8941 |
2023-09-02 18:47
|
stealc_freestyleebet.exe 03b75cb65dfc55f7594704128d3c2bad Stealc PE File PE32 Browser Info Stealer Malware download VirusTotal Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser ComputerName DNS plugin |
8
http://45.9.74.92/d45a644c7f4dcff4/vcruntime140.dll
http://45.9.74.92/d45a644c7f4dcff4/mozglue.dll
http://45.9.74.92/d45a644c7f4dcff4/softokn3.dll
http://45.9.74.92/d45a644c7f4dcff4/nss3.dll
http://45.9.74.92/d45a644c7f4dcff4/freebl3.dll
http://45.9.74.92/7a03fb9d4773da33.php - rule_id: 36050
http://45.9.74.92/d45a644c7f4dcff4/msvcp140.dll
http://45.9.74.92/d45a644c7f4dcff4/sqlite3.dll
|
1
|
15
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
1
http://45.9.74.92/7a03fb9d4773da33.php
|
7.2 |
M |
48 |
ZeroCERT
8942 |
2023-09-02 18:43
|
soso.exe 6dc87042689e8ee4fcf2ad4978251c44 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check PE64 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Tofsee |
1
https://z.nnnaajjjgc.com/sts/imagd.jpg
|
2
z.nnnaajjjgc.com(156.236.72.121) - malware
156.236.72.121 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
M |
52 |
ZeroCERT
8943 |
2023-09-02 18:41
|
ui_static.js bb973dacad0a0e1cb2e2c145fd8f4c3e unpack itself crashed |
|
|
|
|
0.6 |
|
|
ZeroCERT
8944 |
2023-09-02 18:41
|
s5.exe 6d23627f776c90f686e5768774aad09f Malicious Library PE File PE32 PDB Remote Code Execution |
|
|
|
|
0.8 |
M |
|
ZeroCERT
8945 |
2023-09-02 18:40
|
Install_WinX64X86.exe ebd57653d474ebeb5c5df2c19df6912b Themida Packer Malicious Library PE File PE64 VirusTotal Malware DNS crashed |
|
1
156.236.72.121 - malicious
|
|
|
3.0 |
M |
21 |
ZeroCERT
8946 |
2023-09-02 18:39
|
1111.exe d9c8bc57eff19e15e8670881fa0dcb81 RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET OS Processor Check PE File .NET EXE PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
5
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
|
6.2 |
M |
44 |
ZeroCERT
8947 |
2023-09-02 18:38
|
ela205.exe ff0ca5d8a61da8a0b725bcd6e36412db Malicious Library UPX PE File PE64 VirusTotal Malware PDB unpack itself Tofsee Remote Code Execution |
|
2
z.nnnaajjjgc.com(156.236.72.121) - malware
156.236.72.121 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
1.6 |
M |
23 |
ZeroCERT
8948 |
2023-09-02 18:36
|
fil111e.exe 34577f0fd1d3f1d5f53eecd0aca166c3 Generic Malware Antivirus PE File .NET EXE PE32 PowerShell VirusTotal Malware powershell PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
7.0 |
M |
43 |
ZeroCERT
8949 |
2023-09-02 18:36
|
wp.vbs 788d9b6fd542ea9680d7fd61e3424aec Malware download Wshrat NetWireRC VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows Houdini ComputerName DNS DDNS Dropper |
1
http://chongmei33.publicvm.com:7045/is-ready - rule_id: 28328
|
2
chongmei33.publicvm.com(172.111.147.88) - malicious
172.111.147.88
|
4
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
|
1
http://chongmei33.publicvm.com:7045/is-ready
|
10.0 |
M |
25 |
ZeroCERT
8950 |
2023-09-02 18:34
|
R3nzSkin_Injector.exe e785b8d686d97cea7f16ee1ff56dad95 Malicious Library UPX OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
6.6 |
|
47 |
ZeroCERT
8951 |
2023-09-02 18:34
|
Clic.exe 3e1addce70b29934018089965733a491 Generic Malware Downloader WinRAR Malicious Library UPX Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate privileges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM OS Processor Check VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Firewall state off Tofsee Windows ComputerName Remote Code Execution Cryptographic key crashed |
|
2
www.logpasta.com(188.166.57.133)
188.166.57.133
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
|
49 |
ZeroCERT
8952 |
2023-09-02 18:32
|
4t.exe f519d275a74776c00243901014f40df9 Malicious Library PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
23 |
ZeroCERT
8953 |
2023-09-02 18:31
|
alldata.exe 1d80dd9f0e5db1a685c6bb9e9a91b222 Malicious Library PE File PE32 VirusTotal Malware PDB Remote Code Execution |
|
|
|
|
2.0 |
|
43 |
ZeroCERT
8954 |
2023-09-02 18:30
|
4t.exe cd2d66edbe500051c5d2711026a84f9d Malicious Library PE File PE64 VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself |
|
|
|
|
2.2 |
M |
22 |
ZeroCERT
8955 |
2023-09-02 18:30
|
ummaa.exe 58bc43389c3e720c0af4ff563d5ed7ce Amadey Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kelihos Windows ComputerName DNS |
4
http://45.9.74.80/softtool.exe
http://45.9.74.80/alldata.exe
http://5.42.65.80/4t.exe
http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
|
2
45.9.74.80 - malware
5.42.65.80 - malware
|
9
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure
|
1
http://45.9.74.80/0bjdn2Z/index.php
|
9.6 |
M |
53 |
ZeroCERT