751 | 2024-08-22 15:51
File: ioqjWeKazzLuiTHfd.exe
MD5: 06ef63fcb30cb75b38e13a0a12764097
Tags: Generic Malware Malicious Library Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (6):
  api.telegram.org(149.154.167.220) - mailcious
  reallyfreegeoip.org(104.21.67.152)
  checkip.dyndns.org(132.226.8.169)
  193.122.6.168
  104.21.67.152
  149.154.167.220 - mailcious
Signatures (9):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
15.2 | M | 45 | ZeroCERT

752 | 2024-08-22 15:50
File: butteryummycakechocolatebunrea...
MD5: 7d3b215b98532e8570e22f353da4223e
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1):
  http://82.197.64.93/112/niceworkofyummybutterbun.tIF
Hosts (3):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
  82.197.64.93 - mailcious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 38 | ZeroCERT

753 | 2024-08-22 15:48
File: crypted8888.exe
MD5: 031836b5b4c2fc0ba30f29e8a936b24e
Tags: Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
2.8 | M | 48 | ZeroCERT

754 | 2024-08-22 15:48
File: ioqjWeKazzLuiTHfd.doc
MD5: 16ddde7b45c040f9fb63e73863134f5c
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Exploit DNS crashed
URLs (1):
  http://154.216.18.222/simulators/ioqjWeKazzLuiTHfd.exe
Hosts (1):
Signatures (1):
  ET INFO Executable Download from dotted-quad Host
4.6 | M | 36 | ZeroCERT

755 | 2024-08-22 15:29
File: random.exe
MD5: a2914123bfcdb29e06dc8283ffb24aef
Tags: Stealc Gen1 Generic Malware Malicious Library UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare sandbox evasion VMware anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin
URLs (9):
  http://185.215.113.100/0d60be0de163924d/mozglue.dll
  http://185.215.113.100/0d60be0de163924d/nss3.dll
  http://185.215.113.100/0d60be0de163924d/freebl3.dll
  http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
  http://185.215.113.100/0d60be0de163924d/sqlite3.dll
  http://185.215.113.100/ - rule_id: 41969
  http://185.215.113.100/e2b1563c6670f193.php - rule_id: 41968
  http://185.215.113.100/0d60be0de163924d/softokn3.dll
  http://185.215.113.100/0d60be0de163924d/msvcp140.dll
Hosts (1):
  185.215.113.100 - mailcious
Signatures (16):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (2):
  http://185.215.113.100/
  http://185.215.113.100/e2b1563c6670f193.php
12.2 | M | 29 | ZeroCERT

756 | 2024-08-22 15:28
File: random.exe
MD5: 2793052c06a09759b35d30e329294b6a
Tags: Generic Malware Downloader Malicious Library Malicious Packer UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 Browser Info Stealer VirusTotal Malware MachineGuid Code Injection Checks debugger Creates executable files exploit crash Windows utilities suspicious process malicious URLs installed browsers check Windows Exploit Browser crashed
10.2 | M | 33 | ZeroCERT

757 | 2024-08-22 15:26
File: fc.exe
MD5: 36c1f4bde9faa23abacb87a2d090ce77
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Check memory buffers extracted Creates shortcut unpack itself Collect installed applications sandbox evasion IP Check installed browsers check Tofsee Ransomware MeduzaStealer Stealer Browser Email ComputerName Trojan Banking DNS
Hosts (4):
  api.ipify.org(172.67.74.152)
  104.26.13.205
  172.67.177.134
  77.105.147.243
Signatures (8):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
  ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2
  ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
  SURICATA Applayer Protocol detection skipped
12.4 | M | 30 | ZeroCERT

758 | 2024-08-22 15:25
File: 8.exe
MD5: 7ff76b5beb86b5301239bba18f72e18c
Tags: Malicious Packer UPX PE File PE32 VirusTotal Malware MachineGuid Check memory WMI Check virtual network interfaces AntiVM_Disk VM Disk Size Check Windows ComputerName
4.0 | M | 25 | ZeroCERT

759 | 2024-08-22 15:25
File: critalixfree1.exe
MD5: dac84ff02014b5a5302123b09ca992a4
Tags: UPX PE File PE64 OS Processor Check VirusTotal Malware PDB
1.2 | M | 34 | ZeroCERT

760 | 2024-08-22 15:13
File: 098.exe
MD5: d62734be89eafc36d0f9fc8f3d3f0b60
Tags: ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Downloader
URLs (1):
  http://147.45.44.131/files/pp.exe
Hosts (1):
Signatures (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
9.8 | M | 36 | ZeroCERT

761 | 2024-08-22 15:12
File: 421.exe
MD5: 25c75c74ec87ede8338e514ed520126d
Tags: UPX PE File PE32 VirusTotal Malware
1.2 | M | 48 | ZeroCERT

762 | 2024-08-22 15:11
File: yummybuttercakeaddedchocolatew...
MD5: ce3b08f58d579862f5b03bb1f563f9f9
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed
3.2 | M | 33 | ZeroCERT

763 | 2024-08-22 15:10
File: creambutterbunwhichtastyandyum...
MD5: 7d9390f8ceb53bcf05fe13ad7c3f9c8f
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (1):
  http://198.46.174.158/xampp/myu/weknowsmoothbuttersmoothbun.tIF
Hosts (3):
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
  198.46.174.158 - mailcious
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.8 | M | 40 | ZeroCERT

764 | 2024-08-22 15:09
File: lOpkseAloegPhxxAcv.exe
MD5: 8457be7f4b6910dc68805dacb8009200
Tags: Generic Malware Malicious Library Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (2):
  http://checkip.dyndns.org/
  https://reallyfreegeoip.org/xml/175.208.134.152
Hosts (6):
  checkip.dyndns.org(132.226.247.73)
  reallyfreegeoip.org(172.67.177.134)
  api.telegram.org(149.154.167.220) - mailcious
  193.122.6.168
  172.67.177.134
  149.154.167.220 - mailcious
Signatures (9):
  ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
  ET HUNTING Telegram API Domain in DNS Lookup
15.2 | M | 52 | ZeroCERT

765 | 2024-08-22 15:09
File: pp.exe
MD5: 3b767e28d61198d14a3ef101f0c7006a
Tags: UPX PE File PE32 VirusTotal Malware
1.2 | M | 40 | ZeroCERT