9196 |
2023-12-23 18:23
|
f305ba-b4b69ab5.exe 683c060ccca9ee3a5dad65946c8c9a88 Generic Malware UPX Antivirus PWS AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check PNG Format ZIP Format Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency powershell PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process IP Check Tofsee Ransomware Windows Discord Browser ComputerName DNS Cryptographic key crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://ip-api.com/json/?fields=225545 https://gstatic.com/generate_204
|
9
discord.com(162.159.128.233) - mailcious ip-api.com(208.95.112.1) artemis.community(172.67.193.142) - malware gstatic.com(142.250.206.227) 162.159.137.232 - mailcious 208.95.112.1 172.67.193.142 - malware 23.50.121.137 142.250.199.67
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed Discord Domain (discord .com in TLS SNI) ET POLICY External IP Lookup ip-api.com ET INFO Observed Discord Domain in DNS Lookup (discord .com)
|
|
15.4 |
M |
49 |
ZeroCERT
9197 |
2023-12-23 18:31
|
Rby1.exe e0bc2140d5a10035fb6d3b4e1b46cdfe Emotet NSIS Generic Malware UPX Malicious Library Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM AntiDebug AntiVM PE File PE64 PNG Format PE32 OS Processor Check BMP Format MZP Format ZIP Format JPEG Format CHM Format DLL icon C VirusTotal Malware Buffer PE AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces AppData folder malicious URLs AntiVM_Disk suspicious TLD IP Check VM Disk Size Check Tofsee Ransomware Windows ComputerName Firmware DNS |
17
http://47.236.140.86/s/twty.exe http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=three&s=ab - rule_id: 38706 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://api.ipify.org/?format=wet http://5.42.64.35/InstallSetup3.exe http://5.42.64.35/syncUpd.exe - rule_id: 38707 https://iplogger.com/1gDcm4 https://iplogger.com/19hVA4 https://randomdomainname.org/2cba948feb9c53fce4409f0079aec61c.exe https://pastebin.com/raw/E0rY26ni - rule_id: 37702 https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://budgienation.net/8c35a460636521ed0deef49f6749c0e3/2cba948feb9c53fce4409f0079aec61c.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://yip.su/RNWPd.exe - rule_id: 37623 https://bitbucket.org/micaorrsoft/update/downloads/a01.exe https://potatogoose.com/8c35a460636521ed0deef49f6749c0e3/baf14778c246e15550645e30ba78ce1c.exe https://bbuseruploads.s3.amazonaws.com/c653674a-68fa-46c6-b413-9e71a0a3be60/downloads/7cc5bf80-2f20-4024-8172-c47af249efe9/a01.exe?response-content-disposition=attachment%3B%20filename%3D%22a01.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLFZPBG6X&Signature=k4eYmK01rl8PGp4sOTTE04lteD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjELr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDzQD%2B3UL8xV1DvAUP2KA45yti0HItkJ7%2FZj%2BYPZQQy%2BAIgK%2BOaDvdrjmeM3oRZP0OlFI2Pl%2B7GauL9ExmwyykyfrwqpwIIQhAAGgw5ODQ1MjUxMDExNDYiDOob2cJxt3Exs6kaAiqEAh4UYnRFarCTXYvHT0WXfJIgVuJuVvzUOPIbUG1w3nq2Yphc6rTsOhGwJcQzKyRWF%2BFm10oe88IpTj4lNM0gXnjCTwZXQVKi1Uz9JNwgbaaYzUofoIP2CZjnvaRuOYs0d6gOPdtnykb2eWeS2dGifaFBhMq%2BTovxD1l5xXeH3tHvHNOaHU%2F7ARV55Dc9YfRvdX2zOOUhEp62CjCviT3FBfq3tK8eLfJ2mwSddoM%2FvxLRaudgcAE%2FiTTi0RrZN5feEmr54GKsqEohzoLCOWAVpxR0dUkQrUDuJVTdHHFSkuX%2FWnX7mWGXITM985Y282tuaPXm6LdfM5BRgxr0vV3YWCtcSJnXMLjKmqwGOp0B5x1g24OisxHRKZUaNxp9%2BSGjgOsFU3J%2Fbs39LZmb4y%2BP29AtY729%2BALyUGmbQ3ghX9X%2FHvfZiW7jkSIo533BZtqI2LeUKLMZGFRSS862V%2FwPY7aL9mQD2m03u7eiKl8%2BE2Kc5rYFMkJjjg%2BliR6dKkTaba%2FDuj%2FNE2de8W4Y9dFnibQCoicKOX5nhXD%2B3R8dFgBbmLV9RQDHhvlDPg%3D%3D&Expires=1703324736
|
35
www.kaspersky.com(185.85.15.47) flyawayaero.net(104.21.93.225) - malware budgienation.net(104.21.33.167) bitbucket.org(104.192.141.1) - malware malwarebytes.com(192.0.66.233) api.ipify.org(104.237.62.212) bbuseruploads.s3.amazonaws.com(52.217.101.204) - malware zonealarm.com(209.87.209.205) redirector.pm(194.49.94.85) - malware randomdomainname.org(104.21.30.5) pastebin.com(172.67.34.170) - mailcious iplogger.com(172.67.188.178) - mailcious net.geo.opera.com(107.167.110.216) galandskiyher5.com(158.160.130.138) - malware potatogoose.com(172.67.180.173) - malware yip.su(104.21.79.77) - mailcious 104.21.30.5 91.92.254.7 - mailcious 209.87.209.205 158.160.130.138 104.21.33.167 192.0.66.233 107.167.110.211 3.5.28.176 185.85.15.46 104.21.93.225 - phishing 104.21.79.77 - phishing 5.42.64.35 - malware 104.20.68.143 - mailcious 172.67.180.173 - malware 172.67.188.178 - mailcious 104.192.141.1 - mailcious 47.236.140.86 194.49.94.85 - malware 64.185.227.156
|
12
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup (ipify .org) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO TLS Handshake Failure
|
5
http://91.92.254.7/scripts/plus.php http://5.42.64.35/syncUpd.exe https://pastebin.com/raw/E0rY26ni https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://yip.su/RNWPd.exe
|
16.8 |
M |
29 |
ZeroCERT
9198 |
2023-12-25 23:49
|
IMG_7005_21603pdf.exe 733a47d0689018b00e9017be3a92b4de AgentTesla .NET framework(MSIL) UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
1
http://ip-api.com/line/?fields=hosting
|
6
server1.sqsendy.shop(63.250.35.178) - mailcious api.ipify.org(104.237.62.212) ip-api.com(208.95.112.1) 63.250.35.178 - mailcious 104.237.62.212 208.95.112.1
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup ip-api.com ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
|
|
15.4 |
|
55 |
guest
9199 |
2023-12-26 08:03
|
wlanext.exe cb52c8b5a81a6576eb7d75963f44eab0 Formbook PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(104.237.62.212) mail.telefoonreparatiebovenkarspel.nl(185.94.230.135) 64.185.227.156 185.94.230.135
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Detect protocol only one direction
|
|
11.4 |
M |
|
ZeroCERT
9200 |
2023-12-26 08:03
|
288c47bbc1871b42239df19ff4df68... 3954cc01c26d1962284f3b95602f2367 Generic Malware NSIS Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM AntiDebug AntiVM PE32 PE File .NET EXE PNG Format OS Processor Check MZP Format ZIP Format JPEG Format BMP Format CHM Format DLL icon PE64 CA Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS |
4
http://api.ipify.org/?format=dfg http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=nine&s=ab - rule_id: 38706 http://5.42.64.35/syncUpd.exe - rule_id: 38707 https://iplogger.com/19nVA4
|
12
www.kaspersky.com(185.85.15.47) zonealarm.com(209.87.209.205) malwarebytes.com(192.0.66.233) api.ipify.org(173.231.16.77) iplogger.com(104.21.76.57) - mailcious 5.42.64.35 - malware 192.0.66.233 104.21.76.57 209.87.209.205 91.92.254.7 - mailcious 64.185.227.156 185.85.15.47
|
10
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET POLICY External IP Lookup (ipify .org) ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
|
2
http://91.92.254.7/scripts/plus.php http://5.42.64.35/syncUpd.exe
|
13.4 |
M |
|
ZeroCERT
9201 |
2023-12-26 08:07
|
wlanext.exe a2f55bda1a5d9cee3bfcc7f30f2c6b44 .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
|
4
api.ipify.org(64.185.227.156) mail.telefoonreparatiebovenkarspel.nl(185.94.230.135) 173.231.16.77 185.94.230.135
|
5
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
|
|
12.8 |
M |
|
ZeroCERT
9202 |
2023-12-27 07:47
|
valid.exe a42c8531e8e1fc631b80fac9f688609c EnigmaProtector UPX PE32 PE File .NET EXE ZIP Format DLL OS Processor Check Lnk Format GIF Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder IP Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://ipinfo.io/widget/demo/175.208.134.152
|
4
ipinfo.io(34.117.186.192) 121.254.136.9 34.117.186.192 193.233.132.62
|
7
ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
|
|
15.2 |
M |
37 |
ZeroCERT
9203 |
2023-12-27 07:49
|
foxi.exe 25be69edbd38d09faf01adfe59e39da2 Emotet Gen1 SmokeLoader EnigmaProtector Malicious Library UPX PE32 PE File CAB ZIP Format Lnk Format GIF Format DLL OS Processor Check .NET EXE Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk IP Check VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://ipinfo.io/widget/demo/175.208.134.152
|
4
ipinfo.io(34.117.186.192) 23.32.56.72 34.117.186.192 193.233.132.62
|
7
ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
|
|
15.0 |
|
|
ZeroCERT
9204 |
2023-12-28 07:55
|
Klassikas.exe 66f5f2edbd70030763f4d19266889288 PE32 PE File VirusTotal Malware unpack itself Tofsee crashed |
1
https://bitbucket.org/alisoujka2x/pikachuytro/raw/1a539acfcc4b55efedb2e3b46ace6417e24a7490/casoid
|
2
bitbucket.org(104.192.141.1) - malware 104.192.141.1 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.2 |
|
37 |
ZeroCERT
9205 |
2024-01-05 07:54
|
newbuild.exe 51d74fa113ee4efae8e73626e9277dff Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check Malware download Amadey VirusTotal Malware AutoRuns Malicious Traffic Check memory Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS |
3
http://5.42.66.0/f7Vkbh7X/index.php https://jabbahatth.com/e0cbefcb1af40c7d4aff4aca26621a98.exe https://somerandomshit.org/fedfdf3a03a34020e1cdd0c84e9132e5/e0cbefcb1af40c7d4aff4aca26621a98.exe
|
9
jabbahatth.com(104.21.47.48) somerandomshit.org(172.67.186.198) 173.231.16.77 185.215.113.68 104.21.76.57 5.42.66.0 - malware 77.91.68.21 - malware 104.21.19.150 - mailcious 104.21.47.48
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
|
|
8.6 |
|
55 |
ZeroCERT
9206 |
2024-01-05 07:58
|
bongo.exe 98e589da2cf91986d1e703189919dec1 RedLine stealer Emotet Gen1 Amadey RedlineStealer NSIS Generic Malware Malicious Library UPX .NET framework(MSIL) Malicious Packer Admin Tool (Sysinternals etc ...) Antivirus ScreenShot PWS Anti_VM AntiDebug AntiVM PE32 PE File CAB .NET EXE OS Processor Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency Microsoft Buffer PE AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check installed browsers check Kelihos Tofsee Ransomware Stealer Windows Exploit Browser RisePro Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed |
29
http://77.91.68.21/lend/YT.exe http://77.91.68.21/lend/MRK.exe http://77.91.68.21/lend/golden.exe http://77.91.68.21/lend/macheri.exe http://77.91.68.21/lend/flesh.exe http://77.91.68.21/lend/bakhtiar.exe http://185.215.113.68/theme/Plugins/cred64.dll http://77.91.68.21/mine/nocry.exe http://api.ipify.org/?format=ewf http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=seven&s=ab - rule_id: 38706 http://apps.identrust.com/roots/dstrootcax3.p7c http://5.42.66.0/newrock.exe http://185.215.113.68/theme/Plugins/clip64.dll http://77.91.68.21/lend/pixelguy.exe http://185.215.113.68/theme/index.php https://www.youtube.com/img/desktop/supported_browsers/firefox.png https://fonts.gstatic.com/s/youtubesans/v23/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff https://www.youtube.com/favicon.ico https://ipinfo.io/widget/demo/175.208.134.152 https://www.youtube.com/img/desktop/supported_browsers/edgium.png https://www.youtube.com/ https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F https://fonts.googleapis.com/css?family=YouTube+Sans:500 https://www.youtube.com/img/desktop/supported_browsers/chrome.png https://www.youtube.com/img/desktop/supported_browsers/opera.png https://fonts.googleapis.com/css?family=Roboto:400,500
|
23
www.youtube.com(172.217.175.14) - mailcious fonts.googleapis.com(172.217.25.170) api.ipify.org(173.231.16.77) ipinfo.io(34.117.186.192) iplogger.com(104.21.76.57) - mailcious fonts.gstatic.com(172.217.25.163) 20.79.30.95 173.231.16.77 195.20.16.103 185.215.113.68 193.233.132.62 104.21.76.57 5.42.66.0 - malware 216.58.220.138 - mailcious 5.42.65.31 216.58.203.78 77.91.68.21 - malware 23.32.56.80 185.172.128.53 - malware 91.92.254.7 - mailcious 172.217.24.227 121.254.136.9 34.117.186.192
|
27
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET INFO Microsoft net.tcp Connection Initialization Activity ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request ET MALWARE Redline Stealer Family Activity (Response) ET MALWARE Possible Kelihos.F EXE Download Common Structure ET INFO Packed Executable Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup (ipify .org) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
|
1
http://91.92.254.7/scripts/plus.php
|
26.6 |
M |
38 |
ZeroCERT
9207 |
2024-01-06 10:41
|
test3.doc 4333cf43659835679e5f6e9371611b46 VBA_macro Generic Malware AntiDebug AntiVM MSOffice File Vulnerability VirusTotal Malware Code Injection wscript.exe payload download unpack itself Tofsee |
|
2
configure.syscatec.com(69.46.5.226) - mailcious 69.46.5.226 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.6 |
M |
31 |
ZeroCERT
9208 |
2024-01-06 10:48
|
test2.doc 794004e79c07dbba60e1307549c04c3d VBA_macro Generic Malware AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection wscript.exe payload download RWX flags setting exploit crash unpack itself Tofsee Exploit crashed |
|
2
configure.syscatec.com(69.46.5.226) - mailcious 69.46.5.226 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
7.0 |
M |
30 |
ZeroCERT
9209 |
2024-01-08 09:38
|
newrock.exe 3133d3642bfa4a27451dc4ba649d0c50 Generic Malware Malicious Packer UPX Malicious Library PE32 PE File .NET EXE PE64 VirusTotal Malware MachineGuid Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) 154.92.15.189 23.67.53.17
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
M |
45 |
ZeroCERT
9210 |
2024-01-10 08:07
|
288c47bbc187122b439df19ff4df68... d872ad98ce3e3db8497ccd15e0baad33 NPKI HermeticWiper Generic Malware Suspicious_Script NSIS Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Javascript_Blob PE32 PE File .NET EXE PNG Format JPEG Format OS Processor Check MZP Format ZIP Format ico VirusTotal Malware Malicious Traffic Check memory Checks debugger Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS |
3
http://api.ipify.org/?format=dfg http://185.172.128.53/syncUpd.exe - rule_id: 38939 https://iplogger.com/19nVA4
|
6
api.ipify.org(64.185.227.156) iplogger.com(172.67.188.178) - mailcious 173.231.16.76 104.21.76.57 91.92.255.226 185.172.128.53 - malware
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup (ipify .org)
|
1
http://185.172.128.53/syncUpd.exe
|
10.2 |
M |
51 |
ZeroCERT