| 9061 |
2023-11-07 07:58
|
 IGCC.exe a3bb5280d95d7c638240975925c013ac
AgentTesla Generic Malware Antivirus PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9062 |
2023-11-07 10:13
|
 bRoC.exe 07807c652283c997837c931b41c45f24
PE File PE32 .NET EXE VirusTotal Malware Tofsee |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
pt.textbin.net(148.72.177.212)
148.72.177.212 - mailcious
121.254.136.18
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.6 |
|
53 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9063 |
2023-11-07 10:59
|
File.rar f990fd3d664b4a2cd89a21cb6e2a9911
PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro DNS Downloader plugin |
62
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://157.90.152.131/9ea41fac0af12ade12ae478b6c25112b
http://jaimemcgee.top/2a7743b8bbd7e4a7/softokn3.dll
http://jaimemcgee.top/2a7743b8bbd7e4a7/msvcp140.dll
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://45.129.14.83/ch.exe - rule_id: 37431
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7mQSCiCXPXX6dRJCYyN_6SMF.exe&platform=0009&osver=5&isServer=0
http://jaimemcgee.top/40d570f44e84a454.php
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://157.90.152.131/
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://jaimemcgee.top/2a7743b8bbd7e4a7/vcruntime140.dll
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://185.172.128.69/latestumma.exe
http://stim.graspalace.com/order/tuc19.exe
http://176.113.115.84:8080/4.php - rule_id: 34795
http://jaimemcgee.top/2a7743b8bbd7e4a7/freebl3.dll
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://jaimemcgee.top/2a7743b8bbd7e4a7/mozglue.dll
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://jaimemcgee.top/2a7743b8bbd7e4a7/nss3.dll
http://157.90.152.131/getfiles.zip
http://jaimemcgee.top/2a7743b8bbd7e4a7/sqlite3.dll
https://sun6-21.userapi.com/c236331/u26060933/docs/d11/19c8da91767e/Risepro.bmp?extra=EwSSGzoAfy65GGSvZoW0Ph4KCtfnD5CJ-1u-khJCbN0uxDNn5vNuDAZaJ062NR0l9b6fIdcxu5_fWGeZra_Co2jUpbbfKnN7da75BE-JQqXJESVDc3dX5d4gxqJEeVS6pTXFFfmTxgRtA_-G
https://db-ip.com/demo/home.php?s=175.208.134.152
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-22.userapi.com/c909418/u26060933/docs/d3/31f5159f58be/11M.bmp?extra=q7yy_WjSO4crX0JQqA0zrRgVKPA_BwhFITi3TkpiBNuBN76H24ifVVzGLVsXACZVJPMeewShQ3SYQq6fit-5m7yQlm5ukIqknODXs8Vp9JEzWjDpr3rUNgeRdS81CpnvMoQd5ItqRXAv6AhZ
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://vk.com/doc26060933_667308364?hash=p1GNfmBszTx4xyiyMmHgD2G6gamnOS6Qs3qnmrPFKHD&dl=o2oV7mrCcgrmkinSseauvXVuXZ6QwvOSPW95WlRGhv4&api=1&no_preview=1#test22
https://api.ip.sb/ip
https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://iplogger.com/2lhi52
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ6CUda5D8--pR4RgBxlwovfJ0hDyZTvl6g
https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echVwulM9pvREF7eyP8R_tYUW-AEg4HMRDmJ
https://sun6-20.userapi.com/c909518/u26060933/docs/d43/8987a58e0def/test031123.bmp?extra=LNcfpMmfQ4e1XyE-H-_EewnV5I3alPEAz1GiWT87qEkNNONXDFPJA59B4EdjSf6xHMjU6n27oNDeC6LkauW6gTJWelqIO0xD_w5qx4fnSi4e_urLm5ugwEHcpUfEvxKkJYlSyUrW7_Rggxqw
https://db-ip.com/
https://iplis.ru/1Gemv7.
https://vk.com/doc26060933_667421028?hash=j3Z25EXZmCIGuFo5YGWwnsvj9inMRrAWT9JdWCHuPks&dl=6wFoCNqOG7czMxkdXxPFPbkcj5eJ4YPZMxmedR2cQPc&api=1&no_preview=1#maff
https://vk.com/doc26060933_667265534?hash=QrZOxyJfddotURGFHUaHcRtzBrPYFYi92QMrQaABFRL&dl=YGWXjzH1s6k62LlpR6zC3pzzD02Frvfpv4JhBLkPKVH&api=1&no_preview=1
https://msdl.microsoft.com/download/symbols/index2.txt
https://iplis.ru/1Gemv7.mp3
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=pKXD9T2Ja0HGIo5e8%2Fcvv0Yc9fVtfZRjyHGIX36WiAw%3D&spr=https&se=2023-11-08T02%3A35%3A45Z&rscl=x-e2eid-f67a0683-dccd4cc8-9426d7ad-4812ef6a-session-8414ebf2-89984859-8b4ebbb8-4b169b42
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/17553397c370/BotClients.bmp?extra=-v4zcNPz1jW9QCJnnz9JVzDnTCKGRuMlTveecae_unmKfC9kkvBIvc2-te4xySL_yWe5nnd_YxV37ErLEFEIq7sRTyCvImhVEvmEOPxoun1R7sPoot0d8T6T-hCuuHgaJPUBO994jw7jL9uK
https://vk.com/doc26060933_667404716?hash=N6wI3Dlu78zPmfalwE3rKRJ5FgIIyxAz1ZSoOw7ouQH&dl=0VFQn4zxEraMQuKRozZh3ZwLpQ7M6m03jjzYZOUAFTs&api=1&no_preview=1#1
https://dzen.ru/?yredirect=true
https://sun6-20.userapi.com/c909328/u26060933/docs/d21/2cc2e6a109e1/crypted.bmp?extra=9329IUX2R9ECqwn1fgB2PsRHAwQiQF5IfXGz4Zcmshfj4-Cj0fSAuhRKbvx9FrgziFPry0eDKAetw1594ZxN3J8BTfYgczRhpTltfTyzn7_w9u923JOSl6UEO6RWfLQLPDaqGx3wAzBNy5bf
https://api.2ip.ua/geo.json
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=CW2TdsX3u%2FEQJoPaUT23mMNV3SioEW9ghTlKz0cDkKQ%3D&spr=https&se=2023-11-08T02%3A12%3A02Z&rscl=x-e2eid-ca1ed09a-9ce84dbe-b0dda930-7b12b38c-session-42f81510-df9e406c-a337da90-7f880c70
https://vk.com/doc26060933_667379359?hash=RBD5wFZgphBd3Ltpr4zpvlKC5PFFn4lKiLxULYoChgD&dl=BKPDJrFBQ4b0FMpKZWHc5lZ9DL91O9orwTtaREbcz98&api=1&no_preview=1#rise10
https://sun6-21.userapi.com/c235031/u26060933/docs/d9/bc2848036729/RisePro.bmp?extra=SP1QdjCI8oU_xuYoIIuZttGFNgWH7AbE6JwtZ38DSR0pO-h7FoRCvnKkufqlmQ46-FAtSfPZhinV1S-bj-wfjvlOR9IAT1ozrONeI06QH8DZwg9_d29MnpwcitMyaiN5iQdqTV0kMpewNZlg
https://vk.com/doc26060933_667364987?hash=BHX3WK0Px3UZYC6KUcanvJ8pCPk0aSa1CJ1a0crl1aL&dl=Y5COLZGRCC7rDCjMPJPVPA4Y0k1NZaZCa4v1PlcGmn8&api=1&no_preview=1
https://steamcommunity.com/profiles/76561199566884947
https://vk.com/doc26060933_667359908?hash=yQKoVWnfjFhzr903ZjYqRdETfhHRvOA3tdbWxY3zKzD&dl=zw8EgRqlD4zpJ6OqofPR0yVWnKxxgpXEHD0enFFWN4c&api=1&no_preview=1#risepro
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/db2aaaddfe32/WWW11_32.bmp?extra=LvgMZ5BcJibniVvg_xQUErj_9kLnqOtcusmOUyUjOIXbjkKeGQ7pW-CoV7IrznBP2wJiu4NzODsIVN7qO0IUK8lgpYQX9G5kXyxutFPWFhIaYYMu_JdxGjVFCbYekkWVqM3_yu14LtRG8yAR
https://iplis.ru/1Gem
https://sso.passport.yandex.ru/push?uuid=98d9fd1b-f887-410d-b8db-d30bf2bd21b5&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://iplis.ru/1
|
93
stim.graspalace.com(104.21.20.155)
www.maxmind.com(104.18.145.235)
db-ip.com(104.26.5.15)
vanaheim.cn(158.160.73.47) - mailcious
www.download.windowsupdate.com(23.199.34.11)
ipinfo.io(34.117.59.81)
yandex.ru(5.255.255.77)
jaimemcgee.top(193.106.175.190)
dzen.ru(62.217.160.2)
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
learn.microsoft.com(23.36.221.172)
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.76.78.101) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.1)
msdl.microsoft.com(204.79.197.219)
cdn.discordapp.com(162.159.135.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.4.15)
ironhost.io(172.67.193.129)
telegram.org(149.154.167.99)
stun3.l.google.com(142.251.2.127)
walkinglate.com(172.67.212.188) - malware
api.ip.sb(104.26.13.31)
iplogger.com(172.67.194.188) - mailcious
gons09fc.top(212.113.122.87) - malware
zexeq.com(201.110.235.204) - malware
server3.localstats.org(185.82.216.111)
t.me(149.154.167.99) - mailcious
vsblobprodscussu5shard10.blob.core.windows.net(20.150.79.68)
fdjbgkhjrpfvsdf.online(104.21.87.5)
iplis.ru(172.67.147.32) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
bd178ff8-29e6-47f2-a804-23d45a4bfa60.uuid.localstats.org(185.82.216.111)
vsblobprodscussu5shard58.blob.core.windows.net(20.150.79.68)
vk.com(87.240.129.133) - mailcious
sso.passport.yandex.ru(213.180.204.24)
api.myip.com(172.67.75.163)
194.169.175.128 - mailcious
162.159.133.233 - malware
104.18.145.235
93.186.225.194 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
5.255.255.70
157.90.152.131 - mailcious
149.154.167.99 - mailcious
104.21.65.24
91.215.85.209 - mailcious
45.129.14.83 - malware
104.21.12.138
185.82.216.111
204.79.197.219
23.40.45.69
185.173.38.57
194.49.94.41 - mailcious
172.67.193.43
212.113.122.87 - malware
85.209.11.85 - mailcious
194.49.94.48 - malware
34.117.59.81
158.160.73.47
176.113.115.84 - mailcious
148.251.234.83
172.67.147.32
194.33.191.60
194.169.175.118 - mailcious
23.33.32.64
91.92.243.151 - mailcious
185.172.128.69 - malware
104.21.57.237 - mailcious
172.253.117.127
14.33.209.147
20.150.38.228
121.254.136.9
194.49.94.97 - malware
23.67.53.17
104.26.9.59
104.26.4.15
104.21.87.5
95.142.206.2 - mailcious
95.142.206.1 - mailcious
95.142.206.0 - mailcious
45.15.156.229 - mailcious
104.21.23.184 - malware
213.180.204.24
104.26.13.31
193.106.175.190 - malware
80.66.75.77 - mailcious
104.76.78.101 - mailcious
94.142.138.131 - mailcious
|
57
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET HUNTING Suspicious services.exe in URI
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Redline Stealer Activity (Response)
ET INFO Dotted Quad Host ZIP Request
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
|
10
http://zexeq.com/test2/get.php
http://45.15.156.229/api/tracemap.php
http://45.129.14.83/ch.exe
http://45.15.156.229/api/firegate.php
http://94.142.138.131/api/firegate.php
http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/firecom.php
http://94.142.138.131/api/tracemap.php
http://176.113.115.84:8080/4.php
https://fdjbgkhjrpfvsdf.online/setup294.exe
|
7.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9064 |
2023-11-07 19:14
|
 WinRar.exe 12ad5dac08fffe484f5bece941c6ee4e
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
2
camo.githubusercontent.com(185.199.108.133)
185.199.109.133 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9065 |
2023-11-07 19:21
|
 WWW14_64.exe b79c2d99b9899e66e9a3c16b5bc407cb
PrivateLoader NPKI RedLine Infostealer RedLine stealer HermeticWiper Generic Malware NSIS Suspicious_Script UPX Malicious Library Antivirus Malicious Packer .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Bl Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Browser ComputerName Trojan DNS Cryptographic key Software crashed |
23
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=VneSnp3_ukQr2DpIFzFJmPqn.exe&platform=0009&osver=5&isServer=0
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://apps.identrust.com/roots/dstrootcax3.p7c
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://185.172.128.69/latestumma.exe - rule_id: 38123
https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897
https://sun6-22.userapi.com/c909228/u26060933/docs/d49/128817370068/frankurt.bmp?extra=S-7AocaxsIbLkK-ELoZtcguPmTMKNeGVULVejSj8lKOn4iE-SffQhWawQvouXtHuFn4V30tV4Vyf2KFZ982OpZrWgbptKJF--WytR4WsqWN9BMV4Qn2o60SPWY9OAPvZxXlmSACiGQB9-aWJ
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ9CENa5D8--pR4RgBxxVEvfsknWSZfulv4
https://api.myip.com/
https://vk.com/doc26060933_667439205?hash=9u0pp57etRglLIKfkYwZcH44T9cOpyz0LWapsbTF1Bg&dl=z3Yi2TZu3wznuaMj0bEuIRV5ZXaFnSzqV3ZZNSu9aWD&api=1&no_preview=1#pers
https://vk.com/doc493219498_672836373?hash=M7A4hgYlu29jFClj8BntVZXGQNYZUrmGk5Xo8ZtSs3c&dl=vo1qv3UDs2s1kmfM0D1UlsXrUhketlWT0zHzAFUqZzz&api=1&no_preview=1#redcl
https://iplis.ru/1cN8u7.mp3
https://sun6-20.userapi.com/c909218/u26060933/docs/d54/6e7fc67a6ccd/asca1ex.bmp?extra=o0dbnej6BqzEu2z5v-Mxe5oLOHfcHc8vUDbMSePw_8F_JPn8HPD_NLCakc5EiDyrOG0dJBsKL6WuWl8WcnQT6t_9LwNBS5067YCL7hMG9GPzh8bxUp8FvU7aJ65cY8FynND1rYBTFV4uc5jy
https://neuralshit.net/41952c986340dccbd36c6f7751ad8d3c/7725eaa6592c80f8124e769b4e8a07f7.exe
https://psv4.userapi.com/c237131/u26060933/docs/d39/e725e5f13f43/PERSOM-1107.bmp?extra=lM3OqGzYHO-ydtWN8GVm8iBO22fCJG2WhM2K66LXzBICJffrODU--a9Pi-hhT7sttyJddEU9SHHg9SZN_-JOhRN7W2Plh0m9KbP4ZMAMKkWq9tgZOTF670Girpl8yfCoW0v7ugGpJH7nzSwG
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://vk.com/doc26060933_667402082?hash=YceActlCEWNAxzNWlyosqulkJNKFWOXwPC6aoepp51w&dl=4fZA3npX9cldehaLZ4Szl6YhrZWLZOAzHvN5zwGWoWH&api=1&no_preview=1#as
https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echSw-1M9pvREF7eyP8RrYMQCeAIgdGcFGmL
https://vk.com/doc26060933_667283095?hash=XbMEOIVwAxvBMVozZrdx5JL01yibEzrk6OUGAeuqigk&dl=aHYtz9hCKP29fWdvsPFNX8NzNDQemO5X8RKctwJXQK0&api=1&no_preview=1#vmr
|
40
neuralshit.net(172.67.134.35) - malware
globalwebventure.com(65.109.26.240)
lakuiksong.known.co.ke(146.59.70.14) - malware
fdjbgkhjrpfvsdf.online(104.21.87.5) - malware
learn.microsoft.com(23.40.45.69)
api.myip.com(104.26.9.59)
iplis.ru(104.21.63.150) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
ipinfo.io(34.117.59.81)
iplogger.com(172.67.194.188) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.132.67) - mailcious
octocrabs.com(104.21.21.189) - mailcious
ironhost.io(172.67.193.129)
psv4.userapi.com(87.240.190.76)
95.142.206.0 - mailcious
87.240.137.164 - mailcious
172.67.139.27 - mailcious
172.67.194.188 - mailcious
208.67.104.60 - mailcious
194.33.191.60 - mailcious
23.210.37.172
34.117.59.81
104.21.21.189
104.26.8.59
104.21.6.10 - malware
172.67.147.32
87.240.137.134
185.172.128.69 - malware
194.169.175.235 - mailcious
23.67.53.17
91.92.243.151 - mailcious
65.109.26.240 - mailcious
45.15.156.229 - mailcious
95.142.206.2 - mailcious
194.49.94.72 - malware
194.49.94.77
146.59.70.14 - malware
104.21.57.237 - mailcious
94.142.138.131 - mailcious
|
23
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET INFO TLS Handshake Failure
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
|
9
http://94.142.138.131/api/firegate.php
http://91.92.243.151/api/tracemap.php
http://45.15.156.229/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://45.15.156.229/api/firegate.php
http://lakuiksong.known.co.ke/netTimer.exe
http://185.172.128.69/latestumma.exe
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
|
22.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9066 |
2023-11-08 09:39
|
 ORDER-23116FC.pdf.js cf34cf3dc725d0145cb4b3ecfba459e7VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper |
1
https://grapemundo.com/Apk/work.vbs
|
2
grapemundo.com(103.50.163.157) - mailcious
103.50.163.157 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.0 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9067 |
2023-11-08 09:51
|
File.rar c49151503a28c917e2857760532d8ef0
PrivateLoader Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro DNS |
53
http://195.201.251.173/
http://195.201.251.173/vcruntime140.dll
http://195.201.251.173/msvcp140.dll
http://195.201.251.173/mozglue.dll
http://194.169.175.118/xinchao.exe - rule_id: 38117
http://194.49.94.97/download/Services.exe - rule_id: 38118
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://195.201.251.173/freebl3.dll
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://jaimemcgee.top/40d570f44e84a454.php - rule_id: 38121
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://195.201.251.173/sqlite3.dll
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MO990stgnECCXm487Ttm1ga6.exe&platform=0009&osver=5&isServer=0
http://94.142.138.131/api/firecom.php - rule_id: 36179
http://195.201.251.173/nss3.dll
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://194.49.94.48/timeSync.exe - rule_id: 38122
http://195.201.251.173/softokn3.dll
http://185.172.128.69/latestumma.exe - rule_id: 38123
http://stim.graspalace.com/order/tuc19.exe - rule_id: 38124
http://176.113.115.84:8080/4.php - rule_id: 34795
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc26060933_667443076?hash=bDMwfuwwa4Bhfk5iGf4pMZfzUuBZI01JVp5BaGnL6ks&dl=iT71Bl3sZ2372hed0nHcWcvZK3ySxQ2nVKfHeXmS1cs&api=1&no_preview=1
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/f6b4409db97c/BotClients.bmp?extra=XyDUtDw2kxfm9jE5QPM6GZyXP63jc58qFBlzPoTu75dHPn2dPLNikHfM4-g1wqdz4Qhn-mieiLcm4O7701M8WzPInDI5tOdQiWkYAR7YTs7NQMs0If_al1cKjhF-2gxL8v3LtRBMskS4po52
https://vk.com/doc26060933_667461496?hash=egdyyVbzZ1RrLg0G1GnF2OIAfOHjZ6QvOr9xjiWPRzk&dl=R2dHcfkklHZC6QWDijipWsfDaBcPGk1TJodmHYqQ8fk&api=1&no_preview=1#setup
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/93b5ea113936/32ssh7832haf.bmp?extra=J-reDmr00Qi8f6YZm72J-tJgjmoCfEc-kLljTjGdbr7yd3ZtlIOg3fyUoePkg0_0EreB5QB3smN1utxlWgRUlTPXJxmUl4Ef6z0DqxE6gf1mYYxCqOFW2_VFxHJGWv5aSGPvcnYvnjg0VlPT
https://api.ip.sb/ip
https://fdjbgkhjrpfvsdf.online/setup294.exe - rule_id: 37897
https://iplogger.com/2lhi52 - rule_id: 38127
https://db-ip.com/
https://sso.passport.yandex.ru/push?uuid=43ef0eff-f7be-4313-b10e-1ec1849baf48&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://iplis.ru/1Gemv7.mp3
https://vk.com/doc26060933_667452800?hash=pIiQI9ESvqLAvoJupWTJlr3ieUjnzDC7zAeymHyxjK4&dl=fBx5ZRcRnIbGHZBA56w0xzNAmq8tMCJq2fh7enTkokw&api=1&no_preview=1
https://dzen.ru/?yredirect=true
https://sun6-21.userapi.com/c236331/u26060933/docs/d11/cc5a543357b1/Risepro.bmp?extra=98_LY8vGNbS9n8jSiu71V9JFct5W3jtQnqs7zTkGzJ2VoWwR0gmMISoiXczTZwrYuIzMg5qkHCPbFf4Q3cEmf3sR1dLKKxadp-QPLDW3m9o_qkYCehW0skIUIziOjMKu5cM-we-_6iJsrRtg
https://sun6-23.userapi.com/c237331/u26060933/docs/d29/2565ea094508/RisePro.bmp?extra=jFaOgj7cGIe-uGIOZ7lfR_Sd3YndWWjgA5lFsVisLy5737qzplpz6ZEiBIYYlZaSxi2kIEWvlPOFxmNcvl8yyYK-pQaIVIk-R8q67opgjFsmjXqTOdlFcXmdcMkmcY7GUIepDJWwPvH_ID0D
https://sun6-22.userapi.com/c909328/u26060933/docs/d14/3afe51af0e45/setup.bmp?extra=o6tSkvo3WJHNkWYV4m7MHb8rsWSS52VYICmzrxdaqtDHYoAtuXrvi3UTsiLcKTPhxiQfxNVblrwU_g8L_xHhVX--gZd0YSMm7dNG0AvZ1mBIeczOoQRPJoWtUq0MsJg1piA3KFKvYuuYDMSd
https://api.2ip.ua/geo.json
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/87bf67900bd3/WWW11_32.bmp?extra=XOZlXgdd3bUWej72lwSyK7qAk7zr_0peJo1GKofvOna2ONZ-yM3AA7oSx1TPy4cCQCQ6wRJvbdwU0IDcAro_6SJj7dZA4ahsjH82rHaDVLTvh9HnCoPfpgPA-3FqdegwuIXON0YffOUWk9tl
https://vk.com/doc26060933_667452525?hash=Gh9FdvMkZAv4GqS13jZPZHB5Pcx92djGdjwawRPGUH8&dl=T8IbErzc4mt11RokDKvo5O7LhWRnbzRIZQAIKyuFbVg&api=1&no_preview=1#1
https://vk.com/doc26060933_667442538?hash=mmgXWXsNqbKLvdAt9zehqkuJnMdb3X5PCDebEMwwvAw&dl=GGDaPNTZqZV3JZoFm1DNOMglxPYcMg1N3m7iaSGEzDs&api=1&no_preview=1#maf
https://sun6-22.userapi.com/c235131/u26060933/docs/d1/ba97dca153ca/PL_Clientp.bmp?extra=i9THH3O8H4N_In69cCrUwR_eiU_x753MLTgoyyEPloC8fZBdB6WCrl2-6U0HOjiXL0gVmHe5NRuWccWK8pQGs1aevQpjvkIDvlBwrUwWdZPzdfj2J3XI-ZRUk4lHhrhqOT43mVOCVXLCRwRa
https://sun6-23.userapi.com/c235131/u26060933/docs/d50/60b44504e085/file071123.bmp?extra=trC4U7plV8McjHNCq8dYdsz5Rg0fFfP-eFZscrLGXmck8alwfzoEtDSa_Dz1ix3m6Ygy37-jq-4lRumXt32zfR7uYa5jP5DsRgLG05cUZLLjgisywUwEdd4T4YFkaRkPTPqy4CgG3gqYi3db
https://vk.com/doc26060933_667439449?hash=vzkbG8bKfHAO2x625lZNXBKXCuAvPBZzPx9sufiaWx0&dl=3zz9ZDFfOKnbcxNR19mrKyOTob271CPE08u0D3OPGzw&api=1&no_preview=1#risepro
https://sun6-20.userapi.com/c909618/u26060933/docs/d28/cb4943e7d785/crypted.bmp?extra=-NWW48wNXl3YvNe-AnEflBbZHTLY4_N5lcHl5XP0D7TPUq6fpITpdKXfjR51pSITnAqWwBNo10QoTngMnWeyVzqu5nmAOqHsrjXwRKxHJOEo36gaOnosP9E15RLICh_lxm7oqnp74_g6XDzi
https://sun6-20.userapi.com/c909418/u26060933/docs/d53/2538a0bc40f7/1MG.bmp?extra=S9vmGUX-pZ2meKHDX1Rz8vKYbPeXST17jDUsID2ZPP61PtEiwHzq3i-4xYLRq4qD_Cy53LPosP8ep3g9pTZYtfLqcEUgPO3ZG8R-WrerRlw_AJOHy9LADl1Uin3Rwz6N3mCX2NdcR8p1Q9nM
https://vk.com/doc26060933_667462812?hash=BNWNUlhfnsvUW8vuJOkR6wETTQRQYSEXqD7FAHmgIoH&dl=Zt1uh0kla8CEullAPIbT2Uyh8Gn9CHZtt3EEdBcLJYD&api=1&no_preview=1#test22
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-20.userapi.com/c235131/u26060933/docs/d3/e0bc894d3f39/tmvwr.bmp?extra=PaStbbEwQZf_4ZOMtpbva-yY57KOQbmYSM0Zr6WbebuMjhlFCSsuwkBN0TlyCkjb2FqRcQEtgQpKtxniYw2yVB8_pp0JDAU_T_63OIZ4vYm70NbsbooB-1_iGzJNLdD9jJmvd9iOR4gY0Q2i
https://steamcommunity.com/profiles/76561199568528949
|
76
stim.graspalace.com(104.21.20.155) - malware
db-ip.com(104.26.4.15)
sun6-23.userapi.com(95.142.206.3) - mailcious
vanaheim.cn(158.160.73.47) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
yandex.ru(5.255.255.70)
jaimemcgee.top(193.106.175.190) - mailcious
dzen.ru(62.217.160.2)
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
learn.microsoft.com(104.75.1.96)
gons11fc.top(212.113.122.87) - malware
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.75.41.21) - mailcious
iplogger.org(148.251.234.83) - mailcious
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(104.26.5.15)
ironhost.io(104.21.57.237)
sso.passport.yandex.ru(213.180.204.24)
api.ip.sb(104.26.13.31)
iplogger.com(172.67.194.188) - mailcious
fdjbgkhjrpfvsdf.online(104.21.87.5) - malware
iplis.ru(104.21.63.150) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
sun6-22.userapi.com(95.142.206.2) - mailcious
www.maxmind.com(104.18.145.235)
vk.com(87.240.129.133) - mailcious
api.myip.com(104.26.8.59)
194.169.175.128 - mailcious
104.18.145.235
93.186.225.194 - mailcious
91.215.85.209 - mailcious
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
149.154.167.99 - mailcious
213.180.204.24
172.67.75.166
104.21.12.138
104.26.12.31
23.210.37.172
185.216.70.232
185.173.38.57
194.49.94.41 - mailcious
212.113.122.87 - malware
194.49.94.48 - malware
34.117.59.81
158.160.73.47
176.113.115.84 - mailcious
77.88.55.60
148.251.234.83
104.26.8.59
194.33.191.60 - mailcious
194.169.175.118 - mailcious
91.92.243.151 - mailcious
91.103.252.189 - malware
185.172.128.69 - malware
104.21.57.237 - mailcious
94.142.138.131 - mailcious
195.201.251.173
121.254.136.9
194.49.94.97 - malware
45.15.156.229 - mailcious
104.26.4.15
104.21.87.5 - malware
104.21.63.150
95.142.206.2 - mailcious
172.67.139.220
95.142.206.0 - mailcious
95.142.206.3 - mailcious
104.21.20.155 - malware
193.106.175.190 - malware
95.142.206.1 - mailcious
104.76.78.101 - mailcious
|
46
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO EXE - Served Attached HTTP
ET INFO Packed Executable Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
15
http://194.169.175.118/xinchao.exe
http://194.49.94.97/download/Services.exe
http://45.15.156.229/api/tracemap.php
http://45.15.156.229/api/firegate.php
http://jaimemcgee.top/40d570f44e84a454.php
http://94.142.138.131/api/firegate.php
http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/firecom.php
http://94.142.138.131/api/tracemap.php
http://194.49.94.48/timeSync.exe
http://185.172.128.69/latestumma.exe
http://stim.graspalace.com/order/tuc19.exe
http://176.113.115.84:8080/4.php
https://fdjbgkhjrpfvsdf.online/setup294.exe
https://iplogger.com/2lhi52
|
6.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9068 |
2023-11-09 07:57
|
 IGCC.exe 1007f94e20df5535b81e25138316ac57
AgentTesla Confuser .NET PWS SMTP KeyLogger AntiDebug AntiVM PE File PE64 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
mail.bretoffice.com(185.174.174.220) - mailcious
121.254.136.9
185.174.174.220 - phishing
|
2
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9069 |
2023-11-09 08:00
|
 IGCC.exe dad01083f1469e5ffa79e73f6c4252b3
AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
3
api.ipify.org(104.237.62.212)
185.174.174.220 - phishing
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9070 |
2023-11-09 08:08
|
 smss.exe 62c8a57ed7d641bc8b4e451e37452df1
Malicious Library UPX PE File PE32 MZP Format DllRegisterServer dll RWX flags setting unpack itself Tofsee Interception crashed |
|
2
onedrive.live.com(13.107.42.13) - mailcious
13.107.42.13 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9071 |
2023-11-09 09:27
|
HtmlIEbrowsercachehistoryclean... 6d852c09f951469e5265373380460ebf
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
1
http://192.227.173.78/1255/IGCC.exe
|
3
api.ipify.org(64.185.227.156)
173.231.16.77
192.227.173.78 - malware
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9072 |
2023-11-09 09:27
|
HTMLIEbrowserChromehtml.vbs 63c71d97a2625c3537e9edde15f3d34b
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/9thzE
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
http://172.245.33.131/3324/RMR.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
172.67.187.200 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
1 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9073 |
2023-11-09 09:31
|
ngown.vbs 02a3397b2d50409559121caee5c82d81
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/69jx0
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
http://equiticoy.top/vasity/ngohms.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
104.21.84.67 - malware
121.254.136.18
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9074 |
2023-11-09 10:25
|
2000215005_20231107_20231127_r... 015ba89bce15c66baebc5fd94d03d19e
Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell MSOffice File VirusTotal Malware VBScript powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed Dropper |
6
http://ebpp.airport.kr/ui/jsp/if_pdfviewer.jsp
http://ebpp.airport.kr/favicon.ico
http://ebpp.airport.kr/updateEmail.jsp?ClassId=UpdateDataEmail&invno=2311200021500501&invdt=20231107&custid=2000215005&email=pkllo@naver.com&seq=1
http://ebpp.airport.kr/error.html
http://ebpp.airport.kr/mail.do
https://messengerin.com/layout/images/profile.php?color_style=TEST22-PC
|
4
messengerin.com(119.205.211.77)
ebpp.airport.kr(116.84.245.100)
116.84.245.100
119.205.211.77 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
8 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9075 |
2023-11-09 10:34
|
2023년 10월4주차 주간 국제안보군사정세(통권 제2... 337bbc45280073edd0ec63a9cffeacbc
Client SW User Data Stealer browser info stealer Generic Malware Downloader Google Chrome User Data Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyL Browser Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Cryptographic key crashed |
1
https://dl.dropboxusercontent.com/scl/fi/7iouye2eg58i1fmaus5nt/20231101.zip?rlkey=xqx0na1023enhhwri02lszdps&dl=0
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware
162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|