8806 | 2023-11-21 08:02 | pdf.exe | ef9428407424cc578442727f6fe3bc5e
Tags: UPX Malicious Library PWS SMTP AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (2):
  103.212.81.155
  91.215.85.23 - mailcious
Alerts (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
13.8 | M | 46 | ZeroCERT

8807 | 2023-11-21 08:00 | smo.exe | d117bdd49deff0dc9c560ed4a03d3a5f
Tags: Emotet Gen1 Malicious Library UPX PE32 PE File CAB Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
  ipinfo.io(34.117.59.81)
  db-ip.com(104.26.5.15)
  194.49.94.152 - mailcious
  104.26.4.15
  34.117.59.81
Alerts (7):
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
18.4 | M | 42 | ZeroCERT

8808 | 2023-11-21 08:00 | jurojarem2.1.exe | 0a1d0f4a278dff187347c1544ab3dc6a
Tags: NSIS Malicious Library UPX PE32 PE File OS Processor Check Remcos VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself AppData folder Windows DNS DDNS
URLs (1):
  http://geoplugin.net/json.gp
Hosts (4):
  geoplugin.net(178.237.33.50)
  sheddy1122.ddns.net(103.212.81.155) - mailcious
  103.212.81.155
  178.237.33.50
Alerts (2):
  ET POLICY DNS Query to DynDNS Domain *.ddns .net
  ET JA3 Hash - Remcos 3.x TLS Connection
5.0 | M | 34 | ZeroCERT

8809 | 2023-11-21 08:00 | photo_dnkafan3.exe | 3d2fc3836a767e534bd36c889287b7c9
Tags: Emotet Gen1 Malicious Library UPX Malicious Packer PE32 PE File DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin
URLs (8):
  http://185.78.76.13/a0e4e3bc83b3e685/freebl3.dll
  http://185.78.76.13/a0e4e3bc83b3e685/msvcp140.dll
  http://185.78.76.13/a0e4e3bc83b3e685/nss3.dll
  http://185.78.76.13/a0e4e3bc83b3e685/sqlite3.dll
  http://185.78.76.13/21b9c0db1dfb4718.php
  http://185.78.76.13/a0e4e3bc83b3e685/mozglue.dll
  http://185.78.76.13/a0e4e3bc83b3e685/softokn3.dll
  http://185.78.76.13/a0e4e3bc83b3e685/vcruntime140.dll
Hosts (1)
Alerts (15):
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
6.8 | M | 19 | ZeroCERT

8810 | 2023-11-21 07:57 | hvupdater12.exe | 68392cd3b6d0900a123e3c474737a068
Tags: Generic Malware Malicious Library Malicious Packer Antivirus PE32 PE File VirusTotal Malware AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
Hosts (2):
  213.139.207.234
  179.60.147.176 - mailcious
7.6 | M | 53 | ZeroCERT

8811 | 2023-11-21 07:55 | test20.exe | fbd70a366b8f1c3e25e080cdd553930f
Tags: Malicious Library Malicious Packer UPX PE File PE64 Malware download NetWireRC VirusTotal Malware Malicious Traffic Check virtual network interfaces WriteConsoleW RAT DNS ChaosRAT
URLs (3):
  http://179.60.147.176:8080/health
  http://179.60.147.176:8080/client
  http://179.60.147.176:8080/device
Hosts (1):
  179.60.147.176 - mailcious
Alerts (4):
  ET MALWARE CHAOS RAT CnC Server Status Check
  ET MALWARE CHAOS RAT Client Checkin
  ET USER_AGENTS Go HTTP Client User-Agent
  ET MALWARE Win32/Khaosz.A!MTB Checkin
3.8 | M | 16 | ZeroCERT

8812 | 2023-11-21 07:55 | build.exe | aa90f740f20462601a90fafdf37a4b82
Tags: Malicious Library UPX PE32 PE File OS Processor Check VirusTotal Malware unpack itself Windows crashed
2.6 | M | 30 | ZeroCERT

8813 | 2023-11-20 09:58 | conhost.exe | 0c648321522607509014810fa9850703
Tags: XMRig Miner Emotet Cryptocurrency Miner Generic Malware Suspicious_Script_Bin CoinHive Cryptocurrency task schedule Downloader Malicious Library UPX Antivirus Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate pri VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key
URLs (4):
  http://45.15.156.116/WatchDog.exe
  http://45.15.156.116/WinRing0x64.sys
  http://45.15.156.116/xmrig.exe
  https://pastebin.com/raw/ZRRRiwsq
Hosts (3):
  pastebin.com(104.20.67.143) - mailcious
  45.15.156.116 - malware
  104.20.67.143 - mailcious
Alerts (6):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
13.4 | M | 46 | ZeroCERT

8814 | 2023-11-20 09:58 | brandrock.exe | deb1df6e8090653848506c1e9a1e32f8
Tags: NPKI HermeticWiper Generic Malware NSIS Suspicious_Script Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Blob AntiDebug AntiVM PE32 PE File .NET EXE PNG Format JPEG Format OS Processor Check ZIP Format Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check Ransomware crashed
10.8 | M | | ZeroCERT

8815 | 2023-11-20 09:56 | svchost.exe | a4212217a2e90127cf2870215d72edf5
Tags: Obsidium protector UPX PE File PE64 .NET EXE VirusTotal Malware Windows crashed
2.6 | M | 44 | ZeroCERT

8816 | 2023-11-20 09:55 | updater3.exe | 47437b8a25c634828593283d0679063a
Tags: RedLine stealer Gen1 NSIS Downloader Generic Malware Malicious Library UPX Malicious Packer Javascript_Blob Anti_VM PE32 PE File ftp DLL PE64 OS Processor Check MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder IP Check Ransomware crashed
Hosts (1)
6.2 | M | 4 | ZeroCERT

8817 | 2023-11-20 09:55 | Lwsecure_beta.exe | 5c320953f68110bc451f42495ef0a296
Tags: Gen1 Malicious Library UPX PE File PE64 ftp OS Processor Check VirusTotal Malware PDB Tofsee Remote Code Execution crashed
Hosts (2):
  app.physics.wisc.edu(128.104.160.19)
  128.104.160.19
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.0 | M | 38 | ZeroCERT

8818 | 2023-11-20 09:54 | v1.exe | cc78ebc3aad20686d5bef8613aba55be
Tags: Client SW User Data Stealer LokiBot ftp Client info stealer .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software
URLs (1):
  https://steamcommunity.com/profiles/76561199571056594
Hosts (5):
  t.me(149.154.167.99) - mailcious
  steamcommunity.com(184.87.111.197) - mailcious
  149.154.167.99 - mailcious
  49.13.94.153 - mailcious
  104.76.78.101 - mailcious
Alerts (3):
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
16.8 | M | 51 | ZeroCERT

8819 | 2023-11-20 09:53 | UnityGameHandler.exe | 2547fc421a8ce77e333e88f4f87be833
Tags: Gen1 RedLine stealer NSIS Downloader Generic Malware Malicious Library UPX Malicious Packer Javascript_Blob Anti_VM PE32 PE File ftp OS Processor Check DLL PE64 MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Ransomware crashed
3.4 | | 7 | ZeroCERT

8820 | 2023-11-20 09:49 | devmode.exe | 192f55e340f45009639d106530172497
Tags: UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName
3.0 | M | 50 | ZeroCERT