8881 |
2023-10-16 11:12
|
RBY2.exe d334fdbe7080a9e36d94001903199491 Amadey Generic Malware UPX Malicious Library Malicious Packer Antivirus PE File PE32 .NET EXE OS Processor Check JPEG Format DLL PE64 Malware download Amadey VirusTotal Cryptocurrency Miner Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows ComputerName DNS Downloader CoinMiner |
10
http://85.217.144.143/files/My2.exe - rule_id: 34643 http://193.42.32.29/9bDc8sQ/index.php - rule_id: 36909 http://193.42.32.29/9bDc8sQ/index.php?scr=1 - rule_id: 36909 http://guboh2p.top/build.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://logicmouse.net/6779d89b7a368f4f3f340b50a9d18d71.exe https://pastebin.com/raw/V6VJsrV3 https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
27
thegrandduck.org(104.21.79.27) yip.su(148.251.234.93) - mailcious guboh2p.top(185.154.192.128) martvl.com(69.48.143.183) laubenstein.space(45.130.41.101) pastebin.com(172.67.34.170) - mailcious flyawayaero.net(172.67.216.81) - malware net.geo.opera.com(107.167.110.216) logicmouse.net(104.21.1.34) potatogoose.com(172.67.180.173) lycheepanel.info(104.21.32.208) - malware pool.hashvault.pro(125.253.92.50) - mailcious 107.167.110.211 148.251.234.93 - mailcious 85.217.144.143 - malware 45.130.41.101 193.42.32.29 - malware 69.48.143.183 172.67.187.122 - malware 104.21.93.225 - phishing 104.21.79.27 185.154.192.128 104.20.68.143 - mailcious 172.67.186.120 121.254.136.9 104.21.35.235 131.153.76.130 - mailcious
|
18
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a *.top domain - Likely Hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) ET HUNTING Possible EXE Download From Suspicious TLD ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Amadey Bot Activity (POST) M1
|
4
http://85.217.144.143/files/My2.exe http://193.42.32.29/9bDc8sQ/index.php http://193.42.32.29/9bDc8sQ/index.php https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
9.8 |
M |
59 |
ZeroCERT
8882 |
2023-10-16 11:20
|
fronttechnologicalprores.exe 5a0d618b0f8ed5b550a811e4b1afdf48 Lumma Gen1 Emotet Malicious Library .NET framework(MSIL) UPX Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB MSOffice File PNG Format .NET EXE JPEG Format PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Ransomware Lumma Stealer Windows Exploit Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed |
3
http://manguvorpmi.pw/api - rule_id: 37127 http://172.86.98.101/xs12pro/Chogy.vdf - rule_id: 37111 http://172.86.98.101/xs12pro/Qtpdugpzq.mp3 - rule_id: 37111
|
5
manguvorpmi.pw(104.21.95.127) - mailcious iplogger.com(148.251.234.93) - mailcious 172.86.98.101 - mailcious 148.251.234.93 - mailcious 104.21.95.127 - mailcious
|
8
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration ET INFO HTTP Request to a *.pw domain ET INFO TLS Handshake Failure ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In ET DNS Query to a *.pw domain - Likely Hostile
|
3
http://manguvorpmi.pw/api http://172.86.98.101/xs12pro/ http://172.86.98.101/xs12pro/
|
22.2 |
M |
45 |
ZeroCERT
8883 |
2023-10-16 11:22
|
anykmc.txt.vbs 02de2b9fc44bc82bf8e627cca8058f0f Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://raw.githubusercontent.com/drax2020/drax/main/invkmc.jpg
|
2
raw.githubusercontent.com(185.199.108.133) - malware 185.199.110.133 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
|
26 |
ZeroCERT
8884 |
2023-10-16 11:22
|
bulaeko.vbs 3e1ff6eefd4496936edf51fb46144380 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/bulak.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 61.111.58.35 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
18 |
ZeroCERT
8885 |
2023-10-16 11:23
|
droiddfffffffffffffFile.vbs 81526bd6e81d8efbe8a8a364c2b30b1a Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/apamaaktivozebas364.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 61.111.58.35 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
18 |
ZeroCERT
8886 |
2023-10-16 11:51
|
investorlokiiiiiiFile.vbs dd13d2f6e0075f0b9bfa13f4493e6db2 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/investorlokibase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
17 |
ZeroCERT
8887 |
2023-10-16 11:52
|
invlokiwedFile.vbs 2f91256fa60710cda18cc702684f78ab Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/investorlokibase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.74
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
18 |
ZeroCERT
8888 |
2023-10-16 12:04
|
kenjkt.vbs 5029c7922f007aee3bba22e60cab46c6 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/kenjkt.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.18
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
17 |
ZeroCERT
8889 |
2023-10-16 12:04
|
kenspa.vbs a32b1ecc7fc8c489e23976d324d5c4aa Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/kenspa.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.74
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
18 |
ZeroCERT
8890 |
2023-10-16 12:04
|
looksoprettyundertheroof.vbs c6754754996c3347b6cafe44af0e7cdc Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://185.225.74.170/realonerealone.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware 61.111.58.34 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
18 |
ZeroCERT
8891 |
2023-10-16 12:50
|
bulak.txt.exe c630301e6fa6e55bbb4eedeafb870f83 PE File PE32 .NET EXE Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName |
1
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=8dQdVXc6Djbw
|
2
whatismyipaddressnow.co(104.21.71.78) 172.67.143.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
8892 |
2023-10-16 12:52
|
kenjkt.txt.exe f871241fffd3002353e3ed0eea50daa5 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
3
api.ipify.org(173.231.16.77) 87.240.129.133 - mailcious 104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
8893 |
2023-10-16 12:55
|
gate4.exe 5c6b1ca0336366662d0f444e01f96a3a PrivateLoader RedLine stealer Themida Packer Generic Malware UPX Malicious Library VMProtect ScreenShot PWS Socket DGA Http API DNS Internet API SMTP Anti_VM AntiDebug AntiVM PE File PE64 PE32 ZIP Format DLL OS Processor Check PNG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
35
http://94.142.138.131/api/firegate.php - rule_id: 32650 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://194.169.175.232/autorun.exe - rule_id: 36817 http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://45.9.74.80/zinda.exe - rule_id: 37063 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://www.maxmind.com/geoip/v2.1/city/me http://77.91.68.249/navi/kur90.exe - rule_id: 37069 https://sun6-20.userapi.com/c909418/u52355237/docs/d49/167def964d1d/Bot_Clien.bmp?extra=u226KRhFNKTwHJMooCCPzPmniPztLgViu_UdzG-VjX2Hdo2VQ_csORN4_Q0LZziy1wB-axwEO9JNYx174ntsePx0FuTMM0e_GCG405SNGpQvMEhf73KuF7vrvBeRTnAAwZp-CVmWviwj4x0M https://db-ip.com/demo/home.php?s=175.208.134.152 https://sun6-23.userapi.com/c909228/u52355237/docs/d38/fa41d55bfcd2/d3h782af.bmp?extra=x2wWuvzLp9U9MFpMuHZvNeDGbtRLE0wlF7xXDQEgYuMpz0YX4nSn8o70AXGDKhvOM9YscK1wrIJ3gioKVHDTS71MBi-kHvMK6C3w00FHmTA2gPyAb3GAalPr1Iq8MFdFriiC1VsUCrdiBBIt https://vk.com/doc52355237_666953453?hash=NVFeHD1X6xxwiPyDZ4kbilHig693YsIH5g6X9HkS69s&dl=dzQeH4YkPFmuRHRZXunNV4NBh3hv5ZLppdno3QUFjqD&api=1&no_preview=1#rise https://vk.com/doc52355237_666962194?hash=6q38NEAvszC9RaRujZr6ZVjib9zBVZremmdPy8csKIw&dl=vi5dQPwpzhvYIPezYQtsimILAKZctT0T5feFndBaxT8&api=1&no_preview=1#55 https://schematize.pw/setup294.exe - rule_id: 37138 https://sun6-23.userapi.com/c909518/u52355237/docs/d48/03ed792486f2/WWW11_32.bmp?extra=BDTRbaczcnbNzBo0BOe-ypzZEprOU10IkpkSzte4_V8G371fkmp_shttiZOFe2G1ASGDl-WPX9fz5UxXrtRJAgBkbTqjDYOK0KXnwLo7S-B1oMpIKEG-z8PCsBkFTg520y7LBkTmUfiZSrtb https://sun6-23.userapi.com/c909418/u52355237/docs/d18/6dea2083151c/crypted.bmp?extra=fsba2zHpXvqaKaIs2cqbeh5vyBbuwJUz1GDJrKswAJIhi-uQ6bVTt1ZthUMWNp4RKY7PjMjHY4Ma_mmFnBFnz8T2TeqY1eHF6BqoZPrQTE5hBFV2aHat9V0upNqQz5qlhcM1Nx2yUiz1RdD4 
https://db-ip.com/ https://sun6-22.userapi.com/c909218/u52355237/docs/d2/0ad6080636be/RisePro.bmp?extra=PqUzNShtdQ-VVGbOsb_U5PPXWQnmOykXCr2fivqUjiKkJwon0GTt09KEwh_9I68Dc5f0DQX1ply0EcnMJc9OgcjXAI8IkIAS0jKP-35agrJxkRrVKKABaH75pGdH6_DdpAnsxm5a-uDanq3h https://sun6-21.userapi.com/c237231/u52355237/docs/d27/febee9ba14ad/tmvwr.bmp?extra=KGmYpPVPqL1gWi9xyYdQGc9kE9zKzbY56JcAJV9iuZtoaTKYIdPjQcwEJi0bbYZccEU8xrKK9HW6FyaWz3VwbVmZxYG_2qmXrDvnZSdHp0boKwH__hcxkzXGDY-cpDrcR3ByVwRXBGUFBCA6 https://vk.com/doc52355237_667000543?hash=eKOuemWuRCZmXal2YVj4QW37gepCmLzd9U7bLDKtdnX&dl=Le3z6AAKjnE7RlnXRnVZJtvMGIu3iOAwG2df2VZCSfz&api=1&no_preview=1#test22 https://dzen.ru/?yredirect=true https://sso.passport.yandex.ru/push?uuid=0db9eca3-374f-45c1-8887-36a74b181ed4&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11 https://api.2ip.ua/geo.json https://sun6-23.userapi.com/c909228/u52355237/docs/d47/bcda7d7ba2d6/test222.bmp?extra=GzyOtEQtKTC3VoTX4BnD-XTSQBc84p66dFqVHCs6w0VNIzwoEOOArPYB4Kra3QYsCY6Q5lJRsdsoheUUeiOTRdVzlgMBxM95pEXkuMRNKZKeX0Vv4pn-zyZtwt586DxQGHtIi7RMD4sCd6BW https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1 https://vk.com/doc52355237_666990393?hash=FTORQeSjuGQM3QZ0VZVmUaPzzMTjiHgVozgZL1VKkLs&dl=WHDNqvgddqa5sNEafsQGa9H9myfZRZuS1RHM37yysD8&api=1&no_preview=1 https://sun6-20.userapi.com/c909228/u52355237/docs/d55/a0f4bd8121f1/PL_Client.bmp?extra=gHHzZgmQ2ix-eyDuXWWUkcOvwwyUCy5E3P9WTu6vphlfKcCiFbxuGjvCO_1EJxvkfs2bGFSfr_9PlZsRCq65LOri_c51dD0gx807OeObF3eM6u1R8XpQ0HJzY5ESz-7d2hCuHgwJqj6q2qx6 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self 
https://sun6-23.userapi.com/c909628/u52355237/docs/d45/362847a669f2/44.bmp?extra=HTogS9Udy-zScPsV8Lv4flcVw5qsSLuY9mdyAh5RRn5xhDPI8DfW9wtYF2X9SS9jhOM-3_rypQvzo-pT4vmB5SI_QdmT89HOjHvIcqqjQ3qOU-NfnB8XQLZDws7kGj9EbiGU5OrFcamzfHKn https://vk.com/doc52355237_666985371?hash=xUCdQotbw4FtZlATzAL4qnHpx7ewB6dgNtlbn7gwXm4&dl=xZf2pdqcEKVJkPKzgfXwyOhSAkzUukUObYzCFT4qurw&api=1&no_preview=1#1
|
54
api.2ip.ua(172.67.139.220) db-ip.com(104.26.4.15) telegram.org(149.154.167.99) schematize.pw(172.67.152.98) - malware iplis.ru(148.251.234.93) - mailcious www.maxmind.com(104.18.146.235) ipinfo.io(34.117.59.81) iplogger.org(148.251.234.83) - mailcious jackantonio.top(45.132.1.20) - malware onualituyrs.org(91.215.85.209) - malware sun6-22.userapi.com(95.142.206.2) - mailcious twitter.com(104.244.42.193) api.myip.com(104.26.8.59) sun6-23.userapi.com(95.142.206.3) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious yandex.ru(77.88.55.60) vk.com(87.240.132.72) - mailcious sso.passport.yandex.ru(213.180.204.24) sun6-21.userapi.com(95.142.206.1) - mailcious api.db-ip.com(104.26.5.15) dzen.ru(62.217.160.2) 148.251.234.93 - mailcious 194.169.175.128 - mailcious 104.18.146.235 87.240.129.133 - mailcious 62.217.160.2 104.244.42.1 - suspicious 104.26.5.15 149.154.167.99 - mailcious 193.42.32.118 - mailcious 172.67.75.166 91.215.85.209 - mailcious 171.22.28.226 - malware 87.240.132.67 - mailcious 34.117.59.81 77.88.55.60 148.251.234.83 185.225.75.171 - mailcious 213.180.204.24 45.132.1.20 45.9.74.80 - malware 194.169.175.232 - malware 176.123.9.142 - mailcious 77.91.68.249 - malware 104.26.9.59 45.15.156.229 - mailcious 172.67.152.98 - malware 104.26.4.15 95.142.206.3 - mailcious 95.142.206.2 - mailcious 172.67.139.220 95.142.206.0 - mailcious 95.142.206.1 - mailcious 94.142.138.131 - mailcious
|
31
SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET DNS Query to a *.top domain - Likely Hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DNS Query to a *.pw domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Packed Executable Download ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
|
|
30.4 |
M |
31 |
ZeroCERT
8894 |
2023-10-16 18:35
|
fuljani.exe 942dbace85ab0d41045bb37a66ccb139 Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
40 |
ZeroCERT
8895 |
2023-10-16 18:35
|
fuljani.exe 942dbace85ab0d41045bb37a66ccb139 Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134) 162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.8 |
|
40 |
ZeroCERT