8926 |
2023-10-19 10:49
|
himeffectivelyproress.exe fa9494dcb5bd42e61e89231dfc8eb0da Gen1 Emotet Malicious Library UPX AntiDebug AntiVM PE File PE64 CAB PE32 .NET EXE OS Processor Check PNG Format MSOffice File JPEG Format VirusTotal Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Exploit Remote Code Execution DNS crashed |
1
http://104.194.128.170/svp/Ykwrxaauw.dat - rule_id: 37401
|
3
iplogger.com(148.251.234.93) - mailcious 148.251.234.93 - mailcious 104.194.128.170 - mailcious
|
4
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
http://104.194.128.170/svp/Ykwrxaauw.dat
|
10.2 |
M |
22 |
ZeroCERT
8927 |
2023-10-19 18:27
|
sevenththththththth.vbs f9145a219ca855c79279b94e9b902068 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4072801.png
http://185.254.37.80/seventhhhhhhhh.txt
|
2
wallpapercave.com(104.22.52.71) - malware 172.67.29.26 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
4 |
ZeroCERT
8928 |
2023-10-19 18:28
|
westartagain.vbs a19e87eb4cfc892ad7ccf43fd3a2a114 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://94.156.253.236/newbeginining.txt
|
2
wallpapercave.com(172.67.29.26) - malware 172.67.29.26 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
3 |
ZeroCERT
8929 |
2023-10-19 18:28
|
gfhdsggssdgfsFile.vbs 50530ad3f7a59a70e2ad275d8eca6e34 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4072801.png
http://185.254.37.80/apamaaktivosbase6444.txt
|
2
wallpapercave.com(104.22.52.71) - malware 104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
5 |
ZeroCERT
8930 |
2023-10-19 18:42
|
HTMLcache8.dOC 2b81d6d754937ab82947a76d395df643 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash Tofsee Exploit DNS crashed |
1
http://185.254.37.80/sevenththththththth.vbs
|
3
wallpapercave.com(104.22.52.71) - malware 185.254.37.80 - mailcious
104.22.53.71
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
3.6 |
M |
29 |
ZeroCERT
8931 |
2023-10-20 07:31
|
newumma.exe dfd00cebfa70ea1470514e2c03770fd4 Malicious Library UPX Malicious Packer AntiDebug AntiVM PE File PE32 OS Processor Check PE64 Malware download Amadey Cryptocurrency Miner Malware AutoRuns PDB Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Kelihos Tofsee Windows ComputerName DNS CoinMiner |
4
http://79.137.192.18/latestX.exe - rule_id: 37269 http://galandskiyher5.com/downloads/toolspub2.exe - rule_id: 37268 http://193.42.33.7/mbSDvj3/index.php https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe - rule_id: 37364
|
13
rangeroverfan.org(172.67.165.223) - malware galandskiyher5.com(194.169.175.127) - malware foxandcatbet.org(104.21.71.26) - malware pastebin.com(104.20.67.143) - mailcious xmr-eu1.nanopool.org(51.15.193.130) - mailcious 51.255.34.118 193.42.33.7 - mailcious 194.169.175.127 - malware 79.137.192.18 - malware 104.21.66.240 104.21.71.26 - malware 51.15.65.182 - mailcious 172.67.34.170 - mailcious
|
10
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Possible Kelihos.F EXE Download Common Structure ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
|
3
http://79.137.192.18/latestX.exe http://galandskiyher5.com/downloads/toolspub2.exe https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe
|
12.6 |
M |
|
ZeroCERT
8932 |
2023-10-20 07:32
|
truever0510dn.exe 93556130a3846a62780b2b331cd19ea0 Gen1 Generic Malware Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE File PE32 CAB OS Processor Check PE64 DLL ftp DllRegisterServer dll PNG Format Malware PDB Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Tofsee ComputerName DNS |
1
https://i.imgur.com/pRZqSZX.png
|
7
i.imgur.com(146.75.92.193) - mailcious ctrip.com(114.80.56.121) i.ibb.co(172.96.160.210) - mailcious 104.194.8.143 - mailcious 146.75.92.193 - mailcious 51.15.65.182 - mailcious 114.80.56.121
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.4 |
M |
|
ZeroCERT
8933 |
2023-10-20 09:26
|
HTMLincache.doc 0f8b57f118a80ad75a56a9bb3f1206ea MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://94.156.253.236/lllllillilililiil.vbs
|
3
wallpapercave.com(104.22.53.71) - malware 172.67.29.26 - malware 94.156.253.236 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
28 |
ZeroCERT
8934 |
2023-10-20 16:35
|
a3.jpg.exe ca0299d9cfce19b30bedc50656f16983 AsyncRAT UPX Malicious Packer .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check Malware download AsyncRAT NetWireRC Malware DNS DDNS |
|
2
rxrr.duckdns.org(185.81.157.213) - mailcious 185.81.157.213 - mailcious
|
4
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
0.4 |
|
|
ZeroCERT
8935 |
2023-10-20 17:36
|
lllllillilililiil.vbs c22b3eab9a5dbb2ac744e6d3c683bc30 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://94.156.253.236/yeyeyeyyeeyyeyeye.txt
|
2
wallpapercave.com(104.22.52.71) - malware 104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
7 |
ZeroCERT
8936 |
2023-10-20 18:12
|
Setup.7z 72b145dcb4456a0892b5b725eec5d1b4 Stealc Vidar PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro Trojan DNS Downloader |
68
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://kevinrobinson.top/e9c345fc99a4e67e.php - rule_id: 37432 http://172.86.97.117/himeffectivelyproress.exe - rule_id: 37400 http://85.217.144.143/files/Amadey.exe - rule_id: 37253 http://5.75.212.77/13088c19c5a97b42d0d1d9573cc9f1b8 http://5.75.212.77/upgrade.zip - rule_id: 37406 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396 http://colisumy.com/dl/build2.exe - rule_id: 31026 http://gobo02fc.top/build.exe - rule_id: 37395 http://85.217.144.143/files/My2.exe - rule_id: 34643 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e - rule_id: 37430 http://104.194.128.170/svp/Hfxbflp.mp3 http://jackantonio.top/timeSync.exe - rule_id: 37357 http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://5.42.92.88/loghub/master - rule_id: 37264 http://193.42.33.7/mbSDvj3/index.php - rule_id: 37449 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://5.75.212.77/ - rule_id: 37407 http://45.129.14.83/fra.exe http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://171.22.28.213/3.exe - rule_id: 37068 http://94.142.138.113/api/firegate.php - rule_id: 36152 http://171.22.28.221/files/Random.exe - rule_id: 37434 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://www.maxmind.com/geoip/v2.1/city/me http://gons01b.top/build.exe - rule_id: 37402 http://77.91.68.249/navi/kur90.exe - rule_id: 37069 
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb https://sun6-23.userapi.com/c909228/u52355237/docs/d38/847843b59260/d3h782af.bmp?extra=47rdXWAczPPHoELmIB5F-wINKuHjiWx6MelbVcVKX-XzpjSlHCjtPC1dX3n_SIjy-E4a7Hg3ljMBe_q87PD5QlZ2pVx4ON5lHKAy5mRVFJ1gUNHTUI93vvVaO6EwzCqnfk4tvVE6n497Lvvo https://db-ip.com/demo/home.php?s=175.208.134.152 https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=a00cd6w1eEWAICwyKE1cTFHt5KkPpREimUXb%2F8yxloI%3D&spr=https&se=2023-10-21T09%3A35%3A45Z&rscl=x-e2eid-895be34d-23854a20-9d9bd2e0-37a2ea5b-session-e9f4363b-00ed493a-bb4152d6-64db1898 https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=i2VslFCszJFPcsoKvioFglCJvuT3uSV4ZcbuBEr9zkw%3D&spr=https&se=2023-10-21T09%3A12%3A02Z&rscl=x-e2eid-ea5bfd11-052b4cba-8003f3a4-4c7e5a46-session-8e6b7233-d98a40c2-b0fb76d7-2383fe95 https://sun6-20.userapi.com/c909618/u52355237/docs/d11/f10de79a60ff/zxc.bmp?extra=2IWemhXJCtxsmHnrEM-ehLyp7-WvTFYNf8GWUSetJ8-guOw5s09JP69BhcVtGTfTBNve75XWmGAhxDunL7CtJMC1rNTCZuAvsRuanIuDufmraKQuKFdW0Cm_40H7Ham6r6z6YAx4u-VxVNfo https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397 https://vk.com/doc52355237_667162081?hash=4BgzraSUlIskCw5J6xGm3ViPzq8b7svHxEssqfvoCPH&dl=LANzNVd3qg51q6TImeUt70feNJmp9qZlTmWM3bxixcD&api=1&no_preview=1#test22 https://potatogoose.com/011c9f113ddd731c796c737fa640ca01/baf14778c246e15550645e30ba78ce1c.exe https://experiment.pw/setup294.exe - rule_id: 37436 https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403 
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/2461e2bfbe4c/PL_Client.bmp?extra=rsx6YdeS1TMyj8hstvsuJl4qhUAw0Cl_BDL9zlBtIcqYM_c5iOMTGcoEDS3olEnkyxRuhLKtQgZ_Zj9A57UjQvMe0WnaTE5UkrhQZfK52loM8JRRAIGs9XcvugIqJJ1mp3W0eylyXuWPRmvv https://api.myip.com/ https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362 https://sun6-23.userapi.com/c235131/u52355237/docs/d29/c2ec420964d3/2.bmp?extra=smxM9cx8UEWCOi7dAazlPSUrryzvsUncAMkw9IxCyGfvRsBfqF9Kcg1S-tNZodsGOZ48oxP5EllG8Xt2Ml5MTfQOxvIXD5_Fz8dySEBwkZD0lSlzpLf7fEFS2icznum8dAEPSqE3f4Oo6JPe https://msdl.microsoft.com/download/symbols/index2.txt https://sso.passport.yandex.ru/push?uuid=f7ac55a0-6e6f-4cd3-8e26-a48c8345246e&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://sun6-23.userapi.com/c909518/u52355237/docs/d48/367eee565503/WWW11_32.bmp?extra=lT8dVRtZIQ6vp6oOAx94JFf1Pro4u-Ic3tMl1CwZ8XPaX73x5ZrR1KeXmhnzlfj7eyhv7kwN3ufSPWi09MsfgYLRAda7vmz9jpdhAXH9UFKpzlAsiGhAQn-f4zeU-Bw9pQ0y1tekcHh7kG0I https://sun6-20.userapi.com/c909518/u52355237/docs/d7/12f243df05d7/test2222.bmp?extra=5bKT7bWgmxjzByTTdgZLdjnXojvB8-hfjOtwHYX6E6fgUFd2WSjbF6OE-4IlOSj2ex_qerAma71rtt-akOzRHhnyyLh_hGKtJNRiHlwRwkCy1H5_zDaf6KrOyd06nRcyKhI_1KX0VQOBkLZW https://dzen.ru/?yredirect=true https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://api.2ip.ua/geo.json https://sun6-22.userapi.com/c909228/u52355237/docs/d34/5396c88b015b/RisePro_0_9.bmp?extra=yXqSXHL5f2CYAzONeUP1CPICSmUZrVngDGEO05ensD48azqcKnZhT4LnpLZSM8Awzy3VfNBN9qtudAdBqvG2Bz9DjytesrB8-F7i4ClmlyfNYz5P0OZKhaPjYFvjyA3yFHnDZDJPNuyzY6lZ https://vk.com/doc52355237_667141516?hash=HsWBQHEyToldG20L9sZwIGv5gYpaCVz2I4NaffNltj4&dl=bzijOkGFnqMWzUUPzsZAF8ZEAo0nny8RcsO8lHuWRKD&api=1&no_preview=1#rise https://diplodoka.net/011c9f113ddd731c796c737fa640ca01/7a54bdb20779c4359694feaa1398dd25.exe 
https://vk.com/doc52355237_667169888?hash=0FXstFY9YauEmcBFs6Ju2Y5tz7xvBx6HWmEsxICLiEk&dl=ZYeU9AHGQRsNeFvrDCqd9qZaUAOggliBMioUMK71cy8&api=1&no_preview=1#t1 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://neuralshit.net/011c9f113ddd731c796c737fa640ca01/7725eaa6592c80f8124e769b4e8a07f7.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716 https://sun6-20.userapi.com/c235131/u52355237/docs/d47/44a24ce675a2/crypted.bmp?extra=zC6h-JiJEnlq0D7d34kRb8Vbq1AnLg6Vg_zNG5ePklvOfDwaCO35VzPPNI5eK99N1s35KXwS1iDpWGb2FFRintE43fmGTCnpX9oWSgb42LHByV-2U5b5oyRP2ZmgndiJVmc8OeFX9UV2rI2A
|
127
neuralshit.net(172.67.134.35) - malware www.maxmind.com(104.18.146.235) db-ip.com(172.67.75.166) jackantonio.top(45.132.1.20) - malware dzen.ru(62.217.160.2) t.me(149.154.167.99) - mailcious lrefjviufewmcd.org(91.215.85.209) - malware ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) - mailcious galandskiyher5.com(194.169.175.127) - malware iplogger.org(148.251.234.83) - mailcious potatogoose.com(104.21.35.235) - malware darianentertainment.com(65.109.26.240) lakuiksong.known.co.ke(146.59.70.14) - malware api.2ip.ua(172.67.139.220) steamcommunity.com(104.76.78.101) - mailcious martvl.com(69.48.143.183) - malware api.db-ip.com(172.67.75.166) laubenstein.space(45.130.41.101) - mailcious twitter.com(104.244.42.129) telegram.org(149.154.167.99) yip.su(148.251.234.93) - mailcious cdn.discordapp.com(162.159.135.233) - malware sun6-20.userapi.com(95.142.206.0) - mailcious kevinrobinson.top(45.132.1.20) - mailcious octocrabs.com(104.21.21.189) - mailcious ab07dfb1-b583-46f4-8c3d-99c8152cf07f.uuid.filesdumpplace.org(185.82.216.96) sun6-21.userapi.com(95.142.206.1) - mailcious msdl.microsoft.com(204.79.197.219) diplodoka.net(104.21.78.56) - malware experiment.pw(104.21.34.37) - malware yandex.ru(77.88.55.60) grabyourpizza.com(172.67.197.174) - malware iplogger.com(148.251.234.93) - mailcious gons01b.top(85.143.220.63) - malware zexeq.com(211.119.84.112) - malware stun4.l.google.com(172.253.127.127) vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36) colisumy.com(201.124.243.137) - malware net.geo.opera.com(107.167.110.211) api.myip.com(172.67.75.163) gobo02fc.top(85.143.220.63) - malware sun6-22.userapi.com(95.142.206.2) - mailcious pastebin.com(104.20.67.143) - mailcious flyawayaero.net(104.21.93.225) - malware vsblobprodscussu5shard58.blob.core.windows.net(20.150.38.228) vk.com(87.240.132.67) - mailcious sso.passport.yandex.ru(213.180.204.24) server11.filesdumpplace.org(185.82.216.96) iplis.ru(148.251.234.93) - mailcious lycheepanel.info(104.21.32.208) - 
malware 148.251.234.93 - mailcious 194.169.175.128 - mailcious 85.217.144.143 - malware 104.18.146.235 193.42.33.7 - mailcious 93.186.225.194 - mailcious 171.22.28.213 - malware 69.48.143.183 - malware 172.67.167.220 - malware 194.169.175.127 - malware 185.225.75.171 - mailcious 77.91.124.55 - mailcious 104.20.68.143 - mailcious 162.159.135.233 - malware 62.217.160.2 104.244.42.1 - suspicious 104.26.5.15 5.255.255.70 172.86.97.117 - malware 104.20.67.143 - mailcious 149.154.167.99 - mailcious 104.21.65.24 104.21.34.37 - phishing 45.129.14.83 - malware 20.150.38.228 104.21.90.82 - malware 95.142.206.1 - mailcious 91.215.85.209 - mailcious 204.79.197.219 172.67.187.122 - malware 190.187.52.42 171.22.28.224 171.22.28.226 - malware 171.22.28.221 - malware 20.150.79.68 34.117.59.81 77.91.68.249 - malware 85.143.220.63 - malware 104.21.21.189 104.21.35.235 185.82.216.96 148.251.234.83 104.26.8.59 104.21.6.10 - malware 190.219.136.87 193.42.32.118 - mailcious 5.75.212.77 - mailcious 45.132.1.20 - mailcious 104.21.32.208 - malware 172.67.75.166 172.67.216.81 - malware 94.142.138.113 - mailcious 172.67.197.174 121.254.136.9 65.109.26.240 - mailcious 45.130.41.101 - mailcious 104.21.78.56 - malware 107.167.110.211 45.15.156.229 - mailcious 104.194.128.170 - mailcious 193.42.32.29 - malware 95.142.206.3 - mailcious 95.142.206.2 - mailcious 172.67.139.220 185.216.70.238 - mailcious 172.67.217.52 - malware 95.142.206.0 - mailcious 146.59.70.14 - malware 171.22.28.239 213.180.204.24 172.67.180.173 - malware 87.240.132.72 - mailcious 142.251.2.127 171.22.28.236 104.76.78.101 - mailcious 5.42.92.88 - mailcious
|
56
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET INFO Executable Download from dotted-quad Host ET DNS Query to a *.top domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET DNS Query to a *.pw domain - Likely Hostile ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Possible EXE Download From Suspicious TLD ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO TLS Handshake Failure ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Redline Stealer Activity (Response) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET HUNTING Request to .TOP Domain with Minimal Headers ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET MALWARE [ANY.RUN] 
Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Observed Telegram Domain (t .me in TLS SNI) ET INFO Dotted Quad Host ZIP Request ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
|
36
http://171.22.28.226/download/WWW14_64.exe http://kevinrobinson.top/e9c345fc99a4e67e.php http://172.86.97.117/himeffectivelyproress.exe http://85.217.144.143/files/Amadey.exe http://5.75.212.77/upgrade.zip http://zexeq.com/test2/get.php http://45.15.156.229/api/firegate.php http://galandskiyher5.com/downloads/toolspub1.exe http://colisumy.com/dl/build2.exe http://gobo02fc.top/build.exe http://85.217.144.143/files/My2.exe http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e http://jackantonio.top/timeSync.exe http://zexeq.com/files/1/build3.exe http://94.142.138.113/api/tracemap.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://5.42.92.88/loghub/master http://193.42.33.7/mbSDvj3/index.php http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://5.75.212.77/ http://45.15.156.229/api/tracemap.php http://171.22.28.213/3.exe http://94.142.138.113/api/firegate.php http://171.22.28.221/files/Random.exe http://193.42.32.118/api/firecom.php http://gons01b.top/build.exe http://77.91.68.249/navi/kur90.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe https://experiment.pw/setup294.exe https://pastebin.com/raw/HPj0MzD6 https://steamcommunity.com/profiles/76561199563297648 https://pastebin.com/raw/xYhKBupz https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.8 |
M |
|
ZeroCERT
8937 |
2023-10-20 18:34
|
setup2.7z 3735adf80a188c2b01494f4c914ad709 Stealc Vidar PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Dridex VirusTotal Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader |
60
http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://kevinrobinson.top/e9c345fc99a4e67e.php - rule_id: 37432 http://172.86.97.117/himeffectivelyproress.exe - rule_id: 37400 http://85.217.144.143/files/Amadey.exe - rule_id: 37253 http://5.75.212.77/13088c19c5a97b42d0d1d9573cc9f1b8 - rule_id: 37466 http://gons01b.top/build.exe - rule_id: 37402 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://5.75.212.77/ - rule_id: 37407 http://colisumy.com/dl/build2.exe - rule_id: 31026 http://gobo02fc.top/build.exe - rule_id: 37395 http://85.217.144.143/files/My2.exe - rule_id: 34643 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e - rule_id: 37430 http://104.194.128.170/svp/Hfxbflp.mp3 - rule_id: 37467 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://zexeq.com/files/1/build3.exe - rule_id: 27913 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://5.42.92.88/loghub/master - rule_id: 37264 http://193.42.33.7/mbSDvj3/index.php - rule_id: 37449 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396 http://45.129.14.83/fra.exe - rule_id: 37469 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://171.22.28.213/3.exe - rule_id: 37068 http://171.22.28.221/files/Random.exe - rule_id: 37434 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://www.maxmind.com/geoip/v2.1/city/me http://5.75.212.77/upgrade.zip - rule_id: 37406 http://77.91.68.249/navi/kur90.exe - rule_id: 37069 http://193.42.33.7/newumma.exe - rule_id: 37470 http://jackantonio.top/timeSync.exe - rule_id: 37357 
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/847843b59260/d3h782af.bmp?extra=47rdXWAczPPHoELmIB5F-wINKuHjiWx6MelbVcVKX-XzpjSlHCjtPC1dX3n_SIjy-E4a7Hg3ljMBe_q87PD5QlZ2pVx4ON5lHKAy5mRVFJ1gUNHTUI93vvVaO6EwzCqnfk4tvVE6n497Lvvo https://db-ip.com/demo/home.php?s=175.208.134.152 https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://sun6-20.userapi.com/c909618/u52355237/docs/d11/f10de79a60ff/zxc.bmp?extra=2IWemhXJCtxsmHnrEM-ehLyp7-WvTFYNf8GWUSetJ8-guOw5s09JP69BhcVtGTfTBNve75XWmGAhxDunL7CtJMC1rNTCZuAvsRuanIuDufmraKQuKFdW0Cm_40H7Ham6r6z6YAx4u-VxVNfo https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397 https://experiment.pw/setup294.exe - rule_id: 37436 https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403 https://sso.passport.yandex.ru/push?uuid=0c22eec9-dd9e-4ca3-bb99-195d019d5eff&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://sun6-23.userapi.com/c909518/u52355237/docs/d49/2461e2bfbe4c/PL_Client.bmp?extra=rsx6YdeS1TMyj8hstvsuJl4qhUAw0Cl_BDL9zlBtIcqYM_c5iOMTGcoEDS3olEnkyxRuhLKtQgZ_Zj9A57UjQvMe0WnaTE5UkrhQZfK52loM8JRRAIGs9XcvugIqJJ1mp3W0eylyXuWPRmvv https://api.myip.com/ https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362 https://sun6-23.userapi.com/c235131/u52355237/docs/d29/c2ec420964d3/2.bmp?extra=smxM9cx8UEWCOi7dAazlPSUrryzvsUncAMkw9IxCyGfvRsBfqF9Kcg1S-tNZodsGOZ48oxP5EllG8Xt2Ml5MTfQOxvIXD5_Fz8dySEBwkZD0lSlzpLf7fEFS2icznum8dAEPSqE3f4Oo6JPe https://potatogoose.com/49a60f5db34b71a108084872f1d8829a/baf14778c246e15550645e30ba78ce1c.exe https://diplodoka.net/49a60f5db34b71a108084872f1d8829a/7a54bdb20779c4359694feaa1398dd25.exe https://sun6-23.userapi.com/c909518/u52355237/docs/d48/367eee565503/WWW11_32.bmp?extra=lT8dVRtZIQ6vp6oOAx94JFf1Pro4u-Ic3tMl1CwZ8XPaX73x5ZrR1KeXmhnzlfj7eyhv7kwN3ufSPWi09MsfgYLRAda7vmz9jpdhAXH9UFKpzlAsiGhAQn-f4zeU-Bw9pQ0y1tekcHh7kG0I 
https://sun6-20.userapi.com/c909518/u52355237/docs/d7/12f243df05d7/test2222.bmp?extra=5bKT7bWgmxjzByTTdgZLdjnXojvB8-hfjOtwHYX6E6fgUFd2WSjbF6OE-4IlOSj2ex_qerAma71rtt-akOzRHhnyyLh_hGKtJNRiHlwRwkCy1H5_zDaf6KrOyd06nRcyKhI_1KX0VQOBkLZW https://dzen.ru/?yredirect=true https://neuralshit.net/49a60f5db34b71a108084872f1d8829a/7725eaa6592c80f8124e769b4e8a07f7.exe https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://api.2ip.ua/geo.json https://sun6-22.userapi.com/c909228/u52355237/docs/d34/5396c88b015b/RisePro_0_9.bmp?extra=yXqSXHL5f2CYAzONeUP1CPICSmUZrVngDGEO05ensD48azqcKnZhT4LnpLZSM8Awzy3VfNBN9qtudAdBqvG2Bz9DjytesrB8-F7i4ClmlyfNYz5P0OZKhaPjYFvjyA3yFHnDZDJPNuyzY6lZ https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716 https://sun6-20.userapi.com/c235131/u52355237/docs/d47/44a24ce675a2/crypted.bmp?extra=zC6h-JiJEnlq0D7d34kRb8Vbq1AnLg6Vg_zNG5ePklvOfDwaCO35VzPPNI5eK99N1s35KXwS1iDpWGb2FFRintE43fmGTCnpX9oWSgb42LHByV-2U5b5oyRP2ZmgndiJVmc8OeFX9UV2rI2A
|
116
neuralshit.net(104.21.6.10) - malware db-ip.com(104.26.4.15) lakuiksong.known.co.ke(146.59.70.14) - malware jackantonio.top(45.132.1.20) - malware t.me(149.154.167.99) - mailcious lrefjviufewmcd.org(91.215.85.209) - malware ipinfo.io(34.117.59.81) sun6-23.userapi.com(95.142.206.3) - mailcious yandex.ru(5.255.255.77) galandskiyher5.com(194.169.175.127) - malware iplogger.org(148.251.234.83) - mailcious potatogoose.com(104.21.35.235) - malware darianentertainment.com(65.109.26.240) dzen.ru(62.217.160.2) api.2ip.ua(104.21.65.24) steamcommunity.com(104.76.78.101) - mailcious martvl.com(69.48.143.183) - malware grabyourpizza.com(104.21.90.82) - malware laubenstein.space(45.130.41.101) - mailcious twitter.com(104.244.42.65) telegram.org(149.154.167.99) yip.su(148.251.234.93) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious kevinrobinson.top(45.132.1.20) - mailcious api.db-ip.com(104.26.4.15) sun6-21.userapi.com(95.142.206.1) - mailcious sso.passport.yandex.ru(213.180.204.24) diplodoka.net(172.67.217.52) - malware experiment.pw(104.21.34.37) - malware www.maxmind.com(104.18.145.235) iplogger.com(148.251.234.93) - mailcious gons01b.top(85.143.220.63) - malware zexeq.com(2.180.10.7) - malware octocrabs.com(104.21.21.189) - mailcious colisumy.com(123.140.161.243) - malware 412f46bf-dd0d-47dc-a208-5c99cf96abe8.uuid.alldatadump.org(185.82.216.108) iplis.ru(148.251.234.93) - mailcious gobo02fc.top(85.143.220.63) - malware sun6-22.userapi.com(95.142.206.2) - mailcious pastebin.com(104.20.67.143) - mailcious flyawayaero.net(172.67.216.81) - malware net.geo.opera.com(107.167.110.216) vk.com(87.240.132.67) - mailcious api.myip.com(172.67.75.163) lycheepanel.info(104.21.32.208) - malware 148.251.234.93 - mailcious 194.169.175.128 - mailcious 85.217.144.143 - malware 104.18.146.235 104.18.145.235 123.140.161.243 - mailcious 93.186.225.194 - mailcious 69.48.143.183 - malware 172.67.167.220 - malware 194.169.175.127 - malware 185.225.75.171 - mailcious 77.91.124.55 - mailcious 
104.20.68.143 - mailcious 62.217.160.2 104.26.5.15 208.67.104.60 - mailcious 104.244.42.129 - suspicious 172.86.97.117 - malware 104.20.67.143 - mailcious 149.154.167.99 - mailcious 104.21.65.24 172.67.75.166 45.129.14.83 - malware 104.21.90.82 - malware 95.142.206.1 - mailcious 91.215.85.209 - mailcious 193.42.33.7 - mailcious 172.67.187.122 - malware 23.77.13.112 171.22.28.224 - mailcious 171.22.28.226 - malware 171.22.28.221 - malware 34.117.59.81 77.91.68.249 - malware 85.143.220.63 - malware 104.21.21.189 172.67.180.173 - malware 87.240.137.164 - mailcious 148.251.234.83 104.26.8.59 45.130.41.101 - mailcious 172.67.134.35 - malware 193.42.32.118 - mailcious 5.75.212.77 - mailcious 45.132.1.20 - mailcious 104.21.32.208 - malware 77.88.55.88 172.67.216.81 - malware 121.254.136.9 65.109.26.240 - mailcious 23.67.53.27 104.26.9.59 104.21.78.56 - malware 107.167.110.211 45.15.156.229 - mailcious 104.194.128.170 - mailcious 107.167.110.216 193.42.32.29 - malware 95.142.206.3 - mailcious 95.142.206.2 - mailcious 5.42.92.88 - mailcious 95.142.206.0 - mailcious 172.67.217.52 - malware 104.21.93.225 - phishing 146.59.70.14 - malware 171.22.28.239 - mailcious 213.180.204.24 171.22.28.213 - malware 87.240.129.133 - mailcious 171.22.28.236 - mailcious 104.76.78.101 - mailcious
|
52
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DNS Query to a *.top domain - Likely Hostile SURICATA Applayer Mismatch protocol both directions ET DNS Query to a *.pw domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET DROP Spamhaus DROP Listed Traffic Inbound group 7 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET HUNTING Possible EXE Download From Suspicious TLD ET HUNTING Suspicious services.exe in URI ET INFO TLS Handshake Failure ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Packed Executable Download ET MALWARE Redline Stealer Activity (Response) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET HUNTING Request to .TOP Domain with Minimal Headers ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Potential Dridex.Maldoc Minimal Executable Request ET MALWARE Win32/Vodkagats Loader Requesting Payload ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Dotted Quad Host ZIP Request ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
|
39
http://171.22.28.226/download/WWW14_64.exe http://kevinrobinson.top/e9c345fc99a4e67e.php http://172.86.97.117/himeffectivelyproress.exe http://85.217.144.143/files/Amadey.exe http://5.75.212.77/13088c19c5a97b42d0d1d9573cc9f1b8 http://gons01b.top/build.exe http://zexeq.com/test2/get.php http://5.75.212.77/ http://colisumy.com/dl/build2.exe http://gobo02fc.top/build.exe http://85.217.144.143/files/My2.exe http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e http://104.194.128.170/svp/Hfxbflp.mp3 http://45.15.156.229/api/firegate.php http://zexeq.com/files/1/build3.exe http://171.22.28.221/files/Ads.exe http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://5.42.92.88/loghub/master http://193.42.33.7/mbSDvj3/index.php http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://galandskiyher5.com/downloads/toolspub1.exe http://45.129.14.83/fra.exe http://45.15.156.229/api/tracemap.php http://171.22.28.213/3.exe http://171.22.28.221/files/Random.exe http://193.42.32.118/api/firecom.php http://5.75.212.77/upgrade.zip http://77.91.68.249/navi/kur90.exe http://193.42.33.7/newumma.exe http://jackantonio.top/timeSync.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe https://experiment.pw/setup294.exe https://pastebin.com/raw/HPj0MzD6 https://steamcommunity.com/profiles/76561199563297648 https://pastebin.com/raw/xYhKBupz https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
7.4 |
M |
1 |
ZeroCERT
|
8938 |
2023-10-23 09:31
|
HTMLcachies.dOC e8277a6ee73ffeb63f76e8343e1ac5e4 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
1
http://185.254.37.174/droidwednesdayyyFile.vbs
|
3
wallpapercave.com(104.22.52.71) - malware 185.254.37.174 - mailcious 104.22.52.71
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.2 |
M |
34 |
ZeroCERT
|
8939 |
2023-10-23 12:18
|
abyx.vbs a4b27b7143e37f8c1c3d038e22fab7e5 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://193.42.33.51/aby.txt
|
2
wallpapercave.com(172.67.29.26) - malware 172.67.29.26 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
17 |
ZeroCERT
|
8940 |
2023-10-23 12:18
|
droidwednesdayyyFile.vbs c6cc9287c08464bfe297be623543d72d Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4082989.png
http://185.254.37.174/apamaaktivozdroidbase644.txt
|
2
wallpapercave.com(104.22.53.71) - malware 104.22.53.71
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
|
4 |
ZeroCERT
|