| 1 |
2024-07-03 18:27
|
 IEnetCache.hta 23944bdd42dd1973f4cebc54defbccd0
Generic Malware Antivirus AntiDebug AntiVM PowerShell PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key |
1
http://198.46.178.137/22033/igccu.exe
|
1
|
3
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.0 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2024-06-24 11:04
|
 a.hta 2114cf2cbdbbbdd823bf2bf4db1551c0Check memory RWX flags setting ComputerName |
2
http://81.71.147.158/a.dll
http://81.71.147.158/a.exe
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2024-06-09 09:21
|
 wow123.hta 21164aaeeaaa2a4a6e77798aa82d5c7c
Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
15
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://198.23.201.89/warm/VAT%20certificate.exe
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.kasegitai.tokyo/fo8o/?f5A0cwal=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&meE1x=FbDXUZ - rule_id: 39853
http://www.rssnewscast.com/fo8o/ - rule_id: 39857
http://www.antonio-vivaldi.mobi/fo8o/ - rule_id: 39855
http://www.rssnewscast.com/fo8o/?f5A0cwal=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&meE1x=FbDXUZ - rule_id: 39857
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
http://www.kasegitai.tokyo/fo8o/ - rule_id: 39853
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.techchains.info/fo8o/ - rule_id: 39858
http://www.goldenjade-travel.com/fo8o/?f5A0cwal=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&meE1x=FbDXUZ - rule_id: 39854
http://www.antonio-vivaldi.mobi/fo8o/?f5A0cwal=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&meE1x=FbDXUZ - rule_id: 39855
http://www.3xfootball.com/fo8o/?f5A0cwal=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&meE1x=FbDXUZ - rule_id: 39852
http://www.magmadokum.com/fo8o/?f5A0cwal=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&meE1x=FbDXUZ - rule_id: 39856
|
17
www.liangyuen528.com() - mailcious
www.magmadokum.com(85.159.66.93) - mailcious
www.techchains.info(66.29.149.46) - mailcious
www.kasegitai.tokyo(202.172.28.202) - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi(46.30.213.191) - mailcious
www.rssnewscast.com(91.195.240.94) - mailcious
202.172.28.202 - mailcious
85.159.66.93 - mailcious
116.50.37.244 - mailcious
46.30.213.191 - mailcious
66.29.149.46 - mailcious
198.23.201.89 - malware
45.33.6.223
91.195.240.94 - phishing
154.215.72.110 - mailcious
|
6
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
13
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.techchains.info/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.3xfootball.com/fo8o/
http://www.magmadokum.com/fo8o/
|
13.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2024-06-05 09:26
|
 dion.hta 24be5183dd56c3d08bae8625fba83aaa
Formbook Gen1 Generic Malware Suspicious_Script_Bin Process Kill Antivirus Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PowerShell PE File DLL PE32 Device_File_Check OS Processor Check FormBook Browser Info Stealer Malware download Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key crashed |
4
http://198.23.201.89/warm/Auto%20R.exe
http://www.3xfootball.com/fo8o/?9LnGaVx=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&9KJ=FLmtL7Haabh3IASW - rule_id: 39852
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
http://www.3xfootball.com/fo8o/ - rule_id: 39852
|
4
www.3xfootball.com(154.215.72.110) - mailcious
45.33.6.223
198.23.201.89 - malware
154.215.72.110 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET) M5
|
2
http://www.3xfootball.com/fo8o/
http://www.3xfootball.com/fo8o/
|
13.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2024-06-05 09:18
|
 Quote.hta cd5915bac2ea167ddb7bcc2ae9ceab78
Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
16
http://198.23.201.89/warm/quote.exe
http://www.goldenjade-travel.com/fo8o/?oRtj25=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&lR=TJtS0SjWYL-G11_ - rule_id: 39854
http://www.antonio-vivaldi.mobi/fo8o/?oRtj25=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&lR=TJtS0SjWYL-G11_ - rule_id: 39855
http://www.magmadokum.com/fo8o/ - rule_id: 39856
http://www.3xfootball.com/fo8o/ - rule_id: 39852
http://www.rssnewscast.com/fo8o/ - rule_id: 39857
http://www.techchains.info/fo8o/ - rule_id: 39858
http://www.magmadokum.com/fo8o/?oRtj25=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&lR=TJtS0SjWYL-G11_ - rule_id: 39856
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
http://www.kasegitai.tokyo/fo8o/ - rule_id: 39853
http://www.goldenjade-travel.com/fo8o/ - rule_id: 39854
http://www.rssnewscast.com/fo8o/?oRtj25=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&lR=TJtS0SjWYL-G11_ - rule_id: 39857
http://www.antonio-vivaldi.mobi/fo8o/ - rule_id: 39855
http://www.techchains.info/fo8o/?oRtj25=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&lR=TJtS0SjWYL-G11_ - rule_id: 39858
http://www.3xfootball.com/fo8o/?oRtj25=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&lR=TJtS0SjWYL-G11_ - rule_id: 39852
http://www.kasegitai.tokyo/fo8o/?oRtj25=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&lR=TJtS0SjWYL-G11_ - rule_id: 39853
|
17
www.liangyuen528.com() - mailcious
www.magmadokum.com(85.159.66.93) - mailcious
www.techchains.info(66.29.149.46) - mailcious
www.kasegitai.tokyo(202.172.28.202) - mailcious
www.3xfootball.com(154.215.72.110) - mailcious
www.goldenjade-travel.com(116.50.37.244) - mailcious
www.antonio-vivaldi.mobi(46.30.213.191) - mailcious
www.rssnewscast.com(91.195.240.94) - mailcious
202.172.28.202 - mailcious
85.159.66.93 - mailcious
116.50.37.244 - mailcious
46.30.213.191 - mailcious
66.29.149.46 - mailcious
198.23.201.89 - malware
45.33.6.223
91.195.240.94 - phishing
154.215.72.110 - mailcious
|
5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET) M5
|
14
http://www.goldenjade-travel.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.techchains.info/fo8o/
http://www.magmadokum.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.rssnewscast.com/fo8o/
http://www.antonio-vivaldi.mobi/fo8o/
http://www.techchains.info/fo8o/
http://www.3xfootball.com/fo8o/
http://www.kasegitai.tokyo/fo8o/
|
13.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2024-05-31 10:17
|
 reverse_tcp_uuid.hta b177937631436154e4bbf6f577e127ed
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
7.4 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2024-05-31 10:16
|
 bind_tcp.hta 248aa4289e3739f172987f89212e4093
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
|
|
|
|
6.0 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2024-05-31 10:12
|
 bind_tcp_uuid.hta bce1078c57268ef42732dc651d2049c9
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key |
|
|
|
|
6.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2024-05-30 10:22
|
 logista.hta 976649b232d3525dd239f7139a65dd92
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process suspicious TLD Windows ComputerName Cryptographic key |
|
2
poopy.aarkhipov.ru(92.63.193.141)
92.63.193.141
|
|
|
5.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2024-05-28 11:40
|
 zxcv.exe 99de2efc5673d2d9b51f54570e7cf3f2
Antivirus AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
16
widget.uservoice.com(104.17.29.92)
fonts.googleapis.com(142.250.207.10)
camo.githubusercontent.com(185.199.108.133)
www.google-analytics.com(142.250.207.110)
142.251.222.202
104.17.29.92
104.17.30.92
185.199.111.133 - mailcious
104.17.27.92
216.58.200.238
104.17.28.92
104.17.31.92
104.192.108.130
216.239.38.178
104.192.108.79
172.217.25.10
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2024-05-28 09:50
|
 rooming.hta 5f0dd9ef756c02785e681153c17ee786
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
|
3
foundationforwomenshealth.com(148.251.146.162) - mailcious
23.52.33.11
148.251.146.162 - mailcious
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2024-05-28 09:46
|
 room5.hta d3c362ce51282a6583d86fd69a578c89
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
1
|
5
x1.i.lencr.org(23.52.33.11)
eduaiqi.uz(83.69.139.250) - mailcious
23.52.33.11
104.192.108.137
83.69.139.250 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2024-05-28 09:32
|
 asdf.exe 851b09408fb8c6d26d4bba579cc8a8ab
AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
14
camo.githubusercontent.com(185.199.109.133)
fonts.googleapis.com(142.250.196.106)
widget.uservoice.com(104.17.27.92)
www.google-analytics.com(142.250.206.238)
142.251.222.202
104.17.29.92
142.250.204.142
104.17.30.92
142.251.222.206
104.17.27.92
104.17.28.92
104.17.31.92
185.199.108.133 - mailcious
172.217.27.42
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
6.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2024-05-24 09:44
|
 room4.hta 409f1bada32d81974fd8606be4cbc943
Generic Malware Antivirus Malicious Library PowerShell PE File PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key |
16
http://20.86.128.223/room/rooma.exe
http://www.antonio-vivaldi.mobi/fo8o/?I0NK=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&Lw8=oat1oSv
http://www.magmadokum.com/fo8o/
http://www.3xfootball.com/fo8o/
http://www.goldenjade-travel.com/fo8o/?I0NK=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&Lw8=oat1oSv
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
http://www.rssnewscast.com/fo8o/
http://www.techchains.info/fo8o/
http://www.3xfootball.com/fo8o/?I0NK=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&Lw8=oat1oSv
http://www.magmadokum.com/fo8o/?I0NK=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&Lw8=oat1oSv
http://www.rssnewscast.com/fo8o/?I0NK=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&Lw8=oat1oSv
http://www.kasegitai.tokyo/fo8o/
http://www.goldenjade-travel.com/fo8o/
http://www.techchains.info/fo8o/?I0NK=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&Lw8=oat1oSv
http://www.antonio-vivaldi.mobi/fo8o/
http://www.kasegitai.tokyo/fo8o/?I0NK=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&Lw8=oat1oSv
|
17
www.liangyuen528.com()
www.magmadokum.com(85.159.66.93)
www.techchains.info(66.29.149.46)
www.kasegitai.tokyo(202.172.28.202)
www.3xfootball.com(154.215.72.110)
www.goldenjade-travel.com(116.50.37.244)
www.antonio-vivaldi.mobi(46.30.213.191)
www.rssnewscast.com(91.195.240.94)
202.172.28.202
85.159.66.93 - mailcious
116.50.37.244
46.30.213.191 - mailcious
66.29.149.46
91.195.240.94 - phishing
45.33.6.223
20.86.128.223 - malware
154.215.72.110
|
5
ET MALWARE FormBook CnC Checkin (GET) M5
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
14.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2024-05-23 18:08
|
 1.hta a77becccca5571c00ebc9e516fd96ce8
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|