| 8851 |
2023-10-11 11:29
|
 Azienda.url 7d41622bb8e2d0cc1e148b9d536c792b
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting unpack itself Windows utilities Tofsee Windows DNS |
1
http://62.173.145.25/scarica/unito.exe
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8852 |
2023-10-11 11:31
|
 Documenti.url 605a545fcf4bdb9f72cccce6f96c3b00
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.72/scarica/impresa.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8853 |
2023-10-11 11:32
|
 Informazioni.url 71f0e30a7451930cd63fe6b7438489b8
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.73/scarica/archivio.exe
|
1
62.173.146.73 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.8 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8854 |
2023-10-11 11:33
|
jinglebello.vbs 27bdf0b81793b0047531dcd59ca2f72f
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://95.214.27.121/oshandokij.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
23.67.53.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8855 |
2023-10-11 11:38
|
 Run.exe 1f5ce1bd1c533fcc0066c163f6c20cb6
UPX PE File PE64 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key |
1
https://files.catbox.moe/kxoths.pdf
|
2
files.catbox.moe(108.181.20.35) - malware
108.181.20.35 - mailcious
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.4 |
|
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8856 |
2023-10-11 15:46
|
zip1_09.7z cc7af56986cf3d93d33a92bd4a2962f1
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Lumma Stealer Windows RisePro DNS |
37
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://194.169.175.232/autorun.exe - rule_id: 36817
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://45.9.74.80/super.exe - rule_id: 36063
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://176.113.115.84:8080/4.php - rule_id: 34795
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://172.86.98.101/xs12pro/Vdthrdd.pdf - rule_id: 37111
http://45.9.74.80/zinda.exe - rule_id: 37063
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://www.maxmind.com/geoip/v2.1/city/me
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
http://www.google.com/
http://bytecloudasa.website/api
https://vk.com/doc52355237_666782820?hash=ArroX66l9eYl49eAHc8hpGG9y4ueo0YcyAXCK6pwb68&dl=kNiFdjjHEiGZauYFHzX4HcInvoKLFcTYwmBCbWjJoNw&api=1&no_preview=1
https://schematize.pw/setup294.exe - rule_id: 37138
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQH75ndCjMFugsVh7Hldwu1lHUjEssXTAV
https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxiior7j1_0fqQ6mBVUqbACDeY8atU2Czs
https://db-ip.com/
https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_mZTvfLw-7sBSGpkSUZ2zaDqxVcAGn4TCN
https://dzen.ru/?yredirect=true
https://api.2ip.ua/geo.json
https://sun6-20.userapi.com/c909618/u52355237/docs/d14/c31569dfbdeb/tmvwr.bmp?extra=yxC_ij_BEaCeg17_3RBMDQ1BNAZNk2h_OM7eSsW8UFjriQQEuPjhkmx7r0l5RwikTTTaRs8JC_WeZ6J1ia9pemH-qujCGGdFQ4qt1HjhdnUs91Pu9zHKbqwz31PEAhQxeOFJQPN_beZxT45a
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5y8U_bC5GVV3LMEZpPK42aJxtw0YqR8a7
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2TrvJhzqfyAbrB3AF-DLwMdohQlTY21hLG
https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
https://sso.passport.yandex.ru/push?uuid=b09af16e-2e62-4304-9cf5-7f2d1c90ff55&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUPaT83_ObjaFQepb-p8krkTffz9kq27hz
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5ldPy5SVg89O6jgA587BEQuCjUOJ_mYqg
|
77
watson.microsoft.com(104.208.16.93)
db-ip.com(104.26.5.15)
vanaheim.cn(193.106.174.220) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
yandex.ru(5.255.255.70)
dzen.ru(62.217.160.2)
schematize.pw(104.21.32.142) - malware
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
bytecloudasa.website(172.67.212.39)
69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su(185.82.216.48)
onualituyrs.org(91.215.85.209) - malware
zexeq.com(109.175.29.39) - malware
colisumy.com(2.88.121.8) - malware
www.google.com(142.250.76.132)
iplis.ru(148.251.234.93) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
www.maxmind.com(104.18.145.235)
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.9.59)
104.21.61.162
148.251.234.93 - mailcious
193.106.174.220
104.18.146.235
148.251.234.83
185.225.75.171
194.169.175.128 - mailcious
62.122.184.92 - mailcious
172.86.98.101 - mailcious
62.217.160.2
149.154.167.99 - mailcious
104.21.65.24
172.67.75.166
80.66.75.4 - mailcious
51.255.152.132 - mailcious
91.215.85.209 - mailcious
142.250.204.100
171.22.28.226 - malware
34.117.59.81
77.91.68.249 - malware
176.113.115.84 - mailcious
176.113.115.85 - mailcious
77.88.55.60
104.244.42.65 - suspicious
104.26.8.59
193.42.32.118 - mailcious
176.113.115.135 - mailcious
176.113.115.136 - mailcious
45.143.201.238 - mailcious
45.9.74.80 - malware
194.169.175.232 - malware
176.123.9.142 - mailcious
104.208.16.93
45.15.156.229 - mailcious
172.67.152.98 - malware
104.26.4.15
2.88.121.8
95.142.206.2 - mailcious
211.119.84.111 - malware
95.142.206.0 - mailcious
95.142.206.3 - mailcious
94.142.138.131 - mailcious
213.180.204.24
62.122.184.58 - mailcious
87.240.132.72 - mailcious
95.142.206.1 - mailcious
104.76.78.101 - mailcious
171.22.28.212 - malware
|
37
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Packed Executable Download
ET INFO Dotted Quad Host PDF Request
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
17
http://94.142.138.131/api/firegate.php
http://194.169.175.232/autorun.exe
http://colisumy.com/dl/build2.exe
http://45.9.74.80/super.exe
http://171.22.28.226/download/Services.exe
http://45.15.156.229/api/tracemap.php
http://176.113.115.84:8080/4.php
http://171.22.28.226/download/WWW14_64.exe
http://94.142.138.131/api/firecom.php
http://172.86.98.101/xs12pro/
http://45.9.74.80/zinda.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/tracemap.php
http://zexeq.com/files/1/build3.exe
http://zexeq.com/test2/get.php
http://77.91.68.249/navi/kur90.exe
https://schematize.pw/setup294.exe
|
8.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8857 |
2023-10-11 17:01
|
zip_pass1234.7z 902a9838f4e815e995103aa9d5ec3108
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
17
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://176.113.115.84:8080/4.php - rule_id: 34795
http://194.169.175.232/autorun.exe - rule_id: 36817
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
http://171.22.28.212/carryspend.exe - rule_id: 37179
http://94.142.138.113/api/tracemap.php - rule_id: 28877
https://schematize.pw/setup294.exe - rule_id: 37138
https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxhiYr7j1_0fqQ6mBVVKqaCGfPpqwAg3i-
https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_maTffLw-7sBSGpkSUaD6LX6hWcw-l4GHW
https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUMaj83_ObjaFQepb-ppl7lDqLmoMojbx2
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5md_y5SVg89O6jgA5qLQfQ-z1AuQowoyj
https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2Tov5hzqfyAbrB3AF-XrwOdI8NwGE1hBbA
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQE7JndCjMFugsVh7HxIoogAaG3UIsWGdB
https://api.myip.com/
https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5x8k_bC5GVV3LMEZpaq9hbJJpwEd5EZC7
|
25
schematize.pw(104.21.32.142) - malware
api.myip.com(104.26.8.59)
ipinfo.io(34.117.59.81)
sun6-20.userapi.com(95.142.206.0) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
sun6-23.userapi.com(95.142.206.3) - mailcious
onualituyrs.org(91.215.85.209) - malware
vk.com(87.240.137.164) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
77.91.68.249 - malware
172.67.152.98 - malware
172.67.75.163
95.142.206.3 - mailcious
95.142.206.2 - mailcious
91.215.85.209 - mailcious
95.142.206.0 - mailcious
171.22.28.226 - malware
194.169.175.232 - malware
87.240.132.72 - mailcious
34.117.59.81
94.142.138.113 - mailcious
208.67.104.60 - mailcious
176.113.115.84 - mailcious
95.142.206.1 - mailcious
171.22.28.212 - malware
|
14
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET HUNTING Suspicious services.exe in URI
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
|
8
http://171.22.28.226/download/Services.exe
http://176.113.115.84:8080/4.php
http://194.169.175.232/autorun.exe
http://94.142.138.113/api/firegate.php
http://77.91.68.249/navi/kur90.exe
http://171.22.28.212/carryspend.exe
http://94.142.138.113/api/tracemap.php
https://schematize.pw/setup294.exe
|
5.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8858 |
2023-10-11 18:08
|
 Setup.exe aac23ff6c2cc93769600e060ab7cfca9
Generic Malware Malicious Library UPX Malicious Packer .NET framework(MSIL) Antivirus Anti_VM PE File PE32 OS Processor Check ZIP Format BMP Format CHM Format DLL .NET EXE PE64 MSOffice File JPEG Format Word 2007 file format(docx) VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency Telegram PDB Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Auto service Check virtual network interfaces AppData folder IP Check Tofsee Ransomware Windows Email ComputerName Firmware DNS |
10
http://185.225.75.8/stryzon/cleanse.exe
http://185.225.75.8/stryzon/build.exe
http://api.ipify.org/
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO
http://185.225.75.8/stryzon/typhon.exe
http://ip-api.com/line/?fields=hosting
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2J1aWxkLmV4ZQ==
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL3R5cGhvbi5leGU=
http://185.225.75.8/stryzon/fire.php?id=Yjk4MzExNTAwY2U2MTAwZmIwMWNkMWJlN2FkNGI3ZGI=&us=dGVzdDIy&cn=VEVTVDIyLVBDIDogV2luZG93cyA3IFByb2Zlc3Npb25hbCBO&url=aHR0cDovLzE4NS4yMjUuNzUuOC9zdHJ5em9uL2NsZWFuc2UuZXhl
https://ipapi.co/175.208.134.152/json
|
9
api.telegram.org(149.154.167.220)
api.ipify.org(104.237.62.212)
ipapi.co(104.26.9.44)
ip-api.com(208.95.112.1)
104.26.9.44 - mailcious
149.154.167.220
64.185.227.156
208.95.112.1
185.225.75.8 - malware
|
15
ET POLICY External IP Lookup ip-api.com
ET 3CORESec Poor Reputation IP group 16
ET POLICY curl User-Agent Outbound
ET INFO Executable Download from dotted-quad Host
ET HUNTING curl User-Agent to Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET HUNTING Telegram API Domain in DNS Lookup
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
ET POLICY External IP Lookup api.ipify.org
ET POLICY Cryptocurrency Miner Checkin
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
12.0 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8859 |
2023-10-11 18:12
|
 bQ5J.exe 82f98bb613a30f61ceb9ca7686f97847
PE File PE32 .NET EXE VirusTotal Malware Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
pt.textbin.net(148.72.177.212)
148.72.177.212 - mailcious
121.254.136.18
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8860 |
2023-10-11 18:36
|
 typhon.exe 3fad6c3e0604ee091f2b2a61a91e2b4d
Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Telegram Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee ComputerName DNS |
2
http://api.ipify.org/
https://ipapi.co/175.208.134.152/json
|
6
ipapi.co(104.26.9.44)
api.ipify.org(173.231.16.77)
api.telegram.org(149.154.167.220)
104.26.9.44 - mailcious
104.237.62.212
149.154.167.220
|
7
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup api.ipify.org
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
4.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8861 |
2023-10-12 07:52
|
 sihost.exe 7f6feed7fc881b9b450fb7f3b726c2ae
AgentTesla Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.212)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.0 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8862 |
2023-10-12 10:05
|
 blalalalalalalala.hta b4acf9fdc9a290176583bbab576c4c20
Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/583/414/original/hta_nostartup.jpg?1692658645
http://185.225.74.170/realonerealone.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
23.209.95.51
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8863 |
2023-10-12 14:55
|
 difficultspecificprores.exe 01b925b499a5bc1e9d7a2f93d8ac0c65
Lumma Gen1 Emotet Malicious Library Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB PNG Format JPEG Format Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Lumma Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Abfhakile.mp3 - rule_id: 37111
http://manguvorpmi.pw/api - rule_id: 37127
|
5
manguvorpmi.pw(104.21.95.127) - mailcious
iplogger.com(148.251.234.93) - mailcious
172.86.98.101 - mailcious
148.251.234.93 - mailcious
172.67.144.245 - mailcious
|
8
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET INFO HTTP Request to a *.pw domain
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://172.86.98.101/xs12pro/
http://manguvorpmi.pw/api
|
17.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8864 |
2023-10-13 01:02
|
 Password_dll.txt 21567881b3d5d574a5ef76c7bda521dc
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8865 |
2023-10-13 01:02
|
 Password_ps1.txt 975d7d238a824cf37893450cc62d2b9f
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|