Sandbox task listing. Each record gives: task ID | submitted | submitter; sample name and MD5; signature tags; URLs; contacted hosts (with the reputation label the sandbox attached, where it did); Suricata alerts; rule-matched URLs; score | flag | detections. Counts in parentheses are the listing's own column counts.

9181 | 2023-12-18 10:03 | submitter: ZeroCERT
Sample: microsoftprofiledeletedhistory... | MD5 b2acb6f83affabe12ebf11bade4940de
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed
URLs (1):
  http://198.46.178.135/3590/wlanext.exe
Hosts (3):
  www.magssin.com(167.86.119.6)
  167.86.119.6
  198.46.178.135 - malware
Suricata alerts (7):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs: -
Score: 3.6 | Flag: M | Detections: -

9182 | 2023-12-18 10:07 | submitter: ZeroCERT
Sample: film.exe | MD5 da044811ca4ac1cc04b14153dccbbf37
Tags: Themida Packer Generic Malware UPX PE32 PE File .NET EXE Lnk Format GIF Format DLL OS Processor Check ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder VMware anti-virtualization IP Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://ipinfo.io/widget/demo/175.208.134.152
Hosts (4):
  ipinfo.io(34.117.186.192)
  91.92.249.253
  23.209.95.51
  34.117.186.192
Suricata alerts (7):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
Rule-matched URLs: -
Score: 17.6 | Flag: M | Detections: -

9183 | 2023-12-18 10:28 | submitter: ZeroCERT
Sample: hotcock.vbs | MD5 eb4e97fbd44e49363137ec846b846271
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (5):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/xuQTc - rule_id: 38842
  https://paste.ee/d/xuQTc
  https://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175
  http://91.92.253.11/pedofilebase6444444.jpg
Hosts (5):
  paste.ee(172.67.187.200) - mailcious
  uploaddeimagens.com.br(172.67.215.45) - malware
  182.162.106.33 - malware
  104.21.84.67 - malware
  172.67.215.45 - malware
Suricata alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: 1
Score: 9.0 | Flag: - | Detections: 3

9184 | 2023-12-19 07:35 | submitter: ZeroCERT
Sample: plugmanzx.exe | MD5 3e76e206fa47934466616d05600d8caf
Tags: AgentTesla Formbook PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger
URLs: -
Hosts (2):
  api.ipify.org(173.231.16.77)
  173.231.16.77
Suricata alerts (4):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO TLS Handshake Failure
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 10.8 | Flag: - | Detections: -

9185 | 2023-12-19 12:21 | submitter: ZeroCERT
Sample: Updationavailableformisofficet... | MD5 1990c5debf314b3860557e285f8c00ac
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://23.94.239.93/2355/microsoftprofile.vbs
  https://paste.ee/d/o8Evr
Hosts (6):
  paste.ee(172.67.187.200) - mailcious
  uploaddeimagens.com.br(172.67.215.45) - malware
  23.94.239.93 - mailcious
  104.21.84.67 - malware
  104.21.45.138 - malware
  182.162.106.144
Suricata alerts (3):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host VBS Request
Rule-matched URLs: -
Score: 4.6 | Flag: M | Detections: 34

9186 | 2023-12-19 18:35 | submitter: ZeroCERT
Sample: microsoftprofile.vbs | MD5 7469ff142c0075494c1225977f91ddf5
Tags: Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (4):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/o8Evr
  https://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175
  http://23.94.239.93/2544/MJB.txt
Hosts (5):
  paste.ee(172.67.187.200) - mailcious
  uploaddeimagens.com.br(172.67.215.45) - malware
  104.21.84.67 - malware
  121.254.136.18
  104.21.45.138 - malware
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
Rule-matched URLs: -
Score: 9.0 | Flag: - | Detections: 3

9187 | 2023-12-20 07:48 | submitter: ZeroCERT
Sample: alex.exe | MD5 794fc2da25b437ba1f88c2276b336c4d
Tags: AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
URLs: -
Hosts (2):
  api.ipify.org(64.185.227.156)
  64.185.227.156
Suricata alerts (4):
  ET INFO TLS Handshake Failure
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 9.6 | Flag: M | Detections: -

9188 | 2023-12-20 07:51 | submitter: ZeroCERT
Sample: spfasiazx.exe | MD5 89ebe827b46d7e08adb6aa47e3761fed
Tags: Formbook PWS AntiDebug AntiVM PE32 PE File .NET EXE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed
URLs: -
Hosts (2):
  spf-asia.com(185.38.151.11)
  185.38.151.11 - malware
Suricata alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 10.2 | Flag: - | Detections: -

9189 | 2023-12-20 23:29 | submitter: guest
Sample: https://www.luxuryshield.org/?...
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (3):
  https://www.luxuryshield.org/?__cf_chl_tk=MzoipA0JWISUjOClHcsQwKUHXueBNC8cKT_tsGH.M2s-1702993100-0-gaNycGzNDaU
  https://www.luxuryshield.org/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=83888fe87ed83149
  https://www.luxuryshield.org/cdn-cgi/styles/challenges.css
Hosts (2):
  www.luxuryshield.org(172.67.149.231)
  172.67.149.231
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: -
Score: 4.2 | Flag: - | Detections: -

9190 | 2023-12-21 07:59 | submitter: ZeroCERT
Sample: Microsoftdigitalwallettechnolo... | MD5 f306b23f34ca0c9d62c74d45f399d21a
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed
URLs (1):
  http://172.245.208.4/2546/wlanext.exe
Hosts (3):
  www.synergyinnovationgroup.com(65.60.36.22) - mailcious
  65.60.36.22 - mailcious
  172.245.208.4 - mailcious
Suricata alerts (7):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs: -
Score: 3.6 | Flag: M | Detections: -

9191 | 2023-12-21 17:09 | submitter: guest
Sample: file.rar | MD5 6b0f8a62bc4fec439739c021445942f5
Tags: Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Open Directory Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Exploit RisePro DNS
URLs (52):
  http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591
  http://45.15.156.229/api/bing_release.php
  http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=XvW4AHeGTk9BJBAfrMTJoSzL.exe&platform=0009&osver=5&isServer=0
  http://77.105.147.130/api/bing_release.php
  http://45.15.156.229/api/flash.php
  http://109.107.182.3/hugo/rest.exe
  http://195.20.16.45/api/tracemap.php - rule_id: 38695
  http://185.172.128.19/latestbuild.exe
  http://zen.topteamlife.com/order/adobe.exe - rule_id: 38815
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
  http://5.42.64.35/timeSync.exe - rule_id: 38593
  http://77.105.147.130/api/flash.php
  https://vk.com/doc418490229_669821688?hash=we6BBhNerpmPCN87ImRmGXGmmNbiwaqIUE7eoga2Rxz&dl=LWFkeguGbB1zYgia1ntLjueUZO6Xo4LDzp1kwruth9L&api=1&no_preview=1#xin
  https://www.youtube.com/favicon.ico
  https://vk.com/doc418490229_669837378?hash=MnOFxJ6eziq0VhVwK1AJSav5Kza1nVE2q1ZBBZcGWRL&dl=9KbYwSMouDRxKm0lIB9Xdq82AMZkYdJZEamMlGg5LMk&api=1&no_preview=1#rise
  https://sun6-20.userapi.com/c909518/u418490229/docs/d22/f9bc9c314f2c/tmvwr.bmp?extra=sd0_DwktE5ym3xM-aWd3PZcQQNFY6bp3WQ5VsGllmzEMFAtmw-OyqM1eVt928NFsxWs8QHb0HsGHash_oEI6n1gh9vXdV5kFD25RzEbF90zM7p_djCfq8EJQwnCi2W-JCJQnyO9B9LG4J3GX6Q
  https://db-ip.com/demo/home.php?s=175.208.134.152
  https://ipinfo.io/widget/demo/175.208.134.152
  https://www.youtube.com/img/desktop/supported_browsers/edgium.png
  https://vk.com/doc418490229_669809323?hash=kP50PMPFZEp4LI0jKiDZoizq5f0DkvKaUhxGOocg9Dc&dl=ef8AbWt2wxR8jCnafScstynLK9c6NAExi1czT8Aj7RP&api=1&no_preview=1
  https://sun6-22.userapi.com/c909618/u418490229/docs/d43/4b059ba24311/jhiu.bmp?extra=l0kdKyMk_DE9orYnqcSfbjthykugKl64jxq49hWPbhbXCcBf17Opbad2ORHF8yf8kRcMyLmMAybNcazH2et0SNJTgFMvZStMaLIbhHdbSId_FkJfmDNSVrAo-6Kc03ssHd6raxj3iG2283Flmg
  https://iplis.ru/1cC8u7.mp3
  https://sun6-21.userapi.com/c909218/u418490229/docs/d10/086e039362d4/PL_p.bmp?extra=8F7qp6YQkCH8wV9nhVMbtZ1UkuuPcor_TcnOSrWG7itioGOoY6UpVTsjlY1C5ovb0TjNeuPFvln5OAEgHQIcB_9HA0EVPtSQVuaz_uQw3lZoDp8_oj9TWMoGkawFPDu_w_CVdmKaxp-_bS1jNA
  https://fonts.googleapis.com/css?family=Roboto:400,500
  https://sun6-23.userapi.com/c909328/u418490229/docs/d37/be767eccf01d/file191223.bmp?extra=8RxI2JAEk2k-tJfACQF-UAFNz5Ph76gpPikca1Ji9eC1di9N5P2da5-yC6h9er6-4brijf2n62vHQGnXQhxdtuJjS74PHA77wi2uQuN6d9lvY8lqxtaYsbdzd0Z2rYvaf2_icqKb3Hg2vVXsAA
  https://DCFSDFDS2FDHFGJ.SBS/setup294.exe
  https://vk.com/doc418490229_669810929?hash=moVJunUKZjhyRMc0xySkXZHSaBAL88Cc1tupiMvEEwT&dl=b94zGjzpuQj7BaXz8O1vo6cCAGPlVcVsAKcnHpZ2xlP&api=1&no_preview=1#1
  https://sun6-21.userapi.com/c909628/u418490229/docs/d52/f159185b6992/BotClients.bmp?extra=slFJ7cnAm4zJ31a8gA__JV7O6Upb3oLdzWCe_2xEmcxJ-iI-vPMhq7NnhDvLjuBsukj5w8rFgXcq3blNonFLqp_PbuM_tRhTHH7rkMm_ZTCxE4XHG6L6mcES_3a2bym1Cd_D5PjIOHzO9wRCnA
  https://vk.com/doc418490229_669807321?hash=VxBEaHVIT9bEVMzjUs6ZDaUDkTBi1A9bgCEvJPTLeKs&dl=ccjZxaprGX6O639lCOjRrkV8Wz9PFe6NB5IDGXdR71o&api=1&no_preview=1
  https://vk.com/doc418490229_669653354?hash=l8DHCu4lEp9Sb8CTCk5eithtVIhhbBkli1pjUtPjJNP&dl=7vSjZ36UYD1hlgYVc9MzZLLGmShUHLSQatIOzo7OZBg&api=1&no_preview=1#logger_statistics
  https://www.youtube.com/
  https://vk.com/doc418490229_669783554?hash=BH6rDsCdPWk2J9y1TmstXOZKSIMojhaG8Fw9a8GF3Ps&dl=gYknZQrp3U8V5VDWqeRDZZgAOIRQPc5uWYpO07u16QT&api=1&no_preview=1#test22
  https://vk.com/doc418490229_669674726?hash=zO6JQAo6iYaXqKxkZ7OtAgZUB0nnLHef5V5H7iZ0Erg&dl=V9sXR6aIOgK4znoIV3QEJiCPc0YxrQNplxazvg1DdAs&api=1&no_preview=1
  https://psv4.userapi.com/c237031/u418490229/docs/d30/a2f18a7159cd/Sp.bmp?extra=8t27aDbP5wFBo5a9WsZ_kZ9kOVIEvgcSoR-WyoDH3eR_35CbiWZxGMvLR7K0fHTHPfVpDxBlvQzJxA4aHNSnlH4K-qnSVn4EF_Si-AlL60A3sA0eBI9gwZZPhtvDYp-tVEsJM6NhsfEJQQ0iiQ
  https://sun6-21.userapi.com/c909618/u418490229/docs/d7/3c13fccecb0d/xincz.bmp?extra=ZSt5xRYqy92_IEekhgFvB1qr9i_FtOiNT51g2xpchVZfODaKJSE90n8UupLNci2RG6gzFjeSyxq0Oqb_34_93iJFW1PdnjomJAvx6CNDXguTjcnMryul_TTRv5tXoPVSIcjoOAUrYTtDfWP7TQ
  https://fonts.googleapis.com/css?family=YouTube+Sans:500
  https://www.youtube.com/img/desktop/supported_browsers/chrome.png
  https://vk.com/doc418490229_669753909?hash=WT7APgrulCXZFZTSEvdEhpp2wKrYTIZVouZnBZXB72g&dl=7ei7VkBuvhBOPmO5RJDS1eEOZh0NZgZcXNvjBcCFfJ8&api=1&no_preview=1#ww11
  https://www.youtube.com/img/desktop/supported_browsers/firefox.png
  https://sun6-22.userapi.com/c240331/u418490229/docs/d4/5ba0427424be/WWW11_32.bmp?extra=N-N_wqY1NIwAlVfIR5pYrBcNGu-kwYAzemwNThjJIh_6xOECNLWLQmT5UTWCxQU3irEk4s0tDzSjPFWZEKQav7b9lotmLgJlMtxtS7uhKfr1gWyicC9O0Ot1dTTMTC-uuTl_XLb7ef48c4KGew
  https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
  https://sun6-21.userapi.com/c237031/u418490229/docs/d18/6b546154631b/sdfhj8s.bmp?extra=C_vJLuNWCRIppkkIF6WUoUokqmaeSJqMBjrt4zjg9VnJyJhAvki5z7wZk_JX5JGRJKeGSeM8y6i0C_GOFaYmVyRvRed1FQFM0q1Kou5v6rtOgAt69h0BIEgojXsd2TuTOShLu8kzbNqW-2g7rw
  https://vk.com/doc418490229_669637079?hash=VdguLglaUQxQEWy7OPzp09fMiy3JG1498Od7lJ6mEhw&dl=Z0vdo01g0fZfW08T5s4JBiEH2UzpBHOBxg4Yxkx8vU4&api=1&no_preview=1
  https://api.2ip.ua/geo.json
  https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
  https://sun6-23.userapi.com/c237231/u418490229/docs/d12/ececed6be1fb/LG.bmp?extra=pLNgfOmTCOoCaYarwpdyTYgqNb4VBMyPeCK1ctoGNIrUiMRz2sgnoXwnnCBPcRPNVWfRTkA0kvj3KpSooKOvyYdyemYk3kUC3gIdzVA1LdoEQVTtDW9ybLvdgW8VLXHZ3cEBSJgo8-VWwXgr8A
  https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
  https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
  https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
  https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
  https://www.youtube.com/img/desktop/supported_browsers/opera.png
Hosts (62):
  fonts.googleapis.com(172.217.26.234)
  db-ip.com(104.26.5.15)
  ipinfo.io(34.117.186.192)
  sun6-23.userapi.com(95.142.206.3) - mailcious
  medfioytrkdkcodlskeej.net(91.215.85.209) - malware
  psv4.userapi.com(87.240.137.134)
  learn.microsoft.com(104.76.76.50)
  api.2ip.ua(172.67.139.220)
  iplogger.org(172.67.132.113) - mailcious
  cdn.discordapp.com(162.159.134.233) - malware
  sun6-20.userapi.com(95.142.206.0) - mailcious
  sun6-21.userapi.com(95.142.206.1) - mailcious
  zen.topteamlife.com(172.67.138.35) - malware
  www.youtube.com(142.250.207.46) - mailcious
  bitbucket.org(104.192.141.1) - malware
  fonts.gstatic.com(172.217.25.163)
  zexeq.com(175.120.254.9) - malware
  www.linkedin.com(13.107.42.14)
  api.myip.com(172.67.75.163)
  sun6-22.userapi.com(95.142.206.2) - mailcious
  vk.com(87.240.132.67) - mailcious
  dcfsdfds2fdhfgj.sbs(104.21.25.43)
  iplis.ru(104.21.63.150) - mailcious
  95.142.206.1 - mailcious
  5.42.64.35 - malware
  162.159.133.233 - malware
  13.107.42.14 - phishing
  195.20.16.188
  172.67.138.35 - malware
  104.21.4.208
  142.250.204.142
  142.251.220.99
  172.67.75.163
  34.117.186.192
  185.172.128.19 - mailcious
  91.215.85.209 - mailcious
  189.232.1.60
  91.92.249.253 - mailcious
  5.42.64.41 - mailcious
  194.33.191.60 - mailcious
  104.26.8.59
  104.76.76.50
  172.67.222.173
  172.67.147.32
  193.233.132.67
  61.111.58.34 - malware
  87.240.137.134
  172.67.75.166
  194.33.191.102 - malware
  104.192.141.1 - mailcious
  195.20.16.45 - mailcious
  77.105.147.130
  142.250.204.138
  45.15.156.229 - mailcious
  193.42.33.14 - malware
  87.240.137.164 - mailcious
  95.142.206.3 - mailcious
  95.142.206.2 - mailcious
  172.67.139.220
  95.142.206.0 - mailcious
  87.240.132.72 - mailcious
  109.107.182.3 - mailcious
Suricata alerts (35):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
  ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
  SURICATA Applayer Mismatch protocol both directions
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET INFO Executable Download from dotted-quad Host
  ET HUNTING Rejetto HTTP File Sever Response
  ET INFO Packed Executable Download
  ET INFO TLS Handshake Failure
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
  ET INFO Microsoft net.tcp Connection Initialization Activity
  ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
  ET POLICY External IP Address Lookup DNS Query (2ip .ua)
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE Redline Stealer Family Activity (Response)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
Rule-matched URLs (5):
  http://5.42.64.41/40d570f44e84a454.php
  http://195.20.16.45/api/tracemap.php
  http://zen.topteamlife.com/order/adobe.exe
  http://zexeq.com/test2/get.php
  http://5.42.64.35/timeSync.exe
Score: 5.2 | Flag: M | Detections: -

9192 | 2023-12-22 08:08 | submitter: ZeroCERT
Sample: rest.exe | MD5 7e267bec235e3a97a82cbc14780e5af1
Tags: Themida Packer Malicious Library Admin Tool (Sysinternals etc ...) UPX Anti_VM AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check PNG Format ZIP Format MSOffice File DLL JPEG Format Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder VMware anti-virtualization IP Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName Firmware DNS Cryptographic key Software crashed
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://ipinfo.io/widget/demo/175.208.134.152
Hosts (6):
  ipinfo.io(34.117.186.192)
  www.linkedin.com(13.107.42.14)
  34.117.186.192
  121.254.136.18
  13.107.42.14 - phishing
  91.92.249.253 - mailcious
Suricata alerts (7):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
Rule-matched URLs: -
Score: 20.0 | Flag: - | Detections: 54

9193 | 2023-12-22 08:13 | submitter: ZeroCERT
Sample: build2.exe | MD5 e23c839edb489081120befe1e44b04db
Tags: Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File OS Processor Check VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted WMI unpack itself malicious URLs Tofsee ComputerName Remote Code Execution DNS crashed
URLs (1):
  https://steamcommunity.com/profiles/76561199583900422
Hosts (5):
  t.me(149.154.167.99) - mailcious
  steamcommunity.com(104.76.78.101) - mailcious
  149.154.167.99 - mailcious
  104.76.78.101 - mailcious
  95.216.178.71
Suricata alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
Rule-matched URLs: -
Score: 11.0 | Flag: - | Detections: 58

9194 | 2023-12-22 15:00 | submitter: ZeroCERT
Sample: OperaGXSetup.exe | MD5 46431992aa566007949fc4acbc058856
Tags: Generic Malware PE32 PE File VirusTotal Malware Malicious Traffic unpack itself Tofsee ComputerName
URLs (1):
  http://www.msk-post.com/server/init.php
Hosts (2):
  www.msk-post.com(91.228.225.55)
  91.228.225.55
Suricata alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 3.2 | Flag: M | Detections: 47

9195 | 2023-12-23 03:12 | submitter: guest
Sample: SHIPMENT.html | MD5 eee94ac7a87b9751276ff8a8f2dd1545
Tags: AntiDebug AntiVM MSOffice File PNG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1):
  https://i.gyazo.com/4522caeb250b902767ea9d7dbee510fb.png
Hosts (2):
  i.gyazo.com(104.18.25.163)
  104.18.25.163
Suricata alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: -
Score: 3.8 | Flag: - | Detections: -
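Two things in this listing matter when turning it into indicators. First, the host, URL and alert columns are space-joined strings in which a trailing " - malware" / " - mailcious" / " - phishing" binds to the preceding host and " - rule_id: N" binds to the preceding URL, so they have to be walked token by token rather than split on whitespace. Second, "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)" appears on every one of the fifteen tasks above, including the Opera GX installer (9194) and a URL task whose only traffic is a Cloudflare challenge page (9189); an alert that fires regardless of the sample is background from the analysis environment, not evidence about the sample, and should not drive a verdict. The following is an added example (my own code, not the sandbox's) that parses those three fields and drops alerts common to every task before reporting indicators. The field strings are copied verbatim from tasks 9181, 9183 and 9194; the TASKS dict layout and the Host/triage names are assumptions of this example, not the sandbox's export format.

```python
"""Parse the raw host, URL and Suricata fields of the task listing above
and separate sample-specific indicators from alerts that fire on every task.

Added example, not the sandbox's own code. Field strings are copied verbatim
from tasks 9181, 9183 and 9194; the TASKS layout is a hand-built stand-in
for the listing's columns, not the sandbox's export format."""
import re
from dataclasses import dataclass
from typing import Optional

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# one host token as the listing prints it: "name(ip)", "name" or "ip"
HOST = re.compile(r"^([^()\s]+?)(?:\((\d{1,3}(?:\.\d{1,3}){3})\))?$")
# alert names are space-joined; the ruleset prefix that starts each name
# is the only reliable split point
ALERT_SPLIT = re.compile(r"\s+(?=(?:ET [A-Z_]+ |SSLBL: |SURICATA ))")
# reputation labels the listing attaches ("mailcious" is its own spelling)
BAD_TAGS = {"malware", "mailcious", "phishing"}


@dataclass(frozen=True)
class Host:
    name: Optional[str]   # DNS name; None for a bare IP entry
    ip: Optional[str]
    tag: Optional[str]    # reputation label, if the listing attached one


def parse_hosts(field: str) -> list:
    """Walk the host field; ' - <tag>' binds to the preceding entry."""
    toks, out, i = field.split(), [], 0
    while i < len(toks):
        m = HOST.match(toks[i])
        name, ip = (m.group(1), m.group(2)) if m else (toks[i], None)
        if ip is None and IPV4.match(name):
            name, ip = None, name
        tag = None
        if i + 2 < len(toks) and toks[i + 1] == "-":
            tag, i = toks[i + 2], i + 3
        else:
            i += 1
        out.append(Host(name, ip, tag))
    return out


def parse_urls(field: str) -> list:
    """Return (url, rule_id) pairs; rule_id is None unless the listing
    appended ' - rule_id: N' to the URL."""
    toks, out, i = field.split(), [], 0
    while i < len(toks):
        url, rule = toks[i], None
        if i + 3 < len(toks) and toks[i + 1] == "-" and toks[i + 2] == "rule_id:":
            rule, i = int(toks[i + 3]), i + 4
        else:
            i += 1
        out.append((url, rule))
    return out


def parse_alerts(field: str) -> list:
    return [a for a in ALERT_SPLIT.split(field.strip()) if a]


# Constructed from the listing: task id -> raw fields as printed above.
TASKS = {
    9181: {
        "urls": "http://198.46.178.135/3590/wlanext.exe",
        "hosts": "www.magssin.com(167.86.119.6) 167.86.119.6 198.46.178.135 - malware",
        "alerts": "ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response",
    },
    9183: {
        "urls": "https://paste.ee/d/xuQTc - rule_id: 38842 https://paste.ee/d/xuQTc https://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175",
        "hosts": "paste.ee(172.67.187.200) - mailcious uploaddeimagens.com.br(172.67.215.45) - malware 182.162.106.33 - malware 104.21.84.67 - malware 172.67.215.45 - malware",
        "alerts": "ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
    9194: {
        "urls": "http://www.msk-post.com/server/init.php",
        "hosts": "www.msk-post.com(91.228.225.55) 91.228.225.55",
        "alerts": "ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
}


def baseline_alerts(tasks: dict) -> set:
    """Alerts raised by every task regardless of sample. For this listing
    that is the SSLBL JA3 (Tofsee) hit: treat it as background, not a verdict."""
    sets = [set(parse_alerts(t["alerts"])) for t in tasks.values()]
    return set.intersection(*sets) if sets else set()


def triage(task: dict, baseline: set) -> dict:
    """Indicators worth acting on: hosts the listing labelled bad, URLs that
    matched a rule, and alerts not explained by the sandbox baseline."""
    hosts = parse_hosts(task["hosts"])
    return {
        "flagged_hosts": sorted((h.name or h.ip) for h in hosts if h.tag in BAD_TAGS),
        "rule_hits": sorted(u for u, r in parse_urls(task["urls"]) if r is not None),
        "alerts": [a for a in parse_alerts(task["alerts"]) if a not in baseline],
    }


if __name__ == "__main__":
    base = baseline_alerts(TASKS)
    print("baseline alerts (ignored):", sorted(base))
    for tid, task in TASKS.items():
        print(tid, triage(task, base))
```

With the three tasks loaded, the only baseline alert is the SSLBL JA3 hit; 9194 is left with nothing but a TLS handshake failure and no flagged hosts, while 9183 keeps its four labelled hosts, the paste.ee rule match and the pastebin-service policy alert. Feed more records in and the intersection shrinks to exactly the alerts the environment produces on its own, which is the set to suppress before scoring.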