1 | 2025-04-10 11:00
sostener.vbs 3861979388aa73c77bdd87a2b31214b7 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/rodadll.txt?alt=media&token=aa0328ac-1aba-4a7b-89a6-42621f5aa921
https://pastebin.com/raw/pzXGkayU
Hosts (4):
firebasestorage.googleapis.com(172.217.161.234) - phishing
pastebin.com(104.22.68.199) - mailcious
142.250.198.202
104.22.68.199
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 10 | ZeroCERT
2 | 2025-04-10 10:58
sostener2.vbs 5edb4498d69d24c6d9d620b602c7c349 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/rodadll.txt?alt=media&token=aa0328ac-1aba-4a7b-89a6-42621f5aa921
https://pastebin.com/raw/pzXGkayU
Hosts (4):
firebasestorage.googleapis.com(142.250.206.202) - phishing
pastebin.com(104.22.68.199) - mailcious
172.67.25.94
142.250.197.106
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 11 | ZeroCERT
3 | 2025-03-28 09:30
gfdthawdddd.exe cb1ab881df77d5e59c9cd71a042489dd | PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner
Hosts (6):
xmr-eu1.nanopool.org(51.89.23.91)
xmr-eu2.nanopool.org(51.195.43.17)
pastebin.com(172.67.19.24)
51.15.58.224
163.172.171.111
172.67.19.24
Alerts (2):
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
1.4 | | 54 | ZeroCERT
4 | 2025-02-21 16:33
WindowsFormsApp14.exe 27c15cccf3c45998d4fe8582c95da58f | Malicious Library PE File .NET EXE PE32 VirusTotal Malware PDB Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows
URLs (1):
https://pastebin.com/raw/4LkF0iPK
Hosts (2):
pastebin.com(104.20.4.235) - mailcious
104.20.4.235 - mailcious
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.0 | M | 16 | ZeroCERT
5 | 2025-01-27 17:01
traf.exe 77947379b9e26603db5a24e63d9e68fc | Antivirus UPX ScreenShot KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Lnk Format GIF Format Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Browser Email ComputerName DNS Software crashed
URLs (8):
http://www.bing.com/
http://18.230.108.113/vapo.exe
http://go.microsoft.com/fwlink/?LinkId=133405
http://windowsupdate.microsoft.com/
http://18.230.108.113/bot/
http://18.230.108.113/smk/
http://go.microsoft.com/fwlink/?LinkId=249109
https://pastebin.com/raw/djZsmRNC
Hosts (10):
visualstudio.microsoft.com(23.49.147.165)
windowsupdate.microsoft.com(20.109.209.108)
pastebin.com(104.20.4.235) - mailcious
support.microsoft.com(13.107.246.74)
121.254.136.107
23.74.20.243
20.72.235.82
18.230.108.113 - malware
13.107.246.74 - phishing
172.67.19.24 - mailcious
20.2 | M | 60 | ZeroCERT
6 | 2025-01-27 16:47
conhost.exe c11a82d699a06d9b8ba4296e0c562ae4 | Generic Malware Malicious Library .NET framework(MSIL) UPX Antivirus PE File .NET EXE PE32 PE64 VirusTotal Malware powershell AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (2):
http://185.215.113.51/WinRing0x64.sys
https://pastebin.com/raw/YpJeSRBC
Hosts (3):
pastebin.com(172.67.19.24) - mailcious
172.67.19.24 - mailcious
185.215.113.51 - malware
10.6 | M | 51 | ZeroCERT
7 | 2025-01-27 16:45
vapo.exe ee14a993b4f9bf8b3f0421f0a44c2057 | Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName
URLs (1):
https://pastebin.com/raw/djZsmRNC
Hosts (2):
pastebin.com(104.20.4.235) - mailcious
104.20.4.235 - mailcious
9.2 | M | 36 | ZeroCERT
8 | 2025-01-06 18:35
XClient.exe 2e525ccebf9ede7492931251eb66571a | Malicious Library Antivirus UPX PE File .NET EXE PE32 OS Processor Check Lnk Format GIF Format VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName
Hosts (1):
pastebin.com(172.67.19.24) - mailcious
7.4 | | 55 | ZeroCERT
9 | 2024-12-31 13:31
NewApp.exe 5d1255087c4512f2121410a008218430 | UPX PE File PE64 VirusTotal Malware RCE DNS
Hosts (3):
rentry.org(164.132.58.105)
xmr-eu1.nanopool.org(51.15.58.224)
pastebin.com(104.20.3.235)
Alerts (1):
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
2.4 | | 40 | ZeroCERT
10 | 2024-12-03 13:25
asegurar.vbs 3c6884c4d3a5348a023bf408ea0f9715 | Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dllroda.txt?alt=media&token=9d4329e4-e727-4c68-941a-a741e6cadff3
https://pastebin.com/raw/Adv9gBHa
https://paste.ee/d/VlThw/0
Hosts (4):
firebasestorage.googleapis.com(172.217.175.74) - phishing
pastebin.com(104.20.4.235) - mailcious
142.250.71.170
104.20.4.235 - mailcious
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | | 4 | ZeroCERT
11 | 2024-12-03 13:23
segura.vbs b626245664336638ee18a5b8016cd00f | Generic Malware Antivirus Hide_URL PowerShell Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2):
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll/dllroda.txt?alt=media&token=9d4329e4-e727-4c68-941a-a741e6cadff3
https://pastebin.com/raw/Adv9gBHa
Hosts (4):
firebasestorage.googleapis.com(172.217.31.170) - phishing
pastebin.com(172.67.19.24) - mailcious
104.20.3.235 - malware
142.250.197.10
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.4 | | | ZeroCERT
12 | 2024-10-14 10:51
NewApp.exe 6c5765152f9720727f9693288b34a8b6 | UPX PE File PE64 VirusTotal Cryptocurrency Miner Malware RCE DNS CoinMiner
Hosts (5):
xmr-eu1.nanopool.org(212.47.253.124)
pastebin.com(104.20.4.235)
104.20.3.235
163.172.154.142
146.59.154.106
Alerts (2):
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
2.4 | | 50 | ZeroCERT
13 | 2024-10-11 11:14
jgt.exe 1417d38c40d85d1c4eb7fad3444ca069 | PE File PE64 Malware download VirusTotal Cryptocurrency Miner Malware suspicious TLD DNS CoinMiner
Hosts (10):
jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su(172.67.184.91)
justpaste.it(83.168.108.45)
pool.supportxmr.com(141.94.96.195) - mailcious
pastebin.com(104.20.3.235) - mailcious
rentry.co(104.26.2.16) - malware
104.20.3.235 - malware
104.26.2.16 - mailcious
104.21.19.3
141.94.96.71
83.168.108.45
Alerts (7):
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI
ET INFO Observed DNS Query to Pastebin-style Service (justpaste .it)
1.8 | M | 56 | ZeroCERT
14 | 2024-10-09 13:01
asdz2.png 61d3abff46a6bd2946925542c7d30397 | PE File PE64 VirusTotal Cryptocurrency Miner Malware DNS CoinMiner
Hosts (6):
xmr-eu1.nanopool.org(51.89.23.91) - mailcious
xmr-eu2.nanopool.org(51.68.137.186) - mailcious
pastebin.com(172.67.19.24) - mailcious
104.20.4.235 - mailcious
51.15.65.182 - mailcious
51.15.61.114 - mailcious
Alerts (2):
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
1.4 | M | 58 | ZeroCERT
15 | 2024-10-06 12:48
NewApp.exe 2eea3ddbfc81544b54a4ac5028a30805 | PE File PE64 VirusTotal Cryptocurrency Miner Malware RCE DNS CoinMiner
Hosts (5):
xmr-eu1.nanopool.org(51.89.23.91) - mailcious
pastebin.com(104.20.3.235) - mailcious
51.15.193.130 - mailcious
104.20.4.235 - mailcious
54.37.232.103
Alerts (2):
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
2.4 | | 43 | ZeroCERT