| 1 |
2021-03-17 16:47
|
 test.html 1e4afb756fe35ed1998103207ffb6758
Code Injection RWX flags setting unpack itself Windows utilities Windows |
|
|
|
|
2.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2021-03-27 11:26
|
 Encoding.html d7bb6b9d1cd02209f89dc0c4759ddd87
VirusTotal Malware crashed |
|
|
|
|
0.6 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2021-03-27 11:36
|
 Encoding.html d7bb6b9d1cd02209f89dc0c4759ddd87
Antivirus Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://198.251.72.110/ALL.txt
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://www.bing.com/favicon.ico
|
3
ia801407.us.archive.org(207.241.228.147) - mailcious
207.241.228.147 - mailcious
198.251.72.110 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Windows executable base64 encoded
ET HUNTING EXE Base64 Encoded potential malware
|
|
10.6 |
M |
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2021-04-01 07:46
|
 divine11.html 39f36486a95dd6945a63a4f028b8af54VBScript suspicious privilege MachineGuid Code Injection WMI wscript.exe payload download Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName DNS crashed Dropper |
32
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D3844689482953206831%26blogspotRpcToken%3D8511820%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D9202096335134795169%26pageID%3D3844689482953206831%26blogspotRpcToken%3D8511820%26bpli%3D1&passive=true&go=true
https://resources.blogblog.com/img/anon36.png
https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=3844689482953206831&blogspotRpcToken=8511820
https://www.blogger.com/static/v1/widgets/2080820689-widgets.js
https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=Pa5A_0uaAzeWbINaO2TQXL0lZm6tAyox2Q6Ari2SFkE
https://www.google-analytics.com/analytics.js
https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc-.woff
https://www.blogger.com/img/share_buttons_20_3.png
https://www.blogger.com/blogin.g?blogspotURL=https://humtotmharyhain.blogspot.com/p/divine11.html
https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://humtotmharyhain.blogspot.com/p/divine11.html%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://humtotmharyhain.blogspot.com/p/divine11.html%26bpli%3D1&passive=true&go=true
https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
https://www.blogger.com/static/v1/jsbin/3762525058-cmt__en_gb.js
https://resources.blogblog.com/img/blank.gif
https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
https://fonts.googleapis.com/css?family=Open+Sans:300
https://www.google.com/css/maia.css
https://www.blogger.com/comment-iframe.g?blogID=9202096335134795169&pageID=3844689482953206831&blogspotRpcToken=8511820&bpli=1
https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fhumtotmharyhain.blogspot.com%2Fp%2Fdivine11.html&bpli=1
https://fonts.googleapis.com/css?lang=ko&family=Product+Sans|Roboto:400,700
https://www.blogger.com/img/blogger-logotype-color-black-1x.png
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js
https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css
https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
https://www.google.com/js/bg/Pa5A_0uaAzeWbINaO2TQXL0lZm6tAyox2Q6Ari2SFkE.js
https://resources.blogblog.com/img/icon18_edit_allbkg.gif
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=13bf7370-9e7a-4c19-af40-56e74bd3158e
https://resources.blogblog.com/img/icon18_wrench_allbkg.png
|
19
resources.blogblog.com(172.217.31.137)
ia801408.us.archive.org(207.241.228.148) - mailcious
www.google.com(172.217.24.132)
www.gstatic.com(172.217.175.99)
fonts.googleapis.com(172.217.175.42)
archive.org(207.241.224.2) - mailcious
accounts.google.com(172.217.175.45)
www.google-analytics.com(172.217.175.78)
fonts.gstatic.com(172.217.31.131)
www.blogger.com(172.217.31.137)
172.217.163.228
216.58.200.74
216.58.197.109
207.241.228.148 - mailcious
216.58.200.67
172.217.174.206
172.217.24.201
216.58.220.195
172.217.26.137
|
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2021-04-07 09:33
|
 real.wsf 6587e06aed7a51ec54d73394cf3b8d9dVirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder DNS |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
6.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2021-04-07 09:33
|
 deal.wsf aad06a91c13f3f118b9c1a23b0af4f87VirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
|
|
|
5.6 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2021-04-07 09:47
|
 real.wsf 6587e06aed7a51ec54d73394cf3b8d9dVirusTotal Malware Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder |
|
|
|
|
5.6 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2021-04-08 19:43
|
 zender.txt 5db24413257332efd03849b64f49b2c1
Antivirus Code Injection Check memory Creates executable files exploit crash unpack itself Windows utilities suspicious process Windows Exploit DNS crashed |
|
3
79.141.170.43
104.26.13.31
104.192.141.1 - mailcious
|
|
|
6.4 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2021-04-23 13:10
|
 index.html f80e9553e5387cb4fcb09a9094416f4dCode Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
4
http://d3js.org/d3.v4.js
https://d3js.org/d3.v4.js
https://d3js.org/d3-scale-chromatic.v1.min.js
https://d3js.org/d3-geo-projection.v2.min.js
|
2
d3js.org(104.26.7.30)
104.26.6.30
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2021-04-23 13:42
|
 index.html f80e9553e5387cb4fcb09a9094416f4dCode Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
4
http://d3js.org/d3.v4.js
https://d3js.org/d3.v4.js
https://d3js.org/d3-scale-chromatic.v1.min.js
https://d3js.org/d3-geo-projection.v2.min.js
|
2
d3js.org(104.26.6.30)
104.26.6.30
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2021-04-23 13:56
|
 index.html f80e9553e5387cb4fcb09a9094416f4dCode Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
4
http://d3js.org/d3.v4.js
https://d3js.org/d3.v4.js
https://d3js.org/d3-scale-chromatic.v1.min.js
https://d3js.org/d3-geo-projection.v2.min.js
|
2
d3js.org(172.67.73.126)
172.67.73.126
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2021-04-26 18:00
|
 file 45a0cfbd6749929ebd451bd5a04120e4Code Injection Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
9
https://www.googletagmanager.com/gtag/js?id=UA-829541-1
https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T
https://www.aaxdetect.com/pxext.gif
https://c.aaxads.com/aax.js?pub=AAX3221EY&hst=&ver=1.2
https://www.google-analytics.com/plugins/ua/ec.js
https://c.aaxads.com/pxusr.gif
https://cdn.otnolatrnup.com/Scripts/infinity.js.aspx?guid=5ff0fb62-0643-4ff1-aaee-c737f9ffc0e0
https://www.google-analytics.com/analytics.js
https://l3.aaxads.com/log?___stu13p=aveoaamactga5dnnuee25ti2rm86bcrodqacb&lwbsh=AAX&dewh=SSP_CLIENT_control&dgeg=0&dgw=desktop&flg=AAX3221EY&fw=YONGDONG&ff=KR&xjg=4&dss=0&skw=899&slg=8PR6YK195&gq=&vhuyqdph=rtb-nv-dcos-ssp-10-6-46-228-14293&vg=-1&vyu=042211_229_042211_95_ssp&vf=&yhuvlrq=4&yk=899&yz=1365&yvlg=&ylg=00001619427471141029496787422051&vvsDeExfnhw=CONTROL&qsd=0&oz=0&gdss=green&uwbsh=&jgsu_hqi=1&fvha=0&jgivwu=&jgsu=0&fvvwu=&wfi_fps=&wfi_vwdwxv=&wfi_sus=&vxf=0&xvs_hqi=1&xvs_vwdwxv=0&xvs_ogi=&xvs_vwulqj=&xifd=-1&frssd_vwdwxv=&frssd_dssolhg=&jixqgo=1600&jwg=100&lqlg=&qjixqgo=1700&ugo=800&lg_ghwdlov=°=2&gvwduw=138&ghqg=420&sf=&uhtxuo=file%3A%2F%2F%2FC%3A%2FUsers%2Ftest22%2FAppData%2FLocal%2FTemp%2Ffile.html&nzui=
|
17
www.googletagmanager.com(142.250.196.104)
www.aaxdetect.com(104.75.34.8)
c.aaxads.com(104.75.22.243)
translate.google.com(172.217.26.46)
cdn.otnolatrnup.com(104.19.214.37)
l3.aaxads.com(104.75.22.243)
static.mediafire.com(104.16.202.237)
www.google-analytics.com(216.58.197.174)
104.19.215.37
142.250.66.110
104.16.203.237 - mailcious
142.250.204.142
216.58.197.110
104.75.34.8
104.75.22.243
142.250.204.72
104.16.202.237 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
6.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2021-04-27 09:13
|
 JNhUwWi6 1f76d9e2358dcba1670b35ce61d7bd96
Antivirus VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key |
1
https://gist.githubusercontent.com/1kingspy/af97c0b7658b52f4180c19160c52b767/raw/703ed4925d63aaa92912496452dc8a2f82217db1/gistfile1.txt
|
2
gist.githubusercontent.com(185.199.111.133) - mailcious
185.199.108.133 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.8 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2021-04-27 09:14
|
 JNhUwWi6.html 1f76d9e2358dcba1670b35ce61d7bd96
Antivirus VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS Cryptographic key |
1
https://gist.githubusercontent.com/1kingspy/af97c0b7658b52f4180c19160c52b767/raw/703ed4925d63aaa92912496452dc8a2f82217db1/gistfile1.txt
|
2
gist.githubusercontent.com(185.199.109.133) - mailcious
185.199.111.133 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
7 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2021-04-29 09:23
|
 4.html a5b6964b3df390bbc68275fae8aacf51VirusTotal Malware crashed |
|
|
|
|
0.8 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|