9151 | 2023-12-07 11:45 | build.exe | 6aaf4093cc7a18c1b3635f6078993bc7
Tags: RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://91.92.243.247:1334/; https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.13.31); 91.92.243.247 - malware; 104.26.13.31
Alerts (5): ET MALWARE RedLine Stealer - CheckConnect Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound; ET MALWARE Redline Stealer Family Activity (Response); SURICATA HTTP unable to match response to request
Rule-matched URLs (0): -
7.4 | M | 65 | ZeroCERT
9152 | 2023-12-07 16:35 | sostener.vbs | 6b28299322157cbfd18c65db5e060c1f
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; https://uploaddeimagens.com.br/images/004/682/796/original/dll.jpg?1701793965
Hosts (3): uploaddeimagens.com.br(104.21.45.138) - malware; 121.254.136.9; 104.21.45.138 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
8.4 | - | 3 | ZeroCERT
9153 | 2023-12-07 16:35 | envifa.vbs | 18bb62e29138d9c8dd098e5be9a4c13c
Tags: Generic Malware Antivirus VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; https://uploaddeimagens.com.br/images/004/682/796/original/dll.jpg?1701793965
Hosts (3): uploaddeimagens.com.br(172.67.215.45) - malware; 121.254.136.9; 172.67.215.45 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
8.4 | - | 2 | ZeroCERT
9154 | 2023-12-07 16:40 | line.exe | fcfc4a3e70883dc993ee49241e40c393
Tags: Emotet Gen1 SmokeLoader Generic Malware Malicious Library UPX Malicious Packer PE32 PE File CAB OS Processor Check Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB MachineGuid Check memory Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Software crashed
URLs (1): https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5): ipinfo.io(34.117.59.81); db-ip.com(104.26.5.15); 193.233.132.51 - mailcious; 104.26.4.15; 34.117.59.81
Alerts (6): ET MALWARE [ANY.RUN] RisePro TCP (Token); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET MALWARE Suspected RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
Rule-matched URLs (0): -
15.2 | M | 41 | ZeroCERT
9155 | 2023-12-08 09:42 | MicrosoftHealthcheck.vbs | 61fee3f2dd4255c687072b4eac7cdb0d
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3): uploaddeimagens.com.br(104.21.45.138) - malware; 23.67.53.27; 104.21.45.138 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
9.0 | - | 4 | ZeroCERT
9156 | 2023-12-08 18:38 | Microsoftdecidedtodeleteentire... | 684c997cc1b2dc1290b00576e884f425
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed
URLs (0): -
Hosts (3): www.synergyinnovationgroup.com(65.60.36.22); 172.245.208.126 - mailcious; 65.60.36.22
Alerts (7): ET INFO Executable Download from dotted-quad Host; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO TLS Handshake Failure
Rule-matched URLs (0): -
4.2 | M | 36 | ZeroCERT
9157 | 2023-12-08 18:40 | microsoftdecidedtodeleteentire... | 49ad634e1dfd465013beb3ce092015de
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2): http://apps.identrust.com/roots/dstrootcax3.p7c; http://66.228.43.8/300/MicrosoftHealthcheck.vbs
Hosts (4): uploaddeimagens.com.br(104.21.45.138) - malware; 66.228.43.8 - mailcious; 23.32.56.80; 172.67.215.45 - malware
Alerts (2): ET INFO Dotted Quad Host VBS Request; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
4.6 | M | 33 | ZeroCERT
9158 | 2023-12-11 14:24 | release_ver9.rar | a64249c49fd7686653154060beaa68dc
Tags: Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM Malware download Vidar Open Directory Malware c&c suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Exploit Browser RisePro DNS Downloader plugin
URLs (15): http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll; http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591; http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll; http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll; http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll; http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll; http://195.20.16.45/api/tracemap.php; http://apps.identrust.com/roots/dstrootcax3.p7c; http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll; http://5.42.64.35/timeSync.exe - rule_id: 38593; http://195.20.16.45/api/firegate.php; http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll; https://db-ip.com/demo/home.php?s=175.208.134.152; https://api.myip.com/; https://iplis.ru/1Gemv7.mp3
Hosts (28): medfioytrkdkcodlskeej.net(91.215.85.209) - malware; db-ip.com(172.67.75.166); iplis.ru(104.21.63.150) - mailcious; ioiouoiuououiyjgroup.sbs(172.67.212.175) - malware; iplogger.org(172.67.132.113) - mailcious; never.hitsturbo.com(172.67.168.30) - malware; ipinfo.io(34.117.59.81); vk.com(87.240.132.72) - mailcious; api.myip.com(104.26.8.59); 194.49.94.97 - malware; 5.42.64.41 - mailcious; 5.42.64.35 - malware; 104.26.9.59; 104.21.63.150; 193.233.132.34 - mailcious; 185.216.70.235; 23.43.165.105; 104.21.37.196; 193.233.132.51 - mailcious; 87.240.132.67 - mailcious; 91.215.85.209 - mailcious; 34.117.59.81; 104.26.5.15; 104.21.46.59 - malware; 195.20.16.45; 172.67.132.113; 109.107.182.3 - mailcious; 87.240.132.72 - mailcious
Alerts (36): SURICATA Applayer Mismatch protocol both directions; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com); ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET INFO TLS Handshake Failure; ET INFO Executable Download from dotted-quad Host; ET INFO Packed Executable Download; ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET); ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET INFO EXE - Served Attached HTTP; ET HUNTING Rejetto HTTP File Sever Response; ET POLICY IP Check Domain (iplogger .org in DNS Lookup); ET MALWARE [ANY.RUN] RisePro TCP (Token); ET MALWARE Suspected RisePro TCP Heartbeat Packet; ET MALWARE [ANY.RUN] RisePro TCP (External IP); ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK); ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration); ET MALWARE [ANY.RUN] RisePro TCP (Activity); ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; ET POLICY IP Check Domain (iplogger .org in TLS SNI); ET MALWARE Win32/Stealc Requesting browsers Config from C2; ET MALWARE Win32/Stealc Active C2 Responding with browsers Config; ET MALWARE Win32/Stealc Requesting plugins Config from C2; ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config; ET MALWARE Win32/Stealc Submitting System Information to C2; ET INFO Dotted Quad Host DLL Request; ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity; ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
Rule-matched URLs (2): http://5.42.64.41/40d570f44e84a454.php; http://5.42.64.35/timeSync.exe
5.6 | M | - | ZeroCERT
9159 | 2023-12-11 19:21 | DLL%20Injector%20Resou%E2%80%A... | b6d15bc82d811c30d7e9633402bee9c2
Tags: Malicious Packer PE File PE64 VirusTotal Malware MachineGuid Check virtual network interfaces Tofsee crashed DoTNet
URLs (1): http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3): textbin.net(148.72.177.212) - mailcious; 121.254.136.9; 148.72.177.212 - mailcious
Alerts (2): ET INFO Pastebin-style Service (textbin .net in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
3.8 | M | 42 | ZeroCERT
9160 | 2023-12-11 19:27 | InstallSetup9.exe | 9277e82030f3f80d2acb91ca8a2e21bb
Tags: NSIS Generic Malware Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File PNG Format OS Processor Check ZIP Format JPEG Format BMP Format CHM Format DLL icon PE64 CAB MZP Format MSOffice File Word 2007 fi VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS
URLs (4): http://api.ipify.org/?format=scc; http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=nine&s=ab; https://iplogger.com/19nVA4; http://5.42.64.35/syncUpd.exe
Hosts (6): api.ipify.org(104.237.62.212); iplogger.com(104.21.12.138) - mailcious; 91.92.254.7; 172.67.194.188 - mailcious; 5.42.64.35 - malware; 104.237.62.212
Alerts (9): ET INFO External IP Lookup Domain (iplogger .com in DNS lookup); ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)); ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup; ET INFO External IP Lookup Domain (iplogger .com in TLS SNI); SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup (ipify .org)
Rule-matched URLs (0): -
9.0 | M | 44 | ZeroCERT
9161 | 2023-12-11 19:32 | SynapseExploit.exe | 2cd9b5d48c0904c90537d3eb0f1becad
Tags: RedLine stealer XMRig Miner Emotet Suspicious_Script_Bin Generic Malware task schedule Downloader Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) Obsidium protector Create Service Socket DGA Http API ScreenShot Escalate priviledges Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Kelihos Tofsee Stealer Windows Browser ComputerName Trojan DNS Cryptographic key Software crashed
URLs (3): http://195.20.16.153/WinRing0x64.sys; https://pastebin.com/raw/ZRRRiwsq - rule_id: 38555; https://api.ip.sb/ip
Hosts (6): pastebin.com(104.20.68.143) - mailcious; api.ip.sb(104.26.12.31); 195.20.16.153 - malware; 104.26.13.31; 45.15.156.167; 104.20.67.143 - mailcious
Alerts (11): ET INFO Microsoft net.tcp Connection Initialization Activity; ET MALWARE Redline Stealer TCP CnC Activity; ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization); ET MALWARE Redline Stealer TCP CnC - Id1Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Executable Download from dotted-quad Host; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Possible Kelihos.F EXE Download Common Structure; ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
Rule-matched URLs (1): https://pastebin.com/raw/ZRRRiwsq
22.8 | M | 55 | ZeroCERT
9162 | 2023-12-11 19:38 | Winlock.exe | 18563c62462e92e3c81dfe737e3a8997
Tags: Emotet Malicious Library UPX PE32 PE File OS Processor Check DLL VirusTotal Malware AutoRuns Check memory Creates executable files RWX flags setting Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW Tofsee Windows Browser Advertising Google ComputerName
URLs (2): https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1BnLwNXIOB1ed0vfig76FOiB5_vSYfxO8; https://doc-0c-bs-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gsj07kmmd732u9jfj0sd2ubl6lqnbh2o/1702290825000/03617822427045637603/*/1BnLwNXIOB1ed0vfig76FOiB5_vSYfxO8?e=download&uuid=cd74acaf-b34e-46e0-a195-a721074feb84
Hosts (4): doc-0c-bs-docs.googleusercontent.com(142.250.207.97); drive.google.com(142.250.206.206) - mailcious; 142.251.220.78; 142.251.220.97
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
8.6 | M | 51 | ZeroCERT
9163 | 2023-12-11 20:03 | microsoftunderstandhowimportan... | c4cde68e89e1c045c73591c40eeb439f
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2): http://172.202.120.36/2119/Microsoftcookieclean.vbs; http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (5): uploaddeimagens.com.br(104.21.45.138) - malware; 172.202.120.36; 5.42.64.45 - malware; 104.21.45.138 - malware; 23.32.56.72
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO Dotted Quad Host VBS Request
Rule-matched URLs (0): -
4.6 | - | 31 | guest
9164 | 2023-12-12 07:47 | ucdutchzx.exe | 723bccfa9d5be24b8a064f547cf1c039
Tags: AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Browser Email ComputerName Software crashed
URLs (0): -
Hosts (2): cp5ua.hyperhost.ua(91.235.128.141); 91.235.128.141
Alerts (2): SURICATA Applayer Detect protocol only one direction; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (0): -
10.8 | - | - | ZeroCERT
9165 | 2023-12-12 07:53 | ama.exe | 294593fcb93a6d6694c9670e86e649bf
Tags: Amadey UPX Malicious Library .NET framework(MSIL) PWS AntiDebug AntiVM PE32 PE File JPEG Format DLL PE64 OS Processor Check .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Buffer PE AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader
URLs (4): http://185.172.128.5/v8sjh3hs8/index.php?scr=1; http://185.172.128.113/hv.exe - rule_id: 38526; http://185.172.128.5/v8sjh3hs8/index.php; https://pastebin.com/raw/A54sKxhY
Hosts (5): pastebin.com(104.20.67.143) - mailcious; 185.172.128.5 - malware; 185.172.128.113 - mailcious; 94.130.51.115 - mailcious; 104.20.67.143 - mailcious
Alerts (9): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2; ET INFO Dotted Quad Host DLL Request; ET MALWARE Amadey Bot Activity (POST) M1; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs (1): http://185.172.128.113/hv.exe
18.6 | M | - | ZeroCERT