1396 | 2024-08-09 07:57 | GOLD.exe e71c0c5d72455dde6510ba23552d7d2f Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PDB unpack itself crashed
|
|
|
|
1.2 | M | | ZeroCERT
1397 | 2024-08-09 07:56 | stealc_default.exe e78239a5b0223499bed12a752b893cad Stealc Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Antivirus UPX Malicious Packer PE File PE32 DLL OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Vidar Email Client Info Stealer Malware c&c Malicious Traffic Check memory Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName DNS Software plugin
9 | http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll - rule_id: 275 http://185.215.113.17/2fb6c2cc8dce150a.php - rule_id: 275 http://185.215.113.17/f1ddeb6592c03206/mozglue.dll - rule_id: 275 http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll - rule_id: 275 http://185.215.113.17/f1ddeb6592c03206/softokn3.dll - rule_id: 275 http://185.215.113.17/ - rule_id: 275 http://185.215.113.17/f1ddeb6592c03206/nss3.dll - rule_id: 275 http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll - rule_id: 275 http://185.215.113.17/f1ddeb6592c03206/freebl3.dll - rule_id: 275
1 |
16 | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 ET MALWARE Win32/Stealc Submitting System Information to C2 ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
9 | http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/ http://185.215.113.17/
7.2 | M | | ZeroCERT
1398 | 2024-08-09 07:56 | bsso_launcher_v1.exe 6a60f6fbd451bfb11d0c943706ceda0a Malicious Library UPX PE File PE64 ftp OS Processor Check Check memory Checks debugger Creates executable files RWX flags setting unpack itself Check virtual network interfaces Tor DNS crashed
|
5 | 84.240.60.234 199.195.253.180 178.33.36.64 137.226.34.45 145.239.136.129
6 | ET TOR Known Tor Exit Node Traffic group 70 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 788 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170
|
5.2 | M | | ZeroCERT
1399 | 2024-08-09 07:54 | DivxBra.exe 4ee6fb632595268ef97aacf18a0bffb8 Suspicious_Script_Bin Generic Malware Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P An suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW Ransomware Windows ComputerName
|
|
|
|
7.0 | M | | ZeroCERT
1400 | 2024-08-09 07:53 | buildz.exe b7cb7f2b5cd9bd047710650295dc88f7 Suspicious_Script_Bin Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Malware Microsoft AutoRuns Code Injection malicious URLs Tofsee Windows ComputerName DNS
2 | http://cajgtus.com/lancer/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true - rule_id: 41241 https://api.2ip.ua/geo.json
4 | cajgtus.com(200.63.106.141) - malware api.2ip.ua(104.21.65.24) 104.21.65.24 2.185.214.11 - mailcious
6 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET POLICY External IP Address Lookup DNS Query (2ip .ua)
1 | http://cajgtus.com/lancer/get.php
4.8 | M | | ZeroCERT
1401 | 2024-08-09 07:51 | kitty.exe 0ec1f7cc17b6402cd2df150e0e5e92ca Generic Malware Malicious Library UPX PE File PE32 OS Processor Check PE64 Malware download Email Client Info Stealer Malware AutoRuns Malicious Traffic WMI Creates executable files Windows utilities Checks Bios suspicious process WriteConsoleW anti-virtualization Tofsee Windows Email ComputerName DNS
3 | http://185.216.214.225/mingh.exe https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7 https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7&tsk=5F9BD4
3 | fusionflow-meta.net(172.67.162.233) 185.216.214.225 104.21.74.211
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE ZharkBot User-Agent Observed ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
7.4 | M | | ZeroCERT
1402 | 2024-08-09 07:50 | 30072024.exe aedfb26f18fdd54279e8d1b82b84559a RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Check memory Checks debugger unpack itself Windows DNS Cryptographic key
|
1 | 185.215.113.67 - mailcious
1 | ET DROP Spamhaus DROP Listed Traffic Inbound group 33
|
4.2 | M | | ZeroCERT
1403 | 2024-08-09 07:49 | Aatxl.exe 02b2f62e789410f8c256b0d63ac45a1a Malicious Library .NET framework(MSIL) PE File .NET EXE PE32 Check memory Checks debugger buffers extracted unpack itself ComputerName crashed
|
|
|
|
2.0 | | | ZeroCERT
1404 | 2024-08-09 07:48 | sahost.exe 3470b26b4f683b2c79794d5a71b5d681 NSIS Suspicious_Script_Bin Malicious Library UPX PE File PE32 DLL Check memory Creates executable files unpack itself AppData folder
|
|
|
|
1.6 | M | | ZeroCERT
1405 | 2024-08-08 16:51 | 카카오 엔터테인먼트의 지식재산권 침해 내용.PDF.ex... 6eaf878c7f1449d65f4b99d49aa9844a Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX PE File PE32 MZP Format OS Processor Check DLL PE64 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName crashed
|
|
|
|
7.2 | | 18 | ZeroCERT
1406 | 2024-08-08 16:13 | Launcher_Setup.exe 6c1f3f90da84d774ee602dd603a5a22e Emotet Generic Malware Malicious Library Malicious Packer UPX Anti_VM DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware
|
|
|
|
1.0 | | 38 | ZeroCERT
1407 | 2024-08-08 16:10 | Targeted Advance Persistent Th... ccec3e4857cbb197ac79b0f3b01f5189 Word 2007 file format(docx) ZIP Format Vulnerability VirusTotal Malware unpack itself Tofsee
2 | http://x1.i.lencr.org/ https://mofa-gov-pk.dowmload.info/869469_APT/doc.rtf
4 | x1.i.lencr.org(23.207.177.83) mofa-gov-pk.dowmload.info(213.183.55.169) - mailcious 23.41.113.9 213.183.55.169 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2.8 | | 11 | ZeroCERT
1408 | 2024-08-08 16:07 | Launcher_Setup.exe 6c1f3f90da84d774ee602dd603a5a22e Emotet Generic Malware Malicious Library Malicious Packer UPX Anti_VM DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware crashed
|
|
|
|
1.2 | | 38 | ZeroCERT
1409 | 2024-08-08 16:03 | sahost.exe a50c4a5189f1223de3c44d7803972571 Generic Malware Malicious Library .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/ https://reallyfreegeoip.org/xml/175.208.134.152
4 | reallyfreegeoip.org(104.21.67.152) checkip.dyndns.org(132.226.8.169) 172.67.177.134 132.226.247.73
6 | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) ET POLICY External IP Lookup - checkip.dyndns.org ET INFO 404/Snake/Matiex Keylogger Style External IP Check ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
15.0 | | 22 | ZeroCERT
1410 | 2024-08-08 15:33 | sweetdresswearwithgirlstyle.gI... 4d8093da8406aa5447403631e1383e8e Generic Malware Antivirus Hide_URL PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key
1 | https://archive.org/download/nativee/nativee.jpg
2 | archive.org(207.241.224.2) - mailcious 207.241.224.2 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
7.0 | M | | ZeroCERT