| 8881 |
2023-10-16 11:12
|
 RBY2.exe d334fdbe7080a9e36d94001903199491
Amadey Generic Malware UPX Malicious Library Malicious Packer Antivirus PE File PE32 .NET EXE OS Processor Check JPEG Format DLL PE64 Malware download Amadey VirusTotal Cryptocurrency Miner Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows ComputerName DNS Downloader CoinMiner |
10
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://193.42.32.29/9bDc8sQ/index.php - rule_id: 36909
http://193.42.32.29/9bDc8sQ/index.php?scr=1 - rule_id: 36909
http://guboh2p.top/build.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://logicmouse.net/6779d89b7a368f4f3f340b50a9d18d71.exe
https://pastebin.com/raw/V6VJsrV3
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
27
thegrandduck.org(104.21.79.27)
yip.su(148.251.234.93) - mailcious
guboh2p.top(185.154.192.128)
martvl.com(69.48.143.183)
laubenstein.space(45.130.41.101)
pastebin.com(172.67.34.170) - mailcious
flyawayaero.net(172.67.216.81) - malware
net.geo.opera.com(107.167.110.216)
logicmouse.net(104.21.1.34)
potatogoose.com(172.67.180.173)
lycheepanel.info(104.21.32.208) - malware
pool.hashvault.pro(125.253.92.50) - mailcious
107.167.110.211
148.251.234.93 - mailcious
85.217.144.143 - malware
45.130.41.101
193.42.32.29 - malware
69.48.143.183
172.67.187.122 - malware
104.21.93.225 - phishing
104.21.79.27
185.154.192.128
104.20.68.143 - mailcious
172.67.186.120
121.254.136.9
104.21.35.235
131.153.76.130 - mailcious
|
18
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Amadey Bot Activity (POST) M1
|
4
http://85.217.144.143/files/My2.exe
http://193.42.32.29/9bDc8sQ/index.php
http://193.42.32.29/9bDc8sQ/index.php
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
9.8 |
M |
59 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8882 |
2023-10-16 11:20
|
 fronttechnologicalprores.exe 5a0d618b0f8ed5b550a811e4b1afdf48
Lumma Gen1 Emotet Malicious Library .NET framework(MSIL) UPX Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB MSOffice File PNG Format .NET EXE JPEG Format PE32 Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Ransomware Lumma Stealer Windows Exploit Browser ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed |
3
http://manguvorpmi.pw/api - rule_id: 37127
http://172.86.98.101/xs12pro/Chogy.vdf - rule_id: 37111
http://172.86.98.101/xs12pro/Qtpdugpzq.mp3 - rule_id: 37111
|
5
manguvorpmi.pw(104.21.95.127) - mailcious
iplogger.com(148.251.234.93) - mailcious
172.86.98.101 - mailcious
148.251.234.93 - mailcious
104.21.95.127 - mailcious
|
8
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET INFO HTTP Request to a *.pw domain
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET DNS Query to a *.pw domain - Likely Hostile
|
3
http://manguvorpmi.pw/api
http://172.86.98.101/xs12pro/
http://172.86.98.101/xs12pro/
|
22.2 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8883 |
2023-10-16 11:22
|
 anykmc.txt.vbs 02de2b9fc44bc82bf8e627cca8058f0f
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://raw.githubusercontent.com/drax2020/drax/main/invkmc.jpg
|
2
raw.githubusercontent.com(185.199.108.133) - malware
185.199.110.133 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
|
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8884 |
2023-10-16 11:22
|
bulaeko.vbs 3e1ff6eefd4496936edf51fb46144380
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/bulak.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
61.111.58.35 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8885 |
2023-10-16 11:23
|
droiddfffffffffffffFile.vbs 81526bd6e81d8efbe8a8a364c2b30b1a
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/apamaaktivozebas364.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
61.111.58.35 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8886 |
2023-10-16 11:51
|
investorlokiiiiiiFile.vbs dd13d2f6e0075f0b9bfa13f4493e6db2
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/investorlokibase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8887 |
2023-10-16 11:52
|
invlokiwedFile.vbs 2f91256fa60710cda18cc702684f78ab
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://193.42.33.63/investorlokibase64.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.74
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8888 |
2023-10-16 12:04
|
kenjkt.vbs 5029c7922f007aee3bba22e60cab46c6
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/kenjkt.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.18
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8889 |
2023-10-16 12:04
|
kenspa.vbs a32b1ecc7fc8c489e23976d324d5c4aa
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/kenspa.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.74
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8890 |
2023-10-16 12:04
|
looksoprettyundertheroof.vbs c6754754996c3347b6cafe44af0e7cdc
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://185.225.74.170/realonerealone.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
61.111.58.34 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8891 |
2023-10-16 12:50
|
 bulak.txt.exe c630301e6fa6e55bbb4eedeafb870f83
PE File PE32 .NET EXE Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName |
1
https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=8dQdVXc6Djbw
|
2
whatismyipaddressnow.co(104.21.71.78)
172.67.143.245
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8892 |
2023-10-16 12:52
|
 kenjkt.txt.exe f871241fffd3002353e3ed0eea50daa5
Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
3
api.ipify.org(173.231.16.77)
87.240.129.133 - mailcious
104.237.62.212
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8893 |
2023-10-16 12:55
|
 gate4.exe 5c6b1ca0336366662d0f444e01f96a3a
PrivateLoader RedLine stealer Themida Packer Generic Malware UPX Malicious Library VMProtect ScreenShot PWS Socket DGA Http API DNS Internet API SMTP Anti_VM AntiDebug AntiVM PE File PE64 PE32 ZIP Format DLL OS Processor Check PNG Format Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
35
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://194.169.175.232/autorun.exe - rule_id: 36817
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://45.9.74.80/zinda.exe - rule_id: 37063
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://www.maxmind.com/geoip/v2.1/city/me
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/167def964d1d/Bot_Clien.bmp?extra=u226KRhFNKTwHJMooCCPzPmniPztLgViu_UdzG-VjX2Hdo2VQ_csORN4_Q0LZziy1wB-axwEO9JNYx174ntsePx0FuTMM0e_GCG405SNGpQvMEhf73KuF7vrvBeRTnAAwZp-CVmWviwj4x0M
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/fa41d55bfcd2/d3h782af.bmp?extra=x2wWuvzLp9U9MFpMuHZvNeDGbtRLE0wlF7xXDQEgYuMpz0YX4nSn8o70AXGDKhvOM9YscK1wrIJ3gioKVHDTS71MBi-kHvMK6C3w00FHmTA2gPyAb3GAalPr1Iq8MFdFriiC1VsUCrdiBBIt
https://vk.com/doc52355237_666953453?hash=NVFeHD1X6xxwiPyDZ4kbilHig693YsIH5g6X9HkS69s&dl=dzQeH4YkPFmuRHRZXunNV4NBh3hv5ZLppdno3QUFjqD&api=1&no_preview=1#rise
https://vk.com/doc52355237_666962194?hash=6q38NEAvszC9RaRujZr6ZVjib9zBVZremmdPy8csKIw&dl=vi5dQPwpzhvYIPezYQtsimILAKZctT0T5feFndBaxT8&api=1&no_preview=1#55
https://schematize.pw/setup294.exe - rule_id: 37138
https://sun6-23.userapi.com/c909518/u52355237/docs/d48/03ed792486f2/WWW11_32.bmp?extra=BDTRbaczcnbNzBo0BOe-ypzZEprOU10IkpkSzte4_V8G371fkmp_shttiZOFe2G1ASGDl-WPX9fz5UxXrtRJAgBkbTqjDYOK0KXnwLo7S-B1oMpIKEG-z8PCsBkFTg520y7LBkTmUfiZSrtb
https://sun6-23.userapi.com/c909418/u52355237/docs/d18/6dea2083151c/crypted.bmp?extra=fsba2zHpXvqaKaIs2cqbeh5vyBbuwJUz1GDJrKswAJIhi-uQ6bVTt1ZthUMWNp4RKY7PjMjHY4Ma_mmFnBFnz8T2TeqY1eHF6BqoZPrQTE5hBFV2aHat9V0upNqQz5qlhcM1Nx2yUiz1RdD4
https://db-ip.com/
https://sun6-22.userapi.com/c909218/u52355237/docs/d2/0ad6080636be/RisePro.bmp?extra=PqUzNShtdQ-VVGbOsb_U5PPXWQnmOykXCr2fivqUjiKkJwon0GTt09KEwh_9I68Dc5f0DQX1ply0EcnMJc9OgcjXAI8IkIAS0jKP-35agrJxkRrVKKABaH75pGdH6_DdpAnsxm5a-uDanq3h
https://sun6-21.userapi.com/c237231/u52355237/docs/d27/febee9ba14ad/tmvwr.bmp?extra=KGmYpPVPqL1gWi9xyYdQGc9kE9zKzbY56JcAJV9iuZtoaTKYIdPjQcwEJi0bbYZccEU8xrKK9HW6FyaWz3VwbVmZxYG_2qmXrDvnZSdHp0boKwH__hcxkzXGDY-cpDrcR3ByVwRXBGUFBCA6
https://vk.com/doc52355237_667000543?hash=eKOuemWuRCZmXal2YVj4QW37gepCmLzd9U7bLDKtdnX&dl=Le3z6AAKjnE7RlnXRnVZJtvMGIu3iOAwG2df2VZCSfz&api=1&no_preview=1#test22
https://dzen.ru/?yredirect=true
https://sso.passport.yandex.ru/push?uuid=0db9eca3-374f-45c1-8887-36a74b181ed4&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11
https://api.2ip.ua/geo.json
https://sun6-23.userapi.com/c909228/u52355237/docs/d47/bcda7d7ba2d6/test222.bmp?extra=GzyOtEQtKTC3VoTX4BnD-XTSQBc84p66dFqVHCs6w0VNIzwoEOOArPYB4Kra3QYsCY6Q5lJRsdsoheUUeiOTRdVzlgMBxM95pEXkuMRNKZKeX0Vv4pn-zyZtwt586DxQGHtIi7RMD4sCd6BW
https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1
https://vk.com/doc52355237_666990393?hash=FTORQeSjuGQM3QZ0VZVmUaPzzMTjiHgVozgZL1VKkLs&dl=WHDNqvgddqa5sNEafsQGa9H9myfZRZuS1RHM37yysD8&api=1&no_preview=1
https://sun6-20.userapi.com/c909228/u52355237/docs/d55/a0f4bd8121f1/PL_Client.bmp?extra=gHHzZgmQ2ix-eyDuXWWUkcOvwwyUCy5E3P9WTu6vphlfKcCiFbxuGjvCO_1EJxvkfs2bGFSfr_9PlZsRCq65LOri_c51dD0gx807OeObF3eM6u1R8XpQ0HJzY5ESz-7d2hCuHgwJqj6q2qx6
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-23.userapi.com/c909628/u52355237/docs/d45/362847a669f2/44.bmp?extra=HTogS9Udy-zScPsV8Lv4flcVw5qsSLuY9mdyAh5RRn5xhDPI8DfW9wtYF2X9SS9jhOM-3_rypQvzo-pT4vmB5SI_QdmT89HOjHvIcqqjQ3qOU-NfnB8XQLZDws7kGj9EbiGU5OrFcamzfHKn
https://vk.com/doc52355237_666985371?hash=xUCdQotbw4FtZlATzAL4qnHpx7ewB6dgNtlbn7gwXm4&dl=xZf2pdqcEKVJkPKzgfXwyOhSAkzUukUObYzCFT4qurw&api=1&no_preview=1#1
|
54
api.2ip.ua(172.67.139.220)
db-ip.com(104.26.4.15)
telegram.org(149.154.167.99)
schematize.pw(172.67.152.98) - malware
iplis.ru(148.251.234.93) - mailcious
www.maxmind.com(104.18.146.235)
ipinfo.io(34.117.59.81)
iplogger.org(148.251.234.83) - mailcious
jackantonio.top(45.132.1.20) - malware
onualituyrs.org(91.215.85.209) - malware
sun6-22.userapi.com(95.142.206.2) - mailcious
twitter.com(104.244.42.193)
api.myip.com(104.26.8.59)
sun6-23.userapi.com(95.142.206.3) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
yandex.ru(77.88.55.60)
vk.com(87.240.132.72) - mailcious
sso.passport.yandex.ru(213.180.204.24)
sun6-21.userapi.com(95.142.206.1) - mailcious
api.db-ip.com(104.26.5.15)
dzen.ru(62.217.160.2)
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.18.146.235
87.240.129.133 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
149.154.167.99 - mailcious
193.42.32.118 - mailcious
172.67.75.166
91.215.85.209 - mailcious
171.22.28.226 - malware
87.240.132.67 - mailcious
34.117.59.81
77.88.55.60
148.251.234.83
185.225.75.171 - mailcious
213.180.204.24
45.132.1.20
45.9.74.80 - malware
194.169.175.232 - malware
176.123.9.142 - mailcious
77.91.68.249 - malware
104.26.9.59
45.15.156.229 - mailcious
172.67.152.98 - malware
104.26.4.15
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
95.142.206.0 - mailcious
95.142.206.1 - mailcious
94.142.138.131 - mailcious
|
31
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
|
|
30.4 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8894 |
2023-10-16 18:35
|
 fuljani.exe 942dbace85ab0d41045bb37a66ccb139
Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134)
162.213.251.134
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8895 |
2023-10-16 18:35
|
 fuljani.exe 942dbace85ab0d41045bb37a66ccb139
Generic Malware PE File PE32 .NET EXE VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Tofsee ComputerName |
1
http://kenesrakishev.net/wp-cron.php
|
2
kenesrakishev.net(162.213.251.134)
162.213.251.134
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
|
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|