9166 | 2023-12-13 17:11
File: Microsoftdecidedtoupdateentire... | MD5: abd08657ab33f8d1fb76b2757c0253b2
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://23.94.239.93/3121/microsoftdecided.vbs
Hosts (4):
  uploaddeimagens.com.br (104.21.45.138) - malware
  23.94.239.93 - malicious
  121.254.136.18
  172.67.215.45 - malware
Alerts (2):
  ET INFO Dotted Quad Host VBS Request
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 35 | ZeroCERT
9167 | 2023-12-13 17:22
File: microsoftdecided.vbs | MD5: 191f2509a2a2ee5ca560be4cf1baccd7
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941
  http://23.94.239.93/3121/HTC.txt
Hosts (3):
  uploaddeimagens.com.br (104.21.45.138) - malware
  23.67.53.27
  172.67.215.45 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | | 5 | ZeroCERT
9168 | 2023-12-13 17:22
File: microsoftcachedelete.vbs | MD5: a69d043d32d4ac372b3901a54dc231d9
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941
  http://188.127.251.23/1151/HNJ.txt
Hosts (3):
  uploaddeimagens.com.br (172.67.215.45) - malware
  23.67.53.27
  172.67.215.45 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | | 5 | ZeroCERT
9169 | 2023-12-13 18:26
File: microsoftdecidedtoupdateentire... | MD5: 911181c9ce56b902706424dfcc600236
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash Tofsee Windows Exploit DNS crashed
URLs (1):
  http://172.245.208.4/2116/wlanext.exe
Hosts (3):
  www.synergyinnovationgroup.com (65.60.36.22)
  65.60.36.22
  172.245.208.4 - malicious
Alerts (7):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.2 | M | 34 | ZeroCERT
9170 | 2023-12-14 08:00
File: abux.exe | MD5: 34793ade11411172d60e1eacf6c92bfd
Tags: AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs suspicious TLD Tofsee Browser Email ComputerName DNS Software crashed
URLs (1):
  http://apps.identrust.com/roots/dstrootcax3.p7c
Hosts (3):
  gangnam.top (194.36.191.196)
  121.254.136.18
  194.36.191.196 - malicious
Alerts (3):
  ET DNS Query to a *.top domain - Likely Hostile
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | M | 45 | ZeroCERT
9171 | 2023-12-14 08:04
File: PC_Cleaner.exe | MD5: 84326112ddead59fca719ef1d7d87685
Tags: Emotet Sality Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File ftp MZP Format OS Processor Check Lnk Format GIF Format DllRegisterServer dll URL Format DLL PE64 BMP Format Browser Info Stealer VirusTotal Malware Check memory Checks debugger Creates shortcut Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check installed browsers check Tofsee Browser ComputerName DNS crashed
URLs (1):
  https://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png
Hosts (9):
  webtools.avanquest.com (37.59.71.200)
  techsupport.avqtools.com (116.203.251.147)
  www.pchelpsoft.com (104.26.0.116)
  stats.avqtools.com()
  notifications.avqtools.com (116.203.251.147)
  37.59.71.200
  116.203.251.147
  104.26.0.116
  194.36.191.196 - malicious
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | M | 11 | ZeroCERT
9172 | 2023-12-14 10:28
File: ORDER-232112.pdf.js | MD5: ad919f29a6186c40a5bcb76d18803bfb
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1):
  https://grapemundo.com/Apk/good.vbs
Hosts (2):
  grapemundo.com (103.50.163.157) - malicious
  103.50.163.157 - malicious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | | 24 | ZeroCERT
9173 | 2023-12-14 10:28
File: ORDER-232111.pdf.js | MD5: ad919f29a6186c40a5bcb76d18803bfb
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1):
  https://grapemundo.com/Apk/good.vbs
Hosts (2):
  grapemundo.com (103.50.163.157) - malicious
  103.50.163.157 - malicious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | | 24 | ZeroCERT
9174 | 2023-12-14 10:29
File: ORDER-231211.Xls.js | MD5: 516442412f0c621f39abd64b645f587c
Tags: VirusTotal Malware VBScript wscript.exe payload download Tofsee Dropper
URLs (1):
  https://nac-ecs.co.mz/onedrive/wp.vbs
Hosts (2):
  nac-ecs.co.mz (144.208.78.130) - malware
  144.208.78.130 - malware
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
10.0 | | 22 | ZeroCERT
9175 | 2023-12-14 19:14
File: agent.exe | MD5: ca2de368c8a4930ce09986cd9f9f2280
Tags: Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware MachineGuid unpack itself Tofsee ComputerName
Hosts (2):
  cs.lvsehacker.com (104.21.59.67)
  172.67.217.152
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1.6 | M | 15 | ZeroCERT
9176 | 2023-12-15 16:22
File: 128.5.14-package.hta | MD5: 715d2502c51eddfd399a63042a259634
Tags: AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
3.8 | | | ZeroCERT
9177 | 2023-12-15 17:45
File: release.rar | MD5: 57ab5e01e6e92d13ae33e587004ad918
Tags: Stealc PrivateLoader Amadey Escalate privileges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Vidar Glupteba Open Directory Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Exploit Browser RisePro DNS Downloader plugin
URLs (62):
  http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591
  http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
  http://91.92.242.146/advdlc.php
  http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
  http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=eight&s=ab - rule_id: 38706
  http://5.42.64.35/timeSync.exe - rule_id: 38593
  http://5.42.64.35/syncUpd.exe - rule_id: 38707
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://api.ipify.org/?format=qwc
  http://185.172.128.19/InstallSetup8.exe
  http://45.15.156.229/api/firegate.php - rule_id: 36052
  http://still.topteamlife.com/order/tuc3.exe
  http://195.20.16.45/api/firegate.php - rule_id: 38697
  http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
  http://77.105.147.130/api/tracemap.php
  http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300
  http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
  http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
  http://91.92.254.7/scripts/plus.php?substr=one&s=two - rule_id: 38706
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
  http://195.20.16.45/api/tracemap.php - rule_id: 38695
  http://zen.topteamlife.com/order/adobe.exe
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://109.107.182.3/dote/film.exe
  http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
  https://vk.com/doc418490229_669576362?hash=2TYLSTWS5p3PwhTNSYwsx2GpGiyOpl6IB17qzZDTTnz&dl=R4angaiywIuZ3iAh5RqnVQxC3TmVWJZOPSt2s7ZkU94&api=1&no_preview=1
  https://vk.com/doc418490229_669536405?hash=R1SzeC40xJ3N84YoN0iXk4AQPRuvygwN5sp4tBfbczD&dl=GXT1bZGxOK19LH7eZCNhRVIcrGJyQCrsbbajDN7XKHk&api=1&no_preview=1#nsd
  https://sun6-20.userapi.com/c909228/u418490229/docs/d36/c87009947661/file141223.bmp?extra=riGpl1sVynSQNy7_56coUnxCg7bnPcMRbuAzvkh_ETAwlmYx6qE_ofcQ65AriUxQcf_ivxfJAJM3YADTPZpm0PQnGOn-nmQ0wfHlZF3X1ntWeFueWSrC0bm4lZU0qKMLHBkZK0r0esUhSSQUng
  https://vk.com/doc418490229_669587219?hash=k77BufzomwcBsW3hPhpz2FEdZyz0nCp5svZgzAhWzX8&dl=GGiKhtZZMwWTM9cPInAZ3ZvsfBC6QLOXzRT6d5aaZ9w&api=1&no_preview=1#xin
  https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=HJmhL06OJea1RlhWWse3wquZZjcLEZaOXFHu4a0VKb0%3D&spr=https&se=2023-12-16T09%3A12%3A02Z&rscl=x-e2eid-07bdf5ea-b89c46ec-8622ba13-cca3d6da-session-bfed46ea-eff3416b-81f720b1-a91cee8f
  https://vk.com/doc418490229_669575350?hash=vKrKQ1LNzfmk5bqDBawqJaSNYy2pPUvsVD8GKsP1go0&dl=bKf2OcMYkQVThifDdutSO1iDmr9BZ1mynSvBZGNDR74&api=1&no_preview=1#tw
  https://sun6-20.userapi.com/c909518/u418490229/docs/d24/8a4941081cf4/xinxin.bmp?extra=MYqii3RlgEdZmDiKshYG4cBuSFt-4I8No-BNWthaqggg8UIboNVqio9EQKvqnDf0IwnpwaqiXtjrufIKCgD54naDTYqQKF7M8ZxG9jgvbLoxaZAboWXtmkjqHzXUIPaO1cX_tjq7DjsuoOVT1Q
  https://sun6-22.userapi.com/c909218/u418490229/docs/d43/33a4d3a867cd/crypted.bmp?extra=7n1p5WXd_XA-frypoGw5NGGcH5ozP0-5aPXvPSGNWJnmWcOQyKm3XmG1A4H78VWMkEfRaxwAsjW6UtarY0Cdk2S00-TlIzTDgoGExJ2V7IUXR3iB7Oq8RmopiHVQh1hv_C_EWlY_STkxOJE2iw
  https://vk.com/doc418490229_669583708?hash=eKiEuBeLlD8AVLZpMr9fKb3Fp25y6PbAZumFOSRz8Ls&dl=Dexpdq6aIxefqfmky79VED88wzPCzbXZWs8AXq2twlc&api=1&no_preview=1#test22
  https://vdfgdfbfdbdfbdfgroup.sbs/setup294.exe
  https://sun6-23.userapi.com/c909228/u418490229/docs/d43/b05f93b34277/irisaCrypt.bmp?extra=4bwsZcK5u5cEEHtMWABs91FQoKbo4zXJ4K4gfYbS4E4umS85yFuk5CBomenrD5NM9YfshQdl03pizbE7teLHEenSIgkV_vvzQNfWHtMMYtg94gK8eT35lVqZ2pCIzmY0OmDluTvvoGpmJj4z5A
  https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
  https://domen414.com/70e35a78e758263ac94805845a3b1aa6/e0cbefcb1af40c7d4aff4aca26621a98.exe
  https://api.myip.com/
  https://msdl.microsoft.com/download/symbols/index2.txt
  https://sun6-23.userapi.com/c909418/u418490229/docs/d39/c8967eb6f89d/PLmp.bmp?extra=4rNxN4-WGW1_vpBEh0yJ7O9mXuWiNiVfzRYTurrDDQ4puTpR49fSpaHI_fGwXIZcMw16OD6BZwIlWibKWNGNRnZP9KdPo-9HxcFrCZFI21fq_QZNl8UoJqh-BFl60eeV8xM1RFT1XYsTNcAO_w
  https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://vk.com/doc418490229_669553328?hash=izexNkT0c9lubTKZrX98Bt9LyqTRtBjqbopnZwLqlgz&dl=ECg5r3GQRknKKixHOxzIu5HdJ3xcDAtCSdybIVtGzGX&api=1&no_preview=1
  https://vk.com/doc418490229_669446288?hash=QFSGrfzK1NpHqTbP7orCKrs6ivw74w9NbUeXT4cVAJ8&dl=scYinNdJ0msbOFLMzJwjxC4aj2UhN7mrdx5bV4i4j1T&api=1&no_preview=1#ww11
  https://vk.com/doc418490229_669446210?hash=BZ9b8Xtsn5Z8zZkSRBEdwF1W7jzCAT8GJBVEicdXS6L&dl=eA4o75IiHafzbkgdBC8nz7TmLS7uMpwJRsfDOcAnrqD&api=1&no_preview=1
  https://iplis.ru/1Gemv7.mp3
  https://sun6-22.userapi.com/c909618/u418490229/docs/d42/d3f4cb6b29e6/twointe.bmp?extra=i7uy3fj3_0Ze73YL3gCj-5SBktdI9fvOagbQj0A_MTiUAkHJpynsELLBxOzk_eRHirZQfV0sivxHcLQaU_1LDcnsap5U75nd8N-bK6d_DTLR2JmJwXiur__vcggTugQ_hcATc-qjTcUuqdB49g
  https://api.2ip.ua/geo.json
  https://vk.com/doc418490229_668982322?hash=azDCFq3LKE8SI4FuHIiO9uqD9f0NzgSZGZRfp16uXc8&dl=S8rnCmwvOvSogOT6fxEmoZZvxNehhMMaIfqIZkup0tP&api=1&no_preview=1
  https://sun6-23.userapi.com/c909228/u418490229/docs/d8/82a883d0cb5c/RisePro_1_1.bmp?extra=Khx0S2q1Cc35UHPx2HuaYmrza_MbtEdOxIPETSaulwXUXV1_rOOCqrnbkChic9YVaUB54TG5UV9XzCcFaEMz9Fs-QxMSWyPh49aPdA4i6lnKfYQSEDEtz4wB7t_GWVPlUMDQdldbTLx7Ifly2A
  https://sun6-21.userapi.com/c235131/u418490229/docs/d58/5c0b9e6bfbb0/WWW11_32.bmp?extra=p1oBag1URwphK9fm5j9Jq7YOyeLeYwoTlNXxy-wy5IUdSKAq5VMvZiEdPlIcLVQn8hIZLuRKmCNHWREB57Cexdl8j2qkqFJbyxi0QG7Y6MixRJdPAmBV-XZVChIxLC6qYD1souE3k5cCPKfsSA
  https://mrproper.org/e0cbefcb1af40c7d4aff4aca26621a98.exe
  https://vk.com/doc418490229_669431693?hash=ZJOgiMvcEt67O8ZgIQTPetDJ5TJVWChVj8OP8l7poMo&dl=l8kZtnWtBZ88utyX5ok8hBf0AvLsgVspFPCyrexPZcc&api=1&no_preview=1
  https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=oby3wWHlvYWWrF7NhzaeDiB4De2SzNZjlf1ujeFGLuE%3D&spr=https&se=2023-12-16T09%3A35%3A46Z&rscl=x-e2eid-da202a57-853643ff-8f0c306b-e4a3eb32-session-aa02589a-042c46e7-b900bab6-bb84b0be
  https://sun6-21.userapi.com/c235031/u418490229/docs/d20/3537096df5d0/sdfj34dv.bmp?extra=-wfwzf8mggLUbLw-tDmqqwImNK4Ftwq957DguR_ZMse6BpyI5-rPV6hbhzSG2NwFqlvPZVAflEjl79RMCYIB1POUVIydbhkLkUQ6dr7fGPtpI4ydIkrZ_U79xWEv5Xk1NueG2w6-DwHLIn3DeQ
  https://vk.com/doc418490229_669575445?hash=vrqpipzq5gbIf9ZzlH6eoLxWYY2GVWTdCZyZfEBDU6o&dl=vAwShLyLIswxvXKtspyKZMxVY7MZYQOz2xin63S1bXz&api=1&no_preview=1#1
  https://vk.com/doc418490229_669524169?hash=inQnNfQi9pW3FIKvlWtzgZEF4L0HuZ8DIxxvcU43wrc&dl=fEEIzUN5hJ8zayr8sOcmw911iz7V6Wz6VvyTXKMFcdk&api=1&no_preview=1#risepro
  https://sun6-21.userapi.com/c909328/u418490229/docs/d9/ed7e4b61a950/tmvwr.bmp?extra=8ABSpR5kzOaL11KUTp_YTUz2hMDoCUYwXHxrulWm_E5Qppp5p26G9nQBBugoFJ3FhMkU7aktVviN94njhqhJWc4jj01UDf2oKFiCQ5w1tYtq3ZQaL-VtmQiiv4NSJja4CPGU6aMHn99Tfe6lCg
  https://sun6-20.userapi.com/c909518/u418490229/docs/d9/5e0d43d301bf/BotClient_WWW.bmp?extra=K4Bc2tEiqrN1_FErEK6iFLRLCk66bRPdEIg_NBxdAdEKjqBoH80jch2EATGL5aoZyV0ONQLUKsLO3xWLSK_Dqja2G9_4sN84DzErWXT52ONKiCO1heZTXPBUC44s8QXP0LO8LqIDy-hnCQNaAQ
Hosts (75):
  db-ip.com (104.26.4.15)
  91920b82-9195-455d-9a5f-23f11e556e53.uuid.dumperstats.org (185.82.216.111)
  vanaheim.cn (91.222.236.186) - malicious
  ipinfo.io (34.117.59.81)
  sun6-23.userapi.com (95.142.206.3) - malicious
  medfioytrkdkcodlskeej.net (91.215.85.209) - malware
  server6.dumperstats.org (185.82.216.111)
  api.2ip.ua (172.67.139.220)
  iplogger.org (104.21.4.208) - malicious
  msdl.microsoft.com (204.79.197.219)
  cdn.discordapp.com (162.159.135.233) - malware
  sun6-20.userapi.com (95.142.206.0) - malicious
  sun6-21.userapi.com (95.142.206.1) - malicious
  mrproper.org (104.21.63.180)
  stun1.l.google.com (172.253.56.127)
  zen.topteamlife.com (172.67.138.35)
  walkinglate.com (172.67.212.188) - malware
  api.ipify.org (64.185.227.156)
  zexeq.com (211.53.230.67) - malware
  transfer.sh (144.76.136.153) - malware
  domen414.com (172.67.166.192)
  vsblobprodscussu5shard10.blob.core.windows.net (20.150.38.228)
  iplis.ru (172.67.147.32) - malicious
  still.topteamlife.com (172.67.138.35)
  sun6-22.userapi.com (95.142.206.2) - malicious
  vsblobprodscussu5shard58.blob.core.windows.net (20.150.38.228)
  vdfgdfbfdbdfbdfgroup.sbs (172.67.222.70)
  vk.com (87.240.132.72) - malicious
  api.myip.com (104.26.9.59)
  xmr-asia1.nanopool.org (172.104.165.191) - malicious
  95.142.206.1 - malicious
  5.42.64.35 - malware
  91.92.254.7 - malicious
  91.215.85.209 - malicious
  162.159.135.233 - malware
  104.26.5.15
  172.67.138.35
  172.67.212.188
  23.67.53.27
  104.21.38.114
  104.21.63.180
  45.15.156.187
  172.67.75.163
  34.117.186.192
  185.172.128.19 - malicious
  185.82.216.111
  211.53.230.67 - malware
  121.254.136.18
  91.92.242.146
  87.240.132.67 - malicious
  172.104.165.191 - malicious
  20.150.79.68
  34.117.59.81
  176.113.115.84 - malicious
  194.33.191.60 - malicious
  5.42.64.41 - malicious
  204.79.197.219
  172.253.56.127
  20.150.38.228
  45.15.156.229 - malicious
  194.33.191.102 - malware
  144.76.136.153 - malicious
  172.67.166.192
  195.20.16.45 - malicious
  77.105.147.130
  173.231.16.77
  176.123.10.211 - malicious
  104.21.63.150
  95.142.206.2 - malicious
  172.67.139.220
  95.142.206.0 - malicious
  95.142.206.3 - malicious
  91.222.236.186
  172.67.132.113
  109.107.182.3 - malicious
Alerts (62):
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 20
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET HUNTING Rejetto HTTP File Sever Response
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO TLS Handshake Failure
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
  ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET MALWARE Win32/Stealc Requesting browsers Config from C2
  ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
  ET MALWARE Win32/Stealc Requesting plugins Config from C2
  ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
  ET MALWARE Win32/Stealc Submitting System Information to C2
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET MALWARE Redline Stealer Family Activity (Response)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  ET POLICY External IP Lookup (ipify .org)
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
  ET MALWARE Observed Glupteba CnC Domain (dumperstats .org in TLS SNI)
  ET MALWARE Amadey Bot Activity (POST)
  ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
Rule-matched URLs (12):
  http://5.42.64.41/40d570f44e84a454.php
  http://zexeq.com/test2/get.php
  http://91.92.254.7/scripts/plus.php
  http://5.42.64.35/timeSync.exe
  http://5.42.64.35/syncUpd.exe
  http://45.15.156.229/api/tracemap.php
  http://45.15.156.229/api/firegate.php
  http://195.20.16.45/api/firegate.php
  http://185.172.128.19/ghsdh39s/index.php
  http://91.92.254.7/scripts/plus.php
  http://176.113.115.84:8080/4.php
  http://195.20.16.45/api/tracemap.php
7.6 | M | | ZeroCERT
9178 | 2023-12-18 07:55
File: updater.exe | MD5: 6f0e94c80d8b9c98ea75bff456eff5a2
Tags: Gen1 Generic Malware UPX Antivirus Malicious Library PE32 PE File ftp DLL PE64 OS Processor Check ZIP Format Cryptocurrency Miner Malware Cryptocurrency powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key CoinMiner
URLs (1):
  http://94.156.71.160/carsalepanel/api/endpoint.php - rule_id: 38536
Hosts (7):
  xmr.2miners.com (162.19.139.184) - malicious
  pool.hashvault.pro (125.253.92.50) - malicious
  pastebin.com (104.20.68.143) - malicious
  162.19.139.184 - malicious
  131.153.76.130 - malicious
  94.156.71.160 - malicious
  104.20.67.143 - malicious
Alerts (3):
  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
  ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
Rule-matched URLs (1):
  http://94.156.71.160/carsalepanel/api/endpoint.php
6.6 | M | | ZeroCERT
9179 | 2023-12-18 09:46
File: microsoftdecidedtodeleteentire... | MD5: 066232099ba8df43942395e4ebfa39a2
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed
URLs (1):
  http://172.245.208.4/3456/wlanext.exe
Hosts (3):
  www.synergyinnovationgroup.com (65.60.36.22) - malicious
  65.60.36.22 - malicious
  172.245.208.4 - malicious
Alerts (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 34 | ZeroCERT
9180 | 2023-12-18 09:55
File: Microsoftupgradedtechnologytoe... | MD5: 27447785fd8cb3c3f48f90e09a0c15c2
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://91.92.253.11/hotcock.vbs
  https://paste.ee/d/xuQTc
Hosts (6):
  paste.ee (104.21.84.67) - malicious
  uploaddeimagens.com.br (104.21.45.138) - malware
  182.162.106.33 - malware
  104.21.84.67 - malware
  91.92.253.11 - malware
  172.67.215.45 - malware
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host VBS Request
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
4.6 | M | 33 | ZeroCERT
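Most of the network alerts in the records above key on simple URL features: a script or PE fetched from a bare IP (ET INFO Dotted Quad Host VBS Request, ET INFO Executable Download from dotted-quad Host, ET INFO Dotted Quad Host DLL Request), the Firefox/Chromium support DLLs a credential stealer pulls after check-in (the ET HUNTING HTTP GET Request for sqlite3.dll / nss3.dll / freebl3.dll / mozglue.dll / softokn3.dll / vcruntime140.dll alerts), external IP lookups (ipify.org, api.myip.com, 2ip.ua, ipinfo.io, iplogger.org), coin-mining pools (nanopool.org, hashvault.pro, 2miners.com) and paste or file-sharing hosts used for staging (paste.ee, transfer.sh, cdn.discordapp.com). The script below is an added example written for this page; it is not ZeroCERT's code and does not reproduce the Emerging Threats rule bodies. It splits the page's space-joined URL field (dropping the "- rule_id: N" suffixes) and applies the editor's own approximations of those alert families to URLs copied from records 9166, 9177 and 9178. The extension and domain lists are assumptions chosen from what these records show, not a complete threat list.

```python
"""Heuristic URL triage mirroring the ET alert families on this page.
Added example; the rules are the editor's simplifications, not ET rule bodies."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed lists, chosen from what the records on this page show.
SCRIPT_EXT = (".vbs", ".hta", ".js", ".ps1")
BINARY_EXT = (".exe", ".dll")
# DLLs fetched by browser-credential stealers to decrypt Firefox/Chromium stores.
STEALER_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "nss3.dll",
                "softokn3.dll", "vcruntime140.dll", "msvcp140.dll"}
IP_LOOKUP_DOMAINS = {"api.ipify.org", "api.myip.com", "api.2ip.ua", "ipinfo.io",
                     "iplogger.org", "db-ip.com"}
MINING_POOL_DOMAINS = {"nanopool.org", "hashvault.pro", "2miners.com"}
FILE_SHARING_DOMAINS = {"paste.ee", "transfer.sh", "cdn.discordapp.com",
                        "vk.com", "userapi.com"}


def _is_dotted_quad(host: str) -> bool:
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def _in_domain_set(host: str, domains: set[str]) -> bool:
    """True when host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url: str) -> list[str]:
    """Return zero or more heuristic labels for one URL, in a fixed order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.lower().rsplit("/", 1)[-1]
    labels: list[str] = []
    if _is_dotted_quad(host):
        if filename.endswith(SCRIPT_EXT):
            labels.append("dotted-quad script request")
        elif filename.endswith(BINARY_EXT):
            labels.append("dotted-quad executable download")
        elif filename.endswith(".php"):
            labels.append("dotted-quad PHP endpoint (possible C2 check-in)")
    if filename in STEALER_DLLS:
        labels.append("infostealer support DLL fetch")
    if _in_domain_set(host, IP_LOOKUP_DOMAINS):
        labels.append("external IP lookup")
    if _in_domain_set(host, MINING_POOL_DOMAINS):
        labels.append("mining pool")
    if _in_domain_set(host, FILE_SHARING_DOMAINS):
        labels.append("file-sharing / paste host used for payload staging")
    return labels


def split_url_field(field: str) -> list[str]:
    """Split the page's space-joined URL field, dropping '- rule_id: N' suffixes."""
    cleaned = re.sub(r"\s+-\s+rule_id:\s*\d+", "", field)
    return [u for u in cleaned.split() if u.startswith(("http://", "https://"))]


def summarize(field: str) -> dict[str, list[str]]:
    """Group matching URLs by label: {label: [urls in field order]}."""
    groups: dict[str, list[str]] = defaultdict(list)
    for url in split_url_field(field):
        for label in classify_url(url):
            groups[label].append(url)
    return dict(groups)


# Constructed sample: URLs copied from records 9166, 9177 and 9178 above.
SAMPLE_FIELD = (
    "http://apps.identrust.com/roots/dstrootcax3.p7c "
    "http://23.94.239.93/3121/microsoftdecided.vbs "
    "http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591 "
    "http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll "
    "http://5.42.64.35/timeSync.exe - rule_id: 38593 "
    "http://api.ipify.org/?format=qwc "
    "https://api.2ip.ua/geo.json "
    "https://vdfgdfbfdbdfbdfgroup.sbs/setup294.exe "
    "http://94.156.71.160/carsalepanel/api/endpoint.php - rule_id: 38536"
)

if __name__ == "__main__":
    for label, urls in sorted(summarize(SAMPLE_FIELD).items()):
        print(f"{label}:")
        for u in urls:
            print(f"  {u}")
```

Two things the output makes visible that the flat alert list does not: the same URL can carry several labels (the sqlite3.dll fetch from 5.42.64.41 is both a dotted-quad PE download and a stealer DLL fetch, which is why record 9177 fires both ET INFO Dotted Quad Host DLL Request and the ET HUNTING sqlite3.dll alert), and the one URL present in almost every record, apps.identrust.com/roots/dstrootcax3.p7c, gets no label at all; that is Windows fetching the IdenTrust root during certificate chain building and should not be lifted out of these records as an indicator. A named-host download such as setup294.exe from a .sbs domain also gets nothing here; that case is covered on the page by the separate suspicious-TLD tag, not by any of these URL heuristics.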