| 9091 |
2023-11-15 10:49
|
 Agenzia.url e8e03b91b2802891c978c8a67999bd10
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.141.118/scarica/provvedimento.exe
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.8 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9092 |
2023-11-15 10:49
|
 Agenzia_Entrate.url 67b426814bf2530e2de2e85d1146c594
AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
http://62.173.146.111/scarica/normativa.exe
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9093 |
2023-11-16 07:49
|
 open.exe 16252016f9922916b06ba87604aaaa29
AgentTesla .NET framework(MSIL) UPX PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.77)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9094 |
2023-11-16 07:56
|
 ama.exe a61aac13f8a4841915791fb57aa2e275
Amadey UPX PE32 PE File Malware download Amadey Malware AutoRuns Malicious Traffic Check memory RWX flags setting unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS |
1
http://185.172.128.100/u6vhSc3PPq/index.php - rule_id: 37993
|
4
www.dropbox.com(162.125.84.18) - mailcious
208.91.197.132 - mailcious
185.172.128.100 - mailcious
162.125.84.18 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey Bot Activity (POST)
|
1
http://185.172.128.100/u6vhSc3PPq/index.php
|
7.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9095 |
2023-11-16 13:35
|
 lightmuzik2.1.exe 8a7e5664d1f1d5bf41c6d943299aa1e8
NSIS Malicious Library UPX PE32 PE File OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9096 |
2023-11-16 15:57
|
htmlbrowserhistorycleanbothfil... 819445270fd095cf54c6768d1e380e1b
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/U1LNm
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
61.111.58.34 - malware
172.67.187.200 - mailcious
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
2 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9097 |
2023-11-16 18:57
|
NOV_INQUIRY.js b22055de1a1ea49c1b4f7d64ff315471
ActiveXObject wscript.exe payload download unpack itself Check virtual network interfaces Tofsee DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://pastebin.com/raw/NVAgzFRR - rule_id: 35284
https://wtools.io/code/dl/bR6Z
|
5
wtools.io(104.21.6.247) - malware
pastebin.com(104.20.68.143) - mailcious
104.21.6.247 - malware
121.254.136.9
172.67.34.170 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
|
1
https://pastebin.com/raw/NVAgzFRR
|
2.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9098 |
2023-11-16 18:59
|
 AWB No.5839077413pdf.exe 3192f8ad7bde4add1fd295e08176c383
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
64.185.227.156
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
|
|
10.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9099 |
2023-11-16 19:03
|
 need.exe e622baf0198d6821fb4e1a8a23618a17
RedLine stealer Emotet Gen1 Malicious Library UPX ScreenShot PWS Socket Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File CAB Browser Info Stealer RedLine Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications malicious URLs AntiVM_Disk sandbox evasion anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81)
db-ip.com(172.67.75.166)
194.49.94.152
104.26.4.15
34.117.59.81
|
11
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
|
|
18.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9100 |
2023-11-17 18:37
|
 AWB_Ref#.5839077413pdf.exe 7ac9bc3020e21341f1c2d8f9e938f9e3
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
1
http://192.168.56.102:5357/017bd04f-b3bf-45b6-8167-9e8f41ff87bf/
|
4
api.ipify.org(104.237.62.212)
smtp.yandex.com(77.88.21.158)
173.231.16.77
77.88.21.158
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction
|
|
13.0 |
|
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9101 |
2023-11-17 18:41
|
 OFICIO_DE_EMBARGO_Nro_81_RAMA_... b935dc0f2d44f314601d7cc4e6e72989
Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/LR45D
https://uploaddeimagens.com.br/images/004/654/536/original/new_image.jpg?1698957750
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
172.67.187.200 - mailcious
121.254.136.18
104.21.45.138 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9102 |
2023-11-18 12:43
|
 home.exe 0569253c2d7bbd34d6576729c420930f
Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81)
db-ip.com(104.26.4.15)
104.26.5.15
34.117.59.81
194.49.94.152 - mailcious
|
7
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9103 |
2023-11-20 09:54
|
 v1.exe cc78ebc3aad20686d5bef8613aba55be
Client SW User Data Stealer LokiBot ftp Client info stealer .NET framework(MSIL) UPX Http API PWS AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software |
1
https://steamcommunity.com/profiles/76561199571056594
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(184.87.111.197) - mailcious
149.154.167.99 - mailcious
49.13.94.153 - mailcious
104.76.78.101 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
16.8 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9104 |
2023-11-20 09:55
|
 Lwsecure_beta.exe 5c320953f68110bc451f42495ef0a296
Gen1 Malicious Library UPX PE File PE64 ftp OS Processor Check VirusTotal Malware PDB Tofsee Remote Code Execution crashed |
|
2
app.physics.wisc.edu(128.104.160.19)
128.104.160.19
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9105 |
2023-11-20 09:58
|
 conhost.exe 0c648321522607509014810fa9850703
XMRig Miner Emotet Cryptocurrency Miner Generic Malware Suspicious_Script_Bin CoinHive Cryptocurrency task schedule Downloader Malicious Library UPX Antivirus Malicious Packer .NET framework(MSIL) Create Service Socket DGA Http API ScreenShot Escalate pri VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Windows ComputerName DNS Cryptographic key |
4
http://45.15.156.116/WatchDog.exe
http://45.15.156.116/WinRing0x64.sys
http://45.15.156.116/xmrig.exe
https://pastebin.com/raw/ZRRRiwsq
|
3
pastebin.com(104.20.67.143) - mailcious
45.15.156.116 - malware
104.20.67.143 - mailcious
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
13.4 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|