| 8836 |
2023-10-10 10:33
|
 Documenti.url b4ae0d79ac63532fcf65494e208cb940
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.72/scarica/client.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8837 |
2023-10-10 10:33
|
 ig5443.txt.exe 6de05ad93daca1b6caf769826a404975
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
104.237.62.212
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
6.4 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8838 |
2023-10-10 10:33
|
EXX.vbs 5d8410c20a0349ff3b5a346180455b76
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://94.156.161.167/tl/eg6667.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8839 |
2023-10-10 10:36
|
 Informazioni.txt.url 0e20d831a104276c6b374d9c01cc9bde
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.73/scarica/client.url
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8840 |
2023-10-10 10:42
|
zip.7z 854c628dca46bee73c0d90ce447d626e
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
21
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://176.113.115.84:8080/4.php - rule_id: 34795
http://171.22.28.212/2/carryspend.exe
http://isaiahbenjamin.top/calc2.exe - rule_id: 37065
http://194.169.175.232/autorun.exe - rule_id: 36817
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/a25470dcbd60/51.bmp?extra=GeDMEoBnj5HiBH8lYCKM4E8Cdf0ZvPTo7RNEQt5rgyVqxNfQ0I1nABcSoOF-zqaJGTRo_TjvBGxRvljryGdpzuoTpkFMg9qakOHKfcy3PKJOd07O5ybrR3WWuhp7tE8ZYJj02c1Oe-7AW9Ea
https://sun6-20.userapi.com/c909218/u52355237/docs/d56/c799dfa67f83/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=8V_Gx4EM01ClICmHXir_Nyg1m47_gpkHviRFEfRfwEimSdJ7lF-rSRtzZ4lLXEDEWL0c4-UIjMfbK753vsOEAkQgoAt5gND6ezVX9FScbP3ssicE-oDCWJBeWvjxLE67DNaRE4nMetqT17G0
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a379a3d6dbcc/s328sadfg.bmp?extra=ewdYmK0WfXaphUxsYVOMtnqPtsupcKUARPvi9rMvr31eIuAz7ZOZNRG5PIDRf1OM_zfw3x7KbpMAloitO121-9yAWedpZPHVRejXt_vzKVu5BUG_kC5_eTliTWpQcpaMEku0Tw5SEAB62PFE
https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
https://api.myip.com/
https://vk.com/doc52355237_666723625?hash=0XzYCf0Jcy2su6zuK2SNEpQd4wEUCdm2dCf3EnEbT6c&dl=GVcRiS2pf3k3AJQ40jMUWdwrMZlIpwfBRf0X8QAO9y0&api=1&no_preview=1#rise
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/dc55b042e028/PL_Client.bmp?extra=jUW_oRwrD9NTavRvUvJs7-AeE7YRls5T39ZVi5MifraVz98tbOwI8GPUjfeSa75bJxmiU8vIH7QDMkGrb0ecKgZ_9P3GfaMs4m7oDLVoHA5EkCVG9LefjOT1D_n4uIQjuJREJRk5KewbforM
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
https://vk.com/doc52355237_666740840?hash=eOQIZZkaEGIDpIMnMtScHnZo2IjU6SfEjtIRm4HjaVz&dl=RuFCA30NjDjQttzjQkMKji7OE54jkmgwhZ6q4PGRZtT&api=1&no_preview=1#1
https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
https://sun6-21.userapi.com/c909228/u52355237/docs/d40/9713ae4da741/crypted.bmp?extra=3z2dDFxrgb3KmfY19dlv_B46b4NrqlNdYNZ3DbiQFvyuEAQXVtdjJm7Wh06D-CL1zZM7lCr2nTBOUJuQifKo9xnFcROWroQzWR5wooLm9QV99Z4qVunwmdzaBsJ3WpcGqfiqnEPzj1g67u9E
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/41178e94324b/test22.bmp?extra=50EX2Euknv-wHFrHFEnsB8am5MGHT-UOUeAN0VgDGEZSz5WsYfiPQTcTccfABNS317kmjuBB2el09vADkUL_fUZM_KrFZH1YlXJypuWL5cIaUxakmnjmKYE7dL8-TkydAD9366cw6QHsgSTr
|
24
schematize.pw(172.67.152.98)
api.myip.com(104.26.9.59)
onualituyrs.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(93.186.225.194) - mailcious
isaiahbenjamin.top(85.143.221.30) - malware
sun6-21.userapi.com(95.142.206.1) - mailcious
193.42.32.118 - mailcious
77.91.68.249 - malware
85.143.221.30 - malware
104.26.9.59
95.142.206.3 - mailcious
91.215.85.209 - mailcious
95.142.206.0 - mailcious
171.22.28.226 - malware
87.240.129.133 - mailcious
194.169.175.232 - malware
34.117.59.81
104.21.32.142
176.113.115.84 - mailcious
95.142.206.1 - mailcious
171.22.28.212
|
18
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
|
7
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://176.113.115.84:8080/4.php
http://isaiahbenjamin.top/calc2.exe
http://194.169.175.232/autorun.exe
http://193.42.32.118/api/tracemap.php
http://77.91.68.249/navi/kur90.exe
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8841 |
2023-10-10 10:48
|
zip.7z 180d73f995d228c51498c4bfaf674d57
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
22
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://194.169.175.232/autorun.exe - rule_id: 36817
http://171.22.28.212/2/carryspend.exe
http://isaiahbenjamin.top/calc2.exe - rule_id: 37065
http://176.113.115.84:8080/4.php - rule_id: 34795
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://schematize.pw/setup294.exe
https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/a25470dcbd60/51.bmp?extra=GeDMEoBnj5HiBH8lYCKM4E8Cdf0ZvPTo7RNEQt5rgyVqxNfQ0I1nABcSoOF-zqaJGTRo_TjvBGxRvljryGdpzuoTpkFMg9qakOHKfcy3PKJOd07O5ybrR3WWuhp7tE8ZYJj02c1Oe-7AW9Ea
https://sun6-20.userapi.com/c909218/u52355237/docs/d56/c799dfa67f83/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=8V_Gx4EM01ClICmHXir_Nyg1m47_gpkHviRFEfRfwEimSdJ7lF-rSRtzZ4lLXEDEWL0c4-UIjMfbK753vsOEAkQgoAt5gND6ezVX9FScbP3ssicE-oDCWJBeWvjxLE67DNaRE4nMetqT17G0
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a379a3d6dbcc/s328sadfg.bmp?extra=ewdYmK0WfXaphUxsYVOMtnqPtsupcKUARPvi9rMvr31eIuAz7ZOZNRG5PIDRf1OM_zfw3x7KbpMAloitO121-9yAWedpZPHVRejXt_vzKVu5BUG_kC5_eTliTWpQcpaMEku0Tw5SEAB62PFE
https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
https://api.myip.com/
https://vk.com/doc52355237_666723625?hash=0XzYCf0Jcy2su6zuK2SNEpQd4wEUCdm2dCf3EnEbT6c&dl=GVcRiS2pf3k3AJQ40jMUWdwrMZlIpwfBRf0X8QAO9y0&api=1&no_preview=1#rise
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/dc55b042e028/PL_Client.bmp?extra=jUW_oRwrD9NTavRvUvJs7-AeE7YRls5T39ZVi5MifraVz98tbOwI8GPUjfeSa75bJxmiU8vIH7QDMkGrb0ecKgZ_9P3GfaMs4m7oDLVoHA5EkCVG9LefjOT1D_n4uIQjuJREJRk5KewbforM
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
https://vk.com/doc52355237_666740840?hash=eOQIZZkaEGIDpIMnMtScHnZo2IjU6SfEjtIRm4HjaVz&dl=RuFCA30NjDjQttzjQkMKji7OE54jkmgwhZ6q4PGRZtT&api=1&no_preview=1#1
https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
https://sun6-21.userapi.com/c909228/u52355237/docs/d40/9713ae4da741/crypted.bmp?extra=3z2dDFxrgb3KmfY19dlv_B46b4NrqlNdYNZ3DbiQFvyuEAQXVtdjJm7Wh06D-CL1zZM7lCr2nTBOUJuQifKo9xnFcROWroQzWR5wooLm9QV99Z4qVunwmdzaBsJ3WpcGqfiqnEPzj1g67u9E
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/41178e94324b/test22.bmp?extra=50EX2Euknv-wHFrHFEnsB8am5MGHT-UOUeAN0VgDGEZSz5WsYfiPQTcTccfABNS317kmjuBB2el09vADkUL_fUZM_KrFZH1YlXJypuWL5cIaUxakmnjmKYE7dL8-TkydAD9366cw6QHsgSTr
|
24
schematize.pw(104.21.32.142)
api.myip.com(172.67.75.163)
onualituyrs.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.137.164) - mailcious
isaiahbenjamin.top(85.143.221.30) - malware
sun6-21.userapi.com(95.142.206.1) - mailcious
77.91.68.249 - malware
85.143.221.30 - malware
172.67.75.163
95.142.206.3 - mailcious
91.215.85.209 - mailcious
95.142.206.0 - mailcious
171.22.28.226 - malware
87.240.129.133 - mailcious
194.169.175.232 - malware
34.117.59.81
104.21.32.142
176.113.115.84 - mailcious
95.142.206.1 - mailcious
94.142.138.131 - mailcious
171.22.28.212
|
18
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA Applayer Mismatch protocol both directions
ET INFO Executable Download from dotted-quad Host
ET DNS Query to a *.pw domain - Likely Hostile
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Suspicious services.exe in URI
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
|
7
http://94.142.138.131/api/firegate.php
http://171.22.28.226/download/Services.exe
http://194.169.175.232/autorun.exe
http://isaiahbenjamin.top/calc2.exe
http://176.113.115.84:8080/4.php
http://94.142.138.131/api/tracemap.php
http://77.91.68.249/navi/kur90.exe
|
6.0 |
M |
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8842 |
2023-10-10 17:00
|
 Prowf.exe 3cef8b4a9c9507c112ca5449a03b03e9
PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName |
|
2
pmjo.fra1.cdn.digitaloceanspaces.com(205.185.216.42) - malware
205.185.216.42 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8843 |
2023-10-10 17:02
|
 windows.exe 36065d0183df9a022d1cfb4eac70ee71
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
camo.githubusercontent.com(185.199.109.133)
185.199.110.133 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8844 |
2023-10-10 18:36
|
북한최고인민회의 결과.lnk cc96ba45dd2b6a6d7aa300d77e49c095
Generic Malware Downloader Antivirus HWP PS PostScript Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM Lnk Format MSOffice VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://dl.dropboxusercontent.com/scl/fi/3vdz6tw94x6x1xdbf6oap/20231002.zip?rlkey=9q6pf41sox0kcw4l3w3lb2hvu&dl=0
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware
162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8845 |
2023-10-10 18:46
|
 ac8077e64a8cd818f17039dd74c733... 8741a228fba24165aac6aac400aada40
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM .NET DLL PE File DLL PE32 powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://dl.dropboxusercontent.com/scl/fi/3vdz6tw94x6x1xdbf6oap/20231002.zip?rlkey=9q6pf41sox0kcw4l3w3lb2hvu&dl=0
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware
162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8846 |
2023-10-10 19:49
|
 NMemo1Setp.exe f12aa4983f77ed85b3a618f7656807c2
Confuser .NET PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Ransomware DNS |
|
3
videoconvert-download38.xyz() - mailcious
iplogger.org(148.251.234.83) - mailcious
148.251.234.83
|
3
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
M |
59 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8847 |
2023-10-10 22:07
|
 ac8077e64a8cd818f17039dd74c733... 8741a228fba24165aac6aac400aada40
Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM .NET DLL PE File DLL PE32 powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware
162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8848 |
2023-10-11 07:52
|
 googluk.exe 07b8df6ee60cd20723ba20794e15d438
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.77)
104.237.62.212
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
10.4 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8849 |
2023-10-11 07:52
|
 ishost.exe f83a1ebac520b7deea9613aa2a7765c4
LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.77)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8850 |
2023-10-11 07:57
|
 sihost.exe 1d2e25e64e7c402540fa6ce6871257f4
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
3
api.ipify.org(64.185.227.156)
172.67.196.133 - mailcious
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|