811 | 2024-08-21 13:42
66bb584acc7f2_stealc_default.v... 769696b4d235e0184c2c8099e39b2394
Stealc Client SW User Data Stealer Gen1 ftp Client info stealer Generic Malware Malicious Library .NET framework(MSIL) UPX Malicious Packer Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware c&c PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
9
  http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
  http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
  http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
  http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
  http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
  http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
  http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
  http://46.8.231.109/ - rule_id: 42142
  http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
3
  siscorp.mx(162.241.63.30)
  46.8.231.109 - mailcious
  162.241.63.30 - mailcious
17
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
2
  http://46.8.231.109/c4754d4f680ead72.php
  http://46.8.231.109/
15.2 | M | 61 | ZeroCERT
812 | 2024-08-21 13:41
shost.exe 10a826203139ab5be148ca3ff88b8acc
Malicious Packer PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
2
  zakariya-ayt-amran.github.io(185.199.110.153)
  185.199.108.153 - malware
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 43 | ZeroCERT
813 | 2024-08-21 13:39
66c4c6ec7d961_crypto.exe#kiscr 2bd4145da31909b2dc0d423a626224a7
Stealc Client SW User Data Stealer ftp Client info stealer Malicious Library Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Malware download VirusTotal Malware c&c PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Stealc ComputerName DNS
2
  http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
  http://193.176.190.41/ - rule_id: 42195
1
  193.176.190.41 - mailcious
1
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
2
  http://193.176.190.41/2fa883eebd632382.php
  http://193.176.190.41/
10.2 | M | 14 | ZeroCERT
814 | 2024-08-21 13:38
equitoxxxxMPDW-constraints.vbs ccc5d8eb11c324a27d34d506c968e862
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
1
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
2
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.6 | M | 2 | ZeroCERT
815 | 2024-08-21 13:38
66bf6d1018bb1_deskman.exe 9b3fcb53cc12bc68eb44db3e55ad4731
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 DllRegisterServer dll MSOffice File OS Processor Check VirusTotal Malware
1.0 | M | 37 | ZeroCERT
816 | 2024-08-21 13:37
channel.exe 51dd8d9912686daa950d583dad0aa631
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 VirusTotal Malware Check memory suspicious TLD DNS
1
1
  ET DNS Query to a *.top domain - Likely Hostile
2.2 | M | 46 | ZeroCERT
817 | 2024-08-21 13:36
66bf19d6c5d07_crypto.exe 154fd6d5fd624c6568c2d0fd9958c4ea
Stealc Client SW User Data Stealer ftp Client info stealer Malicious Library .NET framework(MSIL) Http API PWS AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Malware c&c PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS Software crashed plugin
9
  http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll
  http://193.176.190.41/9e7fbd3f0393ef32/freebl3.dll
  http://193.176.190.41/ - rule_id: 42195
  http://193.176.190.41/9e7fbd3f0393ef32/msvcp140.dll
  http://193.176.190.41/9e7fbd3f0393ef32/softokn3.dll
  http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll
  http://193.176.190.41/2fa883eebd632382.php - rule_id: 42194
  http://193.176.190.41/9e7fbd3f0393ef32/vcruntime140.dll
  http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll
1
  193.176.190.41 - mailcious
15
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
2
  http://193.176.190.41/
  http://193.176.190.41/2fa883eebd632382.php
15.2 | M | 53 | ZeroCERT
818 | 2024-08-21 13:36
66bb989993888_crypted.exe a62c9cdf5e2ae4abf97dcf5dc6e4bd7d
RedLine stealer Malicious Library .NET framework(MSIL) AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
1
1
  ET DROP Spamhaus DROP Listed Traffic Inbound group 23
10.4 | M | 59 | ZeroCERT
819 | 2024-08-21 13:35
createdbutterbunwithnewyummybu... a175c53485e3d9d87b47bb3b44fb3088
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
1
  https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
2
  ia803104.us.archive.org(207.241.232.154) - malware
  207.241.232.154 - malware
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.6 | M | 4 | ZeroCERT
820 | 2024-08-21 13:31
66bb9a6db079b_Install.exe 9fa963a49ddd929dce9ca2afe761845a
Generic Malware Malicious Library Malicious Packer UPX PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Check memory Checks debugger Creates executable files unpack itself AppData folder crashed
3.4 | M | 42 | ZeroCERT
821 | 2024-08-21 13:31
Vn70wVxW.exe 2d340fd6abb83c75fb8d07b8290a66d5
Antivirus PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself ComputerName
2.4 | M | 28 | ZeroCERT
822 | 2024-08-21 13:30
coreplugin.exe 9954f7ed32d9a20cda8545c526036143
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName
6.2 | M | 33 | ZeroCERT
823 | 2024-08-21 13:29
clcs.exe 0f9281146d61bc606140a1ab69feb60d
Generic Malware Admin Tool (Sysinternals etc ...) UPX PE File PE32 Browser Info Stealer Malware download VirusTotal Malware Malicious Traffic Check memory buffers extracted Collect installed applications suspicious TLD anti-virtualization installed browsers check CryptBot Browser ComputerName DNS crashed
1
  http://fivexx5vt.top/v1/upload.php
2
  fivexx5vt.top(185.244.181.38)
  185.244.181.38
3
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
  ET INFO HTTP Request to a *.top domain
6.0 | M | 27 | ZeroCERT
824 | 2024-08-21 13:29
DiskUtility.exe 11f656a0e8ab8563f91028a3c95802e5
Malicious Packer PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
2
  zakariya-ayt-amran.github.io(185.199.108.153)
  185.199.109.153 - malware
1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.6 | M | 50 | ZeroCERT
825 | 2024-08-21 13:28
Identification.exe 2ecb08bc874649148c0b23e832f522f7
Emotet Malicious Library UPX PE File PE64 MZP Format OS Processor Check VirusTotal Malware unpack itself
1.8 | | 6 | ZeroCERT