| 796 |
2024-08-21 14:01
|
 stealc_daval.exe edcfe06a0db28ab97fdff4c3d57989dc
Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin |
17
http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
http://185.215.113.17/2fb6c2cc8dce150a.php - rule_id: 275
http://185.215.113.17/2fb6c2cc8dce150a.php
http://185.215.113.17/f1ddeb6592c03206/mozglue.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
http://185.215.113.17/f1ddeb6592c03206/softokn3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
http://185.215.113.17/ - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/nss3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/nss3.dll
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
http://185.215.113.17/f1ddeb6592c03206/freebl3.dll - rule_id: 275
http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
|
1
|
16
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
9
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
http://185.215.113.17/
|
8.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 797 |
2024-08-21 13:59
|
 66c08d2750ada_PilotEdit.exe 8c0700a14b053b5a71fb7060992f4da9
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 798 |
2024-08-21 13:57
|
 66b9d56da3bee_main.exe 151992a5dbd1f0c6adc8b7d97b33bd32
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 FTP Client Info Stealer VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199751190313 - rule_id: 41879
https://t.me/pech0nk
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
195.201.118.191 - mailcious
104.71.154.102
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199751190313
|
15.6 |
M |
60 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 799 |
2024-08-21 13:57
|
 66c4c6a2204b0_crypted.exe#1 5cbad7345107123b9aa522533a0978d2
Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName |
|
|
|
|
2.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 800 |
2024-08-21 13:55
|
 66bd012162049_crypted.exe 2b503d87bce8e2b33a70533884bd0e6d
RedLine stealer Malicious Library .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.2 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 801 |
2024-08-21 13:54
|
 Dtrade_v1.3.6.exe 1f6c6f36d126cd027ded1915e321c693
Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
M |
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 802 |
2024-08-21 13:53
|
 66c0f6e668215_stealc_test.exe 9dcd1be11b36b327ced51156db4f63be
Stealc Client SW User Data Stealer ftp Client info stealer Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download Vidar VirusTotal Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
9
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
|
1
|
15
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
2
http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/
|
12.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 803 |
2024-08-21 13:52
|
 66be35a2807ef_crypted.exe e93bf642b8564c006f501145b32ec1f6
RedLine stealer ScreenShot PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
6
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
|
|
13.2 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 804 |
2024-08-21 13:50
|
 66bb9d818245b_MoonDescribing.e... 310e5c68c94e313befd538b9e999360a
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Windows ComputerName |
|
|
|
|
6.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 805 |
2024-08-21 13:48
|
 66bdc869b864d_stealc_cry.exe 175e665a8d0021510549eb8557b01bbf
Stealc Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX PE File PE32 Malware download VirusTotal Malware c&c Malicious Traffic Check memory unpack itself Stealc ComputerName DNS |
2
http://193.176.190.41/ - rule_id: 42195
http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
|
1
193.176.190.41 - mailcious
|
1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
|
2
http://193.176.190.41/
http://193.176.190.41/2fa883eebd632382.php
|
3.8 |
M |
65 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 806 |
2024-08-21 13:48
|
 meta.exe 3aace51d76b16a60e94636150bd1137e
RedLine stealer Malicious Library Malicious Packer Antivirus UPX PWS AntiDebug AntiVM PE File PE64 OS Processor Check RedLine Malware download VirusTotal Malware Microsoft PDB suspicious privilege Code Injection Check memory buffers extracted Stealer Remote Code Execution DNS |
|
1
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
|
|
7.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 807 |
2024-08-21 13:47
|
 66bf6d1018bb1_deskman.exe 9b3fcb53cc12bc68eb44db3e55ad4731
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll MSOffice File OS Processor Check VirusTotal Malware |
|
|
|
|
1.0 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 808 |
2024-08-21 13:47
|
 klds.exe 06f3cde26cf65abbf65884e0ea52a40c
XWorm Generic Malware WebCam Malicious Library Antivirus UPX KeyLogger AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware powershell Telegram Buffer PE AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName Remote Code Execution DNS Cryptographic key keylogger |
|
2
api.telegram.org(149.154.167.220) - mailcious
149.154.167.220 - mailcious
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 809 |
2024-08-21 13:46
|
 Setup2.exe 37263ede84012177cab167dc23457074
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 VirusTotal Malware Check memory unpack itself suspicious TLD DNS |
|
1
|
1
ET DNS Query to a *.top domain - Likely Hostile
|
|
2.6 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 810 |
2024-08-21 13:43
|
 66b9d0b4a2cab_stealc.exe 0bdfd2ac36beee175c70cce6e11ed893
Client SW User Data Stealer ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS AntiDebug AntiVM PE File ftp .NET EXE PE32 OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted unpack itself DNS |
|
1
|
|
|
10.4 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|