12331 | 2023-06-12 08:39
output_64.dll 53c2b4ff75b21e128fd6f3314e30fde4
Generic Malware UPX Malicious Library Malicious Packer Antivirus Anti_VM DLL PE64 PE File PDB Check memory Checks debugger unpack itself AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check Browser DNS crashed
2
  193.134.208.217
  104.76.78.101 - mailcious
5.0 | ZeroCERT
12332 | 2023-06-12 01:16
foto164.exe cbb0bcb442a38af349af69ecb177738a
Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3
  http://77.91.68.30/music/rock/index.php - rule_id: 34087
  http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
  http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
2
  83.97.73.129 - mailcious
  77.91.68.30 - malware
10
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3
  http://77.91.68.30/music/rock/index.php
  http://77.91.68.30/music/rock/Plugins/cred64.dll
  http://77.91.68.30/music/rock/Plugins/clip64.dll
15.8 | M | guest
12333 | 2023-06-11 23:55
FineC0de.exe d86704134f65f0ebe87032f76864db5a
Downloader UPX Socket PWS[m] Http API ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 Malware download VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Stealer Windows DNS
8
  http://5.42.64.41:1337/mozglue.dll
  http://5.42.64.41:1337/libcrypto.dll
  http://5.42.64.41:1337/freebl3.dll
  http://5.42.64.41:1337/s?id=9a48fc56-3aef-47c0-98e0-4ed262d612ec
  http://5.42.64.41:1337/sqlite3.dll
  http://5.42.64.41:1337/softokn3.dll
  http://5.42.64.41:1337/?id=9a48fc56-3aef-47c0-98e0-4ed262d612ec
  http://5.42.64.41:1337/nss3.dll
1
10
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
8.6 | M | 49 | ZeroCERT
12334 | 2023-06-11 23:53
oteratar07.exe 2e4f9e426907d9c3e2fca85df1b19b09
RAT UPX AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Browser ComputerName DNS
1
  http://45.15.157.6/9827126d94c3e848.php
1
11.2 | M | 48 | ZeroCERT
12335 | 2023-06-11 23:52
msbhv07.exe 25623138f6ab8c72ef15615a76b4adbc
RedLine stealer[m] RAT UPX AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
1
9.6 | M | 50 | ZeroCERT
12336 | 2023-06-11 23:47
pt274.exe 44137725eba04c72f7486f45192cb768
Loki_b Loki_m RAT UPX Socket DNS PWS[m] ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 FTP Client Info Stealer VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS Software
1
8.8 | M | 52 | ZeroCERT
12337 | 2023-06-11 23:44
shiningcr.exe e49ec6789a1b633f16cce8d88833ad2a
RedLine stealer[m] RAT UPX AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
2
1
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
11.0 | M | 49 | ZeroCERT
12338 | 2023-06-11 23:41
YaBtc.exe 78e481470c6fd24865ad8d47f83ad31d
UPX DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself crashed
7.4 | M | 47 | ZeroCERT
12339 | 2023-06-11 23:39
jimmy3kcr.exe 2b187309cd04ab31128fed43a33758e2
RedLine stealer[m] RAT UPX AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1
1
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
11.0 | M | 52 | ZeroCERT
12340 | 2023-06-11 23:39
cleanmgr.exe fdc78ab84bc217516144c18c8e870e66
Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | M | 52 | ZeroCERT
12341 | 2023-06-11 23:33
msbhv07.exe 25623138f6ab8c72ef15615a76b4adbc
RedLine stealer[m] RAT UPX AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted unpack itself Windows DNS Cryptographic key
1
9.6 | M | 50 | ZeroCERT
12342 | 2023-06-11 23:32
crona.exe ccf4763882256111f713d881ad7d9aa9
Emotet UPX MPRESS PE64 PE File VirusTotal Malware Remote Code Execution crashed
2.2 | M | 44 | ZeroCERT
12343 | 2023-06-11 23:27
saw.com 479ef78157265f023025dbdb69cdad17
RAT PE64 .NET EXE PE File VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces
1
  http://purecry.ydns.eu/pure/Ximhh.dat
2
  purecry.ydns.eu(85.209.134.253)
  85.209.134.253 - mailcious
3.4 | M | 22 | ZeroCERT
12344 | 2023-06-11 23:26
2.1.1.0_cr.exe c9cec4f8428b00918678cc9d3e143c8d
Formbook RAT Gen1 Gen2 UPX Admin Tool (Sysinternals etc ...) Malicious Library Malicious Packer AntiDebug AntiVM .NET EXE PE File PE32 OS Processor Check DLL Browser Info Stealer Malware download VirusTotal Malware RecordBreaker PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications AppData folder installed browsers check Stealer Windows Browser DNS crashed
9
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
  http://91.215.85.225/
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
  http://91.215.85.225/295d0240786c5ad66fd8d8f737f2e076
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
  http://91.215.85.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
1
11
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible Generic Stealer Sending System Information
13.8 | M | 50 | ZeroCERT
12345 | 2023-06-11 23:25
1IC.exe 1747af9f1b9db5785c6913ac2ead8ef3
PE64 PE File Malware download Cobalt Strike Cobalt VirusTotal Malware unpack itself ComputerName DNS
2
  http://43.153.222.28:4646/c9uL
  http://43.153.222.28:4646/push
1
2
  ET MALWARE Cobalt Strike Beacon Observed
  ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
3.0 | M | 43 | ZeroCERT