9751 |
2023-10-09 13:20
|
discoversophisticatedpro.exe 79de5ff2273d613a14ca4c8edff7d5ec Gen1 Emotet Generic Malware Malicious Library UPX .NET framework(MSIL) Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://172.86.98.101/xs12pro/Gpflofkmce.dat - rule_id: 37111 http://firmpanacewa.fun/api http://172.86.98.101/xs12pro/Rglrwzz.vdf - rule_id: 37111
|
3
firmpanacewa.fun(172.67.181.9) - mailcious 172.86.98.101 - mailcious 172.67.181.9 - mailcious
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://172.86.98.101/xs12pro/ http://172.86.98.101/xs12pro/
|
13.6 |
M |
|
ZeroCERT
9752 |
2023-10-09 13:19
|
helpscientistpro.exe f54931aaae6cff496f607d6991cc1437 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Windows Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Htjxmgd.pdf - rule_id: 37111 http://172.86.98.101/xs12pro/Akdvsmkkbhu.pdf - rule_id: 37111
|
1
172.86.98.101 - mailcious
|
1
ET INFO Dotted Quad Host PDF Request
|
2
http://172.86.98.101/xs12pro/ http://172.86.98.101/xs12pro/
|
11.0 |
M |
|
ZeroCERT
9753 |
2023-10-09 13:19
|
lastsciiencepro.exe 81d34d81c4b40ba209760c61baaad458 Gen1 Emotet Malicious Library UPX .NET framework(MSIL) Http API ScreenShot PWS Internet API AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check Malware download VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Lumma Stealer Windows Remote Code Execution DNS Cryptographic key crashed |
3
http://blessdeckite.fun/ http://blessdeckite.fun/api http://172.86.98.101/xs12pro/Czbzftdagy.mp4 - rule_id: 37111
|
3
blessdeckite.fun(172.67.176.124) 172.86.98.101 - mailcious 104.21.31.117
|
1
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
1
http://172.86.98.101/xs12pro/
|
14.6 |
M |
19 |
ZeroCERT
9754 |
2023-10-09 13:17
|
watchprevailing.exe 0a258548c05c1f8baded9ccfbd4b6896 UPX .NET framework(MSIL) ScreenShot PWS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows DNS Cryptographic key |
1
http://172.86.98.101/xs12pro/Kmztlc.vdf - rule_id: 37111
|
1
172.86.98.101 - mailcious
|
|
1
http://172.86.98.101/xs12pro/
|
11.0 |
M |
19 |
ZeroCERT
9755 |
2023-10-09 12:57
|
Steal_BrowserPassword.ps1 781f2735b980b567aa07fec41e6d4422 Generic Malware Antivirus Check memory unpack itself WriteConsoleW Windows Cryptographic key |
1
https://github.com/atomiczsec/My-Payloads/blob/main/Assets/browser.exe?raw=true
|
|
|
|
1.0 |
|
|
ZeroCERT
9756 |
2023-10-09 12:57
|
browser.exe c86277ab02da0abcf91b0109a0bc28ea Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.4 |
|
52 |
ZeroCERT
9757 |
2023-10-09 12:42
|
minda.exe c7f2b50a51b84d1108430e3fb119d0d4 Gen1 Emotet Malicious Library UPX Malicious Packer Confuser .NET Admin Tool (Sysinternals etc ...) .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL MZP Format PE64 CHM Format DllRegisterServer dll Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware c&c suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Stealc Stealer Windows Browser Email ComputerName DNS crashed plugin CoinMiner |
8
http://5.42.65.39/a03c8956ff198333/softokn3.dll http://5.42.65.39/bed95ea4798a5204.php http://5.42.65.39/a03c8956ff198333/mozglue.dll http://5.42.65.39/a03c8956ff198333/msvcp140.dll http://5.42.65.39/a03c8956ff198333/nss3.dll http://5.42.65.39/a03c8956ff198333/vcruntime140.dll http://5.42.65.39/a03c8956ff198333/sqlite3.dll http://5.42.65.39/a03c8956ff198333/freebl3.dll
|
8
xmr-eu1.nanopool.org(51.68.143.81) - mailcious pastebin.com(104.20.68.143) - mailcious iplogger.com(148.251.234.93) - mailcious 148.251.234.93 - mailcious 163.172.154.142 212.47.253.124 5.42.65.39 - mailcious 104.20.67.143 - mailcious
|
20
ET INFO TLS Handshake Failure ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
|
17.6 |
|
42 |
ZeroCERT
9758 |
2023-10-09 12:41
|
AIMP2.eXe 62b71a7a5a313f5144b7bf45b7fcf87a Gen1 Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself DNS |
|
1
|
|
|
2.2 |
|
4 |
ZeroCERT
9759 |
2023-10-09 12:32
|
baf652ff4cb5f03754c0156583578c... baf652ff4cb5f03754c0156583578c3a MSOffice File VirusTotal Malware exploit crash unpack itself suspicious TLD Exploit crashed |
1
http://encyclopedia83.samiseto.ru/HOME-PC/registry/sorry/amiable/amiable/amiable.83glf
|
2
encyclopedia83.samiseto.ru(185.39.207.104) - mailcious 185.39.207.104
|
|
|
4.0 |
|
20 |
ZeroCERT
9760 |
2023-10-09 12:30
|
allergy list.exe 8fd84942190cf91e2182d552b3df80f8 PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName DNS |
|
1
|
|
|
2.4 |
|
1 |
ZeroCERT
9761 |
2023-10-09 12:29
|
Reservation information (date,... 9809cc75b12ebaa98003f8288978f3b3 Malicious Library UPX PE File PE32 ftp Check memory Tofsee |
|
2
apache.org(151.101.2.132) 151.101.2.132
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
0.2 |
|
|
ZeroCERT
9762 |
2023-10-09 12:27
|
obcliKg.dll b52920a62d824d538812f9fb8bf563c4 .NET DLL PE File DLL PE32 VirusTotal Malware PDB |
|
|
|
|
0.6 |
|
1 |
ZeroCERT
9763 |
2023-10-08 18:36
|
netTimer.exe e674688f489f2e6dcfdf18af1ac37858 UPX Malicious Packer PE File PE64 VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger unpack itself anti-virtualization ComputerName |
|
|
|
|
4.8 |
M |
32 |
ZeroCERT
9764 |
2023-10-08 18:34
|
opportunitytoolprer.exe dfacf11cff37d089fdb939534d1680e3 Gen1 Emotet Malicious Library PE File PE64 CAB VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces Windows ComputerName Remote Code Execution DNS Cryptographic key |
1
http://172.86.98.101/xs12pro/Qqiurpxnu.mp3
|
1
|
|
|
8.2 |
M |
43 |
ZeroCERT
9765 |
2023-10-08 18:32
|
lnstalIer.exe 0e10ea38b2c0569203a5f46efdec60dc Raccoon Gen1 Generic Malware UPX Malicious Packer Admin Tool (Sysinternals etc ...) Malicious Library Http API ScreenShot PWS HTTP Internet API AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications AppData folder sandbox evasion installed browsers check Stealer Windows Browser DNS Cryptographic key |
9
http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://45.15.156.141/ - rule_id: 37100 http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://45.15.156.141/fbac3c131ccbd261bd179f2d83792c65 http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://45.15.156.141/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
|
1
45.15.156.141 - mailcious
|
11
ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING Possible Generic Stealer Sending System Information
|
1
|
14.6 |
M |
49 |
ZeroCERT