10021 | 2023-09-30 13:21
StealerClient_Cpp.exe | e6692c8fef5862964a4a82d5c58ba709
Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check VirusTotal Malware
1.2 | M | 56 | ZeroCERT

10022 | 2023-09-30 13:21
Elize123.exe | f340d31e095009d1db8f40c06abe32ce
UPX PWS SMTP AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
Network alerts (3):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
11.0 | M | 52 | ZeroCERT

10023 | 2023-09-30 13:19
RBY1.exe | 12fdbbf78bb7d4caa336ccf05d762bcb
UPX PE File PE32 .NET EXE VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
3.8 | M | 48 | ZeroCERT

10024 | 2023-09-30 13:19
vY7NqPNdCvuT7Sy.exe | d928fd4dc7d2859adc7e285912a701ac
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName crashed
4.6 | M | 51 | ZeroCERT

10025 | 2023-09-30 13:17
Wtwvjbwnht.exe | ea462e6077aa3e3c7573dd51206c7e4e
Formbook UPX .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs suspicious TLD Windows DNS Cryptographic key
URLs (23):
  http://www.onlyleona.com/kniu/ - rule_id: 36720
  http://192.3.179.157/690/TiWorkers.exe
  http://192.3.179.157/zw/Zlonloydc.dat
  http://www.xxkxcfkujyeft.xyz/kniu/ - rule_id: 36719
  http://www.siteapp.fun/kniu/ - rule_id: 36724
  http://www.prosourcegraniteinc.com/kniu/ - rule_id: 36717
  http://www.poultry-symposium.com/kniu/?-z0gsLA=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&ue-_=0C5fuT6rcako - rule_id: 36722
  http://www.poultry-symposium.com/kniu/ - rule_id: 36722
  http://www.theartboxslidell.com/kniu/ - rule_id: 36718
  http://www.onlyleona.com/kniu/?-z0gsLA=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&ue-_=0C5fuT6rcako - rule_id: 36720
  http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
  http://www.tsygy.com/kniu/ - rule_id: 36721
  http://www.flyingfoxnb.com/kniu/?-z0gsLA=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&ue-_=0C5fuT6rcako - rule_id: 36725
  http://www.tsygy.com/kniu/?-z0gsLA=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&ue-_=0C5fuT6rcako - rule_id: 36721
  http://www.xxkxcfkujyeft.xyz/kniu/?-z0gsLA=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&ue-_=0C5fuT6rcako - rule_id: 36719
  http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
  http://www.flyingfoxnb.com/kniu/ - rule_id: 36725
  http://www.prosourcegraniteinc.com/kniu/?-z0gsLA=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&ue-_=0C5fuT6rcako - rule_id: 36717
  http://www.palatepursuits.cfd/kniu/ - rule_id: 36726
  http://www.siteapp.fun/kniu/?-z0gsLA=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&ue-_=0C5fuT6rcako - rule_id: 36724
  http://www.theartboxslidell.com/kniu/?-z0gsLA=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&ue-_=0C5fuT6rcako - rule_id: 36718
  http://www.frefire.top/kniu/ - rule_id: 36723
  http://www.frefire.top/kniu/?-z0gsLA=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&ue-_=0C5fuT6rcako - rule_id: 36723
Hosts (25):
  www.palatepursuits.cfd(104.21.21.57) - mailcious
  www.onlyleona.com(104.21.13.143) - mailcious
  www.prosourcegraniteinc.com(216.239.34.21) - mailcious
  www.pengeloladata.click() - mailcious
  www.xxkxcfkujyeft.xyz(216.240.130.67) - mailcious
  www.theartboxslidell.com(199.59.243.224) - mailcious
  www.8956kjw1.com(103.71.154.243)
  www.frefire.top(67.223.117.37) - mailcious
  www.tsygy.com(23.104.137.185) - mailcious
  www.poultry-symposium.com(85.128.134.237) - mailcious
  www.flyingfoxnb.com(216.40.34.41) - mailcious
  www.siteapp.fun(23.82.12.37) - mailcious
  85.128.134.237 - mailcious
  81.171.28.43
  23.104.137.185 - mailcious
  216.239.32.21 - mailcious
  199.59.243.224 - mailcious
  172.67.196.133 - mailcious
  216.40.34.41 - mailcious
  216.240.130.67 - mailcious
  192.3.179.157 - mailcious
  103.71.154.243
  45.33.6.223
  172.67.132.228 - mailcious
  67.223.117.37 - mailcious
Network alerts (11):
  SURICATA HTTP unable to match response to request
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO HTTP Request to a *.top domain
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET HUNTING Request to .TOP Domain with Minimal Headers
  ET HUNTING Request to .XYZ Domain with Minimal Headers
Rule-matched URLs (19):
  http://www.onlyleona.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.siteapp.fun/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.poultry-symposium.com/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.onlyleona.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.flyingfoxnb.com/kniu/
  http://www.tsygy.com/kniu/
  http://www.xxkxcfkujyeft.xyz/kniu/
  http://www.flyingfoxnb.com/kniu/
  http://www.prosourcegraniteinc.com/kniu/
  http://www.palatepursuits.cfd/kniu/
  http://www.siteapp.fun/kniu/
  http://www.theartboxslidell.com/kniu/
  http://www.frefire.top/kniu/
  http://www.frefire.top/kniu/
13.2 | M | 52 | ZeroCERT

10026 | 2023-09-30 13:17
greeecousinnnnnnnfrilPulGj0ozA... | c58659f0aa2577165d9851c741ce3d41
.NET framework(MSIL) PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows Browser Email ComputerName Cryptographic key crashed
5.0 | M | 53 | ZeroCERT

10027 | 2023-09-30 13:17
verbose.exe | fd128ec183aa8d4db76e08153a4a43ab
Generic Malware Malicious Library UPX Malicious Packer PE File PE64 OS Processor Check VirusTotal Malware PDB Remote Code Execution
2.2 | M | 44 | ZeroCERT

10028 | 2023-09-30 13:16
UNIQTRAFF.exe | eb69edce4df4ed81ecb296f24def4efe
RedLine Infostealer RedLine stealer UPX .NET framework(MSIL) Confuser .NET PE File PE32 .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
  194.180.49.159 - mailcious
Network alerts (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
  ET MALWARE Redline Stealer Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
6.2 | M | 47 | ZeroCERT

10029 | 2023-09-30 13:16
StealerClient_Sharp.exe | 3447aacee641ed00bab15a3df7818b7f
Malicious Library UPX .NET framework(MSIL) Malicious Packer PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself ComputerName Remote Code Execution
2.4 | M | 56 | ZeroCERT

10030 | 2023-09-30 13:13
tedzx.exe | 93927d564bb0622b7892d0dc7c797805
.NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
Hosts (2):
  api.ipify.org(104.237.62.212)
  173.231.16.77
Network alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.8 | M | 48 | ZeroCERT

10031 | 2023-09-30 13:12
alteredcasbon7RVuMkLvXuAoxru.e... | 2fd8ea6c13a0fb49a278b1afb309e433
.NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
3.2 | | 58 | ZeroCERT

10032 | 2023-09-30 13:10
UMM.exe | 9fa0492f671ae03b7785f7ada9a5ba8b
UPX PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Buffer PE PDB Check memory Checks debugger buffers extracted unpack itself Windows ComputerName Cryptographic key
3.6 | M | 23 | ZeroCERT

10033 | 2023-09-30 13:09
mtdocs.exe | 7ff646fbaa5bb955d1b0cfaffaf61cb2
Formbook NSIS Malicious Library UPX PE File PE32 FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself
URLs (5):
  http://www.278809.com/sy22/?EDK8bDR=iy+mqU/irMZ/wKqnbPhXoOBbdlFdDHlZlXpVz9oYG9OcIstj/tTeujiYT/kcN+51HbnFgiNH&BZ=E2M4oNWx_Ln
  http://www.gk84.com/sy22/?EDK8bDR=EZXT1couL1SMJvG2qeg6eanykcNOwoSwRkeI+9JF3ekTKFJ8rStu/JDK0lzRposG9gxESXnb&BZ=E2M4oNWx_Ln - rule_id: 36323
  http://www.sarthaksrishticreation.com/sy22/?EDK8bDR=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&BZ=E2M4oNWx_Ln - rule_id: 35905
  http://www.sunspotplumbing.com/sy22/?EDK8bDR=d6AqkGJ7bunbgmizHHRyxSnS+cE7N+DoqWC4nPxnpUsdFYm3pr534s62tX1C6jkDEl4YnzCY&BZ=E2M4oNWx_Ln
  http://www.kwamitikki.com/sy22/?EDK8bDR=ayc0h3zWsM+s/UZ3LUjJJuwK+un3y5jAnwaTGnQTjoBH3sQruTiuCMTcn690zSCGQsaDZ/V1&BZ=E2M4oNWx_Ln - rule_id: 36545
Hosts (10):
  www.kwamitikki.com(195.216.243.33) - mailcious
  www.gk84.com(107.148.223.82) - mailcious
  www.sunspotplumbing.com(15.197.148.33)
  www.278809.com(154.205.107.177) - mailcious
  www.sarthaksrishticreation.com(119.18.49.69) - mailcious
  15.197.148.33
  195.216.243.33 - malware
  107.148.223.82 - mailcious
  154.205.107.177 - mailcious
  119.18.49.69 - mailcious
Network alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
Rule-matched URLs (3):
  http://www.gk84.com/sy22/
  http://www.sarthaksrishticreation.com/sy22/
  http://www.kwamitikki.com/sy22/
4.2 | M | 58 | ZeroCERT

10034 | 2023-09-30 13:09
installs.exe | 0508858aafafa001652f27d51ed4872b
Malicious Library PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1):
Network alerts (5):
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Redline Stealer Activity (Response)
7.8 | | 54 | ZeroCERT

10035 | 2023-09-30 13:06
exbo.exe | 14b9d9e187fdb2f9deb0a9361a4f408d
Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware download VirusTotal Malware Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS crashed
URLs (1):
  http://5.42.92.211/loghub/master - rule_id: 36282
Hosts (1):
Network alerts (2):
  ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
  ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
Rule-matched URLs (1):
  http://5.42.92.211/loghub/master
8.2 | M | 34 | ZeroCERT