1 | 2024-07-03 18:27 | IEnetCache.hta | MD5 23944bdd42dd1973f4cebc54defbccd0
Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
URLs (1): http://198.46.178.137/22033/igccu.exe
Hosts: 1
IDS alerts (3): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 12.0 | 13 | ZeroCERT

2 | 2024-06-24 11:04 | a.hta | MD5 2114cf2cbdbbbdd823bf2bf4db1551c0
Tags: Check memory RWX flags setting ComputerName
URLs (2): http://81.71.147.158/a.dll; http://81.71.147.158/a.exe
Score: 0.8 | ZeroCERT

3 | 2024-06-09 09:21 | wow123.hta | MD5 21164aaeeaaa2a4a6e77798aa82d5c7c
Tags: Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key
URLs: 15
Hosts: 17
IDS alerts (6): ET MALWARE FormBook CnC Checkin (GET) M5; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Flagged URLs: 13
Score: 13.4 | M | 27 | ZeroCERT

4 | 2024-06-05 09:26 | dion.hta | MD5 24be5183dd56c3d08bae8625fba83aaa
Tags: Formbook Gen1 Generic Malware Suspicious_Script_Bin Process Kill Antivirus Malicious Library FindFirstVolume CryptGenKey UPX Malicious Packer PowerShell PE File DLL PE32 Device_File_Check OS Processor Check FormBook Browser Info Stealer Malware download Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key crashed
URLs: 4
Hosts (4): www.3xfootball.com(154.215.72.110) - malicious; 45.33.6.223; 198.23.201.89 - malware; 154.215.72.110 - malicious
IDS alerts (5): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE FormBook CnC Checkin (GET) M5
Flagged URLs (2): http://www.3xfootball.com/fo8o/; http://www.3xfootball.com/fo8o/
Score: 13.4 | M | ZeroCERT

5 | 2024-06-05 09:18 | Quote.hta | MD5 cd5915bac2ea167ddb7bcc2ae9ceab78
Tags: Formbook Generic Malware Antivirus Malicious Library PowerShell PE File DLL PE32 FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key
URLs: 16
Hosts: 17
IDS alerts (5): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE FormBook CnC Checkin (GET) M5
Flagged URLs: 14
Score: 13.4 | M | 28 | ZeroCERT

6 | 2024-05-31 10:17 | reverse_tcp_uuid.hta | MD5 b177937631436154e4bbf6f577e127ed
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Windows ComputerName DNS Cryptographic key
Hosts: 1
Score: 7.4 | M | 37 | ZeroCERT

7 | 2024-05-31 10:16 | bind_tcp.hta | MD5 248aa4289e3739f172987f89212e4093
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
Score: 6.0 | M | 36 | ZeroCERT

8 | 2024-05-31 10:12 | bind_tcp_uuid.hta | MD5 bce1078c57268ef42732dc651d2049c9
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
Score: 6.0 | M | 38 | ZeroCERT

9 | 2024-05-30 10:22 | logista.hta | MD5 976649b232d3525dd239f7139a65dd92
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process suspicious TLD Windows ComputerName Cryptographic key
Hosts (2): poopy.aarkhipov.ru(92.63.193.141); 92.63.193.141
Score: 5.8 | M | 36 | ZeroCERT

10 | 2024-05-28 11:40 | zxcv.exe | MD5 99de2efc5673d2d9b51f54570e7cf3f2
Tags: Antivirus AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts: 16
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 6.2 | M | ZeroCERT

11 | 2024-05-28 09:50 | rooming.hta | MD5 5f0dd9ef756c02785e681153c17ee786
Tags: Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
Hosts (3): foundationforwomenshealth.com(148.251.146.162) - malicious; 23.52.33.11; 148.251.146.162 - malicious
IDS alerts (3): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 7.6 | M | ZeroCERT

12 | 2024-05-28 09:46 | room5.hta | MD5 d3c362ce51282a6583d86fd69a578c89
Tags: Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
URLs: 1
Hosts (5): x1.i.lencr.org(23.52.33.11); eduaiqi.uz(83.69.139.250) - malicious; 23.52.33.11; 104.192.108.137; 83.69.139.250 - malicious
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.0 | M | ZeroCERT

13 | 2024-05-28 09:32 | asdf.exe | MD5 851b09408fb8c6d26d4bba579cc8a8ab
Tags: AntiDebug AntiVM MSOffice File Code Injection ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts: 14
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 6.2 | M | ZeroCERT

14 | 2024-05-24 09:44 | room4.hta | MD5 409f1bada32d81974fd8606be4cbc943
Tags: Generic Malware Antivirus Malicious Library PowerShell PE File PE32 DLL FormBook Browser Info Stealer Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows Browser ComputerName DNS Cryptographic key
URLs: 16
Hosts: 17
IDS alerts (5): ET MALWARE FormBook CnC Checkin (GET) M5; ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 14.6 | M | 27 | ZeroCERT

15 | 2024-05-23 18:08 | 1.hta | MD5 a77becccca5571c00ebc9e516fd96ce8
Tags: AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
IDS alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
Score: 4.6 | 25 | ZeroCERT