61 |
2024-06-25 07:44
|
ExtExport2.exe 901a623dbccaa22525373cd36195ee14 Suspicious_Script_Bin UPX PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces IP Check installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c http://185.38.142.10:7474/
|
8
ipinfo.io(34.117.186.192) api.ipify.org(172.67.74.152) api.ip.sb(104.26.13.31) 172.67.75.172 - mailcious 34.117.186.192 104.26.12.205 185.38.142.10 114.108.166.82
|
8
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RedLine Stealer - CheckConnect Response ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SURICATA HTTP unable to match response to request
|
|
9.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
62 |
2024-06-25 05:29
|
http://l.instagram.com/?235901... Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava https://business.instagram.com/micro_site/url/?event_type=click https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
|
3
l.instagram.com(157.240.11.52) business.instagram.com(157.240.11.52) 157.240.215.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
63 |
2024-06-25 05:29
|
https://business.instagram.com... Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
https://business.instagram.com/micro_site/url/?event_type=click
|
2
business.instagram.com(157.240.11.52) 157.240.215.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
64 |
2024-06-25 05:28
|
https://l.instagram.com/?23590... AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
2
https://business.instagram.com/micro_site/url/?event_type=click https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
|
3
l.instagram.com(157.240.11.52) business.instagram.com(157.240.11.52) 157.240.215.63
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
65 |
2024-06-25 02:50
|
http://l.instagram.com/?235901... Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File PNG Format JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava https://business.instagram.com/micro_site/url/?event_type=click https://l.instagram.com/?23590132=virtaava23590132aafc0fa1466a40a290d168bebc935ce2&e=ATMTlv6QR7cLRPRi6BPCQnYyglYtbOn12xlUTzINqVw19qiSlaZJEDdkuuszqFrruIN-TZHW&s=1&u=https://business.instagram.com/micro_site/url/?event_type=click&site=igb&destination=https://www.facebook.com/ads/ig_redirect/?d=Ad8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE&a=1&hash=Ad_y5usHyEC86F8X%2323590132|https://pbs.twimg.com/profile_images/1793260522952966144/qGnAVdxb_normal.jpg|virtaava
|
3
l.instagram.com(157.240.215.63) business.instagram.com(157.240.215.63) 157.240.215.63
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
66 |
2024-06-24 15:51
|
pumairld.txt.ps1 19a7f5e2e7fd8e14d8129dcdf6c8b992 Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Discord ComputerName DNS Cryptographic key |
|
2
cdn.discordapp.com(162.159.134.233) - malware 162.159.134.233 - malware
|
3
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
67 |
2024-06-24 14:38
|
BST.msi fe821027dfc49e8017c2cc50974a00b4 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer UPX MSOffice File CAB OS Processor Check PE File DLL PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AppData folder AntiVM_Disk suspicious TLD VM Disk Size Check Tofsee ComputerName DNS |
|
3
kurvabbr.pw(103.35.191.31) barsen.monster() 103.35.191.31
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.pw domain - Likely Hostile ET INFO TLS Handshake Failure
|
|
3.2 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
68 |
2024-06-24 11:01
|
kissingisbestforcatwalkonthebe... b380556670eaff97d6dfb34144e8cbc5 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://pastebin.com/raw/RWYyTg4h
http://192.227.173.64/xampp/kobo/wecreatedimagestogetmepicture.gif
|
3
pastebin.com(172.67.19.24) - mailcious 104.20.3.235 - malware
192.227.173.64 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
69 |
2024-06-24 07:51
|
limba.exe 3e767dd673e06387e35d7362d89ddea1 Themida Packer Generic Malware Malicious Packer Anti_VM PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Firmware DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192) db-ip.com(104.26.4.15) 77.91.77.66 - mailcious 104.26.4.15 34.117.186.192
|
8
ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
|
|
14.8 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
70 |
2024-06-24 07:47
|
pic1.exe 1fecbc51b5620e578c48a12ebeb19bc2 Generic Malware Downloader Malicious Library UPX MPRESS Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE64 OS Processor C VirusTotal Malware PDB Code Injection Creates executable files unpack itself suspicious TLD Tofsee Remote Code Execution crashed |
|
2
cv99160.tw1.ru(92.53.96.121) 92.53.96.121 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
71 |
2024-06-24 07:44
|
ama.exe 5d860e52bfa60fec84b6a46661b45246 RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check MSOffice File PNG Format JPEG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://x1.i.lencr.org/ https://moreapp4you.online/George.exe
|
9
x1.i.lencr.org(23.52.33.11) iplogger.co(172.67.167.249) moreapp4you.online(31.31.196.208) 182.162.106.33 - malware 23.67.53.17 23.35.220.247 31.31.196.208 - mailcious 104.21.82.93 185.215.113.67 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
72 |
2024-06-21 07:53
|
avg_secure_browser_setup.exe 13b3860a2827e505cb6de1418f640b16 HermeticWiper NSIS Generic Malware PhysicalDrive Malicious Library UPX Malicious Packer PE File PE32 DLL DllRegisterServer dll OS Processor Check MSOffice File CAB PE64 Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications Auto service Check virtual network interfaces AppData folder sandbox evasion anti-virtualization installed browsers check Tofsee Ransomware Fortinet Windows Browser ComputerName Firmware crashed |
4
http://browser-update.avg.com/browser-avg/win/x64/109.0.24252.121/AVGBrowserInstaller.exe https://stats.securebrowser.com/?_=1718955853989&retry_tracking_count=0&last_request_error_code=0&last_request_error_message=&last_request_status=0&last_request_system_error=0&request_proxy=0 https://update.avgbrowser.com/service/update2 https://update.avgbrowser.com/service/update2?cup2key=9:2906594695&cup2hreq=1a77176c46ecf7b2954c2373054d5a3b455eb7a159f1b6ad23c4e5706d55a272
|
6
browser-update.avg.com(104.103.68.11) stats.securebrowser.com(104.20.87.8) update.avgbrowser.com(172.67.41.145) 104.22.62.125 23.195.119.80 104.20.86.8
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
19.8 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
73 |
2024-06-21 07:36
|
simon.exe b7e7f713ce1c717b6ae28904971e37e5 Themida Packer Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Firmware DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 77.91.77.66 104.26.4.15 34.117.186.192
|
8
ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound)
|
|
15.2 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
74 |
2024-06-20 09:28
|
UHH.txt.exe 72ffddcd4adf890a663396aaf31affc4 AgentTesla Malicious Library Malicious Packer UPX PE File OS Memory Check .NET EXE PE32 OS Name Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
2
http://ip-api.com/line/?fields=hosting https://api.ipify.org/
|
4
api.ipify.org(104.26.13.205) ip-api.com(208.95.112.1) 104.26.13.205 208.95.112.1
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
|
|
7.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
75 |
2024-06-19 17:15
|
voda.exe 61454bbf62a50d22bc3d52b44de73edd Malicious Packer UPX PE File PE32 Malware download VirusTotal Malware AutoRuns MachineGuid unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 104.26.5.15 34.117.186.192 147.45.47.126 - mailcious
|
7
ET DROP Spamhaus DROP Listed Traffic Inbound group 23 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (External IP)
|
|
7.8 |
|
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|