7981 | 2023-10-06 09:36 | d9e1c3_0ec2df3125b34e10ad269f8... | 5e63744a4fad5be640aa0a7a2e444a3d
Tags: Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
Score: 1.4 | | 3 | ZeroCERT
7982 | 2023-10-06 08:03 | foto3553.exe | 53ffe4a2e5ff91672c96597ebece2470
Tags: RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
URLs (34):
  http://5.42.92.211/loghub/master - rule_id: 36282
  http://77.91.124.1/theme/index.php
  https://facebook.com/security/hsts-pixel.gif?c=3.2.5
  https://www.facebook.com/favicon.ico
  https://accounts.google.com/generate_204?qq0oQg
  https://www.facebook.com/login
  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
  https://accounts.google.com/_/bscframe
  https://accounts.google.com/generate_204?zRkItw
  https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhcLz_cnXDIXvz3QIMY97r1jrsQOAnIw1tmulVERc2o6bSWlDbcLriBPSZgdPt1S1cy1gKwoqw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1912069806%3A1696546479888140
  https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
  https://fbsbx.com/security/hsts-pixel.gif?c=5
  https://connect.facebook.net/security/hsts-pixel.gif
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhe5IhkTCdrQCA1yPVmt1oDA_voOW_A_ZqyCLTPdvHyGXJzE-RO7xy3BTH2BA1gxFU3WhShv
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdK1mkizJfifk30A2wUFICseNNCEjJIeVPM5FdrF5tEWuvZIe1OSLr4tRhi1BGsuGKKyagnGg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S2064279959%3A1696546472842958
  https://accounts.google.com/
  https://static.xx.fbcdn.net/rsrc.php/v3/yF/l/0,cross/LSAcIwftMnp.css?_nc_x=Ij3Wp8lg5Kz
  https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
  https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
  https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/dSpVEafK7Ja.css?_nc_x=Ij3Wp8lg5Kz
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcDvrRvELv2YHAoIozHL4ARKVAwdXih1YzNwd9N0tcW7AThR1PqnPYFBUHlbxzCE9fKQvd2Mg
  https://fbcdn.net/security/hsts-pixel.gif?c=2.5
  https://static.xx.fbcdn.net/rsrc.php/v3/yT/l/0,cross/g5qw7MkrAMe.css?_nc_x=Ij3Wp8lg5Kz
  https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
  https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
  https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhemK6vxa5aVksbZqVqKrPQQwbOqA9SxEdxfxB3QOQidRlZmc0xXtRUEuzzNGlhNobYw0k8Y_g&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S906761759%3A1696546534329684
  https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/C7x9HQY1590.js?_nc_x=Ij3Wp8lg5Kz
  https://accounts.google.com/generate_204?qMW9GQ
  https://static.xx.fbcdn.net/rsrc.php/v3/yX/l/0,cross/3YxNg1jSEBd.css?_nc_x=Ij3Wp8lg5Kz
  https://static.xx.fbcdn.net/rsrc.php/v3/yS/r/4Gbx36-Nu9e.js?_nc_x=Ij3Wp8lg5Kz
  https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdyfADyPcA7yLXC6h_tQmdvglNolQT6NRsBxSOYAOP9cQ5q7sygQlUcHMx3zc8TEcngtPmlTw
  https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
  https://static.xx.fbcdn.net/rsrc.php/v3/yk/l/0,cross/mZN0_xqSmFF.css?_nc_x=Ij3Wp8lg5Kz
Hosts (18):
  ssl.gstatic.com(172.217.25.163)
  www.facebook.com(157.240.215.35)
  fbsbx.com(157.240.215.35)
  www.google.com(142.250.206.228)
  static.xx.fbcdn.net(157.240.215.14)
  fbcdn.net(157.240.215.35)
  accounts.google.com(172.217.25.173)
  connect.facebook.net(157.240.215.14)
  facebook.com(157.240.215.35)
  142.251.130.4
  142.251.130.13
  157.240.215.14
  77.91.124.55 - mailcious
  77.91.68.52 - mailcious
  77.91.124.1 - malware
  157.240.215.35
  5.42.92.211 - mailcious
  172.217.24.67
IDS alerts (20):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Activity (Response)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO PS1 Powershell File Request
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Malicious URLs (1):
  http://5.42.92.211/loghub/master
Score: 26.8 | M | | ZeroCERT
7983 | 2023-10-06 08:03 | rus.exe | fa89b094ca8c9caaa69758e0c0385d5e
Tags: Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware PDB Code Injection buffers extracted
Score: 7.4 | M | | ZeroCERT
7984 | 2023-10-06 08:01 | mstsc.exe | 65c7d9e822c9f2b8291202128644e825
Tags: Malicious Library UPX PE File PE32 OS Processor Check PDB DNS
Hosts (1):
Score: 2.6 | M | | ZeroCERT
7985 | 2023-10-06 08:00 | Wblxhuaksujvhq.exe | c7fcb915a272045036e5d8e0de23fd5a
Tags: Malicious Library UPX PE File PE32 MZP Format RWX flags setting unpack itself Tofsee Interception crashed
Hosts (2):
  onedrive.live.com(13.107.42.13) - mailcious
  13.107.42.13 - mailcious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 2.4 | M | | ZeroCERT
7986 | 2023-10-06 07:59 | nano.exe | 501bd8c4a18e386f240b6d77d388cbb3
Tags: Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Malware PDB Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS
URLs (1):
  http://5.42.92.211/loghub/master - rule_id: 36282
Hosts (1):
IDS alerts (2):
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
Malicious URLs (1):
  http://5.42.92.211/loghub/master
Score: 7.6 | M | | ZeroCERT
7987 | 2023-10-06 07:58 | trafico.exe | 5aac2b17c8da70fd4386a66974d5206c
Tags: Malicious Library PE File PE32
Score: 0.6 | M | | ZeroCERT
7988 | 2023-10-06 07:58 | legend.exe | ef2de4a8a06f86867f6e460e88919515
Tags: NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
Hosts (2):
  api.ipify.org(173.231.16.77)
  64.185.227.156
IDS alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.6 | M | | ZeroCERT
7989 | 2023-10-06 07:56 | audiodg.exe | b04c242731d9afd15433f4e2d8049f35
Tags: .NET framework(MSIL) PE File PE32 .NET EXE Check memory Checks debugger unpack itself
Score: 1.2 | M | | ZeroCERT
7990 | 2023-10-06 07:54 | EpPDrE.exe | 85d3d194ec107f5b92a7d9e6a9d06ef0
Tags: Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check crashed
Score: 0.2 | M | | ZeroCERT
7991 | 2023-10-06 07:54 | HTML.exe | b080010f26154310dc09d7154d6a898c
Tags: LokiBot Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (2):
  api.ipify.org(104.237.62.212)
  64.185.227.156
IDS alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 11.8 | M | | ZeroCERT
7992 | 2023-10-06 07:52 | vlc.exe | e30cd25b2b31a0c5f19f9c3f5818b242
Tags: RedLine stealer UPX AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
IDS alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 19
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Activity (Response)
Score: 9.8 | M | | ZeroCERT
7993 | 2023-10-06 07:52 | dorime.exe | a889a7cca1cbb0680532b62569d9e362
Tags: LokiBot UPX .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
URLs (1):
  http://45.77.76.224/~clinics/?check
Hosts (1):
IDS alerts (5):
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
Score: 12.4 | M | | ZeroCERT
7994 | 2023-10-06 07:49 | audiodg.exe | fca38d9f17a13f01c024777d8b81ccf4
Tags: PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed
Score: 9.6 | M | | ZeroCERT
7995 | 2023-10-06 07:49 | 2-3-0_2023-10-05_14-14.exe | 56e563840a12f6725c08c20577b1e1fe
Tags: Malicious Library UPX PE File PE32 OS Processor Check PDB
Score: 0.6 | M | | ZeroCERT