796 | 2024-08-21 14:01 | stealc_daval.exe | MD5 edcfe06a0db28ab97fdff4c3d57989dc
Tags: Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
URLs (17):
  http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
  http://185.215.113.17/2fb6c2cc8dce150a.php - rule_id: 275
  http://185.215.113.17/2fb6c2cc8dce150a.php
  http://185.215.113.17/f1ddeb6592c03206/mozglue.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
  http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
  http://185.215.113.17/f1ddeb6592c03206/softokn3.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
  http://185.215.113.17/ - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/nss3.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/nss3.dll
  http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
  http://185.215.113.17/f1ddeb6592c03206/freebl3.dll - rule_id: 275
  http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Hosts (1): not listed
Suricata alerts (16):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 33
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Flagged URLs (9): http://185.215.113.17/ (listed 9 times)
Score 8.4 | M | 57 | ZeroCERT
797 | 2024-08-21 13:59 | 66c08d2750ada_PilotEdit.exe | MD5 8c0700a14b053b5a71fb7060992f4da9
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware crashed
URLs / Hosts / Suricata alerts: none recorded
Score 1.4 | M | 40 | ZeroCERT
798 | 2024-08-21 13:57 | 66b9d56da3bee_main.exe | MD5 151992a5dbd1f0c6adc8b7d97b33bd32
Tags: Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software
URLs (2):
  https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879
  https://t.me/pech0nk
Hosts (5):
  t.me (149.154.167.99) - malicious
  steamcommunity.com (23.59.200.146) - malicious
  149.154.167.99 - malicious
  195.201.118.191 - malicious
  104.71.154.102
Suricata alerts (3):
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Flagged URLs (1): https://steamcommunity.com/profiles/76561199751190313
Score 15.6 | M | 60 | ZeroCERT
799 | 2024-08-21 13:57 | 66c4c6a2204b0_crypted.exe#1 | MD5 5cbad7345107123b9aa522533a0978d2
Tags: Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
URLs / Hosts / Suricata alerts: none recorded
Score 2.4 | M | 29 | ZeroCERT
800 | 2024-08-21 13:55 | 66bd012162049_crypted.exe | MD5 2b503d87bce8e2b33a70533884bd0e6d
Tags: RedLine stealer Malicious Library .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: none recorded
Hosts (1): not listed
Suricata alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
Score 13.2 | M | 59 | ZeroCERT
801 | 2024-08-21 13:54 | Dtrade_v1.3.6.exe | MD5 1f6c6f36d126cd027ded1915e321c693
Tags: Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware
URLs / Hosts / Suricata alerts: none recorded
Score 1.0 | M | 6 | ZeroCERT
802 | 2024-08-21 13:53 | 66c0f6e668215_stealc_test.exe | MD5 9dcd1be11b36b327ced51156db4f63be
Tags: Stealc Client SW User Data Stealer ftp Client info stealer Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin
URLs (9):
  http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
  http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
  http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
  http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
  http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
  http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
  http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
  http://46.8.231.109/ - rule_id: 42142
  http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
Hosts (1): not listed
Suricata alerts (15):
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Flagged URLs (2):
  http://46.8.231.109/c4754d4f680ead72.php
  http://46.8.231.109/
Score 12.4 | M | 57 | ZeroCERT
803 | 2024-08-21 13:52 | 66be35a2807ef_crypted.exe | MD5 e93bf642b8564c006f501145b32ec1f6
Tags: RedLine stealer ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs: none recorded
Hosts (1): not listed
Suricata alerts (6):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
Score 13.2 | M | 56 | ZeroCERT
804 | 2024-08-21 13:50 | 66bb9d818245b_MoonDescribing.e... | MD5 310e5c68c94e313befd538b9e999360a
Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName
URLs / Hosts / Suricata alerts: none recorded
Score 6.2 | M | 31 | ZeroCERT
805 | 2024-08-21 13:48 | 66bdc869b864d_stealc_cry.exe | MD5 175e665a8d0021510549eb8557b01bbf
Tags: Stealc Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX PE File PE32 Malware download VirusTotal Malware c&c Malicious Traffic Check memory unpack itself Stealc ComputerName DNS
URLs (2):
  http://193.176.190.41/ - rule_id: 42195
  http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
Hosts (1): 193.176.190.41 - malicious
Suricata alerts (1):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
Flagged URLs (2):
  http://193.176.190.41/
  http://193.176.190.41/2fa883eebd632382.php
Score 3.8 | M | 65 | ZeroCERT
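Entries 796, 802 and 805 share one HTTP shape: GETs for the NSS/sqlite/MSVC support DLLs from a /<16 hex>/ directory on a bare-IP host (the per-DLL ET HUNTING alerts and "Dotted Quad Host DLL Request"), and a request to /<16 hex>.php on the same host (the SEKOIA "Win32/Stealc C2 Check-in" alert). The script below is an added example, not code from this listing or from any vendor named in it. It correlates those two signals per client and host over proxy-style log lines so that a single DLL fetch does not page anyone while the full cluster does. The log format, client addresses, timestamps and the last two log lines are constructed for the example; the hosts and paths are copied from the entries above; the threshold of three distinct DLLs is an assumption, not a published rule.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# DLLs the ET HUNTING rules on this page alert on individually: the Mozilla
# NSS/sqlite stack a stealer needs to read Firefox/Thunderbird credential
# databases, plus the MSVC runtime those DLLs link against.
STEALER_DLLS = frozenset({
    "freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll",
    "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll",
})

# Path shapes taken from the listing: /<16 hex>/<dll> for the support DLLs
# and /<16 hex>.php for the check-in endpoint (entries 796, 802, 805).
HEX16 = r"[0-9a-f]{16}"
DLL_PATH = re.compile(rf"^/{HEX16}/(?P<dll>[a-z0-9_]+\.dll)$", re.I)
CHECKIN_PATH = re.compile(rf"^/{HEX16}\.php$", re.I)


def is_dotted_quad(host: str) -> bool:
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def parse_line(line: str) -> dict:
    """Constructed log format for this example: '<ts> <client> <method> <url>'."""
    ts, client, method, url = line.split(maxsplit=3)
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": u.hostname or "", "path": u.path or "/"}


def classify(ev: dict):
    """Return ('dll', name), ('checkin', path) or None for one request."""
    if not is_dotted_quad(ev["host"]):
        return None  # a vendor/CDN hostname serving vcruntime140.dll is normal
    m = DLL_PATH.match(ev["path"])
    if m and ev["method"] == "GET" and m.group("dll").lower() in STEALER_DLLS:
        return ("dll", m.group("dll").lower())
    if CHECKIN_PATH.match(ev["path"]):
        return ("checkin", ev["path"])
    return None


def hunt(lines, min_dlls: int = 3) -> list:
    """Correlate per (client, host): a cluster of support-DLL fetches and/or a
    hex-named .php request on the same bare-IP host. No time window is applied
    here (assumption for brevity); a production job would bucket by session."""
    seen = defaultdict(lambda: {"dlls": set(), "checkins": set()})
    for line in lines:
        ev = parse_line(line)
        hit = classify(ev)
        if hit is None:
            continue
        kind, value = hit
        seen[(ev["client"], ev["host"])][kind + "s"].add(value)
    findings = []
    for (client, host), b in sorted(seen.items()):
        dll_cluster = len(b["dlls"]) >= min_dlls
        if dll_cluster and b["checkins"]:
            confidence = "high"
        elif dll_cluster or b["checkins"]:
            confidence = "medium"
        else:
            continue  # e.g. one DLL from an IP host: below threshold, stays quiet
        findings.append({"client": client, "host": host, "confidence": confidence,
                         "dlls": sorted(b["dlls"]), "checkins": sorted(b["checkins"])})
    return findings


# Constructed proxy log: hosts and paths from entries 796, 802 and 805; client
# addresses, timestamps and the two 10.0.0.11 lines are made up.
SAMPLE_LOG = [
    "2024-08-21T14:01:02Z 10.0.0.5 GET http://185.215.113.17/",
    "2024-08-21T14:01:03Z 10.0.0.5 POST http://185.215.113.17/2fb6c2cc8dce150a.php",
    "2024-08-21T14:01:04Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll",
    "2024-08-21T14:01:04Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll",
    "2024-08-21T14:01:05Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll",
    "2024-08-21T14:01:05Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll",
    "2024-08-21T14:01:06Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll",
    "2024-08-21T14:01:06Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll",
    "2024-08-21T14:01:07Z 10.0.0.5 GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll",
    "2024-08-21T13:53:10Z 10.0.0.7 GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll",
    "2024-08-21T13:53:10Z 10.0.0.7 GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll",
    "2024-08-21T13:53:11Z 10.0.0.7 GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll",
    "2024-08-21T13:48:30Z 10.0.0.9 POST http://193.176.190.41/2fa883eebd632382.php",
    "2024-08-21T13:50:00Z 10.0.0.11 GET http://203.0.113.5/0123456789abcdef/sqlite3.dll",
    "2024-08-21T13:50:01Z 10.0.0.11 GET https://download.example.com/vc_redist/vcruntime140.dll",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The bare-IP condition is what keeps this quiet on legitimate traffic: installers do pull vcruntime140.dll and sqlite3.dll, but from a hostname, not from a hex-named directory on a dotted quad. A check-in with no DLL cluster (entry 805's pattern) is still reported, at lower confidence, because the stealer only fetches the DLLs once a browser profile is worth decrypting.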
806 | 2024-08-21 13:48 | meta.exe | MD5 3aace51d76b16a60e94636150bd1137e
Tags: RedLine stealer Malicious Library Malicious Packer Antivirus UPX PWS AntiDebug AntiVM PE File PE64 OS Processor Check RedLine Malware download VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory buffers extracted Stealer Remote Code Execution DNS
URLs: none recorded
Hosts (1): not listed
Suricata alerts (3):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 4
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
Score 7.0 | M | 41 | ZeroCERT
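The RedLine/MetaStealer entries (800, 803, 806) all trip "ET INFO Microsoft net.tcp Connection Initialization Activity" before any family-specific rule: that alert keys on the .NET Message Framing (MC-NMF) preamble a WCF NetTcpBinding client sends before its first message. The parser below is an added example, not code from this listing or from any vendor named in it. The record layout follows Microsoft's MS-NMF specification (Version, Mode, Via, KnownEncoding, PreambleEnd; server acknowledges with a single 0x0B byte). The sample preamble, the 203.0.113.10:5552 endpoint and the "bare IP in the Via URI" heuristic are constructed assumptions for triage; the page's family rules key on the later MC-NMF authorization exchange, which this example does not decode.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# MS-NMF record types that make up the connection preamble
VERSION, MODE, VIA, KNOWN_ENCODING = 0x00, 0x01, 0x02, 0x03
PREAMBLE_ACK, PREAMBLE_END = 0x0B, 0x0C
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF-8/SOAP1.1", 1: "UTF-16/SOAP1.1", 2: "UnicodeLE/SOAP1.1",
             3: "UTF-8/SOAP1.2", 4: "UTF-16/SOAP1.2", 5: "UnicodeLE/SOAP1.2",
             6: "MTOM", 7: "Binary", 8: "Binary+InBandDictionary"}


def encode_varint(n: int) -> bytes:
    """NMF size field: little-endian base-128, high bit marks continuation."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def read_varint(buf: bytes, pos: int):
    value = shift = 0
    while True:
        b = buf[pos]  # IndexError on truncation is handled by assess()
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 35:
            raise ValueError("size field too long")


def build_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """What a WCF NetTcpBinding client sends first (duplex, binary encoding)."""
    v = via.encode("utf-8")
    return (bytes([VERSION, 1, 0]) + bytes([MODE, mode]) + bytes([VIA])
            + encode_varint(len(v)) + v + bytes([KNOWN_ENCODING, encoding])
            + bytes([PREAMBLE_END]))


def parse_preamble(buf: bytes):
    """Walk records until PreambleEnd; raise ValueError for anything that is
    not a well-formed NMF preamble. Returns (fields, bytes consumed)."""
    pos, out = 0, {}
    while pos < len(buf):
        rec = buf[pos]
        pos += 1
        if rec == VERSION:
            major, minor = buf[pos], buf[pos + 1]
            pos += 2
            if (major, minor) != (1, 0):
                raise ValueError(f"unsupported NMF version {major}.{minor}")
            out["version"] = (major, minor)
        elif rec == MODE:
            out["mode"] = MODES.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == VIA:
            n, pos = read_varint(buf, pos)
            out["via"] = buf[pos:pos + n].decode("utf-8")
            pos += n
        elif rec == KNOWN_ENCODING:
            out["encoding"] = ENCODINGS.get(buf[pos], f"unknown({buf[pos]})")
            pos += 1
        elif rec == PREAMBLE_END:
            if "via" not in out:
                raise ValueError("preamble ended without a Via record")
            return out, pos
        else:
            raise ValueError(f"unexpected record 0x{rec:02x} in preamble")
    raise ValueError("preamble not terminated")


def assess(client_bytes: bytes):
    """Triage the first bytes a client sent on a TCP session. Returns
    (verdict, fields). 'suspect-net.tcp' is the assumed heuristic for this
    example: valid framing whose Via names a bare IP instead of a hostname."""
    try:
        pre, _ = parse_preamble(client_bytes)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "not-nmf", {}
    u = urlsplit(pre["via"])
    try:
        ip_address(u.hostname or "")
        bare_ip = True
    except ValueError:
        bare_ip = False
    pre.update({"host": u.hostname, "port": u.port})
    if u.scheme == "net.tcp" and bare_ip:
        return "suspect-net.tcp", pre
    return ("net.tcp" if u.scheme == "net.tcp" else "nmf-other-scheme"), pre


def is_preamble_ack(server_bytes: bytes) -> bool:
    """A server that speaks NMF accepts the preamble with a single 0x0B byte."""
    return server_bytes[:1] == bytes([PREAMBLE_ACK])


# Constructed session: an endpoint on a bare IP with a made-up port.
CONSTRUCTED_CLIENT_HELLO = build_preamble("net.tcp://203.0.113.10:5552/")

if __name__ == "__main__":
    print(assess(CONSTRUCTED_CLIENT_HELLO))
    print(assess(b"GET / HTTP/1.1\r\n"))
```

Running assess() on the first client payload of every new TCP session gives the same first-stage signal as the ET INFO rule, plus the Via URI, which a Suricata alert line does not carry; the port and host from that URI are what you pivot on next. Legitimate WCF services normally sit behind a hostname on an internal port, so a Duplex, binary-encoded preamble whose Via is net.tcp://<public IP>:<odd port>/ is worth a second look even before any family rule fires.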
807 | 2024-08-21 13:47 | 66bf6d1018bb1_deskman.exe | MD5 9b3fcb53cc12bc68eb44db3e55ad4731
Tags: Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll MSOffice File OS Processor Check VirusTotal Malware
URLs / Hosts / Suricata alerts: none recorded
Score 1.0 | M | 37 | ZeroCERT
808 | 2024-08-21 13:47 | klds.exe | MD5 06f3cde26cf65abbf65884e0ea52a40c
Tags: XWorm Generic Malware WebCam Malicious Library Antivirus UPX KeyLogger AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware powershell Telegram Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Remote Code Execution DNS Cryptographic key keylogger
URLs: none recorded
Hosts (2):
  api.telegram.org (149.154.167.220) - malicious
  149.154.167.220 - malicious
Suricata alerts (4):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score 12.6 | M | 5 | ZeroCERT
809 | 2024-08-21 13:46 | Setup2.exe | MD5 37263ede84012177cab167dc23457074
Tags: Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 VirusTotal Malware Check memory unpack itself suspicious TLD DNS
URLs: none recorded
Hosts (1): not listed
Suricata alerts (1):
  ET DNS Query to a *.top domain - Likely Hostile
Score 2.6 | M | 43 | ZeroCERT
810 | 2024-08-21 13:43 | 66b9d0b4a2cab_stealc.exe | MD5 0bdfd2ac36beee175c70cce6e11ed893
Tags: Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS AntiDebug AntiVM PE File ftp .NET EXE PE32 OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS
URLs: none recorded
Hosts (1): not listed
Suricata alerts: none recorded
Score 10.4 | M | 56 | ZeroCERT