46 | 2024-01-12 15:56
ppt1.hta 5b96beafe91b18688f3a3da85ab1627a
Tags: Generic Malware Antivirus UPX Hide_URL PowerShell PE File PE64 Lnk Format GIF Format ZIP Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows Exploit Email ComputerName DNS Cryptographic key crashed
URLs (1): http://194.33.191.248:7287/ssdf.pptx
Hosts (1): 194.33.191.248 - mailcious
IDS alerts (6): ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO Dotted Quad Host PPTX Request
14.4 | M | 25 | ZeroCERT

47 | 2024-01-12 15:54
docx1.hta f57918785e7cd4f430555e6efb00ff0f
Tags: Generic Malware Antivirus UPX Hide_URL PowerShell PE File PE64 ZIP Format Word 2007 file format(docx) Lnk Format GIF Format VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key
URLs (1): http://194.33.191.248:7287/qfqe.docx
Hosts (1): 194.33.191.248 - mailcious
IDS alerts (6): ET INFO Dotted Quad Host DOCX Request; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
14.0 | M | 25 | ZeroCERT

48 | 2023-12-23 03:12
SHIPMENT.html eee94ac7a87b9751276ff8a8f2dd1545
Tags: AntiDebug AntiVM MSOffice File PNG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1): https://i.gyazo.com/4522caeb250b902767ea9d7dbee510fb.png
Hosts (2): i.gyazo.com(104.18.25.163); 104.18.25.163
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | | | guest

49 | 2023-12-15 16:22
128.5.14-package.hta 715d2502c51eddfd399a63042a259634
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | | | ZeroCERT

50 | 2023-11-28 09:57
File_HTA.hta dba4ee200dd745d57b7bb1f6dcdfe8d5
Tags: Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c; https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840; http://91.92.248.130/toothpick.txt
Hosts (3): uploaddeimagens.com.br(104.21.45.138) - malware; 121.254.136.9; 104.21.45.138 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
10.0 | | 4 | ZeroCERT

51 | 2023-11-28 09:56
brAZILLLFile_HTA.hta e72b286e211eec5f15fcd218ffcc389c
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840
Hosts (3): uploaddeimagens.com.br(172.67.215.45) - malware; 121.254.136.9; 104.21.45.138 - malware
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | | 4 | ZeroCERT

52 | 2023-11-14 17:19
fridayexploit.hta d4970c65d0fc813816a54460705705cc
Tags: AgentTesla Generic Malware Antivirus KeyLogger AntiDebug AntiVM PowerShell Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName Cryptographic key
URLs (3): http://bolandraf.com/prostutefiles/droibase64mohammedupdatedfile.txt - rule_id: 38298; http://bolandraf.com/prostutefiles/droibase64mohammedupdatedfile.txt; https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg - rule_id: 37753
Hosts (4): bolandraf.com(185.221.67.27) - mailcious; imageupload.io(104.21.83.102) - malware; 185.221.67.27 - malware; 104.21.83.102 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
URLs with rule_id (2): http://bolandraf.com/prostutefiles/droibase64mohammedupdatedfile.txt; https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg
13.8 | M | | ZeroCERT

53 | 2023-11-09 10:26
123.pdf .cmd eea5227a5dae5958916a988c7bb6587b
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware Code Injection Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Windows DNS
URLs (3): http://45.32.206.198/Ha5tL/0.015310657706292918.dat; http://108.61.219.39/SVRoAEb/0.408779832117718.dat; http://45.32.223.151/qC8tr/0.4718902317874043.dat
Hosts (6): 0.9099879648721763.dat(); 0.6170589747558932.dat(); 0.69050401478444.dat(); 108.61.219.39 - mailcious; 45.32.206.198 - mailcious; 45.32.223.151 - mailcious
IDS alerts (2): ET POLICY curl User-Agent Outbound; ET HUNTING curl User-Agent to Dotted Quad
6.6 | M | 5 | ZeroCERT

54 | 2023-11-07 19:14
WinRar.exe 12ad5dac08fffe484f5bece941c6ee4e
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (2): camo.githubusercontent.com(185.199.108.133); 185.199.109.133 - mailcious
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | | | ZeroCERT

55 | 2023-10-31 17:47
lowkeeeeeFile.hta 393385547048586dc9eac0ba496b5c6a
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (2): https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg; http://185.254.37.174/droidlokiiiiiiiiiiiibase64.txt
Hosts (3): imageupload.io(104.21.83.102) - malware; 185.196.8.176 - malware; 104.21.83.102 - malware
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.6 | M | 15 | ZeroCERT

56 | 2023-10-31 17:46
XLARFQ77802578790.pdf.hta 9f5447784eb960df0833273eded3324c
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (2): https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg; http://185.254.37.174/cuzinebase64bxjhgvhsj.txt
Hosts (2): imageupload.io(104.21.83.102) - malware; 104.21.83.102 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
11.8 | M | 17 | ZeroCERT

57 | 2023-10-31 17:34
XLARFQ77802578790.pdf.hta 9f5447784eb960df0833273eded3324c
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
Hosts (2): imageupload.io(172.67.222.26) - malware; 104.21.83.102 - malware
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
11.8 | M | 17 | ZeroCERT

58 | 2023-10-31 07:55
more_page.hta 27201c15277b2147ec45620e60e73833
Tags: Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key
4.8 | | | ZeroCERT

59 | 2023-10-17 10:52
at.hta b3a69d39ea2f074e520077721b475d51
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs (1): http://91.207.183.9:8000/main.bat - rule_id: 37338
Hosts (3): www2.lunapic.com(72.9.146.243); 91.207.183.9 - mailcious; 72.9.146.243
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
URLs with rule_id (1): http://91.207.183.9:8000/main.bat
12.4 | M | 26 | ZeroCERT

60 | 2023-10-17 10:12
test.hta db2fde02752a7a3ddcbf39589acdf815
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1): http://91.207.183.9:8000/main.bat - rule_id: 37338
Hosts (1):
IDS alerts (1): ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
URLs with rule_id (1): http://91.207.183.9:8000/main.bat
10.2 | M | 25 | ZeroCERT