9211 | 2024-01-11 00:09
Sample: https://onedrive.live.com/down...
Tags: Downloader Create Service Socket DGA Http API ScreenShot Escalate privileges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (2):
  onedrive.live.com (13.107.139.11) - malicious
  13.107.137.11
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.2 | - | - | Malwr

9212 | 2024-01-11 09:59
Sample: JAN-122661-F2024.url | MD5 d49e5049684aaa8d14a407ac08ddb3be
Tags: AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (1): not listed
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 5.2 | - | 4 | ZeroCERT

9213 | 2024-01-11 10:12
Sample: release.rar | MD5 055bfe6e7bbf803236c3b1552f2ca0b1
Tags: Escalate privileges PWS KeyLogger AntiDebug AntiVM Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check Tofsee DNS
URLs (5):
  http://195.20.16.45/api/bing_release.php
  http://195.20.16.45/api/flash.php
  https://sun6-23.userapi.com/c909618/u418490229/docs/d51/1e80248cc5f3/8jccr.bmp?extra=I1B0d7qHmDrWBBQTgm6DCsfs_HxefbRVRDBMMl1mndN_42h_EOO-DEO4b1R5C8HYMiNVOCOnamxYlk9-My5bAFSfIzgZKrI9NoLJwJbBGG34aojGE1MEDXU_gW3h2-UJPHThE-0hKCfIk70-NA
  https://api.myip.com/
  https://vk.com/doc418490229_670513616?hash=Rnz6mh1plmmQeRvLs9F8CK7xp1IzayhFDkq5VtfO7zL&dl=vqdYEy1z0yzb7VGu1G6kvdqbamVKV6KZryFk0aAy5M0&api=1&no_preview=1
Hosts (9):
  vk.com (93.186.225.194) - malicious
  ipinfo.io (34.117.186.192)
  api.myip.com (172.67.75.163)
  sun6-23.userapi.com (95.142.206.3) - malicious
  104.26.8.59
  34.117.186.192
  95.142.206.3 - malicious
  87.240.129.133 - malicious
  195.20.16.45 - malicious
Alerts (4):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
Score: 4.2 | - | - | ZeroCERT

9214 | 2024-01-12 07:59
Sample: love.exe | MD5 d3420ffb07677d83ab1fd50b1c45c96d
Tags: Emotet Gen1 EnigmaProtector Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File CAB OS Processor Check PNG Format MSOffice File JPEG Format VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee Windows Update Exploit ComputerName Remote Code Execution DNS crashed
URLs (2):
  https://instagram.com/accounts/login/
  https://instagram.com/accounts/login
Hosts (3):
  instagram.com (157.240.215.174)
  www.instagram.com (157.240.215.174)
  157.240.215.174
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 12.4 | M | 45 | ZeroCERT

9215 | 2024-01-12 08:05
Sample: leru.exe | MD5 099556734bde76d46c677c726cbf2538
Tags: Generic Malware Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Windows utilities Disables Windows Security suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (6):
  ipinfo.io (34.117.186.192)
  db-ip.com (104.26.5.15)
  193.233.132.62 - malicious
  172.67.75.166
  34.117.186.192
  156.251.17.97
Alerts (7):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  ET MALWARE [ANY.RUN] RisePro TCP (External IP)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
Score: 11.6 | M | 48 | ZeroCERT

9216 | 2024-01-12 08:05
Sample: plugins.exe | MD5 d1a6f9be6f046fcdd20d871cec0e1a42
Tags: Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library Admin Tool (Sysinternals etc ...) .NET framework(MSIL) UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File .NET EXE DLL OS Processor Check VirusTotal Malware Telegram Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed
URLs (2):
  https://steamcommunity.com/profiles/76561199601319247
  https://t.me/bg3goty
Hosts (5):
  t.me (149.154.167.99) - malicious
  steamcommunity.com (104.75.41.21) - malicious
  149.154.167.99 - malicious
  23.74.21.196
  95.217.25.10
Alerts (3):
  ET INFO TLS Handshake Failure
  ET INFO Observed Telegram Domain (t .me in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 13.0 | M | 34 | ZeroCERT

9217 | 2024-01-12 15:58
Sample: love.exe | MD5 d84ddf7e3d38eb30d74875aef7bdf829
Tags: Emotet Gen1 EnigmaProtector Malicious Library UPX Malicious Packer AntiDebug AntiVM PE32 PE File CAB PNG Format MSOffice File JPEG Format OS Processor Check VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder AntiVM_Disk anti-virtualization VM Disk Size Check Tofsee Windows Update Exploit ComputerName Remote Code Execution DNS crashed
URLs (2):
  https://instagram.com/accounts/login/
  https://instagram.com/accounts/login
Hosts (3):
  instagram.com (157.240.215.174)
  www.instagram.com (157.240.215.174)
  157.240.215.174
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 12.4 | M | 48 | ZeroCERT

9218 | 2024-01-12 15:59
Sample: InstallSetup8.exe | MD5 90c84cef9f4f1a5eb8d0393904f508da
Tags: NPKI HermeticWiper NSIS Generic Malware Suspicious_Script Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Javascript_Blob PE32 PE File PNG Format JPEG Format OS Processor Check MZP Format ZIP Format icon BMP For VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS
URLs (3):
  http://api.ipify.org/?format=dfg
  http://185.172.128.53/syncUpd.exe - rule_id: 38939
  https://iplogger.com/19bVA4
Hosts (6):
  api.ipify.org (173.231.16.76)
  iplogger.com (104.21.76.57) - malicious
  91.92.255.226
  64.185.227.156
  172.67.188.178 - malicious
  185.172.128.53 - malware
Alerts (10):
  ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  ET POLICY External IP Lookup (ipify .org)
  ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
  ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
  ET INFO Executable Download from dotted-quad Host
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Downloads (1):
  http://185.172.128.53/syncUpd.exe
Score: 9.4 | M | 50 | ZeroCERT

9219 | 2024-01-13 18:54
Sample: rty45.exe | MD5 ef895c5307108231ad39d601a38a098f
Tags: Malicious Packer UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://i.alie3ksgaa.com/sta/imagd.jpg
Hosts (3):
  i.alie3ksgaa.com (154.92.15.189) - malicious
  154.92.15.189 - malicious
  23.67.53.27
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.0 | M | 25 | ZeroCERT

9220 | 2024-01-13 18:55
Sample: browserUpdate.vbs | MD5 2cf4670bd083efe16afb9041a0116341
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  https://paste.ee/d/NraZB
  https://wallpapercave.com/uwp/uwp4203994.png
  http://107.175.113.207/7800/LCC.txt
Hosts (4):
  paste.ee (172.67.187.200) - malicious
  wallpapercave.com (104.22.53.71) - malware
  172.67.29.26 - malware
  172.67.187.200 - malicious
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
Score: 9.6 | - | 3 | ZeroCERT

9221 | 2024-01-13 18:55
Sample: browserupdationrecentlydonebym... | MD5 510fbf28e3dd6ebb0fe934dad853d70b
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed
URLs (2):
  http://107.175.113.207/7800/browserUpdate.vbs
  https://paste.ee/d/NraZB
Hosts (7):
  paste.ee (172.67.187.200) - malicious
  wallpapercave.com (104.22.52.71) - malware
  172.67.187.200 - malicious
  107.175.113.207
  104.22.52.71 - malware
  154.92.15.189 - malicious
  23.67.53.27
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  ET INFO Dotted Quad Host VBS Request
Score: 6.0 | - | 30 | ZeroCERT

9222 | 2024-01-13 18:58
Sample: BrowserUpdate.vbs | MD5 55bb883a7a332f86d1ca49379d1ca95d
Tags: Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
URLs (3):
  https://paste.ee/d/DjEFv
  https://wallpapercave.com/uwp/uwp4203994.png
  http://107.175.113.207/277/HSC.txt
Hosts (4):
  paste.ee (104.21.84.67) - malicious
  wallpapercave.com (104.22.52.71) - malware
  172.67.29.26 - malware
  104.21.84.67 - malware
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
Score: 9.0 | - | 3 | ZeroCERT

9223 | 2024-01-13 19:01
Sample: leru.exe | MD5 1abfdde35393e3bed6dc4c88ddaec0c6
Tags: Generic Malware Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory Windows utilities Disables Windows Security suspicious process AntiVM_Disk WriteConsoleW anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed
URLs (1):
  https://db-ip.com/demo/home.php?s=175.208.134.152
Hosts (5):
  ipinfo.io (34.117.186.192)
  db-ip.com (172.67.75.166)
  104.26.5.15
  193.233.132.62 - malicious
  34.117.186.192
Alerts (6):
  ET MALWARE [ANY.RUN] RisePro TCP (Token)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Suspected RisePro TCP Heartbeat Packet
  ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
  ET MALWARE [ANY.RUN] RisePro TCP (Activity)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Score: 11.6 | M | 48 | ZeroCERT

9224 | 2024-01-13 19:05
Sample: rty31.exe | MD5 797344a5766214c49734b8f63f78e797
Tags: Malicious Packer UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution
URLs (2):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://i.alie3ksgaa.com/sta/imagd.jpg
Hosts (3):
  i.alie3ksgaa.com (154.92.15.189) - malicious
  154.92.15.189 - malicious
  23.67.53.27
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 3.6 | - | 27 | ZeroCERT

9225 | 2024-01-13 19:14
Sample: red.exe | MD5 3c78cef4203a47012167be0877274540
Tags: RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX Malicious Library Malicious Packer Antivirus PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://91.92.255.187:1334/
  https://api.ip.sb/geoip
  http://91.92.255.187/venom.exe
Hosts (4):
  api.ip.sb (104.26.13.31)
  23.67.53.27
  104.26.13.31
  91.92.255.187 - malicious
Alerts (9):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE RedLine Stealer - CheckConnect Response
  ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
  ET MALWARE Redline Stealer Family Activity (Response)
  SURICATA HTTP unable to match response to request
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 9.2 | M | 58 | ZeroCERT

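The listing above is only useful once its hosts and alerts cells are pulled apart into individual indicators. The Python below is an added example, not tooling from the page or from the sandboxes it cites: it parses the site's "domain(ip) - label" host tokens and run-together Suricata/ET rule names, defangs indicators for sharing, pivots on IPs shared across samples (for instance 23.67.53.27 and 154.92.15.189, which several of the entries above contact), and lists signatures that fired on every record. The RECORDS dictionary is constructed from five of the listing's entries (9213, 9215, 9219, 9221, 9225); the token grammar, the defang format and the "fires on every record" heuristic are this example's own assumptions about the data.

```python
"""IOC extraction over the sandbox listing above (added example, not the page's own tooling)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from five entries of the listing: raw hosts cell and raw alerts cell per sample ID.
RECORDS = {
    "9213": {  # release.rar
        "hosts": "vk.com(93.186.225.194) - malicious ipinfo.io(34.117.186.192) api.myip.com(172.67.75.163) sun6-23.userapi.com(95.142.206.3) - malicious 104.26.8.59 34.117.186.192 95.142.206.3 - malicious 87.240.129.133 - malicious 195.20.16.45 - malicious",
        "alerts": "ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)",
    },
    "9215": {  # leru.exe, RisePro
        "hosts": "ipinfo.io(34.117.186.192) db-ip.com(104.26.5.15) 193.233.132.62 - malicious 172.67.75.166 34.117.186.192 156.251.17.97",
        "alerts": "ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity)",
    },
    "9219": {  # rty45.exe
        "hosts": "i.alie3ksgaa.com(154.92.15.189) - malicious 154.92.15.189 - malicious 23.67.53.27",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
    "9221": {  # RTF dropping browserUpdate.vbs
        "hosts": "paste.ee(172.67.187.200) - malicious wallpapercave.com(104.22.52.71) - malware 172.67.187.200 - malicious 107.175.113.207 104.22.52.71 - malware 154.92.15.189 - malicious 23.67.53.27",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI ET INFO Dotted Quad Host VBS Request",
    },
    "9225": {  # red.exe, RedLine
        "hosts": "api.ip.sb(104.26.13.31) 23.67.53.27 104.26.13.31 91.92.255.187 - malicious",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE RedLine Stealer - CheckConnect Response ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer Family Activity (Response) SURICATA HTTP unable to match response to request ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response",
    },
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A host token is either "domain(ip)" or a bare "ip", optionally followed by " - label".
HOST_RE = re.compile(
    rf"(?:(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)\((?P<rip>{IPV4})\)|(?P<bip>{IPV4}))"
    r"(?:\s+-\s+(?P<label>[A-Za-z]+))?"
)
# Rule names are concatenated with spaces; each one starts with one of these prefixes.
ALERT_SPLIT = re.compile(r"\s+(?=(?:ET |SSLBL:|SURICATA ))")


@dataclass(frozen=True)
class Host:
    name: str             # resolved domain, or the bare IP when no name was recorded
    ip: str
    label: Optional[str]  # the listing's verdict text ("malicious", "malware") or None


def parse_hosts(cell: str) -> List[Host]:
    hosts = []
    for m in HOST_RE.finditer(cell):
        ip = m.group("rip") or m.group("bip")
        hosts.append(Host(m.group("domain") or ip, ip, m.group("label")))
    return hosts


def parse_alerts(cell: str) -> List[str]:
    return [a for a in ALERT_SPLIT.split(cell.strip()) if a]


def defang(indicator: str) -> str:
    """Make a URL, domain or IP non-clickable: hxxp scheme, [.] in the host part only."""
    if "://" in indicator:
        scheme, rest = indicator.split("://", 1)
        host, sep, path = rest.partition("/")
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path
    return indicator.replace(".", "[.]")


def ip_pivot(records: Dict[str, dict]) -> Dict[str, List[str]]:
    """IP -> sorted sample IDs that contacted it; shared IPs link otherwise unrelated samples."""
    seen = defaultdict(set)
    for sid, rec in records.items():
        for h in parse_hosts(rec["hosts"]):
            seen[h.ip].add(sid)
    return {ip: sorted(ids) for ip, ids in seen.items()}


def ubiquitous_alerts(records: Dict[str, dict]) -> List[str]:
    """Signatures that fired on every record. A rule that fires across unrelated
    families carries no attribution signal for this corpus and should be reviewed."""
    counts = Counter()
    for rec in records.values():
        counts.update(set(parse_alerts(rec["alerts"])))
    return sorted(a for a, n in counts.items() if n == len(records))


if __name__ == "__main__":
    for ip, ids in sorted(ip_pivot(RECORDS).items(), key=lambda kv: -len(kv[1])):
        if len(ids) > 1:
            print(f"{defang(ip):<22} seen in {', '.join(ids)}")
    print("fires on every record:", ubiquitous_alerts(RECORDS))
```

Run as a script it prints the IPs shared by more than one sample and the one rule common to all five (the SSLBL Tofsee JA3 match, which the full listing shows on every entry from a RedLine build to an RTF document). A shared IP is a pivot, not a verdict: 34.117.186.192 is ipinfo.io, which both RisePro samples use for an external IP check, so the pivot tells you the samples share a technique rather than an operator. The defanged output is what you would paste into a ticket or a blocklist review.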