8911 |
2023-10-18 09:48
|
HTMLcache.doc 0926d64a5e274efd84980e0a42963ef6 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
1
|
2
i8.ae(104.21.60.158) - mailcious 104.21.60.158
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
31 |
ZeroCERT
8912 |
2023-10-18 09:50
|
HTMLcache.dOC 5694fc60fe6d3e04dc6ac4e6b05b9a7a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://192.3.108.47/iso/audiodgse.vbs
|
3
wallpapercave.com(104.22.52.71) - malware 104.22.52.71 192.3.108.47 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
28 |
ZeroCERT
8913 |
2023-10-18 09:59
|
RBLnetwork.vbs 393a35d56ac8e0403f5e37a0ab0bba4b Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware 104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
8914 |
2023-10-18 10:00
|
eggoflife.vbs 5cb5b67ebd7c01a2476d96153d26b45a Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware 104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
8915 |
2023-10-18 10:01
|
audiodgse.vbs 338b7c96e85cbe30dd4f196461fc4ba4 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
https://wallpapercave.com/uwp/uwp4072801.png
|
2
wallpapercave.com(104.22.52.71) - malware 104.22.52.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
1 |
ZeroCERT
8916 |
2023-10-18 15:20
|
Archive.7z 14cf80a7fd8a77c3eaed98b8ec615eb4 Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Discord DNS |
6
http://193.42.32.118/api/firegate.php - rule_id: 36458 http://193.42.32.118/api/tracemap.php - rule_id: 36180 https://cdn.discordapp.com/attachments/1162840103530528921/1163757886992814141/setup.exe https://vk.com/doc52355237_667082058?hash=SCtt4ltNCbu3lnYUwPGvIGmMakZCTQ0Yuj5qiGj1Uc0&dl=hil1F6PzYlnVsXsKpXdnyCyI9zVoEp3fH0XkDiKEhgk&api=1&no_preview=1 https://sun6-23.userapi.com/c909628/u52355237/docs/d52/6076404f60cf/ses.bmp?extra=vfnVMTyJ0z5oRRioQq5a4Ra-175lPx2RCYBIotPnmMhApvMMpHNxSEiuf3yMM4CorYaMFxQs-9DkKKFN4lsr5mu9vCvcF8W8b8fZhd4C_vKIeW8tIByAbMv_YKl3iV7Wq6s56P6Y96mO2chN https://api.myip.com/
|
18
iplis.ru(148.251.234.93) - mailcious sun6-23.userapi.com(95.142.206.3) - mailcious iplogger.org(148.251.234.83) - mailcious ipinfo.io(34.117.59.81) cdn.discordapp.com(162.159.129.233) - malware vk.com(87.240.129.133) - mailcious api.myip.com(104.26.8.59) 87.240.137.164 - mailcious 148.251.234.83 148.251.234.93 - mailcious 104.26.9.59 193.42.32.118 - mailcious 95.142.206.3 - mailcious 51.254.67.186 34.117.59.81 91.103.253.6 208.67.104.60 - mailcious 162.159.129.233 - malware
|
15
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET INFO TLS Handshake Failure ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
2
http://193.42.32.118/api/firegate.php http://193.42.32.118/api/tracemap.php
|
5.0 |
M |
|
ZeroCERT
8917 |
2023-10-18 17:55
|
abun.exe 85b7d14c272f7d0ad66a74ec947b7677 UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
4
mymobileorder.com(162.0.232.65) api.ipify.org(64.185.227.156) 104.237.62.212 162.0.232.65 - phishing
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
32 |
ZeroCERT
8918 |
2023-10-18 18:00
|
arinzezx.exe e25e15eb096d884c88cce0f4e079d2de UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed |
|
2
cp5ua.hyperhost.ua(91.235.128.141) 91.235.128.141
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
41 |
ZeroCERT
8919 |
2023-10-19 07:49
|
damianozx.exe 487fa93e89fd1ec0969e0083966714bd PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(104.237.62.212) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
27 |
ZeroCERT
8920 |
2023-10-19 07:50
|
audiodgse.exe 8ed749953dfc694808ed27f1aea08b71 Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156) 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.6 |
M |
30 |
ZeroCERT
8921 |
2023-10-19 07:52
|
undergroundzx.exe 050408a7ec8e1c0ef8a7e417fbccc299 LokiBot .NET framework(MSIL) PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Discord Browser Email ComputerName DNS Software crashed keylogger |
1
https://discordapp.com/api/webhooks/1163583965509197905/ZzAXRCqQ-ibE4oUwqs0NHv2AGzFsUnKD01ZpDXfNz05uyDGnR6CuWR8nGyVChCCCECqd
|
4
discordapp.com(162.159.129.233) - mailcious api.ipify.org(104.237.62.212) 173.231.16.77 162.159.135.233 - malware
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
|
|
13.4 |
M |
29 |
ZeroCERT
8922 |
2023-10-19 07:55
|
system32.exe d1e40dfbae57e5f3205117f5c9d64a76 Vidar Gen1 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Telegram MachineGuid Malicious Traffic Check memory WMI Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser Email ComputerName DNS Software crashed |
4
http://5.75.212.77/ http://5.75.212.77/upgrade.zip http://5.75.212.77/f02b730f81476e82205d9d2eb21e0ef8 https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
|
5
t.me(149.154.167.99) - mailcious steamcommunity.com(104.75.41.21) - mailcious 149.154.167.99 - mailcious 5.75.212.77 104.76.78.101 - mailcious
|
4
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host ZIP Request
|
1
https://steamcommunity.com/profiles/76561199563297648
|
13.2 |
M |
49 |
ZeroCERT
8923 |
2023-10-19 07:59
|
Random.exe 191febed315d7c3a620b564e99e5f3cc Gen1 Emotet Generic Malware UPX Malicious Library Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 .NET EXE OS Processor Check PNG Format DLL CAB MSOffice File JPEG Format Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed Downloader CoinMiner |
12
http://104.194.128.170/svp/Ykwrxaauw.dat http://172.86.97.117/himeffectivelyproress.exe http://85.217.144.143/files/My2.exe - rule_id: 34643 http://85.217.144.143/files/Amadey.exe - rule_id: 37253 http://galandskiyher5.com/downloads/toolspub1.exe http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://gons01b.top/build.exe https://pastebin.com/raw/HPj0MzD6 https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
32
iplogger.com(148.251.234.93) - mailcious yip.su(148.251.234.93) - mailcious pool.hashvault.pro(131.153.76.130) - mailcious net.geo.opera.com(107.167.110.216) martvl.com(69.48.143.183) - malware laubenstein.space(45.130.41.101) - mailcious pastebin.com(104.20.68.143) - mailcious flyawayaero.net(172.67.216.81) - malware grabyourpizza.com(104.21.90.82) - malware gons01b.top(85.143.220.63) galandskiyher5.com(194.169.175.127) - malware potatogoose.com(172.67.180.173) lycheepanel.info(104.21.32.208) - malware diplodoka.net(104.21.78.56) 104.21.78.56 107.167.110.211 148.251.234.93 - mailcious 121.254.136.9 85.217.144.143 - malware 104.194.128.170 193.42.32.29 - malware 85.143.220.63 45.130.41.101 - mailcious 69.48.143.183 - malware 194.169.175.127 - malware 131.153.76.130 - mailcious 104.21.32.208 - malware 172.67.216.81 - malware 172.67.197.174 104.21.35.235 172.86.97.117 104.20.67.143 - mailcious
|
17
ET DNS Query to a *.top domain - Likely Hostile ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers ET HUNTING Possible EXE Download From Suspicious TLD ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
3
http://85.217.144.143/files/My2.exe http://85.217.144.143/files/Amadey.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
19.4 |
M |
23 |
ZeroCERT
8924 |
2023-10-19 08:00
|
Ads.exe 6e781cf49af81b961d0ab465210a35f8 Generic Malware Malicious Library UPX Malicious Packer Antivirus AntiDebug AntiVM PE File PE64 PE32 OS Processor Check DLL Malware download VirusTotal Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces AppData folder malicious URLs suspicious TLD Tofsee Windows DNS Downloader CoinMiner |
10
http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://gobo02fc.top/build.exe http://85.217.144.143/files/My2.exe - rule_id: 34643 http://galandskiyher5.com/downloads/toolspub1.exe https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
|
29
pastebin.com(172.67.34.170) - mailcious diplodoka.net(104.21.78.56) net.geo.opera.com(107.167.110.211) gobo02fc.top(85.143.220.63) laubenstein.space(45.130.41.101) - mailcious flyawayaero.net(172.67.216.81) - malware yip.su(148.251.234.93) - mailcious grabyourpizza.com(172.67.197.174) - malware galandskiyher5.com(194.169.175.127) - malware potatogoose.com(172.67.180.173) darianentertainment.com(65.109.26.240) lycheepanel.info(104.21.32.208) - malware pool.hashvault.pro(131.153.76.130) - mailcious 148.251.234.93 - mailcious 85.217.144.143 - malware 172.67.216.81 - malware 107.167.110.216 85.143.220.63 45.130.41.101 - mailcious 194.169.175.127 - malware 172.67.217.52 - malware 104.21.32.208 - malware 172.67.180.173 162.159.135.233 - malware 172.67.197.174 104.20.67.143 - mailcious 65.109.26.240 - mailcious 23.67.53.27 131.153.76.130 - mailcious
|
17
ET DNS Query for .su TLD (Soviet Union) Often Malware Related SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Request to .TOP Domain with Minimal Headers SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET HUNTING Possible EXE Download From Suspicious TLD ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
|
3
http://85.217.144.143/files/My2.exe https://pastebin.com/raw/xYhKBupz https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
|
13.2 |
M |
36 |
ZeroCERT
8925 |
2023-10-19 10:29
|
Setup.7z 7549293a5a8c4e9e8ded3ee62551db42 PrivateLoader Amadey Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Dridex Malware c&c powershell Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro Trojan DNS Downloader |
76
|
138
|
57
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query to a *.pw domain - Likely Hostile ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET HUNTING Suspicious services.exe in URI ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO TLS Handshake Failure ET HUNTING Possible EXE Download From Suspicious TLD ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING Request to .TOP Domain with Minimal Headers ET INFO Packed Executable Download ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Redline Stealer TCP CnC - 
Id1Response ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Dotted Quad Host ZIP Request ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO PS1 Powershell File Request SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
|
30
http://77.91.68.52/fuza/nalo.exe http://171.22.28.226/download/WWW14_64.exe http://77.91.68.52/fuza/2.ps1 http://85.217.144.143/files/Amadey.exe http://45.9.74.80/zinda.exe http://zexeq.com/test2/get.php http://45.15.156.229/api/firegate.php http://85.217.144.143/files/My2.exe http://77.91.68.52/fuza/sus.exe http://jackantonio.top/timeSync.exe http://zexeq.com/files/1/build3.exe http://77.91.68.52/fuza/foto2552.exe http://94.142.138.113/api/tracemap.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://5.42.92.88/loghub/master http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://45.9.74.80/0bjdn2Z/index.php http://77.91.124.1/theme/index.php http://45.15.156.229/api/tracemap.php http://171.22.28.213/3.exe http://194.169.175.232/autorun.exe http://94.142.138.113/api/firegate.php http://193.42.32.118/api/firecom.php http://77.91.68.249/navi/kur90.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://steamcommunity.com/profiles/76561199563297648 https://pastebin.com/raw/xYhKBupz https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
8.4 |
M |
|
ZeroCERT