| 8911 |
2023-10-18 09:48
|
HTMLcache.doc 0926d64a5e274efd84980e0a42963ef6
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
1
|
2
i8.ae(104.21.60.158) - mailcious
104.21.60.158
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8912 |
2023-10-18 09:50
|
HTMLcache.dOC 5694fc60fe6d3e04dc6ac4e6b05b9a7a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://192.3.108.47/iso/audiodgse.vbs
|
3
wallpapercave.com(104.22.52.71) - malware
104.22.52.71
192.3.108.47 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8913 |
2023-10-18 09:59
|
RBLnetwork.vbs 393a35d56ac8e0403f5e37a0ab0bba4b
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8914 |
2023-10-18 10:00
|
eggoflife.vbs 5cb5b67ebd7c01a2476d96153d26b45a
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8915 |
2023-10-18 10:01
|
audiodgse.vbs 338b7c96e85cbe30dd4f196461fc4ba4
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware
104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8916 |
2023-10-18 15:20
|
Archive.7z 14cf80a7fd8a77c3eaed98b8ec615eb4
Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Discord DNS |
6
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://193.42.32.118/api/tracemap.php - rule_id: 36180
https://cdn.discordapp.com/attachments/1162840103530528921/1163757886992814141/setup.exe
https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1
https://sun6-23.userapi.com/c909628/u52355237/docs/d52/6076404f60cf/ses.bmp?extra=vfnVMTyJ0z5oRRioQq5a4Ra-175lPx2RCYBIotPnmMhApvMMpHNxSEiuf3yMM4CorYaMFxQs-9DkKKFN4lsr5mu9vCvcF8W8b8fZhd4C_vKIeW8tIByAbMv_YKl3iV7Wq6s56P6Y96mO2chN
https://api.myip.com/
|
18
iplis.ru(148.251.234.93) - mailcious
sun6-23.userapi.com(95.142.206.3) - mailcious
iplogger.org(148.251.234.83) - mailcious
ipinfo.io(34.117.59.81)
cdn.discordapp.com(162.159.129.233) - malware
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.8.59)
87.240.137.164 - mailcious
148.251.234.83
148.251.234.93 - mailcious
104.26.9.59
193.42.32.118 - mailcious
95.142.206.3 - mailcious
51.254.67.186
34.117.59.81
91.103.253.6
208.67.104.60 - mailcious
162.159.129.233 - malware
|
15
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO TLS Handshake Failure
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
2
http://193.42.32.118/api/firegate.php
http://193.42.32.118/api/tracemap.php
|
5.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8917 |
2023-10-18 17:55
|
 abun.exe 85b7d14c272f7d0ad66a74ec947b7677
UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mymobileorder.com(162.0.232.65)
api.ipify.org(64.185.227.156)
104.237.62.212
162.0.232.65 - phishing
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SURICATA Applayer Detect protocol only one direction
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8918 |
2023-10-18 18:00
|
 arinzezx.exe e25e15eb096d884c88cce0f4e079d2de
UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8919 |
2023-10-19 07:49
|
 damianozx.exe 487fa93e89fd1ec0969e0083966714bd
PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(104.237.62.212)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8920 |
2023-10-19 07:50
|
 audiodgse.exe 8ed749953dfc694808ed27f1aea08b71
Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8921 |
2023-10-19 07:52
|
 undergroundzx.exe 050408a7ec8e1c0ef8a7e417fbccc299
LokiBot .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord Browser Email ComputerName DNS Software crashed keylogger |
1
https://discordapp.com/api/webhooks/1163583965509197905/ZzAXRCqQ-ibE4oUwqs0NHv2AGzFsUnKD01ZpDXfNz05uyDGnR6CuWR8nGyVChCCCECqd
|
4
discordapp.com(162.159.129.233) - mailcious
api.ipify.org(104.237.62.212)
173.231.16.77
162.159.135.233 - malware
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
|
13.4 |
M |
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8922 |
2023-10-19 07:55
|
 system32.exe d1e40dfbae57e5f3205117f5c9d64a76
Vidar Gen1 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName DNS Software crashed |
4
http://5.75.212.77/
http://5.75.212.77/upgrade.zip
http://5.75.212.77/f02b730f81476e82205d9d2eb21e0ef8
https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.75.41.21) - mailcious
149.154.167.99 - mailcious
5.75.212.77
104.76.78.101 - mailcious
|
4
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
|
1
https://steamcommunity.com/profiles/76561199563297648
|
13.2 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8923 |
2023-10-19 07:59
|
 Random.exe 191febed315d7c3a620b564e99e5f3cc
Gen1 Emotet Generic Malware UPX Malicious Library Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 .NET EXE OS Processor Check PNG Format DLL CAB MSOffice File JPEG Format Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed Downloader CoinMiner |
12
http://104.194.128.170/svp/Ykwrxaauw.dat
http://172.86.97.117/himeffectivelyproress.exe
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://85.217.144.143/files/Amadey.exe - rule_id: 37253
http://galandskiyher5.com/downloads/toolspub1.exe
http://apps.identrust.com/roots/dstrootcax3.p7c
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://gons01b.top/build.exe
https://pastebin.com/raw/HPj0MzD6
https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe
https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
32
iplogger.com(148.251.234.93) - mailcious
yip.su(148.251.234.93) - mailcious
pool.hashvault.pro(131.153.76.130) - mailcious
net.geo.opera.com(107.167.110.216)
martvl.com(69.48.143.183) - malware
laubenstein.space(45.130.41.101) - mailcious
pastebin.com(104.20.68.143) - mailcious
flyawayaero.net(172.67.216.81) - malware
grabyourpizza.com(104.21.90.82) - malware
gons01b.top(85.143.220.63)
galandskiyher5.com(194.169.175.127) - malware
potatogoose.com(172.67.180.173)
lycheepanel.info(104.21.32.208) - malware
diplodoka.net(104.21.78.56)
104.21.78.56
107.167.110.211
148.251.234.93 - mailcious
121.254.136.9
85.217.144.143 - malware
104.194.128.170
193.42.32.29 - malware
85.143.220.63
45.130.41.101 - mailcious
69.48.143.183 - malware
194.169.175.127 - malware
131.153.76.130 - mailcious
104.21.32.208 - malware
172.67.216.81 - malware
172.67.197.174
104.21.35.235
172.86.97.117
104.20.67.143 - mailcious
|
17
ET DNS Query to a *.top domain - Likely Hostile
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
3
http://85.217.144.143/files/My2.exe
http://85.217.144.143/files/Amadey.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
19.4 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8924 |
2023-10-19 08:00
|
 Ads.exe 6e781cf49af81b961d0ab465210a35f8
Generic Malware Malicious Library UPX Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 OS Processor Check DLL Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows DNS Downloader CoinMiner |
10
http://apps.identrust.com/roots/dstrootcax3.p7c
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://gobo02fc.top/build.exe
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://galandskiyher5.com/downloads/toolspub1.exe
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
29
pastebin.com(172.67.34.170) - mailcious
diplodoka.net(104.21.78.56)
net.geo.opera.com(107.167.110.211)
gobo02fc.top(85.143.220.63)
laubenstein.space(45.130.41.101) - mailcious
flyawayaero.net(172.67.216.81) - malware
yip.su(148.251.234.93) - mailcious
grabyourpizza.com(172.67.197.174) - malware
galandskiyher5.com(194.169.175.127) - malware
potatogoose.com(172.67.180.173)
darianentertainment.com(65.109.26.240)
lycheepanel.info(104.21.32.208) - malware
pool.hashvault.pro(131.153.76.130) - mailcious
148.251.234.93 - mailcious
85.217.144.143 - malware
172.67.216.81 - malware
107.167.110.216
85.143.220.63
45.130.41.101 - mailcious
194.169.175.127 - malware
172.67.217.52 - malware
104.21.32.208 - malware
172.67.180.173
162.159.135.233 - malware
172.67.197.174
104.20.67.143 - mailcious
65.109.26.240 - mailcious
23.67.53.27
131.153.76.130 - mailcious
|
17
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Request to .TOP Domain with Minimal Headers
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET HUNTING Possible EXE Download From Suspicious TLD
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
3
http://85.217.144.143/files/My2.exe
https://pastebin.com/raw/xYhKBupz
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
13.2 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8925 |
2023-10-19 10:29
|
Setup.7z 7549293a5a8c4e9e8ded3ee62551db42
PrivateLoader Amadey Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c powershell Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro Trojan DNS Downloader |
76
http://104.194.128.170/svp/Ykwrxaauw.dat
http://77.91.68.52/fuza/nalo.exe - rule_id: 37263
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://77.91.68.52/fuza/2.ps1 - rule_id: 37266
http://172.86.97.117/himeffectivelyproress.exe
http://85.217.144.143/files/Amadey.exe - rule_id: 37253
http://45.9.74.80/zinda.exe - rule_id: 37063
http://gons01b.top/build.exe
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://gobo02fc.top/build.exe
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e
http://77.91.68.52/fuza/sus.exe - rule_id: 37265
http://jackantonio.top/timeSync.exe - rule_id: 37357
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://77.91.68.52/fuza/foto2552.exe - rule_id: 37267
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://kevinrobinson.top/e9c345fc99a4e67e.php
http://5.42.92.88/loghub/master - rule_id: 37264
http://galandskiyher5.com/downloads/toolspub1.exe
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
http://5.75.212.77/
http://77.91.124.1/theme/index.php - rule_id: 37040
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://171.22.28.213/3.exe - rule_id: 37068
http://194.169.175.232/autorun.exe - rule_id: 36817
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://5.75.212.77/upgrade.zip
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://db-ip.com/demo/home.php?s=175.208.134.152
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/95de023df160/d3h782af.bmp?extra=uWvrEgJ3z5rjbkGUgGON8BXoSf90LSPwWAVk1MDz2OGC8nJ7Utcq106l9DbiP0hwHWIPGkGeSQz1I4q-2rTjcC0itP_kUcIkzUbCArTQw7W5SWTQ68NispfgdBF879wcmT2vN2D5d1A-dqqB
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/debee9bfa529/PL_Client.bmp?extra=_HM8K8Sjj1WxKScQ1OeYMYRrX5RMl47KjJl7rwxmzUFhY6HrzOU4J5MJ2VAdTOuft64FSYluhbzSv9pEZlFOTcbs8GEL2XxJVnZXzbEsgwyqWDzo8igRCcZOQKYXFnUdy_j7_idbCPcftFZA
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzIlVx6lvDzEWF2VQxM6HnX3-7bQnCeiaJ8MzoFw7koldZNkvp9MJgSpLpAAJ-RbwL6dIMHGg
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/36cae3a74adf/2.bmp?extra=uh8Nl0xP01rObI2BgDjA81T1ht-JLxZhwz08F1JatMWjPlUdT9BtUuQyrzy8TEQXqyjdKZK0UYOAhBCV3wODweJt-D01gV2oaL0fISrPLFWSG9xh0IGIjUAu7QEVx0PY-SA8x2zc1V7QAvEc
https://vk.com/doc52355237_667122051?hash=LLU5GKPE1Bxnq0uull1jryyVzalFqZ7cqq3hgRfl8pz&dl=Sow5fZmwA8GkZGzQhzOU7iQNHmYouZcqLORXwYaqRSc&api=1&no_preview=1#rise
https://sun6-20.userapi.com/c235131/u52355237/docs/d47/1e4aeaf4b1cc/crypted.bmp?extra=VfK8gGvrthV0hJRIQ7uVaB63HwstXnqx7j4VPNZHwI4G7JbTAKOzOCiPCvNdfuAi5rd_PorBwxTw_A0OJF0Zx-Nm_AM4IxAqk_bR9oyn25eR1cLHusUvUBRQ3l5X5kDDBthNc3DsI-61cMLK
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://experiment.pw/setup294.exe
https://pastebin.com/raw/HPj0MzD6
https://sun6-21.userapi.com/c237231/u52355237/docs/d27/414f7ca564de/tmvwr.bmp?extra=4uCpGtOudHwIqN77rEX9G8lWrBIS3DKRQnWulm-GsiVJDRUh2vA0LlERRvfWitZqVnntI_idvAjIbjJ3Z5i8u0XcfjmrpbWm8W7SlF1LNKXL9YWyeGqt3cL-YZxQV6odCmlo7fI3VmrRjw-v
https://api.myip.com/
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxfTCKidsLSETyDN2ZQPPtpAFuvSbxIsl2_xXmgKF4k7ryyJcqupcrFS-Bsux6MQriiC3Mp&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S537430000%3A1697678262022281
https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
https://vk.com/doc52355237_667061084?hash=RhHoRXA484KClkz0frx3CM9bI4u2I55Ei4EZrjsoui4&dl=Fdk6Nbq2bRZKBvCJgsexoP1lzfwWZIQUN1YWRdecfpP&api=1&no_preview=1#zxc
https://msdl.microsoft.com/download/symbols/index2.txt
https://sun6-23.userapi.com/c909518/u52355237/docs/d48/7a6c9a3fc548/WWW11_32.bmp?extra=gEVUBIMSpLFW-sulR4k8pIyQnDa735WSxMfKdQ0FVscR3Z-euUtZLO5-UkuSpVRy2FTLe6_wLrRN7iqVt_tf5g5d_VS9Bh0zx-v7NIR77xhiJaAwEZ-zB-ErFyjqxUJPoy0Qy0mlY-bG6AK-
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://diplodoka.net/315b6291544e9427ed9c51d39ce0e88a/7a54bdb20779c4359694feaa1398dd25.exe
https://potatogoose.com/315b6291544e9427ed9c51d39ce0e88a/baf14778c246e15550645e30ba78ce1c.exe
https://sun6-22.userapi.com/c909418/u52355237/docs/d54/7cf9702300ea/zxc.bmp?extra=RNCMcjFxA24fI1PmnuRyOY5IftzA7ZvZDX-jEzoN8B1frPPqZcklxduh1iFcuH8q2IQVpvD-oNcodE946iNJu3oxUE5QUW6e_KNW2e1C_xzdfrxKV8Tfmxfo90tWcb2DO2c26nOVDKdnvJVf
https://dzen.ru/?yredirect=true
https://vk.com/doc52355237_667128433?hash=c75kTaBvy8XsGUHj9nZuWnwfdY9ZY2Vr0W0kqMRZKj4&dl=yd0Kt5iJ7qiHq1ne4m1DmzhCyz12TwydRCTVOZYwpg8&api=1&no_preview=1#redcl
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://sso.passport.yandex.ru/push?uuid=8bd09553-e90a-40db-9876-5bae9fb9ffda&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://api.2ip.ua/geo.json
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=7uuTdQ9yPFoIgRPO6Phqx1wMESnkwiHJHATRmVnGV%2FQ%3D&spr=https&se=2023-10-20T01%3A12%3A02Z&rscl=x-e2eid-26e9f45d-861f4c0b-b06b9090-63530012-session-900d63c7-554d47c4-854dea3d-0e2598c0
https://sun6-22.userapi.com/c237231/u52355237/docs/d30/15a1cf47157b/StealerClient_vmp.bmp?extra=KT-f23WxqBQ65uqhhWHQXPNuhiIugIViEdMCQi2BzBo7yt9K1aN3W99K2QYBjITkBCkQw3odEfiI7hfrUgxVCdGOBJ14TNwPPuQK0DvmNqyqwrlh6cFvi-zxRGnOSjGaFh0PU4iAgwwk_c8p
https://accounts.google.com/_/bscframe
https://vk.com/doc52355237_667106954?hash=u1nxcEZaxcLM5gBJiodoTcIasNoT55fLzvwrRyhTuIk&dl=eHGUUzvGf3mld3Z4uL26ddKyh2AQiccctdzWDv3HEzk&api=1&no_preview=1#1
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=jYWwYqntlQNo7VqQEVc7W0I7oehs9CpUhmmPu4LPWr4%3D&spr=https&se=2023-10-20T01%3A35%3A45Z&rscl=x-e2eid-bfe69332-5f324c5b-a4756aa8-ea45ce85-session-c338b56b-83a7497d-b3581a15-6a910b4f
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-23.userapi.com/c909228/u52355237/docs/d47/e08d562222fa/test222.bmp?extra=FKHq0JGAiinhcWKOGpyO4U_lhw9Olo9e_pEe34SbB12PISAklYZQ3HrQCl_WIfjsPWOYZxD9YZx1KLHcAYg8zGIzEtfmlRchaiOTaUHO1g2BjvGsxR-2EbTc4Xw94m3rCXZUQvFZql9qy3E3
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
|
138
server5.statscreate.org(185.82.216.96)
pastebin.com(104.20.68.143) - mailcious
db-ip.com(172.67.75.166)
telegram.org(149.154.167.99)
jackantonio.top(45.132.1.20) - malware
dzen.ru(62.217.160.2)
neuralshit.net(172.67.134.35) - malware
www.maxmind.com(104.18.146.235)
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
accounts.google.com(142.250.206.205)
ssl.gstatic.com(142.250.206.227)
sun6-23.userapi.com(95.142.206.3) - mailcious
galandskiyher5.com(194.169.175.127) - malware
potatogoose.com(172.67.180.173)
darianentertainment.com(65.109.26.240)
lakuiksong.known.co.ke(146.59.70.14) - malware
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.76.78.101) - mailcious
martvl.com(69.48.143.183) - malware
laubenstein.space(45.130.41.101) - mailcious
twitter.com(104.244.42.1)
msdl.microsoft.com(204.79.197.219)
lrefjviufewmcd.org(91.215.85.209) - malware
yip.su(148.251.234.93) - mailcious
cdn.discordapp.com(162.159.130.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
kevinrobinson.top(45.132.1.20)
octocrabs.com(104.21.21.189) - mailcious
clientservices.googleapis.com(142.250.206.195)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
walkinglate.com(172.67.212.188) - malware
diplodoka.net(104.21.78.56)
experiment.pw(172.67.167.220)
yandex.ru(77.88.55.60)
grabyourpizza.com(172.67.197.174) - malware
iplogger.com(148.251.234.93) - mailcious
gons01b.top(85.143.220.63)
zexeq.com(190.139.250.133) - malware
api.db-ip.com(104.26.5.15)
vsblobprodscussu5shard10.blob.core.windows.net(20.150.79.68)
colisumy.com() - malware
net.geo.opera.com(107.167.110.216)
api.myip.com(172.67.75.163)
stun.l.google.com(172.217.211.127)
gobo02fc.top(85.143.220.63)
sun6-22.userapi.com(95.142.206.2) - mailcious
978e3a64-beaf-4479-964b-134bc983cfb0.uuid.statscreate.org(185.82.216.96)
flyawayaero.net(104.21.93.225) - malware
vsblobprodscussu5shard58.blob.core.windows.net(20.150.79.68)
vk.com(87.240.137.164) - mailcious
iplis.ru(148.251.234.93) - mailcious
lycheepanel.info(104.21.32.208) - malware
95.142.206.1 - mailcious
148.251.234.93 - mailcious
194.169.175.128 - mailcious
162.159.133.233 - malware
104.18.145.235
69.48.143.183 - malware
172.67.167.220
194.169.175.127 - malware
185.225.75.171 - mailcious
77.91.124.55 - mailcious
142.250.66.99
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
85.217.144.143 - malware
5.255.255.77
172.67.212.188
172.86.97.117
85.143.220.63
149.154.167.99 - mailcious
104.21.65.24
104.21.34.37 - phishing
5.42.92.88 - mailcious
172.67.75.163
104.21.90.82 - malware
45.9.74.80 - malware
91.215.85.209 - mailcious
204.79.197.219
172.67.187.122 - malware
77.91.68.52 - mailcious
74.125.204.127
171.22.28.224
171.22.28.226 - malware
87.240.132.67 - mailcious
171.22.28.221 - malware
85.209.11.85
34.117.59.81
77.91.68.249 - malware
45.129.14.83 - malware
104.21.21.189
211.181.24.132
172.67.180.173
182.162.106.32
182.162.106.33 - malware
104.26.8.59
104.21.6.10 - malware
45.130.41.101 - mailcious
142.250.204.141
87.240.132.78 - mailcious
5.75.212.77
45.132.1.20 - mailcious
142.251.220.109
172.67.75.166
194.169.175.232 - malware
20.150.38.228
77.91.124.1 - malware
94.142.138.113 - mailcious
121.254.136.9
65.109.26.240 - mailcious
185.82.216.96
104.26.9.59
104.21.78.56
107.167.110.211
45.15.156.229 - mailcious
104.194.128.170
104.26.4.15
193.42.32.29 - malware
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
185.216.70.238 - mailcious
104.21.32.208 - malware
104.21.93.225 - phishing
146.59.70.14 - malware
171.22.28.239
172.217.24.77
213.180.204.24
171.22.28.213 - malware
95.142.206.0 - mailcious
193.42.32.118 - mailcious
172.67.34.170 - mailcious
172.217.27.3
171.22.28.236
104.76.78.101 - mailcious
|
57
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.pw domain - Likely Hostile
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING Suspicious services.exe in URI
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Request to .TOP Domain with Minimal Headers
ET INFO Packed Executable Download
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Dotted Quad Host ZIP Request
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO PS1 Powershell File Request
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
30
http://77.91.68.52/fuza/nalo.exe
http://171.22.28.226/download/WWW14_64.exe
http://77.91.68.52/fuza/2.ps1
http://85.217.144.143/files/Amadey.exe
http://45.9.74.80/zinda.exe
http://zexeq.com/test2/get.php
http://45.15.156.229/api/firegate.php
http://85.217.144.143/files/My2.exe
http://77.91.68.52/fuza/sus.exe
http://jackantonio.top/timeSync.exe
http://zexeq.com/files/1/build3.exe
http://77.91.68.52/fuza/foto2552.exe
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://5.42.92.88/loghub/master
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://45.9.74.80/0bjdn2Z/index.php
http://77.91.124.1/theme/index.php
http://45.15.156.229/api/tracemap.php
http://171.22.28.213/3.exe
http://194.169.175.232/autorun.exe
http://94.142.138.113/api/firegate.php
http://193.42.32.118/api/firecom.php
http://77.91.68.249/navi/kur90.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://steamcommunity.com/profiles/76561199563297648
https://pastebin.com/raw/xYhKBupz
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|