| 9031 |
2023-11-01 18:42
|
Archive.rar 8988dd76e0075a66d1030daa58d220f1
Escalate priviledges PWS KeyLogger AntiDebug AntiVM ftp Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee DNS |
5
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://94.142.138.113/api/tracemap.php - rule_id: 28877
https://vk.com/doc26060933_667173484?hash=A1dmV4pq2EY7qgmQUNzGLIsxaMexd8IeIWU9C4qfGWs&dl=HW3dyNuyU3NU5OenwscyGVYZxNCzBaTesYkhsTpR8qs&api=1&no_preview=1
https://sun6-21.userapi.com/c237231/u26060933/docs/d41/b01ef5bd7b4a/Setup.bmp?extra=fPPLkVjVVeEJBIi4Of7fAGBCJkUgPJP0zTNhqwXCyZxyqQK-ShKZ5pV0Q9N_iwIsrcQGex6idPQM1iCflk3FKizdrZfEwMM53QuRuvk2p_dEZymICGeJzS0sCUFyDI0lpF31qoWurBw1MNPi
https://api.myip.com/
|
13
iplis.ru(148.251.234.93) - mailcious
iplogger.org(148.251.234.83) - mailcious
ipinfo.io(34.117.59.81)
api.myip.com(172.67.75.163)
vk.com(87.240.132.72) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
148.251.234.83
148.251.234.93 - mailcious
104.26.9.59
95.142.206.1 - mailcious
87.240.137.164 - mailcious
94.142.138.113 - mailcious
34.117.59.81
|
8
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
|
2
http://94.142.138.113/api/firegate.php
http://94.142.138.113/api/tracemap.php
|
5.0 |
M |
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9032 |
2023-11-02 10:05
|
HTMLIEbrowserHistorycache.vbs 857f884bf745995ea1ccd1275446201fVirusTotal Malware wscript.exe payload download Tofsee |
1
|
2
paste.ee(104.21.84.67) - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9033 |
2023-11-02 10:09
|
1stANzasWQA435786990Mqa9.js f757a1a6ca3595f7219e80540bcbbf52
Generic Malware Antivirus ActiveXObject PowerShell VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://paste.ee/d/10dsb
https://imageupload.io/ib/WJveX71agmOQ6Gw_1698762642.jpg
|
4
paste.ee(104.21.84.67) - mailcious
imageupload.io(172.67.222.26) - malware
172.67.222.26 - malware
104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.4 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9034 |
2023-11-02 10:11
|
Firefoxwzexefile.vbs 0b7f2e1c70bb997a5b6f1b0072c23679
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://107.175.113.212/file/12345Warzone.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.4 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9035 |
2023-11-02 10:30
|
 Limebase.txt.exe 22df9b6c3a71b8dbbdef5d5bd09e445f
UPX PE File PE32 .NET EXE VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key crashed |
1
https://pastebin.com/raw/LJe9sUk5
|
3
pastebin.com(104.20.68.143) - mailcious
91.92.247.146
172.67.34.170 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.2 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9036 |
2023-11-02 10:30
|
PuttyVbs-File0008765.vbs bb57207b20e143102f4256a708c71fd7
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
http://107.175.113.212/file/PuttyLinks.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9037 |
2023-11-02 10:31
|
Vbs-File0008765putty.vbs 359f4448782994c2b42aa0027ee021db
LokiBot Generic Malware Antivirus Socket ScreenShot PWS DNS AntiDebug AntiVM PowerShell FTP Client Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key Software |
2
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg - rule_id: 37487
http://107.175.113.212/file/PuttyLinks.txt
|
3
imageupload.io(104.21.83.102) - malware
172.67.222.26 - malware
107.175.113.212 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg
|
16.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9038 |
2023-11-02 14:36
|
File.rar c18fbc972354abb0fd945ffccbb93ad3
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro DNS |
40
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php
http://91.92.243.151/api/firecom.php
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://185.172.128.69/newumma.exe - rule_id: 37499
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://apps.identrust.com/roots/dstrootcax3.p7c
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://ronaldrichards.icu/e9c345fc99a4e67e.php
http://www.maxmind.com/geoip/v2.1/city/me
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://171.22.28.226/download/Services.exe - rule_id: 37064
https://sun6-23.userapi.com/c909618/u26060933/docs/d4/7caf185e1947/Risepro.bmp?extra=7FXlsGxLQIPRYANXa3bqeG3hcbsNS0dKcak4PUGs8R5-_JslfV8EU9fv6FJOQdvEaI1m1FTJU93cK7oTMfBwNuFssszLscrz9Cp-PC8h5_cL92W_KwdOMx337cegLJS56Rsdw-WyUI_Npc2h
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-21.userapi.com/c909218/u26060933/docs/d31/c926cfacc1f4/new_go.bmp?extra=HtQcuH2QjM0315WmkJdVH1mdYBSvv064tAbEOg4LDcetY4TZLtnYzavt2XLLjq0NXXZQ-680zJ-uVhjhhGOj1dze70rfMIe3a_Ln3Lk-sWoOm4TTPqeibD4bjeVEAMiqwFd9f9Ip5nM3qbmH
https://vk.com/doc26060933_667226611?hash=3AOa9zwJbxnrXLo5M1UNZwTTDvxsoWSyfwgmxISqqxL&dl=HnSve9vk6MIyt0bE2UGvnGrn7uoz7zwDsDLBVNodlP4&api=1&no_preview=1#riseK
https://vk.com/doc26060933_667223635?hash=qzxpj41H7aJKGYAkotcS9kwFdHSU9KQawZjeS9cVst4&dl=iEliVZrkZcesylYAmZs8zvhVjQpPOUAfyAIZcvJVbPH&api=1&no_preview=1#ww11
https://sun6-22.userapi.com/c237331/u493219498/docs/d54/970161281382/tmvwr.bmp?extra=i927vrM_3T63rdgS7FcQie8v-JlaGdg4vrToGaMBTqwShIMTwkEVKCvfe9GoqbuPE_z5vIJs-kAStdG0VWdxGQ9kAITbxJ2ZhF92v5EIR_XuU2MfpG0xGXk2ybTmc8Gf8fEMNTEZ1sgmkstkcA
https://api.ip.sb/ip
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://vk.com/doc26060933_667223519?hash=4h0hZRp0TSlGi1za4NQqeUs4Z2Owa7H8HcgLzZogiBc&dl=4yZXwXXDHBqFHcM30tryxz8P1qRNU3LWlwbmQoruwmL&api=1&no_preview=1
https://db-ip.com/
https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1
https://vk.com/doc26060933_667218383?hash=7UW057pOa1xiEe10gtJ3QSwoTJDrSVPqZuGSbstptEH&dl=yqIEoQoYSd5j0zYFeVKTzHy16DTH1wq1kX6PBuZazRX&api=1&no_preview=1#bnf
https://dzen.ru/?yredirect=true
https://vk.com/doc26060933_667215509?hash=G3Jm1EaMJVztPO45r3HxRNlS4ZgetOknNtYy2avkFPw&dl=8fjE5gX9uYKwtbhjDbbqZIfJvR8v4T4lyZisCWbPlgc&api=1&no_preview=1#1
https://sun6-20.userapi.com/c909218/u26060933/docs/d16/6de25ac9c8b9/s2as2fad.bmp?extra=93M5T4Pa8Q3v-6wCV0cMg-imldFl3M7pP9fiQWexCQVfAHR6bOaCYNmIhblaorz2ajVnq9ITftW-KCQwspVW7DbtPyDFKCTvp9SEcQHaQMAlrKO5x90RNNH-89CyjAZ03dQGY6Leo9A9oUVa
https://sun6-20.userapi.com/c237331/u825067038/docs/d49/f3d174c7d126/PL_Client.bmp?extra=XDfkwfVkwRcivpIteb_RsNhr6eqpk3Sh24NjsrJ7nR2EAq93CkJ7kmPRE49s-PptoRkiv1DlMYMm4G-EjxMy3ZKbg-9BUhc0NtHIuZM8phnB22dI5a_tz7k-BACUbK_qxxTb405WhzGYuI1t0w
https://sun6-20.userapi.com/c909218/u26060933/docs/d22/a35d812ef006/RisePro.bmp?extra=LgPIMsxlbkpwHU5tCRY0vgUUAviiE7g7nMwb1oAv7HySSrauv2XjWksVWa7ZlFA3JXksarqScqvGtt1ETuNK6vMq7PyUQYgR2vLJ_T_aOnDWK_TKXwfUgdLiFLt-hsv4qpwsSsSIRWLoQTI1
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/aadf300fd920/BotClients.bmp?extra=WDt2JKhhn-eQrPHTN9X8R0bO_tJ9q0myEWR4olRZdoa3canBj-lmFAG5cGCHMWcveqzg7IA6SkZEgaXn7_yF1ZPOhbnbI4vHz0fiMpVF8qWL4pijOcDsVf6aNjPpO0eOG8p1J66TE-BKQC-h
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/f2f6f33ee91f/WWW11_32.bmp?extra=YkAJ9WwBghZQCvm2tl1uLbMufgtzR6Yn6c26ciwed5aKCO-Rw-yV4cJfXn8nio3l8RYZVp2QwfyPiYJ8Q8fOOfhA000eXJmSBorA7IDhKGejIp04_2OVOLLWjtHDUIjGYHzdNUwjv2l33dHB
https://sun6-21.userapi.com/c237031/u493219498/docs/d9/c7fc8ca88f65/file291023.bmp?extra=HJE0rWNAwxwlZMpDm0nMXfYfAV0NPcx59BCa43IG_bXuChoyS7uFn7bse_58CEa8kk12QRrnh7q-Dw-GenGfCBz-k2gxOG-kXj-MvZt78r50ec_AmOipYf-TCxGK9M1dCTfKr6B4BlweimH5oA
https://vk.com/doc26060933_667166279?hash=ZwaE4tvZWFZCd2bm3WcrC9P0n7U9VIU9U93MzzIkiVg&dl=pnJSpAC8qJBqMfKXSgNNzjPf12azGKZWlyCFZ86hE2P&api=1&no_preview=1#risepro
https://sso.passport.yandex.ru/push?uuid=378496ab-5899-48b7-bf10-80f50778653f&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://vk.com/doc26060933_667204817?hash=6lgEzCTOqGu7pXY0CjbNe2FXz4rab735i6AEdl7puVw&dl=U0RHXi4KJa141aANcboV7iQspCTlmbxFsgLwQz9bGwc&api=1&no_preview=1#maff
https://sun6-21.userapi.com/c909418/u26060933/docs/d20/171a1ad09e5c/crypted.bmp?extra=USOyMI-QrVD8ahA0mCuN1w-bxZzgqjcqo6Tzt3gOhGAsI0yQDB1U4gyXEOkH9dOBYLRqxIH032ISFZcZOEZ5KTf6gzdM_yJlTG3ITv6KbMFD9NzdtpVOIBX0BWIXmrNdeuJ6DUaJj52BUDaE
https://sun6-23.userapi.com/c236331/u26060933/docs/d36/f582a2f7d651/mggkfn.bmp?extra=kXzl1fMGvZsozKZ51_V9AIUJOViBXHnvbHtPIo-fm1QSon9y47f4eu5t1tnXJsZ-9Yn_qH0wPULruDXEJv5YPVFLCVB8tJk2Mcs-BJAZWoU6geCJmdzITbv3Y6p0_tmBtcEYUqbBEK0nsfd6
https://api.2ip.ua/geo.json
|
62
db-ip.com(104.26.5.15)
dl54-broomcleaner.icu(193.106.175.190) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
yandex.ru(5.255.255.70)
dzen.ru(62.217.160.2)
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
ronaldrichards.icu(193.106.175.190)
api.2ip.ua(172.67.139.220)
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.129)
telegram.org(149.154.167.99)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
michaelcoleman.icu(193.106.175.190) - malware
api.ip.sb(172.67.75.172)
iplogger.com(148.251.234.93) - mailcious
zexeq.com(190.139.250.133) - malware
fdjbgkhjrpfvsdf.online(172.67.139.27)
api.myip.com(104.26.9.59)
sun6-22.userapi.com(95.142.206.2) - mailcious
www.maxmind.com(104.18.145.235)
vk.com(87.240.132.78) - mailcious
iplis.ru(148.251.234.93) - mailcious
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.18.146.235
93.186.225.194 - mailcious
185.225.75.171 - mailcious
172.67.139.27 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
208.67.104.60 - mailcious
5.255.255.70
149.154.167.99 - mailcious
213.180.204.24
121.254.136.18
185.173.38.57
194.49.94.40
194.49.94.41
171.22.28.226 - malware
34.117.59.81
148.251.234.83
104.26.8.59
95.142.206.0 - mailcious
91.92.243.151
185.172.128.69 - malware
94.142.138.131 - mailcious
94.142.138.113 - mailcious
91.215.85.209 - mailcious
45.15.156.229 - mailcious
172.67.75.172 - mailcious
104.26.4.15
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
211.168.53.110
193.106.175.190 - malware
95.142.206.1 - mailcious
|
34
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO DNS Query for Suspicious .icu Domain
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO HTTP POST Request to Suspicious *.icu domain
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
|
8
http://94.142.138.131/api/firegate.php
http://45.15.156.229/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://185.172.128.69/newumma.exe
http://45.15.156.229/api/firegate.php
http://zexeq.com/test2/get.php
http://94.142.138.113/api/tracemap.php
http://171.22.28.226/download/Services.exe
|
7.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9039 |
2023-11-03 12:06
|
 yulzx.exe b38dc9fdc7cb07f8ccd59ed9f1c03b69
LokiBot PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
4
mail.int-logistics.com(210.2.169.195)
api.ipify.org(173.231.16.77)
104.237.62.212
210.2.169.195
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
10.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9040 |
2023-11-03 12:23
|
 lom30.exe 701ea7974b3f98830d636e93f836cfce
Amadey RedLine stealer Gen1 Emotet SmokeLoader Generic Malware Malicious Library UPX Antivirus Malicious Packer .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) PWS ScreenShot Javascript_Blob AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader |
99
http://77.91.124.1/theme/Plugins/clip64.dll - rule_id: 37036
http://193.233.255.73/loghub/master - rule_id: 37500
http://77.91.68.249/fuza/2.ps1 - rule_id: 37524
http://77.91.68.249/fuza/foto1661.exe - rule_id: 37636
http://77.91.68.249/fuza/tus.exe - rule_id: 37637
http://77.91.124.1/theme/Plugins/cred64.dll - rule_id: 37037
http://77.91.124.1/theme/index.php - rule_id: 37040
https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/V9SMX8ENNXW.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Regular.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/css/login.css?v=0H1th98etnSV&l=english&_cdn=cloudflare
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyxxWA0Ljh5xWLEvAJ6NevMd7QB5iL9TprwZYNP8u-n9zXo51MmtGRn25Gjf78sQZ4KzK1Dc
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=english&_cdn=cloudflare&load=effects,controls,slider,dragdrop
https://accounts.google.com/generate_204?NO7qPw
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyyT4td1m_8jmCTuLflf4CGZrqIHYxNvv-75kjvDivr6JChBm-48E_vH0foop83wQC67d99m
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Bold.ttf?v=4.015
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxVW6rLt9tLaC8ykc1nwAIgbdXX5n-L35f5sE1jqHcfiXjLMhDRqy2-fP8xGUFUaaXcJSrITA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-570376988%3A1698980725508326
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
https://www.facebook.com/login
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-LightItalic.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Thin.ttf?v=4.015
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyyidh94t-7_letWPwvjNQfl6I8TMheIR3px7R79ys-v-C3n_ey4IpHEeEFVPcsdPA92mVFQPw
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=8BlFIKwdZV37&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=E78TCC6Eu4d1&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/EhJ0QrY2FBP.js?_nc_x=Ij3Wp8lg5Kz
https://accounts.google.com/generate_204?phWHLQ
https://accounts.google.com/generate_204?FM9MMw
https://www.epicgames.com/id/login
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&l=english&_cdn=cloudflare
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://community.cloudflare.steamstatic.com/public/shared/images/header/btn_header_installsteam_download.png?v=1
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Black.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=3Pb1f2YLp788&l=english&_cdn=cloudflare
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyz4A49MvhLj_r5ov_AJY5BYrTyapUBFfv7BWCcUgyCaE1ee8Ou4w4nAiEXlupUrsDguPr4bQw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S856045394%3A1698980708442226
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Fd2aj_zaBVQV&l=english&_cdn=cloudflare
https://accounts.google.com/
https://static.xx.fbcdn.net/rsrc.php/v3/y9/l/0,cross/eoEHQM4veKY.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&_cdn=cloudflare
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxHmAuJ7cTrlJwP83uTJIwZEOmrXGcYW_i0uz5KMlDH1JsRYBc2MmUHjR6ye20L2fYuNPufuw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S537282805%3A1698980634624638
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxa6sAB10RaHTDUTJBO3-eoyqwGJOMg6fq-JIxFpsnqcBSN8g6aim1IDWZ3iP__yBBnia-T&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1879541505%3A1698980644017236
https://static-assets-prod.unrealengine.com/account-portal/static/static/js/3.520a7eda.chunk.js
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yp/r/gC0mb5XShS_.js?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=F9Ougyu-CyG3&l=english&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Light.ttf?v=4.015
https://community.cloudflare.steamstatic.com/public/css/skin_1/home.css?v=-6qQi3rZclGf&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/OeVbDlggYtT.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-BoldItalic.ttf?v=4.015
https://www.facebook.com/favicon.ico
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
https://accounts.google.com/_/bscframe
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyy7hCYNnf-0YByYNzHXr3uFjshUMd78hOZpACYJ4Y7BQwyeDu8hhNuK6JppcoPONOvNupzDtw
https://accounts.google.com/generate_204?kjEEiA
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&_cdn=cloudflare
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
https://fonts.googleapis.com/css?family=Roboto:400,500
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yz/r/1jo5ZChBkzZ.js?_nc_x=Ij3Wp8lg5Kz
https://static-assets-prod.unrealengine.com/account-portal/static/static/js/main.10a25667.chunk.js
https://connect.facebook.net/security/hsts-pixel.gif
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=RL7hpFRFPE4A&l=english&_cdn=cloudflare
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-Medium.ttf?v=4.015
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=uR_4hRD_HUln&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/v3/yh/l/0,cross/RvHDSigkA0R.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=eYJYuhv32ILn&l=english&_cdn=cloudflare
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunfWg&l=english&_cdn=cloudflare
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywosNhdGsuZdVCndGpS2K_jZJeHBslOkGyM_5Abhb0zccwpk0a_EpRThKNdW8KNTJvRtoAJFA
https://fonts.gstatic.com/s/youtubesans/v22/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://static.xx.fbcdn.net/rsrc.php/v3/yS/l/0,cross/M8A8jLevlDW.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yN/l/0,cross/zSmMZJhuRfw.css?_nc_x=Ij3Wp8lg5Kz
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyyGAuzn9a3z76ZcjJ_86wbJSidIfjfS9TcjHJMFLojLQH0IkqpoTM2fbcuLmlU3nQm3iQjlHg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1190693834%3A1698980664313585
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywa7Mm0Zk8Gm5Hb9kGiEkDrs_pgduAfwvBWsacz3D950CTr9Khe11ewNMaKJf4MaAiHmWs_
https://static.xx.fbcdn.net/rsrc.php/v3/yx/l/0,cross/7O04Eyj-1fg.css?_nc_x=Ij3Wp8lg5Kz
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyxVtPgesztclkUEaiZDNru1Lk12ZQXjId8z3gxpZ4pOLgUmGhg-fxuwVplGdjkIvsmeJrFYuA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-871854372%3A1698980704315173
https://community.cloudflare.steamstatic.com/public/shared/javascript/login.js?v=Vbm1kuHoXmMB&l=english&_cdn=cloudflare
https://accounts.google.com/generate_204?Mxmnvw
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
https://steamcommunity.com/openid/loginform/
https://community.cloudflare.steamstatic.com/public/shared/fonts/MotivaSans-RegularItalic.ttf?v=4.015
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
https://static-assets-prod.unrealengine.com/account-portal/static/epic-favicon-96x96.png
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=tSnvragsq7Tn&l=english&_cdn=cloudflare
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&_cdn=cloudflare
|
43
ssl.gstatic.com(142.250.207.99)
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
community.cloudflare.steamstatic.com(172.64.145.151)
www.paypal.com(151.101.193.21)
store.steampowered.com(23.40.44.77)
www.youtube.com(172.217.31.142) - mailcious
static.xx.fbcdn.net(157.240.215.14)
steamcommunity.com(104.76.78.101) - mailcious
static-assets-prod.unrealengine.com(18.64.8.66)
fbcdn.net(157.240.215.35)
connect.facebook.net(157.240.215.14)
twitter.com(104.244.42.1)
accounts.google.com(142.250.206.205)
fonts.gstatic.com(142.250.207.99)
facebook.com(157.240.215.35)
www.google.com(142.250.76.132)
fonts.googleapis.com(142.250.207.106)
www.epicgames.com(52.204.190.22)
142.251.130.3
23.40.44.77
18.64.8.109
77.91.124.1 - malware
193.233.255.73 - mailcious
146.75.49.21
104.244.42.129 - suspicious
104.94.217.48
142.250.204.46
172.217.31.3
142.251.220.78
172.64.145.151
77.91.124.86
104.75.41.21 - mailcious
142.250.66.45
157.240.215.35
77.91.68.249 - malware
52.45.237.32
157.240.215.14
104.76.78.101 - mailcious
216.58.200.228
54.175.89.124
18.64.8.127
142.250.66.42
|
19
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO PS1 Powershell File Request
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
27.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9041 |
2023-11-03 12:33
|
 gRjYtXOvXOp.vbs f11a5ac557578737ef391c0b6ad4b333wscript.exe payload download Tofsee crashed |
|
2
diamond9x.getmyip.com(103.73.65.129)
103.73.65.129
|
3
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to a *.getmyip .com Domain
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9042 |
2023-11-03 12:33
|
 JEQnFjDSDMbRhl.vbs 3acbcc1e0e59f0fa67e43c7e33a413c0wscript.exe payload download Tofsee crashed |
|
2
diamond9x.getmyip.com(103.73.65.129)
103.73.65.129
|
3
ET INFO DYNAMIC_DNS Query to a *.getmyip .com Domain
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9043 |
2023-11-03 15:54
|
 1.exe 1819332f150048eed72a2d891390dad1
Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll MSOffice File CAB Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces sandbox evasion Tofsee Ransomware Windows Google ComputerName Remote Code Execution DNS |
4
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
https://update.googleapis.com/service/update2?cup2key=12:fiH-rpFmRD_9K6RrmjLJh__4TUMN6H9j0EsLvPpPbKw&cup2hreq=d0876e1be58e78f6be4d5e4f2cb7dd29f25148548a5a47d58e905d10712788fc
https://update.googleapis.com/service/update2
|
27
edgedl.me.gvt1.com(34.104.35.123)
dns.google(8.8.4.4)
www.google.com(142.250.76.132)
www.gstatic.com(142.250.206.227)
r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
clients2.googleusercontent.com(142.250.206.225)
accounts.google.com(142.250.206.205)
_googlecast._tcp.local()
apis.google.com(142.250.206.238)
clientservices.googleapis.com(142.251.42.195)
142.250.207.65
216.58.203.78
211.114.64.12
172.217.175.227
142.250.204.131
142.250.206.225 - mailcious
142.250.204.110
142.250.199.68
142.250.66.99
34.104.35.123
216.58.200.227
142.250.76.138 - phishing
142.250.76.142 - mailcious
172.217.161.202 - malware
142.250.199.77
142.250.199.67
172.217.25.174 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
|
|
8.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9044 |
2023-11-03 17:38
|
setup.rar d7b36686b22ecf8da8c34bf6d55ad331
Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself PrivateLoader Tofsee DNS |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://91.92.243.151/api/tracemap.php - rule_id: 37889
|
7
ironhost.io(172.67.193.129)
61.111.58.34 - malware
172.67.193.129
91.92.243.151 - mailcious
94.142.138.131 - mailcious
94.142.138.113 - mailcious
208.67.104.60 - mailcious
|
2
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://91.92.243.151/api/tracemap.php
|
4.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9045 |
2023-11-03 18:11
|
cuzineeeeVBS_FILE.vbs 6e50413706aceea089f8a8c4f2d44ec6
Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/bkhV4
https://uploaddeimagens.com.br/images/004/652/514/original/new_image.jpg?1698762134
http://94.156.64.195/cuzinebase64bxjhgvhsj.txt
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
61.111.58.34 - malware
172.67.187.200 - mailcious
172.67.215.45 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
8.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|