8056 | 2024-07-06 18:25
leva.exe de1f91ae5c55b1cbbc6d6561464d7d99 Gen1 EnigmaProtector Generic Malware Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Code Injection Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software crashed plugin |
URLs (8):
http://85.28.47.30/69934896f997d5bb/sqlite3.dll http://85.28.47.30/69934896f997d5bb/softokn3.dll http://85.28.47.30/69934896f997d5bb/vcruntime140.dll http://85.28.47.30/920475a59bac849d.php http://85.28.47.30/69934896f997d5bb/msvcp140.dll http://85.28.47.30/69934896f997d5bb/nss3.dll http://85.28.47.30/69934896f997d5bb/freebl3.dll http://85.28.47.30/69934896f997d5bb/mozglue.dll
IPs (3):
185.172.128.90 - mailcious 77.91.77.81 - mailcious 85.28.47.30 - mailcious
Suricata alerts (16):
ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
12.4 | M | 35 | ZeroCERT
8057 | 2024-07-06 18:25
CryptoWall.exe 919034c8efb9678f96b47a20fa6199f2 ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE Code Injection buffers extracted IP Check DNS |
URLs (2):
http://myexternalip.com/raw http://ip-addr.es/
IPs (10):
myexternalip.com(34.117.118.44) ip-addr.es(188.165.164.184) 34.117.118.44 91.121.12.127 188.165.164.184 94.247.28.26 94.247.31.19 185.172.128.90 - mailcious 209.148.85.151 94.247.28.156
Suricata alerts (3):
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO HTTP Request for External IP Check (ip-addr .es) ET POLICY External IP Check myexternalip.com
7.8 | M | 60 | ZeroCERT
8058 | 2024-07-06 18:22
univ.exe 217b817f890ef7fc49dc9207d55d2a01 GCleaner Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic human activity check DNS |
URLs (1):
http://185.172.128.90/cpa/name.php - rule_id: 39629
IPs (1):
185.172.128.90 - mailcious
Suricata alerts (1):
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
Rule-matched URLs (1):
http://185.172.128.90/cpa/name.php
3.4 | M | 57 | ZeroCERT
8059 | 2024-07-06 18:21
inte.exe 0da0d1efee859f1fe9cbd3bf5b428af6 Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic DNS |
URLs (1):
http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981
IPs (1):
185.172.128.90 - mailcious
Suricata alerts (1):
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
Rule-matched URLs (1):
http://185.172.128.90/cpa/ping.php
2.6 | M | 58 | ZeroCERT
8060 | 2024-07-06 18:20
mkl.js b0d0cfe2e3d3285272c07d5c32c96e44 AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Windows Gmail Browser Email ComputerName crashed keylogger |
IPs (2):
smtp.gmail.com(74.125.23.108) 142.251.8.108
Suricata alerts (2):
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.6 | - | 14 | ZeroCERT
8061 | 2024-07-06 18:18
datingloverstartingAgain.vbs 66decb1e47d3173c8046c1a921244190 VirusTotal Malware DNS |
URLs (1):
http://91.92.254.29/Users_API/BrainiacMAX/file_s40rzeho.5f4.txt
IPs (1):
2.0 | - | 7 | ZeroCERT
8062 | 2024-07-06 12:48
startupppp.bat f88fe8d8b25b85e6c7f7b31f71771193 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware Windows utilities WriteConsoleW Windows |
1.4 | - | 2 | ZeroCERT
8063 | 2024-07-06 12:48
e_Scan_Statement0037829.lnk db2f7df2e40e5b8901b42d3f56a186fc Generic Malware Antivirus Lnk Format GIF Format Creates shortcut unpack itself WriteConsoleW |
1.0 | - | - | ZeroCERT
8064 | 2024-07-06 12:48
ukbvxz01.lnk 5029bd93186f57a8f5b7978910999604 Generic Malware Antivirus Lnk Format GIF Format Creates shortcut unpack itself WriteConsoleW |
1.0 | - | - | ZeroCERT
8065 | 2024-07-05 22:38
64.exe 3e682955546fe3b6b1296a509ff80f65 Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser |
4.8 | M | 48 | guest
8066 | 2024-07-05 22:38
64.exe 3e682955546fe3b6b1296a509ff80f65 Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser |
4.8 | M | 48 | guest
8067 | 2024-07-05 17:50
РОСКОМНАДЗОР письмо Google Ana... adc398c253cff3c1acf9a48e78f5775d PDF VirusTotal Malware |
0.4 | - | 1 | guest
8068 | 2024-07-05 15:56
64.exe 3e682955546fe3b6b1296a509ff80f65 Malicious Library Malicious Packer UPX PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB MachineGuid Check memory Checks debugger Creates executable files unpack itself AntiVM_Disk sandbox evasion VM Disk Size Check Browser DNS |
IPs (1):
5.4 | M | 48 | ZeroCERT
8069 | 2024-07-05 15:54
Report.ps1 054618073752ea5823c98130114a3241 Hide_EXE Generic Malware task schedule Antivirus KeyLogger AntiDebug AntiVM Malware download AsyncRAT NetWireRC VirusTotal Malware Code Injection Check memory buffers extracted unpack itself DDNS |
IPs (2):
services-line2.freeddns.org(136.243.111.71) 136.243.111.71
Suricata alerts (3):
ET INFO DYNAMIC_DNS Query to a *.freeddns .org Domain ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) ET MALWARE Generic AsyncRAT Style SSL Cert
7.2 | - | 10 | ZeroCERT
8070 | 2024-07-05 15:01
Scandoc1114.exe 1028a0939cb0ce3475e93dcab08ebba8 Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
URLs (1):
IPs (4):
smtp.bureaubetak.co(208.91.199.224) api.ipify.org(172.67.74.152) 208.91.199.223 - mailcious 172.67.74.152
Suricata alerts (5):
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction ET MALWARE AgentTesla Exfil Via SMTP
9.4 | M | 51 | ZeroCERT