8956 | 2023-10-25 09:52
HTMLprofile.dOC 2885bbb18db2fc076e129a10729faadb MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed
URLs (2): http://toss.is/6*WW4F ; http://141.98.6.91/2010/1/MAH.vbs
Hosts (2): toss.is(45.33.42.226) ; 45.33.42.226
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure ; SURICATA Applayer Wrong direction first Data
3.2 | M | 30 | ZeroCERT
8957 | 2023-10-25 09:54
HTMLCacheCentos.dOC b39f481790c393d21234af0ced69da7a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed
Hosts (2): toss.is(45.33.42.226) ; 45.33.42.226
Alerts (3): ET INFO TLS Handshake Failure ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; SURICATA Applayer Wrong direction first Data
2.6 | M | 29 | ZeroCERT
8958 | 2023-10-25 10:37
HTMLCachesClear.dOC ae797eafb49080484af9350259e7920a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed
Hosts (2): toss.is(45.33.42.226) ; 45.33.42.226
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure ; SURICATA Applayer Wrong direction first Data
2.2 | M | 29 | ZeroCERT
8959 | 2023-10-25 10:48
HTMLCacheCentos.dOC b39f481790c393d21234af0ced69da7a MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed
Hosts (2): toss.is(45.33.42.226) - mailcious ; 45.33.42.226 - mailcious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure ; SURICATA Applayer Wrong direction first Data
2.2 | M | 29 | ZeroCERT
8960 | 2023-10-25 11:00
HTMLprofile.doc 5342b58b3951c40f8e5eb08f5d9824be MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Windows Exploit Google DNS crashed
URLs (7): http://141.98.6.91/72/Audiodgse.exe ; http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnh37obenwknkqmvhcw72i7qsia_417/lmelglejhemejginpboagddgdfbepgmp_417_all_ZZ_kqkdtq7va5rvur2kfj67x5s2gi.crx3 ; http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3 ; http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.49.1_all_ixzyrcu7pvmgu5pjv6enfqq6wa.crx3 ; http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe ; https://update.googleapis.com/service/update2 ; https://update.googleapis.com/service/update2?cup2key=11:ucciJXz2DRnbg3OLFhEKLNT1Ho4HCaExqeDsDp12_7M&cup2hreq=8650510305d18db3aa4a81c1579e660f081ba8e1c5014aaf087a8fc498361059
Hosts (30): edgedl.me.gvt1.com(34.104.35.123) ; dns.google(8.8.4.4) ; www.google.com(142.250.76.132) ; clients2.googleusercontent.com(172.217.161.225) ; www.gstatic.com(142.250.206.227) ; accounts.google.com(142.250.206.205) ; _googlecast._tcp.local() ; apis.google.com(142.251.222.14) ; clientservices.googleapis.com(142.250.206.195) ; r1---sn-3u-bh2ss.gvt1.com(211.114.64.12) ; 142.250.204.35 ; 142.250.206.238 - mailcious ; 172.217.25.1 - malware ; 141.98.6.91 - mailcious ; 211.114.64.12 ; 142.250.206.234 - malware ; 142.251.220.46 ; 142.250.206.195 ; 172.217.25.3 ; 34.104.35.123 ; 142.250.76.131 ; 142.250.199.68 ; 142.251.220.109 ; 172.217.24.68 ; 172.217.161.225 - mailcious ; 142.251.220.110 ; 172.217.24.67 ; 142.250.207.106 - malware ; 142.250.199.67 ; 172.217.25.174 - mailcious
Alerts (9): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO Executable Download from dotted-quad Host ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ; ET INFO Packed Executable Download ; ET POLICY PE EXE or DLL Windows file download HTTP ; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ; ET INFO EXE - Served Attached HTTP ; ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
4.4 | | 28 | ZeroCERT
8961 | 2023-10-25 11:22
FX_432661.exe 897af5616bfd6af5b687876924f39ee3 Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check VirusTotal Malware PDB Code Injection Checks debugger wscript.exe payload download Creates executable files suspicious process Tofsee crashed
Hosts (2): m4gx.dns04.com(206.71.149.162) ; 206.71.149.162 - mailcious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO TLS Handshake Failure ; SURICATA Applayer Wrong direction first Data
5.4 | M | 50 | ZeroCERT
8962 | 2023-10-25 12:19
Comprobante_transfer.pdf.js c8bb8a34766ec04c304597c76d179f4b ActiveXObject VirusTotal Malware wscript.exe payload download Check virtual network interfaces Tofsee DNS crashed
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c ; https://pastebin.com/raw/NVAgzFRR - rule_id: 35284 ; https://wtools.io/code/dl/bOoA
Hosts (5): wtools.io(104.21.6.247) - malware ; pastebin.com(104.20.68.143) - mailcious ; 172.67.135.130 - malware ; 121.254.136.9 ; 172.67.34.170 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
URLs with rule match (1): https://pastebin.com/raw/NVAgzFRR
3.4 | M | 15 | ZeroCERT
8963 | 2023-10-25 13:18
HNB.txt.exe 43ec3cc0836bd759260e8cf120b79a7b Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5): mail.egyptscientific.com(192.185.51.90) - mailcious ; api.ipify.org(64.185.227.156) ; 192.185.51.90 - mailcious ; 104.237.62.212 ; 23.209.95.50
Alerts (5): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ; ET INFO TLS Handshake Failure ; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; SURICATA Applayer Detect protocol only one direction
8.0 | | 54 | ZeroCERT
8964 | 2023-10-25 13:18
HTMLbrowser.vbs 80c07cfd04a28aa0b03f1396fdf81b2d Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c ; https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523 ; http://141.98.6.91/2150/1/MHM.txt
Hosts (3): uploaddeimagens.com.br(104.21.45.138) - malware ; 182.162.106.32 ; 104.21.45.138 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.0 | | | ZeroCERT
8965 | 2023-10-25 13:19
HTMLobject.vbs 74a3ea36669a5bdbeff3775545527a92 LokiBot Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c ; https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487 ; http://141.98.6.91/windows/HNB.txt
Hosts (8): mail.egyptscientific.com(192.185.51.90) - mailcious ; imageupload.io(172.67.222.26) - malware ; api.ipify.org(64.185.227.156) ; 104.21.83.102 ; 141.98.6.91 - mailcious ; 192.185.51.90 - mailcious ; 64.185.227.156 ; 23.67.53.27
Alerts (6): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ; SURICATA Applayer Detect protocol only one direction ; ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 ; ET INFO TLS Handshake Failure ; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
URLs with rule match (1): https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
20.0 | M | 13 | ZeroCERT
8966 | 2023-10-25 13:32
IGCC.vbs 42bc2a9470984d793673d9aae1a933b8 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c ; https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523 ; http://192.3.232.37/windows/HMT.txt
Hosts (3): uploaddeimagens.com.br(172.67.215.45) - malware ; 182.162.106.32 ; 172.67.215.45 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.6 | | 13 | ZeroCERT
8967 | 2023-10-25 13:33
MAH.txt.exe 7ea06a0e6c1e5707a23364ae6984b4f3 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed
Hosts (4): api.ipify.org(104.237.62.212) ; api.telegram.org(149.154.167.220) ; 64.185.227.156 ; 149.154.167.220
Alerts (6): ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ; ET INFO TLS Handshake Failure ; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET HUNTING Telegram API Domain in DNS Lookup ; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
5.2 | | 51 | ZeroCERT
8968 | 2023-10-25 13:52
SAN.txt.exe 6bdb7a11d0eaa407e7a7f34d794fb567 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS crashed
Hosts (4): api.ipify.org(64.185.227.156) ; api.telegram.org(149.154.167.220) ; 173.231.16.77 ; 149.154.167.220
Alerts (6): ET INFO TLS Handshake Failure ; ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ; ET HUNTING Telegram API Domain in DNS Lookup ; ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
4.6 | | 54 | ZeroCERT
8969 | 2023-10-25 13:52
qasx.vbs ff2a2bc8850b1ad61236bd460eb61e01 Generic Malware Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PowerShell Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee EXPLOIT_KIT Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (2): http://193.42.33.51/myn.txt ; https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
Hosts (3): imageupload.io(104.21.83.102) - malware ; 172.67.222.26 - malware ; 193.42.33.51 - malware
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ; ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1
URLs with rule match (1): https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
15.8 | M | 17 | ZeroCERT
8970 | 2023-10-25 16:50
up.ps1 21440931518ff0df59af9b94e52a7c84 Lnk Format GIF Format VirusTotal Malware powershell AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName Cryptographic key
Hosts (4): www.dropbox.com(162.125.84.18) - mailcious ; ambjulio.com(62.72.22.30) - mailcious ; 62.72.22.30 - mailcious ; 162.125.84.18 - mailcious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.2 | M | 12 | ZeroCERT