8836 |
2023-10-10 10:33
|
Documenti.url b4ae0d79ac63532fcf65494e208cb940 AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.72/scarica/client.exe
|
1
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
8 |
ZeroCERT
8837 |
2023-10-10 10:33
|
ig5443.txt.exe 6de05ad93daca1b6caf769826a404975 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212) 104.237.62.212
|
4
ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
6.4 |
|
54 |
ZeroCERT
8838 |
2023-10-10 10:33
|
EXX.vbs 5d8410c20a0349ff3b5a346180455b76 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://94.156.161.167/tl/eg6667.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 182.162.106.32
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
1 |
ZeroCERT
8839 |
2023-10-10 10:36
|
Informazioni.txt.url 0e20d831a104276c6b374d9c01cc9bde AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.73/scarica/client.url
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
5.8 |
|
5 |
ZeroCERT
8840 |
2023-10-10 10:42
|
zip.7z 854c628dca46bee73c0d90ce447d626e Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
21
http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://176.113.115.84:8080/4.php - rule_id: 34795 http://171.22.28.212/2/carryspend.exe http://isaiahbenjamin.top/calc2.exe - rule_id: 37065 http://194.169.175.232/autorun.exe - rule_id: 36817 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.68.249/navi/kur90.exe - rule_id: 37069 https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1 https://sun6-21.userapi.com/c237331/u52355237/docs/d51/a25470dcbd60/51.bmp?extra=GeDMEoBnj5HiBH8lYCKM4E8Cdf0ZvPTo7RNEQt5rgyVqxNfQ0I1nABcSoOF-zqaJGTRo_TjvBGxRvljryGdpzuoTpkFMg9qakOHKfcy3PKJOd07O5ybrR3WWuhp7tE8ZYJj02c1Oe-7AW9Ea https://sun6-20.userapi.com/c909218/u52355237/docs/d56/c799dfa67f83/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=8V_Gx4EM01ClICmHXir_Nyg1m47_gpkHviRFEfRfwEimSdJ7lF-rSRtzZ4lLXEDEWL0c4-UIjMfbK753vsOEAkQgoAt5gND6ezVX9FScbP3ssicE-oDCWJBeWvjxLE67DNaRE4nMetqT17G0 https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a379a3d6dbcc/s328sadfg.bmp?extra=ewdYmK0WfXaphUxsYVOMtnqPtsupcKUARPvi9rMvr31eIuAz7ZOZNRG5PIDRf1OM_zfw3x7KbpMAloitO121-9yAWedpZPHVRejXt_vzKVu5BUG_kC5_eTliTWpQcpaMEku0Tw5SEAB62PFE https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22 https://api.myip.com/ https://vk.com/doc52355237_666723625?hash=0XzYCf0Jcy2su6zuK2SNEpQd4wEUCdm2dCf3EnEbT6c&dl=GVcRiS2pf3k3AJQ40jMUWdwrMZlIpwfBRf0X8QAO9y0&api=1&no_preview=1#rise https://sun6-20.userapi.com/c909228/u52355237/docs/d55/dc55b042e028/PL_Client.bmp?extra=jUW_oRwrD9NTavRvUvJs7-AeE7YRls5T39ZVi5MifraVz98tbOwI8GPUjfeSa75bJxmiU8vIH7QDMkGrb0ecKgZ_9P3GfaMs4m7oDLVoHA5EkCVG9LefjOT1D_n4uIQjuJREJRk5KewbforM 
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk https://vk.com/doc52355237_666740840?hash=eOQIZZkaEGIDpIMnMtScHnZo2IjU6SfEjtIRm4HjaVz&dl=RuFCA30NjDjQttzjQkMKji7OE54jkmgwhZ6q4PGRZtT&api=1&no_preview=1#1 https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1 https://sun6-21.userapi.com/c909228/u52355237/docs/d40/9713ae4da741/crypted.bmp?extra=3z2dDFxrgb3KmfY19dlv_B46b4NrqlNdYNZ3DbiQFvyuEAQXVtdjJm7Wh06D-CL1zZM7lCr2nTBOUJuQifKo9xnFcROWroQzWR5wooLm9QV99Z4qVunwmdzaBsJ3WpcGqfiqnEPzj1g67u9E https://sun6-23.userapi.com/c235131/u52355237/docs/d48/41178e94324b/test22.bmp?extra=50EX2Euknv-wHFrHFEnsB8am5MGHT-UOUeAN0VgDGEZSz5WsYfiPQTcTccfABNS317kmjuBB2el09vADkUL_fUZM_KrFZH1YlXJypuWL5cIaUxakmnjmKYE7dL8-TkydAD9366cw6QHsgSTr
|
24
schematize.pw(172.67.152.98) api.myip.com(104.26.9.59) onualituyrs.org(91.215.85.209) - malware ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious vk.com(93.186.225.194) - mailcious isaiahbenjamin.top(85.143.221.30) - malware sun6-21.userapi.com(95.142.206.1) - mailcious 193.42.32.118 - mailcious 77.91.68.249 - malware 85.143.221.30 - malware 104.26.9.59 95.142.206.3 - mailcious 91.215.85.209 - mailcious 95.142.206.0 - mailcious 171.22.28.226 - malware 87.240.129.133 - mailcious 194.169.175.232 - malware 34.117.59.81 104.21.32.142 176.113.115.84 - mailcious 95.142.206.1 - mailcious 171.22.28.212
|
18
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET DNS Query to a *.pw domain - Likely Hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD
|
7
http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://176.113.115.84:8080/4.php http://isaiahbenjamin.top/calc2.exe http://194.169.175.232/autorun.exe http://193.42.32.118/api/tracemap.php http://77.91.68.249/navi/kur90.exe
|
5.6 |
M |
|
ZeroCERT
8841 |
2023-10-10 10:48
|
zip.7z 180d73f995d228c51498c4bfaf674d57 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
22
http://94.142.138.131/api/firegate.php - rule_id: 32650 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://194.169.175.232/autorun.exe - rule_id: 36817 http://171.22.28.212/2/carryspend.exe http://isaiahbenjamin.top/calc2.exe - rule_id: 37065 http://176.113.115.84:8080/4.php - rule_id: 34795 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://77.91.68.249/navi/kur90.exe - rule_id: 37069 https://schematize.pw/setup294.exe https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1 https://sun6-21.userapi.com/c237331/u52355237/docs/d51/a25470dcbd60/51.bmp?extra=GeDMEoBnj5HiBH8lYCKM4E8Cdf0ZvPTo7RNEQt5rgyVqxNfQ0I1nABcSoOF-zqaJGTRo_TjvBGxRvljryGdpzuoTpkFMg9qakOHKfcy3PKJOd07O5ybrR3WWuhp7tE8ZYJj02c1Oe-7AW9Ea https://sun6-20.userapi.com/c909218/u52355237/docs/d56/c799dfa67f83/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=8V_Gx4EM01ClICmHXir_Nyg1m47_gpkHviRFEfRfwEimSdJ7lF-rSRtzZ4lLXEDEWL0c4-UIjMfbK753vsOEAkQgoAt5gND6ezVX9FScbP3ssicE-oDCWJBeWvjxLE67DNaRE4nMetqT17G0 https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a379a3d6dbcc/s328sadfg.bmp?extra=ewdYmK0WfXaphUxsYVOMtnqPtsupcKUARPvi9rMvr31eIuAz7ZOZNRG5PIDRf1OM_zfw3x7KbpMAloitO121-9yAWedpZPHVRejXt_vzKVu5BUG_kC5_eTliTWpQcpaMEku0Tw5SEAB62PFE https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22 https://api.myip.com/ https://vk.com/doc52355237_666723625?hash=0XzYCf0Jcy2su6zuK2SNEpQd4wEUCdm2dCf3EnEbT6c&dl=GVcRiS2pf3k3AJQ40jMUWdwrMZlIpwfBRf0X8QAO9y0&api=1&no_preview=1#rise https://sun6-20.userapi.com/c909228/u52355237/docs/d55/dc55b042e028/PL_Client.bmp?extra=jUW_oRwrD9NTavRvUvJs7-AeE7YRls5T39ZVi5MifraVz98tbOwI8GPUjfeSa75bJxmiU8vIH7QDMkGrb0ecKgZ_9P3GfaMs4m7oDLVoHA5EkCVG9LefjOT1D_n4uIQjuJREJRk5KewbforM 
https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk https://vk.com/doc52355237_666740840?hash=eOQIZZkaEGIDpIMnMtScHnZo2IjU6SfEjtIRm4HjaVz&dl=RuFCA30NjDjQttzjQkMKji7OE54jkmgwhZ6q4PGRZtT&api=1&no_preview=1#1 https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1 https://sun6-21.userapi.com/c909228/u52355237/docs/d40/9713ae4da741/crypted.bmp?extra=3z2dDFxrgb3KmfY19dlv_B46b4NrqlNdYNZ3DbiQFvyuEAQXVtdjJm7Wh06D-CL1zZM7lCr2nTBOUJuQifKo9xnFcROWroQzWR5wooLm9QV99Z4qVunwmdzaBsJ3WpcGqfiqnEPzj1g67u9E https://sun6-23.userapi.com/c235131/u52355237/docs/d48/41178e94324b/test22.bmp?extra=50EX2Euknv-wHFrHFEnsB8am5MGHT-UOUeAN0VgDGEZSz5WsYfiPQTcTccfABNS317kmjuBB2el09vADkUL_fUZM_KrFZH1YlXJypuWL5cIaUxakmnjmKYE7dL8-TkydAD9366cw6QHsgSTr
|
24
schematize.pw(104.21.32.142) api.myip.com(172.67.75.163) onualituyrs.org(91.215.85.209) - malware ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious vk.com(87.240.137.164) - mailcious isaiahbenjamin.top(85.143.221.30) - malware sun6-21.userapi.com(95.142.206.1) - mailcious 77.91.68.249 - malware 85.143.221.30 - malware 172.67.75.163 95.142.206.3 - mailcious 91.215.85.209 - mailcious 95.142.206.0 - mailcious 171.22.28.226 - malware 87.240.129.133 - mailcious 194.169.175.232 - malware 34.117.59.81 104.21.32.142 176.113.115.84 - mailcious 95.142.206.1 - mailcious 94.142.138.131 - mailcious 171.22.28.212
|
18
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA Applayer Mismatch protocol both directions ET INFO Executable Download from dotted-quad Host ET DNS Query to a *.pw domain - Likely Hostile ET DNS Query to a *.top domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Suspicious services.exe in URI ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD
|
7
http://94.142.138.131/api/firegate.php http://171.22.28.226/download/Services.exe http://194.169.175.232/autorun.exe http://isaiahbenjamin.top/calc2.exe http://176.113.115.84:8080/4.php http://94.142.138.131/api/tracemap.php http://77.91.68.249/navi/kur90.exe
|
6.0 |
M |
7 |
ZeroCERT
8842 |
2023-10-10 17:00
|
Prowf.exe 3cef8b4a9c9507c112ca5449a03b03e9 PE File PE32 .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee ComputerName |
|
2
pmjo.fra1.cdn.digitaloceanspaces.com(205.185.216.42) - malware 205.185.216.42 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
48 |
ZeroCERT
8843 |
2023-10-10 17:02
|
windows.exe 36065d0183df9a022d1cfb4eac70ee71 AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
camo.githubusercontent.com(185.199.109.133) 185.199.110.133 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
M |
|
ZeroCERT
8844 |
2023-10-10 18:36
|
북한최고인민회의 결과.lnk cc96ba45dd2b6a6d7aa300d77e49c095 Generic Malware Downloader Antivirus HWP PS PostScript Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM Lnk Format MSOffice VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://dl.dropboxusercontent.com/scl/fi/3vdz6tw94x6x1xdbf6oap/20231002.zip?rlkey=9q6pf41sox0kcw4l3w3lb2hvu&dl=0
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware 162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.2 |
|
23 |
ZeroCERT
8845 |
2023-10-10 18:46
|
ac8077e64a8cd818f17039dd74c733... 8741a228fba24165aac6aac400aada40 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM .NET DLL PE File DLL PE32 powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://dl.dropboxusercontent.com/scl/fi/3vdz6tw94x6x1xdbf6oap/20231002.zip?rlkey=9q6pf41sox0kcw4l3w3lb2hvu&dl=0
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware 162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
|
ZeroCERT
8846 |
2023-10-10 19:49
|
NMemo1Setp.exe f12aa4983f77ed85b3a618f7656807c2 Confuser .NET PE File PE32 .NET EXE VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Ransomware DNS |
|
3
videoconvert-download38.xyz() - mailcious iplogger.org(148.251.234.83) - mailcious 148.251.234.83
|
3
ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
M |
59 |
guest
8847 |
2023-10-10 22:07
|
ac8077e64a8cd818f17039dd74c733... 8741a228fba24165aac6aac400aada40 Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM .NET DLL PE File DLL PE32 powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware 162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
|
|
guest
8848 |
2023-10-11 07:52
|
googluk.exe 07b8df6ee60cd20723ba20794e15d438 LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.77) 104.237.62.212
|
4
ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
10.4 |
M |
49 |
ZeroCERT
8849 |
2023-10-11 07:52
|
ishost.exe f83a1ebac520b7deea9613aa2a7765c4 LokiBot .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.77) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
48 |
ZeroCERT
8850 |
2023-10-11 07:57
|
sihost.exe 1d2e25e64e7c402540fa6ce6871257f4 Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
3
api.ipify.org(64.185.227.156) 172.67.196.133 - mailcious 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
41 |
ZeroCERT