| 9241 |
2024-01-16 10:23
|
browserforfindvideoswhichmakey... cac7fbeb22725d491739d21ce51d7cf2
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/DPx5S
http://23.94.239.93/5060/browserclear.vbs
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(104.22.53.71) - malware
23.94.239.93 - mailcious
104.22.53.71
104.21.84.67 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
4.6 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9242 |
2024-01-17 08:10
|
 rty45.exe 02550318e655f52fa990158a1c709cef
Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution DNS |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
4
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
173.44.176.41
23.32.56.80
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
41 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9243 |
2024-01-17 08:14
|
 latestrocki.exe 51a977874c9b190837bc2658396d4dfe
Generic Malware NSIS Malicious Library UPX Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File .NET EXE PNG Format OS Processor Check PE64 ZIP Format MZP Format JPEG Format BMP Format CHM Format DLL icon CAB MSOffice File W VirusTotal Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS crashed |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981
https://i.alie3ksgaa.com/sta/imagd.jpg
|
5
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
185.172.128.90 - mailcious
185.172.128.53 - malware
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
2
http://185.172.128.53/syncUpd.exe
http://185.172.128.90/cpa/ping.php
|
13.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9244 |
2024-01-17 08:14
|
 rty27.exe 34a7dbf9c978714dd0679079c5445a10
Malicious Packer PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9245 |
2024-01-17 08:16
|
 conhost.exe be3c89dc0d88fddd3289ac9e6e72360a
AgentTesla .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed |
|
2
api.ipify.org(173.231.16.75)
64.185.227.156
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9246 |
2024-01-17 08:23
|
 conhost.exe 431b955c96a65b12587361ef1e961c2b
AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
|
2
api.ipify.org(173.231.16.75)
173.231.16.75
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9247 |
2024-01-17 08:24
|
 liva.exe fb987f700ecaba1d1bced04a45c572e8
Generic Malware EnigmaProtector Malicious Library Malicious Packer UPX Code injection AntiDebug AntiVM PE32 PE File OS Processor Check MSOffice File PNG Format ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader |
20
http://109.107.182.3/cost/go.exe
http://185.215.113.68/mine/amer.exe
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://db-ip.com/demo/home.php?s=175.208.134.152
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/0_HoU29ShlI.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
16
db-ip.com(104.26.5.15)
fbsbx.com(157.240.215.35)
www.facebook.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
ipinfo.io(34.117.186.192)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
172.67.75.166
157.240.215.14
185.215.113.68 - malware
193.233.132.62 - mailcious
34.117.186.192
23.67.53.17
157.240.215.35
109.107.182.3 - mailcious
|
12
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
19.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9248 |
2024-01-17 14:21
|
msworldwidenamespreadingaround... 34ac6f63ff7a32a51e98db3c21fd7b1c
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.28/3636/conhost.exe
|
3
api.ipify.org(64.185.227.156)
172.245.208.28 - mailcious
64.185.227.156
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.0 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9249 |
2024-01-17 14:25
|
beautifulhjcreversehissettings... c0b8ac37280a20cd4a86808102cc3eb2
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://172.245.208.28/1313/conhost.exe
|
3
api.ipify.org(104.237.62.211)
172.245.208.28 - mailcious
104.237.62.211
|
9
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9250 |
2024-01-17 15:19
|
 go.exe 5d01c27e7807d0c5d9d0076d6a803b55
RedLine stealer Generic Malware Malicious Library UPX Code injection Anti_VM AntiDebug AntiVM PE32 PE File OS Processor Check PNG Format MSOffice File Browser Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName DNS crashed |
17
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz
https://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=105.0.1&buildid=20220922151854
https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yb/r/S-jgxi6wsFP.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
|
10
www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
facebook.com(157.240.215.35)
connect.facebook.net(157.240.215.14)
crash-reports.mozilla.com(50.112.239.245)
157.240.215.35
52.13.80.180
157.240.215.14
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9251 |
2024-01-18 07:57
|
 conhost.exe 7547a8f171604d74d6436f7983c7a91d
AgentTesla PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger |
|
2
api.ipify.org(104.237.62.211)
104.237.62.211
|
4
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.0 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9252 |
2024-01-18 18:52
|
 JAN-17-2024-765FYDX.url 0a5062edfd1d56c273a2fa19c695a6a8
AntiDebug AntiVM URL Format MSOffice File VirusTotal Malware Code Injection Malicious Traffic RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
3
http://5.181.159.46/
http://5.181.159.46/Downloads
http://5.181.159.46/Downloads/26.url
|
1
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9253 |
2024-01-18 18:54
|
microbiolagicalthingshappenein... 6a0bc469af442ab4df602ad5af219b02
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself IP Check Tofsee Windows Exploit DNS crashed |
1
http://107.175.243.133/1522/conhost.exe
|
3
api.ipify.org(104.237.62.211)
107.175.243.133 - malware
173.231.16.75
|
9
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9254 |
2024-01-18 18:56
|
 microbiolagicalthingshappenein... adf6b4115caf260b8f57c1fd9bb618ec
MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed |
1
http://107.175.243.133/1521/conhost.exe
|
3
api.ipify.org(64.185.227.156)
107.175.243.133 - malware
104.237.62.211
|
9
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9255 |
2024-01-19 07:59
|
 rty45.exe bfa0a2b457d28d8805a0658b7498c639
Malicious Library UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
https://i.alie3ksgaa.com/sta/imagd.jpg
|
3
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
121.254.136.27
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|