16 |
2024-07-03 19:02
|
file_ahstznsa.ob0.txt.ps1 478b1ac88592f59f8a1d4cb790120c38 Generic Malware Antivirus VirusTotal Malware powershell Malicious Traffic unpack itself Check virtual network interfaces Tofsee ComputerName |
2
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 - rule_id: 40876
http://23.95.235.16/33011/WDF.txt
|
2
uploaddeimagens.com.br(172.67.215.45) - malware 172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg
|
3.6 |
M |
9 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
17 |
2024-07-03 18:47
|
uho.uouo.uououo.doc 9904916ce3549610216e99d83e7e2135 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit Java DNS crashed |
3
http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt http://23.95.235.16/33011/greatideaforfollowers.gif https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235 - rule_id: 40876
|
4
uploaddeimagens.com.br(104.21.45.138) - malware 23.95.235.16 - mailcious 91.92.254.29 172.67.215.45 - malware
|
4
ET DROP Spamhaus DROP Listed Traffic Inbound group 13 ET MALWARE Malicious Base64 Encoded Payload In Image SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET WEB_CLIENT Obfuscated Javascript // ptth
|
1
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg
|
5.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
18 |
2024-07-03 11:27
|
Video HD (1080p).lnk e694422f9ae9a4bf93258f6376db4292 Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell ZIP Format VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut RWX flags setting unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Interception Windows ComputerName Cryptographic key |
4
https://matodown.b-cdn.net/K2.zip https://mato2.b-cdn.net/matodown - rule_id: 40855 https://mato2.b-cdn.net/matodown https://matodown.b-cdn.net/K1.zip
|
4
matodown.b-cdn.net(143.244.49.183) mato2.b-cdn.net(143.244.50.214) 169.150.225.43 212.102.50.49
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://mato2.b-cdn.net/matodown
|
11.6 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
19 |
2024-07-03 10:46
|
Update.js cbca476a716c76cf629b3428ee9c3f43VBScript wscript.exe payload download Tofsee crashed Dropper |
1
https://yeo.fans.smalladventureguide.com/orderReview
|
2
yeo.fans.smalladventureguide.com(162.252.175.117) 162.252.175.117 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
10.0 |
|
|
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
20 |
2024-07-03 10:42
|
archive.rar 9d10f6f08ae1cc016c10b09007063417 Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM VirusTotal Cryptocurrency Miner Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee Windows Discord DNS CoinMiner |
10
http://5.42.99.177/api/crazyfish.php - rule_id: 40006
http://apps.identrust.com/roots/dstrootcax3.p7c
http://80.78.242.100/d/525403
http://5.42.99.177/api/twofish.php - rule_id: 40008
http://x1.i.lencr.org/
https://steamcommunity.com/profiles/76561199707802586 - rule_id: 40674
https://lop.foxesjoy.com/ssl/crt.exe - rule_id: 40188
https://db-ip.com/demo/home.php?s=
http://77.105.133.27/download/th/space.php
http://77.105.133.27/download/123p.exe
|
35
db-ip.com(172.67.75.166)
monoblocked.com(45.130.41.108) - malware
api64.ipify.org(173.231.16.77)
api.myip.com(172.67.75.163)
steamcommunity.com(104.100.64.90) - mailcious
lop.foxesjoy.com(104.21.66.124) - malware
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.186.192)
x1.i.lencr.org(23.35.220.247)
bitbucket.org(104.192.141.1) - malware
cdn.discordapp.com(162.159.133.233) - malware
vk.com(87.240.132.67) - mailcious
iplogger.org(104.21.4.208) - mailcious
pool.hashvault.pro(142.202.242.45) - mailcious 104.71.154.102
104.26.5.15
149.154.167.99 - mailcious
23.201.35.155
34.117.186.192
125.253.92.50
104.26.8.59
162.159.130.233 - malware
104.21.66.124 - malware
45.130.41.108 - malware
104.237.62.213
77.91.77.80 - malware
104.192.141.1 - mailcious
121.254.136.9
80.78.242.100 - mailcious
37.27.31.150
5.42.99.177 - mailcious
23.41.113.9
77.105.133.27 - mailcious
87.240.132.72 - mailcious
172.67.132.113
|
17
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) SURICATA Applayer Mismatch protocol both directions ET INFO Executable Download from dotted-quad Host ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET HUNTING Redirect to Discord Attachment Download ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
4
http://5.42.99.177/api/crazyfish.php http://5.42.99.177/api/twofish.php https://steamcommunity.com/profiles/76561199707802586 https://lop.foxesjoy.com/ssl/crt.exe
|
6.0 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
21 |
2024-07-03 09:40
|
outbyte-driver-updater.exe 19e7819eb886414b6bcab23db00541ec Gen1 HermeticWiper Generic Malware PhysicalDrive Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE File PE32 MZP Format OS Processor Check Lnk Format GIF Format DLL PE64 MSOffice File DllRegisterServer dll ftp Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Checks Bios AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee GameoverP2P Zeus Windows Browser ComputerName Trojan Banking crashed |
1
https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg
|
9
ssl.outbyte.com(45.33.97.245) api.outbyte.com(192.155.86.205) outbyte.com(45.33.97.245) du.outbyte.com(51.81.185.149) www.google-analytics.com(142.250.206.206) 142.250.207.78 51.81.185.149 45.33.97.245 192.155.86.205
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
11.6 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
22 |
2024-07-03 09:37
|
Fortect.exe 745dfc19a7a8ce32812211f17b792fa6 Gen1 RedLine stealer Emotet NSIS Generic Malware Suspicious_Script_Bin Downloader Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Antivirus Anti_VM Javascript_Blob PE File PE32 OS Processor Check DLL PNG Format JPEG Format Lnk For VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut RWX flags setting unpack itself Auto service AppData folder AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Ransomware Windows ComputerName DNS Software |
11
https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=PKAOK¶m=ServiceRunning<*> https://app.fortect.com/events/version.php?data=json&sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&installed= https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=INSVR¶m=6.5.0.2<*> https://app.fortect.com/ev-install-start/ev-install-start.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502 https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=INSST¶m=Downloader%20Started<*> https://app.fortect.com/ev-install-end/ev-install-end.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502 https://cloud.fortect.com/app/installation/engine/6502/FortectSetup64.7z https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=LANG¶m=1042<*>ko<*> https://app.fortect.com/events/evt_scan.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=AUINS¶m=service%20installed<*>0<*>6.5.0.2<*> https://app.fortect.com/events/events.php?sessionid=f1b9f267bedbe168cfcb3bfb1c77135727786305941307e07605b667634ea6d5&minorsessionid=1a01b5d2-41ab-4436-85e7-b2c4a1bb783c&os=7&build=7601&architecture=64&version=6502&id=INSRN¶m=6.5.0.2<*> https://cloud.fortect.com/app/installation/service/6502/FortectProtection64.7z
|
6
service.fortect.com(104.26.3.16) app.fortect.com(104.26.2.16) cloud.fortect.com(172.67.75.40) 104.26.3.16 - mailcious 172.67.75.40 - mailcious 104.26.2.16 - mailcious
|
3
ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com)
|
|
8.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
23 |
2024-07-03 09:29
|
outbyte-driver-updater.exe 19e7819eb886414b6bcab23db00541ec Gen1 Generic Malware PhysicalDrive Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE File PE32 MZP Format OS Processor Check DLL DllRegisterServer dll ftp PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Checks Bios AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee |
1
https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg
|
4
outbyte.com(45.33.97.245) www.google-analytics.com(142.250.207.110) 142.251.130.14 45.33.97.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
24 |
2024-07-03 08:17
|
F.exe e501c275814bfcb58fe845c38227d5c5 Emotet Gen1 Generic Malware PhysicalDrive NSIS NMap Malicious Library Antivirus UPX Malicious Packer Admin Tool (Sysinternals etc ...) Downloader .NET framework(MSIL) ASPack Anti_VM Javascript_Blob PE File PE32 MZP Format OS Processor Check DllRegisterSer Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Browser Advertising Google ComputerName DNS Cryptographic key DDNS crashed keylogger |
7
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
|
11
drive.usercontent.google.com(142.250.206.193) - mailcious
docs.google.com(172.217.25.174) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - mailcious 142.251.220.78
69.42.215.252
142.250.66.142
142.251.220.1
142.251.220.33
162.125.84.18 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
|
|
10.8 |
M |
68 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
25 |
2024-07-03 08:13
|
Build.exe 2f6f4f9674c6721b5ea8319ed90a8f20 Emotet Gen1 Generic Malware PhysicalDrive NSIS NMap Malicious Library Downloader UPX Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus .NET framework(MSIL) ASPack Anti_VM Javascript_Blob PE File PE32 MZP Format OS Processor Check DllRegisterSer Browser Info Stealer VirusTotal Malware AutoRuns Check memory Creates executable files unpack itself suspicious process AppData folder installed browsers check Tofsee Windows Browser Advertising Google ComputerName Trojan DNS DDNS crashed keylogger |
7
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
|
10
drive.usercontent.google.com(142.250.207.97) - mailcious
docs.google.com(172.217.25.174) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - mailcious 142.251.220.78
45.141.26.232 - mailcious
142.251.220.1
69.42.215.252
162.125.84.18 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
M |
69 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
26 |
2024-07-03 08:09
|
don701.exe 6a1ff8c93c4d4ba50c8145a354b5c586 AgentTesla Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Gmail Browser Email ComputerName Cryptographic key crashed keylogger |
|
2
smtp.gmail.com(74.125.23.109) 173.194.174.109
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.6 |
M |
56 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
27 |
2024-07-03 08:07
|
pilnmAc2.6.exe 9929a1a4d2ec5d72c028435c6b71054f Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
1
|
2
api.ipify.org(172.67.74.152) 172.67.74.152
|
3
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
28 |
2024-07-03 08:05
|
wp.exe 140e8ca7a6a6df97fe913af1adad9cbe AgentTesla Malicious Library PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Email Client Info Stealer Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Gmail Browser Email ComputerName Cryptographic key crashed keylogger |
|
2
smtp.gmail.com(74.125.23.108) 173.194.174.109
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
29 |
2024-07-02 15:58
|
Content_497179.exe 52070a9adf4787ece9b80af208603030 Gen1 Generic Malware NSIS Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE File PE32 OS Processor Check DLL icon BMP Format DllRegisterServer dll Lnk Format GIF Format ftp Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself AppData folder AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName |
1
|
2
codeonicinc.com(104.26.8.6) 172.67.69.54
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
30 |
2024-07-02 15:45
|
Content_497179.exe 52070a9adf4787ece9b80af208603030 Generic Malware NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL BMP Format Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion anti-virtualization Tofsee |
1
|
2
codeonicinc.com(104.26.8.6) 104.26.9.6
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|