9061 | 2023-11-07 07:58
IGCC.exe a3bb5280d95d7c638240975925c013ac
Tags: AgentTesla Generic Malware Antivirus PWS KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (2): api.ipify.org(64.185.227.156) 64.185.227.156
IDS alerts (4):
- ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
- ET INFO TLS Handshake Failure
- ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.4 | M | ZeroCERT
9062 | 2023-11-07 10:13
bRoC.exe 07807c652283c997837c931b41c45f24
Tags: PE File PE32 .NET EXE VirusTotal Malware Tofsee
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3): pt.textbin.net(148.72.177.212) 148.72.177.212 - mailcious 121.254.136.18
IDS alerts (1):
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.6 | 53 | ZeroCERT
9063 | 2023-11-07 10:59
File.rar f990fd3d664b4a2cd89a21cb6e2a9911
Tags: PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Browser RisePro DNS Downloader plugin
URLs: 62
Hosts: 93
IDS alerts (57):
- ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- SURICATA Applayer Mismatch protocol both directions
- ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
- ET DROP Spamhaus DROP Listed Traffic Inbound group 19
- ET DNS Query to a *.top domain - Likely Hostile
- ET INFO Executable Download from dotted-quad Host
- ET INFO Packed Executable Download
- ET DROP Spamhaus DROP Listed Traffic Inbound group 7
- ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
- ET INFO HTTP Request to a *.top domain
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET HUNTING Possible EXE Download From Suspicious TLD
- ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
- ET HUNTING Suspicious services.exe in URI
- ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- ET INFO TLS Handshake Failure
- ET INFO EXE - Served Attached HTTP
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
- ET POLICY IP Check Domain (iplogger .org in TLS SNI)
- ET INFO Microsoft net.tcp Connection Initialization Activity
- ET MALWARE Redline Stealer TCP CnC Activity
- ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
- ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
- ET MALWARE Redline Stealer TCP CnC - Id1Response
- ET INFO Observed Telegram Domain (t .me in TLS SNI)
- ET MALWARE Redline Stealer Activity (Response)
- ET INFO Dotted Quad Host ZIP Request
- ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
- ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
- ET MALWARE Win32/Stealc Requesting browsers Config from C2
- ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
- ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
- ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- ET MALWARE Win32/Stealc Requesting plugins Config from C2
- ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
- ET MALWARE Win32/Stealc Submitting System Information to C2
- ET POLICY External IP Address Lookup DNS Query (2ip .ua)
- ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
- ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
- ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
- ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
- ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
- ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
- ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
- ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
- ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
- ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
- ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
- ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
- ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
- ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
Rule-matched URLs: 10
7.2 | M | ZeroCERT
9064 | 2023-11-07 19:14
WinRar.exe 12ad5dac08fffe484f5bece941c6ee4e
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (2): camo.githubusercontent.com(185.199.108.133) 185.199.109.133 - mailcious
IDS alerts (1):
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.8 | ZeroCERT
9065 | 2023-11-07 19:21
WWW14_64.exe b79c2d99b9899e66e9a3c16b5bc407cb
Tags: PrivateLoader NPKI RedLine Infostealer RedLine stealer HermeticWiper Generic Malware NSIS Suspicious_Script UPX Malicious Library Antivirus Malicious Packer .NET framework(MSIL) Confuser .NET Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Bl Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion IP Check VM Disk Size Check installed browsers check PrivateLoader Tofsee Ransomware Stealer Windows Browser ComputerName Trojan DNS Cryptographic key Software crashed
URLs: 23
Hosts: 40
IDS alerts (23):
- ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
- SURICATA Applayer Mismatch protocol both directions
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
- ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
- ET MALWARE Single char EXE direct download likely trojan (multiple families)
- ET INFO Executable Download from dotted-quad Host
- ET INFO Packed Executable Download
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- SURICATA TLS invalid record type
- SURICATA TLS invalid record/traffic
- ET INFO Microsoft net.tcp Connection Initialization Activity
- ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
- ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
- ET MALWARE Redline Stealer TCP CnC Activity
- ET MALWARE Redline Stealer TCP CnC - Id1Response
- ET MALWARE Redline Stealer Activity (Response)
- ET INFO TLS Handshake Failure
- ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
- ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
- ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
Rule-matched URLs: 9
22.2 | M | ZeroCERT
9066 | 2023-11-08 09:39
ORDER-23116FC.pdf.js cf34cf3dc725d0145cb4b3ecfba459e7
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1): https://grapemundo.com/Apk/work.vbs
Hosts (2): grapemundo.com(103.50.163.157) - mailcious 103.50.163.157 - mailcious
IDS alerts (2):
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET INFO TLS Handshake Failure
10.0 | 20 | ZeroCERT
9067 | 2023-11-08 09:51
File.rar c49151503a28c917e2857760532d8ef0
Tags: PrivateLoader Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Malware c&c Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows RisePro DNS
URLs: 53
Hosts: 76
IDS alerts (46):
- ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
- SURICATA Applayer Mismatch protocol both directions
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
- ET DNS Query to a *.top domain - Likely Hostile
- ET DROP Spamhaus DROP Listed Traffic Inbound group 19
- ET INFO Executable Download from dotted-quad Host
- ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
- ET HUNTING Suspicious services.exe in URI
- ET POLICY PE EXE or DLL Windows file download HTTP
- ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- ET DROP Spamhaus DROP Listed Traffic Inbound group 7
- ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
- ET INFO HTTP Request to a *.top domain
- ET INFO EXE - Served Attached HTTP
- ET INFO Packed Executable Download
- ET HUNTING Possible EXE Download From Suspicious TLD
- ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- ET INFO TLS Handshake Failure
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
- ET INFO Microsoft net.tcp Connection Initialization Activity
- ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
- ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
- ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
- ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
- ET POLICY IP Check Domain (iplogger .org in TLS SNI)
- ET MALWARE Redline Stealer TCP CnC Activity
- ET MALWARE Redline Stealer TCP CnC - Id1Response
- ET INFO Observed Telegram Domain (t .me in TLS SNI)
- ET POLICY External IP Address Lookup DNS Query (2ip .ua)
- ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
- ET MALWARE Redline Stealer Activity (Response)
- ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
- ET INFO Dotted Quad Host DLL Request
- ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
- ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
- ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
- ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
- ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
- ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
- ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
- ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
- ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
|
15
http://194.169.175.118/xinchao.exe http://194.49.94.97/download/Services.exe http://45.15.156.229/api/tracemap.php http://45.15.156.229/api/firegate.php http://jaimemcgee.top/40d570f44e84a454.php http://94.142.138.131/api/firegate.php http://91.92.243.151/api/tracemap.php http://94.142.138.131/api/firecom.php http://94.142.138.131/api/tracemap.php http://194.49.94.48/timeSync.exe http://185.172.128.69/latestumma.exe http://stim.graspalace.com/order/tuc19.exe http://176.113.115.84:8080/4.php https://fdjbgkhjrpfvsdf.online/setup294.exe https://iplogger.com/2lhi52
|
6.6 |
M |
|
ZeroCERT
9068 |
2023-11-09 07:57
|
IGCC.exe 1007f94e20df5535b81e25138316ac57 AgentTesla Confuser .NET PWS SMTP KeyLogger AntiDebug AntiVM PE File PE64 Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows Browser Email ComputerName Software crashed keylogger |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
3
mail.bretoffice.com(185.174.174.220) - mailcious 121.254.136.9 185.174.174.220 - phishing
|
2
SURICATA Applayer Detect protocol only one direction SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
9069 |
2023-11-09 08:00
|
IGCC.exe dad01083f1469e5ffa79e73f6c4252b3 AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
3
api.ipify.org(104.237.62.212) 185.174.174.220 - phishing 64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
9070 |
2023-11-09 08:08
|
smss.exe 62c8a57ed7d641bc8b4e451e37452df1 Malicious Library UPX PE File PE32 MZP Format DllRegisterServer dll RWX flags setting unpack itself Tofsee Interception crashed |
|
2
onedrive.live.com(13.107.42.13) - mailcious 13.107.42.13 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
|
ZeroCERT
9071 |
2023-11-09 09:27
|
HtmlIEbrowsercachehistoryclean... 6d852c09f951469e5265373380460ebf MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
1
http://192.227.173.78/1255/IGCC.exe
|
3
api.ipify.org(64.185.227.156) 173.231.16.77
192.227.173.78 - malware
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.6 |
M |
31 |
ZeroCERT
9072 |
2023-11-09 09:27
|
HTMLIEbrowserChromehtml.vbs 63c71d97a2625c3537e9edde15f3d34b Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/9thzE
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
http://172.245.33.131/3324/RMR.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware 121.254.136.9
172.67.187.200 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
1 |
ZeroCERT
9073 |
2023-11-09 09:31
|
ngown.vbs 02a3397b2d50409559121caee5c82d81 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/69jx0
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
http://equiticoy.top/vasity/ngohms.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware 104.21.84.67 - malware
121.254.136.18
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
3 |
ZeroCERT
9074 |
2023-11-09 10:25
|
2000215005_20231107_20231127_r... 015ba89bce15c66baebc5fd94d03d19e Generic Malware Antivirus AntiDebug AntiVM Lnk Format GIF Format PowerShell MSOffice File VirusTotal Malware VBScript powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed Dropper |
6
http://ebpp.airport.kr/ui/jsp/if_pdfviewer.jsp http://ebpp.airport.kr/favicon.ico http://ebpp.airport.kr/updateEmail.jsp?ClassId=UpdateDataEmail&invno=2311200021500501&invdt=20231107&custid=2000215005&email=pkllo@naver.com&seq=1 http://ebpp.airport.kr/error.html http://ebpp.airport.kr/mail.do https://messengerin.com/layout/images/profile.php?color_style=TEST22-PC
|
4
messengerin.com(119.205.211.77) ebpp.airport.kr(116.84.245.100) 116.84.245.100 119.205.211.77 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
8 |
ZeroCERT
9075 |
2023-11-09 10:34
|
2023년 10월4주차 주간 국제안보군사정세(통권 제2... 337bbc45280073edd0ec63a9cffeacbc Client SW User Data Stealer browser info stealer Generic Malware Downloader Google Chrome User Data Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyL Browser Info Stealer VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName Cryptographic key crashed |
1
https://dl.dropboxusercontent.com/scl/fi/7iouye2eg58i1fmaus5nt/20231101.zip?rlkey=xqx0na1023enhhwri02lszdps&dl=0
|
2
dl.dropboxusercontent.com(162.125.84.15) - malware 162.125.84.15 - malware
|
2
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.2 |
|
21 |
ZeroCERT