9106 | 2023-11-21 08:00
File: smo.exe
MD5: d117bdd49deff0dc9c560ed4a03d3a5f
Tags: Emotet Gen1 Malicious Library UPX PE32 PE File CAB Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed
URLs (1):
https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
ipinfo.io(34.117.59.81) db-ip.com(104.26.5.15) 194.49.94.152 - mailcious 104.26.4.15 34.117.59.81
Signatures (7):
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
18.4 | M | 42 | ZeroCERT

9107 | 2023-11-21 18:17
File: htmlbrowserhistorydeletedbymic...
MD5: 0a869df2007f5731f95c5d84aad6bbbf
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (3):
http://apps.identrust.com/roots/dstrootcax3.p7c http://107.175.113.202/450/htmlvb.vbs https://paste.ee/d/gIIFw
Hosts (6):
paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 121.254.136.9 107.175.113.202 - mailcious 104.21.84.67 - malware 104.21.45.138 - malware
Signatures (3):
ET INFO Dotted Quad Host VBS Request ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 33 | ZeroCERT

9108 | 2023-11-21 18:17
File: htmlvb.vbs
MD5: a106d0b5d4423dbcb1b7551cc6f011b1
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (4):
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/gIIFw
https://uploaddeimagens.com.br/images/004/666/676/original/vbs.jpg?1700182879
http://107.175.113.202/450/NEW.txt
Hosts (5):
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware 104.21.84.67 - malware
23.43.165.66
172.67.215.45 - malware
Signatures (2):
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | - | 7 | ZeroCERT

9109 | 2023-11-22 13:23
File: deepweb.exe
MD5: 7a51a34ca5ccfe6eb43ef6abc0f92d46
Tags: RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
http://91.92.241.80:1337/ https://api.ip.sb/geoip
Hosts (3):
api.ip.sb(104.26.13.31) 104.26.12.31 91.92.241.80 - malware
Signatures (4):
ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer Activity (Response)
8.0 | M | 65 | ZeroCERT

9110 | 2023-11-23 07:53
File: PhXExiF.exe
MD5: 607e6e48bb7398dd40783cdf86ee4670
Tags: .NET framework(MSIL) UPX PE32 PE File .NET EXE Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee crashed
URLs: none
Hosts (2):
i.ibb.co(104.194.8.143) - mailcious 172.96.161.6
Signatures (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.4 | - | - | ZeroCERT

9111 | 2023-11-23 19:02
File: tfsoft.exe
MD5: 1d6edfa073e4a8f072df28cfd5321bba
Tags: PE32 PE File Emotet VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic buffers extracted unpack itself Windows utilities Detects VMWare suspicious process AppData folder sandbox evasion VMware Tofsee Windows crashed
URLs (10):
http://rip.oeklms.com/api/r/ip http://cdn.cuilet.com/API/General/lsrpu http://cdn.cuilet.com/API/General/client_log_user http://ddjf8dkd.wifi95.com/API/General/arearst http://cdn.cuilet.com/api/filegoto1/81b1e3e4c7ac0cfc http://ddjf8dkd.wifi95.com/api/userconfig/uc_2bd4378e4519b0a0f73b3cd533996173.json http://9xcb.oeklms.com/api/r/mcm http://ddjf8dkd.wifi95.com/API/General/lsrpu http://apps.game.qq.com/comm-htdocs/ip/get_ip.php http://ddjf8dkd.wifi95.com/API/General/thenewseven
Hosts (17):
c9g6lqgo.sched.sma.tdnsstic1.cn(116.136.12.139) rip.oeklms.com(139.196.190.229) 9xcb.oeklms.com(106.14.120.14) ddjf8dkd.wifi95.com.cdn.dnsv1.com(175.43.23.80) time.pool.aliyun.com(182.92.12.11) apps.game.qq.com(101.227.134.49) ddjf8dkd.wifi95.com(116.136.12.139) cdn.cuilet.com(175.43.23.67) sp0.baidu.com(119.63.197.151) 119.63.197.139 106.14.120.14 118.212.235.111 182.92.12.11 101.227.134.27 139.196.190.229 114.114.114.114 175.43.23.80
Signatures (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.6 | M | 57 | guest

9112 | 2023-11-24 10:58
File: Invoice.url
MD5: 90962de04e13d0f8e7b96a094ec6b77a
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
http://62.173.141.116/scarica/paypal_inv.exe
Hosts (1): not listed
Signatures (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
5.8 | - | 5 | ZeroCERT

9113 | 2023-11-24 11:00
File: Order_Information.url
MD5: 73461871b344c75f77323047fbafd617
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
http://62.173.141.114/scarica/InvoicePayPal.exe
Hosts (1): not listed
Signatures (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
5.8 | - | 5 | ZeroCERT

9114 | 2023-11-24 11:03
File: Payment_Information.url
MD5: 9eb31a50bbe8cc0146b9f778d270ddd4
Tags: AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
http://62.173.141.118/scarica/SrvPayPal.exe
Hosts (1): not listed
Signatures (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
5.4 | - | - | ZeroCERT

9115 | 2023-11-24 11:12
File: Payment.url
MD5: 1009a583d82ccd724ae13dc4d378de59
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
http://62.173.146.111/scarica/List_Invoice.exe
Hosts (1): not listed
Signatures (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
6.0 | - | 14 | ZeroCERT

9116 | 2023-11-24 11:14
File: Order_Information.url
MD5: 7f4085aab74f2da761e65d5fb41fd40f
Tags: AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
http://62.173.141.114/scarica/PayPal_List.exe
Hosts (1): not listed
Signatures (2):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
5.4 | - | - | ZeroCERT

9117 | 2023-11-25 17:55
File: Loader%20Resou%E2%80%AEnls.scr
MD5: 21bc89b62236a92090a9b9732ce09b5e
Tags: PE32 PE File .NET EXE PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee
URLs: none
Hosts (2):
img.guildedcdn.com(54.230.176.64) - malware 54.230.176.64 - malware
Signatures (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.4 | M | - | ZeroCERT

9118 | 2023-11-25 18:08
File: PLmp.exe
MD5: d689713e2c880daf649ec894a0761274
Tags: PrivateLoader NPKI Gen1 HermeticWiper Generic Malware Suspicious_Script NSIS Malicious Library VMProtect UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM Javascript_Blob AntiDebug AntiVM PE File PE64 PE32 DLL PNG Format JPEG Format Browser Info Stealer Malware download VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Disables Windows Security AppData folder AntiVM_Disk sandbox evasion WriteConsoleW IP Check VM Disk Size Check PrivateLoader Tofsee Ransomware Windows Browser DNS
URLs (5):
http://45.15.156.229/api/firegate.php - rule_id: 36052 http://45.15.156.229/api/tracemap.php - rule_id: 33783 https://vk.com/doc278414724_666990616?hash=4CotYHxpQIpd56XcQZdpXEA3nXJg8jBmLdZCLDYGTM4&dl=5wzQdfHJAm42JxdCzDIp2OLxzWhsnZyAL9RzHoNviH8&api=1&no_preview=1 https://sun6-23.userapi.com/c909618/u278414724/docs/d42/29be4c51d720/tmvwr.bmp?extra=lo1JLlDudToLN88wnSMMBgylnX1wZTo7dOyVInza09welEABQpw4eL107Ew0zGWbBHSZBcWjr8Ul2BHoKLnfShpyWd-XGHjt6BGnQMXMMB9fPp0nlsR-7ZS6NAy1Lkfclpxxg_FCr-j3uBfJEA https://api.myip.com/
Hosts (10):
vk.com(87.240.132.78) - mailcious ipinfo.io(34.117.59.81) api.myip.com(172.67.75.163) sun6-23.userapi.com(95.142.206.3) - mailcious 45.15.156.229 - mailcious 104.26.9.59 95.142.206.3 - mailcious 185.172.128.69 - malware 87.240.129.133 - mailcious 34.117.59.81
Signatures (8):
SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Executable Download from dotted-quad Host ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Malicious URLs (2):
http://45.15.156.229/api/firegate.php http://45.15.156.229/api/tracemap.php
19.4 | M | 43 | ZeroCERT

9119 | 2023-11-25 18:09
File: updater.exe
MD5: 8589b564a5ed7920be4b1b08f3d6d8ed
Tags: Gen1 Generic Malware UPX Antivirus Malicious Library PE32 PE File DLL PE64 OS Processor Check ZIP Format Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName intelligence DNS Cryptographic key crashed CoinMiner
URLs (1):
http://94.156.71.160/carsalepanel/api/endpoint.php
Hosts (7):
xmr.2miners.com(162.19.139.184) - mailcious pastebin.com(172.67.34.170) - mailcious pool.hashvault.pro(142.202.242.43) - mailcious 162.19.139.184 - mailcious 172.67.34.170 - mailcious 94.156.71.160 131.153.76.130 - mailcious
Signatures (4):
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) ET CINS Active Threat Intelligence Poor Reputation IP group 93 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
6.2 | M | - | ZeroCERT

9120 | 2023-11-25 18:13
File: Opesi.exe
MD5: 51367ff68633e00c8a084cb52534182f
Tags: Client SW User Data Stealer LokiBot ftp Client info stealer .NET framework(MSIL) Http API PWS AntiDebug AntiVM PE32 PE File .NET EXE FTP Client Info Stealer Malware Telegram suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software
URLs (1):
https://steamcommunity.com/profiles/76561199572358993
Hosts (5):
t.me(149.154.167.99) - mailcious steamcommunity.com(104.76.78.101) - mailcious 149.154.167.99 - mailcious 65.108.152.136 104.75.41.21 - mailcious
Signatures (3):
ET INFO TLS Handshake Failure ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.0 | M | - | ZeroCERT