9226 |
2024-01-13 19:18
|
one.exe bd94daa7872d164c29dcdf71a89b4771 Client SW User Data Stealer LokiBot ftp Client info stealer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File MSOffice File .NET EXE DLL OS Processor Check VirusTotal Malware Telegram Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://steamcommunity.com/profiles/76561199601319247
https://t.me/bg3goty
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious 149.154.167.99 - mailcious
104.76.78.101 - mailcious
65.109.241.139
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
12.6 |
|
37 |
ZeroCERT
9227 |
2024-01-13 19:20
|
updationavailableforentierospr... 8f65da99c939a67fd8065dd8890374ab MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/DjEFv
http://107.175.113.207/277/BrowserUpdate.vbs
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(172.67.29.26) - malware 104.22.53.71
104.21.84.67 - malware
107.175.113.207 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
4.6 |
M |
31 |
ZeroCERT
9228 |
2024-01-13 19:26
|
InstallSetup10.exe d5610fe6893c1bb0df7b32471f878839 NSIS Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE32 PE File PNG Format OS Processor Check MZP Format ZIP Format JPEG Format BMP Format CHM Format DLL icon PE64 CAB MSOffice File Word 2007 f Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS |
3
http://185.172.128.53/syncUpd.exe - rule_id: 38939 http://api.ipify.org/?format=fgf https://iplogger.com/1zteH4
|
6
api.ipify.org(173.231.16.76) iplogger.com(104.21.76.57) - mailcious 173.231.16.76 104.21.76.57 91.92.255.226 185.172.128.53 - malware
|
10
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET POLICY External IP Lookup (ipify .org) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://185.172.128.53/syncUpd.exe
|
8.8 |
M |
|
ZeroCERT
9229 |
2024-01-13 19:27
|
twoo.exe 013dd34c1d52ad6a86419657437e247a Client SW User Data Stealer LokiBot ftp Client info stealer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File MSOffice File .NET EXE DLL OS Processor Check Malware Telegram Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://steamcommunity.com/profiles/76561199601319247
https://t.me/bg3goty
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious 149.154.167.99 - mailcious
104.76.78.101 - mailcious
65.109.241.139
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
11.6 |
M |
|
ZeroCERT
9230 |
2024-01-13 19:31
|
newrock2.exe 20dc7abde7dbae943356eb9bd311e9c0 NPKI HermeticWiper Generic Malware Suspicious_Script NSIS Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Javascript_Blob PE32 PE File .NET EXE PNG Format JPEG Format OS Processor Check ZIP Format MZP Format PE6 Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.53/syncUpd.exe - rule_id: 38939 http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
|
5
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious 23.67.53.17 185.172.128.90 185.172.128.53 - malware
|
6
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://185.172.128.53/syncUpd.exe
|
10.6 |
M |
|
ZeroCERT
9231 |
2024-01-15 07:58
|
4.exe e4153c1acc9bab930996d7ee3b148f57 Vidar Malicious Library UPX PE32 PE File OS Processor Check Malware Telegram MachineGuid Malicious Traffic WMI Tofsee ComputerName DNS crashed |
2
https://steamcommunity.com/profiles/76561199601319247 - rule_id: 38985
https://t.me/bg3goty
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious 149.154.167.99 - mailcious
104.76.78.101 - mailcious
65.109.241.139 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199601319247
|
3.2 |
M |
|
ZeroCERT
9232 |
2024-01-15 08:02
|
ReymenStealer.exe 2f4f4f544c12721873f7600bf1d5a37b Generic Malware Antivirus PE32 PE File .NET EXE PowerShell powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process Tofsee Windows Discord ComputerName DNS Cryptographic key Downloader |
1
https://cdn.discordapp.com/attachments/1193667029731909664/1193667157301678110/WinSAT.exe
|
2
cdn.discordapp.com(162.159.129.233) - malware 162.159.134.233 - malware
|
3
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET INFO Observed Discord Domain (discordapp .com in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
|
ZeroCERT
9233 |
2024-01-15 08:07
|
rty47.exe d641a8c632aa4b393491a9bd2a1407e3 Malicious Packer UPX PE File PE64 PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious
23.43.165.105
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.2 |
M |
|
ZeroCERT
9234 |
2024-01-16 08:01
|
rty29.exe 484970b905d262cd9a08d8afb5a6fdac Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious 154.92.15.189 - mailcious
182.162.106.144
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
21 |
ZeroCERT
9235 |
2024-01-16 08:13
|
MartDrum.exe 1e4352c43b8c5a6b5a10dd0ace9a57a4 Gen1 Downloader task schedule Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE32 Malware download AsyncRAT NetWireRC Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check Windows ComputerName DDNS |
|
3
ILEBAjQfqsOIasLkjMdYuEw.ILEBAjQfqsOIasLkjMdYuEw() leetman.dynuddns.com(94.156.64.207) 94.156.64.207
|
3
ET INFO DYNAMIC_DNS Query to a *.dynuddns .com Domain ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) ET MALWARE Generic AsyncRAT Style SSL Cert
|
|
11.0 |
M |
|
ZeroCERT
9236 |
2024-01-16 08:15
|
done.exe 750730cacee06f5b29188ef5050ff7ab Client SW User Data Stealer Emotet Gen1 browser info stealer EnigmaProtector Generic Malware Google Chrome User Data Downloader Malicious Library UPX Malicious Packer .NET framework(MSIL) Http API PWS Code injection Create Service Socket DGA ScreenShot Es Browser Info Stealer VirusTotal Malware AutoRuns PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser Remote Code Execution DNS crashed |
15
https://fbsbx.com/security/hsts-pixel.gif?c=5 https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz https://www.facebook.com/favicon.ico https://connect.facebook.net/security/hsts-pixel.gif https://www.facebook.com/login https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz https://facebook.com/security/hsts-pixel.gif?c=3.2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yJ/l/0,cross/JtVgZ46o85N.css?_nc_x=Ij3Wp8lg5Kz https://fbcdn.net/security/hsts-pixel.gif?c=2.5 https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
8
www.facebook.com(157.240.215.35) fbsbx.com(157.240.215.35) static.xx.fbcdn.net(157.240.215.14) fbcdn.net(157.240.215.35) connect.facebook.net(157.240.215.14) facebook.com(157.240.215.35) 157.240.215.35 157.240.215.14
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
37 |
ZeroCERT
9237 |
2024-01-16 10:04
|
M.hta a712950af45bdc5e33863aae223c1ac6 AntiDebug AntiVM MSOffice File JPEG Format VirusTotal Malware Code Injection Check memory Checks debugger RWX flags setting exploit crash unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows Exploit ComputerName DNS crashed |
2
https://mail.chapanakit-rta.com/favicon.ico https://mail.chapanakit-rta.com/images/happynewyear.jpg
|
2
mail.chapanakit-rta.com(203.113.25.99) - mailcious 203.113.25.99 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
7.6 |
|
18 |
ZeroCERT
9238 |
2024-01-16 10:16
|
browserclear.vbs 955cba0154cb22d954e10771041d58b3 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
https://paste.ee/d/DPx5S
https://wallpapercave.com/uwp/uwp4228677.png
http://23.94.239.93/5060/CBL.txt
|
4
paste.ee(172.67.187.200) - mailcious
wallpapercave.com(104.22.53.71) - malware 172.67.29.26 - malware
104.21.84.67 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
9.0 |
M |
3 |
ZeroCERT
9239 |
2024-01-16 10:18
|
browserdatasavedforvideotocrea... 894868d948fb83d3039e9d0f13caa8f6 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://107.175.113.207/3555/BrowserUpdate.vbs
https://paste.ee/d/s5jMq
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(104.22.53.71) - malware 104.22.53.71
104.21.84.67 - malware
107.175.113.207 - malware
|
3
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host VBS Request
|
|
4.6 |
M |
33 |
ZeroCERT
9240 |
2024-01-16 10:20
|
BrowserUpdate.vbs 7eed4e5991eacf9b104dd2d2da0856fb Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
2
https://wallpapercave.com/uwp/uwp4228677.png
http://107.175.113.207/3555/TH.txt
|
4
paste.ee(172.67.187.200) - mailcious
wallpapercave.com(104.22.53.71) - malware 172.67.29.26 - malware
104.21.84.67 - malware
|
2
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
M |
3 |
ZeroCERT