| 31 |
2024-04-03 13:45
|
 dll.hta e81963d4c5a431f529c7669d3595a943
Malware download VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName Trojan DNS Cryptographic key Downloader |
|
2
162.19.139.184 - mailcious
210.246.215.82 - mailcious
|
7
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Suspicious BITS EXE DL From Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
|
|
6.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 32 |
2024-03-12 14:42
|
 task.exe 8abcfb35a0865848a43a0380c0fae5d1
AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
5
camo.githubusercontent.com(185.199.108.133)
fonts.googleapis.com(172.217.174.106)
185.199.109.133 - mailcious
172.217.25.10
172.217.24.106
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 33 |
2024-03-11 10:55
|
 Run.exe 49004c815f7a1ad89632e49a7031fb7f
AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
5
camo.githubusercontent.com(185.199.109.133)
fonts.googleapis.com(142.250.196.106)
142.251.222.202
142.250.207.74
185.199.108.133 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
6.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 34 |
2024-03-10 09:42
|
 Update.exe a93371515219f36bdf065ee8b1ac3ffc
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
5
camo.githubusercontent.com(185.199.108.133)
fonts.googleapis.com(172.217.175.42)
142.251.222.202
69.30.198.237
185.199.111.133 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 35 |
2024-03-03 15:19
|
 RuntimeBroker.exe 4d2c2b59e38b1a2931069db1c710134a
AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
5
camo.githubusercontent.com(185.199.108.133)
fonts.googleapis.com(172.217.26.234)
142.250.66.138
142.250.207.74
185.199.111.133 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
2024-02-18 13:38
|
 1.wsf a9d1a4189a693c4253bf20065f5a9322
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
|
1
|
2
ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
ET HUNTING PowerShell NonInteractive Command Common In Powershell Stagers
|
|
9.6 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 37 |
2024-02-14 09:36
|
 droidmonday.hta ea8358953b550dc7b331ab37f2571973
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 38 |
2024-02-13 13:49
|
 Rat%20crypted.exe 18e07baa99f5e4467c1210d2e7a9b5d7
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
camo.githubusercontent.com(185.199.108.133)
185.199.109.133 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 39 |
2024-02-05 09:44
|
 2pdf.hta 07fa373b66fc5c661bdc2e3b51b65126
AntiDebug AntiVM Code Injection RWX flags setting unpack itself Windows utilities Windows |
|
|
|
|
2.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40 |
2024-02-05 09:43
|
 1pdf.hta a46eae4ae4dc08311640997b66b5fe37
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
3 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 41 |
2024-01-30 16:22
|
 Booking.hta fc44bc846156354fa99f4f483a360bd0
Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
9.4 |
|
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 42 |
2024-01-25 16:36
|
 vLnNHh.exe 3cf7e35d135707c3c8db1e571b28f191
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
camo.githubusercontent.com(185.199.109.133)
185.199.111.133 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 43 |
2024-01-24 09:32
|
 REQUEST_FOR_QUOTATION.hta f8a7239fa4fce17853f74fcd61e24bd8
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 44 |
2024-01-16 10:04
|
 M.hta a712950af45bdc5e33863aae223c1ac6
AntiDebug AntiVM MSOffice File JPEG Format VirusTotal Malware Code Injection Check memory Checks debugger RWX flags setting exploit crash unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
2
https://mail.chapanakit-rta.com/favicon.ico
https://mail.chapanakit-rta.com/images/happynewyear.jpg
|
2
mail.chapanakit-rta.com(203.113.25.99) - mailcious
203.113.25.99 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
7.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 45 |
2024-01-13 19:40
|
 hhh.hta 6be3e8b51f47ae0b17f18c2978170c07
Generic Malware Antivirus AntiDebug AntiVM PowerShell Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://139.99.114.151/file/Explorer.exe
|
1
139.99.114.151 - mailcious
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious explorer.exe in URI
|
|
10.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|