1fd31c9149678ba7c05e3adad8ac568
Malicious Library UPX PE File PE32 OS Processor Check unpack itself |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7212 |
2023-11-07 10:59
|
File.rar f990fd3d664b4a2cd89a21cb6e2a9911
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro DNS Downloader plugin |
62
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://157.90.152.131/9ea41fac0af12ade12ae478b6c25112b
http://jaimemcgee.top/2a7743b8bbd7e4a7/softokn3.dll
http://jaimemcgee.top/2a7743b8bbd7e4a7/msvcp140.dll
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://45.129.14.83/ch.exe - rule_id: 37431
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7mQSCiCXPXX6dRJCYyN_6SMF.exe&platform=0009&osver=5&isServer=0
http://jaimemcgee.top/40d570f44e84a454.php
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://157.90.152.131/
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://jaimemcgee.top/2a7743b8bbd7e4a7/vcruntime140.dll
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://185.172.128.69/latestumma.exe
http://stim.graspalace.com/order/tuc19.exe
http://176.113.115.84:8080/4.php - rule_id: 34795
http://jaimemcgee.top/2a7743b8bbd7e4a7/freebl3.dll
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://jaimemcgee.top/2a7743b8bbd7e4a7/mozglue.dll
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://jaimemcgee.top/2a7743b8bbd7e4a7/nss3.dll
http://157.90.152.131/getfiles.zip
http://jaimemcgee.top/2a7743b8bbd7e4a7/sqlite3.dll
https://sun6-21.userapi.com/c236331/u26060933/docs/d11/19c8da91767e/Risepro.bmp?extra=EwSSGzoAfy65GGSvZoW0Ph4KCtfnD5CJ-1u-khJCbN0uxDNn5vNuDAZaJ062NR0l9b6fIdcxu5_fWGeZra_Co2jUpbbfKnN7da75BE-JQqXJESVDc3dX5d4gxqJEeVS6pTXFFfmTxgRtA_-G
https://db-ip.com/demo/home.php?s=175.208.134.152
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-22.userapi.com/c909418/u26060933/docs/d3/31f5159f58be/11M.bmp?extra=q7yy_WjSO4crX0JQqA0zrRgVKPA_BwhFITi3TkpiBNuBN76H24ifVVzGLVsXACZVJPMeewShQ3SYQq6fit-5m7yQlm5ukIqknODXs8Vp9JEzWjDpr3rUNgeRdS81CpnvMoQd5ItqRXAv6AhZ
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://vk.com/doc26060933_667308364?hash=p1GNfmBszTx4xyiyMmHgD2G6gamnOS6Qs3qnmrPFKHD&dl=o2oV7mrCcgrmkinSseauvXVuXZ6QwvOSPW95WlRGhv4&api=1&no_preview=1#test22
https://api.ip.sb/ip
https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://iplogger.com/2lhi52
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ6CUda5D8--pR4RgBxlwovfJ0hDyZTvl6g
https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echVwulM9pvREF7eyP8R_tYUW-AEg4HMRDmJ
https://sun6-20.userapi.com/c909518/u26060933/docs/d43/8987a58e0def/test031123.bmp?extra=LNcfpMmfQ4e1XyE-H-_EewnV5I3alPEAz1GiWT87qEkNNONXDFPJA59B4EdjSf6xHMjU6n27oNDeC6LkauW6gTJWelqIO0xD_w5qx4fnSi4e_urLm5ugwEHcpUfEvxKkJYlSyUrW7_Rggxqw
https://db-ip.com/
https://iplis.ru/1Gemv7.
https://vk.com/doc26060933_667421028?hash=j3Z25EXZmCIGuFo5YGWwnsvj9inMRrAWT9JdWCHuPks&dl=6wFoCNqOG7czMxkdXxPFPbkcj5eJ4YPZMxmedR2cQPc&api=1&no_preview=1#maff
https://vk.com/doc26060933_667265534?hash=QrZOxyJfddotURGFHUaHcRtzBrPYFYi92QMrQaABFRL&dl=YGWXjzH1s6k62LlpR6zC3pzzD02Frvfpv4JhBLkPKVH&api=1&no_preview=1
https://msdl.microsoft.com/download/symbols/index2.txt
https://iplis.ru/1Gemv7.mp3
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=pKXD9T2Ja0HGIo5e8%2Fcvv0Yc9fVtfZRjyHGIX36WiAw%3D&spr=https&se=2023-11-08T02%3A35%3A45Z&rscl=x-e2eid-f67a0683-dccd4cc8-9426d7ad-4812ef6a-session-8414ebf2-89984859-8b4ebbb8-4b169b42
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/17553397c370/BotClients.bmp?extra=-v4zcNPz1jW9QCJnnz9JVzDnTCKGRuMlTveecae_unmKfC9kkvBIvc2-te4xySL_yWe5nnd_YxV37ErLEFEIq7sRTyCvImhVEvmEOPxoun1R7sPoot0d8T6T-hCuuHgaJPUBO994jw7jL9uK
https://vk.com/doc26060933_667404716?hash=N6wI3Dlu78zPmfalwE3rKRJ5FgIIyxAz1ZSoOw7ouQH&dl=0VFQn4zxEraMQuKRozZh3ZwLpQ7M6m03jjzYZOUAFTs&api=1&no_preview=1#1
https://dzen.ru/?yredirect=true
https://sun6-20.userapi.com/c909328/u26060933/docs/d21/2cc2e6a109e1/crypted.bmp?extra=9329IUX2R9ECqwn1fgB2PsRHAwQiQF5IfXGz4Zcmshfj4-Cj0fSAuhRKbvx9FrgziFPry0eDKAetw1594ZxN3J8BTfYgczRhpTltfTyzn7_w9u923JOSl6UEO6RWfLQLPDaqGx3wAzBNy5bf
https://api.2ip.ua/geo.json
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=CW2TdsX3u%2FEQJoPaUT23mMNV3SioEW9ghTlKz0cDkKQ%3D&spr=https&se=2023-11-08T02%3A12%3A02Z&rscl=x-e2eid-ca1ed09a-9ce84dbe-b0dda930-7b12b38c-session-42f81510-df9e406c-a337da90-7f880c70
https://vk.com/doc26060933_667379359?hash=RBD5wFZgphBd3Ltpr4zpvlKC5PFFn4lKiLxULYoChgD&dl=BKPDJrFBQ4b0FMpKZWHc5lZ9DL91O9orwTtaREbcz98&api=1&no_preview=1#rise10
https://sun6-21.userapi.com/c235031/u26060933/docs/d9/bc2848036729/RisePro.bmp?extra=SP1QdjCI8oU_xuYoIIuZttGFNgWH7AbE6JwtZ38DSR0pO-h7FoRCvnKkufqlmQ46-FAtSfPZhinV1S-bj-wfjvlOR9IAT1ozrONeI06QH8DZwg9_d29MnpwcitMyaiN5iQdqTV0kMpewNZlg
https://vk.com/doc26060933_667364987?hash=BHX3WK0Px3UZYC6KUcanvJ8pCPk0aSa1CJ1a0crl1aL&dl=Y5COLZGRCC7rDCjMPJPVPA4Y0k1NZaZCa4v1PlcGmn8&api=1&no_preview=1
https://steamcommunity.com/profiles/76561199566884947
https://vk.com/doc26060933_667359908?hash=yQKoVWnfjFhzr903ZjYqRdETfhHRvOA3tdbWxY3zKzD&dl=zw8EgRqlD4zpJ6OqofPR0yVWnKxxgpXEHD0enFFWN4c&api=1&no_preview=1#risepro
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/db2aaaddfe32/WWW11_32.bmp?extra=LvgMZ5BcJibniVvg_xQUErj_9kLnqOtcusmOUyUjOIXbjkKeGQ7pW-CoV7IrznBP2wJiu4NzODsIVN7qO0IUK8lgpYQX9G5kXyxutFPWFhIaYYMu_JdxGjVFCbYekkWVqM3_yu14LtRG8yAR
https://iplis.ru/1Gem
https://sso.passport.yandex.ru/push?uuid=98d9fd1b-f887-410d-b8db-d30bf2bd21b5&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://iplis.ru/1
|
93
stim.graspalace.com(104.21.20.155)
www.maxmind.com(104.18.145.235)
db-ip.com(104.26.5.15)
vanaheim.cn(158.160.73.47) - mailcious
www.download.windowsupdate.com(23.199.34.11)
ipinfo.io(34.117.59.81)
yandex.ru(5.255.255.77)
jaimemcgee.top(193.106.175.190)
dzen.ru(62.217.160.2)
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
learn.microsoft.com(23.36.221.172)
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.76.78.101) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.1)
msdl.microsoft.com(204.79.197.219)
cdn.discordapp.com(162.159.135.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.4.15)
ironhost.io(172.67.193.129)
telegram.org(149.154.167.99)
stun3.l.google.com(142.251.2.127)
walkinglate.com(172.67.212.188) - malware
api.ip.sb(104.26.13.31)
iplogger.com(172.67.194.188) - mailcious
gons09fc.top(212.113.122.87) - malware
zexeq.com(201.110.235.204) - malware
server3.localstats.org(185.82.216.111)
t.me(149.154.167.99) - mailcious
vsblobprodscussu5shard10.blob.core.windows.net(20.150.79.68)
fdjbgkhjrpfvsdf.online(104.21.87.5)
iplis.ru(172.67.147.32) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
bd178ff8-29e6-47f2-a804-23d45a4bfa60.uuid.localstats.org(185.82.216.111)
vsblobprodscussu5shard58.blob.core.windows.net(20.150.79.68)
vk.com(87.240.129.133) - mailcious
sso.passport.yandex.ru(213.180.204.24)
api.myip.com(172.67.75.163)
194.169.175.128 - mailcious
162.159.133.233 - malware
104.18.145.235
93.186.225.194 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
5.255.255.70
157.90.152.131 - mailcious
149.154.167.99 - mailcious
104.21.65.24
91.215.85.209 - mailcious
45.129.14.83 - malware
104.21.12.138
185.82.216.111
204.79.197.219
23.40.45.69
185.173.38.57
194.49.94.41 - mailcious
172.67.193.43
212.113.122.87 - malware
85.209.11.85 - mailcious
194.49.94.48 - malware
34.117.59.81
158.160.73.47
176.113.115.84 - mailcious
148.251.234.83
172.67.147.32
194.33.191.60
194.169.175.118 - mailcious
23.33.32.64
91.92.243.151 - mailcious
185.172.128.69 - malware
104.21.57.237 - mailcious
172.253.117.127
14.33.209.147
20.150.38.228
121.254.136.9
194.49.94.97 - malware
23.67.53.17
104.26.9.59
104.26.4.15
104.21.87.5
95.142.206.2 - mailcious
95.142.206.1 - mailcious
95.142.206.0 - mailcious
45.15.156.229 - mailcious
104.21.23.184 - malware
213.180.204.24
104.26.13.31
193.106.175.190 - malware
80.66.75.77 - mailcious
104.76.78.101 - mailcious
94.142.138.131 - mailcious
|
57
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET HUNTING Suspicious services.exe in URI
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Redline Stealer Activity (Response)
ET INFO Dotted Quad Host ZIP Request
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
|
10
http://zexeq.com/test2/get.php
http://45.15.156.229/api/tracemap.php
http://45.129.14.83/ch.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/firegate.php
http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/firecom.php
http://94.142.138.131/api/tracemap.php
http://176.113.115.84:8080/4.php
https://fdjbgkhjrpfvsdf.online/setup294.exe
|
7.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7213 |
2023-11-07 10:13
|
 bRoC.exe 07807c652283c997837c931b41c45f24
PE File PE32 .NET EXE VirusTotal Malware Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
pt.textbin.net(148.72.177.212)
148.72.177.212 - mailcious
121.254.136.18
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7214 |
2023-11-07 10:12
|
 aww.exe 3d74ec695d023d5a66cb239354445734
Malicious Library Malicious Packer PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
|
|
6.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7215 |
2023-11-07 10:12
|
 Runtime.exe bcbbef1fa9490ce2337f1bd74480e428
PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|