| 46 |
2024-06-28 12:53
|
sw.w.w.w.www.doc 80e1ba7b421fd01f5319de00cf5420f7
MS_RTF_Obfuscation_Objects RTF File doc Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://198.46.178.144/wednesdayfile.jpeg
https://uploaddeimagens.com.br/images/004/805/162/original/new_image_%281%29.jpg?1719495498
https://paste.ee/d/RgwiL
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
172.67.187.200 - mailcious
198.46.178.144 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 47 |
2024-06-28 12:47
|
 intalls555.exe 7e30a1a92f86e8e0a25154b1521d0588
Antivirus UPX PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram suspicious privilege MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces AntiVM_Disk VM Disk Size Check Tofsee Windows ComputerName DNS keylogger |
|
2
api.telegram.org(149.154.167.220)
149.154.167.220
|
4
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 48 |
2024-06-28 12:45
|
 123.exe cd581d68ed550455444ee6e099c44266
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check PNG Format MSOffice File JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://x1.i.lencr.org/
https://moreapp4you.online/George.exe - rule_id: 40536
|
10
x1.i.lencr.org(23.52.33.11)
moreapp4you.online(31.31.196.208) - malware
iplogger.co(104.21.82.93)
77.91.77.81 - mailcious
23.41.113.9
31.31.196.208 - mailcious
121.254.136.74
104.21.82.93
121.254.136.9
185.215.113.67 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://moreapp4you.online/George.exe
|
12.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 49 |
2024-06-27 17:12
|
 build2.exe 335a64e110185d35bcfbc3ef86a382e9
Client SW User Data Stealer LokiBot ftp Client info stealer Generic Malware Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE File PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199695752269
https://t.me/ta904ek
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
65.21.109.161
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 50 |
2024-06-27 10:27
|
 hv.exe 6a1db4f73db4ed058c8cd7e04dfa7cc3
Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Malware Buffer PE PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
https://pastebin.com/raw/A54sKxhY - rule_id: 38719
|
3
pastebin.com(172.67.19.24) - mailcious
104.20.3.235 - malware
194.26.29.153
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://pastebin.com/raw/A54sKxhY
|
12.6 |
M |
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 51 |
2024-06-27 10:16
|
a.p.l.n.doc 6e11c40fcc227fab4b32f8c3b275b57c
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
https://paste.ee/d/i2CFj
http://91.92.244.199/xampp/apln/bringbeautifulflowerimages.gif
|
3
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
91.92.244.199 - mailcious
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 52 |
2024-06-27 10:11
|
 vi.exe baa9e1a92bab85279dca0aed641f1fa9
Malicious Library Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware Malicious Traffic Tofsee crashed |
1
https://steamcommunity.com/profiles/76561199662282318
|
4
ndearn.xyz(76.223.67.189)
steamcommunity.com(104.76.78.101) - mailcious
76.223.67.189 - mailcious
104.76.78.101 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 53 |
2024-06-27 10:05
|
b.j.c.c.cc.doc 809e5331e9ead88825e560d3077cb6da
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://91.92.244.199/xampp/bpln/catwalkbeautyalwayshavegreat.gif
https://paste.ee/d/5mZQI
|
5
paste.ee(172.67.187.200) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
172.67.187.200 - mailcious
91.92.244.199 - mailcious
207.241.232.195 - mailcious
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
5.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 54 |
2024-06-27 04:33
|
https://t.co/J5c3B3lHDS a447b2274aa6e2ebdb080e3def9263db
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
t.co(117.18.232.195) - phishing
117.18.232.195 - phishing
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 55 |
2024-06-26 10:36
|
 av_downloader1.1.exe 759f5a6e3daa4972d43bd4a5edbdeb11
Generic Malware Malicious Library Malicious Packer UPX Antivirus AntiDebug AntiVM PE File PE32 MSOffice File PNG Format JPEG Format VirusTotal Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security powershell.exe wrote suspicious process Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
|
2
www.pornhub.com(66.254.114.41) - mailcious
66.254.114.41 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.4 |
M |
57 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 56 |
2024-06-26 10:18
|
a.f.f.f.f.fff.doc 6476133e6fcd5bb5fad7d39d1d214a6a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://93.123.12.248/xampp/Apln/yellowflowerisrareandbeautyfolwer.gif
https://paste.ee/d/5ApcC
|
5
paste.ee(172.67.187.200) - mailcious
ia803405.us.archive.org(207.241.232.195) - mailcious
104.21.84.67 - malware
93.123.12.248 - mailcious
207.241.232.195 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
5.0 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 57 |
2024-06-26 10:16
|
 build.exe 71b44c9a55f3b40681f6a5524ca9821d
[m] Generic Malware Generic Malware Suspicious_Script_Bin task schedule Malicious Library UPX Socket DGA Http API ScreenShot PWS DNS Internet API AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Dridex VirusTotal Malware Microsoft AutoRuns Code Injection Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities AppData folder malicious URLs WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS |
3
http://defgyma.com/dl/build2.exe
http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
https://api.2ip.ua/geo.json
|
6
defgyma.com(190.159.138.51) - malware
api.2ip.ua(172.67.139.220)
cajgtus.com(189.195.132.134) - malware
104.21.65.24
93.118.137.82
201.191.99.134
|
9
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
|
|
13.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 58 |
2024-06-26 10:13
|
nelb.doc 6b9167056af49bf702c833ae4f581ef1
MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself suspicious TLD Tofsee Exploit DNS crashed |
4
http://www.home-repair-contractors-kfm.xyz/btrd/?FrJX9P9=eVMlJIJ59eHiVvLGCrdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImPCwzZVcR1MIE594ENWI&Vnt4_=-Z1l70lHPdrDeba
http://www.xmentorgroup.com/btrd/?FrJX9P9=UYDnSobXWpXBVkfD89bcJt5KVoSCT9YF2HTPLZC4vkf0xFVelZyjEGpv0zxgTtsO2BXFiI/y&Vnt4_=-Z1l70lHPdrDeba
http://www.liposuctionclinics2.today/btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba
https://universalmovies.top/nelb.scr
|
9
www.xmentorgroup.com(3.33.130.190)
www.home-repair-contractors-kfm.xyz(199.59.243.226)
www.h7wlvwr4afx.top()
universalmovies.top(172.67.162.95) - malware
www.liposuctionclinics2.today(104.21.89.233)
199.59.243.226 - phishing
3.33.130.190 - phishing
172.67.148.235
104.21.74.191 - malware
|
4
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
|
4.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 59 |
2024-06-25 09:12
|
notorious.doc 2d1b096a33d1b673fd06db9f3e861761
MS_RTF_Obfuscation_Objects RTF File doc RedLine Malware download VirusTotal Malware RWX flags setting exploit crash suspicious TLD IP Check Tofsee Stealer Exploit Browser DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.38.142.10:7474/
https://universalmovies.top/ExtExport2.exe
|
10
api.ipify.org(172.67.74.152)
universalmovies.top(104.21.74.191) - malware
ipinfo.io(34.117.186.192)
api.ip.sb(104.26.13.31)
34.117.186.192
104.26.12.31
172.67.74.152
182.162.106.144
185.38.142.10
172.67.162.95 - mailcious
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA HTTP unable to match response to request
|
|
4.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 60 |
2024-06-25 07:57
|
 Main.exe 9ec7f08c85bfa1b267761f225b68ab0b
Malicious Library Antivirus UPX PE File PE32 OS Processor Check VirusTotal Malware Telegram MachineGuid Malicious Traffic WMI Tofsee ComputerName DNS crashed |
2
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
5.75.208.137
104.76.78.101 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
|
6.2 |
M |
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|