9121 |
2023-11-25 18:19
|
sservc.exe 4f17e0e8d7f6931d86bcef776619a2b5 Hide_EXE Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check VirusTotal Malware Buffer PE AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious TLD sandbox evasion Windows Tor ComputerName DNS |
82
|
252
|
9
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 749
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 747
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186
ET SCAN Potential SSH Scan OUTBOUND
ET INFO TLS Handshake Failure
ET DNS Query to a *.top domain - Likely Hostile
ET INFO DNS Query for Suspicious .ga Domain
|
|
14.0 |
M |
35 |
ZeroCERT
9122 |
2023-11-26 13:35
|
obizx.doc a486b5b3452cc0b67c8c8d3ec919e141 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself suspicious TLD IP Check Tofsee Windows Exploit DNS crashed |
1
http://zang1.almashreaq.top/_errorpages/obizx.exe
|
4
zang1.almashreaq.top(104.21.70.74) - malware
api.ipify.org(64.185.227.156)
173.231.16.77
172.67.221.26 - malware
|
9
ET DNS Query to a *.top domain - Likely Hostile
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
30 |
ZeroCERT
9123 |
2023-11-26 13:49
|
home.exe b5f964d3dbe27ea562d3a750af190bea Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed |
1
https://db-ip.com/demo/home.php?s=175.208.134.152
|
5
ipinfo.io(34.117.59.81)
db-ip.com(172.67.75.166)
172.67.75.166
194.49.94.152 - mailcious
34.117.59.81
|
7
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
|
|
13.2 |
M |
43 |
ZeroCERT
9124 |
2023-11-27 09:36
|
PsExec.exe 9f26f723df0ce1ad3e928f983dffc61e Malicious Library .NET framework(MSIL) UPX PE32 PE File MZP Format JPEG Format DLL .NET EXE VirusTotal Malware AutoRuns Check memory Checks debugger Creates executable files unpack itself AppData folder Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger |
1
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
|
7
docs.google.com(142.250.206.206) - mailcious
xred.mooo.com() - mailcious
freedns.afraid.org(69.42.215.252)
www.dropbox.com(162.125.84.18) - mailcious
69.42.215.252
142.251.220.46
162.125.84.18 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
63 |
ZeroCERT
9125 |
2023-11-27 10:02
|
traff.html 1741302811bd4ccf06fe466aa79a7c4f Suspicious_Script_Bin AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
9126 |
2023-11-28 09:23
|
htmljason.vbs e64be178e12b020963cc38980edc18f8 VirusTotal Malware wscript.exe payload download Tofsee |
1
|
2
paste.ee(172.67.187.200) - mailcious
172.67.187.200 - mailcious
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
16 |
ZeroCERT
9127 |
2023-11-28 09:27
|
file2data.exe e1628c99654edfe58f07bddbd9b29940 Malicious Packer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware PDB Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows ComputerName |
|
2
bitbucket.org(104.192.141.1) - malware
104.192.141.1 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
39 |
ZeroCERT
9128 |
2023-11-28 09:29
|
microsoftbrowserEdgedeletedhis... 75ae457731beea5721c8107608ee8316 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed |
|
2
toss.is(45.33.42.226) - mailcious
45.33.42.226 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
|
|
2.8 |
M |
30 |
ZeroCERT
9129 |
2023-11-28 09:56
|
brAZILLLFile_HTA.hta e72b286e211eec5f15fcd218ffcc389c Generic Malware Antivirus AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut RWX flags setting unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
|
4 |
ZeroCERT
9130 |
2023-11-28 09:57
|
File_HTA.hta dba4ee200dd745d57b7bb1f6dcdfe8d5 Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell MSOffice File VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates shortcut exploit crash unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840
http://91.92.248.130/toothpick.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
10.0 |
|
4 |
ZeroCERT
9131 |
2023-11-28 09:58
|
BMW.txt.exe d3495009e35cc99a03329dda752d0bf4 AgentTesla Malicious Library Malicious Packer UPX PE32 PE File .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(64.185.227.156)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.2 |
|
49 |
ZeroCERT
9132 |
2023-11-28 10:04
|
afriq.js 0cd971ef91e57c0c285da2fe74c2d6ec ActiveXObject VirusTotal Malware wscript.exe payload download Tofsee |
1
|
2
paste.ee(104.21.84.67) - mailcious
104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.0 |
|
5 |
ZeroCERT
9133 |
2023-11-28 10:09
|
3tuvq.js a758953be379c89a34398eb1fc1f233a Generic Malware Antivirus ActiveXObject PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/Oe5nV
https://uploaddeimagens.com.br/images/004/666/683/original/js.jpg?1700183864
http://91.92.246.47/3fgwx.txt
|
5
paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.84.67 - malware
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
8 |
ZeroCERT
9134 |
2023-11-28 14:17
|
obizx.exe 22033619d1075b112f8b58d657f536f8 Formbook .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.212)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
M |
51 |
ZeroCERT
9135 |
2023-11-28 14:51
|
보안메일.html.scr d0e8c1574fbd022e5723b85988c902a4 Eredel Stealer Extended NSIS Malicious Library UPX AntiDebug AntiVM PE32 PE File OS Processor Check .NET EXE PNG Format MSOffice File VirusTotal Malware Code Injection Check memory Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Check virtual network interfaces AppData folder Tofsee Windows Exploit DNS Cryptographic key crashed |
9
https://srtk.hometax.go.kr/download/jquery-1.11.1.min.js
https://srtk.hometax.go.kr/download/img/security_pop_bt_close.png
https://srtk.hometax.go.kr/download/cri.css?v=1
https://srtk.hometax.go.kr/download/components/enc-cp949-min.js
https://srtk.hometax.go.kr/download/cri_ems_nt.js?v=1
https://srtk.hometax.go.kr/download/rollups/seed.js
https://srtk.hometax.go.kr/download/rollups/md5.js
https://srtk.hometax.go.kr/download/rollups/aes.js
https://srtk.hometax.go.kr/download/img/security_pop_ic_lock.png
|
2
srtk.hometax.go.kr(116.67.103.155)
116.67.103.155
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
|
11 |
ZeroCenter