| 9181 |
2023-12-18 10:03
|
microsoftprofiledeletedhistory... b2acb6f83affabe12ebf11bade4940de
MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Windows Exploit DNS crashed |
1
http://198.46.178.135/3590/wlanext.exe
|
3
www.magssin.com(167.86.119.6)
167.86.119.6
198.46.178.135 - malware
|
7
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9182 |
2023-12-18 10:07
|
 film.exe da044811ca4ac1cc04b14153dccbbf37
Themida Packer Generic Malware UPX PE32 PE File .NET EXE Lnk Format GIF Format DLL OS Processor Check ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder VMware anti-virtualization IP Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution Firmware DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://ipinfo.io/widget/demo/175.208.134.152
|
4
ipinfo.io(34.117.186.192)
91.92.249.253
23.209.95.51
34.117.186.192
|
7
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
|
|
17.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9183 |
2023-12-18 10:28
|
hotcock.vbs eb4e97fbd44e49363137ec846b846271
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
5
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/xuQTc - rule_id: 38842
https://paste.ee/d/xuQTc
https://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175
http://91.92.253.11/pedofilebase6444444.jpg
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.33 - malware
104.21.84.67 - malware
172.67.215.45 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
|
9.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9184 |
2023-12-19 07:35
|
 plugmanzx.exe 3e76e206fa47934466616d05600d8caf
AgentTesla Formbook PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
2
api.ipify.org(173.231.16.77)
173.231.16.77
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9185 |
2023-12-19 12:21
|
Updationavailableformisofficet... 1990c5debf314b3860557e285f8c00ac
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted RWX flags setting exploit crash Tofsee Exploit DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://23.94.239.93/2355/microsoftprofile.vbs
https://paste.ee/d/o8Evr
|
6
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
23.94.239.93 - mailcious
104.21.84.67 - malware
104.21.45.138 - malware
182.162.106.144
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9186 |
2023-12-19 18:35
|
microsoftprofile.vbs 7469ff142c0075494c1225977f91ddf5
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/o8Evr
https://uploaddeimagens.com.br/images/004/689/631/original/new_image.jpg?1702461175
http://23.94.239.93/2544/MJB.txt
|
5
paste.ee(172.67.187.200) - mailcious
uploaddeimagens.com.br(172.67.215.45) - malware
104.21.84.67 - malware
121.254.136.18
104.21.45.138 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
9.0 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9187 |
2023-12-20 07:48
|
 alex.exe 794fc2da25b437ba1f88c2276b336c4d
AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(64.185.227.156)
64.185.227.156
|
4
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9188 |
2023-12-20 07:51
|
 spfasiazx.exe 89ebe827b46d7e08adb6aa47e3761fed
Formbook PWS AntiDebug AntiVM PE32 PE File .NET EXE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces Tofsee Windows ComputerName Cryptographic key crashed |
|
2
spf-asia.com(185.38.151.11)
185.38.151.11 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9189 |
2023-12-20 23:29
|
https://www.luxuryshield.org/?...
Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
https://www.luxuryshield.org/?__cf_chl_tk=MzoipA0JWISUjOClHcsQwKUHXueBNC8cKT_tsGH.M2s-1702993100-0-gaNycGzNDaU
https://www.luxuryshield.org/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=83888fe87ed83149
https://www.luxuryshield.org/cdn-cgi/styles/challenges.css
|
2
www.luxuryshield.org(172.67.149.231)
172.67.149.231
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9190 |
2023-12-21 07:59
|
Microsoftdigitalwallettechnolo... f306b23f34ca0c9d62c74d45f399d21a
MS_RTF_Obfuscation_Objects RTF File doc Malware download Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.4/2546/wlanext.exe
|
3
www.synergyinnovationgroup.com(65.60.36.22) - mailcious
65.60.36.22 - mailcious
172.245.208.4 - mailcious
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9191 |
2023-12-21 17:09
|
file.rar 6b0f8a62bc4fec439739c021445942f5
Stealc Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Open Directory Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Stealc Stealer Windows Discord Exploit RisePro DNS |
52
http://5.42.64.41/40d570f44e84a454.php - rule_id: 38591
http://45.15.156.229/api/bing_release.php
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=XvW4AHeGTk9BJBAfrMTJoSzL.exe&platform=0009&osver=5&isServer=0
http://77.105.147.130/api/bing_release.php
http://45.15.156.229/api/flash.php
http://109.107.182.3/hugo/rest.exe
http://195.20.16.45/api/tracemap.php - rule_id: 38695
http://185.172.128.19/latestbuild.exe
http://zen.topteamlife.com/order/adobe.exe - rule_id: 38815
http://apps.identrust.com/roots/dstrootcax3.p7c
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://5.42.64.35/timeSync.exe - rule_id: 38593
http://77.105.147.130/api/flash.php
https://vk.com/doc418490229_669821688?hash=we6BBhNerpmPCN87ImRmGXGmmNbiwaqIUE7eoga2Rxz&dl=LWFkeguGbB1zYgia1ntLjueUZO6Xo4LDzp1kwruth9L&api=1&no_preview=1#xin
https://www.youtube.com/favicon.ico
https://vk.com/doc418490229_669837378?hash=MnOFxJ6eziq0VhVwK1AJSav5Kza1nVE2q1ZBBZcGWRL&dl=9KbYwSMouDRxKm0lIB9Xdq82AMZkYdJZEamMlGg5LMk&api=1&no_preview=1#rise
https://sun6-20.userapi.com/c909518/u418490229/docs/d22/f9bc9c314f2c/tmvwr.bmp?extra=sd0_DwktE5ym3xM-aWd3PZcQQNFY6bp3WQ5VsGllmzEMFAtmw-OyqM1eVt928NFsxWs8QHb0HsGHash_oEI6n1gh9vXdV5kFD25RzEbF90zM7p_djCfq8EJQwnCi2W-JCJQnyO9B9LG4J3GX6Q
https://db-ip.com/demo/home.php?s=175.208.134.152
https://ipinfo.io/widget/demo/175.208.134.152
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://vk.com/doc418490229_669809323?hash=kP50PMPFZEp4LI0jKiDZoizq5f0DkvKaUhxGOocg9Dc&dl=ef8AbWt2wxR8jCnafScstynLK9c6NAExi1czT8Aj7RP&api=1&no_preview=1
https://sun6-22.userapi.com/c909618/u418490229/docs/d43/4b059ba24311/jhiu.bmp?extra=l0kdKyMk_DE9orYnqcSfbjthykugKl64jxq49hWPbhbXCcBf17Opbad2ORHF8yf8kRcMyLmMAybNcazH2et0SNJTgFMvZStMaLIbhHdbSId_FkJfmDNSVrAo-6Kc03ssHd6raxj3iG2283Flmg
https://iplis.ru/1cC8u7.mp3
https://sun6-21.userapi.com/c909218/u418490229/docs/d10/086e039362d4/PL_p.bmp?extra=8F7qp6YQkCH8wV9nhVMbtZ1UkuuPcor_TcnOSrWG7itioGOoY6UpVTsjlY1C5ovb0TjNeuPFvln5OAEgHQIcB_9HA0EVPtSQVuaz_uQw3lZoDp8_oj9TWMoGkawFPDu_w_CVdmKaxp-_bS1jNA
https://fonts.googleapis.com/css?family=Roboto:400,500
https://sun6-23.userapi.com/c909328/u418490229/docs/d37/be767eccf01d/file191223.bmp?extra=8RxI2JAEk2k-tJfACQF-UAFNz5Ph76gpPikca1Ji9eC1di9N5P2da5-yC6h9er6-4brijf2n62vHQGnXQhxdtuJjS74PHA77wi2uQuN6d9lvY8lqxtaYsbdzd0Z2rYvaf2_icqKb3Hg2vVXsAA
https://DCFSDFDS2FDHFGJ.SBS/setup294.exe
https://vk.com/doc418490229_669810929?hash=moVJunUKZjhyRMc0xySkXZHSaBAL88Cc1tupiMvEEwT&dl=b94zGjzpuQj7BaXz8O1vo6cCAGPlVcVsAKcnHpZ2xlP&api=1&no_preview=1#1
https://sun6-21.userapi.com/c909628/u418490229/docs/d52/f159185b6992/BotClients.bmp?extra=slFJ7cnAm4zJ31a8gA__JV7O6Upb3oLdzWCe_2xEmcxJ-iI-vPMhq7NnhDvLjuBsukj5w8rFgXcq3blNonFLqp_PbuM_tRhTHH7rkMm_ZTCxE4XHG6L6mcES_3a2bym1Cd_D5PjIOHzO9wRCnA
https://vk.com/doc418490229_669807321?hash=VxBEaHVIT9bEVMzjUs6ZDaUDkTBi1A9bgCEvJPTLeKs&dl=ccjZxaprGX6O639lCOjRrkV8Wz9PFe6NB5IDGXdR71o&api=1&no_preview=1
https://vk.com/doc418490229_669653354?hash=l8DHCu4lEp9Sb8CTCk5eithtVIhhbBkli1pjUtPjJNP&dl=7vSjZ36UYD1hlgYVc9MzZLLGmShUHLSQatIOzo7OZBg&api=1&no_preview=1#logger_statistics
https://www.youtube.com/
https://vk.com/doc418490229_669783554?hash=BH6rDsCdPWk2J9y1TmstXOZKSIMojhaG8Fw9a8GF3Ps&dl=gYknZQrp3U8V5VDWqeRDZZgAOIRQPc5uWYpO07u16QT&api=1&no_preview=1#test22
https://vk.com/doc418490229_669674726?hash=zO6JQAo6iYaXqKxkZ7OtAgZUB0nnLHef5V5H7iZ0Erg&dl=V9sXR6aIOgK4znoIV3QEJiCPc0YxrQNplxazvg1DdAs&api=1&no_preview=1
https://psv4.userapi.com/c237031/u418490229/docs/d30/a2f18a7159cd/Sp.bmp?extra=8t27aDbP5wFBo5a9WsZ_kZ9kOVIEvgcSoR-WyoDH3eR_35CbiWZxGMvLR7K0fHTHPfVpDxBlvQzJxA4aHNSnlH4K-qnSVn4EF_Si-AlL60A3sA0eBI9gwZZPhtvDYp-tVEsJM6NhsfEJQQ0iiQ
https://sun6-21.userapi.com/c909618/u418490229/docs/d7/3c13fccecb0d/xincz.bmp?extra=ZSt5xRYqy92_IEekhgFvB1qr9i_FtOiNT51g2xpchVZfODaKJSE90n8UupLNci2RG6gzFjeSyxq0Oqb_34_93iJFW1PdnjomJAvx6CNDXguTjcnMryul_TTRv5tXoPVSIcjoOAUrYTtDfWP7TQ
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://vk.com/doc418490229_669753909?hash=WT7APgrulCXZFZTSEvdEhpp2wKrYTIZVouZnBZXB72g&dl=7ei7VkBuvhBOPmO5RJDS1eEOZh0NZgZcXNvjBcCFfJ8&api=1&no_preview=1#ww11
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://sun6-22.userapi.com/c240331/u418490229/docs/d4/5ba0427424be/WWW11_32.bmp?extra=N-N_wqY1NIwAlVfIR5pYrBcNGu-kwYAzemwNThjJIh_6xOECNLWLQmT5UTWCxQU3irEk4s0tDzSjPFWZEKQav7b9lotmLgJlMtxtS7uhKfr1gWyicC9O0Ot1dTTMTC-uuTl_XLb7ef48c4KGew
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://sun6-21.userapi.com/c237031/u418490229/docs/d18/6b546154631b/sdfhj8s.bmp?extra=C_vJLuNWCRIppkkIF6WUoUokqmaeSJqMBjrt4zjg9VnJyJhAvki5z7wZk_JX5JGRJKeGSeM8y6i0C_GOFaYmVyRvRed1FQFM0q1Kou5v6rtOgAt69h0BIEgojXsd2TuTOShLu8kzbNqW-2g7rw
https://vk.com/doc418490229_669637079?hash=VdguLglaUQxQEWy7OPzp09fMiy3JG1498Od7lJ6mEhw&dl=Z0vdo01g0fZfW08T5s4JBiEH2UzpBHOBxg4Yxkx8vU4&api=1&no_preview=1
https://api.2ip.ua/geo.json
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://sun6-23.userapi.com/c237231/u418490229/docs/d12/ececed6be1fb/LG.bmp?extra=pLNgfOmTCOoCaYarwpdyTYgqNb4VBMyPeCK1ctoGNIrUiMRz2sgnoXwnnCBPcRPNVWfRTkA0kvj3KpSooKOvyYdyemYk3kUC3gIdzVA1LdoEQVTtDW9ybLvdgW8VLXHZ3cEBSJgo8-VWwXgr8A
https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://www.youtube.com/img/desktop/supported_browsers/opera.png
|
62
fonts.googleapis.com(172.217.26.234)
db-ip.com(104.26.5.15)
ipinfo.io(34.117.186.192)
sun6-23.userapi.com(95.142.206.3) - mailcious
medfioytrkdkcodlskeej.net(91.215.85.209) - malware
psv4.userapi.com(87.240.137.134)
learn.microsoft.com(104.76.76.50)
api.2ip.ua(172.67.139.220)
iplogger.org(172.67.132.113) - mailcious
cdn.discordapp.com(162.159.134.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
zen.topteamlife.com(172.67.138.35) - malware
www.youtube.com(142.250.207.46) - mailcious
bitbucket.org(104.192.141.1) - malware
fonts.gstatic.com(172.217.25.163)
zexeq.com(175.120.254.9) - malware
www.linkedin.com(13.107.42.14)
api.myip.com(172.67.75.163)
sun6-22.userapi.com(95.142.206.2) - mailcious
vk.com(87.240.132.67) - mailcious
dcfsdfds2fdhfgj.sbs(104.21.25.43)
iplis.ru(104.21.63.150) - mailcious
95.142.206.1 - mailcious
5.42.64.35 - malware
162.159.133.233 - malware
13.107.42.14 - phishing
195.20.16.188
172.67.138.35 - malware
104.21.4.208
142.250.204.142
142.251.220.99
172.67.75.163
34.117.186.192
185.172.128.19 - mailcious
91.215.85.209 - mailcious
189.232.1.60
91.92.249.253 - mailcious
5.42.64.41 - mailcious
194.33.191.60 - mailcious
104.26.8.59
104.76.76.50
172.67.222.173
172.67.147.32
193.233.132.67
61.111.58.34 - malware
87.240.137.134
172.67.75.166
194.33.191.102 - malware
104.192.141.1 - mailcious
195.20.16.45 - mailcious
77.105.147.130
142.250.204.138
45.15.156.229 - mailcious
193.42.33.14 - malware
87.240.137.164 - mailcious
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
95.142.206.0 - mailcious
87.240.132.72 - mailcious
109.107.182.3 - mailcious
|
35
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Rejetto HTTP File Sever Response
ET INFO Packed Executable Download
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE Redline Stealer Family Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
|
5
http://5.42.64.41/40d570f44e84a454.php
http://195.20.16.45/api/tracemap.php
http://zen.topteamlife.com/order/adobe.exe
http://zexeq.com/test2/get.php
http://5.42.64.35/timeSync.exe
|
5.2 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9192 |
2023-12-22 08:08
|
 rest.exe 7e267bec235e3a97a82cbc14780e5af1
Themida Packer Malicious Library Admin Tool (Sysinternals etc ...) UPX Anti_VM AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check PNG Format ZIP Format MSOffice File DLL JPEG Format Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder VMware anti-virtualization IP Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://ipinfo.io/widget/demo/175.208.134.152
|
6
ipinfo.io(34.117.186.192)
www.linkedin.com(13.107.42.14)
34.117.186.192
121.254.136.18
13.107.42.14 - phishing
91.92.249.253 - mailcious
|
7
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
|
|
20.0 |
|
54 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9193 |
2023-12-22 08:13
|
 build2.exe e23c839edb489081120befe1e44b04db
Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File OS Processor Check VirusTotal Malware Telegram PDB MachineGuid Code Injection Malicious Traffic Checks debugger buffers extracted WMI unpack itself malicious URLs Tofsee ComputerName Remote Code Execution DNS crashed |
1
https://steamcommunity.com/profiles/76561199583900422
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
104.76.78.101 - mailcious
95.216.178.71
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
|
|
11.0 |
|
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9194 |
2023-12-22 15:00
|
 OperaGXSetup.exe 46431992aa566007949fc4acbc058856
Generic Malware PE32 PE File VirusTotal Malware Malicious Traffic unpack itself Tofsee ComputerName |
1
http://www.msk-post.com/server/init.php
|
2
www.msk-post.com(91.228.225.55)
91.228.225.55
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9195 |
2023-12-23 03:12
|
 SHIPMENT.html eee94ac7a87b9751276ff8a8f2dd1545
AntiDebug AntiVM MSOffice File PNG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
1
https://i.gyazo.com/4522caeb250b902767ea9d7dbee510fb.png
|
2
i.gyazo.com(104.18.25.163)
104.18.25.163
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|