8851 |
2023-10-11 11:29
|
Azienda.url 7d41622bb8e2d0cc1e148b9d536c792b AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting unpack itself Windows utilities Tofsee Windows DNS |
1
http://62.173.145.25/scarica/unito.exe
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.8 |
|
5 |
ZeroCERT
8852 |
2023-10-11 11:31
|
Documenti.url 605a545fcf4bdb9f72cccce6f96c3b00 AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.72/scarica/impresa.exe
|
1
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
5 |
ZeroCERT
8853 |
2023-10-11 11:32
|
Informazioni.url 71f0e30a7451930cd63fe6b7438489b8 AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.73/scarica/archivio.exe
|
1
62.173.146.73 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
5.8 |
|
5 |
ZeroCERT
8854 |
2023-10-11 11:33
|
jinglebello.vbs 27bdf0b81793b0047531dcd59ca2f72f Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://95.214.27.121/oshandokij.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 23.67.53.18
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
3 |
ZeroCERT
8855 |
2023-10-11 11:38
|
Run.exe 1f5ce1bd1c533fcc0066c163f6c20cb6 UPX PE File PE64 OS Processor Check VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Cryptographic key |
1
https://files.catbox.moe/kxoths.pdf
|
2
files.catbox.moe(108.181.20.35) - malware 108.181.20.35 - mailcious
|
2
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.4 |
|
27 |
ZeroCERT
8856 |
2023-10-11 15:46
|
zip1_09.7z cc7af56986cf3d93d33a92bd4a2962f1 PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Lumma Stealer Windows RisePro DNS |
37
|
77
|
37
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions ET DNS Query to a *.pw domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Packed Executable Download ET INFO Dotted Quad Host PDF Request ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Observed Telegram Domain (t .me in TLS SNI) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
17
|
8.0 |
M |
|
ZeroCERT
8857 |
2023-10-11 17:01
|
zip_pass1234.7z 902a9838f4e815e995103aa9d5ec3108 Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Windows DNS |
17
|
25
|
14
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SURICATA Applayer Mismatch protocol both directions ET DNS Query to a *.pw domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET HUNTING Suspicious services.exe in URI ET INFO EXE - Served Attached HTTP ET INFO TLS Handshake Failure
|
8
|
5.6 |
M |
|
ZeroCERT
8858 |
2023-10-11 18:08
|
Setup.exe aac23ff6c2cc93769600e060ab7cfca9 Generic Malware Malicious Library UPX Malicious Packer .NET framework(MSIL) Antivirus Anti_VM PE File PE32 OS Processor Check ZIP Format BMP Format CHM Format DLL .NET EXE PE64 MSOffice File JPEG Format Word 2007 file format(docx) VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency Telegram PDB Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Auto service Check virtual network interfaces AppData folder IP Check Tofsee Ransomware Windows Email ComputerName Firmware DNS |
10
|
9
api.telegram.org(149.154.167.220) api.ipify.org(104.237.62.212) ipapi.co(104.26.9.44) ip-api.com(208.95.112.1) 104.26.9.44 - mailcious 149.154.167.220 64.185.227.156 208.95.112.1 185.225.75.8 - malware
|
15
ET POLICY External IP Lookup ip-api.com ET 3CORESec Poor Reputation IP group 16 ET POLICY curl User-Agent Outbound ET INFO Executable Download from dotted-quad Host ET HUNTING curl User-Agent to Dotted Quad ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET HUNTING Telegram API Domain in DNS Lookup ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) ET POLICY External IP Lookup api.ipify.org ET POLICY Cryptocurrency Miner Checkin SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
12.0 |
M |
29 |
ZeroCERT
8859 |
2023-10-11 18:12
|
bQ5J.exe 82f98bb613a30f61ceb9ca7686f97847 PE File PE32 .NET EXE VirusTotal Malware Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
pt.textbin.net(148.72.177.212) 148.72.177.212 - mailcious 121.254.136.18
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
51 |
ZeroCERT
8860 |
2023-10-11 18:36
|
typhon.exe 3fad6c3e0604ee091f2b2a61a91e2b4d Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Telegram Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee ComputerName DNS |
2
http://api.ipify.org/ https://ipapi.co/175.208.134.152/json
|
6
ipapi.co(104.26.9.44) api.ipify.org(173.231.16.77) api.telegram.org(149.154.167.220) 104.26.9.44 - mailcious 104.237.62.212 149.154.167.220
|
7
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET HUNTING Telegram API Domain in DNS Lookup ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup api.ipify.org ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
|
|
4.4 |
M |
20 |
ZeroCERT
8861 |
2023-10-12 07:52
|
sihost.exe 7f6feed7fc881b9b450fb7f3b726c2ae AgentTesla Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(104.237.62.212) 173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.0 |
M |
22 |
ZeroCERT
8862 |
2023-10-12 10:05
|
blalalalalalalala.hta b4acf9fdc9a290176583bbab576c4c20 Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/583/414/original/hta_nostartup.jpg?1692658645
http://185.225.74.170/realonerealone.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 23.209.95.51
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
16 |
ZeroCERT
8863 |
2023-10-12 14:55
|
difficultspecificprores.exe 01b925b499a5bc1e9d7a2f93d8ac0c65 Lumma Gen1 Emotet Malicious Library Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB PNG Format JPEG Format Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Lumma Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key |
2
http://172.86.98.101/xs12pro/Abfhakile.mp3 - rule_id: 37111 http://manguvorpmi.pw/api - rule_id: 37127
|
5
manguvorpmi.pw(104.21.95.127) - mailcious iplogger.com(148.251.234.93) - mailcious 172.86.98.101 - mailcious 148.251.234.93 - mailcious 172.67.144.245 - mailcious
|
8
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET DNS Query to a *.pw domain - Likely Hostile ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration ET INFO HTTP Request to a *.pw domain ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
|
2
http://172.86.98.101/xs12pro/ http://manguvorpmi.pw/api
|
17.4 |
M |
28 |
ZeroCERT
8864 |
2023-10-13 01:02
|
Password_dll.txt 21567881b3d5d574a5ef76c7bda521dc Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
8865 |
2023-10-13 01:02
|
Password_ps1.txt 975d7d238a824cf37893450cc62d2b9f AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest