Sandbox submission listing (source column: ZeroCERT), 15 entries, newest first.

Field labels are inferred from the listing's column order: submit time, file name (the listing truncates long names with "..."), MD5, behaviour tags (kept verbatim as one space-separated string), URLs contacted, hosts contacted, Suricata alert names, one unlabelled URL field (present only in entry 6), score, verdict flag (M), and the number shown alongside the VirusTotal tag (read here as the detection count). A dash means the field was empty in the listing. Host annotations "mailcious" were corrected to "malicious".

#1   2025-04-15 09:45   loader.hta   MD5 3d38ab222579d17632acd5d383490a05
     Tags: Check memory RWX flags setting unpack itself Tofsee DNS
     URLs (0): -
     Hosts (3): github.githubassets.com(185.199.108.154); 185.199.110.154; 92.255.85.2 - malware
     Alerts (2): ET DROP Spamhaus DROP Listed Traffic Inbound group 13; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
     Score 1.6   Flag -   VT -   ZeroCERT

#2   2025-04-11 15:34   wecashourdrgoodnewthingsgoodbu...   MD5 49a635b773f1351cdb4e4fb457e5008b
     Tags: Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
     URLs (1): http://172.245.208.21/342/csrss.exe
     Hosts (1): 172.245.208.21 - malicious
     Alerts (4): ET INFO Executable Download from dotted-quad Host; ET HUNTING Suspicious csrss.exe in URI; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
     Score 13.0   Flag M   VT 30   ZeroCERT

#3   2025-04-11 15:34   hhu.hta   MD5 852ff9407aae6f2ef4fc6c61c8b6a815
     Tags: Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
     URLs (1): http://104.168.7.18/701/csrss.exe
     Hosts (1): - (count shown, no host listed)
     Alerts (4): ET INFO Executable Download from dotted-quad Host; ET HUNTING Suspicious csrss.exe in URI; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
     Score 13.0   Flag M   VT 31   ZeroCERT

#4   2025-04-09 11:14   weneedbestthingswithgreatnewse...   MD5 69a8457d73f1171b37da05e4c9869b05
     Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM VBScript Code Injection Check memory wscript.exe payload download Creates executable files suspicious process malicious URLs Tofsee DNS Dropper
     URLs (1): https://paste.ee/d/gckekFMQ/0
     Hosts (2): paste.ee(23.186.113.60) - malicious; 23.186.113.60 - malicious
     Alerts (4): ET INFO TLS Handshake Failure; ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
     Score 10.0   Flag -   VT -   ZeroCERT

#5   2025-04-09 10:42   greatnicegirlbackontheearthwit...   MD5 efb65d67dc764eb12f65fc12dd8eb542
     Tags: Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware VBScript powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger heapspray wscript.exe payload download Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key Dropper
     URLs (2): http://192.3.23.235/xampp/javn/newthingsonhereforgetrockgain.gif; https://paste.ee/d/pjDmf0Pi
     Hosts (3): paste.ee(23.186.113.60) - malicious; 192.3.23.235; 23.186.113.60 - malicious
     Alerts (4): ET INFO TLS Handshake Failure; ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
     Score 10.0   Flag -   VT 13   ZeroCERT

#6   2025-04-03 10:55   wecaninsertforgoodforeeturnche...   MD5 d7a6bc4df00171791fbcbf33763bf5cb
     Tags: Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM VBScript powershell suspicious privilege Code Injection Check memory Checks debugger wscript.exe payload download Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Dropper
     URLs (3): https://pastefy.app/SXZ0OaCN/raw - rule_id: 44909; https://pastefy.app/SXZ0OaCN/raw; http://192.3.101.146/xam
     Hosts (3): pastefy.app(104.21.49.12); 104.21.49.12; 192.3.101.146 - malicious
     Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
     Unlabelled URL field (1): https://pastefy.app/SXZ0OaCN/raw
     Score 10.0   Flag -   VT -   ZeroCERT

#7   2025-03-28 15:15   sfmw.hta   MD5 f32e7891e2cfc58230057a506325c3c8
     Tags: AntiDebug AntiVM PowerShell VirusTotal Malware powershell Code Injection RWX flags setting unpack itself Windows utilities suspicious process Windows
     URLs (0): -
     Hosts (0): -
     Alerts (0): -
     Score 5.2   Flag -   VT 3   ZeroCERT

#8   2025-03-27 11:09   tarksloader.hta   MD5 3ffacc93b7d3de5d0d47f31853807f49
     Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting unpack itself Windows utilities Tofsee Windows
     URLs (1): http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
     Hosts (4): cacerts.digicert.com(118.214.79.16); github.githubassets.com(185.199.108.154); 23.36.55.181; 185.199.108.154
     Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
     Score 2.6   Flag -   VT -   ZeroCERT

#9   2025-03-27 10:49   globalshippingservice.hta   MD5 fba293bd1c8fecdb94afa3c5089fdf7a
     Tags: Generic Malware Antivirus AntiDebug AntiVM PowerShell PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
     URLs (1): http://107.174.231.211/333/cvnn.exe
     Hosts (1): - (count shown, no host listed)
     Alerts (3): ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
     Score 11.8   Flag -   VT 32   ZeroCERT

#10  2025-03-27 10:46   givemebestthingsforgivemebest....   MD5 2d104c8499a3ab875902770edcbbc899
     Tags: Generic Malware Antivirus AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
     URLs (1): http://172.245.123.32/70/smss.exe
     Hosts (1): - (count shown, no host listed)
     Alerts (4): ET INFO Executable Download from dotted-quad Host; ET HUNTING Suspicious smss.exe in URI; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
     Score 11.6   Flag -   VT 28   ZeroCERT

#11  2025-03-27 10:46   bestkissingdayswithgreatnicebe...   MD5 69acfbaa7a154e390ee9e1b270b90a32
     Tags: Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware VBScript powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Windows ComputerName DNS Cryptographic key
     URLs (1): http://192.3.216.141/vvvvvvonstraints.vbs
     Hosts (1): - (count shown, no host listed)
     Alerts (1): ET INFO Dotted Quad Host VBS Request
     Score 11.8   Flag -   VT 33   ZeroCERT

#12  2025-03-27 10:33   tarksloader.hta   MD5 cc3c0e6f75302fb6c2d9b5e7f487efe8
     Tags: VirusTotal Malware Check memory RWX flags setting unpack itself WriteConsoleW Tofsee Windows
     URLs (1): https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe
     Hosts (2): github.com(20.200.245.247); 20.200.245.247
     Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
     Score 3.0   Flag -   VT 23   ZeroCERT

#13  2025-03-27 10:29   goodgirlwithbestbattingwithgoo...   MD5 febc29c5bb6fc7a34e6965a539041138
     Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware VBScript Code Injection Check memory wscript.exe payload download Creates executable files RWX flags setting unpack itself suspicious process malicious URLs Tofsee DNS Dropper
     URLs (1): https://paste.ee/d/z3l8M6zb/0
     Hosts (2): paste.ee(23.186.113.60); 23.186.113.60
     Alerts (4): ET INFO TLS Handshake Failure; ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
     Score 10.0   Flag -   VT 18   ZeroCERT

#14  2025-03-27 10:28   tarksloader.hta   MD5 3ffacc93b7d3de5d0d47f31853807f49
     Tags: Check memory RWX flags setting unpack itself Tofsee
     URLs (0): -
     Hosts (2): github.githubassets.com(185.199.109.154); 185.199.111.154
     Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
     Score 1.0   Flag -   VT -   ZeroCERT

#15  2025-03-27 09:52   creatingbestthingsforhisbestst...   MD5 287ddf351810cc030f2eca5307052023
     Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM VirusTotal Malware VBScript Code Injection Check memory wscript.exe payload download Creates executable files suspicious process malicious URLs Tofsee DNS Dropper
     URLs (1): https://paste.ee/d/c30NOIBR/0
     Hosts (2): paste.ee(23.186.113.60); 23.186.113.60
     Alerts (4): ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee); ET POLICY Pastebin-style Service (paste .ee) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
     Score 10.0   Flag -   VT 22   ZeroCERT
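Two patterns repeat across the listing: .hta/.vbs loaders that pull a PE named after a Windows system process (csrss.exe, smss.exe) from a bare IP, and VBScript droppers that stage through paste.ee or pastefy.app. The SSLBL Tofsee JA3 alert also fires on entries 1, 8 and 14, where the only hosts contacted are github.githubassets.com, cacerts.digicert.com and their IPs, so on its own it is weak evidence. The triage helper below is an added example, not code from ZeroCERT or from any tool the listing names: it re-implements those checks in plain Python over records copied from the listing, extracts an IOC set per record, and ranks records. The flag names, weights, the list of extra system-process names and paste hosts, and the CA/CDN noise allow-list are assumptions made here.

```python
"""Triage of sandbox listing records (added example; assumptions noted inline)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Process names borrowed by payloads on the listing (csrss.exe, smss.exe)
# plus other core Windows processes (assumed generalisation of the trick).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                        "winlogon.exe", "services.exe", "wininit.exe"}
PASTE_HOSTS = {"paste.ee", "pastefy.app", "pastebin.com"}   # last one assumed
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".vbs", ".hta", ".ps1", ".scr")
INFRA_NOISE = {"cacerts.digicert.com", "github.githubassets.com"}  # assumed benign
WEIGHTS = {"exe-from-dotted-quad": 3, "system-process-name-in-uri": 3,  # assumed
           "paste-site-staging": 2, "spamhaus-drop": 2,
           "pe-download-seen": 1, "ja3-blocklist": 1}
HOST_RE = re.compile(r"^([A-Za-z0-9.-]+)\((\d{1,3}(?:\.\d{1,3}){3})\)$")


def is_dotted_quad(host):
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def url_flags(url):
    """Flags for one URL; a trailing note such as ' - rule_id: N' is ignored."""
    parts = urlsplit(url.split()[0])
    host = (parts.hostname or "").lower()
    basename = parts.path.lower().rsplit("/", 1)[-1]
    flags = set()
    if is_dotted_quad(host) and basename.endswith(PAYLOAD_EXTENSIONS):
        flags.add("exe-from-dotted-quad")
    if basename in SYSTEM_PROCESS_NAMES:
        flags.add("system-process-name-in-uri")
    if host in PASTE_HOSTS or any(host.endswith("." + h) for h in PASTE_HOSTS):
        flags.add("paste-site-staging")
    return flags


def alert_flags(alerts):
    """Map the listing's Suricata alert names onto the same flag vocabulary."""
    flags = set()
    for alert in alerts:
        if "Malicious JA3" in alert:
            flags.add("ja3-blocklist")
        if "Spamhaus DROP" in alert:
            flags.add("spamhaus-drop")
        if "Executable Download from dotted-quad" in alert or "MZ Response" in alert:
            flags.add("pe-download-seen")
    return flags


def parse_host(entry):
    """'domain(ip)', bare ip or bare domain -> (domain, ip); drops ' - malicious'."""
    token = entry.split(" - ")[0].strip()
    m = HOST_RE.match(token)
    if m:
        return m.group(1).lower(), m.group(2)
    if is_dotted_quad(token):
        return None, token
    return token.lower(), None


def triage(record):
    """Return flags, IOC set, numeric score and priority for one record."""
    flags = alert_flags(record["alerts"])
    for url in record["urls"]:
        flags |= url_flags(url)
    parsed = [parse_host(h) for h in record["hosts"]]
    noise_ips = {ip for dom, ip in parsed if dom in INFRA_NOISE and ip}
    iocs = {"md5": {record["md5"]}, "urls": {u.split()[0] for u in record["urls"]},
            "ips": set(), "domains": set()}
    for dom, ip in parsed:
        if dom in INFRA_NOISE or ip in noise_ips:
            continue  # CA/CDN traffic from the sandbox itself, not an indicator
        if dom:
            iocs["domains"].add(dom)
        if ip:
            iocs["ips"].add(ip)
    score = sum(WEIGHTS[f] for f in flags)
    priority = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"flags": flags, "iocs": iocs, "score": score, "priority": priority}


# Records copied from the listing (entries 1, 2, 4 and 8).
RECORDS = [
    {"md5": "3d38ab222579d17632acd5d383490a05", "urls": [],
     "hosts": ["github.githubassets.com(185.199.108.154)", "185.199.110.154",
               "92.255.85.2 - malware"],
     "alerts": ["ET DROP Spamhaus DROP Listed Traffic Inbound group 13",
                "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
    {"md5": "49a635b773f1351cdb4e4fb457e5008b",
     "urls": ["http://172.245.208.21/342/csrss.exe"], "hosts": ["172.245.208.21 - malicious"],
     "alerts": ["ET INFO Executable Download from dotted-quad Host",
                "ET HUNTING Suspicious csrss.exe in URI",
                "ET POLICY PE EXE or DLL Windows file download HTTP",
                "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"]},
    {"md5": "69a8457d73f1171b37da05e4c9869b05", "urls": ["https://paste.ee/d/gckekFMQ/0"],
     "hosts": ["paste.ee(23.186.113.60) - malicious", "23.186.113.60 - malicious"],
     "alerts": ["ET INFO TLS Handshake Failure",
                "ET POLICY Pastebin-style Service (paste .ee) in TLS SNI",
                "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
                "ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)"]},
    {"md5": "3ffacc93b7d3de5d0d47f31853807f49",
     "urls": ["http://cacerts.digicert.com/DigiCertGlobalRootG2.crt"],
     "hosts": ["cacerts.digicert.com(118.214.79.16)", "github.githubassets.com(185.199.108.154)",
               "23.36.55.181", "185.199.108.154"],
     "alerts": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
]

if __name__ == "__main__":
    for rec in sorted(RECORDS, key=lambda r: -triage(r)["score"]):
        t = triage(rec)
        print(f"{t['priority']:6} {t['score']:2} {rec['md5']} {sorted(t['flags'])}")
```

Entry 2 ranks high on the URL alone (PE from a dotted-quad host, system-process name in the path); the paste.ee dropper ranks medium; the tarksloader.hta entry that only touches DigiCert and the GitHub CDN ranks low and contributes no domain IOCs, because the noise allow-list also suppresses the bare IPs that the listing pairs with those domains. Bare CDN IPs that appear without their domain (185.199.110.154 in entry 1) still get through, so review the IP set before feeding it to a blocklist.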